carbonblack / cbapi-python

Carbon Black API - Python language bindings

[BUG] ThreatHunter queries generate 403 response #223

Closed jfatwork closed 4 years ago

jfatwork commented 4 years ago

I am seeing this behaviour on: (please complete the following information):

Describe the bug

Any request to the ThreatHunter API generates a 403 response using the cbapi.

Steps to Reproduce

Steps to reproduce the behavior (Provide a log message if relevant):

  1. Install the latest version of the cbapi (1.6.2)
  2. Configure CB credentials (using an API type key for this example)
  3. Use an example script from the repository (https://github.com/carbonblack/cbapi-python/blob/master/examples/threathunter/process_query.py) or the following example code:

```python
import logging

from cbapi.example_helpers import build_cli_parser, get_cb_threathunter_object
from cbapi.psc.threathunter import Event, Process, Tree

# Log every cbapi HTTP request/response to the console
root = logging.getLogger()
root.addHandler(logging.StreamHandler())
logging.getLogger("cbapi").setLevel(logging.DEBUG)

parser = build_cli_parser("Query processes")
args = parser.parse_args()

# Build the ThreatHunter client from the configured credential profile
cb = get_cb_threathunter_object(args)
search_processes = cb.select(Process).where("process_name:notepad.exe")
# Slicing the query triggers the search_validation request and the actual search
processes = search_processes[0:3]

for process in processes:
    print(process.process_name)
```

  4. Observe the error in the console

```
» python3 test.py 
Using file credential store
HTTP GET /threathunter/search/v1/orgs/<redacted>/processes/search_validation?fl=%2A%2Cparent_hash%2Cparent_name%2Cprocess_cmdline%2Cbackend_timestamp%2Cdevice_external_ip%2Cdevice_group%2Cdevice_internal_ip%2Cdevice_os%2Cprocess_effective_reputation%2Cprocess_reputation%2Cttp&q=process_name%3Anotepad.exe took 0.468s (response 403)
Traceback (most recent call last):
  File "test.py", line 15, in <module>
    processes = search_processes[0:3]
  File "/usr/local/lib/python3.7/site-packages/cbapi/query.py", line 202, in __getitem__
    return list(self._perform_query(start, numrows))
  File "/usr/local/lib/python3.7/site-packages/cbapi/query.py", line 219, in _perform_query
    for item in self._search(start=start, rows=numrows):
  File "/usr/local/lib/python3.7/site-packages/cbapi/psc/threathunter/query.py", line 437, in _search
    self._submit()
  File "/usr/local/lib/python3.7/site-packages/cbapi/psc/threathunter/query.py", line 382, in _submit
    self._validate(args)
  File "/usr/local/lib/python3.7/site-packages/cbapi/psc/threathunter/query.py", line 280, in _validate
    validated = self._cb.get_object(url, query_parameters=args)
  File "/usr/local/lib/python3.7/site-packages/cbapi/connection.py", line 257, in get_object
    result = self.api_json_request("GET", uri)
  File "/usr/local/lib/python3.7/site-packages/cbapi/connection.py", line 295, in api_json_request
    result = self.session.http_request(method, uri, headers=headers, data=raw_data, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/cbapi/connection.py", line 192, in http_request
    raise ServerError(error_code=r.status_code, message=r.text)
cbapi.errors.ServerError: Received error code 403 from API (No further information provided)
```

Expected behavior

The process query should succeed and return 0 or more results.

Screenshots

See above.

Additional context

I had different code using cbapi 1.5.2 working before, and now it also doesn't work anymore and returns the same error.

I believe a change in the API endpoints might have happened and the cbapi has not been updated to reflect these new URLs. I tried manually patching the API to use the endpoints in the documentation instead of what's in the existing codebase (see https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search/ or the example URL endpoint: `GET <psc-hostname>/api/investigate/v1/orgs/{org_key}/processes/search_validation?q=<string>&cb.min_backend_timestamp=<integer>&cb.max_backend_timestamp=<integer>`), but that didn't work, so maybe I'm missing something.

Thanks

jfatwork commented 4 years ago

This was user error: I was using the orgID instead of the org key. Sorry for the bother.

kebringer-cb commented 4 years ago

Glad to hear you figured it out.