import logging
from cbapi.example_helpers import build_cli_parser, get_cb_threathunter_object
from cbapi.psc.threathunter import Process

# Send cbapi's debug output (every HTTP request and its status) to the console
root = logging.getLogger()
root.addHandler(logging.StreamHandler())
logging.getLogger("cbapi").setLevel(logging.DEBUG)

# Standard cbapi CLI parsing (credential profile etc.) and a ThreatHunter API object
parser = build_cli_parser("Query processes")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)

# Build a process search; nothing is sent until results are requested
search_processes = cb.select(Process).where("process_name:notepad.exe")
processes = search_processes[0:3]  # this slice issues the request that fails with 403
for process in processes:
    print(process.process_name)
Observe the error in the console
» python3 test.py
Using file credential store
HTTP GET /threathunter/search/v1/orgs/<redacted>/processes/search_validation?fl=%2A%2Cparent_hash%2Cparent_name%2Cprocess_cmdline%2Cbackend_timestamp%2Cdevice_external_ip%2Cdevice_group%2Cdevice_internal_ip%2Cdevice_os%2Cprocess_effective_reputation%2Cprocess_reputation%2Cttp&q=process_name%3Anotepad.exe took 0.468s (response 403)
Traceback (most recent call last):
  File "test.py", line 15, in <module>
    processes = search_processes[0:3]
  File "/usr/local/lib/python3.7/site-packages/cbapi/query.py", line 202, in __getitem__
    return list(self._perform_query(start, numrows))
  File "/usr/local/lib/python3.7/site-packages/cbapi/query.py", line 219, in _perform_query
    for item in self._search(start=start, rows=numrows):
  File "/usr/local/lib/python3.7/site-packages/cbapi/psc/threathunter/query.py", line 437, in _search
    self._submit()
  File "/usr/local/lib/python3.7/site-packages/cbapi/psc/threathunter/query.py", line 382, in _submit
    self._validate(args)
  File "/usr/local/lib/python3.7/site-packages/cbapi/psc/threathunter/query.py", line 280, in _validate
    validated = self._cb.get_object(url, query_parameters=args)
  File "/usr/local/lib/python3.7/site-packages/cbapi/connection.py", line 257, in get_object
    result = self.api_json_request("GET", uri)
  File "/usr/local/lib/python3.7/site-packages/cbapi/connection.py", line 295, in api_json_request
    result = self.session.http_request(method, uri, headers=headers, data=raw_data, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/cbapi/connection.py", line 192, in http_request
    raise ServerError(error_code=r.status_code, message=r.text)
cbapi.errors.ServerError: Received error code 403 from API (No further information provided)
Expected behavior
The process query should succeed and return 0 or more results
Screenshots
see above
Additional context
I had different code using cbapi 1.5.2 working before and now it also doesn't work anymore and returns the same error.
I believe a change in the API endpoints might have happened and cbapi has not been updated to reflect the new URLs. I tried manually patching the API to use the endpoints in the documentation instead of what is in the existing codebase (see https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search/ or the example URL endpoint GET <psc-hostname>/api/investigate/v1/orgs/{org_key}/processes/search_validation?q=<string>&cb.min_backend_timestamp=<integer>&cb.max_backend_timestamp=<integer>), but that didn't work, so maybe I'm missing something.
I am seeing this behaviour on: (please complete the following information):
Describe the bug
Any request to the ThreatHunter API generates a 403 response using the cbapi.
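The report hinges on two facts that are visible above: the request cbapi 1.5.x sends goes to /threathunter/search/v1/orgs/{org_key}/processes/search_validation, the developer docs give /api/investigate/v1/orgs/{org_key}/processes/search_validation, and both return 403 rather than 404. The probe below, an added example that is neither the reporter's code nor part of cbapi, issues one GET per candidate path outside the library and turns each HTTP status into the one conclusion it supports, so a moved path (404) is kept distinct from a token that is recognised but not authorised for the endpoint (403). The X-Auth-Token header format is the one cbapi uses for PSC credentials, stated here as an assumption; the environment variable names are constructed for this example; the fetcher is injectable so the logic can be exercised offline.

```python
"""Probe the ThreatHunter search_validation endpoint directly, outside cbapi.

Added example for this issue, not the reporter's code and not part of cbapi.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Both paths appear in the issue: the first in the 403 log line cbapi printed,
# the second in the documentation URL the reporter quotes.
CANDIDATE_PATHS: Dict[str, str] = {
    "cbapi-1.5.x": "/threathunter/search/v1/orgs/{org_key}/processes/search_validation",
    "documented": "/api/investigate/v1/orgs/{org_key}/processes/search_validation",
}

# A fetcher takes a prepared Request and returns (status, body). It is injectable
# so the probe can be tested without network access.
Fetcher = Callable[[urllib.request.Request], Tuple[int, str]]


def build_validation_url(hostname: str, path_template: str, org_key: str, query: str,
                         min_ts: Optional[int] = None, max_ts: Optional[int] = None) -> str:
    """Assemble the validation URL with the query parameters the docs list."""
    params = [("q", query)]
    if min_ts is not None:
        params.append(("cb.min_backend_timestamp", str(min_ts)))
    if max_ts is not None:
        params.append(("cb.max_backend_timestamp", str(max_ts)))
    path = path_template.format(org_key=org_key)
    return f"https://{hostname}{path}?{urllib.parse.urlencode(params)}"


def classify_status(status: int) -> str:
    """Translate the HTTP status into the conclusion it actually supports."""
    if 200 <= status < 300:
        return "ok: path reachable and credentials accepted"
    if status == 401:
        return "unauthenticated: token missing or not recognised"
    if status == 403:
        return "forbidden: token recognised but not authorised for this path"
    if status == 404:
        return "not found: path is wrong or has moved"
    return f"unexpected status {status}"


def urllib_fetch(req: urllib.request.Request) -> Tuple[int, str]:
    """Real fetcher; HTTP error replies are returned as (status, body), not raised."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def probe(hostname: str, org_key: str, api_id: str, api_secret: str, query: str,
          fetch: Fetcher = urllib_fetch) -> Dict[str, dict]:
    """GET the validation endpoint at every candidate path and diagnose each reply."""
    headers = {
        # cbapi's PSC token format is "<api_secret>/<api_id>" (assumed here).
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Accept": "application/json",
    }
    results: Dict[str, dict] = {}
    for label, template in CANDIDATE_PATHS.items():
        url = build_validation_url(hostname, template, org_key, query)
        status, body = fetch(urllib.request.Request(url, headers=headers))
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = body  # keep the raw text when the server did not answer with JSON
        results[label] = {"url": url, "status": status,
                          "diagnosis": classify_status(status), "body": parsed}
    return results


if __name__ == "__main__":
    # Credentials come from the environment (constructed variable names) so they
    # never land in shell history or the process list.
    names = ("CBC_HOSTNAME", "CBC_ORG_KEY", "CBC_API_ID", "CBC_API_SECRET")
    env = {k: os.environ.get(k) for k in names}
    if not all(env.values()):
        sys.exit("set " + ", ".join(names) + " first")
    query = sys.argv[1] if len(sys.argv) > 1 else "process_name:notepad.exe"
    for label, r in probe(env["CBC_HOSTNAME"], env["CBC_ORG_KEY"], env["CBC_API_ID"],
                          env["CBC_API_SECRET"], query).items():
        print(f"{label:12} {r['status']}  {r['diagnosis']}")
```

Reading the two statuses side by side is the point: a 403 on both paths says the server understood and routed the request, so the remaining question is what the key is authorised to do, while a 404 on the old path alone would have confirmed the "endpoints moved" hypothesis.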