redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License

[BUG] SentinelOne PowerQuery throwing errors with definition files #103

Closed xC0uNt3r7hr34t closed 1 year ago

xC0uNt3r7hr34t commented 1 year ago

Describe the bug
When running definition files for SentinelOne utilizing the default PowerQuery, multiple errors are being thrown with the queries. Log excerpt is attached for additional context.

[2023-04-12 12:36:28,124] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'errors': [{'code': 4000040, 'detail': 'Bad Request: [\'expected "(" to begin the value list for "in" operator\']', 'title': 'Bad Request'}]}
[2023-04-12 12:36:28,124] [ERROR   ] [surveyor.s1                         ] [sentinel_one.py     :679 ] 400 Client Error: BAD REQUEST for url: https://usea1-dfir.sentinelone.net/web/api/v2.1/dv/events/pq
[2023-04-12 12:36:28,126] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :614 ] Query params: {'accountIds': ['1226260871178354542'], 'fromDate': 1680107787623, 'toDate': 1681317387626, 'limit': 20000, 'query': "src.process.publisher contains 'ConnectWise, LLC' | group count() by endpoint.name, src.process.user, src.process.image.path, src.process.cmdline, src.process.name, src.process.publisher, url.address, tgt.file.internalName, src.process.startTime, site.id, site.name, src.process.storyline.id"}
[2023-04-12 12:36:28,150] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :456 ] https://usea1-dfir.sentinelone.net:443 "POST /web/api/v2.1/dv/events/pq HTTP/1.1" 400 139
[2023-04-12 12:36:28,150] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'errors': [{'code': 4000040, 'detail': 'Bad Request: [\'expected "(" to begin the value list for "in" operator\']', 'title': 'Bad Request'}]}
[2023-04-12 12:36:28,150] [ERROR   ] [surveyor.s1                         ] [sentinel_one.py     :679 ] 400 Client Error: BAD REQUEST for url: https://usea1-dfir.sentinelone.net/web/api/v2.1/dv/events/pq
[2023-04-12 12:36:28,151] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :614 ] Query params: {'accountIds': ['1226260871178354542'], 'fromDate': 1680107787623, 'toDate': 1681317387626, 'limit': 20000, 'query': "src.process.cmdline contains 'cmdline:efmjfjelnicpmdcmfikempdhlmainjcb*' | group count() by endpoint.name, src.process.user, src.process.image.path, src.process.cmdline, src.process.name, src.process.publisher, url.address, tgt.file.internalName, src.process.startTime, site.id, site.name, src.process.storyline.id"}
[2023-04-12 12:36:28,373] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :456 ] https://usea1-dfir.sentinelone.net:443 "POST /web/api/v2.1/dv/events/pq HTTP/1.1" 400 139
[2023-04-12 12:36:28,373] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'errors': [{'code': 4000040, 'detail': 'Bad Request: [\'expected "(" to begin the value list for "in" operator\']', 'title': 'Bad Request'}]}
[2023-04-12 12:36:28,373] [ERROR   ] [surveyor.s1                         ] [sentinel_one.py     :679 ] 400 Client Error: BAD REQUEST for url: https://usea1-dfir.sentinelone.net/web/api/v2.1/dv/events/pq
[2023-04-12 12:36:28,374] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :614 ] Query params: {'accountIds': ['1226260871178354542'], 'fromDate': 1680107787623, 'toDate': 1681317387626, 'limit': 20000, 'query': "url.address contains 'remotedesktop.google.com' | group count() by endpoint.name, src.process.user, src.process.image.path, src.process.cmdline, src.process.name, src.process.publisher, url.address, tgt.file.internalName, src.process.startTime, site.id, site.name, src.process.storyline.id"}
[2023-04-12 12:36:29,028] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :456 ] https://usea1-dfir.sentinelone.net:443 "POST /web/api/v2.1/dv/events/pq HTTP/1.1" 200 None
[2023-04-12 12:36:29,029] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'data': {'columns': [], 'data': [], 'externalId': '{"lrqToken":"450365c6-0e54-4346-9ac2-b81919ab4aac","target":"dvus1-api-7fff46666b-xdkfh"}', 'progress': 3, 'queryId': 'pq8706658115c80b3ec6a3f1516ac141e9', 'recommendations': [], 'status': 'RUNNING'}}
[2023-04-12 12:36:29,029] [INFO    ] [surveyor.s1                         ] [sentinel_one.py     :639 ] Query ID is pq8706658115c80b3ec6a3f1516ac141e9
[2023-04-12 12:36:29,142] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :456 ] https://usea1-dfir.sentinelone.net:443 "POST /web/api/v2.1/dv/events/pq HTTP/1.1" 200 None
[2023-04-12 12:36:29,142] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'data': {'columns': [], 'data': [], 'externalId': '{"lrqToken":"d6d8655b-eec4-4e5b-986b-f46b6ccc505d","target":"dvus1-api-7fff46666b-jctqr"}', 'progress': 0, 'queryId': 'pq5dfcaec71142c2ea5ff727004e7f0ed4', 'recommendations': [], 'status': 'RUNNING'}}

What side of Surveyor is impacted?

What product is impacted?

To Reproduce
What did you do? What is the command line you're running that is causing the error?
Command line: 'py .\surveyor.py --profile dfir --deffile .\definitions\remote-admin.json s1 --creds creds.ini'

Expected behavior
Query should be built for each "definition" within the file without causing bad request errors.

Screenshots: [image not included]
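An added triage helper, not part of surveyor or this report: the excerpt above logs each query (sentinel_one.py:614) before the urllib3 HTTP status and the API response body for it, so a small parser can pair them up and list exactly which PowerQuery strings the API rejected and with what error. The sample log is a constructed subset of the lines above, with the long `group count() by` column list trimmed.

```python
import ast
import re

# Constructed sample: lines copied from the surveyor debug excerpt above, trimmed.
# Raw string so the repr-escaped quotes (\') in the API error body survive verbatim.
SAMPLE_LOG = r"""
[2023-04-12 12:36:28,126] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :614 ] Query params: {'accountIds': ['1226260871178354542'], 'fromDate': 1680107787623, 'toDate': 1681317387626, 'limit': 20000, 'query': "src.process.publisher contains 'ConnectWise, LLC' | group count() by endpoint.name"}
[2023-04-12 12:36:28,150] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :456 ] https://usea1-dfir.sentinelone.net:443 "POST /web/api/v2.1/dv/events/pq HTTP/1.1" 400 139
[2023-04-12 12:36:28,150] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'errors': [{'code': 4000040, 'detail': 'Bad Request: [\'expected "(" to begin the value list for "in" operator\']', 'title': 'Bad Request'}]}
[2023-04-12 12:36:28,150] [ERROR   ] [surveyor.s1                         ] [sentinel_one.py     :679 ] 400 Client Error: BAD REQUEST for url: https://usea1-dfir.sentinelone.net/web/api/v2.1/dv/events/pq
[2023-04-12 12:36:28,374] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :614 ] Query params: {'accountIds': ['1226260871178354542'], 'fromDate': 1680107787623, 'toDate': 1681317387626, 'limit': 20000, 'query': "url.address contains 'remotedesktop.google.com' | group count() by endpoint.name"}
[2023-04-12 12:36:29,028] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :456 ] https://usea1-dfir.sentinelone.net:443 "POST /web/api/v2.1/dv/events/pq HTTP/1.1" 200 None
[2023-04-12 12:36:29,029] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :635 ] {'data': {'columns': [], 'data': [], 'queryId': 'pq8706658115c80b3ec6a3f1516ac141e9', 'status': 'RUNNING'}}
"""

# "[timestamp] [LEVEL   ] [logger   ] [file.py   :line ] message" as surveyor emits it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\s*\] \[(?P<logger>\S+)\s*\] "
    r"\[(?P<src>\S+)\s*:(?P<srcline>\d+)\s*\] (?P<msg>.*)$"
)
HTTP_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def correlate(log_text: str) -> list[dict]:
    """Pair every 'Query params' line with the HTTP status and API error that follow it."""
    results, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Query params: "):
            if current:
                results.append(current)
            params = ast.literal_eval(msg[len("Query params: "):])  # logged as a Python dict
            current = {"query": params["query"], "status": None, "error": None}
        elif current is not None and m.group("logger").startswith("urllib3"):
            h = HTTP_RE.search(msg)
            if h:
                current["status"] = int(h.group("status"))
        elif current is not None and msg.startswith("{'errors'"):
            body = ast.literal_eval(msg)  # API error body, also logged as a dict
            current["error"] = "; ".join(e["detail"] for e in body["errors"])
    if current:
        results.append(current)
    return results


def failed_queries(log_text: str) -> list[dict]:
    """Only the queries the SentinelOne API did not accept with HTTP 200."""
    return [r for r in correlate(log_text) if r["status"] != 200]
```

Running `failed_queries(SAMPLE_LOG)` on the sample shows the rejected query is the `contains 'ConnectWise, LLC'` one, paired with the `"in" operator` error, while the `url.address` query was accepted.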

xC0uNt3r7hr34t commented 1 year ago

After further review, this issue is specific to code within a pull request and not also within the master branch. Closing as unneeded.