redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License

[BUG] Full query not logged for CbC #122

Open rc-csmith opened 1 year ago

rc-csmith commented 1 year ago

Describe the bug

When running Surveyor CbC, the full query that includes filtering parameters doesn't get logged properly.

What side of Surveyor is impacted?

What product is impacted?

Steps to reproduce

What did you do?

Run the command

python surveyor.py --sigmarule /path/to/certutil_rule.yml --hostname workstation1 --days 1

The full query isn't printed out

[2023-07-10 16:53:39,355] [DEBUG   ] [surveyor.cbc                        ] [common.py           :52  ] Authenticating to cbc
[2023-07-10 16:53:39,355] [DEBUG   ] [cbc_sdk.credential_providers.default] [default.py          :40  ] Using FileCredentialProvider
[2023-07-10 16:53:39,355] [WARNING ] [cbc_sdk.credential_providers.file_credential_provider] [file_credential_provider.py:109 ] Security warning: A future version of CBC SDK will disallow access to the following files altogether unless their permissions are updated.
[2023-07-10 16:53:39,356] [WARNING ] [cbc_sdk.credential_providers.file_credential_provider] [file_credential_provider.py:112 ] Security warning: Directory /Users/[REDACTED]/.carbonblack has invalid permissions
[2023-07-10 16:53:39,356] [DEBUG   ] [surveyor.cbc                        ] [common.py           :54  ] Authenticated
[2023-07-10 16:53:39,356] [DEBUG   ] [surveyor                            ] [help.py             :36  ] Output arg takes precendence so prefix arg will be ignored
[2023-07-10 16:53:39,552] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :1014] Starting new HTTPS connection (1): raw.githubusercontent.com:443
[2023-07-10 16:53:39,830] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :473 ] https://raw.githubusercontent.com:443 "GET /SigmaHQ/pySigma-plugin-directory/main/pySigma-plugins-v1.json HTTP/1.1" 200 2081
[2023-07-10 16:53:42,081] [DEBUG   ] [surveyor.cbc                        ] [vmware_cb_enterprise_edr.py:102 ] Query Tag(tag='File Decoded From Base64/Hex Via Certutil.EXE - cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7', data='Sigma Rule'): (device_os:WINDOWS ((process_name:*\certutil.exe OR process_original_filename:CertUtil.exe) (process_cmdline:*-decode\ * OR process_cmdline:*/decode\ * OR process_cmdline:*-decodehex\ * OR process_cmdline:*/decodehex\ *)))
[2023-07-10 16:53:42,082] [DEBUG   ] [surveyor.cbc                        ] [vmware_cb_enterprise_edr.py:108 ] Full Query: <method-wrapper '__str__' of QueryBuilder object at 0x108b3aa50>
[2023-07-10 16:53:42,141] [DEBUG   ] [urllib3.connectionpool              ] [connectionpool.py   :1014] Starting new HTTPS connection (1): defense-prod05.conferdeploy.net:443

Expected behavior

On the next-to-last line of the above log file, you should see the full query, but instead you are presented with the Python object.

Screenshots

N/A

Additional context

N/A
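The log line above shows the classic shape of this bug: the logging call references the query object's `__str__` method instead of calling it, so the method's repr is logged rather than the query text. The following is an added illustration, not Surveyor's or the CBC SDK's code: `QueryBuilder` here is a hypothetical stand-in (because it defines `__str__` in Python, the buggy form renders as `bound method` rather than the page's `method-wrapper`, which is what you get when `__str__` is inherited from `object`), and `find_unrendered` is a simple regression check that flags log lines where an object repr leaked in place of a value.

```python
import logging
import re


class QueryBuilder:
    """Hypothetical stand-in for an SDK query object whose text form comes from __str__."""

    def __init__(self, base: str) -> None:
        self._clauses = [base]

    def where(self, clause: str) -> "QueryBuilder":
        self._clauses.append(clause)
        return self

    def __str__(self) -> str:
        return " AND ".join(f"({c})" for c in self._clauses)


# Matches the repr of an uncalled method/function object, e.g.
# "<method-wrapper '__str__' of QueryBuilder object at 0x108b3aa50>" or
# "<bound method QueryBuilder.__str__ of <...QueryBuilder object at 0x...>>".
UNRENDERED_OBJECT = re.compile(
    r"<(?:method-wrapper|bound method|built-in method|function) .*? at 0x[0-9a-fA-F]+>"
)


def format_buggy(query: QueryBuilder) -> str:
    # Bug: missing parentheses, so the method object itself is interpolated.
    return f"Full Query: {query.__str__}"


def format_fixed(query: QueryBuilder) -> str:
    # Interpolating the object calls str(query), i.e. query.__str__().
    return f"Full Query: {query}"


def looks_unrendered(line: str) -> bool:
    """True if a log line contains an object repr where a rendered value was expected."""
    return UNRENDERED_OBJECT.search(line) is not None


def find_unrendered(lines):
    """Return (line_number, text) for every log line that leaked an object repr."""
    return [(n, line) for n, line in enumerate(lines, 1) if looks_unrendered(line)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="[%(levelname)s] %(message)s")
    q = QueryBuilder("device_os:WINDOWS").where("process_name:*\\certutil.exe")
    logging.debug(format_buggy(q))  # logs "<bound method ...>" instead of the query
    logging.debug(format_fixed(q))  # logs the actual query text
```

Running `find_unrendered` over a captured debug log catches the regression described in this issue before it reaches a release.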