Closed jholtmann closed 2 years ago
Summary of the most recent changes:

- `response` -> `cbr`
- `threathunter` -> `cbc`
- `defender`/`atp` -> `dfe`
- `surveyor.py` will now print an error message if the user launches surveyor with a Python version <3.9.
- `dfe` product that resulted in a 400 error for all queries.
- `dfe` product now raises an error if the user's credential file is missing.
- `cbc` engine when the process name contains a space. Before this change I was receiving an API error when querying for process names with spaces in the name. Might be related to #3, though that issue relates to the CBR product.

Proposed changes to the wiki. As wiki pages can't be included in a pull request I can add these once this PR is merged. Please let me know if there are any other wiki pages that need to be updated @rc-abodkins.
You need the following to use Surveyor:

To use Surveyor with SentinelOne, you need the following information from SentinelOne:

- API Key for user with permission to execute Deep Visibility queries
- URL of your SentinelOne server

Save your configuration information in an INI file as follows:

```ini
[profile_name_here]
url=<URL>
token=<API KEY>
```

Alternatively, you can omit the `token` field and specify your API token via the environment variable `S1_TOKEN`.

When you run Surveyor, specify the path of the INI file with the `--creds` option (e.g. `py surveyor.py s1 --creds s1_creds.ini`). Note that unless otherwise specified with `--profile`, Surveyor uses the credentials and URL provided by the `[default]` header.

It might make sense to create per-product wiki pages that document any additional options implemented for those products. For example, the SentinelOne page could document the `--site-id`, `--account-id`, and `--account-name` options.
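The credential-loading behaviour described in the wiki text above (an INI profile selected with `--profile`, the `token` field optionally replaced by the `S1_TOKEN` environment variable, and a clear error when the credentials file is missing) can be illustrated with the following Python, which is an added example and not Surveyor's own code. The function, exception and file names are hypothetical, and the INI content is constructed for the demonstration.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Added example, not Surveyor's code: shows INI profile loading with an
# S1_TOKEN fallback and an explicit error for a missing credentials file.
# Names (CredentialError, load_s1_credentials) are hypothetical.


class CredentialError(Exception):
    """Raised when the credentials file, profile or a required field is missing."""


def load_s1_credentials(creds_path, profile="default", env=None):
    """Return (url, token) for SentinelOne from an INI file.

    The token may be omitted from the INI file and supplied via the S1_TOKEN
    environment variable instead. A missing file fails here with a clear
    message rather than as an opaque API error later.
    """
    env = os.environ if env is None else env
    path = Path(creds_path)
    if not path.is_file():
        raise CredentialError(f"credentials file not found: {path}")

    config = configparser.ConfigParser()
    config.read(path)
    if profile not in config:
        raise CredentialError(f"profile [{profile}] not found in {path}")

    section = config[profile]
    url = section.get("url")
    if not url:
        raise CredentialError(f"profile [{profile}] has no url")

    token = section.get("token") or env.get("S1_TOKEN")
    if not token:
        raise CredentialError("no token in profile and S1_TOKEN is not set")
    return url, token


def demo():
    """Exercise the loader on a constructed INI file and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "s1_creds.ini"
        # constructed sample credentials: [default] has a token, [prod] does not
        ini.write_text(
            "[default]\n"
            "url=https://example-s1.invalid\n"
            "token=constructed-token-1\n"
            "\n"
            "[prod]\n"
            "url=https://prod-s1.invalid\n"
        )
        results = {}
        results["default"] = load_s1_credentials(ini)
        results["prod_env"] = load_s1_credentials(
            ini, "prod", env={"S1_TOKEN": "constructed-token-2"}
        )
        try:
            load_s1_credentials(ini, "prod", env={})
        except CredentialError as exc:
            results["prod_no_token"] = str(exc)
        try:
            load_s1_credentials(Path(tmp) / "missing.ini")
        except CredentialError as exc:
            results["missing_file"] = str(exc)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Passing `env` explicitly keeps the function testable without touching the real process environment; in the tool itself `os.environ` is used by default.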
@jholtmann to the Getting Started wiki we need to add that Python 3.9 is required for Surveyor to work as well as the new commands and their structure.
I think a per product Wiki is the right way to go and then we can also move all the credential pieces to that and additional information.
@rc-abodkins I have updated my comment above to reflect that addition. The README in this pull request also mentions the 3.9+ requirement.
unsubscribe

> On Wed, Mar 30, 2022 at 12:37 PM Jonathan Holtmann wrote:
>
> @rc-abodkins I have updated my comment above to reflect that addition. The README in this pull request also mentions the 3.9+ requirement.
>
> Reply to this email directly or view it on GitHub: https://github.com/redcanaryco/surveyor/pull/53#issuecomment-1083548708
This is a fairly major rewrite of the surveyor tool. My initial goal was to implement SentinelOne support but I realized that doing so would be very difficult given the project's architecture. The problems were as follows:

- `common.py` as well as changes to `surveyor.py`.
- `common.py` instead of being delegated to each individual product.
- `process_search` and `nested_process_search` both required results to be returned to `surveyor.py`. This does not work well for SentinelOne due to the 1 request per minute rate limit for Deep Visibility searches via the API. The correct way to handle this is to combine various process searches into a single query, but this was not possible given the old architecture.

I addressed these issues in the following ways:

1. Refactor for CBR/CBTH/Defender products:
   - `common.py` into an abstract class that defines a product interface.
   - `load.py` which can dynamically load any product class based on its unique name.

   The benefits of this refactor are as follows:
   - `surveyor.py` with branching paths depending on how the authentication for the particular product functioned (profile vs credential file).
   - `products/` and making sure it has a unique `product` attribute. `load.py` will automatically expose the new product to `surveyor.py`.

2. Refactored `process_search` and `nested_process_search`:
   - `product.get_results()`. This returns a dictionary where the keys represent `tags` used to identify the results and the values represent the results themselves.
   - `surveyor.py` to display per-process/query result totals while also granting new products greater flexibility to change the way they handle search operations internally.

3. Miscellaneous changes made:
   - `surveyor.py` (e.g. having three branched `open()` calls when the only change between them was the file name).
   - `--query` and `--deffile`).
   - `logging` module.
   - `logs` folder. This can be configured via the CLI parameter `--log-dir`.
   - `definitions` folder can now be resolved by the `--deffiles` CLI option without needing to specify the `definitions` folder or the `.json` extension.
   - `requirements.txt` file to list required dependencies for development environments.

Resolved issues:

- `deffiles` parsing and added `--no-progress` CLI option to suppress the progress bar.
- `--no-file` CLI option to print results to STDOUT instead of a CSV file. Implicitly sets `--no-progress` to `True`.
- `SentinelOne` product.

Implemented support for `SentinelOne`:

- `s1` click command.

Potential Breaking Changes:

- `--`.
- `cbr` product implementation's survey results.
- `cbth` or `defender` product instances so those have not been tested.

New module dependencies:

- `requests` to the list of required module installs in `setup.py`. Note that this module was already required for the `defender` product.
- `tqdm` to resolve issue #31.

To-Do:

- These changes need to be tested on all implemented products.
- S1 query merging logic can be improved.
- Add timestamp to output for all products.
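The architecture the description above lays out (a product interface as an abstract class, products located by a unique `product` attribute, `get_results()` returning a dictionary keyed by tag, and a product that merges several process searches into one query to cope with a per-minute rate limit) is sketched in the following Python. This is an added example, not code from the Surveyor project: every class, function and field name here (`Product`, `BatchingProduct`, `load_product`, the `matched` field) is hypothetical, and the telemetry it searches is a constructed in-memory list standing in for an EDR backend.

```python
import inspect
import sys
from abc import ABC, abstractmethod

# Added example, not Surveyor's code: a minimal model of an abstract product
# interface, a loader keyed on the unique `product` attribute, tagged results
# from get_results(), and query merging for a rate-limited backend.
# All names are hypothetical.


class Product(ABC):
    product = None  # unique short name the loader matches against

    @abstractmethod
    def process_search(self, tag, query):
        """Queue one process search under a tag."""

    @abstractmethod
    def get_results(self):
        """Return {tag: [records]} for all queued searches."""


class BatchingProduct(Product):
    """Collects searches and issues a single combined query.

    Models the SentinelOne constraint described above: with roughly one
    Deep Visibility request per minute, each process_search() is queued and
    one query is sent when get_results() is called.
    """
    product = "demo"

    def __init__(self, backend):
        self._backend = backend  # callable(query_string) -> list of records
        self._pending = {}       # tag -> list of process names to search for

    def process_search(self, tag, query):
        self._pending.setdefault(tag, []).append(query)

    def nested_process_search(self, tag, queries):
        for query in queries:
            self.process_search(tag, query)

    def merged_query(self):
        # one OR'd query across every queued search
        return " OR ".join(f"({q})" for qs in self._pending.values() for q in qs)

    def get_results(self):
        records = self._backend(self.merged_query())
        results = {tag: [] for tag in self._pending}
        # split the combined answer back out by the sub-query each record matched
        for rec in records:
            for tag, queries in self._pending.items():
                if rec["matched"] in queries:
                    results[tag].append(rec)
        self._pending.clear()
        return results


def load_product(name, module=None):
    """Find the Product subclass whose `product` attribute equals name."""
    module = module or sys.modules[__name__]
    for _, cls in inspect.getmembers(module, inspect.isclass):
        if issubclass(cls, Product) and cls is not Product and cls.product == name:
            return cls
    raise KeyError(f"unknown product: {name}")


def demo():
    """Run three tagged searches as one backend call; return (results, call count)."""
    events = [  # constructed sample telemetry
        {"process_name": "powershell.exe", "host": "ws1"},
        {"process_name": "cmd.exe", "host": "ws2"},
        {"process_name": "notepad.exe", "host": "ws3"},
    ]
    calls = []

    def backend(query):  # stands in for the EDR API; records every call made
        calls.append(query)
        names = [clause.strip("() ") for clause in query.split(" OR ")]
        return [dict(e, matched=e["process_name"]) for e in events
                if e["process_name"] in names]

    product = load_product("demo")(backend)
    product.process_search("shells", "powershell.exe")
    product.nested_process_search("shells", ["cmd.exe"])
    product.process_search("editors", "notepad.exe")
    return product.get_results(), len(calls)


if __name__ == "__main__":
    results, ncalls = demo()
    print(f"backend calls: {ncalls}")
    for tag, recs in results.items():
        print(f"{tag}: {len(recs)} result(s)")
```

The loader only needs a class with a unique `product` value to exist in the module; nothing in the caller branches on which product is in use, which is the decoupling the refactor aims for.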