redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License

[BUG] AccountId or SiteId must be specified within the config file for SentinelOne #75

Closed xC0uNt3r7hr34t closed 1 year ago

xC0uNt3r7hr34t commented 2 years ago

The existing code has checks for verifying that an AccountId or SiteId exists in the config file regardless of whether an AccountId or SiteId was specified in the command line arguments for SentinelOne.

Command:

py .\surveyor.py --profile default --query 'SrcProcName containsCIS \"explorer.exe\"' s1 --creds <cred-file> --account-id <account_id>

Output when no ID is in config file:

Usage: surveyor.py s1 [OPTIONS]
Try 'surveyor.py s1 -h' for help.

Error: S1 configuration invalid, specify a site_id or account_id

Log file:

[2022-09-27 12:41:44,998] [DEBUG   ] [surveyor.s1                         ] [common.py           :48  ] Authenticating to s1
[2022-09-27 12:41:44,999] [ERROR   ] [surveyor                            ] [surveyor.py         :234 ] S1 configuration invalid, specify a site_id or account_id
Traceback (most recent call last):
  File "C:\run-surveyor\surveyor.py", line 232, in survey
    product = get_product_instance(product, **kwargs)
  File "C:\run-surveyor\load.py", line 64, in get_product_instance
    return subclass(**kwargs)
  File "C:\run-surveyor\products\sentinel_one.py", line 63, in __init__
    super().__init__(self.product, profile, **kwargs)
  File "C:\run-surveyor\common.py", line 49, in __init__
    self._authenticate()
  File "C:\run-surveyor\products\sentinel_one.py", line 133, in _authenticate
    raise ValueError(f'S1 configuration invalid, specify a site_id or account_id')
ValueError: S1 configuration invalid, specify a site_id or account_id

Output for accountId in config file and siteId in cmdline argument:

Query runs but incorrectly. Log file shows query as:

[2022-09-27 12:48:40,935] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :453 ] Query params: {'accountIds': ['REDACTED'], 'fromDate': 1663087720934, 'isVerbose': False, 'queryType': ['events'], 'limit': 20000, 'toDate': 1664297320935, 'query': 'SiteID in contains ("REDACTED", "REDACTED") AND (SrcProcName containsCIS "explorer.exe")'}

Expected behavior:

Any combination of accountid and siteid should be allowed, whether specified in cmdline arguments or config file. Only one is required for a successful query. The config should likely be queried first and then command line arguments added to the query from the config.
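As an added example (not surveyor's own code) of the config-first, CLI-added merge described in this issue: the function names and the `account_id`/`site_id` config keys are assumptions, and the query-parameter shape mirrors the log line quoted above.

```python
# Added example, not surveyor's own code. resolve_s1_scope/build_s1_query and
# the config keys "account_id"/"site_id" are hypothetical names.
from typing import Dict, List, Optional


def _as_list(value) -> List[str]:
    """Normalise a config/CLI value (None, str or list) to a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v) for v in value]


def resolve_s1_scope(config: Dict[str, object],
                     cli_account_id: Optional[str] = None,
                     cli_site_id: Optional[str] = None) -> Dict[str, List[str]]:
    """Merge scope: config-file ids first, then command-line ids appended.

    Raises ValueError only when *neither* source supplies an account or site
    id, instead of insisting that the id be present in the config file.
    """
    account_ids = _as_list(config.get("account_id"))
    site_ids = _as_list(config.get("site_id"))
    for cli_id in _as_list(cli_account_id):
        if cli_id not in account_ids:
            account_ids.append(cli_id)
    for cli_id in _as_list(cli_site_id):
        if cli_id not in site_ids:
            site_ids.append(cli_id)
    if not account_ids and not site_ids:
        raise ValueError("S1 configuration invalid, specify a site_id or account_id")
    return {"accountIds": account_ids, "siteIds": site_ids}


def build_s1_query(scope: Dict[str, List[str]], query: str) -> Dict[str, object]:
    """Build query params in the shape seen in the issue's log line:
    accountIds as a parameter, site ids folded into the query string."""
    params: Dict[str, object] = {"query": query}
    if scope["accountIds"]:
        params["accountIds"] = list(scope["accountIds"])
    if scope["siteIds"]:
        quoted = ", ".join(f'"{s}"' for s in scope["siteIds"])
        params["query"] = f"SiteID in contains ({quoted}) AND ({query})"
    return params
```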