tobor88 / CybereasonAPI

PowerShell module containing commands to easily interact with the Cybereason API.
https://www.cybereason.com/
GNU General Public License v3.0

Error with TFA and non API account #1

Open posh-man opened 3 years ago

posh-man commented 3 years ago

**Describe the bug**
It looks like the Cybereason API will not work with a TFA account, and the account used must be an API account.

**To Reproduce**
I added the following code to the Connect-CybereasonAPI function:

```powershell
[Parameter(
    Position=4,
    Mandatory=$true,
    ValueFromPipeline=$False, # End Parameter
    HelpMessage="`n[H] Enter the code on your google authenticator")]
[String]$Authenticator,
```

I then added the following code to the same function

```powershell
$Body = @{
    username="$Username"
    password="$Passwd"
    totpCode="$Authenticator"
}
```

This produces a result of:

```
[*] Successfully created an authenticated session to the Cybereason API.
```

However any other functions produce the following error:

```
ConvertFrom-Json : Invalid JSON primitive: .
At line:12 char:29
$Response.Content | ConvertFrom-Json | ForEach-Object {

    CategoryInfo          : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
    FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand
```

The only exception to this behavior is the Get-CybereasonThreatIntel function.

**Expected behavior**
It would be nice to be able to have TFA to access these APIs and not be required to use an API account. For automation it is clear that TFA is not going to work; however, for single use case or manned scripting TFA should be available.

**Desktop**
 - OS: Windows 10

**Additional Considerations**
The API from Cybereason seems to have the ability to take TFA, so this may be a simple fix of adding in the functionality.

tobor88 commented 3 years ago

Thanks @posh-man for the issue request! I have added your additions and some other appropriate changes into the cmdlet for "Connect-CybereasonAPI" and made a note of the specifics in its help section. I will update the README as well with this and the below information.

The reason for this issue has to do with the Cybereason API. I am going to leave this open in case they ever update this as a reminder for myself to check every so often.

**DETAILED EXPLANATION**
Cybereason has two permission types that can communicate with the API. There is an API user, which needs to be created manually, and a GUI user. A user who has the ability to sign into the Cybereason Web GUI can perform queries against the main Cybereason API site. This is their https://sage.cybereason.com/rest/ site. That same user, however, is not able to perform queries that, for example, affect isolation rules or other Malop related tasks. These queries get performed against your organization's Cybereason server https://organization-code.cybereason.com/rest/. (This URL value would be whatever value you enter into the -Server switch parameter in the Connect-CybereasonAPI cmdlet.) Only the created API user, who does not have permissions to sign into the Cybereason Web GUI, is able to perform actions dealing with Malops and Isolation rules.
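
The failure reported in this issue (a login that reports success, followed by `ConvertFrom-Json : Invalid JSON primitive` on later calls) can be surfaced with a clearer message by checking each response body before parsing it. The following is an added example and is not code from the CybereasonAPI module or from either commenter; the function name `ConvertFrom-ApiResponse`, the endpoint string and both sample responses are hypothetical and constructed, and the HTML body is only an assumption about what a non-JSON reply might look like.

```powershell
# Added example: hypothetical helper, not part of the CybereasonAPI module.
function ConvertFrom-ApiResponse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [PSObject]$Response,   # Exposes StatusCode, Headers and Content, like Invoke-WebRequest output

        [Parameter(Mandatory=$true)]
        [String]$Endpoint      # Used only to build the error text
    )

    $ContentType = [String]$Response.Headers['Content-Type']
    $Trimmed     = ([String]$Response.Content).TrimStart()

    # A JSON document starts with '{' or '['. An empty body or an HTML page is
    # what makes ConvertFrom-Json throw "Invalid JSON primitive".
    $LooksLikeJson = $Trimmed.StartsWith('{') -or $Trimmed.StartsWith('[')

    if (-not $LooksLikeJson) {
        $Preview = $Trimmed.Substring(0, [Math]::Min(40, $Trimmed.Length))
        throw "Non-JSON reply from $Endpoint (HTTP $($Response.StatusCode), Content-Type '$ContentType', body starts '$Preview'). The session may not be authorized for this endpoint; check whether an API user is required."
    }

    $Trimmed | ConvertFrom-Json
}

# Constructed sample responses (not captured from a real server)
$Good = [PSCustomObject]@{
    StatusCode = 200
    Headers    = @{ 'Content-Type' = 'application/json' }
    Content    = '{"status":"SUCCESS","data":[]}'
}
$Bad = [PSCustomObject]@{
    StatusCode = 200
    Headers    = @{ 'Content-Type' = 'text/html' }
    Content    = '<!DOCTYPE html><html><body>Login</body></html>'
}

# Parses normally and prints the status field
(ConvertFrom-ApiResponse -Response $Good -Endpoint '/rest/example').status

# Fails with a message naming the endpoint instead of a bare JSON parser error
try {
    ConvertFrom-ApiResponse -Response $Bad -Endpoint '/rest/example'
} catch {
    Write-Warning $_.Exception.Message
}
```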

tobor88 commented 3 years ago

Hey, just letting you know I did not realize I missed something in the MFA PowerShell code. There are two separate requests that needed to be set as well as another header value. I updated this on GitHub as well as PowerShell Gallery in Module version 1.0.3.

Robert H. Osborne President, OsbornePro LLC. Executive Operations
