
surveyor's Issues

Have a master exit key

Which category is the feature part of?

  • Code Feature - impacts all products

Use Cases
Quit surveyor without quitting the terminal so you can change your query.

Proposal
Be able to have a master exit key in the event that you want to quit surveyor from running. Currently doing CTRL+C will quit the current search term, but it will still iterate over the rest of the definition files and queries. If I realize I made a mistake in my query (i.e. forgot to put a days tag or other filter) and wanted to quit surveyor, there is no good clean way to do that.

Additional context
Add any other context or screenshots about the feature request here.

Duplicates

When running this script I get an output file filled with duplicate entries. I don't mean 1 or 2 duplicates, I mean like 40 or 50 duplicates, making my output file 10 MB before I edit it down.

Is there something that can be done with the script to eliminate duplicates?

[FR] Document Supported Definition File Fields

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases

Proposal
Document supported definition file fields. Currently, there is no easy way to tell what fields are supported by surveyor in general vs. what each EDR is able to use.

Additional context
N/A

New: vuln-drivers definition file

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Create a definition file of vulnerable drivers based on Microsoft's WDAC policy

Additional context
Add any other context or screenshots about the feature request here.

Add Ability to Parse YAML files

Which category is the feature part of?

  • Code Feature - impacts all products

Use Cases
Added a check and ability to load YAML files as an alternative to using JSON definition files. The test.json file should be deleted as it was a file created to test certain circumstances that show it works as expected.

Proposal
@tvjust I fixed the code for this, but I don't have permissions. :( This should go at line 206, just below setting the file_type variable. I also ported critical_processes.json to YAML and would like to get that pushed up too.


```python
import json
import sys

import yaml  # PyYAML

# Try the definition file as JSON first, then fall back to YAML.
with open(definition_file, 'r') as fh:
    contents = fh.read()
    try:
        programs = json.loads(contents)
    except json.JSONDecodeError:
        try:
            programs = yaml.safe_load(contents)
        except yaml.YAMLError:
            log("Unable to load config file as either JSON or YAML")
            sys.exit(1)
```

Additional context
Add any other context or screenshots about the feature request here.

New Product: ATP Support

Which category is the feature part of?

  • New product support

Use Cases

Proposal
Determine if it is possible to add support for ATP.

Additional context
Add any other context or screenshots about the feature request here.

Add Timestamps to Output

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases
Should add timestamp to everything in the CSV.

Proposal
A clear and concise description of what you want to happen.

Additional context
Add any other context or screenshots about the feature request here.

[BUG]

Describe the bug
A clear and concise description of what the bug is.

What side of Surveyor is impacted?

  • Definition File
  • Code/Logic

What product is impacted?

  • Carbon Black Response
  • Carbon Black Threat Hunter
  • Other

To Reproduce
What did you do?
What is the command line you're running that is causing the error?
Command line '...'

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Update: active-directory definition file

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Update the contents of the active-directory definition file

Additional context
Add any other context or screenshots about the feature request here.

[FR] Implement Threading Queries

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases
For large definition files, having the ability to run threads concurrently prevents the script from getting hung up on a single noisy entry.

Proposal
Enable threading to allow multiple queries to be run concurrently.

Additional context
N/A

[BUG] OSX process names with spaces

Processes on OSX with a space in their name get missed in the search. Doing a quick test with the API, I see that if I enclose the process in quotes, I get results:
len( CbResponseAPI().select(Process).where('process_name:"Google Chrome"'))

whereas with no quotes, like:
len(CbResponseAPI().select(Process).where('process_name:Google Chrome'))
it returns 0 results.

It seems the JSON file does not like the additional quotes, and I could not find the proper place in the script to attempt to encapsulate the process name with some additional formatting.
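The quoting the reporter found by hand, as an added example that is not part of the original issue or of Surveyor's code: a small renderer that turns one definition-file entry (the format shown elsewhere on this page) into a Cb Response query, quoting any value that contains whitespace. The function names and the backslash escaping of embedded quotes are assumptions.

```python
# Added example, not Surveyor's own code: render a definition-file entry into a
# Cb Response query, quoting process names that contain whitespace so that
# "Google Chrome" is searched as a single phrase rather than two terms.
# The field names follow the definition-file format shown on this page;
# the function names are assumed.

def cbr_term(field, value):
    """Return a single field:value term, quoting the value if it contains whitespace."""
    value = str(value).strip()
    if not value:
        raise ValueError(f"empty value for field {field!r}")
    if any(ch.isspace() for ch in value):
        # Assumption: embedded double quotes are escaped with a backslash.
        escaped = value.replace('"', '\\"')
        return f'{field}:"{escaped}"'
    return f"{field}:{value}"

def definition_to_cbr_query(entry):
    """OR together every field/value pair of one definition-file entry.

    entry looks like {"process_name": ["Google Chrome", "Safari"]}; a bare
    string value is treated as a one-element list.
    """
    terms = []
    for field, values in entry.items():
        if isinstance(values, str):
            values = [values]
        terms.extend(cbr_term(field, v) for v in values)
    if not terms:
        raise ValueError("definition entry has no search terms")
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

# Constructed sample entry mirroring the bug report.
SAMPLE_ENTRY = {"process_name": ["Google Chrome", "explorer.exe"]}

if __name__ == "__main__":
    print(definition_to_cbr_query(SAMPLE_ENTRY))
```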

[BUG] AT.exe in 2 definition files

Describe the bug
AT.exe is located in both Admin Utils and System Utils definition files. Shouldn't it only be included in one for clarity?

What side of Surveyor is impacted?

  • Definition File

To Reproduce
--deffile system-utils.json
--deffile admin-utils.json

[FR] Implement MyPy

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases
Assists with proactively identifying bugs and type/error checking

Proposal
Implement MyPy for type/error checking

Additional context
N/A

Update: admin-utils definition file

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Update the contents of the admin-utils definition file

Additional context
Add any other context or screenshots about the feature request here.

[BUG] KeyError when no profile is specified

A KeyError occurs when --profile is not specified. Expected behavior is that the "default" profile will be used when no other profile is specified.

Command Line

py .\surveyor.py --query 'SrcProcName containsCIS \"explorer.exe\"' s1 --creds <cred-file>

Cred File

[default]
url=https://usea1-dfir.sentinelone.net
token=<api token>
account_id=<account-id>

Output/Error

Traceback (most recent call last):
  File "C:\run-surveyor\surveyor.py", line 386, in <module>
    cli()
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\site-packages\click\core.py", line 1128, in __call__
    return self.main(*args, **kwargs)
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\site-packages\click\core.py", line 1053, in main
    rv = self.invoke(ctx)
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\site-packages\click\core.py", line 1659, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\site-packages\click\core.py", line 1395, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\site-packages\click\core.py", line 754, in invoke
    return __callback(*args, **kwargs)
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\site-packages\click\decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "C:\run-surveyor\surveyor.py", line 154, in s1
    survey(ctx, 's1')
  File "C:\run-surveyor\surveyor.py", line 232, in survey
    product = get_product_instance(product, **kwargs)
  File "C:\run-surveyor\load.py", line 64, in get_product_instance
    return subclass(**kwargs)
  File "C:\run-surveyor\products\sentinel_one.py", line 74, in __init__
    if 'account_id' in config[profile] and config[profile]['account_id'] not in account_ids:
  File "C:\Users\<redacted user>\AppData\Local\Programs\Python\Python310\lib\configparser.py", line 964, in __getitem__
    raise KeyError(key)
KeyError: None

Update: system-utils definition file

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Update the contents of the system-utils definition file

Additional context
Add any other context or screenshots about the feature request here.

Requesting automatic termination of search after x time or y results

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases

Surveyor results can take anywhere from seconds to hours/days/++ to return results. If a search process is interrupted by system sleep, results gathering crashes and potential hits may be lost.

Proposal
A clear and concise description of what you want to happen.

Create a process based on results, time, both, or something else that automatically terminates after some criteria are met and then steps to the next environment.

Additional context
Add any other context or screenshots about the feature request here.

[BUG] Setup Fails on Fresh Install

Describe the bug
setup.py was failing because of an error on the line for file in os.scandir(''): according to the traceback.
Additionally, the install_requires is failing on version checking.

What side of Surveyor is impacted?

  • Definition File
  • Code/Logic

What product is impacted?

  • Carbon Black Response
  • Carbon Black Threat Hunter
  • Other

To Reproduce
What did you do?
When installing the app for the first time with setup.py install the process fails with a traceback.

Expected behavior
It should install all the dependencies and finish the install.

Screenshots
I don't have any screenshots.

Additional context
None.

Add Regex and full query functionality for definition files

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • SentinelOne

Use Cases

  • regex can be used for searching for binaries in suspicious locations or finding uniquely named binaries.
  • a list of pre-defined queries can be added to a definition file for faster baselining/hunting instead of using the --query option multiple times.

Proposal
The ability to define regex strings for parameters in a definition file should be added. In addition the ability to define full queries in definition files should be added so a list of multiple pre-defined queries can be run in succession easily. It is recommended these features also be added to other platforms where supported.

FEATURE: Adding target for the group

Which category is the feature part of?

  • Carbon Black Response

Use Cases
Added the feature where analysts can target a specific CbR group. Minor fix with the help message for the minutes arg.

Proposal
Add a --group option to specify the sensor group.

Additional context
#18

Group time boundary options

At present, we do not prevent the user from inputting both --days and --minutes. The user should only be able to enter one of these.

Make this a mutually exclusive group.

[BUG] DFE Returning Incomplete Data

Describe the bug
When running a query searching for filemods, the returned data doesn't include the responsible process or process command line.

What side of Surveyor is impacted?

  • Definition File
  • Code/Logic

What product is impacted?

  • Carbon Black Response
  • Carbon Black Threat Hunter
  • Defender for Endpoints
  • SentinelOne
  • Other

To Reproduce
What did you do?
What is the command line you're running that is causing the error?
python surveyor.py --deffile test.json dfe --creds credentials.ini

Contents of test.json

{
  "Test for PS Scripts":{
    "filemod":["__PSScriptPolicytest"]
  }
}

Expected behavior
When querying for a filemod, results should include info on the responsible process.

Screenshots
N/A

Additional context
Based on the logs, this is the generated KQL query

union DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo, DeviceEvents
| where FileName contains "__PSScriptPolicytest"
| project DeviceName, AccountName, ProcessCommandLine, FolderPath, Timestamp 

[BUG] S1 SiteID Parameter Required?

Problem Description

Per help docs, either siteID or accountID is required (not both).

However, this line requires a siteID to be given or it errors out:

site_response_data = self._get_all_paginated_data(self._build_url('/web/api/v2.1/sites'),

Error message if no siteID defined:

python surveyor.py --deffile remoteadmin.json  --profile test --prefix test_s1 s1 --creds <REDACTED>
Traceback (most recent call last):
  File "/Users/<REDACTED>/Documents/Github/surveyor/surveyor.py", line 386, in <module>
    cli()
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/Users/<REDACTED>/Documents/Github/surveyor/surveyor.py", line 154, in s1
    survey(ctx, 's1')
  File "/Users/<REDACTED>/Documents/Github/surveyor/surveyor.py", line 232, in survey
    product = get_product_instance(product, **kwargs)
  File "/Users/<REDACTED>/Documents/Github/surveyor/load.py", line 37, in get_product_instance
    return subclass(**kwargs)
  File "/Users/<REDACTED>/Documents/Github/surveyor/products/sentinel_one.py", line 87, in __init__
    site_response_data = self._get_all_paginated_data(self._build_url('/web/api/v2.1/sites'),
  File "/Users/<REDACTED>/Documents/Github/surveyor/products/sentinel_one.py", line 267, in _get_all_paginated_data
    response.raise_for_status()
  File "/Users/<REDACTED>/Documents/virtual_env/lib/python3.9/site-packages/requests/models.py", line 960, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: BAD REQUEST for url: https://<REDACTED>.sentinelone.net/web/api/v2.1/sites?siteIds=&limit=1000

Cred file used:

[test]
url=https://<REDACTED>.sentinelone.net
token=<REDACTED>
account_id=<REDACTED>

Proposed Solution

Edit the code to make siteID optional

Workaround?

Ensure site IDs are defined either in the cmdline or cred file

New Product: Support for SentinelOne

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases
SentinelOne supports fetching telemetry data from "Deep Visibility" through their API. It would be great to be able to run similar hunts and baselining strategies against SentinelOne EDR data.

Proposal
Evaluate the integration with SentinelOne and determine what capabilities exist similar to Carbon Black integration.

Additional context
Add any other context or screenshots about the feature request here.

Update: remote-admin definition file

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Update the contents of the remote-admin definition file

Additional context
Add any other context or screenshots about the feature request here.

[FR] Add support for criteria-level query customization

When running Surveyor, it may be desirable to customize the query at runtime to make results more accurate.

As an example, when searching for instances of the net.exe command, one may want to exclude processes where the command line includes the parameter "TPAutoConnSvc". In Cb Response queries, this would require appending "-cmdline:TPAutoConnSvc" to the net.exe query at runtime.

Surveyor - query error

The surveyor script works fine when using definition files.

/opt/surveyor# python3 surveyor.py --deffile definitions/file-transfer.json
Processing definition file for definitions/file-transfer.json
-->CyberDuck: 0 results
-->Filezilla: 0 results
-->FTP: 4 results
-->pushd: 0 results
-->robocopy: 4 results
-->SCP: 17 results
-->SFTP: 0 results

When we attempt to perform a query using the --query option, we get the error below:

/opt/surveyor# python3 surveyor.py --query 'process_name:explorer.exe AND username:joebob'
Running Query: process_name:explorer.exe AND username:joebob
Traceback (most recent call last):
File "surveyor.py", line 154, in
cli()
File "/usr/lib/python3/dist-packages/click/core.py", line 764, in call
return self.main(*args, **kwargs)
File "/usr/lib/python3/dist-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/usr/lib/python3/dist-packages/click/core.py", line 1114, in invoke
return Command.invoke(self, ctx)
File "/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/usr/lib/python3/dist-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "surveyor.py", line 93, in cli
if utils.validate_input(query, hostname, username):
TypeError: validate_input() missing 2 required positional arguments: 'days' and 'minutes'

Version information below:

uname -a
Linux kali 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux

python3 -V
Python 3.7.6

[BUG] CbC Throws Error When Running Query

Describe the bug
Running surveyor for cbc errors out without providing any results.

What side of Surveyor is impacted?

  • Definition File
  • Code/Logic

What product is impacted?

  • Carbon Black Response
  • Carbon Black Threat Hunter
  • Other

To Reproduce
What did you do?
Ran the following command line:
python surveyor.py --query "process_name:firefox.exe" --days 7 cbc

And generated the errors

Caught AttributeError (see log for details): 'Process' object has no attribute 'process_cmdline'

and

Traceback (most recent call last):
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/requests/models.py", line 910, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/local/Cellar/[email protected]/3.9.12/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/local/Cellar/[email protected]/3.9.12/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/Cellar/[email protected]/3.9.12/Frameworks/Python.framework/Versions/3.9/lib/python3.9/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/cbc_sdk/connection.py", line 457, in get_object
    return result.json()
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/requests/models.py", line 917, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: [Errno Expecting value] <!DOCTYPE html><html><head><title>Carbon Black Cloud</title><link rel="shortcut icon" href="/assets/favicon.ico"><link rel="icon" href="/assets/favicon.svg" type="image/svg+xml"><link rel="icon" type="image/png" href="/assets/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/assets/favicon-32x32.png" sizes="32x32"><link rel="stylesheet" rel="prefetch" href="/assets/fonts/styles.css?v=7"><link rel="stylesheet" rel="prefetch" href="/assets/fonts/opensans/styles.css?v=27"><link rel="stylesheet" rel="prefetch" href="/assets/react-console.css"><meta name="viewport" content="width=device-width,user-scalable=no,initial-scale=1,minimum-scale=1,maximum-scale=1"><meta name="robots" content="noindex,nofollow"><meta http-equiv="Content-Security-Policy" content="script-src 'self' https://matomo.esp.vmware.com"><meta charset="utf-8"></head><body><div id="app"></div><script type="text/javascript" rel="prefetch" src="/store_bundle.475eb221afa243072aa2.js"></script><script type="text/javascript" rel="prefetch" src="/elements_bundle.737fa667b711dd6d3d2e.js"></script><script type="text/javascript" rel="prefetch" src="/moment_bundle.995e58bb9d6730d0fd2f.js"></script><script type="text/javascript" rel="prefetch" src="/reactdom_bundle.c28f94f00fc28cde13ac.js"></script><script type="text/javascript" rel="prefetch" src="/vendor_bundle.1ac104122cb205e760ae.js"></script><script type="text/javascript" rel="prefetch" src="/main_bundle.c25079d8caf7652cbc49.js"></script></body></html><!-- 781ee57dcc77e191c4e4c64bbe5c79857412f8fc --><!-- 2022-10-25T11:57:04-04:00 -->: 0

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/[REDACTED]/surveyor/surveyor.py", line 289, in survey
    product.process_search(Tag('query'), base_query, opt.query)
  File "/Users/REDACTED/surveyor/products/vmware_cb_enterprise_edr.py", line 86, in process_search
    result = Result(proc.device_name, proc.process_username[0], proc.process_name, proc.process_cmdline[0],
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/cbc_sdk/base.py", line 442, in __getattr__
    self._refresh()
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/cbc_sdk/base.py", line 524, in _refresh
    self._info = self._parse(self._retrieve_cb_info())
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/cbc_sdk/base.py", line 539, in _retrieve_cb_info
    return self._cb.get_object(request_uri)
  File "/Users/REDACTED/surveyor/venv/lib/python3.9/site-packages/cbc_sdk/connection.py", line 459, in get_object
    raise ServerError(result.status_code, "Cannot parse response as JSON: {0:s}".format(result.content))
TypeError: unsupported format string passed to bytes.__format__

Expected behavior
Not to error out

Screenshots
N/A

Additional context
N/A

Add additional parameter mappings and output fields for SentinelOne

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • SentinelOne

Use Cases
Requesting additional mappings for parameter conversion when using definition files. This will expand the search capabilities for the product. In the same way more fields should be added to give larger context to returned results in the output to csv.

Additional context
StorylineID is a key component to pivot when hunting or baselining an environment and is crucial to the output to eliminate the need to return all data to the csv.

Installation Error

I'm getting an error when trying to install Surveyor. After I run the command "python setup.py develop" I get the following:

build/temp.linux-x86_64-2.7/_openssl.c:434:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.
error: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

[BUG] Base query filter and query string not being concatenated with an operator causing invalid query

When using filter options in command line arguments along with --query, the operator is missing between the filter (base_query) and the specified query string. Any base query filters should use the 'AND' operator to combine these queries.

It is preferred to put the base query filters in their own parenthesis in case OR operators are used in a definition file or --query string. Without these parenthesis, an issue could occur when using OR operators other places in the query.

EXAMPLE FINISHED QUERY:
SiteId in contains ("site_id") AND (SrcProcName containsCIS "code.exe" or SrcProcName containsCIS "git.exe") AND (UserName containsCIS "username" AND EndpointName containsCIS "computer_name")

Command Line
py .\surveyor.py --username 'redacted-user' --profile default --query 'SrcProcName containsCIS \"explorer.exe\"' s1 --creds <cred-file>

py .\surveyor.py --username 'redacted-user' --hostname 'hostname' --profile default --deffile sysinternals.json s1 --creds <cred-file>

Output
Running Custom Query: SrcProcName containsCIS "explorer.exe"
Built Query: SrcProcName containsCIS "explorer.exe" UserName containscis "redacted-user"
Caught ValueError (see log for details): S1 could not parse query "SiteID in contains ("REDACTED", "REDACTED") AND (SrcProcName containsCIS "explorer.exe" UserName containscis "redacted-user")"

If possible it would be nice to not need to escape quotes in the query string, but I am not sure if this is a limitation with how variables are being stored.
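The grouping proposed above, as an added example that is not part of the original issue or of Surveyor's code: a query builder that joins the site filter, the user query and the base-query filters with explicit AND operators, each group in its own parentheses. The S1QL field names are taken from the sample query; the function and parameter names, and the backslash escaping of embedded quotes, are assumptions.

```python
# Added example, not Surveyor's own code: join the base-query filters and the
# user-supplied S1QL query with explicit AND operators, each group in its own
# parentheses, as this report proposes. Field names come from the report's
# sample query; the function and parameter names are assumed.

def _quoted(value):
    """Wrap a value in double quotes, escaping embedded quotes (assumed S1QL escaping)."""
    return '"' + str(value).replace('"', '\\"') + '"'

def build_s1_query(site_ids, user_query, username=None, hostname=None):
    """Return the finished S1QL query.

    Layout: <site filter> AND (<user query>) AND (<hostname/username filters>)
    Wrapping the user query keeps an OR inside it from absorbing the filters.
    """
    if not user_query or not user_query.strip():
        raise ValueError("query string must not be empty")
    if not site_ids:
        raise ValueError("at least one site id is required")

    # Site scope, quoting each id.
    parts = ["SiteId in contains (" + ", ".join(_quoted(s) for s in site_ids) + ")"]

    # The user query (from --query or a definition file) is one unit.
    parts.append("(" + user_query.strip() + ")")

    # Base-query filters from the command line, grouped separately.
    filters = []
    if username:
        filters.append("UserName containsCIS " + _quoted(username))
    if hostname:
        filters.append("EndpointName containsCIS " + _quoted(hostname))
    if filters:
        parts.append("(" + " AND ".join(filters) + ")")

    return " AND ".join(parts)

if __name__ == "__main__":
    print(build_s1_query(["site_id"],
                         'SrcProcName containsCIS "code.exe" or SrcProcName containsCIS "git.exe"',
                         username="username", hostname="computer_name"))
```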

[FR] Add Support for JSON Output

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases

  • Ability to dump all fields returned by an EDR and not be limited to those supported by the preset CSV columns
  • This data could then be pushed to a SIEM (e.g. Elastic) for further processing/searching

Proposal
Add a --json output option to dump all fields returned by an EDR. However, default output would stay as CSV

Additional context
N/A

New: Recommended App Blocks

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Based on Microsoft's recommended list of applications to block via WDAC, a definitions file should be created to search an environment for execution. By baselining with this definition file, an org can determine which applications may be impacted if they were to be blocked or which applications could be easily blocked.

Additional context
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Add Splashtop to the remote-admin definitions.

Which category is the feature part of?

  • Definition File

Use Cases
Add Splashtop to the remote-admin definitions.

Proposal

```json
{
    "Splashtop": {
        "process_name": ["srmanager.exe",
                         "strwinclt.exe"]
    }
}
```

Additional context
Add any other context or screenshots about the feature request here.

[FR] Implement CbC SDK

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases

Proposal
Currently, CbR and CbC are only supported on python 3.9 due to the cbapi dependency. However, CbC now has its own SDK that is not restricted by the python version.

The two products should be separated where CbC querying requires the newer SDK and CbR uses the legacy cbapi.

[FR] Create Spec Tests

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1

Use Cases
Develop a way to ensure as new features get added, the original/core functionality is not negatively impacted.

Proposal
Create unit/spec test for key components of surveyor to make sure each function works as expected

Additional context
N/A

[feature] Make output file configurable

Currently the output CSV file is located in the same directory that surveyor is run from. However, sometimes people might want to store output CSV files in a specific location for organizational purposes.

Ask: Allow users to input an output file location to store the CSV output in a different location.

[feature] Show a progress bar when processing deffiles

Which category is the feature part of?

  • Code Feature - impacts all products

Use Cases
When running surveyor against defdirs or deffiles it's not always clear to see how much longer it'll run or how many more files/queries it should go through. Having a progress bar can give some insight into where surveyor is holding.

Update process mappings with new driver key value

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support
  • S1
  • MDE

Use Cases
With the new definition file regarding vulnerable drivers we have to add the key for hash to the process mapping for how each EDR calls the hashes.

Proposal
A clear and concise description of what you want to happen.

Additional context
Add any other context or screenshots about the feature request here.

Ability to output simplified results

We don't want or need to output the command-line for all use cases. Many times, we use Surveyor to ask simple questions like "How many of $thing do I have?" In these cases we can make use of simplified output that provides source, application, path and hostname (or something along these lines).

[BUG] --query switch does not work properly with SentinelOne

Code is missing the ability to properly convert the --query option to SentinelOne S1QL query language. ProcessName search is not currently supported with --query. Additionally, it is recommended that containsCIS or contains anycase be used in most or all cases for best search results.

This can be reproduced by using the --query parameter when running surveyor against SentinelOne.

[BUG] IOC files do not work with S1 and DFE

Describe the bug
IOC files do not utilize a conversion to the proper fields when calling the process_search functions. A new function or additional code to reference the conversion fields needs to be added for using IOC files.

What side of Surveyor is impacted?

  • Definition File
  • Code/Logic

What product is impacted?

  • Carbon Black Response
  • Carbon Black Threat Hunter
  • Defender for Endpoints
  • SentinelOne
  • Other

To Reproduce
Run against the S1 or DFE product with ioctype set to ipaddr and an iocfile containing only IPs, one per line.

Expected behavior
A query is built out to search for any of the specified IPs or IOCs.
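The two SentinelOne/Defender issues above (the --query conversion and the IOC file handling) both come down to the same missing step: translating an IOC type or a process name into the field and operator each product expects. The following is an added illustration of that translation, not surveyor's own code; the field names in FIELD_MAP, the exact S1QL and KQL operator spellings, and the sample IOC file are assumptions made for this example and should be checked against the vendor query documentation before use.

```python
"""Build per-product search clauses from an IOC file or a process name.

Added illustration only; not part of surveyor. FIELD_MAP, the operator
syntax and SAMPLE_IOC_FILE are assumptions for this example.
"""
from typing import Dict, List

# Assumed ioctype -> field mapping per product (hypothetical, for illustration).
FIELD_MAP: Dict[str, Dict[str, str]] = {
    "s1": {
        "ipaddr": "DstIP",
        "domain": "DnsRequest",
        "md5": "SrcProcImageMd5",
        "process_name": "SrcProcName",
    },
    "dfe": {
        "ipaddr": "RemoteIP",
        "domain": "RemoteUrl",
        "md5": "MD5",
        "process_name": "FileName",
    },
}

# Constructed sample IOC file: one indicator per line, with a comment and a blank line.
SAMPLE_IOC_FILE = """# constructed sample, not real indicators
10.0.0.5
192.0.2.10

198.51.100.7
"""


def load_iocs(text: str) -> List[str]:
    """Return one IOC per non-empty, non-comment line, whitespace stripped."""
    iocs: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            iocs.append(line)
    return iocs


def _quote(value: str) -> str:
    """Quote a value for the query string, escaping embedded double quotes so a
    malformed IOC cannot terminate the literal early."""
    return '"' + value.replace('"', '\\"') + '"'


def build_clause(product: str, ioctype: str, iocs: List[str]) -> str:
    """Return one OR-style membership clause for the given product and IOC type."""
    if not iocs:
        raise ValueError("IOC list is empty")
    try:
        field = FIELD_MAP[product][ioctype]
    except KeyError:
        raise ValueError(f"no field mapping for {product}/{ioctype}") from None
    values = ", ".join(_quote(v) for v in iocs)
    if product == "s1":
        # S1QL: case-insensitive set membership (assumed spelling of the operator).
        return f"{field} in contains anycase ({values})"
    if product == "dfe":
        # KQL: case-insensitive set membership.
        return f"{field} in~ ({values})"
    raise ValueError(f"unsupported product {product}")


def process_name_clause(product: str, name: str) -> str:
    """Translate a plain process-name search into the product's query language."""
    field = FIELD_MAP[product]["process_name"]
    if product == "s1":
        # containsCIS is the case-insensitive substring match the --query issue recommends.
        return f"{field} containsCIS {_quote(name)}"
    if product == "dfe":
        return f"{field} =~ {_quote(name)}"
    raise ValueError(f"unsupported product {product}")


if __name__ == "__main__":
    iocs = load_iocs(SAMPLE_IOC_FILE)
    print(build_clause("s1", "ipaddr", iocs))
    print(build_clause("dfe", "ipaddr", iocs))
    print(process_name_clause("s1", "explorer.exe"))
```

The clause builder is deliberately the only place that knows a product's grammar, so adding a new ioctype is a one-line mapping change rather than another copy of the string formatting.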

[BUG] AccountId or SiteId must be specified within the config file for SentinelOne

The existing code has checks for verifying that an AccountId or SiteId exists in the config file regardless of whether an AccountId or SiteId was specified in the command line arguments for SentinelOne.

Command:

py .\surveyor.py --profile default --query 'SrcProcName containsCIS \"explorer.exe\"' s1 --creds <cred-file> --account-id <account_id>

Output when no ID is in config file:

Usage: surveyor.py s1 [OPTIONS]
Try 'surveyor.py s1 -h' for help.

Error: S1 configuration invalid, specify a site_id or account_id

Log file:

[2022-09-27 12:41:44,998] [DEBUG   ] [surveyor.s1                         ] [common.py           :48  ] Authenticating to s1
[2022-09-27 12:41:44,999] [ERROR   ] [surveyor                            ] [surveyor.py         :234 ] S1 configuration invalid, specify a site_id or account_id
Traceback (most recent call last):
  File "C:\run-surveyor\surveyor.py", line 232, in survey
    product = get_product_instance(product, **kwargs)
  File "C:\run-surveyor\load.py", line 64, in get_product_instance
    return subclass(**kwargs)
  File "C:\run-surveyor\products\sentinel_one.py", line 63, in __init__
    super().__init__(self.product, profile, **kwargs)
  File "C:\run-surveyor\common.py", line 49, in __init__
    self._authenticate()
  File "C:\run-surveyor\products\sentinel_one.py", line 133, in _authenticate
    raise ValueError(f'S1 configuration invalid, specify a site_id or account_id')
ValueError: S1 configuration invalid, specify a site_id or account_id

Output for accountId in config file and siteId in cmdline argument:

The query runs, but incorrectly. The log file shows the query as:

[2022-09-27 12:48:40,935] [DEBUG   ] [surveyor.s1                         ] [sentinel_one.py     :453 ] Query params: {'accountIds': ['REDACTED'], 'fromDate': 1663087720934, 'isVerbose': False, 'queryType': ['events'], 'limit': 20000, 'toDate': 1664297320935, 'query': 'SiteID in contains ("REDACTED", "REDACTED") AND (SrcProcName containsCIS "explorer.exe")'}

Expected behavior:

Any combination of accountid and siteid should be allowed, whether specified in cmdline arguments or the config file. Only one is required for a successful query. The config should likely be queried first and then command line arguments added to the query from the config.
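The expected behaviour described in this report is a small merge-and-validate step: read ids from the config first, append any from the command line, and fail only when neither source yields an account id or a site id. The code below is an added illustration of that logic and is not surveyor's own implementation; the config and CLI key names (account_id, site_id), the accountIds/siteIds request-parameter names and the sample values are assumptions for this example.

```python
"""Resolve SentinelOne account/site scope from a config file and CLI arguments.

Added illustration only; not part of surveyor. Key names and the request
parameter names are assumptions for this example.
"""
from typing import Dict, List, Optional, Union

IdInput = Union[None, str, List[str]]


def _as_list(value: IdInput) -> List[str]:
    """Accept None, a single id, a comma-separated string, or a list of ids."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v).strip() for v in value if str(v).strip()]


def resolve_scope(config: Dict[str, IdInput], cli: Dict[str, IdInput]) -> Dict[str, List[str]]:
    """Merge ids from the config first, then the CLI, preserving order and
    dropping duplicates. Raises only when neither source supplies anything."""
    account_ids: List[str] = []
    site_ids: List[str] = []
    for source in (config, cli):  # config first, command line appended
        for v in _as_list(source.get("account_id")):
            if v not in account_ids:
                account_ids.append(v)
        for v in _as_list(source.get("site_id")):
            if v not in site_ids:
                site_ids.append(v)
    if not account_ids and not site_ids:
        raise ValueError("S1 configuration invalid, specify a site_id or account_id")
    return {"account_ids": account_ids, "site_ids": site_ids}


def query_params(scope: Dict[str, List[str]], query: str, from_ts: int, to_ts: int,
                 limit: int = 20000) -> Dict[str, object]:
    """Build the request body. Scope ids are sent as request parameters rather
    than being spliced into the query string, so the user's query is untouched."""
    params: Dict[str, object] = {
        "query": query,
        "fromDate": from_ts,
        "toDate": to_ts,
        "queryType": ["events"],
        "limit": limit,
        "isVerbose": False,
    }
    if scope["account_ids"]:
        params["accountIds"] = scope["account_ids"]  # assumed parameter name
    if scope["site_ids"]:
        params["siteIds"] = scope["site_ids"]  # assumed parameter name
    return params


if __name__ == "__main__":
    # Constructed sample: account id from the config, site id from the command line.
    scope = resolve_scope({"account_id": "acct-1"}, {"site_id": "site-9"})
    print(query_params(scope, 'SrcProcName containsCIS "explorer.exe"', 1663087720934, 1664297320935))
```

Keeping the ids as request parameters also avoids the situation in the log above, where a site filter was concatenated onto the user's query with AND and silently changed what was searched.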

New Product: Crowdstrike Support

Which category is the feature part of?

  • New product support

Use Cases

Proposal
Determine if it is possible to add support for Crowdstrike.

Additional context
Add any other context or screenshots about the feature request here.

Update: scripting definition file

Which category is the feature part of?

  • Carbon Black Response
  • Threat Hunter
  • Definition File
  • Code Feature - impacts all products
  • New product support

Use Cases

Proposal
Update the contents of the scripting definition file

Additional context
Add any other context or screenshots about the feature request here.

[FR] Add Support for Cortex XDR

Which category is the feature part of?

  • Definition File
  • Code Feature
  • Other (please explain)

Which product is the feature part of?

  • All products
  • Carbon Black Response
  • Threat Hunter
  • Defender for Endpoint
  • Sentinel1
  • Other

Use Cases

Proposal
Add support to query Cortex XDR using native EDR query language or standardized definition file

Additional context
N/A
