Merge pull request #84 from rc-csmith/34_add_sensor_group

Add Enhancements to CbR & CbC
redcanaryco · Dec 8, 2022 · 37a0320 · 37a0320
2 parents 2168ddb + c519c9e
commit 37a0320
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 29 deletions.
diff --git a/products/vmware_cb_enterprise_edr.py b/products/vmware_cb_enterprise_edr.py
@@ -36,6 +36,9 @@ class CbEnterpriseEdr(Product):
     _conn: CBCloudAPI  # CB Cloud API
 
     def __init__(self, profile: str, **kwargs):
+        self._device_group = kwargs['device_group']
+        self._device_policy = kwargs['device_policy']
+
         super().__init__(self.product, profile, **kwargs)
 
     def _authenticate(self):
@@ -67,6 +70,18 @@ def build_query(self, filters: dict):
             else:
                 self._echo(f'Query filter {key} is not supported by product {self.product}', logging.WARNING)
 
+        if self._device_group:
+            device_group = []
+            for name in self._device_group:
+                device_group.append(f'device_group:"{name}"')
+            query_base.and_('(' + ' OR '.join(device_group) + ')')
+
+        if self._device_policy:
+            device_policy = []
+            for name in self._device_policy:
+                device_policy.append(f'device_policy:"{name}"')
+            query_base.and_('(' + ' OR '.join(device_policy) + ')')
+
         return query_base
 
     def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
@@ -123,8 +138,16 @@ def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> N
                 # noinspection PyUnresolvedReferences
                 for proc in process.where(full_query):
                     deets = proc.get_details()
-                    result = Result(deets['device_name'], deets['process_username'][0], deets['process_name'],
-                                    deets['process_cmdline'][0], (deets['device_timestamp'], deets['process_guid'],))
+
+                    hostname = deets['device_name'] if 'device_name' in deets else 'None'
+                    user = deets['process_username'][0] if 'process_username' in deets else 'None'
+                    proc_name = deets['process_name'] if 'process_name' in deets else 'None'
+                    cmdline = deets['process_cmdline'][0] if 'process_cmdline' in deets else 'None'
+                    ts = deets['device_timestamp'] if 'device_timestamp' in deets else 'None'
+                    proc_guid = deets['process_guid'] if 'process_guid' in deets else 'Non'
+
+                    result = Result(hostname, user, proc_name, cmdline, (ts, proc_guid,))
+
                     results.add(result)
             except cbc_sdk.errors.ApiError as e:
                 self._echo(f'CbC SDK Error (see log for details): {e}', logging.ERROR)

diff --git a/products/vmware_cb_response.py b/products/vmware_cb_response.py
@@ -1,31 +1,18 @@
 import logging
-from datetime import datetime, timedelta
 
 from cbapi.response import CbEnterpriseResponseAPI
 from cbapi.response.models import Process
 
 from common import Product, Tag, Result
 
 
-def _convert_relative_time(relative_time):
-    """
-    Convert a Cb Response relative time boundary (i.e., start:-1440m) to a device_timestamp:
-    device_timestamp:[2019-06-02T00:00:00Z TO 2019-06-03T23:59:00Z]
-    """
-    time_format = "%Y-%m-%dT%H:%M:%SZ"
-    minus_minutes = relative_time.split(':')[1].split('m')[0].split('-')[1]
-    end_time = datetime.now()
-    start_time = end_time - timedelta(minutes=int(minus_minutes))
-    device_timestamp = 'device_timestamp:[{0} TO {1}]'.format(start_time.strftime(time_format),
-                                                              end_time.strftime(time_format))
-    return device_timestamp
-
-
 class CbResponse(Product):
     product: str = 'cbr'
     _conn: CbEnterpriseResponseAPI  # CB Response API
 
     def __init__(self, profile: str, **kwargs):
+        self._sensor_group = kwargs['sensor_group']
+
         super().__init__(self.product, profile, **kwargs)
 
     def _authenticate(self):
@@ -51,6 +38,12 @@ def build_query(self, filters: dict) -> str:
             else:
                 self._echo(f'Query filter {key} is not supported by product {self.product}', logging.WARNING)
 
+        if self._sensor_group:
+            sensor_group = []
+            for name in self._sensor_group:
+                sensor_group.append('group:"%s"' % name)            
+            query_base += '(' + ' OR '.join(sensor_group) + ')'
+
         return query_base
 
     def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
@@ -63,7 +56,7 @@ def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
             # noinspection PyUnresolvedReferences
             for proc in self._conn.select(Process).where(query):
                 result = Result(proc.hostname.lower(), proc.username.lower(), proc.path, proc.cmdline,
-                                (proc.start,))
+                                (proc.start, proc.id))
                 results.add(result)
         except KeyboardInterrupt:
             self._echo("Caught CTRL-C. Returning what we have . . .")
@@ -75,6 +68,8 @@ def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> N
 
         try:
             for search_field, terms in criteria.items():
+                terms = [(f'"{term}"' if ' ' in term else term) for term in terms]
+
                 query = '(' + ' OR '.join('%s:%s' % (search_field, term) for term in terms) + ')'
                 query += self.build_query(base_query)
 
@@ -95,4 +90,4 @@ def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> N
         self._add_results(list(results), tag)
 
     def get_other_row_headers(self) -> list[str]:
-        return ['Process Start']
+        return ['Process Start', 'Process GUID']
diff --git a/surveyor.py b/surveyor.py
@@ -153,22 +153,27 @@ def s1(ctx, site_id: Optional[Tuple], account_id: Optional[Tuple], account_name:
 
     survey(ctx, 's1')
 
-
+# CbC options
 @cli.command('cbc', help="Query VMware Cb Enterprise EDR")
+@click.option("--device-group", help="Name of device group to query", multiple=True, default=None)
+@click.option("--device-policy", help="Name of device policy to query", multiple=True, default=None)
 @click.pass_context
-def cbc(ctx):
-    survey(ctx, 'cbc')
+def cbc(ctx, device_group: Optional[Tuple], device_policy: Optional[Tuple]):
+    ctx.obj.product_args = {
+        'device_group': list(device_group),
+        'device_policy': list(device_policy)
+    }
 
+    survey(ctx, 'cbc')
 
+# CbR Options
 @cli.command('cbr', help="Query VMware Cb Response")
+@click.option("--sensor-group", help="Name of sensor group to query", multiple=True, default=None)
 @click.pass_context
-def cbr(ctx):
-    survey(ctx, 'cbr')
-
-
-@cli.command('cbr', help="Query Cb Response")
-@click.pass_context
-def response_alternate(ctx):
+def cbr(ctx, sensor_group: Optional[Tuple]):
+    ctx.obj.product_args = {
+        'sensor_group': list(sensor_group)
+    }
     survey(ctx, 'cbr')