Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for parent_name in definition files #139

Open
wants to merge 15 commits into
base: master
Choose a base branch
from
Open

Add support for parent_name in definition files #139

wants to merge 15 commits into from

Conversation

rc-csmith
Copy link
Contributor

@rc-csmith rc-csmith commented Jul 26, 2023
edited
Loading

Changes

  • Added support for parent_name definition file field in all product files
  • Added support for filemod and modload in vmware_cb_enterprise_edr.py
  • Updated spec tests to include new definition file field
  • Consolidated test data into single file
  • Fix bug in vmware_cb_enterprise_edr.py to properly record full query

Closes #122
Closes #131

@rc-csmith rc-csmith self-assigned this Jul 26, 2023
@rc-csmith rc-csmith marked this pull request as ready for review September 22, 2023 20:26
TreWilkinsRC
TreWilkinsRC previously approved these changes Sep 25, 2023
View reviewed changes
ChuckFrey
ChuckFrey reviewed Dec 21, 2023
View reviewed changes
Copy link

@ChuckFrey ChuckFrey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was trying to baseline a query to validate the pull request and I ran into a problem that stopped me from further testing. The following can be done in CbC'srclabtestcbthreathunter

device_name:ec2amaz\-b8bka2n AND process_cmdline:notepad.exe

w/out the sensor group specified
[2023-12-21 12:52:04,872][INFO] Executing surveyor command python /Users/chuckfrey/Documents/surveyor/surveyor.py --profile rclabtestcbthreathunter_rclabtestcbthreathunter --prefix rclabtestcbthreathunter_rclabtestcbthreathunter_cbc --output /Users/chuckfrey/Documents/github/cirt-threat-hunting/results/rclabtestcbthreathunter_rclabtestcbthreathunter_cbc_survey.csv --days 2 --hostname EC2AMAZ-B8BKA2N --query ' process_cmdline:notepad.exe' cbc --sensor-group ' '. See actual surveyor logs for more details.
Usage: surveyor.py cbc [OPTIONS]
Try 'surveyor.py cbc -h' for help.

Error: No such option: --sensor-group Did you mean --device-group?
[2023-12-21 12:52:05,998][INFO] Cleaning results files in /Users/chuckfrey/Documents/github/cirt-threat-hunting/results
[2023-12-21 12:52:06,000][ERROR] No file, /Users/chuckfrey/Documents/github/cirt-threat-hunting/results/rclabtestcbthreathunter_rclabtestcbthreathunter_cbc_survey.csv, found. Skipping to next file
[2023-12-21 12:52:06,000][WARNING] Appened dataframe appears to be empty. No files output.

w/ the sensor group specified

2023-12-21 12:58:31,790][INFO] Collecting credentials for all supported EDR sources for subdomain rclabtestcbthreathunter
[2023-12-21 12:58:52,785][INFO] Processing all supported EDR sources for subdomain rclabtestcbthreathunter
[2023-12-21 12:58:52,785][INFO] Total Profiles: 1
[2023-12-21 12:58:52,786][INFO] Executing surveyor command python /Users/chuckfrey/Documents/surveyor/surveyor.py --profile rclabtestcbthreathunter_rclabtestcbthreathunter --prefix rclabtestcbthreathunter_rclabtestcbthreathunter_cbc --output /Users/chuckfrey/Documents/github/cirt-threat-hunting/results/rclabtestcbthreathunter_rclabtestcbthreathunter_cbc_survey.csv --days 2 --hostname EC2AMAZ-B8BKA2N --query parent_cmdline:notepad.exe cbc --sensor-group MonitoredWithAVEnabled. See actual surveyor logs for more details.
Usage: surveyor.py cbc [OPTIONS]
Try 'surveyor.py cbc -h' for help.

Error: No such option: --sensor-group Did you mean --device-group?
[2023-12-21 12:58:53,889][INFO] Cleaning results files in /Users/chuckfrey/Documents/github/cirt-threat-hunting/results
[2023-12-21 12:58:53,891][ERROR] No file, /Users/chuckfrey/Documents/github/cirt-threat-hunting/results/rclabtestcbthreathunter_rclabtestcbthreathunter_cbc_survey.csv, found. Skipping to next file
[2023-12-21 12:58:53,891][WARNING] Appened dataframe appears to be empty. No files output.

@TreWilkinsRC TreWilkinsRC removed the request for review from ChuckFrey October 17, 2024 08:19
@rc-csmith rc-csmith dismissed TreWilkinsRC’s stale review November 6, 2024 15:58

new changes need additional review

@TreWilkinsRC TreWilkinsRC requested review from rc-abodkins and removed request for rc-abodkins November 6, 2024 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChuckFrey ChuckFrey ChuckFrey left review comments

@TreWilkinsRC TreWilkinsRC TreWilkinsRC approved these changes

@rc-MikeDevens rc-MikeDevens Awaiting requested review from rc-MikeDevens

@rc-abodkins rc-abodkins Awaiting requested review from rc-abodkins

At least 2 approving reviews are required to merge this pull request.

Assignees

@rc-csmith rc-csmith

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[FR] Parent Process Name Support [BUG] Full query not logged for CbC
3 participants
@rc-csmith @ChuckFrey @TreWilkinsRC