
moved json to only use __init__()
xC0uNt3r7hr34t committed Sep 8, 2023
1 parent e8bed00 commit 2cfa28f
Showing 6 changed files with 35 additions and 37 deletions.
9 changes: 4 additions & 5 deletions products/cortex_xdr.py
Expand Up @@ -56,7 +56,7 @@ class CortexXDR(Product):
_session: requests.Session
_queries: dict[Tag, list[Query]] = dict()
_last_request: float = 0.0
_json: bool # output raw json
_json: bool = False # output raw json
_limit: int = 1000 # Max is 1000 results otherwise have to get the results via stream
_raw: bool = False

Expand All @@ -70,6 +70,7 @@ def __init__(self, **kwargs):
self._url = kwargs['url'] if 'url' in kwargs else ''
self._auth_type = kwargs['auth_type'] if 'auth_type' in kwargs else "standard"
self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
self._json = kwargs['json'] if 'json' in kwargs else self._json

if self._limit >= int(kwargs.get('limit',0)) > 0:
self._limit = int(kwargs['limit'])
Expand Down Expand Up @@ -194,8 +195,7 @@ def build_query(self, filters: dict) -> Tuple[str, int]:
# therefore we return the relative time separately
return query_base, relative_time_ms

def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) -> None:
self._json = json
def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
self._base_query, relative_time_ms = self.build_query(base_query)

if tag not in self._queries:
Expand All @@ -204,8 +204,7 @@ def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) ->
full_query = Query(relative_time_ms, None, None, None, query)
self._queries[tag].append(full_query)

def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json: bool) -> None:
self._json = json
def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> None:
self._base_query, relative_time_ms = self.build_query(base_query)

try:
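Review bot: The new `self._json = kwargs['json'] if 'json' in kwargs else self._json` line in `__init__` accepts whatever type the caller hands over, while the surveyor side of this same commit passes another product option as a string (`kwargs['limit'] = str(opt.limit)`, which this class then converts with `int(kwargs['limit'])`); should `json` ever arrive the same way, the non-empty string `'False'` is truthy and would silently switch the product into raw-JSON output. Today the value comes straight from the click flag, so at minimum pin the assumption: `self._json = kwargs.get('json', self._json)  # expects a real bool from the CLI flag, not a string`. The `Product` base class that presumably declares `process_search`/`nested_process_search` is not part of this diff; if it still lists the `json: bool` parameter, its signatures should drop it as all five subclasses now do. `nested_process_search` continues past the end of the hunk.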
15 changes: 7 additions & 8 deletions products/microsoft_defender_for_endpoints.py
Expand Up @@ -45,7 +45,7 @@ class DefenderForEndpoints(Product):
product: str = 'dfe'
creds_file: str # path to credential configuration file
_token: str # AAD access token
_json: bool # output raw json
_json: bool = False# output raw json
_limit: int = -1
_tenantId: Optional[str] = None
_appId: Optional[str] = None
Expand All @@ -61,6 +61,7 @@ def __init__(self, **kwargs):
self._appId = kwargs['appId'] if 'appId' in kwargs else None
self._appSecret = kwargs['appSecret'] if 'appSecret' in kwargs else None
self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
self._json = kwargs['json'] if 'json' in kwargs else self._json

if 100000 >= int(kwargs.get('limit', -1)) > self._limit:
self._limit = int(kwargs['limit'])
Expand Down Expand Up @@ -177,8 +178,7 @@ def _get_default_header(self) -> dict[str, str]:
"Accept": 'application/json'
}

def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) -> None:
self._json = json
def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
query = query.rstrip()

query += f" {self.build_query(base_query)}" if base_query != {} else ''
Expand All @@ -193,21 +193,20 @@ def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) ->

self._add_results(list(results), tag)

def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json:bool) -> None:
def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> None:
query_base = self.build_query(base_query)
self._json = json

try:
for search_field, terms in criteria.items():
if search_field == 'query':
if isinstance(terms, list):
for query_entry in terms:
query_entry += f" {query_base}" if query_base != '' else ''
self.process_search(tag, {}, json, query_entry)
self.process_search(tag, {}, query_entry)
else:
query_entry = terms
query_entry += f" {query_base}" if query_base != '' else ''
self.process_search(tag, {}, json, query_entry)
self.process_search(tag, {}, query_entry)

else:
all_terms = ', '.join(f"'{term}'" for term in terms)
Expand All @@ -226,7 +225,7 @@ def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json

query += f"| project Timestamp, {', '.join(PARAMETER_MAPPING[search_field]['projections'])}"

self.process_search(tag, {}, json, query)
self.process_search(tag, {}, query)
except KeyboardInterrupt:
self._echo("Caught CTRL-C. Returning what we have...")

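Review bot: The new class attribute line `_json: bool = False# output raw json` runs the `#` straight into the value; PEP 8 wants at least two spaces before an inline comment, and the sibling attributes in this class (`_limit`, `_tenantId`) are spaced normally, so write `_json: bool = False  # output raw json`. In `__init__`, the added `kwargs['json'] if 'json' in kwargs else self._json` does a membership test and a second lookup where `kwargs.get('json', self._json)` says the same thing in one expression; the other products in this commit use the same two-step form, so if you keep it here for consistency, keep it everywhere. The `nested_process_search` hunk correctly drops the `json` argument from all three recursive `self.process_search(tag, {}, ...)` calls, so no caller of the old positional form remains in this file.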
10 changes: 4 additions & 6 deletions products/sentinel_one.py
Expand Up @@ -90,7 +90,7 @@ class SentinelOne(Product):
_query_base: Optional[str] = None
_pq: bool # Run queries using PowerQuery instead of DeepVisibility
_raw: bool = False
_json: bool # output raw json
_json: bool = False # output raw json

def __init__(self, pq: bool = False, **kwargs):

Expand All @@ -104,7 +104,7 @@ def __init__(self, pq: bool = False, **kwargs):
self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
limit = (kwargs['limit']) if 'limit' in kwargs else 0
self._pq = pq # This supports command-line options, will default to Power Query
self._json = False
self._json = kwargs['json'] if 'json' in kwargs else self._json

# Will check for passed-in arguments; if none are present, it will default to Deep Visibility. Non-command line.
if 'deep_visibility' in kwargs:
Expand Down Expand Up @@ -489,8 +489,7 @@ def divide_chunks(self, l: list, n: int):
for i in range(0, len(l), n):
yield l[i:i + n]

def process_search(self, tag: Tag, base_query: dict, json_output: bool, query: str) -> None:
self._json = json_output
def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
build_query, from_date, to_date = self.build_query(base_query)
self._query_base = build_query
self._echo(f'Built Query: {query}')
Expand All @@ -505,8 +504,7 @@ def process_search(self, tag: Tag, base_query: dict, json_output: bool, query: s
def parameter_mapping(self) -> dict[str, list[str]]:
return PARAMETER_MAPPING_PQ if self._pq else PARAMETER_MAPPING_DV

def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json_output: bool) -> None:
self._json = json_output
def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> None:
query_base, from_date, to_date = self.build_query(base_query)
self._query_base = query_base
try:
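Review bot: This constructor already takes its other output-shaping option as an explicit typed keyword (`def __init__(self, pq: bool = False, **kwargs)` with `self._pq = pq` two lines above), yet the new `self._json = kwargs['json'] if 'json' in kwargs else self._json` pulls `json` out of the untyped `**kwargs` bag, so a type checker cannot see it and a misspelled key is silently ignored. For consistency within this class, consider `def __init__(self, pq: bool = False, json: bool = False, **kwargs)` and `self._json = json`, unless `Product.__init__` (not in this diff) also needs to receive `json` through `**kwargs`, in which case a short comment saying so would save the next reader the question. The previous unconditional `self._json = False` is gone, so the class-level `_json: bool = False` added in the first hunk is now the only default; that pairing is correct. `__init__` continues beyond the hunk.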
11 changes: 6 additions & 5 deletions products/vmware_cb_enterprise_edr.py
Expand Up @@ -56,6 +56,7 @@ def __init__(self, **kwargs):
self._device_policy = kwargs['device_policy'] if 'device_group' in kwargs else None
self._limit = int(kwargs['limit']) if 'limit' in kwargs else self._limit
self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
self._json = kwargs['json'] if 'json' in kwargs else self._json

super().__init__(self.product, **kwargs)

Expand Down Expand Up @@ -108,8 +109,8 @@ def divide_chunks(self, l: list, n: int) -> Generator:
for i in range(0, len(l), n):
yield l[i:i + n]

def perform_query(self, tag: Tag, base_query: dict, json: bool, query: str) -> set[Result]:
if json:
def perform_query(self, tag: Tag, base_query: dict, query: str) -> set[Result]:
if self._json:
results = dict()
else:
#raw_results= list()
Expand All @@ -127,7 +128,7 @@ def perform_query(self, tag: Tag, base_query: dict, json: bool, query: str) -> s
# noinspection PyUnresolvedReferences
for proc in process.where(full_query):
deets = proc.get_details()
if json:
if self._json:
results.update(deets)
else:
hostname = deets['device_name'] if 'device_name' in deets else 'None'
Expand Down Expand Up @@ -166,12 +167,12 @@ def perform_query(self, tag: Tag, base_query: dict, json: bool, query: str) -> s
'''
return results

def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) -> None:
def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
results = self.perform_query(tag, base_query, query)

self._add_results(list(results), tag)

def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json: bool) -> None:
def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> None:
results: list = []

for search_field, terms in criteria.items():
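Review bot: The added `self._json = kwargs['json'] if 'json' in kwargs else self._json` falls back to `self._json`, but unlike the Cortex, Defender and SentinelOne files in this commit, no `_json: bool = False` class attribute is added here and none is visible in the hunk; unless the class or `Product` already declares one, the first construction without a `json` key raises `AttributeError` instead of defaulting to non-JSON output. Add `_json: bool = False  # output raw json` next to the other class attributes (the class header is above this hunk) or fall back to a literal `False`. Separately, the context line just above reads `kwargs['device_policy'] if 'device_group' in kwargs else None`, which tests one key and reads another and will `KeyError` when only `device_group` is supplied — not introduced by this commit, but worth fixing while the constructor is open. `__init__` begins before the hunk.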
13 changes: 7 additions & 6 deletions products/vmware_cb_response.py
Expand Up @@ -23,6 +23,7 @@ def __init__(self, **kwargs):
self._sensor_group = kwargs['sensor_group'] if 'sensor_group' in kwargs else None
self._limit = int(kwargs['limit']) if 'limit' in kwargs else self._limit
self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
self._json = kwargs['json'] if 'json' in kwargs else self._json

super().__init__(self.product, **kwargs)

Expand Down Expand Up @@ -59,8 +60,8 @@ def build_query(self, filters: dict) -> str:

return query_base

def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) -> None:
if json:
def process_search(self, tag: Tag, base_query: dict, query: str) -> None:
if self._json:
results = dict()
else:
#raw_results = list()
Expand All @@ -72,7 +73,7 @@ def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) ->
try:
# noinspection PyUnresolvedReferences
for proc in self._conn.select(Process).where(query):
if json:
if self._json:
results.update(proc)
else:
result = Result(proc.hostname.lower(), proc.username.lower(), proc.path, proc.cmdline,
Expand Down Expand Up @@ -102,8 +103,8 @@ def process_search(self, tag: Tag, base_query: dict, json: bool, query: str) ->
'''
self._add_results(list(results), tag)

def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json: bool) -> None:
if json:
def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict) -> None:
if self._json:
results = dict()
else:
results = set()
Expand All @@ -128,7 +129,7 @@ def nested_process_search(self, tag: Tag, criteria: dict, base_query: dict, json
self.log.debug(f'Query: {query}')
# noinspection PyUnresolvedReferences
for proc in self._conn.select(Process).where(query):
if json:
if self._json:
results.update(proc)
else:
result = Result(proc.hostname.lower(), proc.username.lower(), proc.path, proc.cmdline,
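Review bot: Same gap as in the Enterprise EDR product: `self._json = kwargs['json'] if 'json' in kwargs else self._json` relies on a pre-existing `_json` default, but this file gets no `_json: bool = False` class attribute in the commit, so unless one already exists on this class or on `Product`, constructing the product without a `json` key raises `AttributeError`; add `_json: bool = False  # output raw json` alongside the other class attributes. The switch to `self._json` also makes the JSON path of `process_search` worth a second look: when it is set, `results = dict()` is filled via `results.update(proc)` and then handed to `self._add_results(list(results), tag)`, and `list()` of a dict yields only its keys, so the collected values appear to be dropped before they reach the writer — presumably unintended, please confirm against `_add_results`. Both `process_search` and `nested_process_search` extend beyond their hunks.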
14 changes: 7 additions & 7 deletions surveyor.py
Expand Up @@ -153,7 +153,7 @@ def cli(ctx, prefix: Optional[str], hostname: Optional[str], profile: str, days:

ctx.ensure_object(dict)

ctx.obj = ExecutionOptions(prefix, hostname, profile, days, minutes, username, ioc_file, ioc_type, query, output,
ctx.obj = ExecutionOptions(prefix, hostname, profile, days, minutes, username, limit, ioc_file, ioc_type, query, output,
def_dir, def_file, sigma_rule, sigma_dir, json, no_file, no_progress, log_dir, dict())

if ctx.invoked_subcommand is None:
Expand Down Expand Up @@ -278,7 +278,8 @@ def survey(ctx, product_str: str = 'cbr') -> None:
# build arguments required for product class
# must products only require the profile name
kwargs = {
'profile': opt.profile
'profile': opt.profile,
'json': opt.json
}

if len(opt.product_args) > 0:
Expand All @@ -287,7 +288,6 @@ def survey(ctx, product_str: str = 'cbr') -> None:
if opt.limit:
kwargs['limit'] = str(opt.limit)


kwargs['tqdm_echo'] = str(not opt.no_progress)

# instantiate a product class instance based on the product string
Expand Down Expand Up @@ -361,7 +361,7 @@ def survey(ctx, product_str: str = 'cbr') -> None:
if opt.query:
# if a query is specified run it directly
log_echo(f"Running Custom Query: {opt.query}", log)
product.process_search(Tag('query'), base_query, opt.json, opt.query)
product.process_search(Tag('query'), base_query, opt.query)

for tag, results in product.get_results().items():
_write_results(writer, results, opt.query, "query", tag, log)
Expand Down Expand Up @@ -411,7 +411,7 @@ def survey(ctx, product_str: str = 'cbr') -> None:

ioc_list = [x.strip() for x in data]

product.nested_process_search(Tag(f"IOC - {opt.ioc_file}", data=basename), {opt.ioc_type: ioc_list}, base_query, opt.json)
product.nested_process_search(Tag(f"IOC - {opt.ioc_file}", data=basename), {opt.ioc_type: ioc_list}, base_query)

for tag, results in product.get_results().items():
_write_results(writer, results, opt.ioc_file, 'ioc', tag, log)
Expand All @@ -425,7 +425,7 @@ def survey(ctx, product_str: str = 'cbr') -> None:
with open(definitions, 'r') as file:
programs = json.load(file)
for program, criteria in programs.items():
product.nested_process_search(Tag(program, data=source), criteria, base_query, opt.json)
product.nested_process_search(Tag(program, data=source), criteria, base_query)

if product.has_results():
# write results as they become available
Expand All @@ -449,7 +449,7 @@ def survey(ctx, product_str: str = 'cbr') -> None:
program = f"{rule['title']} - {rule['id']}"
source = 'Sigma Rule'

product.nested_process_search(Tag(program, data=source), {'query': [rule['query']]}, base_query, opt.json)
product.nested_process_search(Tag(program, data=source), {'query': [rule['query']]}, base_query)

if product.has_results():
# write results as they become available
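Review bot: The first hunk inserts `limit` positionally into the middle of the twenty-argument `ExecutionOptions(...)` call, and the `ExecutionOptions` definition is not in this diff; if its field order does not put `limit` exactly between `username` and `ioc_file`, every later field (`ioc_file`, `ioc_type`, `query`, `output`, ...) shifts by one with no error at construction time. The context line `if opt.limit:` further down shows the field already existed before this commit, which makes an out-of-order or defaulted field quite plausible — please check the dataclass, and consider passing these as keyword arguments (`limit=limit`, `ioc_file=ioc_file`, ...) so a mismatch fails loudly. Note also that `kwargs` now carries `'json': opt.json` as a bool while `limit` is still passed as `str(opt.limit)`; the products coerce `limit` with `int()` but take `json` as-is, so a one-line comment on the `kwargs` literal stating which values are strings and which are already typed would help the product authors. `survey` begins before the first hunk and continues past the last.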
