
filter threats that don't belong to specified ComputerName #51

Open: wants to merge 2 commits into base: master

Conversation

log1-c (Contributor) commented Mar 22, 2024

As the SentinelOne API parameter computerName__contains is not an exact match when filtering threats for specific ComputerNames, I updated the GetThreats function to ignore any threats that don't match the given ComputerName via the --computer-name parameter.

Current behavior for reference:
--computer-name "abc-job01"
Gets threats for hosts like abc-job01 but also for abc-job01_whatever (and so on).

If parameter --computer-name is not supplied, the function will gather all threats for the site

log1-c added 2 commits March 22, 2024 09:54
If ComputerName is set via parameter, ignore all threats that don't belong to it.
@martialblog martialblog self-assigned this Mar 22, 2024
martialblog (Member) commented:
Hi, thanks for the PR. I will have a look at it.

martialblog (Member) commented:
I think the change makes sense. The flag --computer-name also states this in the help "Only list threats belonging to the specified computer name", so it should be expected to only match full names not substrings.

Note: Might be nice to add the possibility to set the flag multiple times or have a flag to toggle the precise matching. But we can do that in another PR.

We can optimize the implementation a bit.

Since we already pass the url.Values map into the GetThreats method and it already contains the computer name, we can just use this value. Example:

```go
func (c *Client) GetThreats(values url.Values) (threats []*Threat, err error) {
...
if computerName, ok := values["computerName__contains"]; ok {
    // continue if the name matches
}
...
```

I also checked the API docs, there is only the "computerName__contains" parameter and nothing to match exactly from what I can see. Don't know if the "contains" filter can include patterns.

@martialblog martialblog added this to the v0.4.0 milestone Mar 22, 2024
martialblog (Member) commented:
From the API docs:

computerName__contains
Free-text filter by computer name (supports multiple values). Example: "john-office,WIN".

If we do a precise matching by name then we would lose the ability to use multiple values. So a toggle option might be valuable.
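The following is an added example, not code from this PR or from the project: it puts together the exact-name check the PR description asks for, the reviewer's suggestion to read the name straight out of the url.Values map already passed to GetThreats, and the multi-value note above. The API parameter is documented as a comma-separated free-text filter, so the helper splits it into a list and, when the (assumed) exact toggle is on, keeps only threats whose ComputerName equals one of the listed names; with the toggle off the API's substring result is passed through unchanged. The Threat type, FilterThreatsByComputerName and sampleThreats are hypothetical names chosen for this example, and the threat data is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Threat is a hypothetical, reduced stand-in for the project's threat record;
// only the fields the name filter needs are modelled here.
type Threat struct {
	ID           string
	ComputerName string
}

// FilterThreatsByComputerName applies the client-side check proposed in the PR
// on top of the API's substring filter. values is the query map already handed
// to GetThreats; "computerName__contains" is documented as a free-text filter
// that accepts a comma-separated list, so each value is split on "," and
// trimmed. With exact set, only threats whose ComputerName equals one of the
// listed names are kept, so "abc-job01" no longer matches "abc-job01_whatever"
// while a "john-office,WIN" style value still works as a list of exact names.
// With exact unset the API's substring semantics are kept and the input slice
// is returned untouched (this is the toggle suggested in review).
func FilterThreatsByComputerName(threats []*Threat, values url.Values, exact bool) []*Threat {
	raw, ok := values["computerName__contains"]
	if !ok || !exact {
		return threats
	}
	wanted := make(map[string]struct{})
	for _, v := range raw {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				wanted[name] = struct{}{}
			}
		}
	}
	if len(wanted) == 0 {
		// The flag was given but held no usable name; fall back to the API result.
		return threats
	}
	kept := make([]*Threat, 0, len(threats))
	for _, t := range threats {
		if _, match := wanted[t.ComputerName]; match {
			kept = append(kept, t)
		}
	}
	return kept
}

// sampleThreats returns constructed data shaped like the PR description's
// example: the exact host, a host whose name merely contains the requested
// one, and an unrelated host.
func sampleThreats() []*Threat {
	return []*Threat{
		{ID: "t1", ComputerName: "abc-job01"},
		{ID: "t2", ComputerName: "abc-job01_whatever"},
		{ID: "t3", ComputerName: "WIN-DESK"},
	}
}

func main() {
	values := url.Values{}
	values.Set("computerName__contains", "abc-job01,WIN-DESK")
	for _, exact := range []bool{false, true} {
		fmt.Printf("exact=%v:", exact)
		for _, t := range FilterThreatsByComputerName(sampleThreats(), values, exact) {
			fmt.Printf(" %s(%s)", t.ID, t.ComputerName)
		}
		fmt.Println()
	}
}
```

Comparison is byte-exact, matching the "exact match" wording of the PR; if the deployment's hostnames are reported with inconsistent casing, swapping the map lookup for a strings.EqualFold loop is the one-line change to make, but that is a separate decision from the substring problem the PR addresses.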

martialblog (Member) commented:
I think this change is something we could add. However, the PR needs some feedback and fixing (see GitHub Actions) before we can move forward.
