
Velociraptor Legacy Plugin 1.0.0 #2101

Open

wants to merge 26 commits into base: develop

Conversation

jbauvinet-r7

Proposed Changes

Description

Describe the proposed changes:

  • Creation of a new Velociraptor Legacy Plugin
  • Connection Test: image
  • Action Test: image

This plugin will send a command to a legacy Velociraptor Console (not Rapid7 Hosted).

@cmcnally-r7 cmcnally-r7 changed the base branch from master to develop November 6, 2023 16:51
@cmcnally-r7 cmcnally-r7 force-pushed the velociraptor_legacy_1.0.0 branch from f14c28b to b3a85fd Compare November 7, 2023 09:18
try:
# Fill in the SSL params from the api_client config file. You can get such a file:
# velociraptor --config server.config.yaml config api_client > api_client.conf.yaml
api_connection_string = self.parameters["api_connection_string"]
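Review bot: the comment on the two lines above describes taking the SSL parameters from an api_client config file generated with `velociraptor --config server.config.yaml config api_client > api_client.conf.yaml`, but the code that follows reads `api_connection_string` from `self.parameters`, i.e. the plugin's connection inputs, and never opens such a file; reword the comment to say the values are copied from that file into the connection parameters, or drop it, so a maintainer is not led to look for a file read that does not exist.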
Collaborator


Suggested change
api_connection_string = self.parameters["api_connection_string"]
api_connection_string = params.get(Input.API_CONNECTION_STRING)

Comment on lines +40 to +42
root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"])
private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"])
certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"])
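Review bot: the three `base64.b64decode` calls run without `validate=True` and without catching `binascii.Error`, so a pasted certificate or key that is truncated, contains stray characters, or was entered as raw PEM instead of base64 either decodes to garbage silently or raises an unhandled exception, and the user only sees an opaque TLS/gRPC failure later; wrap the decodes in a `try`/`except binascii.Error` that raises a clear plugin-level exception naming which of `ca_certificate`, `client_private_key` or `client_cert` failed to decode, without echoing the value, since `client_private_key` is credential material.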
Collaborator


Suggested change
root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"])
private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"])
certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"])
root_certificates_decoded = base64.b64decode(params.get(Input.CA_CERTIFICATE).get('secretKey'))
private_key_decoded = base64.b64decode(params.get(Input.CLIENT_PRIVATE_KEY).get('secretKey'))
certificate_chain_decoded = base64.b64decode(params.get(Input.CLIENT_CERT).get('secretKey'))

Comment on lines +87 to +91
self.api_connection_string = self.parameters["api_connection_string"]
self.root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"])
self.private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"])
self.certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"])
self.username = self.parameters["username"]
Collaborator


These could be declared at the start of the file and used as a single variable rather than repeating the code

Comment on lines +94 to +98
self.api_connection_string = self.parameters["api_connection_string"]
self.root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"])
self.private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"])
self.certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"])
self.username = self.parameters["username"]
Collaborator


Same here with repeated code

Comment on lines +92 to +93
except grpc.RpcError as e:
self.logger.info("Error: ", e)
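Review bot: `self.logger.info("Error: ", e)` passes the error as a positional logging argument while the format string has no `%s` placeholder, so the logging module reports a formatting error to stderr and the RPC failure text is never written; and because the `except` block only logs at info level and neither re-raises nor returns a failure, the caller continues as if the gRPC call succeeded. Log with `self.logger.error("Error: %s", error)` and re-raise the `grpc.RpcError` wrapped in the plugin's exception type, so an unreachable server or a rejected client certificate fails the call visibly instead of being swallowed.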
Collaborator


Avoid use of single letter variables.

Suggested change
except grpc.RpcError as e:
self.logger.info("Error: ", e)
except grpc.RpcError as error:
self.logger.info("Error: ", error)

Collaborator


This unimplemented unit test is causing the unit test check to fail. Please write a unit test to cover the code in your action 😄

Comment on lines +25 to +33
"""
Runs a VQL query against the Velociraptor server.

Args:
config: A dictionary containing the configuration parameters for the Velociraptor server.
query: The VQL query to run.

Returns:
A tuple containing the query, the response, and the query execution logs.
Collaborator


I don't think this docstring is relevant here, it is also causing one of the checks to fail. Kindly remove it 😃

dlaverty-r7 and others added 20 commits November 7, 2023 11:23
* Updated docker file to include curl for adding attachment

* Updated examples for help.md to include strings for ids

* Updated output ids to strings for consistency

* Updated attach incident example

* Removed print statement

* Updated formatting with black check

---------

Co-authored-by: Dympna Laverty <dympna_laverty@rapid7.com>
…h expected inputs (#1624)

* Updated to output ids as integers to line up with expected inputs

* Updated example fields

* Updated example fields

---------

Co-authored-by: Dympna Laverty <dympna_laverty@rapid7.com>
* added get_sensor action

* fixed checksum

* sensor stats added acc

* finished spec file, regenerated

* generated archive sensor action

* added example output for archive sensor

* refactoring for lint

* updated descriptions in spec file for validator

* created and tested 2 new actions, need to add unit tests

* update spec file

* refactored quarantine action, added unit tests for most of the actions

* added unit tests 95 percent coverage

* fix for plugin validator

* fix lint

* prospector fix

* unit test fix

* dympna change

* igor updates

* lukasz changes

* formatting help.md to use 2 spaces instead of 4

* updated version history note
* updated output

* updated output for cybereason

* regen

* version bump

* specific fake email

* fixed schema issue

* changing back to rapid7 vendor

* version bump in helpmd
* [MC-1452] Update Okta plugin

* [MC-1452] Fixed test

* [MC-1452] Fix prospector

* [MC-1452] Update help.md

* [MC-1452] Update SDK image to latest version

* [MC-1452] Update unit tests for task

---------

Co-authored-by: Cyprian Dankowski <cyprian_dankowski@rapid7.com>
* [MC-1452] Return status code in Monitor Logs task

* [MC-1452] Update exceptions in api.py

* [MC-1452] Fix prospector

* [MC-1452] Use logger instance
* [MC-1452] Update pagination in Monitor Logs task in Okta plugin

* [MC-1452] Update unit tests
* Initial commit for armorblox plugin

* Fix validate errors

* Timestamp changes

* Updated armorblox-sdk 0.1.4 version in requirements.txt

* Updated the suggestions for plugin.spec.yaml

* Update plugins/armorblox/help.md

* Update plugins/armorblox/help.md

* Update plugins/armorblox/help.md

* Update plugins/armorblox/help.md

* Update plugins/armorblox/help.md

* Update plugins/armorblox/help.md

* Update plugins/armorblox/help.md

* Updated review comments

* Update plugins/armorblox/icon_armorblox/triggers/get_incidents/schema.py

* Update plugins/armorblox/unit_test/payloads/get_remediation_action.json

* Update plugins/armorblox/unit_test/payloads/get_remediation_action.json

* Updated armorblox plugin with the required fixes

* Updated plugin with latest fixes

* Updated plugin with parameterized on test cases

* "Fixed review comments"

* Updated support field to community in plugin.spec.yaml

---------

Co-authored-by: Ankita Sharma <ankita.sharma@xoriant.com>
Co-authored-by: Rajat Upadhyaya <45485+urajat@users.noreply.github.com>
* updated status codes + black formatting

* regen

* added examples to plugin spec

* Refresh

* removed quotes from variables in spec

* tidying up

* changed imports to work with github validators

* changed task unit test imports to work with github validators

* fixed unit tests

* Added example outputs to help.md

* spec & help changes + status codes fix

* checksum

* period validation

* revert description change

* remove full stop in trigger schema
* Updated task cutofftime, removed cleaning of logs, added debug

* Updated task cutofftime, removed cleaning of logs, added debug

* Removed page index from state if resetting collection time to max lookback

* Updated unit tests following task updates

---------

Co-authored-by: Dympna Laverty <dympna_laverty@rapid7.com>
* Updated task handling of query interval out of range

* Updated unit test following task function update

---------

Co-authored-by: Dympna Laverty <dympna_laverty@rapid7.com>
…2033)

* PLGN-362-Updating pager duty to use http rather than pypd

* PLGN-362-Reducing complexity of get_on_calls method and send_request method

* PLGN-362-Adding parameterized to requirements.txt to allow unit tests to now run on git

* PLGN-362-Running black formatter on get_on_call and util/api

* PLGN-362-Updating to use correct input and output objects, also removing redundant checks for required fields

* PLGN-362-Updating to use newest version of error messages from insightconnect_plugin_runtime.exceptions

* PLGN-362-Removing redundant required check

* PLGN-362-Running black formatter on get_on_call and util/api

* PLGN-362-Adding docstrings, using the input object in the connection class

* PLGN-362-Running black formatter on get_on_call and util/api

* PLGN-362-Updating docstrings to use sphinx format

* PLGN-362-Updating examples to use real fake data

* PLGN-362-Updating black format

* PLGN-362-Making sure return for delete is of type string

* PLGN-362-Making sure return for delete is of type string

* PLGN-362-Fixing typos / tidying up code

* PLGN-362-Adding back in get user by email action + tests

* PLGN-362-using black format

* PLGN-362-adding back in prefix to each action's description
@cmcnally-r7 cmcnally-r7 force-pushed the velociraptor_legacy_1.0.0 branch from f935638 to ec4c682 Compare November 7, 2023 11:45
@rbowden-r7 rbowden-r7 force-pushed the develop branch 3 times, most recently from 35a2c1d to c63d7dc Compare September 12, 2024 11:03
@ablakley-r7 ablakley-r7 force-pushed the develop branch 3 times, most recently from 409b877 to 7e49c36 Compare September 19, 2024 14:18
@rmurray-r7 rmurray-r7 force-pushed the develop branch 6 times, most recently from e7f10ec to 2e967fc Compare November 5, 2024 09:13
@joneill-r7 joneill-r7 force-pushed the develop branch 3 times, most recently from ba715f2 to 9f862b4 Compare November 14, 2024 17:00
@dlaverty-r7 dlaverty-r7 force-pushed the develop branch 2 times, most recently from c2f4dd7 to 6629741 Compare November 20, 2024 12:01
@rmurray-r7 rmurray-r7 force-pushed the develop branch 2 times, most recently from 1be0264 to 1b1b456 Compare December 18, 2024 15:19