Merge pull request #51 from hazcod/feat/withoutsensor

Feature: report on users without sensors/mdm

Author: hazcod

cmd/main.go

@@ -6,6 +6,7 @@ import (
 	"github.com/hazcod/crowdstrike-spotlight-slacker/pkg/overview/security"
 	"github.com/hazcod/crowdstrike-spotlight-slacker/pkg/overview/user"
 	"github.com/hazcod/crowdstrike-spotlight-slacker/pkg/ws1"
+	"gopkg.in/errgo.v2/fmt/errors"
 	"os"
 	"strings"
 
@@ -49,12 +50,12 @@ func main() {
 
 	// ---
 
-	falconMessages, err := falcon.GetMessages(config, ctx)
+	falconMessages, usersWithSensors, err := falcon.GetMessages(config, ctx)
 	if err != nil {
 		logrus.WithError(err).Fatal("could not get falcon messages")
 	}
 
-	ws1Messages, err := ws1.GetMessages(config, ctx)
+	ws1Messages, usersWithDevices, err := ws1.GetMessages(config, ctx)
 	if err != nil {
 		logrus.WithError(err).Fatal("could not get WS1 messages")
 	}
@@ -89,7 +90,7 @@ func main() {
 	for _, slackUser := range slackUsers {
 		userEmail := strings.ToLower(slackUser.Profile.Email)
 
-		if slackUser.IsBot {
+		if slackUser.IsBot || slackUser.Deleted {
 			continue
 		}
 
@@ -102,6 +103,32 @@ func main() {
 			numFindings += len(device.Findings)
 		}
 
+		// check if every slack user has a device in MDM
+		hasDevice := false
+		for _, userWDevice := range usersWithDevices {
+			if strings.EqualFold(userWDevice, userEmail) {
+				hasDevice = true
+				break
+			}
+		}
+
+		if !hasDevice {
+
+			isWhitelisted := false
+			for _, whitelist := range config.Email.Whitelist {
+				if strings.EqualFold(whitelist, userEmail) {
+					isWhitelisted = true
+					break
+				}
+			}
+
+			if !isWhitelisted {
+				errorsToReport = append(errorsToReport, errors.Newf(
+					"%s does not have a device in MDM nor a sensor", userEmail,
+				))
+			}
+		}
+
 		if len(userFalconMsg.Devices) == 0 && numFindings == 0 {
 			continue
 		}
@@ -157,6 +184,39 @@ func main() {
 		}
 	}
 
+	// --- find users without sensors
+
+	for _, userWithSensor := range usersWithSensors {
+		if strings.HasPrefix(userWithSensor, "_NOTAG/") {
+			errorsToReport = append(errorsToReport, errors.Newf(
+				"%s does not have a user email tag assigned", strings.Split("/", userWithSensor)[1],
+			))
+		}
+	}
+
+	for _, userWDevice := range usersWithDevices {
+		if strings.TrimSpace(userWDevice) == "" {
+			continue
+		}
+
+		found := false
+
+		for _, userWSensor := range usersWithSensors {
+			if strings.EqualFold(userWDevice, userWSensor) {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			errorsToReport = append(errorsToReport, errors.Newf(
+				"%s does not have at least one sensor assigned", userWDevice),
+			)
+		}
+	}
+
+	// ---
+
 	overviewText, err := security.BuildSecurityOverviewMessage(logrus.StandardLogger(), *config, falconMessages, ws1Messages, errorsToReport)
 	if err != nil {
 		logrus.WithError(err).Fatal("could not generate security overview")

config/config.go

@@ -17,7 +17,7 @@ type Config struct {
 		Token        string `yaml:"token" env:"SLACK_TOKEN"`
 		SecurityUser string `yaml:"security_user" emv:"SLACK_SECURITY_USER"`
 
-		SkipNoReport bool `yaml:"skip_no_report" env:"SLACK_SKIP_NO_REPORT"`
+		SkipNoReport  bool `yaml:"skip_no_report" env:"SLACK_SKIP_NO_REPORT"`
 		SkipOnHoliday bool `yaml:"skip_on_holiday" env:"SLACK_SKIP_ON_HOLIDAY"`
 	} `yaml:"slack"`
 
@@ -26,31 +26,32 @@ type Config struct {
 		Secret      string `yaml:"secret" env:"FALCON_SECRET"`
 		CloudRegion string `yaml:"cloud_region" env:"FALCON_CLOUD_REGION"`
 
-		SkipNoMitigation bool `yaml:"skip_no_mitigation" env:"FALCON_SKIP_NO_MITIGATION"`
-		SkipSeverities []string `yaml:"skip_severities" env:"FALCON_SKIP_SEVERITIES"`
-		MinCVEBaseScore int `yaml:"min_cve_base_score" env:"FALCON_MIN_CVE_BASE_SCORE"`
-		SkipCVEs []string `yaml:"skip_cves" env:"FALCON_SKIP_CVES"`
-		MinExprtAISeverity string `yaml:"min_exprtai_severity" env:"FALCON_MIN_EXPRTAI_SEVERITYs"`
+		SkipNoMitigation   bool     `yaml:"skip_no_mitigation" env:"FALCON_SKIP_NO_MITIGATION"`
+		SkipSeverities     []string `yaml:"skip_severities" env:"FALCON_SKIP_SEVERITIES"`
+		MinCVEBaseScore    int      `yaml:"min_cve_base_score" env:"FALCON_MIN_CVE_BASE_SCORE"`
+		SkipCVEs           []string `yaml:"skip_cves" env:"FALCON_SKIP_CVES"`
+		MinExprtAISeverity string   `yaml:"min_exprtai_severity" env:"FALCON_MIN_EXPRTAI_SEVERITYs"`
 	} `yaml:"falcon"`
 
 	WS1 struct {
 		Endpoint string `yaml:"api_url" env:"WS1_API_URL"`
-		APIKey string `yaml:"api_key" env:"WS1_API_KEY"`
-		User string `yaml:"user" env:"WS1_USER"`
+		APIKey   string `yaml:"api_key" env:"WS1_API_KEY"`
+		User     string `yaml:"user" env:"WS1_USER"`
 		Password string `yaml:"password" env:"WS1_PASSWORD"`
 
 		SkipFilters []struct {
 			Policy string `yaml:"policy"`
-			User string `yaml:"user"`
-		}  `yaml:"skip"`
+			User   string `yaml:"user"`
+		} `yaml:"skip"`
 	} `yaml:"ws1"`
 
 	Email struct {
-		Domains []string `yaml:"domains" env:"DOMAINS"`
+		Domains   []string `yaml:"domains" env:"DOMAINS"`
+		Whitelist []string `yaml:"whitelist" env:"WHITELIST"`
 	} `yaml:"email"`
 
 	Templates struct {
-		UserMessage string `yaml:"user_message" env:"USER_MESSAGE"`
+		UserMessage             string `yaml:"user_message" env:"USER_MESSAGE"`
 		SecurityOverviewMessage string `yaml:"security_overview_message" env:"SECURITY_OVERVIEW_MESSAGE"`
 	} `yaml:"templates"`
 }

go.mod

@@ -8,5 +8,6 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/slack-go/slack v0.10.2
+	gopkg.in/errgo.v2 v2.1.0
 	gopkg.in/yaml.v2 v2.4.0
 )

go.sum

@@ -629,6 +629,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0 h1:0vLT13EuvQ0hNvakwLuFZ/jYrLp5F3kcWHXdRggjCE8=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

pkg/falcon/extractor.go

@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"github.com/crowdstrike/gofalcon/falcon/client/hosts"
 	"github.com/pkg/errors"
 	"strings"
 
@@ -19,6 +20,7 @@ import (
 const (
 	tagEmailPrefix  = "email/"
 	tagFalconPrefix = "FalconGroupingTags/"
+	tagSensorPrefix = "SensorGroupingTags/"
 )
 
 type FalconResult struct {
@@ -27,17 +29,18 @@ type FalconResult struct {
 }
 
 type UserDevice struct {
+	Hostname    string
 	MachineName string
 	Tags        []string
 	Findings    []UserDeviceFinding
 }
 
 type UserDeviceFinding struct {
-	ProductName         string
-	CveID               string
-	CveSeverity         string
-	TimestampFound      string
-	Mitigations		    []string
+	ProductName    string
+	CveID          string
+	CveSeverity    string
+	TimestampFound string
+	Mitigations    []string
 }
 
 func getUniqueDeviceID(hostInfo models.DomainAPIVulnerabilityHostFacetV2) (string, error) {
@@ -56,6 +59,7 @@ func findEmailTag(tags []string, emailDomains []string) (email string, err error
 	for _, tag := range tags {
 		tag = strings.ToLower(tag)
 		tag = strings.TrimPrefix(tag, strings.ToLower(tagFalconPrefix))
+		tag = strings.TrimPrefix(tag, strings.ToLower(tagSensorPrefix))
 
 		logrus.WithField("tag", tag).Trace("looking at falcon tag")
 
@@ -75,7 +79,7 @@ func findEmailTag(tags []string, emailDomains []string) (email string, err error
 	for _, domain := range emailDomains {
 		encodedDomain := strings.ToLower(strings.ReplaceAll(domain, ".", "/"))
 
-		if ! strings.HasSuffix(email, encodedDomain) {
+		if !strings.HasSuffix(email, encodedDomain) {
 			continue
 		}
 
@@ -110,7 +114,9 @@ func appendUnique(main, adder []string) []string {
 			}
 		}
 
-		if found { continue }
+		if found {
+			continue
+		}
 
 		main = append(main, adder[i])
 	}
@@ -135,7 +141,7 @@ func getSeverityScore(severity string) (int, error) {
 	return -1, errors.New("unknown severity: " + severity)
 }
 
-func GetMessages(config *config.Config, ctx context.Context) (results map[string]FalconResult, err error) {
+func GetMessages(config *config.Config, ctx context.Context) (results map[string]FalconResult, usersWithSensors []string, err error) {
 	falconAPIMaxRecords := int64(400)
 
 	results = map[string]FalconResult{}
@@ -147,31 +153,62 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 		Context:      ctx,
 	})
 	if err != nil {
-		return nil, errors.Wrap(err, "could not initialize Falcon client")
+		return nil, nil, errors.Wrap(err, "could not initialize Falcon client")
+	}
+
+	hostResult, err := client.Hosts.QueryDevicesByFilter(
+		&hosts.QueryDevicesByFilterParams{
+			Filter:  nil,
+			Limit:   &falconAPIMaxRecords,
+			Offset:  nil,
+			Sort:    nil,
+			Context: ctx,
+		},
+	)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "could not query all hosts")
+	}
+
+	hostDetail, err := client.Hosts.GetDeviceDetails(&hosts.GetDeviceDetailsParams{
+		Ids:        hostResult.Payload.Resources,
+		Context:    ctx,
+		HTTPClient: nil,
+	})
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "could not query all host details")
+	}
+
+	for _, detail := range hostDetail.Payload.Resources {
+		email, err := findEmailTag(detail.Tags, config.Email.Domains)
+		if err != nil || email == "" {
+			email = "_NOTAG/" + detail.Hostname
+		}
+
+		usersWithSensors = append(usersWithSensors, strings.ToLower(email))
 	}
 
 	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
 		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
 			Context: ctx,
 			Filter:  "status:'open'",
 			Limit:   &falconAPIMaxRecords,
-			Facet: []string{"host_info", "cve", "remediation"},
+			Facet:   []string{"host_info", "cve", "remediation"},
 		},
 	)
 	if err != nil {
-		return nil, errors.Wrap(err, "could not query vulnerabilities")
+		return nil, nil, errors.Wrap(err, "could not query vulnerabilities")
 	}
 
 	if queryResult == nil {
-		return nil, errors.New("QueryVulnerabilities result was nil")
+		return nil, nil, errors.New("QueryVulnerabilities result was nil")
 	}
 
 	var hostTags []string
 	devices := map[string]UserDevice{}
 
 	minExpertAIScore := 0
 	if newScore, err := getSeverityScore(config.Falcon.MinExprtAISeverity); err != nil {
-		return nil, errors.Wrap(err, "unknown minimum exprtai severity specified")
+		return nil, nil, errors.Wrap(err, "unknown minimum exprtai severity specified")
 	} else {
 		minExpertAIScore = newScore
 	}
@@ -279,6 +316,7 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 
 			if _, ok := devices[uniqueDeviceID]; !ok {
 				devices[uniqueDeviceID] = UserDevice{
+					Hostname: *vuln.HostInfo.Hostname,
 					MachineName: fmt.Sprintf(
 						"%s %s",
 						*vuln.HostInfo.OsVersion,
@@ -313,11 +351,11 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 	}
 
 	if len(devices) == 0 {
-		return results, nil
+		return results, nil, nil
 	}
 
 	if len(hostTags) == 0 {
-		return nil, errors.New("no tags found on decices")
+		return nil, nil, errors.New("no tags found on decices")
 	}
 
 	logrus.WithField("devices", len(devices)).Info("found vulnerable devices")
@@ -335,7 +373,7 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 			}
 		}
 
-		if !hasMitigations{
+		if !hasMitigations {
 			logrus.WithField("device", device.MachineName).
 				Debug("skipping device with vulnerabilities but no mitigations")
 			continue
@@ -366,5 +404,5 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 		results[userEmail] = user
 	}
 
-	return results, nil
+	return results, usersWithSensors, nil
 }

pkg/overview/security/builder.go

@@ -40,15 +40,17 @@ func BuildSecurityOverviewMessage(logger *logrus.Logger, config config.Config, f
 	logrus.Debugf("findings: falcon: %d ws1: %d", len(allFalcon), len(allWS1))
 
 	variables := struct {
-		Falcon []falcon.FalconResult
-		WS1    []ws1.WS1Result
-		Date   time.Time
-		Errors []error
+		Falcon        []falcon.FalconResult
+		WS1           []ws1.WS1Result
+		Date          time.Time
+		Errors        []error
+		MissingSensor []ws1.UserDevice
 	}{
 		Date:   time.Now(),
 		Falcon: allFalcon,
 		WS1:    allWS1,
 		Errors: reportedErrors,
+		//MissingSensor: devicesWithoutFalcon,
 	}
 
 	var buffer bytes.Buffer