From 39e011a1e6a270736e0355e768fb7652bb7f0e55 Mon Sep 17 00:00:00 2001
From: hazcod
Date: Tue, 17 Aug 2021 10:11:23 +0200
Subject: [PATCH 1/2] feat: skip findings w/o mitigations + holiday feature

---
 cmd/main.go             | 2 +-
 config/config.go        | 1 +
 go.mod                  | 2 +-
 go.sum                  | 4 ++--
 pkg/falcon/extractor.go | 11 +++++++++--
 5 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/cmd/main.go b/cmd/main.go
index fa5cc89..2c22351 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -92,7 +92,7 @@ func main() {
 			continue
 		}
 
-		if strings.EqualFold(slackUser.Profile.StatusText, slackStatusHoliday) {
+		if config.Slack.SkipOnHoliday && strings.EqualFold(slackUser.Profile.StatusText, slackStatusHoliday) {
 			logrus.WithField("slack_name", slackUser.Name).Warn("skipping user since he/she is on holiday")
 			continue
 		}
diff --git a/config/config.go b/config/config.go
index 259d1ec..89db16b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -18,6 +18,7 @@ type Config struct {
 
 		SecurityUser string `yaml:"security_user" emv:"SLACK_SECURITY_USER"`
 		SkipNoReport bool `yaml:"skip_no_report" env:"SLACK_SKIP_NO_REPORT"`
+		SkipOnHoliday bool `yaml:"skip_on_holiday" env:"SLACK_SKIP_ON_HOLIDAY"`
 	} `yaml:"slack"`
 
 	Falcon struct {
diff --git a/go.mod b/go.mod
index dce48c7..ce77816 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/hazcod/crowdstrike-spotlight-slacker
 go 1.16
 
 require (
-	github.com/crowdstrike/gofalcon v0.2.6
+	github.com/crowdstrike/gofalcon v0.2.7
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
diff --git a/go.sum b/go.sum
index dc862e1..25f6658 100644
--- a/go.sum
+++ b/go.sum
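Review bot: The holiday skip now hinges on `slackUser.Profile.StatusText`, which is presumably set by the user themselves, so once `skip_on_holiday` is enabled a recipient can silence their own vulnerability notifications indefinitely just by keeping that status, and the finding is dropped for this run with only a Warn log — nothing visible in the hunk carries it to the security overview. Consider counting skipped users and surfacing that count (or the withheld findings) in the report sent to `security_user`, and tagging the log with the setting so operators can tell why a message was withheld, e.g. `logrus.WithField("slack_name", slackUser.Name).WithField("skip_on_holiday", true).Warn("skipping user since he/she is on holiday")`. Note also that `EqualFold` is an exact (case-insensitive) match, so any extra whitespace in the status text defeats the skip; `strings.TrimSpace` on the status before comparing is cheap if that is the intent. The enclosing `main` loop starts and ends outside the hunk.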
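Review bot: `SkipOnHoliday` has no default, so existing deployments whose config omits `skip_on_holiday` silently lose the holiday skip that was unconditional before this commit (bool zero value is `false`); if that is intended, say so in a field doc comment, otherwise apply a default where the config is loaded. Two adjacent tag issues are worth fixing while here: the `SecurityUser` line above carries `emv:` rather than `env:`, and if these `env:` tags are meant for kelseyhightower/envconfig (the only config library listed in go.mod), that library reads the `envconfig:` tag key, so `SLACK_SKIP_ON_HOLIDAY` may never be picked up from the environment — worth confirming against the loader. A one-line comment such as `// SkipOnHoliday suppresses per-user messages while the user's Slack status matches the holiday text.` would document the new knob. The `Config` struct continues outside the hunk.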
@@ -54,8 +54,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crowdstrike/gofalcon v0.2.6 h1:WRZV6stnbfVKYwfDOUmGZp92lT0FkkQLxFpSlriins0=
-github.com/crowdstrike/gofalcon v0.2.6/go.mod h1:tM+/b9HnHhJxysZmpn2ZXDfv1F4r4VSp6tFdCao/3Gw=
+github.com/crowdstrike/gofalcon v0.2.7 h1:aijfM6rg3Y+baE0DIk8F2bAMfieG7BPn2o3vNtVsUY4=
+github.com/crowdstrike/gofalcon v0.2.7/go.mod h1:tM+/b9HnHhJxysZmpn2ZXDfv1F4r4VSp6tFdCao/3Gw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/pkg/falcon/extractor.go b/pkg/falcon/extractor.go
index fff336b..921e658 100644
--- a/pkg/falcon/extractor.go
+++ b/pkg/falcon/extractor.go
@@ -119,7 +119,7 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 
 	queryResult, err := client.SpotlightVulnerabilities.QueryVulnerabilities(
 		&spotlight_vulnerabilities.QueryVulnerabilitiesParams{
-			Context: context.Background(),
+			Context: ctx,
 			Filter: "status:'open',remediation.ids:'*'",
 			Limit: &falconAPIMaxRecords,
 		},
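Review bot: Threading the caller's `ctx` into the query is the right fix, but the signature shown in the hunk header, `func GetMessages(config *config.Config, ctx context.Context)`, puts the context second; Go convention is `ctx` first, `func GetMessages(ctx context.Context, config *config.Config)`, and this change is the natural moment to align it. Note too that a `nil` ctx from any caller was previously masked by `context.Background()` and would now reach the SDK, so the call sites are worth a quick check. `GetMessages` continues outside the hunk.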
@@ -177,12 +177,19 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 			ProductName: *vuln.App.ProductNameVersion,
 			CveID: *vuln.Cve.ID,
 			CveSeverity: *vuln.Cve.Severity,
-			MitigationAvailable: true,
+			MitigationAvailable: len(vuln.Remediation.Ids) > 0,
 			TimestampFound: *vuln.CreatedTimestamp,
 		}
 
 		logrus.Warnf("%+v", vuln.HostInfo.Tags)
 
+		if !deviceFinding.MitigationAvailable {
+			logrus.WithField("cve",*vuln.Cve.ID).WithField("severity", *vuln.Cve.Severity).
+				WithField("product", *vuln.App.ProductNameVersion).
+				Warn("skipping finding without mitigation(s)")
+			continue
+		}
+
 		if _, ok := devices[uniqueDeviceID]; !ok {
 			devices[uniqueDeviceID] = UserDevice{
 				MachineName: fmt.Sprintf(
From 3958a7054848a0ade09995853580bf26b8fdbef5 Mon Sep 17 00:00:00 2001
From: Niels Hofmans
Date: Tue, 17 Aug 2021 10:17:29 +0200
Subject: [PATCH 2/2] chore: add readme skip_on_holiday

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index a5a8585..36d22c9 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,8 @@ slack:
   security_user: "security@mycompany.com"
   # skip sending a security overview if there is nothing to mention
   skip_no_report: true
+  # don't send a message to the user if 'Vacationing' status is set
+  skip_on_holiday: true
 
 # falcon crowdstrike
 falcon:
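Review bot: The new skip branch looks unreachable as written: the query in the earlier hunk filters on `remediation.ids:'*'`, so every returned vulnerability should already carry at least one remediation id and `len(vuln.Remediation.Ids) > 0` would always hold — either the filter or the check is redundant, and if findings without a remediation are meant to be skipped here the two need to agree (confirm against the Spotlight filter semantics). If `vuln.Remediation` is a pointer in the gofalcon model, as its generated types typically are, a record without remediation data would nil-dereference on the `MitigationAvailable:` line, so `vuln.Remediation != nil && len(vuln.Remediation.Ids) > 0` is the safer form. The log inside the branch re-dereferences the same fields just copied into `deviceFinding`, and Warn is a loud level for a per-finding condition that is now expected; `logrus.WithField("cve", deviceFinding.CveID).WithField("severity", deviceFinding.CveSeverity).WithField("product", deviceFinding.ProductName).Debug("skipping finding without mitigation(s)")` reads cleaner (gofmt would also insert the space after `"cve",`). From a reporting standpoint, dropping unmitigable findings means they never reach the security overview either, so counting them and surfacing the count keeps the gap visible. `GetMessages` continues outside the hunk.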