
stormspotter's Introduction


Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.


Installation

With Docker

Most users may find it easier to install Stormspotter via Docker. This is the recommended method.

git clone https://github.com/Azure/Stormspotter
cd Stormspotter
docker-compose up

The docker-compose file will create three containers:

  • Stormspotter Frontend
  • Stormspotter Backend
  • Neo4j v4

By default, the Stormspotter container will expose the UI on port 9091. The neo4j container will expose neo4j on ports 7474 (HTTP) and 7687 (Bolt). The default configuration of Neo4j does not have SSL enabled, so you may initially interact directly with the neo4j interface over HTTP on port 7474.

Note: Currently, Stormspotter only supports running these containers locally. Attempting to upload to a frontend hosted remotely will be unsuccessful, but this behavior is expected to change in the future.

The default credentials for neo4j are: neo4j/password. You can change this in the docker-compose file via the NEO4J_AUTH environment variable.
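A check for the two defaults described above (the neo4j/password credential and the published ports), written as an added example that is not part of the Stormspotter repository. It assumes the compose file has already been loaded into a Python dict; the service definitions are constructed for illustration, with only the port numbers and the default credential taken from this page.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_NEO4J_AUTH = "neo4j/password"  # default credential stated above

# Constructed sample, not the project's actual compose file. Service names and
# images are assumptions; the ports and credential are the ones listed above.
DEFAULT_LIKE = {
    "services": {
        "stormspotter-neo4j": {
            "image": "neo4j:4.0",
            "environment": ["NEO4J_AUTH=neo4j/password"],
            "ports": ["7474:7474", "7687:7687"],
        },
        "stormspotter-backend": {"ports": ["9090:9090"]},
        "stormspotter-frontend": {"ports": ["9091:9091"]},
    }
}

# Same constructed services with loopback-only bindings and a changed password
# (the password is a placeholder).
HARDENED = {
    "services": {
        "stormspotter-neo4j": {
            "image": "neo4j:4.0",
            "environment": {"NEO4J_AUTH": "neo4j/<unique-long-password>"},
            "ports": [
                "127.0.0.1:7474:7474",
                {"target": 7687, "published": "7687", "host_ip": "127.0.0.1"},
            ],
        },
        "stormspotter-backend": {"ports": ["127.0.0.1:9090:9090"]},
        "stormspotter-frontend": {"ports": ["127.0.0.1:9091:9091"]},
    }
}


def env_as_dict(env):
    """Compose accepts environment as a mapping or a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return {k: "" if v is None else str(v) for k, v in env.items()}
    pairs = (str(item).partition("=") for item in env or [])
    return {key: value for key, _, value in pairs}


def host_ip(port):
    """Return the host IP a port entry binds to, or None for all interfaces."""
    if isinstance(port, dict):                      # long syntax
        return port.get("host_ip") or None
    spec = str(port).split("/")[0]                  # drop "/tcp" or "/udp"
    parts = spec.rsplit(":", 2)                     # [ip,] host_port, container_port
    return parts[0].strip("[]") if len(parts) == 3 else None


def audit_compose(compose):
    """Return (service, issue, detail) tuples for risky defaults."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        env = env_as_dict(svc.get("environment"))
        if "neo4j" in str(svc.get("image", "")) or "NEO4J_AUTH" in env:
            auth = env.get("NEO4J_AUTH")
            if auth == DEFAULT_NEO4J_AUTH:
                findings.append((name, "default-credentials", auth))
            elif auth == "none":                    # the image disables auth on "none"
                findings.append((name, "auth-disabled", auth))
        for port in svc.get("ports") or []:
            if host_ip(port) not in LOOPBACK:       # Docker publishes on all interfaces
                findings.append((name, "non-loopback-port", str(port)))
    return findings


if __name__ == "__main__":
    for finding in audit_compose(DEFAULT_LIKE):
        print(*finding, sep="\t")
    print("hardened findings:", audit_compose(HARDENED))
```

A port written without a host IP is published on every interface of the Docker host, so the graph database is reachable from the network unless the binding is restricted or a firewall blocks it.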

Without Docker

If you choose to run Stormspotter without Docker, you must have Python 3.8, NodeJS/npm, and Neo4j installed. You can also grab the latest Stormspotter releases from here.

Backend

The backend handles parsing data into Neo4j and is built with FastAPI. If you don't plan on uploading new content for the database, you may not need to run the backend at all. The backend is configured to run on port 9090. You may change this by changing the port number on line 5 of app.py. If you do, you must also change the port in the Q-Uploader component in the DatabaseView Component so that the uploads from the frontend get sent to the correct port where the backend resides.

cd backend
python3 ssbackend.pyz

Web App

The web app is developed using Vue and the Quasar Framework. The single-page app (SPA) has been built for you and resides in frontend/dist/spa. To serve this directory:

npm install -g @quasar/cli
cd frontend/dist/spa
quasar serve -p 9091 --history

You can then visit http://localhost:9091 in your browser.

Running Stormspotter

Stormcollector

Stormcollector is the portion of Stormspotter that allows you to enumerate the subscriptions the provided credentials have access to. The RECOMMENDED way to use Stormcollector is to run the sscollector.pyz package, found in the release file for your operating system. This PYZ has been created with Shiv and comes with all the packages already zipped up! The dependencies will extract themselves to a .shiv folder in the user's home directory.

cd stormcollector
python3 sscollector.pyz -h

If for some reason you don't want to use the provided package, you may install the required packages with pip or pipenv. With this approach, it's highly recommended to install Stormcollector in a virtual environment to prevent package conflicts. If you have issues managing your virtual environments, you should use the recommended method above.

cd stormcollector
python3 -m pip install pipenv
pipenv install .
python3 ./sscollector.py

Current login types supported:

  • Azure CLI (must use az login first)
  • Service Principal Client ID/Secret

You can check out all of the options Stormcollector offers by using the -h switch as shown above. The most basic usages of Stormcollector are:

python3 sscollector.pyz cli
python3 sscollector.pyz spn -t <tenant> -c <clientID> -s <clientSecret>

Common options for all authentication types

  • --cloud: Specify a different Azure Cloud (GERMAN, CHINA, USGOV)
  • --config: Specify a custom configuration for cloud environments
  • --azure: Only enumerate Azure Resource Manager resources
  • --aad: Only enumerate Azure Active Directory
  • --subs: Subscriptions you wish to scan. Multiple subscriptions can be added as a space-delimited list.
  • --nosubs: Subscriptions you wish to exclude. Multiple subscriptions can be excluded as a space-delimited list.
  • --json: Convert SQLite output to JSON (WARNING: STORMSPOTTER ONLY PARSES SQLITE FORMAT)
    • This option is useful if you want to parse the output for reasons other than Stormspotter.
  • --ssl-cert: Specify an SSL cert for Stormcollector to use for requests. Not a common option.
  • --backfill: Perform AAD enumeration only for object IDs associated with RBAC enumeration. Only applicable when --azure is specified.

Uploading Results

Once you've started up the UI, you will see a section in the database tab labeled "Stormcollector Upload". Add your file to this uploader and the processing will begin. As the results get processed, you can check the backend logs to view progress, and the results should also be reflected in the same Database View tab.

Notes

  • With Stormspotter currently in beta, not all resource types have been implemented for display. You may see labels with missing icons and/or labels that simply display the "name" and "id" fields. Over time, more resources will be properly implemented.

Known Issues

Screenshots

  • View Permissions on a KeyVault Screenshot1

  • Show Members of an Azure AD Role Screenshot2

  • Show Incoming and Outgoing Relationships Screenshot3

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

stormspotter's People

Contributors

daddycocoaman, dependabot[bot], jaguasch, jaybeale, jemrobinson, legra-ms, microsoft-github-operations[bot], microsoft-github-policy-service[bot], microsoftopensource

stormspotter's Issues

python3 sscollector.pyz cli error

Hi,

While running the above command, I got the log below, and the results zip is created. When I try to upload this results zip in the FE, I get an error. The results zip took a good amount of time to be generated -

Log -

2020-09-09 13:30:29.063 | ERROR    | asyncio.events:_run:81 - An error has been caught in function '_run', process 'MainProcess' (5661), thread 'MainThread' (140196066711360):
Traceback (most recent call last):

  File "/usr/lib/python3.8/runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
           │         │     └ {'__name__': '__main__', '__doc__': None, '__package__': '', '__loader__': <zipimporter object "sscollector.pyz/">, '__spec__...
           │         └ <code object <module> at 0x7f81f08e1b30, file "sscollector.pyz/__main__.py", line 2>
           └ <function _run_code at 0x7f81f097fc10>
  File "/usr/lib/python3.8/runpy.py", line 86, in _run_code
    exec(code, run_globals)
         │     └ {'__name__': '__main__', '__doc__': None, '__package__': '', '__loader__': <zipimporter object "sscollector.pyz/">, '__spec__...
         └ <code object <module> at 0x7f81f08e1b30, file "sscollector.pyz/__main__.py", line 2>

  File "sscollector.pyz/__main__.py", line 3, in <module>

  File "sscollector.pyz/_bootstrap/__init__.py", line 233, in bootstrap

  File "sscollector.pyz/_bootstrap/__init__.py", line 36, in run

  File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/main.py", line 119, in main
    asyncio.run(run(args))
    │       │   │   └ Namespace(aad=False, auth='cli', azure=False, cloud='PUBLIC', config=None, get_creds=<function Context.auth at 0x7f81efcfe670...
    │       │   └ <function run at 0x7f81f02d10d0>
    │       └ <function run at 0x7f81f02b88b0>
    └ <module 'asyncio' from '/usr/lib/python3.8/asyncio/__init__.py'>

  File "/usr/lib/python3.8/asyncio/runners.py", line 43, in run
    return loop.run_until_complete(main)
           │    │                  └ <coroutine object run at 0x7f81eec06340>
           │    └ <function BaseEventLoop.run_until_complete at 0x7f81f00119d0>
           └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 603, in run_until_complete
    self.run_forever()
    │    └ <function BaseEventLoop.run_forever at 0x7f81f0011940>
    └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 570, in run_forever
    self._run_once()
    │    └ <function BaseEventLoop._run_once at 0x7f81f00144c0>
    └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 1859, in _run_once
    handle._run()
    │      └ <function Handle._run at 0x7f81f00a23a0>
    └ <Handle <TaskWakeupMethWrapper object at 0x7f81d43893d0>(<Future finished result=None>)>
> File "/usr/lib/python3.8/asyncio/events.py", line 81, in _run
    self._context.run(self._callback, *self._args)
    │    │            │    │           │    └ <member '_args' of 'Handle' objects>
    │    │            │    │           └ <Handle <TaskWakeupMethWrapper object at 0x7f81d43893d0>(<Future finished result=None>)>
    │    │            │    └ <member '_callback' of 'Handle' objects>
    │    │            └ <Handle <TaskWakeupMethWrapper object at 0x7f81d43893d0>(<Future finished result=None>)>
    │    └ <member '_context' of 'Handle' objects>
    └ <Handle <TaskWakeupMethWrapper object at 0x7f81d43893d0>(<Future finished result=None>)>

  File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/stormcollector/aad.py", line 46, in query_objects
    parsedVal = await self.parse(value)
                      │    │     └ {'odata.type': 'Microsoft.DirectoryServices.Group', 'objectType': 'Group', 'objectId': 'abccfb09-8df9-48c7-b071-adf71f4f803f'...
                      │    └ <function AADGroup.parse at 0x7f81eed6dd30>
                      └ AADGroup(ctx=<stormcollector.auth.Context object at 0x7f81eebac1c0>, tenant_id='myorganization', base_url='https://graph.wind...

  File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/stormcollector/aad.py", line 123, in parse
    owner.get("objectId") or owner.get("id") for owner in owners["value"]
                                                          └ {'odata.error': {'code': 'Authentication_ExpiredToken', 'message': {'lang': 'en', 'value': 'Your access token has expired. Pl...

KeyError: 'value'
Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x7f81edb04a60>
Unclosed connector
connections: ['[(<aiohttp.client_proto.ResponseHandler object at 0x7f81edb2f880>, 373672.262163161)]']
connector: <aiohttp.connector.TCPConnector object at 0x7f81edb1dbe0>
2020-09-09 13:30:33.365 | ERROR    | asyncio.events:_run:81 - An error has been caught in function '_run', process 'MainProcess' (5661), thread 'MainThread' (140196066711360):
Traceback (most recent call last):

  File "/usr/lib/python3.8/runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
           │         │     └ {'__name__': '__main__', '__doc__': None, '__package__': '', '__loader__': <zipimporter object "sscollector.pyz/">, '__spec__...
           │         └ <code object <module> at 0x7f81f08e1b30, file "sscollector.pyz/__main__.py", line 2>
           └ <function _run_code at 0x7f81f097fc10>
  File "/usr/lib/python3.8/runpy.py", line 86, in _run_code
    exec(code, run_globals)
         │     └ {'__name__': '__main__', '__doc__': None, '__package__': '', '__loader__': <zipimporter object "sscollector.pyz/">, '__spec__...
         └ <code object <module> at 0x7f81f08e1b30, file "sscollector.pyz/__main__.py", line 2>

  File "sscollector.pyz/__main__.py", line 3, in <module>

  File "sscollector.pyz/_bootstrap/__init__.py", line 233, in bootstrap

  File "sscollector.pyz/_bootstrap/__init__.py", line 36, in run

  File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/main.py", line 119, in main
    asyncio.run(run(args))
    │       │   │   └ Namespace(aad=False, auth='cli', azure=False, cloud='PUBLIC', config=None, get_creds=<function Context.auth at 0x7f81efcfe670...
    │       │   └ <function run at 0x7f81f02d10d0>
    │       └ <function run at 0x7f81f02b88b0>
    └ <module 'asyncio' from '/usr/lib/python3.8/asyncio/__init__.py'>

  File "/usr/lib/python3.8/asyncio/runners.py", line 43, in run
    return loop.run_until_complete(main)
           │    │                  └ <coroutine object run at 0x7f81eec06340>
           │    └ <function BaseEventLoop.run_until_complete at 0x7f81f00119d0>
           └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 603, in run_until_complete
    self.run_forever()
    │    └ <function BaseEventLoop.run_forever at 0x7f81f0011940>
    └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 570, in run_forever
    self._run_once()
    │    └ <function BaseEventLoop._run_once at 0x7f81f00144c0>
    └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 1859, in _run_once
    handle._run()
    │      └ <function Handle._run at 0x7f81f00a23a0>
    └ <Handle <TaskWakeupMethWrapper object at 0x7f81d446e040>(<Future finished result=None>)>
> File "/usr/lib/python3.8/asyncio/events.py", line 81, in _run
    self._context.run(self._callback, *self._args)
    │    │            │    │           │    └ <member '_args' of 'Handle' objects>
    │    │            │    │           └ <Handle <TaskWakeupMethWrapper object at 0x7f81d446e040>(<Future finished result=None>)>
    │    │            │    └ <member '_callback' of 'Handle' objects>
    │    │            └ <Handle <TaskWakeupMethWrapper object at 0x7f81d446e040>(<Future finished result=None>)>
    │    └ <member '_context' of 'Handle' objects>
    └ <Handle <TaskWakeupMethWrapper object at 0x7f81d446e040>(<Future finished result=None>)>

  File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/stormcollector/aad.py", line 43, in query_objects
    raise Exception(response)
                    └ {'odata.error': {'code': 'Authentication_ExpiredToken', 'message': {'lang': 'en', 'value': 'Your access token has expired. Pl...

Exception: {'odata.error': {'code': 'Authentication_ExpiredToken', 'message': {'lang': 'en', 'value': 'Your access token has expired. Please renew it before submitting the request.'}}}
Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x7f81edb84520>
Unclosed connector
connections: ['[(<aiohttp.client_proto.ResponseHandler object at 0x7f81ec295ca0>, 373676.563147996)]']
connector: <aiohttp.connector.TCPConnector object at 0x7f81eebdd070>
2020-09-09 13:30:33.368 | INFO     | main:main:120 - Zipping up output...
2020-09-09 13:30:41.792 | INFO     | main:main:124 - --- COMPLETE: 3912.481698513031 seconds. OUTPUT: /stormspotter/stormcollector/results_20200909-122529.zip ---
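
The first traceback above ends in KeyError: 'value' because the owners response was an odata.error envelope rather than data. One way to check for that envelope and renew the token once before giving up, as an added example that is not Stormcollector's code; `fetch` and `refresh` are hypothetical callables standing in for the directory request and the credential source.

```python
import asyncio

# Error envelope copied from the log above.
EXPIRED_RESPONSE = {
    "odata.error": {
        "code": "Authentication_ExpiredToken",
        "message": {
            "lang": "en",
            "value": "Your access token has expired. "
                     "Please renew it before submitting the request.",
        },
    }
}


class GraphError(Exception):
    """Raised when a response is an odata.error envelope instead of data."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def unwrap_value(response):
    """Return response["value"], or raise GraphError for an error envelope."""
    error = response.get("odata.error") if isinstance(response, dict) else None
    if error is not None:
        message = error.get("message") or {}
        text = message.get("value", "") if isinstance(message, dict) else str(message)
        raise GraphError(error.get("code", "Unknown"), text)
    if not isinstance(response, dict) or "value" not in response:
        raise GraphError("MalformedResponse", "no 'value' key in response")
    return response["value"]


def owner_ids(owners_response):
    """Same extraction as the failing line, but only after the envelope check."""
    return [o.get("objectId") or o.get("id") for o in unwrap_value(owners_response)]


async def query_with_refresh(fetch, refresh, token, max_refreshes=1):
    """Call fetch(token); on an expired token, refresh and retry.

    Returns (value_list, token_in_use) so the caller keeps the renewed token.
    Any other error, or a second expiry, propagates and fails the run loudly.
    """
    refreshes = 0
    while True:
        try:
            return unwrap_value(await fetch(token)), token
        except GraphError as exc:
            if exc.code != "Authentication_ExpiredToken" or refreshes >= max_refreshes:
                raise
            token = await refresh()
            refreshes += 1


def run_demo():
    """Drive the retry with constructed stand-ins for the API and token source."""
    seen = []

    async def fetch(token):
        seen.append(token)
        if token == "token-1":                      # constructed: first token is stale
            return EXPIRED_RESPONSE
        return {"value": [{"objectId": "owner-a"}, {"id": "owner-b"}]}

    async def refresh():
        return "token-2"

    owners, token = asyncio.run(query_with_refresh(fetch, refresh, "token-1"))
    return [o.get("objectId") or o.get("id") for o in owners], token, seen


if __name__ == "__main__":
    print(run_demo())
```

A collection that stops on token expiry still produces a results zip, so the resulting graph can be missing objects without any sign of it in the UI.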

Roles for stormcollector?

Am I missing something, but what are the recommended minimum Azure AD / RBAC roles for stormcollector? Thanks

Neo4j Authentication Error

I am logging in to the neo4j instance whilst using docker and am not being authenticated.

I made changes to the password in the docker compose and it is still not allowing me to authenticate.

Could someone please help?

Azure CLI not found

Testing out Stormspotter on a Ubuntu machine in Azure using LTS 20.04.

Running into error that says "Azure CLI not found on path"

All prerequisites are installed. Attaching a couple screenshots instead of the whole process, at the end is where we are getting the error.

See attached.
stormspotter error 03072022.docx

python3 sscollector.pyz -h | Error

I got the error below while trying to run python3 sscollector.pyz -h

Note - I am using Ubuntu OS

File "", line 991, in _find_and_load
File "", line 975, in _find_and_load_unlocked
File "", line 671, in _load_unlocked
File "", line 783, in exec_module
File "", line 219, in _call_with_frames_removed
File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/main.py", line 14, in
from stormcollector.aad import query_aad
File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/stormcollector/aad.py", line 9, in
from .auth import Context
File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/stormcollector/auth.py", line 43, in
class Context:
File "/root/.shiv/sscollector_f1bc86a4f6f6fe47e7a3adca48b68f91357a3dc18de4c8a256722b4a00ef2273/site-packages/stormcollector/auth.py", line 68, in Context
) -> Tuple[identity.AzureCliCredential, identity_aio.AzureCliCredential]:
AttributeError: module 'azure.identity' has no attribute 'AzureCliCredential'

missing rbac.json file inside results.zip

Hi,
I am running the following command:
stormstopper --cli while connected to a global administrator account; this user is also owner of the subscriptions in the account.
After querying all the APIs, the results.zip is missing the rbac.json file, which causes the stormdash script to crash.

No permissions specs specified for the azure appliance

Hi,

I seem unable to find the necessary Azure permissions to use the -spn flag for the scollector.

I set up an Azure appliance/service principal with what I thought might be the necessary permissions, but it failed with "access denied to specified API version", ending with "Insufficient privileges to complete the operation".

I don't know any other way to dump the logs. Can someone direct me to where the necessary Azure permissions are for the -spn flag?

Thanks in advance

Fixed context.py: KeyError: 'availabilitySet'

Pull requests not working for me so adding it to here:

If VMs have availability sets configured, stormdash.py crashed with the error: "KeyError: 'availabilitySet'"

Fixed by opening context.py under /stormspotter/dash/core/ and adding ["properties"] in line 319:
vmas_id = vm["properties"]["availabilitySet"]["id"]

resource enumeration : NoRegisteredProviderFound for hardcoded API version '2018-02-14'

Hi,

There seems to be a hardcoded version issue in sscollector.pyz. I tried to patch the specific .shiv packaged file in my ~/.shiv/ with a brand new version but encountered import errors related to that version.

  • sscollector cli - error, only fetches an equivalent of az resource list
  • sscollector cli --azure, same as no parameter, raises the error below and only fetches an equivalent of az resource list
  • sscollector cli --aad - works, no error, now we're speaking, it works, 400MB and counting in the output folder

azure.core.exceptions.HttpResponseError: (NoRegisteredProviderFound) No registered resource provider found for location 'canadacentral' and API version '2018-02-14' for type 'workbooks'. The supported api-versions are '2018-06-01-preview, 2018-06-17-preview, 2020-02-12, 2020-10-20'. The supported locations are ', westeurope, southcentralus, eastus, northeurope, southeastasia, westus2, japaneast, australiaeast, koreacentral, francecentral, centralus, eastus2, eastasia, westus, canadacentral, centralindia, uksouth, ukwest, southafricanorth, northcentralus, brazilsouth, switzerlandnorth, norwayeast, australiasoutheast'.

Running sscollector.pyz

user@debian:~/git/stormspotter/stormcollector$ python3 sscollector.pyz cli --azure
2021-01-21 07:44:33.874 | INFO     | stormcollector.auth:_get_resource_creds_from_cli:73 - Authenticating to login.microsoftonline.com with CLI credentials.
2021-01-21 07:44:33.875 | INFO     | stormcollector.arm:query_arm:134 - Starting enumeration for ARM - https://management.azure.com
2021-01-21 07:44:36.276 | INFO     | stormcollector.arm:query_arm:142 - Enumerating subscription and resource groups for tenant x
2021-01-21 07:44:36.677 | INFO     | stormcollector.arm:_query_management_certs:103 - Enumerating management certs for subscription: x
2021-01-21 07:44:38.727 | WARNING  | stormcollector.arm:_query_management_certs:111 - Forbidden: Cannot enumerate management certs for x
2021-01-21 07:44:38.729 | INFO     | stormcollector.arm:_query_rbac:81 - Enumerating rbac permissions for subscription: x
2021-01-21 07:44:55.568 | INFO     | stormcollector.arm:_query_rbac:97 - Finishing rbac permissions for subscription: x
2021-01-21 07:44:56.099 | INFO     | stormcollector.arm:_query_subscription:55 - Querying for resources in subscription - x
2021-01-21 07:45:06.525 | ERROR    | asyncio.events:_run:81 - An error has been caught in function '_run', process 'MainProcess' (2793), thread 'MainThread' (140393654445888):
Traceback (most recent call last):

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/stormcollector/arm.py", line 28, in _query_resource
    response = await client.resources.get_by_id(resource_id, api_version)
                     │      │                   │            └ '2018-02-14'
                     │      │                   └ '/subscriptions/191c06c2-637b-4a1e-8efa-143e899b7ab4/resourceGroups/rg-sentinel-secops/providers/microsoft.insights/workbooks...
                     │      └ <property object at 0x7fafef2b02c0>
                     └ <azure.mgmt.resource.resources.aio._resource_management_client.ResourceManagementClient object at 0x7fafede64490>

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/azure/mgmt/resource/resources/v2020_06_01/aio/operations/_resources_operations.py", line 1470, in get_by_id
    raise HttpResponseError(response=response, error_format=ARMErrorFormat)
          │                          │                      └ <class 'azure.mgmt.core.exceptions.ARMErrorFormat'>
          │                          └ <azure.core.pipeline.transport._aiohttp.AioHttpTransportResponse object at 0x7fafd769c160>
          └ <class 'azure.core.exceptions.HttpResponseError'>

azure.core.exceptions.HttpResponseError: (NoRegisteredProviderFound) No registered resource provider found for location 'canadacentral' and API version '2018-02-14' for type 'workbooks'. The supported api-versions are '2018-06-01-preview, 2018-06-17-preview, 2020-02-12, 2020-10-20'. The supported locations are ', westeurope, southcentralus, eastus, northeurope, southeastasia, westus2, japaneast, australiaeast, koreacentral, francecentral, centralus, eastus2, eastasia, westus, canadacentral, centralindia, uksouth, ukwest, southafricanorth, northcentralus, brazilsouth, switzerlandnorth, norwayeast, australiasoutheast'.


During handling of the above exception, another exception occurred:


Traceback (most recent call last):

  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
           │         │     └ {'__name__': '__main__', '__doc__': None, '__package__': '', '__loader__': <zipimporter object "sscollector.pyz/">, '__spec__...
           │         └ <code object <module> at 0x7faff1827f50, file "sscollector.pyz/__main__.py", line 2>
           └ <function _run_code at 0x7faff18760d0>
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
         │     └ {'__name__': '__main__', '__doc__': None, '__package__': '', '__loader__': <zipimporter object "sscollector.pyz/">, '__spec__...
         └ <code object <module> at 0x7faff1827f50, file "sscollector.pyz/__main__.py", line 2>

  File "sscollector.pyz/__main__.py", line 3, in <module>

  File "sscollector.pyz/_bootstrap/__init__.py", line 241, in bootstrap

  File "sscollector.pyz/_bootstrap/__init__.py", line 36, in run

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/main.py", line 124, in main
    asyncio.run(run(args))
    │       │   │   └ Namespace(aad=False, auth='cli', azure=True, backfill=False, cloud='PUBLIC', config=None, get_creds=<function Context.auth at...
    │       │   └ <function run at 0x7faff126a430>
    │       └ <function run at 0x7faff11abc10>
    └ <module 'asyncio' from '/usr/lib/python3.8/asyncio/__init__.py'>

  File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
           │    │                  └ <coroutine object run at 0x7fafef24a3c0>
           │    └ <function BaseEventLoop.run_until_complete at 0x7faff0f26e50>
           └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 603, in run_until_complete
    self.run_forever()
    │    └ <function BaseEventLoop.run_forever at 0x7faff0f26dc0>
    └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 570, in run_forever
    self._run_once()
    │    └ <function BaseEventLoop._run_once at 0x7faff0f2a940>
    └ <_UnixSelectorEventLoop running=True closed=False debug=False>
  File "/usr/lib/python3.8/asyncio/base_events.py", line 1859, in _run_once
    handle._run()
    │      └ <function Handle._run at 0x7faff0fa3700>
    └ <Handle <TaskStepMethWrapper object at 0x7fafef1ca310>()>
> File "/usr/lib/python3.8/asyncio/events.py", line 81, in _run
    self._context.run(self._callback, *self._args)
    │    │            │    │           │    └ <member '_args' of 'Handle' objects>
    │    │            │    │           └ <Handle <TaskStepMethWrapper object at 0x7fafef1ca310>()>
    │    │            │    └ <member '_callback' of 'Handle' objects>
    │    │            └ <Handle <TaskStepMethWrapper object at 0x7fafef1ca310>()>
    │    └ <member '_context' of 'Handle' objects>
    └ <Handle <TaskStepMethWrapper object at 0x7fafef1ca310>()>

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/stormcollector/arm.py", line 203, in query_arm
    tenant_dict["subscriptions"].append(await result)
    │                                         └ <coroutine object as_completed.<locals>._wait_for_one at 0x7fafedf5a140>
    └ {'id': '/tenants/x', 'tenant_id': 'x', 'tenant_category...

  File "/usr/lib/python3.8/asyncio/tasks.py", line 616, in _wait_for_one
    return f.result()  # May raise f.exception().
           │ └ <method 'result' of '_asyncio.Task' objects>
           └ <Task finished name='Task-14' coro=<_query_subscription() done, defined at /home/user/.shiv/sscollector_c820988d13859f1bb6118...

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/stormcollector/arm.py", line 69, in _query_subscription
    res = await _query_resource(rm_client, resource.id)
                │               │          │        └ '/subscriptions/x/resourceGroups/x/providers/microsoft.insights/workbooks...
                │               │          └ <azure.mgmt.resource.resources.v2020_06_01.models._models_py3.GenericResourceExpanded object at 0x7fafd76365e0>
                │               └ <azure.mgmt.resource.resources.aio._resource_management_client.ResourceManagementClient object at 0x7fafede64490>
                └ <function _query_resource at 0x7fafef57c040>

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/stormcollector/arm.py", line 45, in _query_resource
    return await _query_resource(
                 └ <function _query_resource at 0x7fafef57c040>

  File "/home/user/.shiv/sscollector_c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0/site-packages/stormcollector/arm.py", line 29, in _query_resource
    return response.as_dict()
           └ None

AttributeError: 'NoneType' object has no attribute 'as_dict'
2021-01-21 07:45:06.559 | INFO     | main:main:125 - --- COMPLETE: 32.68561935424805 seconds. ---
2021-01-21 07:45:06.560 | INFO     | main:main:127 - Zipping up output...
2021-01-21 07:45:06.562 | INFO     | main:main:129 - OUTPUT: /home/user/git/stormspotter/stormcollector/results_20210121-074433.zip

Version:

user@debian:~/git/stormspotter/stormcollector$ unzip -p sscollector.pyz environment.json | jq .
{
  "always_write_cache": false,
  "build_id": "c820988d13859f1bb61185859fa4382c0b0b940dd43447e95de851c2d7e834d0",
  "built_at": "2021-01-19 05:41:16",
  "hashes": {},
  "no_modify": false,
  "reproducible": false,
  "script": null,
  "shiv_version": "0.4.0",
  "preamble": null,
  "entry_point": "main:main",
  "compile_pyc": false,
  "extend_pythonpath": true,
  "root": null
}
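
The NoRegisteredProviderFound message in this issue lists the api-versions the provider does accept. One way to recover from it is to parse that list, retry once with the newest stable version, and record any resource that still fails. This is an added example, not the collector's code: `ProviderError` is a local stand-in for the SDK's HTTP error, and `fetch` is a hypothetical callable.

```python
import re

# Message text taken from the issue above; the supported-locations list is shortened.
SAMPLE_MESSAGE = (
    "(NoRegisteredProviderFound) No registered resource provider found for "
    "location 'canadacentral' and API version '2018-02-14' for type 'workbooks'. "
    "The supported api-versions are '2018-06-01-preview, 2018-06-17-preview, "
    "2020-02-12, 2020-10-20'. The supported locations are ', westeurope, canadacentral'."
)

VERSIONS_RE = re.compile(r"supported api-versions are '([^']*)'")
VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(-[A-Za-z0-9.]+)?$")


class ProviderError(Exception):
    """Local stand-in for the SDK's HTTP error; carries only the message."""


def supported_api_versions(message):
    """Extract the api-version list from a NoRegisteredProviderFound message."""
    match = VERSIONS_RE.search(message)
    if not match:
        return []
    candidates = (v.strip() for v in match.group(1).split(","))
    return [v for v in candidates if VERSION_RE.match(v)]


def pick_api_version(versions):
    """Newest stable (YYYY-MM-DD) version, else the newest preview, else None."""
    stable = [v for v in versions if len(v) == 10]
    pool = stable or versions
    return max(pool) if pool else None


def get_resource(fetch, resource_id, api_version, skipped):
    """Fetch a resource, retrying once with a version the provider advertises.

    Returns the resource dict, or None after appending (resource_id, reason) to
    `skipped`, so gaps in the collected data are visible instead of crashing.
    """
    try:
        return fetch(resource_id, api_version)
    except ProviderError as exc:
        retry = pick_api_version(supported_api_versions(str(exc)))
        if retry is None or retry == api_version:
            skipped.append((resource_id, str(exc)))
            return None
    try:
        return fetch(resource_id, retry)
    except ProviderError as exc:
        skipped.append((resource_id, str(exc)))
        return None


def run_demo():
    """Constructed provider that only accepts the newest stable version."""
    skipped = []

    def fetch(resource_id, api_version):
        if api_version != "2020-10-20":
            raise ProviderError(SAMPLE_MESSAGE)
        return {"id": resource_id, "apiVersion": api_version}

    # Constructed resource ID in the shape shown in the traceback.
    rid = "/subscriptions/x/resourceGroups/x/providers/microsoft.insights/workbooks/example"
    return get_resource(fetch, rid, "2018-02-14", skipped), skipped


if __name__ == "__main__":
    print(run_demo())
```

Writing the `skipped` list into the results alongside the collected data shows which resources never made it into the graph.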

Failed to insert new document - An equivalent index already exists

Hi

Thank you for the Stormspotter tool.

I try to run the tool in my test lab:
Windows 10
neo4j 4.0
Python 3.8

Collection with stormspotter worked well.
But when I run the cmd: stormdash -dbu neo4j -dbp
I get the following error:

Connecting to bolt://localhost:7687
Running on http://127.0.0.1:8050/
Debugger PIN: 848-976-926
 * Serving Flask app "Stormdash" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: on
Connecting to bolt://localhost:7687
CREATE INDEX ON : AADApplication(id)
[=] Failed to insert new document
trying to reconnect to bolt server
Traceback (most recent call last):
  File "C:\AzureAssessment\Stormspotter-master\stormspotter\dash\core\neo4j.py", line 149, in query
    result = session.run(statement)
  File "C:\Python\Python38-32\lib\site-packages\neo4j\__init__.py", line 503, in run
    self._connection.fetch()
  File "C:\Python\Python38-32\lib\site-packages\neobolt\direct.py", line 419, in fetch
    return self._fetch()
  File "C:\Python\Python38-32\lib\site-packages\neobolt\direct.py", line 461, in _fetch
    response.on_failure(summary_metadata or {})
  File "C:\Python\Python38-32\lib\site-packages\neobolt\direct.py", line 755, in on_failure
    raise CypherError.hydrate(**metadata)
neobolt.exceptions.ClientError: An equivalent index already exists, 'Index( 1, 'index_9b31a2b5', GENERAL BTREE, :AADApplication(id), native-btree-1.0 )'.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\AzureAssessment\Stormspotter-master\Stormdash.py", line 175, in <module>
    main()
  File "C:\AzureAssessment\Stormspotter-master\Stormdash.py", line 171, in main
    parser = DashParser(args.dbuser, args.dbpass, args.db)
  File "C:\AzureAssessment\Stormspotter-master\stormspotter\dash\core\context.py", line 19, in __init__
    self.neo = Neo4j(user=user, password=password, server=server)
  File "C:\AzureAssessment\Stormspotter-master\stormspotter\dash\core\neo4j.py", line 31, in __init__
    self.create_indexes()
  File "C:\AzureAssessment\Stormspotter-master\stormspotter\dash\core\neo4j.py", line 98, in create_indexes
    self.query(statement)
  File "C:\AzureAssessment\Stormspotter-master\stormspotter\dash\core\neo4j.py", line 160, in query
    self.session.run(statement)
AttributeError: 'Neo4j' object has no attribute 'session'
Closing the neo4j session

Maybe already known?

Thank you

M

docker-compose error

While running docker-compose up, the following error occurs after a while, not letting me start the program.

Step 1/10 : FROM python:3.8-slim-buster as compile-stage
ERROR: Service 'stormspotter-backend' failed to build: Error parsing reference: "python:3.8-slim-buster as compile-stage" is not a valid repository/tag: invalid reference format

[frontend] - SyntaxError: Unexpected reserved word - on docker

On the following system:

  • Linux kali 6.0.0-kali6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1kali1 (2022-12-19) x86_64 GNU/Linux
  • Docker version 23.0.1, build a5ee5b1
  • Docker Compose version v2.16.0

Cloning the repository and typing

docker compose up 

Produces the following output:

[+] Running 3/3
 ⠿ Container stormspotter-stormspotter-neo4j-1     Recreated                                                                                   1.0s
 ⠿ Container stormspotter-stormspotter-backend-1   Recreated                                                                                   1.4s 
 ⠿ Container stormspotter-stormspotter-frontend-1  Recreated                                                                                   1.3s 
Attaching to stormspotter-stormspotter-backend-1, stormspotter-stormspotter-frontend-1, stormspotter-stormspotter-neo4j-1                           
stormspotter-stormspotter-frontend-1  | file:///usr/local/lib/node_modules/@quasar/cli/bin/quasar.js:43
stormspotter-stormspotter-frontend-1  |   const { getProjectRoot } = await import('../lib/get-project-root.js')
stormspotter-stormspotter-frontend-1  |                              ^^^^^
stormspotter-stormspotter-frontend-1  | 
stormspotter-stormspotter-frontend-1  | SyntaxError: Unexpected reserved word
stormspotter-stormspotter-frontend-1  |     at Loader.moduleStrategy (internal/modules/esm/translators.js:140:18)
stormspotter-stormspotter-frontend-1  |     at async link (internal/modules/esm/module_job.js:42:21)
stormspotter-stormspotter-backend-1   | INFO:     Started server process [1]
stormspotter-stormspotter-backend-1   | INFO:     Waiting for application startup.
stormspotter-stormspotter-backend-1   | INFO:     Application startup complete.
stormspotter-stormspotter-backend-1   | INFO:     Uvicorn running on http://0.0.0.0:9090 (Press CTRL+C to quit)
stormspotter-stormspotter-frontend-1 exited with code 1

A quick fix would be to pin NodeJS to a higher version than 12 in frontend/dockerfile (I know this is quite "generic", but even pinning to latest fixed the issue).

Login failed error

Hi, I am trying to test Stormspotter and after the installation and running sscollector I tried to run the front end. It opens up but I am not able to login with the credentials:

  • user- neo4j
  • password- password
  • server- bolt://localhost:7687

Is there anything I am missing? I installed the tool without Docker following the instructions in the "Without Docker" section of the readme.

Error: "Login Failed"

OS details

  • Operating System: Ubuntu 20.04.2 LTS
  • Kernel: Linux 5.8.0-63-generic
  • Architecture: x86-64

Other software

[PINNED] - KNOWN ISSUES - READ HERE FIRST

Updated 9/14/2020:

  • [PRIORITY] Long collection sessions (over an hour) using CLI credentials will time out and cause errors. This is because access tokens have an expiration of roughly 60 minutes and Stormspotter does not currently support automatically refreshing tokens. The Azure Identity team for the SDK is currently working on automatically refreshing credentials, but I will be testing workarounds in the meantime. If your long run time is caused by a large Azure AD environment, there is no current workaround. If you have large subscriptions, you can split your collection up by subscriptions using the --subs flag to specify the subscriptions you want to enumerate.

  • On Windows, running the collector with CLI credentials may fail the first time fairly quickly with ValueError: I/O operation on closed pipe. This is a result of how asyncio works on Windows, and the way the collector will handle the ProactorEventLoop for Windows. It is likely only to occur when either you've just logged in via az cli before running the collector, or if your access tokens have expired and you attempt to run the collector. Running it a second time should be successful. If not, create an issue.

  • Currently, Stormspotter only supports running containers locally. Attempting to upload to the frontend hosted remotely will be unsuccessful but this behavior is expected to change in the future as the tool matures.

Stormcollector Container?

Any chance there is a collector container? Tons of errors attempting to run the collector from various systems

Frontend container is not starting

image
As you can see in the above image, the response said that the frontend container should be up and running, but when I list the running containers it's not there. Please help me solve this.

Maybe the latest Neo4j not matching to Stormspotter

I use Docker to install Stormspotter, but I meet an issue when uploading the resource scanning result.

The issue is that when I do some common queries, I always get no results found.
image

Then I checked the logs of the results upload, and I found the data may not have been imported correctly.
image

However, when I configure Docker with Neo4j version 3.5.18, it works well: I can upload the result and get the right output when querying.

So, I wonder if the latest Neo4j does not match Stormspotter, or whether some modifications are needed in Stormspotter to adapt to the latest Neo4j.

Thanks,
Xing.

Command not found error when running stormdash.py

Hi, I am getting the below error when running "stormdash.py"; however, there is no issue when I run the command "root@kali:/opt/Stormspotter# ./Stormspotter.py --cli"

root@kali:/opt/Stormspotter# ./Stormdash.py -dbu neo4j -dbp *******
./Stormdash.py: line 1: import: command not found
./Stormdash.py: line 2: import: command not found
./Stormdash.py: line 3: import: command not found
./Stormdash.py: line 4: import: command not found
./Stormdash.py: line 5: import: command not found
from: can't read /var/mail/pathlib
from: can't read /var/mail/pprint
from: can't read /var/mail/dash.dependencies
from: can't read /var/mail/dash.exceptions
from: can't read /var/mail/stormspotter.dash.layout.cytoscape
from: can't read /var/mail/stormspotter.dash.layout.ui
from: can't read /var/mail/stormspotter.dash.core.context
from: can't read /var/mail/stormspotter.dash.core.parsers
./Stormdash.py: line 17: parser: command not found
./Stormdash.py: line 18: syntax error near unexpected token (' ./Stormdash.py: line 18: app = dash.Dash(name, assets_folder=Path("stormspotter/dash/assets").absolute())'

Please help...

sscollector CLI errors

I am running the collector from within a pipenv with all modules installed; however, I am getting the same error every time. Can someone please help?

image

Error at Stormdash level

To start with, I ran Stormspotter --cli and it completed with a "value" string at the end, just before the completion time. I am logged in using the account which has permissions on the subscriptions.

After that I ran the stormdash command and got the below result. Please advise how to resolve it...

Traceback (most recent call last):
File "/root/.local/share/virtualenvs/Stormspotter-Kjgaye4t/bin/stormdash", line 8, in
sys.exit(main())
File "/root/.local/share/virtualenvs/Stormspotter-Kjgaye4t/lib/python3.8/site-packages/Stormdash.py", line 171, in main
parser = DashParser(args.dbuser, args.dbpass, args.db)
File "/root/.local/share/virtualenvs/Stormspotter-Kjgaye4t/lib/python3.8/site-packages/stormspotter/dash/core/context.py", line 30, in init
self.processExistingFiles()
File "/root/.local/share/virtualenvs/Stormspotter-Kjgaye4t/lib/python3.8/site-packages/stormspotter/dash/core/context.py", line 40, in processExistingFiles
event = self.event_handler.on_created(FileCreatedEvent(str(file)))
File "/root/.local/share/virtualenvs/Stormspotter-Kjgaye4t/lib/python3.8/site-packages/stormspotter/dash/core/context.py", line 35, in on_created
self.parseInputFile(src)
File "/root/.local/share/virtualenvs/Stormspotter-Kjgaye4t/lib/python3.8/site-packages/stormspotter/dash/core/context.py", line 395, in parseInputFile
if resource["type"].lower() in validAzure.keys():
AttributeError: 'NoneType' object has no attribute 'lower'

Error uploading results

Just downloaded and ran latest Stormcollector and when uploading results I am getting errors and no data is uploaded.

An example of the errors is as follows:

stormspotter-backend_1 | ^}
stormspotter-backend_1 | 2021-11-17 20:23:07.954 | ERROR | backend.db:query:172 - [=] Failed to insert new document. Trying again.
stormspotter-backend_1 | 2021-11-17 20:23:07.954 | ERROR | backend.parser:_process_json:693 - An error has been caught in function '_process_json', process 'MainProcess' (1), thread 'MainThread' (140142363948864):
stormspotter-backend_1 | (type=<class 'AttributeError'>, value=AttributeError("'Neo4j' object has no attribute 'session'"), traceback=<traceback object at 0x7f756ba54cc0>)
stormspotter-backend_1 | 2021-11-17 20:23:07.965 | ERROR | backend.db:query:171 - {code: Neo.ClientError.Statement.SyntaxError} {message: Type mismatch: expected Node or Relationship but was Boolean, Float, Integer, Number, Point, String, Duration, Date, Time, LocalTime, LocalDateTime, DateTime, List, List, List, List, List, List, List, List, List, List, List or List (line 1, column 70 (offset: 69))
stormspotter-backend_1 | "MERGE (obj:AADObject{id:'ff135bcc-8d47-4d4d-94a2-e1fb4748c381'}) SET obj.odata.type = 'Microsoft.DirectoryServices.ServicePrincipal', obj.objectType = 'ServicePrincipal', obj.objectId = 'ff135bcc-8d47-4d4d-94a2-e1fb4748c381', obj.deletionTimestamp = 'None', obj.accountEnabled = True, obj.appBranding = 'None', obj.appCategory = 'None', obj.appData = 'None', obj.appDisplayName = 'SharePoint Online Web Client Extensibility', obj.appId = '08e18876-6177-487e-b8b5-cf950c1e598c', obj.applicationTemplateId = 'None', obj.appMetadata = 'None', obj.appOwnerTenantId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a', obj.appRoleAssignmentRequired = 'False', obj.appRoles = 'None', obj.authenticationPolicy = 'None', obj.createdDateTime = '2020-06-03T09:59:52Z', obj.errorUrl = 'None', obj.homepage = 'None', obj.informationalUrls = 'None', obj.keyCredentials = 'None', obj.loginUrl = 'None', obj.logoutUrl = 'None', obj.managedIdentityResourceId = 'None', obj.microsoftFirstParty = True, obj.notificationEmailAddresses = 'None', obj.oauth2Permissions = 'None', obj.passwordCredentials = 'None', obj.preferredSingleSignOnMode = 'None', obj.preferredTokenSigningKeyEndDateTime = 'None', obj.preferredTokenSigningKeyThumbprint = 'None', obj.publisherName = 'Microsoft Services', obj.replyUrls = ['https://geneticnz-my.sharepoint.com/_forms/spfxsinglesignon.aspx', 'https://geneticnz-admin.sharepoint.com/_forms/spfxsinglesignon.aspx', 'https://geneticnz.sharepoint.com/_forms/spfxsinglesignon.aspx', 'https://dev.fluidpreview.office.net/spfxsinglesignon', 'https://fluidpreview.office.net/spfxsinglesignon'], obj.samlMetadataUrl = 'None', obj.samlSingleSignOnSettings = 'None', obj.servicePrincipalNames = ['api://geneticnz.sharepoint.com', 'api://geneticnz-admin.sharepoint.com', 'api://geneticnz-my.sharepoint.com', '08e18876-6177-487e-b8b5-cf950c1e598c'], obj.tags = 'None', obj.tokenEncryptionKeyId = 'None', obj.verifiedPublisher = 'None', obj.useCustomTokenSigningKey = 'None', 
obj.owners = 'None', obj.type = 'AADServicePrincipal', obj.name = 'SharePoint Online Web Client Extensibility', obj.passwordCredentialCount = '0', obj.keyCredentialCount = '0', obj.raw = '{"odata.type":"Microsoft.DirectoryServices.ServicePrincipal","objectType":"ServicePrincipal","objectId":"ff135bcc-8d47-4d4d-94a2-e1fb4748c381","deletionTimestamp":null,"accountEnabled":true,"appBranding":null,"appCategory":null,"appData":null,"appDisplayName":"SharePoint Online Web Client Extensibility","appId":"08e18876-6177-487e-b8b5-cf950c1e598c","applicationTemplateId":null,"appMetadata":null,"appOwnerTenantId":"f8cdef31-a31e-4b4a-93e4-5f571e91255a","appRoleAssignmentRequired":false,"appRoles":[],"authenticationPolicy":null,"createdDateTime":"2020-06-03T09:59:52Z","displayName":"SharePoint Online Web Client Extensibility","errorUrl":null,"homepage":null,"informationalUrls":{"termsOfService":null,"support":null,"privacy":null,"marketing":null},"keyCredentials":[],"loginUrl":null,"logoutUrl":null,"managedIdentityResourceId":null,"microsoftFirstParty":true,"notificationEmailAddresses":[],"oauth2Permissions":[],"passwordCredentials":[],"preferredSingleSignOnMode":null,"preferredTokenSigningKeyEndDateTime":null,"preferredTokenSigningKeyThumbprint":null,"publisherName":"Microsoft 
Services","replyUrls":["https://geneticnz-my.sharepoint.com/_forms/spfxsinglesignon.aspx","https://geneticnz-admin.sharepoint.com/_forms/spfxsinglesignon.aspx","https://geneticnz.sharepoint.com/_forms/spfxsinglesignon.aspx","https://dev.fluidpreview.office.net/spfxsinglesignon","https://fluidpreview.office.net/spfxsinglesignon"],"samlMetadataUrl":null,"samlSingleSignOnSettings":null,"servicePrincipalNames":["api://geneticnz.sharepoint.com","api://geneticnz-admin.sharepoint.com","api://geneticnz-my.sharepoint.com","08e18876-6177-487e-b8b5-cf950c1e598c"],"tags":[],"tokenEncryptionKeyId":null,"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"useCustomTokenSigningKey":null,"owners":[]}', obj :AADServicePrincipal"
stormspotter-backend_1 | ^}
stormspotter-backend_1 | 2021-11-17 20:23:07.966 | ERROR | backend.db:query:172 - [=] Failed to insert new document. Trying again.
stormspotter-backend_1 | 2021-11-17 20:23:07.966 | ERROR | backend.parser:_process_json:693 - An error has been caught in function '_process_json', process 'MainProcess' (1), thread 'MainThread' (140142363948864):
stormspotter-backend_1 | (type=<class 'AttributeError'>, value=AttributeError("'Neo4j' object has no attribute 'session'"), traceback=<traceback object at 0x7f7568153280>)
stormspotter-backend_1 | 2021-11-17 20:23:07.972 | INFO | backend.parser:process_sqlite:723 - Finished processing AADServicePrincipal.sqlite
stormspotter-backend_1 | 2021-11-17 20:23:08.107 | INFO | backend.parser:process:757 - Completed ingestion of results_20211118-080850.zip

This happens for everything. Any ideas?

Thanks
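The Neo4j error in the log above points at line 1, column 70, which is where `obj.odata.type` begins: an unquoted dot inside a property key is parsed as nested property access, so Neo4j expects `obj.odata` to be a node or relationship. As an added example (not Stormspotter's own code; the function names and the sample record are constructed here), one way to build the same upsert with backtick-quoted keys and query parameters:

```python
import json

# Constructed sample shaped like the record in the log above (values are made up).
SAMPLE = {
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
    "objectId": "00000000-0000-0000-0000-000000000001",
    "accountEnabled": True,
    "deletionTimestamp": None,
    "replyUrls": ["https://example.invalid/a", "https://example.invalid/b"],
    "informationalUrls": {"support": None, "privacy": None},
    "appRoles": [],
}

PRIMITIVES = (str, bool, int, float)


def quote_ident(name):
    """Backtick-quote a label or property key; a literal backtick is doubled."""
    if not isinstance(name, str) or not name:
        raise ValueError("identifier must be a non-empty string")
    return "`" + name.replace("`", "``") + "`"


def to_property(value):
    """Convert a JSON value into a type Neo4j accepts as a property value."""
    if isinstance(value, PRIMITIVES):
        return value
    if (
        isinstance(value, list)
        and len({type(v) for v in value}) <= 1
        and all(isinstance(v, PRIMITIVES) for v in value)
    ):
        return value  # homogeneous list of primitives is storable as-is
    return json.dumps(value, sort_keys=True)  # maps and mixed lists become JSON text


def build_merge(label, record, id_key="objectId"):
    """Return (statement, params) for an idempotent upsert of one record."""
    params = {"id": record[id_key]}
    items = []
    for i, (key, value) in enumerate(sorted(record.items())):
        if value is None:
            continue  # leave the property absent instead of storing the string 'None'
        params[f"p{i}"] = to_property(value)
        # Keys cannot be parameters in Cypher, so they are quoted; values never
        # enter the statement text at all.
        items.append(f"obj.{quote_ident(key)} = $p{i}")
    items.append(f"obj:{quote_ident(label)}")
    statement = "MERGE (obj:AADObject {id: $id}) SET " + ", ".join(items)
    return statement, params


if __name__ == "__main__":
    stmt, params = build_merge("AADServicePrincipal", SAMPLE)
    print(stmt)
    print(params)
```

With the official Python driver the pair is passed as `session.run(statement, params)`, so no record value is ever spliced into the query text.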

Not able to view any graph/resources on dashboard

After setting up Stormspotter in a virtual environment, I tried to gather resource and object information using both options (via CLI login and via service principal).

When I tried to gather resources using the command: stormspotter --service-principal -u -p --tenant, it queries AADUser, AADGroup, AADServicePrincipal, AADApplication and it gives the below output.

Attemprint to get CLI Credentials from a Service Principal
Attemprint to get CLI Credentials from a Service Principal
Starting query for AADUser
Starting query for AADGroup
Starting query for AADServicePrincipal
Starting query for AADApplication
'value'
'value'
'value'
'value'
Querying for resources in subscription id
Getting rbac permissions for subscription:
Getting management certs for subscription:
Completion Time: 4.692746639251709
user or service principal does not have coadministrator access to subscription to access management certs.
Finished management certs for subscription:

And when we try using the --cli command as stormspotter --cli or stormspotter --cli --tenant, we get the below output.

Attempting to get cli credentials for resource https://management.core.windows.net/
Attempting to get cli credentials for resource https://graph.windows.net/
Starting query for AADUser
Starting query for AADGroup
Starting query for AADServicePrincipal
Starting query for AADApplication
Finished query for AADApplication
Finished query for AADServicePrincipal
Finished query for AADUser
'value'
Completion Time: 3924.17653465271

Not sure what the significance of 'value' is, or if it's related to any error message. But after this, when we try to load the dashboard using stormdash, it doesn't show any graph/resources, as below.

image

  1. Do we need coadministrator access for the service principal over the subscription here?
  2. We have followed the steps mentioned in the readme; are we missing any steps here?
  3. Are there any other steps/access required to get the graph loaded?

No sscollector.pyz file

The sscollector.pyz file was not in the stormcollector directory. I used the second setup to spin up the environment.
