cartography 0.93.0rc1__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography/intel/semgrep/deployment.py

@@ -0,0 +1,69 @@
+import logging
+from typing import Any
+from typing import Dict
+
+import neo4j
+import requests
+
+from cartography.client.core.tx import load
+from cartography.models.semgrep.deployment import SemgrepDeploymentSchema
+from cartography.stats import get_stats_client
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client(__name__)
+_TIMEOUT = (60, 60)
+
+
+@timeit
+def get_deployment(semgrep_app_token: str) -> Dict[str, Any]:
+    """
+    Gets the deployment associated with the passed Semgrep App token.
+    param: semgrep_app_token: The Semgrep App token to use for authentication.
+    """
+    deployment = {}
+    deployment_url = "https://semgrep.dev/api/v1/deployments"
+    headers = {
+        "Content-Type": "application/json",
+        "Authorization": f"Bearer {semgrep_app_token}",
+    }
+    response = requests.get(deployment_url, headers=headers, timeout=_TIMEOUT)
+    response.raise_for_status()
+
+    data = response.json()
+    deployment["id"] = data["deployments"][0]["id"]
+    deployment["name"] = data["deployments"][0]["name"]
+    deployment["slug"] = data["deployments"][0]["slug"]
+
+    return deployment
+
+
+@timeit
+def load_semgrep_deployment(
+    neo4j_session: neo4j.Session,
+    deployment: Dict[str, Any],
+    update_tag: int,
+) -> None:
+    logger.info(f"Loading SemgrepDeployment {deployment} into the graph.")
+    load(
+        neo4j_session,
+        SemgrepDeploymentSchema(),
+        [deployment],
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def sync_deployment(
+    neo4j_session: neo4j.Session,
+    semgrep_app_token: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+
+    semgrep_deployment = get_deployment(semgrep_app_token)
+    deployment_id = semgrep_deployment["id"]
+    deployment_slug = semgrep_deployment["slug"]
+    load_semgrep_deployment(neo4j_session, semgrep_deployment, update_tag)
+    common_job_parameters["DEPLOYMENT_ID"] = deployment_id
+    common_job_parameters["DEPLOYMENT_SLUG"] = deployment_slug

cartography/intel/semgrep/findings.py

@@ -3,14 +3,14 @@ from typing import Any
 from typing import Dict
 from typing import List
 from typing import Tuple
-from urllib.error import HTTPError
 
 import neo4j
 import requests
+from requests.exceptions import HTTPError
+from requests.exceptions import ReadTimeout
 
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
-from cartography.models.semgrep.deployment import SemgrepDeploymentSchema
 from cartography.models.semgrep.findings import SemgrepSCAFindingSchema
 from cartography.models.semgrep.locations import SemgrepSCALocationSchema
 from cartography.stats import get_stats_client
@@ -20,89 +20,107 @@ from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 stat_handler = get_stats_client(__name__)
+_PAGE_SIZE = 500
 _TIMEOUT = (60, 60)
 _MAX_RETRIES = 3
 
 
 @timeit
-def get_deployment(semgrep_app_token: str) -> Dict[str, Any]:
-    """
-    Gets the deployment associated with the passed Semgrep App token.
-    param: semgrep_app_token: The Semgrep App token to use for authentication.
-    """
-    deployment = {}
-    deployment_url = "https://semgrep.dev/api/v1/deployments"
-    headers = {
-        "Content-Type": "application/json",
-        "Authorization": f"Bearer {semgrep_app_token}",
-    }
-    response = requests.get(deployment_url, headers=headers, timeout=_TIMEOUT)
-    response.raise_for_status()
-
-    data = response.json()
-    deployment["id"] = data["deployments"][0]["id"]
-    deployment["name"] = data["deployments"][0]["name"]
-    deployment["slug"] = data["deployments"][0]["slug"]
-
-    return deployment
-
-
-@timeit
-def get_sca_vulns(semgrep_app_token: str, deployment_id: str) -> List[Dict[str, Any]]:
+def get_sca_vulns(semgrep_app_token: str, deployment_slug: str) -> List[Dict[str, Any]]:
     """
     Gets the SCA vulns associated with the passed Semgrep App token and deployment id.
     param: semgrep_app_token: The Semgrep App token to use for authentication.
-    param: deployment_id: The Semgrep deployment id to use for retrieving SCA vulns.
+    param: deployment_slug: The Semgrep deployment slug to use for retrieving SCA vulns.
     """
     all_vulns = []
-    sca_url = f"https://semgrep.dev/api/v1/deployments/{deployment_id}/ssc-vulns"
+    sca_url = f"https://semgrep.dev/api/v1/deployments/{deployment_slug}/findings"
     has_more = True
-    cursor: Dict[str, str] = {}
-    page = 1
+    page = 0
     retries = 0
     headers = {
         "Content-Type": "application/json",
         "Authorization": f"Bearer {semgrep_app_token}",
     }
 
-    request_data = {
-        "deploymentId": deployment_id,
-        "pageSize": 100,
-        "exposure": ["UNREACHABLE", "REACHABLE", "UNKNOWN_EXPOSURE"],
-        "refs": ["_default"],
+    request_data: dict[str, Any] = {
+        "page": page,
+        "page_size": _PAGE_SIZE,
+        "issue_type": "sca",
+        "exposures": "reachable,always_reachable,conditionally_reachable,unreachable,unknown",
+        "ref": "_default",
+        "dedup": "true",
     }
-
+    logger.info(f"Retrieving Semgrep SCA vulns for deployment '{deployment_slug}'.")
     while has_more:
 
-        if cursor:
-            request_data.update({
-                "cursor": {
-                    "vulnOffset": cursor["vulnOffset"],
-                    "issueOffset": cursor["issueOffset"],
-                },
-            })
         try:
-            response = requests.post(sca_url, json=request_data, headers=headers, timeout=_TIMEOUT)
+            response = requests.get(
+                sca_url,
+                params=request_data,
+                headers=headers,
+                timeout=_TIMEOUT,
+            )
             response.raise_for_status()
             data = response.json()
-        except HTTPError as e:
-            logger.warning(f"Failed to retrieve Semgrep SCA vulns for page {page}. Retrying...")
+        except (ReadTimeout, HTTPError):
+            logger.warning(
+                f"Failed to retrieve Semgrep SCA vulns for page {page}. Retrying...",
+            )
             retries += 1
             if retries >= _MAX_RETRIES:
-                raise e
+                raise
             continue
-        vulns = data["vulns"]
-        cursor = data.get("cursor")
-        has_more = data.get("hasMore", False)
+        vulns = data["findings"]
+        has_more = len(vulns) > 0
         if page % 10 == 0:
-            logger.info(f"Processed {page} pages of Semgrep SCA vulnerabilities so far.")
+            logger.info(f"Processed page {page} of Semgrep SCA vulnerabilities.")
         all_vulns.extend(vulns)
         retries = 0
+        page += 1
+        request_data["page"] = page
 
+    logger.info(f"Retrieved {len(all_vulns)} Semgrep SCA vulns in {page} pages.")
     return all_vulns
 
 
-def transform_sca_vulns(raw_vulns: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], List[Dict[str, str]]]:
+def _get_vuln_class(vuln: Dict) -> str:
+    vulnerability_classes = vuln["rule"].get("vulnerability_classes", [])
+    if vulnerability_classes:
+        return vulnerability_classes[0]
+    return "Other"
+
+
+def _determine_exposure(vuln: Dict[str, Any]) -> str | None:
+    # See Semgrep reachability types:
+    # https://semgrep.dev/docs/semgrep-supply-chain/overview#types-of-semgrep-supply-chain-findings
+    reachability_types = {
+        "NO REACHABILITY ANALYSIS": 2,
+        "UNREACHABLE": 2,
+        "REACHABLE": 0,
+        "ALWAYS REACHABLE": 0,
+        "CONDITIONALLY REACHABLE": 1,
+    }
+    reachable_flag = vuln["reachability"]
+    if reachable_flag and reachable_flag.upper() in reachability_types:
+        reach_score = reachability_types[reachable_flag.upper()]
+        if reach_score < reachability_types["UNREACHABLE"]:
+            return "REACHABLE"
+        else:
+            return "UNREACHABLE"
+    return None
+
+
+def _build_vuln_url(vuln: str) -> str | None:
+    if "CVE" in vuln:
+        return f"https://nvd.nist.gov/vuln/detail/{vuln}"
+    if "GHSA" in vuln:
+        return f"https://github.com/advisories/{vuln}"
+    return None
+
+
+def transform_sca_vulns(
+    raw_vulns: List[Dict[str, Any]],
+) -> Tuple[List[Dict[str, Any]], List[Dict[str, str]]]:
     """
     Transforms the raw SCA vulns response from Semgrep API into a list of dicts
     that can be used to create the SemgrepSCAFinding nodes.
@@ -112,60 +130,68 @@ def transform_sca_vulns(raw_vulns: List[Dict[str, Any]]) -> Tuple[List[Dict[str,
     for vuln in raw_vulns:
         sca_vuln: Dict[str, Any] = {}
         # Mandatory fields
-        sca_vuln["id"] = vuln["groupKey"]
-        sca_vuln["repositoryName"] = vuln["repositoryName"]
-        sca_vuln["ruleId"] = vuln["advisory"]["ruleId"]
-        sca_vuln["title"] = vuln["advisory"]["title"]
-        sca_vuln["description"] = vuln["advisory"]["description"]
-        sca_vuln["ecosystem"] = vuln["advisory"]["ecosystem"]
-        sca_vuln["severity"] = vuln["advisory"]["severity"]
-        sca_vuln["reachability"] = vuln["advisory"]["reachability"]
-        sca_vuln["reachableIf"] = vuln["advisory"]["reachableIf"]
-        sca_vuln["exposureType"] = vuln["exposureType"]
-        dependency = f"{vuln['matchedDependency']['name']}|{vuln['matchedDependency']['versionSpecifier']}"
+        repository_name = vuln["repository"]["name"]
+        rule_id = vuln["rule"]["name"]
+        vulnerability_class = _get_vuln_class(vuln)
+        package = vuln["found_dependency"]["package"]
+        sca_vuln["id"] = vuln["id"]
+        sca_vuln["repositoryName"] = repository_name
+        sca_vuln["branch"] = vuln["ref"]
+        sca_vuln["ruleId"] = rule_id
+        sca_vuln["title"] = package + ":" + vulnerability_class
+        sca_vuln["description"] = vuln["rule"]["message"]
+        sca_vuln["ecosystem"] = vuln["found_dependency"]["ecosystem"]
+        sca_vuln["severity"] = vuln["severity"].upper()
+        sca_vuln["reachability"] = vuln[
+            "reachability"
+        ].upper()  # Check done to determine rechabilitity
+        sca_vuln["reachableIf"] = (
+            vuln["reachable_condition"].upper() if vuln["reachable_condition"] else None
+        )
+        sca_vuln["exposureType"] = _determine_exposure(
+            vuln,
+        )  # Determintes if reachable or unreachable
+        dependency = f"{package}|{vuln['found_dependency']['version']}"
         sca_vuln["matchedDependency"] = dependency
-        sca_vuln["dependencyFileLocation_path"] = vuln["dependencyFileLocation"]["path"]
-        sca_vuln["dependencyFileLocation_url"] = vuln["dependencyFileLocation"]["url"]
-        # Optional fields
-        sca_vuln["transitivity"] = vuln.get("transitivity", None)
-        cves = vuln.get("advisory", {}).get("references", {}).get("cveIds")
-        if len(cves) > 0:
-            # Take the first CVE
-            sca_vuln["cveId"] = vuln["advisory"]["references"]["cveIds"][0]
-        if vuln.get('closestSafeDependency'):
-            dep_fix = f"{vuln['closestSafeDependency']['name']}|{vuln['closestSafeDependency']['versionSpecifier']}"
+        dep_url = vuln["found_dependency"]["lockfile_line_url"]
+        if dep_url:  # Lock file can be null, need to set
+            dep_file = dep_url.split("/")[-1].split("#")[0]
+            sca_vuln["dependencyFileLocation_path"] = dep_file
+            sca_vuln["dependencyFileLocation_url"] = dep_url
+        else:
+            if sca_vuln.get("location"):
+                sca_vuln["dependencyFileLocation_path"] = sca_vuln["location"][
+                    "file_path"
+                ]
+        sca_vuln["transitivity"] = vuln["found_dependency"]["transitivity"].upper()
+        if vuln.get("vulnerability_identifier"):
+            vuln_id = vuln["vulnerability_identifier"].upper()
+            sca_vuln["cveId"] = vuln_id
+            sca_vuln["ref_urls"] = [_build_vuln_url(vuln_id)]
+        if vuln.get("fix_recommendations") and len(vuln["fix_recommendations"]) > 0:
+            fix = vuln["fix_recommendations"][0]
+            dep_fix = f"{fix['package']}|{fix['version']}"
             sca_vuln["closestSafeDependency"] = dep_fix
-        if vuln["advisory"].get("references", {}).get("urls", []):
-            sca_vuln["ref_urls"] = vuln["advisory"].get("references", {}).get("urls", [])
-        sca_vuln["openedAt"] = vuln.get("openedAt", None)
-        sca_vuln["announcedAt"] = vuln.get("announcedAt", None)
-        sca_vuln["fixStatus"] = vuln["triage"]["status"]
-        for usage in vuln.get("usages", []):
+        sca_vuln["openedAt"] = vuln["created_at"]
+        sca_vuln["fixStatus"] = vuln["status"]
+        sca_vuln["triageStatus"] = vuln["triage_state"]
+        sca_vuln["confidence"] = vuln["confidence"]
+        usage = vuln.get("usage")
+        if usage:
             usage_dict = {}
+            url = usage["location"]["url"]
             usage_dict["SCA_ID"] = sca_vuln["id"]
-            usage_dict["findingId"] = usage["findingId"]
+            usage_dict["findingId"] = hash(url.split("github.com/")[-1])
             usage_dict["path"] = usage["location"]["path"]
-            usage_dict["startLine"] = usage["location"]["startLine"]
-            usage_dict["startCol"] = usage["location"]["startCol"]
-            usage_dict["endLine"] = usage["location"]["endLine"]
-            usage_dict["endCol"] = usage["location"]["endCol"]
-            usage_dict["url"] = usage["location"]["url"]
+            usage_dict["startLine"] = usage["location"]["start_line"]
+            usage_dict["startCol"] = usage["location"]["start_col"]
+            usage_dict["endLine"] = usage["location"]["end_line"]
+            usage_dict["endCol"] = usage["location"]["end_col"]
+            usage_dict["url"] = url
             usages.append(usage_dict)
         vulns.append(sca_vuln)
-    return vulns, usages
-
 
-@timeit
-def load_semgrep_deployment(
-    neo4j_session: neo4j.Session, deployment: Dict[str, Any], update_tag: int,
-) -> None:
-    logger.info(f"Loading Semgrep deployment info {deployment} into the graph...")
-    load(
-        neo4j_session,
-        SemgrepDeploymentSchema(),
-        [deployment],
-        lastupdated=update_tag,
-    )
+    return vulns, usages
 
 
 @timeit
@@ -175,7 +201,7 @@ def load_semgrep_sca_vulns(
     deployment_id: str,
     update_tag: int,
 ) -> None:
-    logger.info(f"Loading {len(vulns)} Semgrep SCA vulns info into the graph.")
+    logger.info(f"Loading {len(vulns)} SemgrepSCAFinding objects into the graph.")
     load(
         neo4j_session,
         SemgrepSCAFindingSchema(),
@@ -192,7 +218,7 @@ def load_semgrep_sca_usages(
     deployment_id: str,
     update_tag: int,
 ) -> None:
-    logger.info(f"Loading {len(usages)} Semgrep SCA usages info into the graph.")
+    logger.info(f"Loading {len(usages)} SemgrepSCALocation objects into the graph.")
     load(
         neo4j_session,
         SemgrepSCALocationSchema(),
@@ -204,43 +230,57 @@ def load_semgrep_sca_usages(
 
 @timeit
 def cleanup(
-    neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any],
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
 ) -> None:
     logger.info("Running Semgrep SCA findings cleanup job.")
     findings_cleanup_job = GraphJob.from_node_schema(
-        SemgrepSCAFindingSchema(), common_job_parameters,
+        SemgrepSCAFindingSchema(),
+        common_job_parameters,
     )
     findings_cleanup_job.run(neo4j_session)
     logger.info("Running Semgrep SCA Locations cleanup job.")
     locations_cleanup_job = GraphJob.from_node_schema(
-        SemgrepSCALocationSchema(), common_job_parameters,
+        SemgrepSCALocationSchema(),
+        common_job_parameters,
     )
     locations_cleanup_job.run(neo4j_session)
 
 
 @timeit
-def sync(
-    neo4j_sesion: neo4j.Session,
+def sync_findings(
+    neo4j_session: neo4j.Session,
     semgrep_app_token: str,
     update_tag: int,
     common_job_parameters: Dict[str, Any],
 ) -> None:
+
+    deployment_id = common_job_parameters.get("DEPLOYMENT_ID")
+    deployment_slug = common_job_parameters.get("DEPLOYMENT_SLUG")
+    if not deployment_id or not deployment_slug:
+        logger.warning(
+            "Missing Semgrep deployment ID or slug, ensure that sync_deployment() has been called."
+            "Skipping SCA findings sync job.",
+        )
+        return
+
     logger.info("Running Semgrep SCA findings sync job.")
-    semgrep_deployment = get_deployment(semgrep_app_token)
-    deployment_id = semgrep_deployment["id"]
-    load_semgrep_deployment(neo4j_sesion, semgrep_deployment, update_tag)
-    common_job_parameters["DEPLOYMENT_ID"] = deployment_id
-    raw_vulns = get_sca_vulns(semgrep_app_token, deployment_id)
+    raw_vulns = get_sca_vulns(semgrep_app_token, deployment_slug)
     vulns, usages = transform_sca_vulns(raw_vulns)
-    load_semgrep_sca_vulns(neo4j_sesion, vulns, deployment_id, update_tag)
-    load_semgrep_sca_usages(neo4j_sesion, usages, deployment_id, update_tag)
-    run_scoped_analysis_job('semgrep_sca_risk_analysis.json', neo4j_sesion, common_job_parameters)
-    cleanup(neo4j_sesion, common_job_parameters)
+    load_semgrep_sca_vulns(neo4j_session, vulns, deployment_id, update_tag)
+    load_semgrep_sca_usages(neo4j_session, usages, deployment_id, update_tag)
+    run_scoped_analysis_job(
+        "semgrep_sca_risk_analysis.json",
+        neo4j_session,
+        common_job_parameters,
+    )
+
+    cleanup(neo4j_session, common_job_parameters)
     merge_module_sync_metadata(
-        neo4j_session=neo4j_sesion,
-        group_type='Semgrep',
+        neo4j_session=neo4j_session,
+        group_type="Semgrep",
         group_id=deployment_id,
-        synced_type='SCA',
+        synced_type="SCA",
         update_tag=update_tag,
         stat_handler=stat_handler,
     )

cartography/intel/sentinelone/__init__.py

@@ -0,0 +1,75 @@
+import logging
+
+import neo4j
+
+import cartography.intel.sentinelone.agent
+import cartography.intel.sentinelone.application
+import cartography.intel.sentinelone.cve
+from cartography.config import Config
+from cartography.intel.sentinelone.account import sync_accounts
+from cartography.stats import get_stats_client
+from cartography.util import merge_module_sync_metadata
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client(__name__)
+
+
+@timeit
+def start_sentinelone_ingestion(neo4j_session: neo4j.Session, config: Config) -> None:
+    """
+    Perform ingestion of SentinelOne data.
+    :param neo4j_session: Neo4j session for database interface
+    :param config: A cartography.config object
+    :return: None
+    """
+    if not config.sentinelone_api_token or not config.sentinelone_api_url:
+        logger.info("SentinelOne API configuration not found - skipping this module.")
+        return
+
+    # Set up common job parameters
+    common_job_parameters = {
+        "UPDATE_TAG": config.update_tag,
+        "API_URL": config.sentinelone_api_url,
+        "API_TOKEN": config.sentinelone_api_token,
+    }
+
+    # Sync SentinelOne account data (needs to be done first to establish the account nodes)
+    synced_account_ids = sync_accounts(
+        neo4j_session,
+        common_job_parameters,
+        config.sentinelone_account_ids,
+    )
+
+    # Sync agents and applications for each account
+    for account_id in synced_account_ids:
+        # Add account-specific parameter
+        common_job_parameters["S1_ACCOUNT_ID"] = account_id
+
+        cartography.intel.sentinelone.agent.sync(
+            neo4j_session,
+            common_job_parameters,
+        )
+
+        cartography.intel.sentinelone.application.sync(
+            neo4j_session,
+            common_job_parameters,
+        )
+
+        cartography.intel.sentinelone.cve.sync(
+            neo4j_session,
+            common_job_parameters,
+        )
+
+        # Clean up account-specific parameters
+        del common_job_parameters["S1_ACCOUNT_ID"]
+
+    # Record that the sync is complete
+    merge_module_sync_metadata(
+        neo4j_session,
+        group_type="SentinelOne",
+        group_id="sentinelone",
+        synced_type="SentinelOneData",
+        update_tag=config.update_tag,
+        stat_handler=stat_handler,
+    )

cartography/intel/sentinelone/account.py

@@ -0,0 +1,140 @@
+import logging
+from typing import Any
+
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.intel.sentinelone.api import call_sentinelone_api
+from cartography.models.sentinelone.account import S1AccountSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get_accounts(
+    api_url: str, api_token: str, account_ids: list[str] | None = None
+) -> list[dict[str, Any]]:
+    """
+    Get account data from SentinelOne API
+    :param api_url: The SentinelOne API URL
+    :param api_token: The SentinelOne API token
+    :param account_ids: Optional list of account IDs to filter for
+    :return: Raw account data from API
+    """
+    logger.info("Retrieving SentinelOne account data")
+
+    # Get accounts info
+    response = call_sentinelone_api(
+        api_url=api_url,
+        endpoint="web/api/v2.1/accounts",
+        api_token=api_token,
+    )
+
+    accounts_data = response.get("data", [])
+
+    # Filter accounts by ID if specified
+    if account_ids:
+        accounts_data = [
+            account for account in accounts_data if account.get("id") in account_ids
+        ]
+        logger.info(f"Filtered accounts data to {len(accounts_data)} matching accounts")
+
+    if accounts_data:
+        logger.info(
+            f"Retrieved SentinelOne account data: {len(accounts_data)} accounts"
+        )
+    else:
+        logger.warning("No SentinelOne accounts retrieved")
+
+    return accounts_data
+
+
+def transform_accounts(accounts_data: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """
+    Transform raw account data into standardized format for Neo4j ingestion
+    :param accounts_data: Raw account data from API
+    :return: List of transformed account data
+    """
+    result: list[dict[str, Any]] = []
+
+    for account in accounts_data:
+        transformed_account = {
+            # Required fields - use direct access (will raise KeyError if missing)
+            "id": account["id"],
+            # Optional fields - use .get() with None default
+            "name": account.get("name"),
+            "account_type": account.get("accountType"),
+            "active_agents": account.get("activeAgents"),
+            "created_at": account.get("createdAt"),
+            "expiration": account.get("expiration"),
+            "number_of_sites": account.get("numberOfSites"),
+            "state": account.get("state"),
+        }
+        result.append(transformed_account)
+
+    return result
+
+
+def load_accounts(
+    neo4j_session: neo4j.Session,
+    accounts_data: list[dict[str, Any]],
+    update_tag: int,
+) -> None:
+    """
+    Load SentinelOne account data into Neo4j using the data model
+    :param neo4j_session: Neo4j session
+    :param accounts_data: List of account data to load
+    :param update_tag: Update tag for tracking data freshness
+    """
+    if not accounts_data:
+        logger.warning("No account data provided to load_accounts")
+        return
+
+    load(
+        neo4j_session,
+        S1AccountSchema(),
+        accounts_data,
+        lastupdated=update_tag,
+        firstseen=update_tag,
+    )
+
+    logger.info(f"Loaded {len(accounts_data)} SentinelOne account nodes")
+
+
+@timeit
+def sync_accounts(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+    account_ids: list[str] | None = None,
+) -> list[str]:
+    """
+    Sync SentinelOne account data using the modern sync pattern
+    :param neo4j_session: Neo4j session
+    :param api_url: SentinelOne API URL
+    :param api_token: SentinelOne API token
+    :param update_tag: Update tag for tracking data freshness
+    :param common_job_parameters: Job parameters for cleanup
+    :param account_ids: Optional list of account IDs to filter for
+    :return: List of synced account IDs
+    """
+    # 1. GET - Fetch data from API
+    accounts_raw_data = get_accounts(
+        common_job_parameters["API_URL"],
+        common_job_parameters["API_TOKEN"],
+        account_ids,
+    )
+
+    # 2. TRANSFORM - Shape data for ingestion
+    transformed_accounts = transform_accounts(accounts_raw_data)
+
+    # 3. LOAD - Ingest to Neo4j using data model
+    load_accounts(
+        neo4j_session,
+        transformed_accounts,
+        common_job_parameters["UPDATE_TAG"],
+    )
+
+    synced_account_ids = [account["id"] for account in transformed_accounts]
+    logger.info(f"Synced {len(synced_account_ids)} SentinelOne accounts")
+    return synced_account_ids