PyPI - howler-sentinel-plugin - Versions diffs - 0.2.0.dev100__tar.gz → 0.2.0.dev103__tar.gz - Mend

howler-sentinel-plugin 0.2.0.dev100tar.gz → 0.2.0.dev103tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

{howler_sentinel_plugin-0.2.0.dev100 → howler_sentinel_plugin-0.2.0.dev103}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev100
+Version: 0.2.0.dev103
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev100 → howler_sentinel_plugin-0.2.0.dev103}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.dev100"
+version = "0.2.0.dev103"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }

{howler_sentinel_plugin-0.2.0.dev100 → howler_sentinel_plugin-0.2.0.dev103}/sentinel/actions/azure_emit_hash.py RENAMED Viewed

@@ -83,10 +83,9 @@ def specification():
     return {
         "id": OPERATION_ID,
         "title": "Emit sha256 hash to Sentinel",
-        "priority": 8,
-        "i18nKey": "operations.add_label",
+        "priority": 28,
         "description": {
-            "short": "Add a label to a hit",
+            "short": "Emit sha256 hash to Sentinel",
             "long": execute.__doc__,
         },
         "roles": ["automation_basic"],

{howler_sentinel_plugin-0.2.0.dev100 → howler_sentinel_plugin-0.2.0.dev103}/sentinel/actions/send_to_sentinel.py RENAMED Viewed

@@ -50,7 +50,7 @@ def execute(query: str, **kwargs):
             continue
         try:
-            token, credentials = get_token(tenant_id)
+            token, credentials = get_token(tenant_id, "https://monitor.azure.com/.default")
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(
@@ -79,6 +79,11 @@ def execute(query: str, **kwargs):
         response = requests.post(uri, headers=headers, json=payload, timeout=5.0)
         if not response.ok:
+            logger.warning(
+                "POST request to Azure Monitor failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
             report.append(
                 {
                     "query": f"howler.id:{hit.howler.id}",

{howler_sentinel_plugin-0.2.0.dev100 → howler_sentinel_plugin-0.2.0.dev103}/sentinel/actions/update_defender_xdr_alert.py RENAMED Viewed

@@ -89,7 +89,7 @@ def execute(query: str, **kwargs):
             continue
         try:
-            token = get_token(tenant_id)[0]
+            token = get_token(tenant_id, "https://graph.microsoft.com/.default")[0]
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(
@@ -106,7 +106,11 @@ def execute(query: str, **kwargs):
         alert_url = f"https://graph.microsoft.com/v1.0/security/alerts_v2/{hit.rule.id}"
         response = requests.get(alert_url, headers={"Authorization": f"Bearer {token}"}, timeout=5.0)
         if not response.ok:
-            logger.warning("GET request to Microsoft Graph failed with status code %s.", response.status_code)
+            logger.warning(
+                "GET request to Microsoft Graph failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
             report.append(
                 {
                     "query": query,
@@ -148,6 +152,11 @@ def execute(query: str, **kwargs):
             timeout=5.0,
         )
         if not response.ok:
+            logger.warning(
+                "PATCH request to Microsoft Graph failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
             report.append(
                 {
                     "query": query,

{howler_sentinel_plugin-0.2.0.dev100 → howler_sentinel_plugin-0.2.0.dev103}/sentinel/utils/tenant_utils.py RENAMED Viewed

@@ -10,7 +10,7 @@ logger = get_logger(__file__)
 @cache.memoize(15 * 60)
-def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
+def get_token(tenant_id: str, scope: str) -> tuple[str, dict[str, str]]:
     """Get a borealis token based on the current howler token"""
     # Get bearer token
     try:
@@ -18,6 +18,8 @@ def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
     except (KeyError, json.JSONDecodeError):
         raise HowlerRuntimeError("Credential data not configured.")
+    logger.info("Generating client credential token for client id %s with scope %s", credentials["client_id"], scope)
     token_request_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
     response = requests.post(
         token_request_url,
@@ -25,7 +27,7 @@ def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
             "grant_type": "client_credentials",
             "client_id": credentials["client_id"],
             "client_secret": credentials["client_secret"],
-            "scope": "https://monitor.azure.com/.default",
+            "scope": scope,
         },
         timeout=5.0,
     )