howler-sentinel-plugin 0.2.0.dev102__tar.gz → 0.2.0.dev104__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/PKG-INFO +1 -1
  2. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/pyproject.toml +1 -1
  3. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/azure_emit_hash.py +30 -15
  4. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/send_to_sentinel.py +3 -1
  5. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/LICENSE +0 -0
  6. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/README.md +0 -0
  7. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/__init__.py +0 -0
  8. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/update_defender_xdr_alert.py +0 -0
  9. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/mapping/sentinel_incident.py +0 -0
  10. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/mapping/xdr_alert.py +0 -0
  11. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/mapping/xdr_alert_evidence.py +0 -0
  12. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/odm/hit.py +0 -0
  13. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/odm/models/sentinel.py +0 -0
  14. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/routes/__init__.py +0 -0
  15. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/routes/ingest.py +0 -0
  16. {howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/utils/tenant_utils.py +0 -0
{howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.3
2
2
  Name: howler-sentinel-plugin
3
- Version: 0.2.0.dev102
3
+ Version: 0.2.0.dev104
4
4
  Summary: A howler plugin for integration with Microsoft's Sentinel API
5
5
  License: MIT
6
6
  Author: CCCS
{howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/pyproject.toml RENAMED
@@ -1,6 +1,6 @@
1
1
  [project]
2
2
  name = "howler-sentinel-plugin"
3
- version = "0.2.0.dev102"
3
+ version = "0.2.0.dev104"
4
4
  description = "A howler plugin for integration with Microsoft's Sentinel API"
5
5
  authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
6
6
  license = { text = "MIT" }
{howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/azure_emit_hash.py RENAMED
@@ -1,12 +1,15 @@
1
1
  import os
2
- from typing import Optional
2
+ from typing import Any, Optional
3
3
 
4
4
  import requests
5
5
  from howler.common.loader import datastore
6
+ from howler.common.logging import get_logger
6
7
  from howler.odm.models.action import VALID_TRIGGERS
7
8
  from howler.odm.models.hit import Hit
8
9
  from pydash import get
9
10
 
11
+ logger = get_logger(__file__)
12
+
10
13
  OPERATION_ID = "azure_emit_hash"
11
14
 
12
15
 
@@ -15,7 +18,7 @@ def execute(
15
18
  url: Optional[str] = os.environ.get("SHA256_LOGIC_APP_URL", None),
16
19
  field: str = "file.hash.sha256",
17
20
  **kwargs,
18
- ):
21
+ ) -> list[dict[str, Any]]:
19
22
  "Emit hashes to sentinel"
20
23
  result = datastore().hit.search(query, rows=1)
21
24
  hits = result["items"]
@@ -56,17 +59,28 @@ def execute(
56
59
  for hit in hits:
57
60
  hash_value = get(hit, field)
58
61
  if hash_value:
59
- requests.post(
60
- url, # noqa: F821
61
- json={
62
- "indicator": hash_value,
63
- "type": "FileSha256",
64
- "description": "Sent from Howler",
65
- "action": "alert",
66
- "severity": "high",
67
- },
68
- timeout=5.0,
69
- )
62
+ try:
63
+ requests.post(
64
+ url, # noqa: F821
65
+ json={
66
+ "indicator": hash_value,
67
+ "type": "FileSha256",
68
+ "description": "Sent from Howler",
69
+ "action": "alert",
70
+ "severity": "high",
71
+ },
72
+ timeout=5.0,
73
+ )
74
+ except Exception:
75
+ logger.exception("Exception on network call for alert %s", hit.howler.id)
76
+ report.append(
77
+ {
78
+ "query": f"howler.id:{hit.howler.id}",
79
+ "outcome": "error",
80
+ "title": "Network error on execution",
81
+ "message": "Alert processing failed due to network errors.",
82
+ }
83
+ )
70
84
  else:
71
85
  report.append(
72
86
  {
@@ -77,6 +91,8 @@ def execute(
77
91
  }
78
92
  )
79
93
 
94
+ return report
95
+
80
96
 
81
97
  def specification():
82
98
  "Specify various properties of the action, such as title, descriptions, permissions and input steps."
@@ -84,9 +100,8 @@ def specification():
84
100
  "id": OPERATION_ID,
85
101
  "title": "Emit sha256 hash to Sentinel",
86
102
  "priority": 28,
87
- "i18nKey": "operations.add_label",
88
103
  "description": {
89
- "short": "Add a label to a hit",
104
+ "short": "Emit sha256 hash to Sentinel",
90
105
  "long": execute.__doc__,
91
106
  },
92
107
  "roles": ["automation_basic"],
{howler_sentinel_plugin-0.2.0.dev102 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/send_to_sentinel.py RENAMED
@@ -1,3 +1,5 @@
1
+ from typing import Any
2
+
1
3
  import requests
2
4
  from howler.common.exceptions import HowlerRuntimeError
3
5
  from howler.common.loader import datastore
@@ -12,7 +14,7 @@ logger = get_logger(__file__)
12
14
  OPERATION_ID = "send_to_sentinel"
13
15
 
14
16
 
15
- def execute(query: str, **kwargs):
17
+ def execute(query: str, **kwargs) -> list[dict[str, Any]]:
16
18
  """Send hit to Microsoft Sentinel.
17
19
 
18
20
  Args: