howler-sentinel-plugin 0.2.0.dev103__tar.gz → 0.2.0.dev104__tar.gz
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/PKG-INFO +1 -1
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/pyproject.toml +1 -1
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/azure_emit_hash.py +29 -13
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/send_to_sentinel.py +3 -1
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/LICENSE +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/README.md +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/__init__.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/actions/update_defender_xdr_alert.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/mapping/sentinel_incident.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/mapping/xdr_alert.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/mapping/xdr_alert_evidence.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/odm/hit.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/odm/models/sentinel.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/routes/__init__.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/routes/ingest.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev104}/sentinel/utils/tenant_utils.py +0 -0
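--- a/howler_sentinel_plugin-0.2.0.dev103/pyproject.toml
+++ b/howler_sentinel_plugin-0.2.0.dev104/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.
+version = "0.2.0.dev104"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }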
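--- a/howler_sentinel_plugin-0.2.0.dev103/sentinel/actions/azure_emit_hash.py
+++ b/howler_sentinel_plugin-0.2.0.dev104/sentinel/actions/azure_emit_hash.py
@@ -1,12 +1,15 @@
 import os
-from typing import Optional
+from typing import Any, Optional
 
 import requests
 from howler.common.loader import datastore
+from howler.common.logging import get_logger
 from howler.odm.models.action import VALID_TRIGGERS
 from howler.odm.models.hit import Hit
 from pydash import get
 
+logger = get_logger(__file__)
+
 OPERATION_ID = "azure_emit_hash"
 
 
@@ -15,7 +18,7 @@ def execute(
     url: Optional[str] = os.environ.get("SHA256_LOGIC_APP_URL", None),
     field: str = "file.hash.sha256",
     **kwargs,
-):
+) -> list[dict[str, Any]]:
     "Emit hashes to sentinel"
     result = datastore().hit.search(query, rows=1)
     hits = result["items"]
@@ -56,17 +59,28 @@ def execute(
     for hit in hits:
         hash_value = get(hit, field)
         if hash_value:
-
-
-
-
-
-
-
-
-
-
-
+            try:
+                requests.post(
+                    url, # noqa: F821
+                    json={
+                        "indicator": hash_value,
+                        "type": "FileSha256",
+                        "description": "Sent from Howler",
+                        "action": "alert",
+                        "severity": "high",
+                    },
+                    timeout=5.0,
+                )
+            except Exception:
+                logger.exception("Exception on network call for alert %s", hit.howler.id)
+                report.append(
+                    {
+                        "query": f"howler.id:{hit.howler.id}",
+                        "outcome": "error",
+                        "title": "Network error on execution",
+                        "message": "Alert processing failed due to network errors.",
+                    }
+                )
         else:
             report.append(
                 {
@@ -77,6 +91,8 @@ def execute(
                 }
             )
 
+    return report
+
 
 
 def specification():
     "Specify various properties of the action, such as title, descriptions, permissions and input steps."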
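Review bot: In the new try block of the third hunk the response from `requests.post(...)` is discarded, so a 4xx/5xx from the Logic App endpoint is treated as success and only transport failures reach the `except` and the error report. Bind the response and check it inside the try, `resp = requests.post(url, json={...}, timeout=5.0)` followed by `resp.raise_for_status()`, so HTTP errors are logged and reported the same way as network errors. `except Exception:` also catches failures that are not network related, including the `MissingSchema` raised when `url` is `None` because `SHA256_LOGIC_APP_URL` is unset, and labels them "Network error on execution"; `except requests.RequestException:` matches the message, unless the missing-URL case is already rejected earlier in `execute`, which lies outside the hunk. The `# noqa: F821` on the `url` argument suppresses an undefined-name warning for a name that is a parameter of `execute`, so it appears stale and can be dropped. The body of `execute` starts before this hunk.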
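--- a/howler_sentinel_plugin-0.2.0.dev103/sentinel/actions/send_to_sentinel.py
+++ b/howler_sentinel_plugin-0.2.0.dev104/sentinel/actions/send_to_sentinel.py
@@ -1,3 +1,5 @@
+from typing import Any
+
 import requests
 from howler.common.exceptions import HowlerRuntimeError
 from howler.common.loader import datastore
@@ -12,7 +14,7 @@ logger = get_logger(__file__)
 OPERATION_ID = "send_to_sentinel"
 
 
-def execute(query: str, **kwargs):
+def execute(query: str, **kwargs) -> list[dict[str, Any]]:
     """Send hit to Microsoft Sentinel.
 
     Args: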
|