PyPI - howler-sentinel-plugin - Versions diffs - 0.2.0.dev103__tar.gz → 0.2.0.dev105__tar.gz - Mend

howler-sentinel-plugin 0.2.0.dev103tar.gz → 0.2.0.dev105tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

{howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev105}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev103
+Version: 0.2.0.dev105
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev105}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.dev103"
+version = "0.2.0.dev105"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }

{howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev105}/sentinel/actions/azure_emit_hash.py RENAMED Viewed

@@ -1,12 +1,15 @@
 import os
-from typing import Optional
+from typing import Any, Optional
 import requests
 from howler.common.loader import datastore
+from howler.common.logging import get_logger
 from howler.odm.models.action import VALID_TRIGGERS
 from howler.odm.models.hit import Hit
 from pydash import get
+logger = get_logger(__file__)
 OPERATION_ID = "azure_emit_hash"
@@ -15,7 +18,7 @@ def execute(
     url: Optional[str] = os.environ.get("SHA256_LOGIC_APP_URL", None),
     field: str = "file.hash.sha256",
     **kwargs,
-):
+) -> list[dict[str, Any]]:
     "Emit hashes to sentinel"
     result = datastore().hit.search(query, rows=1)
     hits = result["items"]
@@ -56,17 +59,36 @@ def execute(
     for hit in hits:
         hash_value = get(hit, field)
         if hash_value:
-            requests.post(
-                url,  # noqa: F821
-                json={
-                    "indicator": hash_value,
-                    "type": "FileSha256",
-                    "description": "Sent from Howler",
-                    "action": "alert",
-                    "severity": "high",
-                },
-                timeout=5.0,
-            )
+            try:
+                requests.post(
+                    url,  # noqa: F821
+                    json={
+                        "indicator": hash_value,
+                        "type": "FileSha256",
+                        "description": "Sent from Howler",
+                        "action": "alert",
+                        "severity": "high",
+                    },
+                    timeout=5.0,
+                )
+                report.append(
+                    {
+                        "query": f"howler.id:{hit.howler.id}",
+                        "outcome": "success",
+                        "title": "Webhook Triggered",
+                        "message": f"Field {field} from alert {hit.howler.id} was successfully sent to url {url}.",
+                    }
+                )
+            except Exception:
+                logger.exception("Exception on network call for alert %s", hit.howler.id)
+                report.append(
+                    {
+                        "query": f"howler.id:{hit.howler.id}",
+                        "outcome": "error",
+                        "title": "Network error on execution",
+                        "message": "Alert processing failed due to network errors.",
+                    }
+                )
         else:
             report.append(
                 {
@@ -77,6 +99,8 @@ def execute(
                 }
             )
+    return report
 def specification():
     "Specify various properties of the action, such as title, descriptions, permissions and input steps."
@@ -93,6 +117,7 @@ def specification():
             {
                 "args": {"url": [], "field": []},
                 "options": {"field": [field for field in Hit.flat_fields().keys() if field.endswith("sha256")]},
+                "validation": {"warn": {"query": "-_exists_:$field"}},
             }
         ],
         "triggers": VALID_TRIGGERS,

{howler_sentinel_plugin-0.2.0.dev103 → howler_sentinel_plugin-0.2.0.dev105}/sentinel/actions/send_to_sentinel.py RENAMED Viewed

@@ -1,3 +1,5 @@
+from typing import Any
 import requests
 from howler.common.exceptions import HowlerRuntimeError
 from howler.common.loader import datastore
@@ -12,7 +14,7 @@ logger = get_logger(__file__)
 OPERATION_ID = "send_to_sentinel"
-def execute(query: str, **kwargs):
+def execute(query: str, **kwargs) -> list[dict[str, Any]]:
     """Send hit to Microsoft Sentinel.
     Args: