howler-sentinel-plugin 0.2.0.dev105__tar.gz → 0.2.0.dev137__tar.gz

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev105
+Version: 0.2.0.dev137
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.dev105"
+version = "0.2.0.dev137"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/sentinel/actions/send_to_sentinel.py

@@ -101,7 +101,7 @@ def execute(query: str, **kwargs) -> list[dict[str, Any]]:
                 "query": f"howler.id:{hit.howler.id}",
                 "outcome": "success",
                 "title": "Alert updated in Sentinel",
-                "message": "Howler has successfuly propagated changes to this alert to Sentinel.",
+                "message": "Howler has successfully propagated changes to this alert to Sentinel.",
             }
         )
 

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/sentinel/actions/update_defender_xdr_alert.py

@@ -165,15 +165,15 @@ def execute(query: str, **kwargs):
                     "message": f"PATCH request to Microsoft Graph failed with status code {response.status_code}.",
                 }
             )
-
-        report.append(
-            {
-                "query": f"howler.id:{hit.howler.id}",
-                "outcome": "success",
-                "title": "Alert updated in XDR Defender",
-                "message": "Howler has successfuly propagated changes to this alert to XDR Defender.",
-            }
-        )
+        else:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "success",
+                    "title": "Alert updated in XDR Defender",
+                    "message": "Howler has successfully propagated changes to this alert to XDR Defender.",
+                }
+            )
 
     return report
 

howler_sentinel_plugin-0.2.0.dev137/sentinel/actions/update_defender_xdr_incident.py

@@ -0,0 +1,194 @@
+import requests
+from howler.common.exceptions import HowlerRuntimeError
+from howler.common.loader import datastore
+from howler.common.logging import get_logger
+from howler.odm.models.action import VALID_TRIGGERS
+from howler.odm.models.hit import Hit
+from howler.odm.models.howler_data import Assessment, HitStatus
+
+from sentinel.utils.tenant_utils import get_token
+
+logger = get_logger(__file__)
+
+OPERATION_ID = "update_defender_xdr_incident"
+
+properties_map = {
+    "graph": {
+        "status": {
+            HitStatus.OPEN: "active",
+            HitStatus.IN_PROGRESS: "inProgress",
+            HitStatus.ON_HOLD: "inProgress",
+            HitStatus.RESOLVED: "resolved",
+        },
+        "classification": {
+            Assessment.AMBIGUOUS: "unknown",
+            Assessment.SECURITY: "informationalExpectedActivity",
+            Assessment.DEVELOPMENT: "informationalExpectedActivity",
+            Assessment.FALSE_POSITIVE: "falsePositive",
+            Assessment.LEGITIMATE: "informationalExpectedActivity",
+            Assessment.TRIVIAL: "falsePositive",
+            Assessment.RECON: "truePositive",
+            Assessment.ATTEMPT: "truePositive",
+            Assessment.COMPROMISE: "truePositive",
+            Assessment.MITIGATED: "truePositive",
+            None: "unknown",
+        },
+        "determination": {
+            Assessment.AMBIGUOUS: "unknown",
+            Assessment.SECURITY: "securityTesting",
+            Assessment.DEVELOPMENT: "confirmedUserActivity",
+            Assessment.FALSE_POSITIVE: "other",
+            Assessment.LEGITIMATE: "lineOfBusinessApplication",
+            Assessment.TRIVIAL: "other",
+            Assessment.RECON: "multiStagedAttack",
+            Assessment.ATTEMPT: "other",
+            Assessment.COMPROMISE: "maliciousUserActivity",
+            Assessment.MITIGATED: "other",
+            None: "unknown",
+        },
+    },
+}
+
+
+def execute(query: str, **kwargs):
+    """Update Microsoft Defender XDR incident.
+
+    Args:
+        query (str): The query on which to apply this automation.
+    """
+    report = []
+    ds = datastore()
+
+    hits: list[Hit] = ds.hit.search(query, as_obj=True)["items"]
+
+    if not hits:
+        report.append(
+            {
+                "query": query,
+                "outcome": "error",
+                "title": "No hits returned by query",
+                "message": f"No hits returned by '{query}'",
+            }
+        )
+        return report
+
+    for hit in hits:
+        if hit.azure and hit.azure.tenant_id:
+            tenant_id = hit.azure.tenant_id
+        elif hit.organization.id:
+            tenant_id = hit.organization.id
+        else:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "skipped",
+                    "title": "Azure Tenant ID is missing",
+                    "message": "This incident does not have a set tenant ID.",
+                }
+            )
+            continue
+
+        try:
+            token = get_token(tenant_id, "https://graph.microsoft.com/.default")[0]
+        except HowlerRuntimeError as err:
+            logger.exception("Error on token fetching")
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Invalid Credentials",
+                    "message": err.message,
+                }
+            )
+            continue
+
+        # Fetch incident details
+        incident_url = f"https://graph.microsoft.com/v1.0/security/incidents/{hit.sentinel.id}"
+        response = requests.get(incident_url, headers={"Authorization": f"Bearer {token}"}, timeout=5.0)
+        if not response.ok:
+            logger.warning(
+                "GET request to Microsoft Graph failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
+            report.append(
+                {
+                    "query": query,
+                    "outcome": "error",
+                    "title": "Microsoft Graph API request failed",
+                    "message": f"GET request to Microsoft Graph failed with status code {response.status_code}.",
+                }
+            )
+            continue
+
+        incident_data = response.json()
+
+        # Update incident
+        if (
+            "assessment" in hit.howler
+            and hit.howler.assessment in properties_map["graph"]["classification"]
+            and hit.howler.assessment in properties_map["graph"]["determination"]
+        ):
+            classification = properties_map["graph"]["classification"][hit.howler.assessment]
+            determination = properties_map["graph"]["determination"][hit.howler.assessment]
+        else:
+            classification = incident_data["classification"]
+            determination = incident_data["determination"]
+
+        status = properties_map["graph"]["status"][hit.howler.status]
+        assigned_to = incident_data["assignedTo"]
+
+        data = {
+            "assignedTo": assigned_to,
+            "classification": classification,
+            "determination": determination,
+            "status": status,
+        }
+
+        response = requests.patch(
+            incident_url,
+            json=data,
+            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
+            timeout=5.0,
+        )
+        if not response.ok:
+            logger.warning(
+                "PATCH request to Microsoft Graph failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
+            report.append(
+                {
+                    "query": query,
+                    "outcome": "error",
+                    "title": "Microsoft Graph API request failed",
+                    "message": f"PATCH request to Microsoft Graph failed with status code {response.status_code}.",
+                }
+            )
+        else:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "success",
+                    "title": "Incident updated in XDR Defender",
+                    "message": "Howler has successfully propagated changes to this incident to XDR Defender.",
+                }
+            )
+
+    return report
+
+
+def specification():
+    "Update Defender action specification"
+    return {
+        "id": OPERATION_ID,
+        "title": "Update Microsoft Defender XDR incident",
+        "priority": 8,
+        "description": {
+            "short": "Update Microsoft Defender XDR incident",
+            "long": execute.__doc__,
+        },
+        "roles": ["automation_basic"],
+        "steps": [{"args": {}, "options": {}, "validation": {}}],
+        "triggers": VALID_TRIGGERS,
+    }

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/sentinel/mapping/sentinel_incident.py

@@ -1,5 +1,6 @@
-"""Sentiel Incident mapper for converting Microsoft Sentinel Sentiel Incidents to Howler bundles."""
+"""Sentinel Incident mapper for converting Microsoft Sentinel Incidents to Howler bundles."""
 
+import json
 import logging
 from typing import Any, Optional
 
@@ -81,6 +82,7 @@ class SentinelIncident:
                     "bundle_size": 0,
                     "hits": [],
                     "labels.generic": self._build_labels(custom_tags, system_tags),
+                    "data": [json.dumps(sentinel_incident)],
                 },
                 "organization": {"name": customer_name, "id": tenant_id},
                 "sentinel": {
@@ -115,14 +117,18 @@ class SentinelIncident:
         """
         return self.tid_mapping.get(tid, self.DEFAULT_CUSTOMER_NAME)
 
-    def map_sentinel_status_to_howler(self, sentinel_status: str) -> str:
-        """Map Sentiel Incident status to Howler status.
+    def map_sentinel_status_to_howler(self, sentinel_status: Optional[str]) -> str:
+        """Map Sentinel Incident status to Howler status.
 
         Args:
-            sentinel_status (str): Sentinel status string.
+            sentinel_status (str | None): Sentinel status string or None.
+
         Returns:
             str: Howler status string.
         """
+        if not isinstance(sentinel_status, str) or not sentinel_status:
+            return "open"
+
         status_mapping: dict[str, str] = {
             "new": "open",
             "active": "in-progress",

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/sentinel/mapping/xdr_alert.py

@@ -1,3 +1,4 @@
+import json
 import logging
 from datetime import datetime
 from typing import Any, Optional
@@ -149,7 +150,7 @@ class XDRAlert:
         # TODO evaluate if we should set this field if new alert
         return classification.get(graph_classification, "ambiguous")
 
-    def map_alert(self, graph_alert: dict[str, Any], customer_id: str) -> dict[str, Any] | None:
+    def map_alert(self, graph_alert: dict[str, Any], customer_id: str) -> Optional[dict[str, Any]]:
         """Transform a Microsoft Graph alert into a Howler hit format.
 
         This is the main mapping function that converts a Graph API alert object
@@ -231,14 +232,7 @@ class XDRAlert:
                     "operation": [],
                     "generic": [],
                 },
-                "dossier": [
-                    {
-                        "content": [display_name],
-                        "metadata": [graph_alert],
-                        "label": {"en": "MSGraph Alert", "fr": "Alerte MSGraph"},
-                        "format": "markdown",
-                    }
-                ],
+                "data": [json.dumps(graph_alert)],
             },
             "evidence": {"data": []},
             "event": {

{howler_sentinel_plugin-0.2.0.dev105 → howler_sentinel_plugin-0.2.0.dev137}/sentinel/mapping/xdr_alert_evidence.py

@@ -232,10 +232,13 @@ class XDRAlertEvidence:
     @staticmethod
     def device_evidence(evidence: dict[str, Any]) -> dict[str, Any]:
         """Convert device evidence to howler evidence format."""
+        hostname = evidence.get("hostName")
+        if not hostname:
+            hostname = evidence.get("deviceDnsName")
         return {
             "host": {
                 "id": evidence.get("mdeDeviceId"),
-                "name": evidence.get("hostName"),
+                "name": hostname,
                 "domain": [evidence.get("ntDomain", "unknown")],
                 "os": {
                     "platform": evidence.get("osPlatform"),
@@ -668,51 +671,51 @@ class XDRAlertEvidence:
                 "status_remediation_details": evidence.get("remediationStatusDetails"),
             },
             "teams": {
-                "campaign_id": evidence.get("CampaignId"),
-                "channel_id": evidence.get("ChannelId"),
-                "delivery_action": evidence.get("DeliveryAction"),
-                "delivery_location": evidence.get("DeliveryLocation"),
-                "detailed_roles": evidence.get("DetailedRoles"),
+                "campaign_id": evidence.get("campaignId"),
+                "channel_id": evidence.get("channelId"),
+                "delivery_action": evidence.get("deliveryAction"),
+                "delivery_location": evidence.get("deliveryLocation"),
+                "detailed_roles": evidence.get("detailedRoles"),
                 "files": [
                     {
-                        "path": file.get("FileDetails", {}).get("FilePath"),
-                        "name": file.get("FileDetails", {}).get("FileName"),
+                        "path": file.get("fileDetails", {}).get("filePath"),
+                        "name": file.get("fileDetails", {}).get("fileName"),
                         "hash": {
-                            "sha1": file.get("FileDetails", {}).get("Sha1"),
-                            "sha256": file.get("FileDetails", {}).get("Sha256"),
-                            "md5": file.get("FileDetails", {}).get("Md5"),
+                            "sha1": file.get("fileDetails", {}).get("sha1"),
+                            "sha256": file.get("fileDetails", {}).get("sha256"),
+                            "md5": file.get("fileDetails", {}).get("md5"),
                         },
                         "code_signature": {
-                            "signing_id": file.get("FileDetails", {}).get("Signer"),
-                            "team_id": file.get("FileDetails", {}).get("Issuer"),
+                            "signing_id": file.get("fileDetails", {}).get("signer"),
+                            "team_id": file.get("fileDetails", {}).get("issuer"),
                         },
-                        "size": file.get("FileDetails", {}).get("FileSize"),
+                        "size": file.get("fileDetails", {}).get("fileSize"),
                     }
-                    for file in evidence.get("Files", [])
+                    for file in evidence.get("files", [])
                 ],
-                "group_id": evidence.get("GroupId"),
-                "is_external": evidence.get("IsExternal"),
-                "is_owned": evidence.get("IsOwned"),
-                "last_modified": evidence.get("LastModified"),
-                "message_direction": evidence.get("MessageDirection"),
-                "message_id": evidence.get("MessageId"),
-                "owning_tenant_id": evidence.get("OwningTenantId"),
-                "parent_message_id": evidence.get("ParentMessageId"),
-                "received": evidence.get("Received"),
-                "recipients": evidence.get("Recipients"),
-                "sender_from_address": evidence.get("SenderFromAddress"),
-                "sender_ip": evidence.get("SenderIp"),
-                "source_add_name": evidence.get("SourceAddName"),
-                "source_id": evidence.get("SourceId"),
-                "subject": evidence.get("Subject"),
-                "suspicious_recipients": evidence.get("SuspiciousRecipients"),
-                "thread_id": evidence.get("ThreadId"),
-                "thread_type": evidence.get("ThreadType"),
+                "group_id": evidence.get("groupId"),
+                "is_external": evidence.get("isExternal"),
+                "is_owned": evidence.get("isOwned"),
+                "last_modified": evidence.get("lastModified"),
+                "message_direction": evidence.get("messageDirection"),
+                "message_id": evidence.get("messageId"),
+                "owning_tenant_id": evidence.get("owningTenantId"),
+                "parent_message_id": evidence.get("parentMessageId"),
+                "received": evidence.get("received"),
+                "recipients": evidence.get("recipients"),
+                "sender_from_address": evidence.get("senderFromAddress"),
+                "sender_ip": evidence.get("senderIp"),
+                "source_add_name": evidence.get("sourceAddName"),
+                "source_id": evidence.get("sourceId"),
+                "subject": evidence.get("subject"),
+                "suspicious_recipients": evidence.get("suspiciousRecipients"),
+                "thread_id": evidence.get("threadId"),
+                "thread_type": evidence.get("threadType"),
                 "urls": [
                     {
-                        "full": url.get("Url"),
+                        "full": url.get("url"),
                     }
-                    for url in evidence.get("Urls", [])
+                    for url in evidence.get("urls", [])
                 ],
             },
         }
@@ -722,22 +725,22 @@ class XDRAlertEvidence:
         """Convert URL evidence to howler evidence format."""
         return {
             "url": {
-                "full": evidence.get("Url"),
+                "full": evidence.get("url"),
             },
         }
 
     @staticmethod
     def user_evidence(evidence: dict[str, Any]) -> dict[str, Any]:
         """Convert user evidence to howler evidence format."""
-        user = evidence.get("UserAccount", {})
+        user = evidence.get("userAccount", {})
         if not user:
             user = {}
         return {
             "user": {
-                "name": user.get("AccountName"),
-                "full_name": user.get("UserPrincipalName"),
-                "id": user.get("AzureAdUserId"),
-                "domain": user.get("DomainName"),
+                "name": user.get("accountName"),
+                "full_name": user.get("userPrincipalName"),
+                "id": user.get("azureAdUserId"),
+                "domain": user.get("domainName"),
             },
         }
 

howler_sentinel_plugin-0.2.0.dev137/sentinel/routes/ingest.py

@@ -0,0 +1,261 @@
+import os
+import re
+from typing import Any
+
+from flask import request
+from howler.api import bad_request, created, internal_error, make_subapi_blueprint, ok, unauthorized
+from howler.common.exceptions import HowlerException
+from howler.common.loader import datastore
+from howler.common.logging import get_logger
+from howler.common.swagger import generate_swagger_docs
+from howler.services import action_service, analytic_service, hit_service
+
+from ..mapping.sentinel_incident import SentinelIncident
+from ..mapping.xdr_alert import XDRAlert
+
+SUB_API = "sentinel"
+sentinel_api = make_subapi_blueprint(SUB_API, api_version=1)
+sentinel_api._doc = "Ingest Microsoft Sentinel XDR incidents into Howler"
+
+logger = get_logger(__file__)
+
+# For testing purposes, replace with actual secret in production
+SECRET = os.environ.get("SENTINEL_LINK_KEY", "abcdefghijklmnopqrstuvwxyz1234567890")
+
+if SECRET.startswith("abcdef"):
+    logger.warning("Default secret used!")
+
+
+@generate_swagger_docs()
+@sentinel_api.route("/ingest", methods=["POST"])
+def ingest_xdr_incident(**kwargs) -> tuple[dict[str, Any], int]:  # noqa C901
+    """Ingest a Microsoft Sentinel XDR incident into Howler.
+
+    Variables:
+        None
+
+    Arguments:
+        None
+
+    Data Block:
+        {
+            ...Sentinel XDR incident JSON...
+        }
+
+    Headers:
+        Authorization: API in the format "Basic <key>"
+
+    Result Example (201 Created):
+        {
+            "success": True,
+            "bundle_hit_id": "howler-bundle-id",
+            "bundle_id": "sentinel-incident-id",
+            "individual_hit_ids": ["alert-hit-id-1", "alert-hit-id-2"],
+            "total_hits_created": 3,
+            "bundle_size": 2,
+            "organization": "Acme Corporation"
+        }
+
+    Result Example (200 OK, update):
+        {
+            "success": True,
+            "bundle_hit_id": "howler-bundle-id",
+            "bundle_id": "sentinel-incident-id",
+            "individual_hit_ids": ["alert-hit-id-1", "alert-hit-id-2"],
+            "total_hits_updated": 3,
+            "bundle_size": 2,
+            "organization": "Acme Corporation",
+            "updated": True
+        }
+
+    Error Codes:
+        400 - Bad request (e.g., missing JSON)
+        401 - Unauthorized (invalid API key)
+        500 - Internal server error
+
+    Description:
+        Receives a Microsoft Sentinel XDR incident as JSON, maps it to Howler format, and creates or updates a bundle
+        and its underlying alerts in Howler. Returns details about the created or updated bundle and alerts.
+    """
+    apikey = request.headers.get("Authorization", "Basic ", type=str).split(" ")[1]
+    if not apikey or apikey != SECRET:
+        return unauthorized(err="API Key does not match expected value.")
+
+    logger.info("Received authorization header with value %s", re.sub(r"^(.{3}).+(.{3})$", r"\1...\2", apikey))
+
+    xdr_incident = request.json
+    if not xdr_incident:
+        return bad_request(err="No JSON data provided in request body")
+
+    try:
+        # TODO needs to be replaced with actual tenant mapping logic
+        tenant_mapping = {"020cd98f-1002-45b7-90ff-69fc68bdd027": "Acme Corporation"}
+        incident_mapper = SentinelIncident(tid_mapping=tenant_mapping)
+        bundle_hit = incident_mapper.map_incident_to_bundle(xdr_incident)
+        if bundle_hit is None:
+            return internal_error(err="Failed to map XDR incident to Howler bundle format")
+
+        sentinel_id = xdr_incident.get("id")
+        if sentinel_id:
+            existing_bundles = datastore().hit.search(f"sentinel.id:{sentinel_id}", as_obj=True)["items"]
+            if existing_bundles:
+                return _update_existing_incident(existing_bundles[0], xdr_incident, incident_mapper)
+
+        return _create_new_incident(bundle_hit, xdr_incident, tenant_mapping)
+
+    except HowlerException as e:
+        logger.exception("Failed to process XDR incident")
+        return internal_error(err=f"Failed to process XDR incident: {str(e)}")
+    except Exception as e:
+        logger.exception("Unexpected error during XDR incident ingestion")
+        return internal_error(err=f"Internal error occurred during ingestion: {str(e)}")
+
+
+def _update_existing_incident(
+    existing_bundle: Any, xdr_incident: dict[str, Any], incident_mapper: SentinelIncident
+) -> tuple[dict[str, Any], int]:
+    """Update an existing incident and its underlying alerts in Howler.
+
+    Args:
+        existing_bundle: The existing Howler bundle object.
+        xdr_incident: The incoming XDR incident data.
+        incident_mapper: The incident mapper instance.
+
+    Returns:
+        Tuple containing response dictionary and HTTP status code.
+    """
+    new_status = xdr_incident.get("status")
+    if new_status:
+        existing_bundle.howler.status = incident_mapper.map_sentinel_status_to_howler(new_status)
+        datastore().hit.save(existing_bundle.howler.id, existing_bundle)
+    for child_id in getattr(existing_bundle.howler, "hits", []):
+        child_hit = datastore().hit.get(child_id, as_obj=True)
+        if child_hit:
+            child_hit.howler.status = incident_mapper.map_sentinel_status_to_howler(new_status)
+            datastore().hit.save(child_id, child_hit)
+    datastore().hit.commit()
+    logger.info("Updated status for existing bundle %s and its child hits", existing_bundle.howler.id)
+    return ok(
+        {
+            "success": True,
+            "bundle_hit_id": existing_bundle.howler.id,
+            "bundle_id": existing_bundle.sentinel.id if hasattr(existing_bundle, "sentinel") else None,
+            "individual_hit_ids": getattr(existing_bundle.howler, "hits", []),
+            "total_hits_updated": 1 + len(getattr(existing_bundle.howler, "hits", [])),
+            "bundle_size": len(getattr(existing_bundle.howler, "hits", [])),
+            "organization": getattr(existing_bundle, "organization", {}).get("name", ""),
+            "updated": True,
+        }
+    )
+
+
+def _create_alert_hits(alerts: list[dict[str, Any]], tenant_id: str, alert_mapper: XDRAlert) -> list[str]:
+    """Create alert hits from the provided alerts and return their IDs.
+
+    Args:
+        alerts: List of alert dictionaries.
+        tenant_id: The tenant ID string.
+        alert_mapper: The alert mapper instance.
+
+    Returns:
+        List of created alert hit IDs.
+    """
+    child_hit_ids = []
+    for i, alert in enumerate(alerts):
+        try:
+            mapped_hit = alert_mapper.map_alert(alert, tenant_id)
+            if mapped_hit:
+                alert_hit_odm, _ = hit_service.convert_hit(mapped_hit, unique=True, ignore_extra_values=True)
+                if alert_hit_odm.event is not None:
+                    alert_hit_odm.event.id = alert_hit_odm.howler.id
+                logger.info("Creating individual alert hit %s with ID %s", i, alert_hit_odm.howler.id)
+                hit_service.create_hit(alert_hit_odm.howler.id, alert_hit_odm, user="system")
+                analytic_service.save_from_hit(alert_hit_odm, {"uname": "system"})
+                child_hit_ids.append(alert_hit_odm.howler.id)
+                logger.debug("Successfully created alert hit %s: %s", i, alert_hit_odm.howler.id)
+            else:
+                logger.warning("Alert mapper returned None for alert %s: %s", i, alert.get("id", "unknown"))
+        except Exception:
+            logger.exception("Failed to create individual alert hit %s", i)
+            continue
+    return child_hit_ids
+
+
+def _link_child_hits_to_bundle(bundle_odm: Any, child_hit_ids: list[str]) -> None:
+    """Link child hits to the bundle and update their bundle references.
+
+    Args:
+        bundle_odm: The bundle ODM object.
+        child_hit_ids: List of child hit IDs to link.
+    """
+    for hit_id in bundle_odm.howler.hits:
+        child_hit = hit_service.get_hit(hit_id, as_odm=True)
+
+        if child_hit.howler.is_bundle:
+            logger.warning("Child hit %s is a bundle - skipping bundle assignment", child_hit.howler.id)
+            continue
+
+        new_bundle_list = child_hit.howler.get("bundles", [])
+        new_bundle_list.append(bundle_odm.howler.id)
+        child_hit.howler.bundles = new_bundle_list
+        datastore().hit.save(child_hit.howler.id, child_hit)
+
+
+def _create_new_incident(
+    bundle_hit: dict[str, Any], xdr_incident: dict[str, Any], tenant_mapping: dict[str, str]
+) -> tuple[dict[str, Any], int]:
+    """Create a new incident bundle and its underlying alerts in Howler.
+
+    Args:
+        bundle_hit: The mapped Howler bundle data.
+        xdr_incident: The incoming XDR incident data.
+        tenant_mapping: The tenant mapping dictionary.
+
+    Returns:
+        Tuple containing response dictionary and HTTP status code.
+    """
+    alerts = xdr_incident.get("alerts", [])
+    tenant_id = xdr_incident.get("tenantId", "")
+    alert_mapper = XDRAlert(tid_mapping=tenant_mapping)
+    child_hit_ids = _create_alert_hits(alerts, tenant_id, alert_mapper)
+    try:
+        bundle_odm, _ = hit_service.convert_hit(bundle_hit, unique=True)
+        # If there are no alerts, do not treat as bundle
+        if child_hit_ids:
+            bundle_odm.howler.is_bundle = True
+            if not hasattr(bundle_odm.howler, "hits") or not isinstance(bundle_odm.howler.hits, list):
+                bundle_odm.howler.hits = []
+            for hit_id in child_hit_ids:
+                if hit_id not in bundle_odm.howler.hits:
+                    bundle_odm.howler.hits.append(hit_id)
+            bundle_odm.howler.bundle_size = len(bundle_odm.howler.hits)
+        else:
+            bundle_odm.howler.is_bundle = False
+            bundle_odm.howler.hits = []
+            bundle_odm.howler.bundle_size = 0
+
+        if bundle_odm.event is not None:
+            bundle_odm.event.id = bundle_odm.howler.id
+
+        logger.info("Creating incident hit with ID %s", bundle_odm.howler.id)
+        hit_service.create_hit(bundle_odm.howler.id, bundle_odm, user="system")
+        analytic_service.save_from_hit(bundle_odm, {"uname": "system"})
+        if child_hit_ids:
+            _link_child_hits_to_bundle(bundle_odm, child_hit_ids)
+        datastore().hit.commit()
+        if child_hit_ids:
+            action_service.bulk_execute_on_query(f"howler.id:{bundle_odm.howler.id}", user={"uname": "system"})
+        logger.info("Successfully completed XDR incident ingestion")
+        response_body = {
+            "success": True,
+            "bundle_hit_id": bundle_odm.howler.id,
+            "bundle_id": bundle_hit["howler"].get("xdr.incident.id"),
+            "individual_hit_ids": child_hit_ids,
+            "total_hits_created": len(child_hit_ids) + 1,
+            "bundle_size": len(child_hit_ids),
+            "organization": bundle_hit["organization"]["name"],
+        }
+        return created(response_body)
+    except HowlerException as e:
+        logger.exception("Failed to create bundle")
+        return internal_error(err=f"Failed to create bundle: {str(e)}")

howler_sentinel_plugin-0.2.0.dev105/sentinel/routes/ingest.py

@@ -1,171 +0,0 @@
-import os
-import re
-from typing import Any
-
-from flask import request
-from howler.api import bad_request, created, make_subapi_blueprint, unauthorized
-from howler.common.exceptions import HowlerException
-from howler.common.loader import datastore
-from howler.common.logging import get_logger
-from howler.common.swagger import generate_swagger_docs
-from howler.services import action_service, analytic_service, hit_service
-
-from ..mapping.sentinel_incident import SentinelIncident
-from ..mapping.xdr_alert import XDRAlert
-
-SUB_API = "sentinel"
-sentinel_api = make_subapi_blueprint(SUB_API, api_version=1)
-sentinel_api._doc = "Ingest Microsoft Sentinel XDR incidents into Howler"
-
-logger = get_logger(__file__)
-
-# For testing purposes, replace with actual secret in production
-SECRET = os.environ.get("SENTINEL_LINK_KEY", "abcdefghijklmnopqrstuvwxyz1234567890")
-
-if SECRET.startswith("abcdef"):
-    logger.warning("Default secret used!")
-
-
-@generate_swagger_docs()
-@sentinel_api.route("/ingest", methods=["POST"])
-def ingest_xdr_incident(**kwargs) -> tuple[dict[str, Any], int]:  # noqa C901
-    """Ingest a Microsoft Sentinel XDR incident into Howler.
-
-    This endpoint receives an XDR incident as JSON, maps it to Howler format using XDRIncidentMapper,
-    and creates a bundle following the same pattern as the create_bundle endpoint.
-
-    Uses API key authentication via Authorization header.
-
-    Variables:
-    None
-
-    Data Body:
-    XDR incident JSON data to be ingested
-
-    Result Example:
-    {
-        "success": true,
-        "bundle_id": "generated_bundle_id",
-        "hit_count": 1
-    }
-    """
-    # API Key authentication
-    apikey = request.headers.get("Authorization", "Basic ", type=str).split(" ")[1]
-
-    if not apikey or apikey != SECRET:
-        return unauthorized(err="API Key does not match expected value.")
-
-    logger.info("Received authorization header with value %s", re.sub(r"^(.{3}).+(.{3})$", r"\1...\2", apikey))
-
-    # Validate JSON payload
-    xdr_incident = request.json
-    if not xdr_incident:
-        return bad_request(err="No JSON data provided in request body")
-
-    logger.info("XDR Incident received")
-
-    try:
-        # Configure tenant mapping for both mappers
-        tenant_mapping = {"020cd98f-1002-45b7-90ff-69fc68bdd027": "Acme Corporation"}
-
-        incident_mapper = SentinelIncident(tid_mapping=tenant_mapping)
-        bundle_hit = incident_mapper.map_incident_to_bundle(xdr_incident)
-
-        if bundle_hit is None:
-            return bad_request(err="Failed to map XDR incident to Howler bundle format")
-
-        logger.info("Successfully mapped XDR incident to bundle")
-
-        alerts = xdr_incident.get("alerts", [])
-        tenant_id = xdr_incident.get("tenantId", "")
-
-        alert_mapper = XDRAlert(tid_mapping=tenant_mapping)
-
-        # Create individual hits from alerts first
-        child_hit_ids = []
-
-        for i, alert in enumerate(alerts):
-            try:
-                mapped_hit = alert_mapper.map_alert(alert, tenant_id)
-                if mapped_hit:
-                    alert_hit_odm, _ = hit_service.convert_hit(mapped_hit, unique=True, ignore_extra_values=True)
-
-                    if alert_hit_odm.event is not None:
-                        alert_hit_odm.event.id = alert_hit_odm.howler.id
-
-                    logger.info("Creating individual alert hit %s with ID %s", i, alert_hit_odm.howler.id)
-                    hit_service.create_hit(alert_hit_odm.howler.id, alert_hit_odm, user="system")
-                    analytic_service.save_from_hit(alert_hit_odm, {"uname": "system"})
-
-                    child_hit_ids.append(alert_hit_odm.howler.id)
-                    logger.debug("Successfully created alert hit %s: %s", i, alert_hit_odm.howler.id)
-                else:
-                    logger.warning("Alert mapper returned None for alert %s: %s", i, alert.get("id", "unknown"))
-            except Exception:
-                logger.exception("Failed to create individual alert hit %s", i)
-                continue
-
-        try:
-            bundle_odm, _ = hit_service.convert_hit(bundle_hit, unique=True)
-            bundle_odm.howler.is_bundle = True
-
-            if not hasattr(bundle_odm.howler, "hits") or not isinstance(bundle_odm.howler.hits, list):
-                bundle_odm.howler.hits = []
-            for hit_id in child_hit_ids:
-                if hit_id not in bundle_odm.howler.hits:
-                    bundle_odm.howler.hits.append(hit_id)
-
-            if len(bundle_odm.howler.hits) < 1:
-                logger.error("No valid child hits were created from the XDR incident alerts")
-                return bad_request(err="No valid child hits were created from the XDR incident alerts.")
-
-            bundle_odm.howler.bundle_size = len(bundle_odm.howler.hits)
-
-            if bundle_odm.event is not None:
-                bundle_odm.event.id = bundle_odm.howler.id
-
-            logger.info("Creating bundle hit with ID %s", bundle_odm.howler.id)
-            hit_service.create_hit(bundle_odm.howler.id, bundle_odm, user="system")
-            analytic_service.save_from_hit(bundle_odm, {"uname": "system"})
-
-            # Link child hits to bundle (same as create_bundle)
-            for hit_id in bundle_odm.howler.hits:
-                child_hit = hit_service.get_hit(hit_id, as_odm=True)
-
-                if child_hit.howler.is_bundle:
-                    logger.warning("Child hit %s is a bundle - skipping bundle assignment", child_hit.howler.id)
-                    continue
-
-                new_bundle_list = child_hit.howler.get("bundles", [])
-                new_bundle_list.append(bundle_odm.howler.id)
-                child_hit.howler.bundles = new_bundle_list
-                datastore().hit.save(child_hit.howler.id, child_hit)
-
-            datastore().hit.commit()
-            action_service.bulk_execute_on_query(f"howler.id:{bundle_odm.howler.id}", user={"uname": "system"})
-
-            logger.info("Successfully completed XDR incident ingestion")
-
-            response_body = {
-                "success": True,
-                "bundle_hit_id": bundle_odm.howler.id,
-                "bundle_id": bundle_hit["howler"].get("xdr.incident.id"),
-                "individual_hit_ids": child_hit_ids,
-                "total_hits_created": len(child_hit_ids) + 1,  # +1 for the bundle itself
-                "bundle_size": len(child_hit_ids),
-                "organization": bundle_hit["organization"]["name"],
-            }
-
-            return created(response_body)
-
-        except HowlerException as e:
-            logger.exception("Failed to create bundle")
-            return bad_request(err=f"Failed to create bundle: {str(e)}")
-
-    except HowlerException as e:
-        logger.exception("Failed to process XDR incident")
-        return bad_request(err=f"Failed to process XDR incident: {str(e)}")
-
-    except Exception as e:
-        logger.exception("Unexpected error during XDR incident ingestion")
-        return bad_request(err=f"Internal error occurred during ingestion: {str(e)}")