howler-sentinel-plugin 0.2.0.dev113__py3-none-any.whl → 0.2.0.dev147__py3-none-any.whl

{howler_sentinel_plugin-0.2.0.dev113.dist-info → howler_sentinel_plugin-0.2.0.dev147.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev113
+Version: 0.2.0.dev147
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

howler_sentinel_plugin-0.2.0.dev147.dist-info/RECORD

@@ -0,0 +1,21 @@
+sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sentinel/actions/azure_emit_hash.py,sha256=ES9u3iIkm18qcwVT7-f3r8K5d-haCnjSTC7cyOKxH7A,4000
+sentinel/actions/send_to_sentinel.py,sha256=wrpE-ML19CPFU7l5aVWsZpiNvdyQImelt0hFwhtmXPw,4588
+sentinel/actions/update_defender_xdr_alert.py,sha256=_AS6fL0lWgrKIfd2fgVfWXyLias1uX89bZ0RgjNsB7c,6796
+sentinel/actions/update_defender_xdr_incident.py,sha256=HjvK8yTDafYePY5LoMkYat_cFUHnFWK3tzpCfAO3JNE,6854
+sentinel/config.py,sha256=RLt65CZhD0VxygWngU6RjDkrS24h1H9OMLieV4iTf9A,1788
+sentinel/manifest.yml,sha256=Ps5qp5PjcY6MY9U8wQFt-18VDpEySI0lrj25wMlxod4,222
+sentinel/mapping/sentinel_incident.py,sha256=GkOMbFLeHgKd00H8Bc42yQylr4fvO8yq8y2bM1x7c3s,9741
+sentinel/mapping/xdr_alert.py,sha256=J-o76G6gJy2R_bZO7FBgG3Ks8QToIkr5Uy7HRHzmb6w,17994
+sentinel/mapping/xdr_alert_evidence.py,sha256=iMn9Wd5NB7Wi9l0Fl0vmJhugX8L6hAO9jYA9AtLLX2o,31429
+sentinel/odm/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sentinel/odm/hit.py,sha256=XEStYFIfiEUzcNVYo2Z1s6U7j6B-IDQOhRZR6YRUJn0,867
+sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKBIc,337
+sentinel/routes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sentinel/routes/ingest.py,sha256=XlQqOaZT-6_cBUuhe_DAdD81brKIgG1B4d3ZH8JJ0NA,10788
+sentinel/utils/tenant_utils.py,sha256=Xfxh90x87pl0rdf8aqkwYtEOje8Hw5U5KNXLFtVxXCw,1725
+howler_sentinel_plugin-0.2.0.dev147.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
+howler_sentinel_plugin-0.2.0.dev147.dist-info/METADATA,sha256=8CSPIJuPOJqXWV2q99h22R4cQnmw2lHH-6ulsD2GPhA,749
+howler_sentinel_plugin-0.2.0.dev147.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+howler_sentinel_plugin-0.2.0.dev147.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
+howler_sentinel_plugin-0.2.0.dev147.dist-info/RECORD,,

sentinel/actions/send_to_sentinel.py

@@ -35,6 +35,8 @@ def execute(query: str, **kwargs) -> list[dict[str, Any]]:
         )
         return report
 
+    from sentinel.config import config
+
     for hit in hits:
         if hit.azure and hit.azure.tenant_id:
             tenant_id = hit.azure.tenant_id
@@ -52,7 +54,7 @@ def execute(query: str, **kwargs) -> list[dict[str, Any]]:
             continue
 
         try:
-            token, credentials = get_token(tenant_id, "https://monitor.azure.com/.default")
+            token = get_token(tenant_id, "https://monitor.azure.com/.default")
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(
@@ -65,9 +67,24 @@ def execute(query: str, **kwargs) -> list[dict[str, Any]]:
             )
             continue
 
+        ingestor = next((ingestor for ingestor in config.ingestors if ingestor.tenant_id == tenant_id), None)
+
+        if not ingestor:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Invalid Tenant ID",
+                    "message": (
+                        f"The tenant ID ({tenant_id}) associated with this alert has not been correctly configured."
+                    ),
+                }
+            )
+            continue
+
         uri = (
-            f"https://{credentials['dce']}.ingest.monitor.azure.com/dataCollectionRules/{credentials['dcr']}/"
-            + f"streams/{credentials['table']}?api-version=2021-11-01-preview"
+            f"https://{ingestor.dce}.ingest.monitor.azure.com/dataCollectionRules/{ingestor.dcr}/"
+            + f"streams/{ingestor.table}?api-version=2021-11-01-preview"
         )
 
         payload = [

sentinel/actions/update_defender_xdr_alert.py

@@ -89,7 +89,7 @@ def execute(query: str, **kwargs):
             continue
 
         try:
-            token = get_token(tenant_id, "https://graph.microsoft.com/.default")[0]
+            token = get_token(tenant_id, "https://graph.microsoft.com/.default")
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(

sentinel/config.py

@@ -0,0 +1,70 @@
+# mypy: ignore-errors
+import os
+from pathlib import Path
+from typing import Optional
+
+from howler.plugins.config import BasePluginConfig
+from pydantic import BaseModel, ImportString
+from pydantic_settings import SettingsConfigDict
+
+APP_NAME = os.environ.get("APP_NAME", "howler")
+PLUGIN_NAME = "sentinel"
+
+root_path = Path("/etc") / APP_NAME.replace("-dev", "").replace("-stg", "")
+
+config_locations = [
+    Path(__file__).parent / "manifest.yml",
+    root_path / "conf" / f"{PLUGIN_NAME}.yml",
+    Path(os.environ.get("HWL_CONF_FOLDER", root_path)) / f"{PLUGIN_NAME}.yml",
+]
+
+
+class ClientCredentials(BaseModel):
+    "OAuth2 credentials for client_credential OAuth2 Flow"
+
+    client_id: str
+    client_secret: str
+
+
+class Auth(BaseModel):
+    "Configuration for the various authentication methods, both to azure and incoming requests."
+
+    link_key: str = "abcdefghijklmnopqrstuvwxyz1234567890"
+
+    client_credentials: Optional[ClientCredentials] = None
+
+    custom_auth: Optional[ImportString] = None
+
+
+class Ingestor(BaseModel):
+    "Defines necessary data to ingest howler alerts into a specific azure tenancy"
+
+    tenant_id: str
+    dce: str
+    dcr: str
+    table: str
+
+
+class SentinelConfig(BasePluginConfig):
+    "Sentinel Plugin Configuration Model"
+
+    auth: Auth = Auth()
+
+    ingestors: list[Ingestor] = []
+
+    model_config = SettingsConfigDict(
+        yaml_file=config_locations,
+        yaml_file_encoding="utf-8",
+        strict=True,
+        env_nested_delimiter="__",
+        env_prefix=f"{PLUGIN_NAME.upper()}_",
+    )
+
+
+config = SentinelConfig()
+
+if __name__ == "__main__":
+    # When executed, the config model will print the default values of the configuration
+    import yaml
+
+    print(yaml.safe_dump(SentinelConfig().model_dump(mode="json")))  # noqa: T201

sentinel/manifest.yml

@@ -0,0 +1,13 @@
+name: sentinel
+modules:
+  odm:
+    modify_odm:
+      hit: true
+    generation:
+      hit: true
+  operations:
+    - azure_emit_hash
+    - send_to_sentinel
+    - update_defender_xdr_alert
+  routes:
+    - ingest:sentinel_api

sentinel/mapping/sentinel_incident.py

@@ -1,5 +1,6 @@
-"""Sentiel Incident mapper for converting Microsoft Sentinel Sentiel Incidents to Howler bundles."""
+"""Sentinel Incident mapper for converting Microsoft Sentinel Incidents to Howler bundles."""
 
+import json
 import logging
 from typing import Any, Optional
 
@@ -81,6 +82,7 @@ class SentinelIncident:
                     "bundle_size": 0,
                     "hits": [],
                     "labels.generic": self._build_labels(custom_tags, system_tags),
+                    "data": [json.dumps(sentinel_incident)],
                 },
                 "organization": {"name": customer_name, "id": tenant_id},
                 "sentinel": {
@@ -98,7 +100,7 @@ class SentinelIncident:
             # Add assessment conditionally if classification is not null
             if classification is not None:
                 bundle["howler"]["assessment"] = self.map_classification(classification)
-            logger.info("Successfully mapped Sentiel Incident %s", incident_id)
+            logger.info("Successfully mapped Sentinel Incident %s", incident_id)
             return bundle
 
         except Exception as exc:
@@ -115,14 +117,18 @@ class SentinelIncident:
         """
         return self.tid_mapping.get(tid, self.DEFAULT_CUSTOMER_NAME)
 
-    def map_sentinel_status_to_howler(self, sentinel_status: str) -> str:
-        """Map Sentiel Incident status to Howler status.
+    def map_sentinel_status_to_howler(self, sentinel_status: Optional[str]) -> str:
+        """Map Sentinel Incident status to Howler status.
 
         Args:
-            sentinel_status (str): Sentinel status string.
+            sentinel_status (str | None): Sentinel status string or None.
+
         Returns:
             str: Howler status string.
         """
+        if not isinstance(sentinel_status, str) or not sentinel_status:
+            return "open"
+
         status_mapping: dict[str, str] = {
             "new": "open",
             "active": "in-progress",

sentinel/mapping/xdr_alert.py

@@ -1,3 +1,4 @@
+import json
 import logging
 from datetime import datetime
 from typing import Any, Optional
@@ -149,7 +150,7 @@ class XDRAlert:
         # TODO evaluate if we should set this field if new alert
         return classification.get(graph_classification, "ambiguous")
 
-    def map_alert(self, graph_alert: dict[str, Any], customer_id: str) -> dict[str, Any] | None:
+    def map_alert(self, graph_alert: dict[str, Any], customer_id: str) -> Optional[dict[str, Any]]:
         """Transform a Microsoft Graph alert into a Howler hit format.
 
         This is the main mapping function that converts a Graph API alert object
@@ -231,14 +232,7 @@ class XDRAlert:
                     "operation": [],
                     "generic": [],
                 },
-                "dossier": [
-                    {
-                        "content": [display_name],
-                        "metadata": [graph_alert],
-                        "label": {"en": "MSGraph Alert", "fr": "Alerte MSGraph"},
-                        "format": "markdown",
-                    }
-                ],
+                "data": [json.dumps(graph_alert)],
             },
             "evidence": {"data": []},
             "event": {

sentinel/odm/hit.py

@@ -1,24 +1,33 @@
+from typing import TYPE_CHECKING
+
 import howler.odm as odm
 from howler.common.logging import get_logger
-from howler.odm.models.hit import Hit
+from howler.odm.models.azure import Azure
 
 from sentinel.odm.models.sentinel import Sentinel
 
+if TYPE_CHECKING:
+    from howler.odm.models.hit import Hit
+
+
 logger = get_logger(__file__)
 
 
 def modify_odm(target):
     "Add additional internal fields to the ODM"
-    logger.info("Modifying ODM with additional fields")
-
     target.add_namespace(
         "sentinel",
         odm.Optional(odm.Compound(Sentinel, description="Sentinel metadata associated with this alert")),
     )
 
 
-def generate_useful_hit(hit: Hit) -> Hit:
+def generate(hit: "Hit") -> "Hit":  # pragma: no cover
     "Add cccs-specific changes to hits on generation"
     hit.sentinel = Sentinel({"id": "example-sentinel-id"})
 
+    if not hit.azure:
+        hit.azure = Azure({"tenant_id": "example-tenant-id"})
+    else:
+        hit.azure.tenant_id = "example-tenant-id"
+
     return ["sentinel"], hit

sentinel/routes/__init__.py

@@ -1,5 +0,0 @@
-from flask.blueprints import Blueprint
-
-from sentinel.routes.ingest import sentinel_api
-
-ROUTES: list[Blueprint] = [sentinel_api]

sentinel/routes/ingest.py

@@ -1,17 +1,16 @@
-import os
 import re
 from typing import Any
 
 from flask import request
-from howler.api import bad_request, created, make_subapi_blueprint, ok, unauthorized
+from howler.api import bad_request, created, internal_error, make_subapi_blueprint, ok, unauthorized
 from howler.common.exceptions import HowlerException
 from howler.common.loader import datastore
 from howler.common.logging import get_logger
 from howler.common.swagger import generate_swagger_docs
 from howler.services import action_service, analytic_service, hit_service
 
-from ..mapping.sentinel_incident import SentinelIncident
-from ..mapping.xdr_alert import XDRAlert
+from sentinel.mapping.sentinel_incident import SentinelIncident
+from sentinel.mapping.xdr_alert import XDRAlert
 
 SUB_API = "sentinel"
 sentinel_api = make_subapi_blueprint(SUB_API, api_version=1)
@@ -19,40 +18,66 @@ sentinel_api._doc = "Ingest Microsoft Sentinel XDR incidents into Howler"
 
 logger = get_logger(__file__)
 
-# For testing purposes, replace with actual secret in production
-SECRET = os.environ.get("SENTINEL_LINK_KEY", "abcdefghijklmnopqrstuvwxyz1234567890")
-
-if SECRET.startswith("abcdef"):
-    logger.warning("Default secret used!")
-
 
 @generate_swagger_docs()
 @sentinel_api.route("/ingest", methods=["POST"])
 def ingest_xdr_incident(**kwargs) -> tuple[dict[str, Any], int]:  # noqa C901
     """Ingest a Microsoft Sentinel XDR incident into Howler.
 
-    This endpoint receives an XDR incident as JSON, maps it to Howler format using XDRIncidentMapper,
-    and creates a bundle following the same pattern as the create_bundle endpoint.
-
-    Uses API key authentication via Authorization header.
-
     Variables:
-    None
-
-    Data Body:
-    XDR incident JSON data to be ingested
-
-    Result Example:
-    {
-        "success": true,
-        "bundle_id": "generated_bundle_id",
-        "hit_count": 1
-    }
+        None
+
+    Arguments:
+        None
+
+    Data Block:
+        {
+            ...Sentinel XDR incident JSON...
+        }
+
+    Headers:
+        Authorization: API in the format "Basic <key>"
+
+    Result Example (201 Created):
+        {
+            "success": True,
+            "bundle_hit_id": "howler-bundle-id",
+            "bundle_id": "sentinel-incident-id",
+            "individual_hit_ids": ["alert-hit-id-1", "alert-hit-id-2"],
+            "total_hits_created": 3,
+            "bundle_size": 2,
+            "organization": "Acme Corporation"
+        }
+
+    Result Example (200 OK, update):
+        {
+            "success": True,
+            "bundle_hit_id": "howler-bundle-id",
+            "bundle_id": "sentinel-incident-id",
+            "individual_hit_ids": ["alert-hit-id-1", "alert-hit-id-2"],
+            "total_hits_updated": 3,
+            "bundle_size": 2,
+            "organization": "Acme Corporation",
+            "updated": True
+        }
+
+    Error Codes:
+        400 - Bad request (e.g., missing JSON)
+        401 - Unauthorized (invalid API key)
+        500 - Internal server error
+
+    Description:
+        Receives a Microsoft Sentinel XDR incident as JSON, maps it to Howler format, and creates or updates a bundle
+        and its underlying alerts in Howler. Returns details about the created or updated bundle and alerts.
     """
-    # TODO this endpoint need to be refactored to make it more readable and maintainable
+    from sentinel.config import config
+
+    # API Key authentication
     apikey = request.headers.get("Authorization", "Basic ", type=str).split(" ")[1]
 
-    if not apikey or apikey != SECRET:
+    link_key = config.auth.link_key
+
+    if not apikey or apikey != link_key:
         return unauthorized(err="API Key does not match expected value.")
 
     logger.info("Received authorization header with value %s", re.sub(r"^(.{3}).+(.{3})$", r"\1...\2", apikey))
@@ -61,139 +86,175 @@ def ingest_xdr_incident(**kwargs) -> tuple[dict[str, Any], int]:  # noqa C901
     if not xdr_incident:
         return bad_request(err="No JSON data provided in request body")
 
-    logger.info("XDR Incident received")
-
     try:
+        # TODO needs to be replaced with actual tenant mapping logic
         tenant_mapping = {"020cd98f-1002-45b7-90ff-69fc68bdd027": "Acme Corporation"}
-
         incident_mapper = SentinelIncident(tid_mapping=tenant_mapping)
         bundle_hit = incident_mapper.map_incident_to_bundle(xdr_incident)
-
         if bundle_hit is None:
-            return bad_request(err="Failed to map XDR incident to Howler bundle format")
+            return internal_error(err="Failed to map XDR incident to Howler bundle format")
 
         sentinel_id = xdr_incident.get("id")
         if sentinel_id:
             existing_bundles = datastore().hit.search(f"sentinel.id:{sentinel_id}", as_obj=True)["items"]
             if existing_bundles:
-                existing_bundle = existing_bundles[0]
-                new_status = xdr_incident.get("status")
-                if new_status:
-                    existing_bundle.howler.status = incident_mapper.map_sentinel_status_to_howler(new_status)
-                    datastore().hit.save(existing_bundle.howler.id, existing_bundle)
-                for child_id in getattr(existing_bundle.howler, "hits", []):
-                    child_hit = datastore().hit.get(child_id, as_obj=True)
-                    if child_hit:
-                        child_hit.howler.status = incident_mapper.map_sentinel_status_to_howler(new_status)
-                        datastore().hit.save(child_id, child_hit)
-                datastore().hit.commit()
-                logger.info("Updated status for existing bundle %s and its child hits", existing_bundle.howler.id)
-                return ok(
-                    {
-                        "success": True,
-                        "bundle_hit_id": existing_bundle.howler.id,
-                        "bundle_id": existing_bundle.sentinel.id if hasattr(existing_bundle, "sentinel") else None,
-                        "individual_hit_ids": getattr(existing_bundle.howler, "hits", []),
-                        "total_hits_updated": 1 + len(getattr(existing_bundle.howler, "hits", [])),
-                        "bundle_size": len(getattr(existing_bundle.howler, "hits", [])),
-                        "organization": getattr(existing_bundle, "organization", {}).get("name", ""),
-                        "updated": True,
-                    }
-                )
-
-        logger.info("Successfully mapped XDR incident to bundle")
-
-        alerts = xdr_incident.get("alerts", [])
-        tenant_id = xdr_incident.get("tenantId", "")
-
-        alert_mapper = XDRAlert(tid_mapping=tenant_mapping)
-
-        # Create individual hits from alerts first
-        child_hit_ids = []
-
-        for i, alert in enumerate(alerts):
-            try:
-                mapped_hit = alert_mapper.map_alert(alert, tenant_id)
-                if mapped_hit:
-                    alert_hit_odm, _ = hit_service.convert_hit(mapped_hit, unique=True, ignore_extra_values=True)
-
-                    if alert_hit_odm.event is not None:
-                        alert_hit_odm.event.id = alert_hit_odm.howler.id
-
-                    logger.info("Creating individual alert hit %s with ID %s", i, alert_hit_odm.howler.id)
-                    hit_service.create_hit(alert_hit_odm.howler.id, alert_hit_odm, user="system")
-                    analytic_service.save_from_hit(alert_hit_odm, {"uname": "system"})
-
-                    child_hit_ids.append(alert_hit_odm.howler.id)
-                    logger.debug("Successfully created alert hit %s: %s", i, alert_hit_odm.howler.id)
-                else:
-                    logger.warning("Alert mapper returned None for alert %s: %s", i, alert.get("id", "unknown"))
-            except Exception:
-                logger.exception("Failed to create individual alert hit %s", i)
-                continue
+                return _update_existing_incident(existing_bundles[0], xdr_incident, incident_mapper)
 
-        try:
-            bundle_odm, _ = hit_service.convert_hit(bundle_hit, unique=True)
-            bundle_odm.howler.is_bundle = True
+        return _create_new_incident(bundle_hit, xdr_incident, tenant_mapping)
 
-            if not hasattr(bundle_odm.howler, "hits") or not isinstance(bundle_odm.howler.hits, list):
-                bundle_odm.howler.hits = []
-            for hit_id in child_hit_ids:
-                if hit_id not in bundle_odm.howler.hits:
-                    bundle_odm.howler.hits.append(hit_id)
-
-            if len(bundle_odm.howler.hits) < 1:
-                # TODO figure out how to handle incidens without alerts
-                logger.info("No valid child hits were created from the XDR incident alerts")
-                return ok("Incident contains no valid alerts to create hits from")
-
-            bundle_odm.howler.bundle_size = len(bundle_odm.howler.hits)
-
-            if bundle_odm.event is not None:
-                bundle_odm.event.id = bundle_odm.howler.id
+    except HowlerException as e:
+        logger.exception("Failed to process XDR incident")
+        return internal_error(err=f"Failed to process XDR incident: {str(e)}")
+    except Exception as e:
+        logger.exception("Unexpected error during XDR incident ingestion")
+        return internal_error(err=f"Internal error occurred during ingestion: {str(e)}")
 
-            logger.info("Creating bundle hit with ID %s", bundle_odm.howler.id)
-            hit_service.create_hit(bundle_odm.howler.id, bundle_odm, user="system")
-            analytic_service.save_from_hit(bundle_odm, {"uname": "system"})
 
-            # Link child hits to bundle (same as create_bundle)
-            for hit_id in bundle_odm.howler.hits:
-                child_hit = hit_service.get_hit(hit_id, as_odm=True)
+def _update_existing_incident(
+    existing_bundle: Any, xdr_incident: dict[str, Any], incident_mapper: SentinelIncident
+) -> tuple[dict[str, Any], int]:
+    """Update an existing incident and its underlying alerts in Howler.
 
-                if child_hit.howler.is_bundle:
-                    logger.warning("Child hit %s is a bundle - skipping bundle assignment", child_hit.howler.id)
-                    continue
+    Args:
+        existing_bundle: The existing Howler bundle object.
+        xdr_incident: The incoming XDR incident data.
+        incident_mapper: The incident mapper instance.
 
-                new_bundle_list = child_hit.howler.get("bundles", [])
-                new_bundle_list.append(bundle_odm.howler.id)
-                child_hit.howler.bundles = new_bundle_list
-                datastore().hit.save(child_hit.howler.id, child_hit)
+    Returns:
+        Tuple containing response dictionary and HTTP status code.
+    """
+    new_status = xdr_incident.get("status")
+    if new_status:
+        existing_bundle.howler.status = incident_mapper.map_sentinel_status_to_howler(new_status)
+        datastore().hit.save(existing_bundle.howler.id, existing_bundle)
+    for child_id in getattr(existing_bundle.howler, "hits", []):
+        child_hit = datastore().hit.get(child_id, as_obj=True)
+        if child_hit:
+            child_hit.howler.status = incident_mapper.map_sentinel_status_to_howler(new_status)
+            datastore().hit.save(child_id, child_hit)
+    datastore().hit.commit()
+    logger.info("Updated status for existing bundle %s and its child hits", existing_bundle.howler.id)
+    return ok(
+        {
+            "success": True,
+            "bundle_hit_id": existing_bundle.howler.id,
+            "bundle_id": existing_bundle.sentinel.id if hasattr(existing_bundle, "sentinel") else None,
+            "individual_hit_ids": getattr(existing_bundle.howler, "hits", []),
+            "total_hits_updated": 1 + len(getattr(existing_bundle.howler, "hits", [])),
+            "bundle_size": len(getattr(existing_bundle.howler, "hits", [])),
+            "organization": getattr(existing_bundle, "organization", {}).get("name", ""),
+            "updated": True,
+        }
+    )
+
+
+def _create_alert_hits(alerts: list[dict[str, Any]], tenant_id: str, alert_mapper: XDRAlert) -> list[str]:
+    """Create alert hits from the provided alerts and return their IDs.
+
+    Args:
+        alerts: List of alert dictionaries.
+        tenant_id: The tenant ID string.
+        alert_mapper: The alert mapper instance.
+
+    Returns:
+        List of created alert hit IDs.
+    """
+    child_hit_ids = []
+    for i, alert in enumerate(alerts):
+        try:
+            mapped_hit = alert_mapper.map_alert(alert, tenant_id)
+            if mapped_hit:
+                alert_hit_odm, _ = hit_service.convert_hit(mapped_hit, unique=True, ignore_extra_values=True)
+                if alert_hit_odm.event is not None:
+                    alert_hit_odm.event.id = alert_hit_odm.howler.id
+                logger.info("Creating individual alert hit %s with ID %s", i, alert_hit_odm.howler.id)
+                hit_service.create_hit(alert_hit_odm.howler.id, alert_hit_odm, user="system")
+                analytic_service.save_from_hit(alert_hit_odm, {"uname": "system"})
+                child_hit_ids.append(alert_hit_odm.howler.id)
+                logger.debug("Successfully created alert hit %s: %s", i, alert_hit_odm.howler.id)
+            else:
+                logger.warning("Alert mapper returned None for alert %s: %s", i, alert.get("id", "unknown"))
+        except Exception:
+            logger.exception("Failed to create individual alert hit %s", i)
+            continue
+    return child_hit_ids
+
+
+def _link_child_hits_to_bundle(bundle_odm: Any, child_hit_ids: list[str]) -> None:
+    """Link child hits to the bundle and update their bundle references.
+
+    Args:
+        bundle_odm: The bundle ODM object.
+        child_hit_ids: List of child hit IDs to link.
+    """
+    for hit_id in bundle_odm.howler.hits:
+        child_hit = hit_service.get_hit(hit_id, as_odm=True)
 
-            datastore().hit.commit()
-            action_service.bulk_execute_on_query(f"howler.id:{bundle_odm.howler.id}", user={"uname": "system"})
+        if child_hit.howler.is_bundle:
+            logger.warning("Child hit %s is a bundle - skipping bundle assignment", child_hit.howler.id)
+            continue
 
-            logger.info("Successfully completed XDR incident ingestion")
+        new_bundle_list = child_hit.howler.get("bundles", [])
+        new_bundle_list.append(bundle_odm.howler.id)
+        child_hit.howler.bundles = new_bundle_list
+        datastore().hit.save(child_hit.howler.id, child_hit)
 
-            response_body = {
-                "success": True,
-                "bundle_hit_id": bundle_odm.howler.id,
-                "bundle_id": bundle_hit["howler"].get("xdr.incident.id"),
-                "individual_hit_ids": child_hit_ids,
-                "total_hits_created": len(child_hit_ids) + 1,
-                "bundle_size": len(child_hit_ids),
-                "organization": bundle_hit["organization"]["name"],
-            }
 
-            return created(response_body)
+def _create_new_incident(
+    bundle_hit: dict[str, Any], xdr_incident: dict[str, Any], tenant_mapping: dict[str, str]
+) -> tuple[dict[str, Any], int]:
+    """Create a new incident bundle and its underlying alerts in Howler.
 
-        except HowlerException as e:
-            logger.exception("Failed to create bundle")
-            return bad_request(err=f"Failed to create bundle: {str(e)}")
+    Args:
+        bundle_hit: The mapped Howler bundle data.
+        xdr_incident: The incoming XDR incident data.
+        tenant_mapping: The tenant mapping dictionary.
 
+    Returns:
+        Tuple containing response dictionary and HTTP status code.
+    """
+    alerts = xdr_incident.get("alerts", [])
+    tenant_id = xdr_incident.get("tenantId", "")
+    alert_mapper = XDRAlert(tid_mapping=tenant_mapping)
+    child_hit_ids = _create_alert_hits(alerts, tenant_id, alert_mapper)
+    try:
+        bundle_odm, _ = hit_service.convert_hit(bundle_hit, unique=True)
+        # If there are no alerts, do not treat as bundle
+        if child_hit_ids:
+            bundle_odm.howler.is_bundle = True
+            if not hasattr(bundle_odm.howler, "hits") or not isinstance(bundle_odm.howler.hits, list):
+                bundle_odm.howler.hits = []
+            for hit_id in child_hit_ids:
+                if hit_id not in bundle_odm.howler.hits:
+                    bundle_odm.howler.hits.append(hit_id)
+            bundle_odm.howler.bundle_size = len(bundle_odm.howler.hits)
+        else:
+            bundle_odm.howler.is_bundle = False
+            bundle_odm.howler.hits = []
+            bundle_odm.howler.bundle_size = 0
+
+        if bundle_odm.event is not None:
+            bundle_odm.event.id = bundle_odm.howler.id
+
+        logger.info("Creating incident hit with ID %s", bundle_odm.howler.id)
+        hit_service.create_hit(bundle_odm.howler.id, bundle_odm, user="system")
+        analytic_service.save_from_hit(bundle_odm, {"uname": "system"})
+        if child_hit_ids:
+            _link_child_hits_to_bundle(bundle_odm, child_hit_ids)
+        datastore().hit.commit()
+        if child_hit_ids:
+            action_service.bulk_execute_on_query(f"howler.id:{bundle_odm.howler.id}", user={"uname": "system"})
+        logger.info("Successfully completed XDR incident ingestion")
+        response_body = {
+            "success": True,
+            "bundle_hit_id": bundle_odm.howler.id,
+            "bundle_id": bundle_hit["howler"].get("xdr.incident.id"),
+            "individual_hit_ids": child_hit_ids,
+            "total_hits_created": len(child_hit_ids) + 1,
+            "bundle_size": len(child_hit_ids),
+            "organization": bundle_hit["organization"]["name"],
+        }
+        return created(response_body)
     except HowlerException as e:
-        logger.exception("Failed to process XDR incident")
-        return bad_request(err=f"Failed to process XDR incident: {str(e)}")
-
-    except Exception as e:
-        logger.exception("Unexpected error during XDR incident ingestion")
-        return bad_request(err=f"Internal error occurred during ingestion: {str(e)}")
+        logger.exception("Failed to create bundle")
+        return internal_error(err=f"Failed to create bundle: {str(e)}")

sentinel/utils/tenant_utils.py

@@ -1,5 +1,5 @@
-import json
-import os
+import sys
+from typing import Optional
 
 import requests
 from howler.common.exceptions import HowlerRuntimeError
@@ -9,32 +9,48 @@ from howler.config import cache
 logger = get_logger(__file__)
 
 
-@cache.memoize(15 * 60)
-def get_token(tenant_id: str, scope: str) -> tuple[str, dict[str, str]]:
+def skip_cache(*args):
+    "Function to skip cache in testing mode"
+    return "pytest" in sys.modules
+
+
+@cache.memoize(15 * 60, unless=skip_cache)
+def get_token(tenant_id: str, scope: str) -> Optional[str]:
     """Get a borealis token based on the current howler token"""
-    # Get bearer token
-    try:
-        credentials = json.loads(os.environ["HOWLER_SENTINEL_INGEST_CREDENTIALS"])
-    except (KeyError, json.JSONDecodeError):
-        raise HowlerRuntimeError("Credential data not configured.")
-
-    logger.info("Generating client credential token for client id %s with scope %s", credentials["client_id"], scope)
-
-    token_request_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
-    response = requests.post(
-        token_request_url,
-        data={
-            "grant_type": "client_credentials",
-            "client_id": credentials["client_id"],
-            "client_secret": credentials["client_secret"],
-            "scope": scope,
-        },
-        timeout=5.0,
-    )
-
-    if not response.ok:
-        raise HowlerRuntimeError(f"Authentication to Azure Monitor API failed with status code {response.status_code}.")
-
-    token = response.json()["access_token"]
-
-    return token, credentials
+    from sentinel.config import config
+
+    token = None
+
+    if config.auth.client_credentials:
+        logger.info(
+            "Using client_credentials flow for client id %s with scope %s",
+            config.auth.client_credentials.client_id,
+            scope,
+        )
+
+        token_request_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
+        response = requests.post(
+            token_request_url,
+            data={
+                "grant_type": "client_credentials",
+                "client_id": config.auth.client_credentials.client_id,
+                "client_secret": config.auth.client_credentials.client_secret,
+                "scope": scope,
+            },
+            timeout=5.0,
+        )
+
+        if not response.ok:
+            raise HowlerRuntimeError(
+                "Authentication to Azure Monitor API using client_credentials flow failed with status code"
+                f" {response.status_code}. Response:\n{response.text}"
+            )
+
+        token = response.json()["access_token"]
+    elif config.auth.custom_auth:
+        token = config.auth.custom_auth(tenant_id, scope)
+
+    if not token:
+        logger.warning("No access token received")
+
+    return token

howler_sentinel_plugin-0.2.0.dev113.dist-info/RECORD

@@ -1,18 +0,0 @@
-sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sentinel/actions/azure_emit_hash.py,sha256=ES9u3iIkm18qcwVT7-f3r8K5d-haCnjSTC7cyOKxH7A,4000
-sentinel/actions/send_to_sentinel.py,sha256=RRmUSiPDKr7oQjA4f-iSGjEtziUQH77O2s-578pb1Uc,4022
-sentinel/actions/update_defender_xdr_alert.py,sha256=bHBHEZwAAT1pHTF2L4JK5gttzguq12NdV58fx0tj4dQ,6799
-sentinel/actions/update_defender_xdr_incident.py,sha256=HjvK8yTDafYePY5LoMkYat_cFUHnFWK3tzpCfAO3JNE,6854
-sentinel/mapping/sentinel_incident.py,sha256=U7fIh8N4Jdr1A4z1E0jPRP28Ll0Cq7u9Q6292AnyRDI,9548
-sentinel/mapping/xdr_alert.py,sha256=UPoqdZsjUXmJz0dCf_qMlh9Jr0D2HcSNOFvbg8lE4wY,18250
-sentinel/mapping/xdr_alert_evidence.py,sha256=iMn9Wd5NB7Wi9l0Fl0vmJhugX8L6hAO9jYA9AtLLX2o,31429
-sentinel/odm/hit.py,sha256=hAuO2ONMK3Ml8Xu6E7tHrmZ7M6HG5tT38RD9ZxwY254,666
-sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKBIc,337
-sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
-sentinel/routes/ingest.py,sha256=c7GtZakMizDaubXDm_qtw4SXLJyvsHoMheADTIjIiTY,8821
-sentinel/utils/tenant_utils.py,sha256=nGOCbLzUx9OyATLAZ5UbW0WNao_1ioW4wL-htn2ltKU,1324
-howler_sentinel_plugin-0.2.0.dev113.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
-howler_sentinel_plugin-0.2.0.dev113.dist-info/METADATA,sha256=21QcysnK4MtoG5BZ9VBzUYcQA5hAOrDYpmArynPt9HA,749
-howler_sentinel_plugin-0.2.0.dev113.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-howler_sentinel_plugin-0.2.0.dev113.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
-howler_sentinel_plugin-0.2.0.dev113.dist-info/RECORD,,