PyPI - howler-sentinel-plugin - Versions diffs - 0.2.0.dev31__py3-none-any.whl → 0.2.0.dev87__py3-none-any.whl - Mend

howler-sentinel-plugin 0.2.0.dev31py3-none-any.whl → 0.2.0.dev87py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

sentinel/routes/ingest.py CHANGED Viewed

@@ -1,42 +1,171 @@
 import os
 import re
+from typing import Any
 from flask import request
-from howler.api import make_subapi_blueprint, ok, unauthorized
+from howler.api import bad_request, created, make_subapi_blueprint, unauthorized
+from howler.common.exceptions import HowlerException
+from howler.common.loader import datastore
 from howler.common.logging import get_logger
 from howler.common.swagger import generate_swagger_docs
+from howler.services import action_service, analytic_service, hit_service
+from ..mapping.sentinel_incident import SentinelIncident
+from ..mapping.xdr_alert import XDRAlert
 SUB_API = "sentinel"
 sentinel_api = make_subapi_blueprint(SUB_API, api_version=1)
-sentinel_api._doc = "Interact with spellbook"
+sentinel_api._doc = "Ingest Microsoft Sentinel XDR incidents into Howler"
 logger = get_logger(__file__)
-SECRET = os.environ["SENTINEL_LINK_KEY"]
+# For testing purposes, replace with actual secret in production
+SECRET = os.environ.get("SENTINEL_LINK_KEY", "abcdefghijklmnopqrstuvwxyz1234567890")
+if SECRET.startswith("abcdef"):
+    logger.warning("Default secret used!")
 @generate_swagger_docs()
 @sentinel_api.route("/ingest", methods=["POST"])
-def ingest_alert(**kwargs):
-    """Ingest a sentinel alert into howler
+def ingest_xdr_incident(**kwargs) -> tuple[dict[str, Any], int]:  # noqa C901
+    """Ingest a Microsoft Sentinel XDR incident into Howler.
+    This endpoint receives an XDR incident as JSON, maps it to Howler format using XDRIncidentMapper,
+    and creates a bundle following the same pattern as the create_bundle endpoint.
+    Uses API key authentication via Authorization header.
     Variables:
     None
-    Optional Arguments:
-    None
+    Data Body:
+    XDR incident JSON data to be ingested
     Result Example:
+    {
+        "success": true,
+        "bundle_id": "generated_bundle_id",
+        "hit_count": 1
+    }
     """
+    # API Key authentication
     apikey = request.headers.get("Authorization", "Basic ", type=str).split(" ")[1]
     if not apikey or apikey != SECRET:
         return unauthorized(err="API Key does not match expected value.")
-    logger.info("Recieved authorization header with value %s", re.sub(r"^(.{3}).+(.{3})$", r"\1...\2", apikey))
+    logger.info("Received authorization header with value %s", re.sub(r"^(.{3}).+(.{3})$", r"\1...\2", apikey))
+    # Validate JSON payload
+    xdr_incident = request.json
+    if not xdr_incident:
+        return bad_request(err="No JSON data provided in request body")
+    logger.info("XDR Incident received")
+    try:
+        # Configure tenant mapping for both mappers
+        tenant_mapping = {"020cd98f-1002-45b7-90ff-69fc68bdd027": "Acme Corporation"}
+        incident_mapper = SentinelIncident(tid_mapping=tenant_mapping)
+        bundle_hit = incident_mapper.map_incident_to_bundle(xdr_incident)
+        if bundle_hit is None:
+            return bad_request(err="Failed to map XDR incident to Howler bundle format")
+        logger.info("Successfully mapped XDR incident to bundle")
+        alerts = xdr_incident.get("alerts", [])
+        tenant_id = xdr_incident.get("tenantId", "")
+        alert_mapper = XDRAlert(tid_mapping=tenant_mapping)
+        # Create individual hits from alerts first
+        child_hit_ids = []
+        for i, alert in enumerate(alerts):
+            try:
+                mapped_hit = alert_mapper.map_alert(alert, tenant_id)
+                if mapped_hit:
+                    alert_hit_odm, _ = hit_service.convert_hit(mapped_hit, unique=True, ignore_extra_values=True)
+                    if alert_hit_odm.event is not None:
+                        alert_hit_odm.event.id = alert_hit_odm.howler.id
+                    logger.info("Creating individual alert hit %s with ID %s", i, alert_hit_odm.howler.id)
+                    hit_service.create_hit(alert_hit_odm.howler.id, alert_hit_odm, user="system")
+                    analytic_service.save_from_hit(alert_hit_odm, {"uname": "system"})
+                    child_hit_ids.append(alert_hit_odm.howler.id)
+                    logger.debug("Successfully created alert hit %s: %s", i, alert_hit_odm.howler.id)
+                else:
+                    logger.warning("Alert mapper returned None for alert %s: %s", i, alert.get("id", "unknown"))
+            except Exception:
+                logger.exception("Failed to create individual alert hit %s", i)
+                continue
+        try:
+            bundle_odm, _ = hit_service.convert_hit(bundle_hit, unique=True)
+            bundle_odm.howler.is_bundle = True
+            if not hasattr(bundle_odm.howler, "hits") or not isinstance(bundle_odm.howler.hits, list):
+                bundle_odm.howler.hits = []
+            for hit_id in child_hit_ids:
+                if hit_id not in bundle_odm.howler.hits:
+                    bundle_odm.howler.hits.append(hit_id)
+            if len(bundle_odm.howler.hits) < 1:
+                logger.error("No valid child hits were created from the XDR incident alerts")
+                return bad_request(err="No valid child hits were created from the XDR incident alerts.")
+            bundle_odm.howler.bundle_size = len(bundle_odm.howler.hits)
+            if bundle_odm.event is not None:
+                bundle_odm.event.id = bundle_odm.howler.id
+            logger.info("Creating bundle hit with ID %s", bundle_odm.howler.id)
+            hit_service.create_hit(bundle_odm.howler.id, bundle_odm, user="system")
+            analytic_service.save_from_hit(bundle_odm, {"uname": "system"})
+            # Link child hits to bundle (same as create_bundle)
+            for hit_id in bundle_odm.howler.hits:
+                child_hit = hit_service.get_hit(hit_id, as_odm=True)
+                if child_hit.howler.is_bundle:
+                    logger.warning("Child hit %s is a bundle - skipping bundle assignment", child_hit.howler.id)
+                    continue
+                new_bundle_list = child_hit.howler.get("bundles", [])
+                new_bundle_list.append(bundle_odm.howler.id)
+                child_hit.howler.bundles = new_bundle_list
+                datastore().hit.save(child_hit.howler.id, child_hit)
+            datastore().hit.commit()
+            action_service.bulk_execute_on_query(f"howler.id:{bundle_odm.howler.id}", user={"uname": "system"})
+            logger.info("Successfully completed XDR incident ingestion")
+            response_body = {
+                "success": True,
+                "bundle_hit_id": bundle_odm.howler.id,
+                "bundle_id": bundle_hit["howler"].get("xdr.incident.id"),
+                "individual_hit_ids": child_hit_ids,
+                "total_hits_created": len(child_hit_ids) + 1,  # +1 for the bundle itself
+                "bundle_size": len(child_hit_ids),
+                "organization": bundle_hit["organization"]["name"],
+            }
+            return created(response_body)
-    sentinel_alert = request.json
+        except HowlerException as e:
+            logger.exception("Failed to create bundle")
+            return bad_request(err=f"Failed to create bundle: {str(e)}")
-    logger.info("Sentinel Alert:\n%s", sentinel_alert)
+    except HowlerException as e:
+        logger.exception("Failed to process XDR incident")
+        return bad_request(err=f"Failed to process XDR incident: {str(e)}")
-    return ok()
+    except Exception as e:
+        logger.exception("Unexpected error during XDR incident ingestion")
+        return bad_request(err=f"Internal error occurred during ingestion: {str(e)}")

howler_sentinel_plugin-0.2.0.dev31.dist-info/RECORD DELETED Viewed

@@ -1,12 +0,0 @@
-sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sentinel/actions/ingestion.py,sha256=_t7wrmozhoT_MmktDmNxYiXrA1Q0LCiDt0rTwHBkwbc,1669
-sentinel/actions/synchronization.py,sha256=g5c34410zINWb4fSEzj94drnk5alRj_ju9xMrB39z0s,1818
-sentinel/odm/hit.py,sha256=hAuO2ONMK3Ml8Xu6E7tHrmZ7M6HG5tT38RD9ZxwY254,666
-sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKBIc,337
-sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
-sentinel/routes/ingest.py,sha256=zcKQmLStIh1uU_kWO6KBgqr-ZBkAGcFwvXWBiwjOuC8,1067
-howler_sentinel_plugin-0.2.0.dev31.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
-howler_sentinel_plugin-0.2.0.dev31.dist-info/METADATA,sha256=ZYY3PQKPTdpwQc5x55fldX7rRx5EfTcSuEChFiDwfdo,694
-howler_sentinel_plugin-0.2.0.dev31.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-howler_sentinel_plugin-0.2.0.dev31.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
-howler_sentinel_plugin-0.2.0.dev31.dist-info/RECORD,,

{howler_sentinel_plugin-0.2.0.dev31.dist-info → howler_sentinel_plugin-0.2.0.dev87.dist-info}/LICENSE RENAMED Viewed

File without changes

{howler_sentinel_plugin-0.2.0.dev31.dist-info → howler_sentinel_plugin-0.2.0.dev87.dist-info}/WHEEL RENAMED Viewed

File without changes

{howler_sentinel_plugin-0.2.0.dev31.dist-info → howler_sentinel_plugin-0.2.0.dev87.dist-info}/entry_points.txt RENAMED Viewed

File without changes

howler-sentinel-plugin 0.2.0.dev31__py3-none-any.whl → 0.2.0.dev87__py3-none-any.whl

howler-sentinel-plugin 0.2.0.dev31py3-none-any.whl → 0.2.0.dev87py3-none-any.whl