PyPI - howler-sentinel-plugin - Versions diffs - 0.2.0.dev87__tar.gz → 0.2.0.dev92__tar.gz - Mend

howler-sentinel-plugin 0.2.0.dev87tar.gz → 0.2.0.dev92tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

{howler_sentinel_plugin-0.2.0.dev87 → howler_sentinel_plugin-0.2.0.dev92}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev87
+Version: 0.2.0.dev92
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev87 → howler_sentinel_plugin-0.2.0.dev92}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.dev87"
+version = "0.2.0.dev92"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }

howler_sentinel_plugin-0.2.0.dev92/sentinel/actions/send_to_sentinel.py ADDED Viewed

@@ -0,0 +1,103 @@
+import requests
+from howler.common.exceptions import HowlerRuntimeError
+from howler.common.loader import datastore
+from howler.common.logging import get_logger
+from howler.odm.models.action import VALID_TRIGGERS
+from howler.odm.models.hit import Hit
+from sentinel.utils.tenant_utils import get_token
+logger = get_logger(__file__)
+OPERATION_ID = "send_to_sentinel"
+def execute(query: str, **kwargs):
+    """Send hit to Microsoft Sentinel.
+    Args:
+        query (str): The query on which to apply this automation.
+    """
+    report = []
+    ds = datastore()
+    hits: list[Hit] = ds.hit.search(query, as_obj=True)["items"]
+    if not hits:
+        report.append(
+            {
+                "query": query,
+                "outcome": "error",
+                "title": "No hits returned by query",
+                "message": f"No hits returned by '{query}'",
+            }
+        )
+        return report
+    for hit in hits:
+        try:
+            token, credentials = get_token(hit.azure.tenant_id)
+        except HowlerRuntimeError as err:
+            logger.exception("Error on token fetching")
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Invalid Credentials",
+                    "message": err.message,
+                }
+            )
+            continue
+        uri = (
+            f"https://{credentials['dce']}.ingest.monitor.azure.com/dataCollectionRules/{credentials['dcr']}/"
+            + f"streams/{credentials['table']}?api-version=2021-11-01-preview"
+        )
+        payload = [
+            {
+                "TimeGenerated": hit.event.ingested.isoformat(),
+                "Title": hit.howler.analytic,
+                "RawData": {"Hit": hit.as_primitives(), "From": "Howler"},
+            }
+        ]
+        headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
+        response = requests.post(uri, headers=headers, json=payload, timeout=5.0)
+        if not response.ok:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Azure Monitor API request failed",
+                    "message": f"POST request to Azure Monitor failed with status code {response.status_code}.",
+                }
+            )
+            continue
+        report.append(
+            {
+                "query": f"howler.id:{hit.howler.id}",
+                "outcome": "success",
+                "title": "Alert updated in Sentinel",
+                "message": "Howler has successfuly propagated changes to this alert to Sentinel.",
+            }
+        )
+    return report
+def specification():
+    "Send to Sentinel action specification"
+    return {
+        "id": OPERATION_ID,
+        "title": "Send hit to Microsoft Sentinel",
+        "priority": 8,
+        "i18nKey": "Send hit to Microsoft Sentinel",
+        "description": {
+            "short": "Send hit to Microsoft Sentinel",
+            "long": execute.__doc__,
+        },
+        "roles": ["automation_basic"],
+        "steps": [{"args": {}, "options": {}, "validation": {}}],
+        "triggers": VALID_TRIGGERS,
+    }

howler_sentinel_plugin-0.2.0.dev92/sentinel/utils/tenant_utils.py ADDED Viewed

@@ -0,0 +1,38 @@
+import json
+import os
+import requests
+from howler.common.exceptions import HowlerRuntimeError
+from howler.common.logging import get_logger
+from howler.config import cache
+logger = get_logger(__file__)
+@cache.memoize(15 * 60)
+def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
+    """Get a borealis token based on the current howler token"""
+    # Get bearer token
+    try:
+        credentials = json.loads(os.environ["HOWLER_SENTINEL_INGEST_CREDENTIALS"])
+    except (KeyError, json.JSONDecodeError):
+        raise HowlerRuntimeError("Credential data not configured.")
+    token_request_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
+    response = requests.post(
+        token_request_url,
+        data={
+            "grant_type": "client_credentials",
+            "client_id": credentials["client_id"],
+            "client_secret": credentials["client_secret"],
+            "scope": "https://monitor.azure.com/.default",
+        },
+        timeout=5.0,
+    )
+    if not response.ok:
+        raise HowlerRuntimeError(f"Authentication to Azure Monitor API failed with status code {response.status_code}.")
+    token = response.json()["access_token"]
+    return token, credentials