howler-sentinel-plugin 0.2.0.dev92__py3-none-any.whl → 0.2.0.dev96__py3-none-any.whl

{howler_sentinel_plugin-0.2.0.dev92.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev92
+Version: 0.2.0.dev96
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev92.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/RECORD

@@ -1,7 +1,8 @@
 sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 sentinel/actions/ingestion.py,sha256=_t7wrmozhoT_MmktDmNxYiXrA1Q0LCiDt0rTwHBkwbc,1669
-sentinel/actions/send_to_sentinel.py,sha256=qxYPHqsA2jbEiQG1qJdnIVQkdvxlL1gyPXNmOUVYnmk,3280
+sentinel/actions/send_to_sentinel.py,sha256=REclVHxuG0Q5PIXZ-13crQhoz8BmJJJyTc6suzpq0m0,3227
 sentinel/actions/synchronization.py,sha256=g5c34410zINWb4fSEzj94drnk5alRj_ju9xMrB39z0s,1818
+sentinel/actions/update_defender_xdr_alert.py,sha256=hlCG2d2X19Zhtm1KGAqNHLG9a4yO53GZebRp--07D7c,6408
 sentinel/mapping/sentinel_incident.py,sha256=3QBnP6qFpJgE3pHvx5VvFnB3m2TVOoWxs8OysDlJVV8,9547
 sentinel/mapping/xdr_alert.py,sha256=UPoqdZsjUXmJz0dCf_qMlh9Jr0D2HcSNOFvbg8lE4wY,18250
 sentinel/mapping/xdr_alert_evidence.py,sha256=q622G4eZwFR3TCj418ZCpE83DGVicrWIQZo8Gkj_3FM,31323
@@ -10,8 +11,8 @@ sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKB
 sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
 sentinel/routes/ingest.py,sha256=_9OdOw_9nBJseKIBnmHDLjnqZ_bDdM4wfLpLrek4-ak,7018
 sentinel/utils/tenant_utils.py,sha256=W7kBtxYNhs3vcgMf78eIRqiTpDtqjzEI2H2d0papQ_Q,1224
-howler_sentinel_plugin-0.2.0.dev92.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
-howler_sentinel_plugin-0.2.0.dev92.dist-info/METADATA,sha256=JxB76pRL1VAh9GWtDRhdo3ls9xtATvSwzpeU7vWubzU,748
-howler_sentinel_plugin-0.2.0.dev92.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-howler_sentinel_plugin-0.2.0.dev92.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
-howler_sentinel_plugin-0.2.0.dev92.dist-info/RECORD,,
+howler_sentinel_plugin-0.2.0.dev96.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
+howler_sentinel_plugin-0.2.0.dev96.dist-info/METADATA,sha256=rLIqpGiyGrs750JTWKDjpoDIesH3zh9i495TjeOwoZs,748
+howler_sentinel_plugin-0.2.0.dev96.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+howler_sentinel_plugin-0.2.0.dev96.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
+howler_sentinel_plugin-0.2.0.dev96.dist-info/RECORD,,

sentinel/actions/send_to_sentinel.py

@@ -92,7 +92,6 @@ def specification():
         "id": OPERATION_ID,
         "title": "Send hit to Microsoft Sentinel",
         "priority": 8,
-        "i18nKey": "Send hit to Microsoft Sentinel",
         "description": {
             "short": "Send hit to Microsoft Sentinel",
             "long": execute.__doc__,

sentinel/actions/update_defender_xdr_alert.py

@@ -0,0 +1,184 @@
+import requests
+from howler.common.exceptions import HowlerRuntimeError
+from howler.common.loader import datastore
+from howler.common.logging import get_logger
+from howler.odm.models.action import VALID_TRIGGERS
+from howler.odm.models.hit import Hit
+from howler.odm.models.howler_data import Assessment, HitStatus
+
+from sentinel.utils.tenant_utils import get_token
+
+logger = get_logger(__file__)
+
+OPERATION_ID = "update_defender_xdr_alert"
+
+properties_map = {
+    "graph": {
+        "status": {
+            HitStatus.OPEN: "new",
+            HitStatus.IN_PROGRESS: "inProgress",
+            HitStatus.ON_HOLD: "inProgress",
+            HitStatus.RESOLVED: "resolved",
+        },
+        "classification": {
+            Assessment.AMBIGUOUS: "unknown",
+            Assessment.SECURITY: "informationalExpectedActivity",
+            Assessment.DEVELOPMENT: "informationalExpectedActivity",
+            Assessment.FALSE_POSITIVE: "falsePositive",
+            Assessment.LEGITIMATE: "informationalExpectedActivity",
+            Assessment.TRIVIAL: "falsePositive",
+            Assessment.RECON: "truePositive",
+            Assessment.ATTEMPT: "truePositive",
+            Assessment.COMPROMISE: "truePositive",
+            Assessment.MITIGATED: "truePositive",
+            None: "unknown",
+        },
+        "determination": {
+            Assessment.AMBIGUOUS: "unknown",
+            Assessment.SECURITY: "securityTesting",
+            Assessment.DEVELOPMENT: "confirmedUserActivity",
+            Assessment.FALSE_POSITIVE: "other",
+            Assessment.LEGITIMATE: "lineOfBusinessApplication",
+            Assessment.TRIVIAL: "other",
+            Assessment.RECON: "multiStagedAttack",
+            Assessment.ATTEMPT: "other",
+            Assessment.COMPROMISE: "maliciousUserActivity",
+            Assessment.MITIGATED: "other",
+            None: "unknown",
+        },
+    },
+}
+
+
+def execute(query: str, **kwargs):
+    """Update Microsoft Defender XDR alert.
+
+    Args:
+        query (str): The query on which to apply this automation.
+    """
+    report = []
+    ds = datastore()
+
+    hits: list[Hit] = ds.hit.search(query, as_obj=True)["items"]
+
+    if not hits:
+        report.append(
+            {
+                "query": query,
+                "outcome": "error",
+                "title": "No hits returned by query",
+                "message": f"No hits returned by '{query}'",
+            }
+        )
+        return report
+
+    for hit in hits:
+        tenant_id = hit.azure.tenant_id
+        if not tenant_id and hit.organization.id:
+            tenant_id = hit.organization.id
+        elif not tenant_id:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "skipped",
+                    "title": "Azure Tenant ID is missing",
+                    "message": "This alert does not have a set tenant ID.",
+                }
+            )
+            continue
+
+        try:
+            token = get_token(hit.azure.tenant_id)[0]
+        except HowlerRuntimeError as err:
+            logger.exception("Error on token fetching")
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Invalid Credentials",
+                    "message": err.message,
+                }
+            )
+            continue
+
+        # Fetch alert details
+        alert_url = f"https://graph.microsoft.com/v1.0/security/alerts_v2/{hit.rule.id}"
+        response = requests.get(alert_url, headers={"Authorization": f"Bearer {token}"}, timeout=5.0)
+        if not response.ok:
+            logger.warning("GET request to Microsoft Graph failed with status code %s.", response.status_code)
+            report.append(
+                {
+                    "query": query,
+                    "outcome": "error",
+                    "title": "Microsoft Graph API request failed",
+                    "message": f"GET request to Microsoft Graph failed with status code {response.status_code}.",
+                }
+            )
+            continue
+
+        alert_data = response.json()
+
+        # Update alert
+        if (
+            "assessment" in hit.howler
+            and hit.howler.assessment in properties_map["graph"]["classification"]
+            and hit.howler.assessment in properties_map["graph"]["determination"]
+        ):
+            classification = properties_map["graph"]["classification"][hit.howler.assessment]
+            determination = properties_map["graph"]["determination"][hit.howler.assessment]
+        else:
+            classification = alert_data["classification"]
+            determination = alert_data["determination"]
+
+        status = properties_map["graph"]["status"][hit.howler.status]
+        assigned_to = alert_data["assignedTo"]
+
+        data = {
+            "assignedTo": assigned_to,
+            "classification": classification,
+            "determination": determination,
+            "status": status,
+        }
+
+        response = requests.patch(
+            alert_url,
+            json=data,
+            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
+            timeout=5.0,
+        )
+        if not response.ok:
+            report.append(
+                {
+                    "query": query,
+                    "outcome": "error",
+                    "title": "Microsoft Graph API request failed",
+                    "message": f"PATCH request to Microsoft Graph failed with status code {response.status_code}.",
+                }
+            )
+
+        report.append(
+            {
+                "query": f"howler.id:{hit.howler.id}",
+                "outcome": "success",
+                "title": "Alert updated in XDR Defender",
+                "message": "Howler has successfuly propagated changes to this alert to XDR Defender.",
+            }
+        )
+
+    return report
+
+
+def specification():
+    "Update Defender action specification"
+    return {
+        "id": OPERATION_ID,
+        "title": "Update Microsoft Defender XDR alert",
+        "priority": 8,
+        "description": {
+            "short": "Update Microsoft Defender XDR alert",
+            "long": execute.__doc__,
+        },
+        "roles": ["automation_basic"],
+        "steps": [{"args": {}, "options": {}, "validation": {}}],
+        "triggers": VALID_TRIGGERS,
+    }