howler-sentinel-plugin 0.2.0.dev95__py3-none-any.whl → 0.2.0.dev96__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. {howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/METADATA +1 -1
  2. {howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/RECORD +6 -6
  3. sentinel/actions/update_defender_xdr_alert.py +15 -23
  4. {howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/LICENSE +0 -0
  5. {howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/WHEEL +0 -0
  6. {howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/entry_points.txt +0 -0
{howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/METADATA RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.3
2
2
  Name: howler-sentinel-plugin
3
- Version: 0.2.0.dev95
3
+ Version: 0.2.0.dev96
4
4
  Summary: A howler plugin for integration with Microsoft's Sentinel API
5
5
  License: MIT
6
6
  Author: CCCS
{howler_sentinel_plugin-0.2.0.dev95.dist-info → howler_sentinel_plugin-0.2.0.dev96.dist-info}/RECORD RENAMED
@@ -2,7 +2,7 @@ sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
2
2
  sentinel/actions/ingestion.py,sha256=_t7wrmozhoT_MmktDmNxYiXrA1Q0LCiDt0rTwHBkwbc,1669
3
3
  sentinel/actions/send_to_sentinel.py,sha256=REclVHxuG0Q5PIXZ-13crQhoz8BmJJJyTc6suzpq0m0,3227
4
4
  sentinel/actions/synchronization.py,sha256=g5c34410zINWb4fSEzj94drnk5alRj_ju9xMrB39z0s,1818
5
- sentinel/actions/update_defender_xdr_alert.py,sha256=y6xCUFp6xpR1u1uAZd9CeK_sV9acwHamkXBTD_3cHg8,6848
5
+ sentinel/actions/update_defender_xdr_alert.py,sha256=hlCG2d2X19Zhtm1KGAqNHLG9a4yO53GZebRp--07D7c,6408
6
6
  sentinel/mapping/sentinel_incident.py,sha256=3QBnP6qFpJgE3pHvx5VvFnB3m2TVOoWxs8OysDlJVV8,9547
7
7
  sentinel/mapping/xdr_alert.py,sha256=UPoqdZsjUXmJz0dCf_qMlh9Jr0D2HcSNOFvbg8lE4wY,18250
8
8
  sentinel/mapping/xdr_alert_evidence.py,sha256=q622G4eZwFR3TCj418ZCpE83DGVicrWIQZo8Gkj_3FM,31323
@@ -11,8 +11,8 @@ sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKB
11
11
  sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
12
12
  sentinel/routes/ingest.py,sha256=_9OdOw_9nBJseKIBnmHDLjnqZ_bDdM4wfLpLrek4-ak,7018
13
13
  sentinel/utils/tenant_utils.py,sha256=W7kBtxYNhs3vcgMf78eIRqiTpDtqjzEI2H2d0papQ_Q,1224
14
- howler_sentinel_plugin-0.2.0.dev95.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
15
- howler_sentinel_plugin-0.2.0.dev95.dist-info/METADATA,sha256=ivfqDB5AuHiiNXVlA5CcbdB0N-yS1qQuZ86gau729mM,748
16
- howler_sentinel_plugin-0.2.0.dev95.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
17
- howler_sentinel_plugin-0.2.0.dev95.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
18
- howler_sentinel_plugin-0.2.0.dev95.dist-info/RECORD,,
14
+ howler_sentinel_plugin-0.2.0.dev96.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
15
+ howler_sentinel_plugin-0.2.0.dev96.dist-info/METADATA,sha256=rLIqpGiyGrs750JTWKDjpoDIesH3zh9i495TjeOwoZs,748
16
+ howler_sentinel_plugin-0.2.0.dev96.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
17
+ howler_sentinel_plugin-0.2.0.dev96.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
18
+ howler_sentinel_plugin-0.2.0.dev96.dist-info/RECORD,,
sentinel/actions/update_defender_xdr_alert.py CHANGED
@@ -73,43 +73,34 @@ def execute(query: str, **kwargs):
73
73
  return report
74
74
 
75
75
  for hit in hits:
76
- try:
77
- token, credentials = get_token(hit.azure.tenant_id)
78
- except HowlerRuntimeError as err:
79
- logger.exception("Error on token fetching")
76
+ tenant_id = hit.azure.tenant_id
77
+ if not tenant_id and hit.organization.id:
78
+ tenant_id = hit.organization.id
79
+ elif not tenant_id:
80
80
  report.append(
81
81
  {
82
82
  "query": f"howler.id:{hit.howler.id}",
83
- "outcome": "error",
84
- "title": "Invalid Credentials",
85
- "message": err.message,
83
+ "outcome": "skipped",
84
+ "title": "Azure Tenant ID is missing",
85
+ "message": "This alert does not have a set tenant ID.",
86
86
  }
87
87
  )
88
88
  continue
89
89
 
90
- token_request_url = f"https://login.microsoftonline.com/{hit.azure.tenant_id}/oauth2/v2.0/token"
91
- data = {
92
- "grant_type": "client_credentials",
93
- "client_id": credentials["client_id"],
94
- "client_secret": credentials["client_secret"],
95
- "scope": "https://graph.microsoft.com/.default",
96
- }
97
- response = requests.post(token_request_url, data=data, timeout=5.0)
98
-
99
- if not response.ok:
100
- logger.warning("Failed to authenticate to Microsoft Graph.")
90
+ try:
91
+ token = get_token(hit.azure.tenant_id)[0]
92
+ except HowlerRuntimeError as err:
93
+ logger.exception("Error on token fetching")
101
94
  report.append(
102
95
  {
103
- "query": query,
96
+ "query": f"howler.id:{hit.howler.id}",
104
97
  "outcome": "error",
105
- "title": "Authentication failed",
106
- "message": f"Authentication to Microsoft Graph API failed with status code {response.status_code}.",
98
+ "title": "Invalid Credentials",
99
+ "message": err.message,
107
100
  }
108
101
  )
109
102
  continue
110
103
 
111
- token = response.json()["access_token"]
112
-
113
104
  # Fetch alert details
114
105
  alert_url = f"https://graph.microsoft.com/v1.0/security/alerts_v2/{hit.rule.id}"
115
106
  response = requests.get(alert_url, headers={"Authorization": f"Bearer {token}"}, timeout=5.0)
@@ -124,6 +115,7 @@ def execute(query: str, **kwargs):
124
115
  }
125
116
  )
126
117
  continue
118
+
127
119
  alert_data = response.json()
128
120
 
129
121
  # Update alert