howler-sentinel-plugin 0.2.0.dev95__tar.gz → 0.2.0.dev97__tar.gz
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/PKG-INFO +1 -1
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/pyproject.toml +1 -1
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/actions/send_to_sentinel.py +15 -1
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/actions/update_defender_xdr_alert.py +15 -23
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/LICENSE +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/README.md +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/__init__.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/actions/ingestion.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/actions/synchronization.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/mapping/sentinel_incident.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/mapping/xdr_alert.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/mapping/xdr_alert_evidence.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/odm/hit.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/odm/models/sentinel.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/routes/__init__.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/routes/ingest.py +0 -0
- {howler_sentinel_plugin-0.2.0.dev95 → howler_sentinel_plugin-0.2.0.dev97}/sentinel/utils/tenant_utils.py +0 -0
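--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.
+version = "0.2.0.dev97"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }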
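--- a/sentinel/actions/send_to_sentinel.py
+++ b/sentinel/actions/send_to_sentinel.py
@@ -34,8 +34,22 @@ def execute(query: str, **kwargs):
         return report
 
     for hit in hits:
+        tenant_id = hit.azure.tenant_id
+        if not tenant_id and hit.organization.id:
+            tenant_id = hit.organization.id
+        elif not tenant_id:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "skipped",
+                    "title": "Azure Tenant ID is missing",
+                    "message": "This alert does not have a set tenant ID.",
+                }
+            )
+            continue
+
         try:
-            token, credentials = get_token(
+            token, credentials = get_token(tenant_id)
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(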
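Review bot: The fallback `tenant_id = hit.organization.id` (new lines 38–39) silently substitutes an organization identifier for the Azure tenant id that `get_token(tenant_id)` resolves credentials for, and nothing in the hunk shows the two share a value space; if they diverge, the token request targets the wrong tenant and the report gives no hint of it. I would record the substitution, e.g. `logger.warning("Hit %s has no azure.tenant_id; using organization.id as tenant", hit.howler.id)`, and put the assumption in a comment above the assignment. The same resolution block appears verbatim in update_defender_xdr_alert.py (hunk at -73,43); a shared helper along the lines of `resolve_tenant_id(hit)`, perhaps in sentinel/utils/tenant_utils.py, would keep the two actions in step. execute continues outside the hunk on both sides.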
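--- a/sentinel/actions/update_defender_xdr_alert.py
+++ b/sentinel/actions/update_defender_xdr_alert.py
@@ -73,43 +73,34 @@ def execute(query: str, **kwargs):
         return report
 
     for hit in hits:
-
-
-
-
+        tenant_id = hit.azure.tenant_id
+        if not tenant_id and hit.organization.id:
+            tenant_id = hit.organization.id
+        elif not tenant_id:
             report.append(
                 {
                     "query": f"howler.id:{hit.howler.id}",
-                    "outcome": "
-                    "title": "
-                    "message":
+                    "outcome": "skipped",
+                    "title": "Azure Tenant ID is missing",
+                    "message": "This alert does not have a set tenant ID.",
                 }
             )
             continue
 
-
-
-
-            "
-            "client_secret": credentials["client_secret"],
-            "scope": "https://graph.microsoft.com/.default",
-        }
-        response = requests.post(token_request_url, data=data, timeout=5.0)
-
-        if not response.ok:
-            logger.warning("Failed to authenticate to Microsoft Graph.")
+        try:
+            token = get_token(tenant_id)[0]
+        except HowlerRuntimeError as err:
+            logger.exception("Error on token fetching")
             report.append(
                 {
-                    "query":
+                    "query": f"howler.id:{hit.howler.id}",
                     "outcome": "error",
-                    "title": "
-                    "message":
+                    "title": "Invalid Credentials",
+                    "message": err.message,
                 }
             )
             continue
 
-        token = response.json()["access_token"]
-
         # Fetch alert details
         alert_url = f"https://graph.microsoft.com/v1.0/security/alerts_v2/{hit.rule.id}"
         response = requests.get(alert_url, headers={"Authorization": f"Bearer {token}"}, timeout=5.0)
@@ -124,6 +115,7 @@ def execute(query: str, **kwargs):
                 }
             )
             continue
+
         alert_data = response.json()
 
         # Update alert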
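Review bot: `token = get_token(tenant_id)[0]` (new line 91) picks the token by positional index, while the sibling action send_to_sentinel.py unpacks `token, credentials = get_token(tenant_id)` from the same helper; writing it as `token, _ = get_token(tenant_id)` makes the discarded second value explicit and keeps the two call sites consistent. The inline client-credentials request and its `if not response.ok` branch are gone from this loop, so the removed lines 90–93 (truncated on this page) may have left `token_request_url`/`data` setup or a now-unused import behind above the hunk — worth confirming, since the hunk does not show it. execute continues outside the hunk on both sides.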