howler-sentinel-plugin 0.2.0.dev97__py3-none-any.whl → 0.2.0.dev99__py3-none-any.whl

{howler_sentinel_plugin-0.2.0.dev97.dist-info → howler_sentinel_plugin-0.2.0.dev99.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev97
+Version: 0.2.0.dev99
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev97.dist-info → howler_sentinel_plugin-0.2.0.dev99.dist-info}/RECORD

@@ -1,8 +1,7 @@
 sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sentinel/actions/ingestion.py,sha256=_t7wrmozhoT_MmktDmNxYiXrA1Q0LCiDt0rTwHBkwbc,1669
-sentinel/actions/send_to_sentinel.py,sha256=sg3LyP7IGApMftBU1TTZSUmCGtUI9PwvmI7UBj1Jrf0,3714
-sentinel/actions/synchronization.py,sha256=g5c34410zINWb4fSEzj94drnk5alRj_ju9xMrB39z0s,1818
-sentinel/actions/update_defender_xdr_alert.py,sha256=_Dtsi2pR5xN8ltzYGpCn9JbYnK731l6LSrGtERVfym4,6398
+sentinel/actions/azure_emit_hash.py,sha256=yEO8ZjFTUjNm03fJfHRVER3xf0v5o0qdU8GnqwZtMTM,2938
+sentinel/actions/send_to_sentinel.py,sha256=rfIJk02iAACvb8bfKv9MEkSDILDnvXlxt49hQVyvvQ4,3734
+sentinel/actions/update_defender_xdr_alert.py,sha256=OjNXM8DixURYdl7fHLCS81I0izQVtQgFkw9Iteeklwg,6418
 sentinel/mapping/sentinel_incident.py,sha256=3QBnP6qFpJgE3pHvx5VvFnB3m2TVOoWxs8OysDlJVV8,9547
 sentinel/mapping/xdr_alert.py,sha256=UPoqdZsjUXmJz0dCf_qMlh9Jr0D2HcSNOFvbg8lE4wY,18250
 sentinel/mapping/xdr_alert_evidence.py,sha256=q622G4eZwFR3TCj418ZCpE83DGVicrWIQZo8Gkj_3FM,31323
@@ -11,8 +10,8 @@ sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKB
 sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
 sentinel/routes/ingest.py,sha256=_9OdOw_9nBJseKIBnmHDLjnqZ_bDdM4wfLpLrek4-ak,7018
 sentinel/utils/tenant_utils.py,sha256=W7kBtxYNhs3vcgMf78eIRqiTpDtqjzEI2H2d0papQ_Q,1224
-howler_sentinel_plugin-0.2.0.dev97.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
-howler_sentinel_plugin-0.2.0.dev97.dist-info/METADATA,sha256=x3hPU9xXhV3PXUjvFkolFYrXimd1VvhWk96rky6mcpA,748
-howler_sentinel_plugin-0.2.0.dev97.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-howler_sentinel_plugin-0.2.0.dev97.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
-howler_sentinel_plugin-0.2.0.dev97.dist-info/RECORD,,
+howler_sentinel_plugin-0.2.0.dev99.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
+howler_sentinel_plugin-0.2.0.dev99.dist-info/METADATA,sha256=QZH7YTqc7odZI8KwzX9IeOU_C2quRyThuIHqiKjdyaM,748
+howler_sentinel_plugin-0.2.0.dev99.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+howler_sentinel_plugin-0.2.0.dev99.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
+howler_sentinel_plugin-0.2.0.dev99.dist-info/RECORD,,

sentinel/actions/azure_emit_hash.py

@@ -0,0 +1,100 @@
+import os
+from typing import Optional
+
+import requests
+from howler.common.loader import datastore
+from howler.odm.models.action import VALID_TRIGGERS
+from howler.odm.models.hit import Hit
+from pydash import get
+
+OPERATION_ID = "azure_emit_hash"
+
+
+def execute(
+    query: str,
+    url: Optional[str] = os.environ.get("SHA256_LOGIC_APP_URL", None),
+    field: str = "file.hash.sha256",
+    **kwargs,
+):
+    "Emit hashes to sentinel"
+    result = datastore().hit.search(query, rows=1)
+    hits = result["items"]
+
+    if not url:
+        return [
+            {
+                "query": query,
+                "outcome": "error",
+                "title": "Action is not properly configured",
+                "message": "url argument cannot be empty.",
+            }
+        ]
+
+    if len(hits) < 1:
+        return [
+            {
+                "query": query,
+                "outcome": "error",
+                "title": "No alert found",
+                "message": "No alerts exist in this query.",
+            }
+        ]
+
+    report = []
+    hit = hits[0]
+
+    if result["total"] > 1:
+        report.append(
+            {
+                "query": f"{query} AND -howler.id:{hit.howler.id}",
+                "outcome": "skipped",
+                "title": "Action applies to a single alert",
+                "message": "This action supports execution against a single alert at once, not bulk execution.",
+            }
+        )
+
+    for hit in hits:
+        hash_value = get(hit, field)
+        if hash_value:
+            requests.post(
+                url,  # noqa: F821
+                json={
+                    "indicator": hash_value,
+                    "type": "FileSha256",
+                    "description": "Sent from Howler",
+                    "action": "alert",
+                    "severity": "high",
+                },
+                timeout=5.0,
+            )
+        else:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Hash does not exist on alert",
+                    "message": f"The specified alert does not have a valid sha256 hash at path {field}.",
+                }
+            )
+
+
+def specification():
+    "Specify various properties of the action, such as title, descriptions, permissions and input steps."
+    return {
+        "id": OPERATION_ID,
+        "title": "Emit sha256 hash to Sentinel",
+        "priority": 8,
+        "i18nKey": "operations.add_label",
+        "description": {
+            "short": "Add a label to a hit",
+            "long": execute.__doc__,
+        },
+        "roles": ["automation_basic"],
+        "steps": [
+            {
+                "args": {"url": [], "field": []},
+                "options": {"field": [field for field in Hit.flat_fields().keys() if field.endswith("sha256")]},
+            }
+        ],
+        "triggers": VALID_TRIGGERS,
+    }

sentinel/actions/send_to_sentinel.py

@@ -34,10 +34,11 @@ def execute(query: str, **kwargs):
         return report
 
     for hit in hits:
-        tenant_id = hit.azure.tenant_id
-        if not tenant_id and hit.organization.id:
+        if hit.azure and hit.azure.tenant_id:
+            tenant_id = hit.azure.tenant_id
+        elif hit.organization.id:
             tenant_id = hit.organization.id
-        elif not tenant_id:
+        else:
             report.append(
                 {
                     "query": f"howler.id:{hit.howler.id}",

sentinel/actions/update_defender_xdr_alert.py

@@ -73,10 +73,11 @@ def execute(query: str, **kwargs):
         return report
 
     for hit in hits:
-        tenant_id = hit.azure.tenant_id
-        if not tenant_id and hit.organization.id:
+        if hit.azure and hit.azure.tenant_id:
+            tenant_id = hit.azure.tenant_id
+        elif hit.organization.id:
             tenant_id = hit.organization.id
-        elif not tenant_id:
+        else:
             report.append(
                 {
                     "query": f"howler.id:{hit.howler.id}",

sentinel/actions/ingestion.py

@@ -1,59 +0,0 @@
-from howler.common.loader import datastore
-from howler.datastore.operations import OdmHelper
-from howler.odm.models.hit import Hit
-
-hit_helper = OdmHelper(Hit)
-
-OPERATION_ID = "sentinel_ingestion"
-
-
-def execute(query: str, **kwargs):
-    """Handle ingestion of howler alerts into sentinel.
-
-    Args:
-        query (str): The query specifying alerts to ingest into sentinel.
-    """
-    report = [
-        {
-            "query": query,
-            "outcome": "skipped",
-            "title": "Not Yet Implemented",
-            "message": "This functionality hasn't been implemented yet.",
-        }
-    ]
-
-    ds = datastore()
-
-    skipped_hits = ds.hit.search(
-        f"({query}) AND _exists_:sentinel.id",
-        fl="howler.id",
-    )["items"]
-
-    if len(skipped_hits) > 0:
-        report.append(
-            {
-                "query": f"howler.id:({' OR '.join(h.howler.id for h in skipped_hits)})",
-                "outcome": "skipped",
-                "title": "Skipped Hit with matching sentinel alert",
-                "message": "These hits already have a matching incident in sentinel.",
-            }
-        )
-
-    print("Ingest alerts into sentinel that match this query:", query)  # noqa: T201
-
-    return report
-
-
-def specification():
-    """Specify various properties of the action, such as title, descriptions, permissions and input steps."""
-    return {
-        "id": OPERATION_ID,
-        "title": "Ingest into Sentinel",
-        "priority": 15,
-        "description": {
-            "short": "Ingest alerts into sentinel",
-            "long": execute.__doc__,
-        },
-        "roles": ["automation_basic"],
-        "triggers": ["create"],
-    }

sentinel/actions/synchronization.py

@@ -1,60 +0,0 @@
-from howler.common.loader import datastore
-from howler.datastore.operations import OdmHelper
-from howler.odm.models.action import VALID_TRIGGERS
-from howler.odm.models.hit import Hit
-
-hit_helper = OdmHelper(Hit)
-
-OPERATION_ID = "sentinel_synchronization"
-
-
-def execute(query: str, **kwargs):
-    """Handle synchronization of howler alerts into sentinel.
-
-    Args:
-        query (str): The query specifying alerts to syncrhonize with sentinel.
-    """
-    report = [
-        {
-            "query": query,
-            "outcome": "skipped",
-            "title": "Not Yet Implemented",
-            "message": "This functionality hasn't been implemented yet.",
-        }
-    ]
-
-    ds = datastore()
-
-    skipped_hits = ds.hit.search(
-        f"({query}) AND -_exists_:sentinel.id",
-        fl="howler.id",
-    )["items"]
-
-    if len(skipped_hits) > 0:
-        report.append(
-            {
-                "query": f"howler.id:({' OR '.join(h.howler.id for h in skipped_hits)})",
-                "outcome": "skipped",
-                "title": "No matching sentinel alert",
-                "message": "These hits do not have a matching incident in sentinel.",
-            }
-        )
-
-    print("Update alerts into sentinel that match this query:", f"({query}) AND _exists_:sentinel.id")  # noqa: T201
-
-    return report
-
-
-def specification():
-    """Specify various properties of the action, such as title, descriptions, permissions and input steps."""
-    return {
-        "id": OPERATION_ID,
-        "title": "Synchronize with Sentinel",
-        "priority": 16,
-        "description": {
-            "short": "Synchronize alerts with sentinel",
-            "long": execute.__doc__,
-        },
-        "roles": ["automation_basic"],
-        "triggers": [trigger for trigger in VALID_TRIGGERS if trigger != "create"],
-    }