PyPI - howler-sentinel-plugin - Versions diffs - 0.2.0.dev97__tar.gz → 0.2.0.dev98__tar.gz - Mend

howler-sentinel-plugin 0.2.0.dev97tar.gz → 0.2.0.dev98tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

{howler_sentinel_plugin-0.2.0.dev97 → howler_sentinel_plugin-0.2.0.dev98}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev97
+Version: 0.2.0.dev98
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

{howler_sentinel_plugin-0.2.0.dev97 → howler_sentinel_plugin-0.2.0.dev98}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "howler-sentinel-plugin"
-version = "0.2.0.dev97"
+version = "0.2.0.dev98"
 description = "A howler plugin for integration with Microsoft's Sentinel API"
 authors = [{ name = "CCCS", email = "analysis-development@cyber.gc.ca" }]
 license = { text = "MIT" }

howler_sentinel_plugin-0.2.0.dev98/sentinel/actions/azure_emit_hash.py ADDED Viewed

@@ -0,0 +1,84 @@
+import os
+import requests
+from howler.common.loader import datastore
+from howler.odm.models.action import VALID_TRIGGERS
+from howler.odm.models.hit import Hit
+from pydash import get
+OPERATION_ID = "azure_emit_hash"
+def execute(query: str, field: str = "file.hash.sha256", **kwargs):
+    "Emit hashes to sentinel"
+    result = datastore().hit.search(query, rows=1)
+    hits = result["items"]
+    if len(hits) < 1:
+        return [
+            {
+                "query": query,
+                "outcome": "error",
+                "title": "No alert found",
+                "message": "No alerts exist in this query.",
+            }
+        ]
+    report = []
+    hit = hits[0]
+    if result["total"] > 1:
+        report.append(
+            {
+                "query": f"{query} AND -howler.id:{hit.howler.id}",
+                "outcome": "skipped",
+                "title": "Action applies to a single alert",
+                "message": "This action supports execution against a single alert at once, not bulk execution.",
+            }
+        )
+    for hit in hits:
+        hash_value = get(hit, field)
+        if hash_value:
+            requests.post(
+                os.environ["SHA256_LOGIC_APP_URL"],  # noqa: F821
+                json={
+                    "indicator": hash_value,
+                    "type": "FileSha256",
+                    "description": "Sent from Howler",
+                    "action": "alert",
+                    "severity": "high",
+                },
+                timeout=5.0,
+            )
+        else:
+            report.append(
+                {
+                    "query": f"howler.id:{hit.howler.id}",
+                    "outcome": "error",
+                    "title": "Hash does not exist on alert",
+                    "message": f"The specified alert does not have a valid sha256 hash at path {field}.",
+                }
+            )
+def specification():
+    "Specify various properties of the action, such as title, descriptions, permissions and input steps."
+    return {
+        "id": OPERATION_ID,
+        "title": "Emit sha256 hash to Sentinel",
+        "priority": 8,
+        "i18nKey": "operations.add_label",
+        "description": {
+            "short": "Add a label to a hit",
+            "long": execute.__doc__,
+        },
+        "roles": ["automation_basic"],
+        "steps": [
+            {
+                "args": {"field": []},
+                "options": {"field": [field for field in Hit.flat_fields().keys() if field.endswith("sha256")]},
+            }
+        ],
+        "triggers": VALID_TRIGGERS,
+    }

howler_sentinel_plugin-0.2.0.dev97/sentinel/actions/ingestion.py DELETED Viewed

@@ -1,59 +0,0 @@
-from howler.common.loader import datastore
-from howler.datastore.operations import OdmHelper
-from howler.odm.models.hit import Hit
-hit_helper = OdmHelper(Hit)
-OPERATION_ID = "sentinel_ingestion"
-def execute(query: str, **kwargs):
-    """Handle ingestion of howler alerts into sentinel.
-    Args:
-        query (str): The query specifying alerts to ingest into sentinel.
-    """
-    report = [
-        {
-            "query": query,
-            "outcome": "skipped",
-            "title": "Not Yet Implemented",
-            "message": "This functionality hasn't been implemented yet.",
-        }
-    ]
-    ds = datastore()
-    skipped_hits = ds.hit.search(
-        f"({query}) AND _exists_:sentinel.id",
-        fl="howler.id",
-    )["items"]
-    if len(skipped_hits) > 0:
-        report.append(
-            {
-                "query": f"howler.id:({' OR '.join(h.howler.id for h in skipped_hits)})",
-                "outcome": "skipped",
-                "title": "Skipped Hit with matching sentinel alert",
-                "message": "These hits already have a matching incident in sentinel.",
-            }
-        )
-    print("Ingest alerts into sentinel that match this query:", query)  # noqa: T201
-    return report
-def specification():
-    """Specify various properties of the action, such as title, descriptions, permissions and input steps."""
-    return {
-        "id": OPERATION_ID,
-        "title": "Ingest into Sentinel",
-        "priority": 15,
-        "description": {
-            "short": "Ingest alerts into sentinel",
-            "long": execute.__doc__,
-        },
-        "roles": ["automation_basic"],
-        "triggers": ["create"],
-    }

howler_sentinel_plugin-0.2.0.dev97/sentinel/actions/synchronization.py DELETED Viewed

@@ -1,60 +0,0 @@
-from howler.common.loader import datastore
-from howler.datastore.operations import OdmHelper
-from howler.odm.models.action import VALID_TRIGGERS
-from howler.odm.models.hit import Hit
-hit_helper = OdmHelper(Hit)
-OPERATION_ID = "sentinel_synchronization"
-def execute(query: str, **kwargs):
-    """Handle synchronization of howler alerts into sentinel.
-    Args:
-        query (str): The query specifying alerts to syncrhonize with sentinel.
-    """
-    report = [
-        {
-            "query": query,
-            "outcome": "skipped",
-            "title": "Not Yet Implemented",
-            "message": "This functionality hasn't been implemented yet.",
-        }
-    ]
-    ds = datastore()
-    skipped_hits = ds.hit.search(
-        f"({query}) AND -_exists_:sentinel.id",
-        fl="howler.id",
-    )["items"]
-    if len(skipped_hits) > 0:
-        report.append(
-            {
-                "query": f"howler.id:({' OR '.join(h.howler.id for h in skipped_hits)})",
-                "outcome": "skipped",
-                "title": "No matching sentinel alert",
-                "message": "These hits do not have a matching incident in sentinel.",
-            }
-        )
-    print("Update alerts into sentinel that match this query:", f"({query}) AND _exists_:sentinel.id")  # noqa: T201
-    return report
-def specification():
-    """Specify various properties of the action, such as title, descriptions, permissions and input steps."""
-    return {
-        "id": OPERATION_ID,
-        "title": "Synchronize with Sentinel",
-        "priority": 16,
-        "description": {
-            "short": "Synchronize alerts with sentinel",
-            "long": execute.__doc__,
-        },
-        "roles": ["automation_basic"],
-        "triggers": [trigger for trigger in VALID_TRIGGERS if trigger != "create"],
-    }