howler-sentinel-plugin 0.2.0.dev99__py3-none-any.whl → 0.2.0.dev102__py3-none-any.whl

{howler_sentinel_plugin-0.2.0.dev99.dist-info → howler_sentinel_plugin-0.2.0.dev102.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: howler-sentinel-plugin
-Version: 0.2.0.dev99
+Version: 0.2.0.dev102
 Summary: A howler plugin for integration with Microsoft's Sentinel API
 License: MIT
 Author: CCCS

howler_sentinel_plugin-0.2.0.dev102.dist-info/RECORD

@@ -0,0 +1,17 @@
+sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sentinel/actions/azure_emit_hash.py,sha256=NyqWqe7BshQBq4YfTkGGkLAek6YImqnlpSWMABRdVxM,2939
+sentinel/actions/send_to_sentinel.py,sha256=Y2Ps2a715G2edCJXY5x1UNJkj-qwGkJ_0WYiAdCScXk,3973
+sentinel/actions/update_defender_xdr_alert.py,sha256=gXuVZfr7Ou0Lc6BuECmo18E8hfJPhUlM1VMKVCkofk4,6753
+sentinel/mapping/sentinel_incident.py,sha256=U7fIh8N4Jdr1A4z1E0jPRP28Ll0Cq7u9Q6292AnyRDI,9548
+sentinel/mapping/xdr_alert.py,sha256=UPoqdZsjUXmJz0dCf_qMlh9Jr0D2HcSNOFvbg8lE4wY,18250
+sentinel/mapping/xdr_alert_evidence.py,sha256=q622G4eZwFR3TCj418ZCpE83DGVicrWIQZo8Gkj_3FM,31323
+sentinel/odm/hit.py,sha256=hAuO2ONMK3Ml8Xu6E7tHrmZ7M6HG5tT38RD9ZxwY254,666
+sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKBIc,337
+sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
+sentinel/routes/ingest.py,sha256=_9OdOw_9nBJseKIBnmHDLjnqZ_bDdM4wfLpLrek4-ak,7018
+sentinel/utils/tenant_utils.py,sha256=nGOCbLzUx9OyATLAZ5UbW0WNao_1ioW4wL-htn2ltKU,1324
+howler_sentinel_plugin-0.2.0.dev102.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
+howler_sentinel_plugin-0.2.0.dev102.dist-info/METADATA,sha256=x6T8WqMLWPJYYrB6_cLfcbNPf3RpRHjQ6AOoGp8wZMw,749
+howler_sentinel_plugin-0.2.0.dev102.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
+howler_sentinel_plugin-0.2.0.dev102.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
+howler_sentinel_plugin-0.2.0.dev102.dist-info/RECORD,,

sentinel/actions/azure_emit_hash.py

@@ -83,7 +83,7 @@ def specification():
     return {
         "id": OPERATION_ID,
         "title": "Emit sha256 hash to Sentinel",
-        "priority": 8,
+        "priority": 28,
         "i18nKey": "operations.add_label",
         "description": {
             "short": "Add a label to a hit",

sentinel/actions/send_to_sentinel.py

@@ -50,7 +50,7 @@ def execute(query: str, **kwargs):
             continue
 
         try:
-            token, credentials = get_token(tenant_id)
+            token, credentials = get_token(tenant_id, "https://monitor.azure.com/.default")
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(
@@ -79,6 +79,11 @@ def execute(query: str, **kwargs):
 
         response = requests.post(uri, headers=headers, json=payload, timeout=5.0)
         if not response.ok:
+            logger.warning(
+                "POST request to Azure Monitor failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
             report.append(
                 {
                     "query": f"howler.id:{hit.howler.id}",

sentinel/actions/update_defender_xdr_alert.py

@@ -89,7 +89,7 @@ def execute(query: str, **kwargs):
             continue
 
         try:
-            token = get_token(tenant_id)[0]
+            token = get_token(tenant_id, "https://graph.microsoft.com/.default")[0]
         except HowlerRuntimeError as err:
             logger.exception("Error on token fetching")
             report.append(
@@ -106,7 +106,11 @@ def execute(query: str, **kwargs):
         alert_url = f"https://graph.microsoft.com/v1.0/security/alerts_v2/{hit.rule.id}"
         response = requests.get(alert_url, headers={"Authorization": f"Bearer {token}"}, timeout=5.0)
         if not response.ok:
-            logger.warning("GET request to Microsoft Graph failed with status code %s.", response.status_code)
+            logger.warning(
+                "GET request to Microsoft Graph failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
             report.append(
                 {
                     "query": query,
@@ -148,6 +152,11 @@ def execute(query: str, **kwargs):
             timeout=5.0,
         )
         if not response.ok:
+            logger.warning(
+                "PATCH request to Microsoft Graph failed with status code %s. Content:\n%s",
+                response.status_code,
+                response.text,
+            )
             report.append(
                 {
                     "query": query,

sentinel/mapping/sentinel_incident.py

@@ -76,7 +76,7 @@ class SentinelIncident:
                     "score": self.map_severity_to_score(severity),
                     "outline.summary": description,
                     "rationale": resolving_comment,
-                    "analytic": "MSGraph",
+                    "analytic": "Sentinel",
                     "is_bundle": True,
                     "bundle_size": 0,
                     "hits": [],

sentinel/utils/tenant_utils.py

@@ -10,7 +10,7 @@ logger = get_logger(__file__)
 
 
 @cache.memoize(15 * 60)
-def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
+def get_token(tenant_id: str, scope: str) -> tuple[str, dict[str, str]]:
     """Get a borealis token based on the current howler token"""
     # Get bearer token
     try:
@@ -18,6 +18,8 @@ def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
     except (KeyError, json.JSONDecodeError):
         raise HowlerRuntimeError("Credential data not configured.")
 
+    logger.info("Generating client credential token for client id %s with scope %s", credentials["client_id"], scope)
+
     token_request_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
     response = requests.post(
         token_request_url,
@@ -25,7 +27,7 @@ def get_token(tenant_id: str) -> tuple[str, dict[str, str]]:
             "grant_type": "client_credentials",
             "client_id": credentials["client_id"],
             "client_secret": credentials["client_secret"],
-            "scope": "https://monitor.azure.com/.default",
+            "scope": scope,
         },
         timeout=5.0,
     )

howler_sentinel_plugin-0.2.0.dev99.dist-info/RECORD

@@ -1,17 +0,0 @@
-sentinel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sentinel/actions/azure_emit_hash.py,sha256=yEO8ZjFTUjNm03fJfHRVER3xf0v5o0qdU8GnqwZtMTM,2938
-sentinel/actions/send_to_sentinel.py,sha256=rfIJk02iAACvb8bfKv9MEkSDILDnvXlxt49hQVyvvQ4,3734
-sentinel/actions/update_defender_xdr_alert.py,sha256=OjNXM8DixURYdl7fHLCS81I0izQVtQgFkw9Iteeklwg,6418
-sentinel/mapping/sentinel_incident.py,sha256=3QBnP6qFpJgE3pHvx5VvFnB3m2TVOoWxs8OysDlJVV8,9547
-sentinel/mapping/xdr_alert.py,sha256=UPoqdZsjUXmJz0dCf_qMlh9Jr0D2HcSNOFvbg8lE4wY,18250
-sentinel/mapping/xdr_alert_evidence.py,sha256=q622G4eZwFR3TCj418ZCpE83DGVicrWIQZo8Gkj_3FM,31323
-sentinel/odm/hit.py,sha256=hAuO2ONMK3Ml8Xu6E7tHrmZ7M6HG5tT38RD9ZxwY254,666
-sentinel/odm/models/sentinel.py,sha256=XT3XdT92uoCV5vmY9dT1jmcxRyuu9vp1gE8AwZdKBIc,337
-sentinel/routes/__init__.py,sha256=JYmKRwIfEsiPos1XuMQ2mlGDbxk6TN_cVEM0K_RNze4,130
-sentinel/routes/ingest.py,sha256=_9OdOw_9nBJseKIBnmHDLjnqZ_bDdM4wfLpLrek4-ak,7018
-sentinel/utils/tenant_utils.py,sha256=W7kBtxYNhs3vcgMf78eIRqiTpDtqjzEI2H2d0papQ_Q,1224
-howler_sentinel_plugin-0.2.0.dev99.dist-info/LICENSE,sha256=Wg2luVnxEkP2NSn11nh1US6W_nFFbICBAVTG9iG3t5M,1091
-howler_sentinel_plugin-0.2.0.dev99.dist-info/METADATA,sha256=QZH7YTqc7odZI8KwzX9IeOU_C2quRyThuIHqiKjdyaM,748
-howler_sentinel_plugin-0.2.0.dev99.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-howler_sentinel_plugin-0.2.0.dev99.dist-info/entry_points.txt,sha256=4IJyMY0V49s3Wp659ngN_7U8g66-czeKxI-_dNAFP5g,60
-howler_sentinel_plugin-0.2.0.dev99.dist-info/RECORD,,