function app sentinel helper

pythonhelpers/sentinel-beautify/__init__.py

@@ -0,0 +1,54 @@
+import logging, json, hashlib, pathlib, os
+from string import Template
+import azure.functions as func
+
+
+def main(req: func.HttpRequest) -> func.HttpResponse:
+    logging.info('Beautifying sentinel json and adding html and markdown representations')
+
+    data = req.get_json()
+    labels = [
+        f"SIEM_Severity:{data['Severity']}",
+        f"SIEM_Status:{data['Status']}",
+        f"SIEM_Title:{data['Title']}",
+    ]    
+
+    if data.get("Classification"):
+        labels.append(f"SIEM_Classification:{data['Classification']}")
+    if data.get("ClassificationReason"):
+        labels.append(f"SIEM_ClassificationReason:{data['ClassificationReason']}")
+    if data.get("ProviderName"):
+        labels.append(f"SIEM_ProviderName:{data['ProviderName']}")
+
+    if data.get("Owner"):
+        data["Owner"] = json.loads(data["Owner"])
+        if data["Owner"].get("email"):
+            labels.append(f"SIEM_OwnerEmail:{data['Owner']['email']}")
+
+    if data.get("AdditionalData"):
+        data["AdditionalData"] = json.loads(data["AdditionalData"])
+        if data["AdditionalData"].get("alertProductNames"):
+            labels.append(f"SIEM_alertProductNames:{','.join(data['AdditionalData']['alertProductNames'])}")
+        if data["AdditionalData"].get("tactics"):
+            labels.append(f"SIEM_tactics:{','.join(data['AdditionalData']['tactics'])}")
+        if data["AdditionalData"].get("techniques"):
+            labels.append(f"SIEM_techniques:{','.join(data['AdditionalData']['techniques'])}")
+
+    urlhash = hashlib.new('sha256')
+    urlhash.update(data['IncidentUrl'].encode("utf-8"))
+    urlhash = urlhash.hexdigest()
+    subject = f"Sentinel Detection - {data['Title']} ({data['Status']}) - urlhash:{urlhash}"
+    emailTemplate = Template(open(pathlib.Path(__file__).parent / 'email-template.html').read())
+    content = f"Sentinel Incident: <a href='{data['IncidentUrl']}'>{data['Title']}</a>"
+    footer = os.environ.get("FOOTER_HTML", "Set FOOTER_HTML env var to configure this...")
+    html = emailTemplate.substitute(title=subject, content=content, footer=footer)
+
+    response = {
+        "subject": subject,
+        "html": html,
+        "labels": labels,
+        "urlhash": urlhash,
+        "sentinel_data": data
+    }
+
+    return func.HttpResponse(json.dumps(response), mimetype="application/json")

pythonhelpers/sentinel-beautify/email-template.html

@@ -0,0 +1,145 @@
+<!doctype html>
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <title>$title</title>
+    <style>
+@media only screen and (max-width: 620px) {
+  table.body h1 {
+    font-size: 28px !important;
+    margin-bottom: 10px !important;
+  }
+
+  table.body p,
+table.body ul,
+table.body ol,
+table.body td,
+table.body span,
+table.body a {
+    font-size: 16px !important;
+  }
+
+  table.body .wrapper,
+table.body .article {
+    padding: 10px !important;
+  }
+
+  table.body .content {
+    padding: 0 !important;
+  }
+
+  table.body .container {
+    padding: 0 !important;
+    width: 100% !important;
+  }
+
+  table.body .main {
+    border-left-width: 0 !important;
+    border-radius: 0 !important;
+    border-right-width: 0 !important;
+  }
+
+  table.body .btn table {
+    width: 100% !important;
+  }
+
+  table.body .btn a {
+    width: 100% !important;
+  }
+
+  table.body .img-responsive {
+    height: auto !important;
+    max-width: 100% !important;
+    width: auto !important;
+  }
+}
+@media all {
+  .ExternalClass {
+    width: 100%;
+  }
+
+  .ExternalClass,
+.ExternalClass p,
+.ExternalClass span,
+.ExternalClass font,
+.ExternalClass td,
+.ExternalClass div {
+    line-height: 100%;
+  }
+
+  .apple-link a {
+    color: inherit !important;
+    font-family: inherit !important;
+    font-size: inherit !important;
+    font-weight: inherit !important;
+    line-height: inherit !important;
+    text-decoration: none !important;
+  }
+
+  #MessageViewBody a {
+    color: inherit;
+    text-decoration: none;
+    font-size: inherit;
+    font-family: inherit;
+    font-weight: inherit;
+    line-height: inherit;
+  }
+
+  .btn-primary table td:hover {
+    background-color: #34495e !important;
+  }
+
+  .btn-primary a:hover {
+    background-color: #34495e !important;
+    border-color: #34495e !important;
+  }
+}
+</style>
+  </head>
+  <body style="background-color: #f6f6f6; font-family: sans-serif; -webkit-font-smoothing: antialiased; font-size: 14px; line-height: 1.4; margin: 0; padding: 0; -ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;">
+    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="body" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; background-color: #f6f6f6; width: 100%;" width="100%" bgcolor="#f6f6f6">
+      <tr>
+        <td style="font-family: sans-serif; font-size: 14px; vertical-align: top;" valign="top">&nbsp;</td>
+        <td class="container" style="font-family: sans-serif; font-size: 14px; vertical-align: top; display: block; max-width: 580px; padding: 10px; width: 580px; margin: 0 auto;" width="580" valign="top">
+          <div class="content" style="box-sizing: border-box; display: block; margin: 0 auto; max-width: 580px; padding: 10px;">
+
+            <!-- START CENTERED WHITE CONTAINER -->
+            <table role="presentation" class="main" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; background: #ffffff; border-radius: 3px; width: 100%;" width="100%">
+
+              <!-- START MAIN CONTENT AREA -->
+              <tr>
+                <td class="wrapper" style="font-family: sans-serif; font-size: 14px; vertical-align: top; box-sizing: border-box; padding: 20px;" valign="top">
+                  <table role="presentation" border="0" cellpadding="0" cellspacing="0" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%;" width="100%">
+                    <tr>
+                      <td style="font-family: sans-serif; font-size: 14px; vertical-align: top;" valign="top">
+                        <p style="font-family: sans-serif; font-size: 14px; font-weight: normal; margin: 0; margin-bottom: 15px;">$content</p>
+                      </td>
+                    </tr>
+                  </table>
+                </td>
+              </tr>
+
+            <!-- END MAIN CONTENT AREA -->
+            </table>
+            <!-- END CENTERED WHITE CONTAINER -->
+
+            <!-- START FOOTER -->
+            <div class="footer" style="clear: both; margin-top: 10px; text-align: center; width: 100%;">
+              <table role="presentation" border="0" cellpadding="0" cellspacing="0" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%;" width="100%">
+                <tr>
+                  <td class="content-block" style="font-family: sans-serif; vertical-align: top; padding-bottom: 10px; padding-top: 10px; color: #999999; font-size: 12px; text-align: center;" valign="top" align="center">
+                    <span class="apple-link" style="color: #999999; font-size: 12px; text-align: center;">$footer</span>
+                  </td>
+                </tr>
+              </table>
+            </div>
+            <!-- END FOOTER -->
+
+          </div>
+        </td>
+        <td style="font-family: sans-serif; font-size: 14px; vertical-align: top;" valign="top">&nbsp;</td>
+      </tr>
+    </table>
+  </body>
+</html>

pythonhelpers/sentinel-beautify/function.json

@@ -0,0 +1,19 @@
+{
+    "bindings": [
+      {
+        "authLevel": "function",
+        "type": "httpTrigger",
+        "direction": "in",
+        "name": "req",
+        "methods": [
+          "get",
+          "post"
+        ]
+      },
+      {
+        "type": "http",
+        "direction": "out",
+        "name": "$return"
+      }
+    ]
+  }