From f4a1e55cf2ba1e3d702748ac2b098b7dd049be68 Mon Sep 17 00:00:00 2001 From: Adon Metcalfe Date: Thu, 30 Jun 2022 22:44:57 +0800 Subject: [PATCH] function app sentinel helper
---
pythonhelpers/sentinel-beautify/__init__.py | 54 +++++++ .../sentinel-beautify/email-template.html | 145 ++++++++++++++++++ pythonhelpers/sentinel-beautify/function.json | 19 +++ 3 files changed, 218 insertions(+) create mode 100644 pythonhelpers/sentinel-beautify/__init__.py create mode 100644 pythonhelpers/sentinel-beautify/email-template.html create mode 100644 pythonhelpers/sentinel-beautify/function.json
diff --git a/pythonhelpers/sentinel-beautify/__init__.py b/pythonhelpers/sentinel-beautify/__init__.py
new file mode 100644
index 0000000..49a1b73
--- /dev/null
+++ b/pythonhelpers/sentinel-beautify/__init__.py
@@ -0,0 +1,54 @@
+import logging, json, hashlib, pathlib, os
+from string import Template
+import azure.functions as func
+
+
+def main(req: func.HttpRequest) -> func.HttpResponse:
+ logging.info('Beautifying sentinel json and adding html and markdown representations')
+
+ data = req.get_json()
+ labels = [
+ f"SIEM_Severity:{data['Severity']}",
+ f"SIEM_Status:{data['Status']}",
+ f"SIEM_Title:{data['Title']}",
+ ]
+
+ if data.get("Classification"):
+ labels.append(f"SIEM_Classification:{data['Classification']}")
+ if data.get("ClassificationReason"):
+ labels.append(f"SIEM_ClassificationReason:{data['ClassificationReason']}")
+ if data.get("ProviderName"):
+ labels.append(f"SIEM_ProviderName:{data['ProviderName']}")
+
+ if data.get("Owner"):
+ data["Owner"] = json.loads(data["Owner"])
+ if data["Owner"].get("email"):
+ labels.append(f"SIEM_OwnerEmail:{data['Owner']['email']}")
+
+ if data.get("AdditionalData"):
+ data["AdditionalData"] = json.loads(data["AdditionalData"])
+ if data["AdditionalData"].get("alertProductNames"):
+ labels.append(f"SIEM_alertProductNames:{','.join(data['AdditionalData']['alertProductNames'])}")
+ if data["AdditionalData"].get("tactics"):
+ labels.append(f"SIEM_tactics:{','.join(data['AdditionalData']['tactics'])}")
+ if data["AdditionalData"].get("techniques"):
+ labels.append(f"SIEM_techniques:{','.join(data['AdditionalData']['techniques'])}")
+
+ urlhash = hashlib.new('sha256')
+ urlhash.update(data['IncidentUrl'].encode("utf-8"))
+ urlhash = urlhash.hexdigest()
+ subject = f"Sentinel Detection - {data['Title']} ({data['Status']}) - urlhash:{urlhash}"
+ emailTemplate = Template(open(pathlib.Path(__file__).parent / 'email-template.html').read())
+ content = f"Sentinel Incident: {data['Title']}"
+ footer = os.environ.get("FOOTER_HTML", "Set FOOTER_HTML env var to configure this...")
+ html = emailTemplate.substitute(title=subject, content=content, footer=footer)
+
+ response = {
+ "subject": subject,
+ "html": html,
+ "labels": labels,
+ "urlhash": urlhash,
+ "sentinel_data": data
+ }
+
+ return func.HttpResponse(json.dumps(response), mimetype="application/json")
\ No newline at end of file
diff --git a/pythonhelpers/sentinel-beautify/email-template.html b/pythonhelpers/sentinel-beautify/email-template.html
new file mode 100644
index 0000000..4f72251
--- /dev/null
+++ b/pythonhelpers/sentinel-beautify/email-template.html
@@ -0,0 +1,145 @@
+ + + + + + $title + + + + + + + + + + + +
diff --git a/pythonhelpers/sentinel-beautify/function.json b/pythonhelpers/sentinel-beautify/function.json
new file mode 100644
index 0000000..b647b47
--- /dev/null
+++ b/pythonhelpers/sentinel-beautify/function.json
@@ -0,0 +1,19 @@
+{
+ "bindings": [
+ {
+ "authLevel": "function",
+ "type": "httpTrigger",
+ "direction": "in",
+ "name": "req",
+ "methods": [
+ "get",
+ "post"
+ ]
+ },
+ {
+ "type": "http",
+ "direction": "out",
+ "name": "$return"
+ }
+ ]
+ }
\ No newline at end of file
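Review bot: `data['Title']` and `data['Status']` are interpolated unescaped into `subject` and `content` and from there into the HTML body through `emailTemplate.substitute(title=subject, content=content, footer=footer)`, so any markup in an incident title — text that originates from alert data and may be attacker-influenced, not from the caller of this function — is emitted verbatim into the e-mail. Escape at the substitution points: add `from html import escape` (import the function, since the local variable `html` shadows the module name), `content = f"Sentinel Incident: {escape(data['Title'])}"`, and `html = emailTemplate.substitute(title=escape(subject), content=content, footer=footer)`; `subject` itself can stay raw for the mail header, and `footer` is operator-controlled via `FOOTER_HTML` so it is fine unescaped. The template is read through a bare `open(...)` that is never closed; wrap it in `with`, or read it once at module import since it does not change per request. The `json.loads` calls on `Owner` and `AdditionalData` assume the caller sends those fields as JSON strings — if the upstream Logic App already passes objects they raise TypeError, so that contract deserves a comment or an `isinstance(..., str)` guard.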
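Review bot: The trigger binding lists `"get"` alongside `"post"`, but the handler in `__init__.py` unconditionally calls `req.get_json()` and indexes required keys, so a GET with no body fails with an unhandled exception (a 500) rather than a clean 4xx. Unless a GET use case exists, tighten the binding to `"methods": ["post"]` so the accepted surface matches what the code can actually handle. `"authLevel": "function"` is appropriate for a helper called from a Logic App, provided the function key is stored there as a secured parameter rather than inline — that caller is not visible in this patch, so treat it as a reminder rather than a finding.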