

Merge pull request #11118 from FortiNDR-Integration/FortiNDR-Cloud-Se…
…ntinel-add-new-fields-for-detections

FortiNDR Cloud Sentinel add new fields for detections
v-prasadboke authored Oct 1, 2024
2 parents f99e6e8 + c73750c commit 9b540e2
Showing 13 changed files with 197 additions and 59 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -60,14 +60,6 @@
"type": "string",
"defaultValue": ""
},
"IncludePdns": {
"type": "bool",
"defaultValue": false
},
"IncludeDhcp": {
"type": "bool",
"defaultValue": false
},
"IncludeEvents": {
"type": "bool",
"defaultValue": false
Expand Down Expand Up @@ -237,7 +229,7 @@
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.10"
"linuxFxVersion": "python|3.11"
}
},
"resources": [
Expand Down Expand Up @@ -269,8 +261,6 @@
"FncApiToken": "[parameters('FncApiToken')]",
"FncAccountUuid": "[parameters('FncAccountUuid')]",
"FncApiDomain": "[parameters('FncApiDomain')]",
"IncludePdns": "[parameters('IncludePdns')]",
"IncludeDhcp": "[parameters('IncludeDhcp')]",
"IncludeEvents": "[parameters('IncludeEvents')]",
"IncludeDescription": "[parameters('IncludeDescription')]",
"IncludeSignature": "[parameters('IncludeSignature')]",
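Review bot: Dropping the `IncludePdns` and `IncludeDhcp` parameter definitions in the first hunk, and their `[parameters(...)]` app-setting references in the third, is a breaking change for anyone who redeploys this template with an existing parameter file or pipeline that still supplies those two values, because ARM rejects parameters the template does not declare. If that is acceptable for the 3.0.2 release, the ReleaseNotes entry on this page could say so explicitly; otherwise keeping the two parameters declared (unused) for one release gives deployers a migration window. The `linuxFxVersion` bump to `python|3.11` in the second hunk presumably matches the Function App code's tested runtime; worth confirming the requirements pin for `requests`/`fnc` installs cleanly on 3.11 since the new FncRestClient module on this page imports both.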
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,14 @@
import logging
import os

import FncRestClient
from fnc.api.api_client import ApiContext
from fnc.fnc_client import FncClient
from globalVariables import INTEGRATION_NAME
from sentinel import post_data

API_TOKEN = os.environ.get("FncApiToken")
ACCOUNT_UUID = os.environ.get("FncAccountUuid")
INCLUDE_PDNS = os.environ.get("FncAccountUuid")
INCLUDE_DHCP = os.environ.get("IncludeDhcp")
INCLUDE_EVENTS = os.environ.get("IncludeEvents")
POLLING_DELAY = int(os.environ.get("PollingDelay") or 10)
DOMAIN = os.environ.get("FncApiDomain")
Expand Down Expand Up @@ -80,8 +79,9 @@ def add_events_to_detections(detections, detection_events):
def fetch_and_send_detections(
ctx: ApiContext, event_type: str, start_date: str
):
rest_client = FncRestClient.FncSentinelRestClient()
client = FncClient.get_api_client(
name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN
name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client
)
loggerLever = logging.getLevelName(LOGGER_LEVEL.upper())
client.get_logger().set_level(level=loggerLever)
Expand All @@ -94,8 +94,6 @@ def fetch_and_send_detections(
"pull_muted_devices": PULL_MUTED,
"include_description": INCLUDE_DESCRIPTION,
"include_signature": INCLUDE_SIGNATURE,
"include_pdns": INCLUDE_PDNS,
"include_dhcp": INCLUDE_DHCP,
"include_events": INCLUDE_EVENTS,
"filter_training_detections": True,
"start_date": start_date,
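Review bot: The new `rest_client = FncRestClient.FncSentinelRestClient()` is constructed on every call to fetch_and_send_detections, and the same per-call construction is repeated in the next Python section's fetch_and_send_detections and in get_detection_args further down this page. Since FncSentinelRestClient.send_request (also on this page) issues a bare `requests.request`, there is no connection state to lose, so the behaviour is correct; a single module-level `REST_CLIENT = FncRestClient.FncSentinelRestClient()` next to the other module-level configuration would just avoid repeating the construction in three places, assuming get_api_client does not take ownership of the instance. As a point of style, the new argument line `name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client` is noticeably wider than the surrounding code and reads better with one keyword argument per line. fetch_and_send_detections continues outside the hunk.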
Original file line number Diff line number Diff line change
Expand Up @@ -3,15 +3,14 @@
import os
from datetime import datetime, timezone

import FncRestClient
from fnc.api.api_client import ApiContext
from fnc.fnc_client import FncClient
from globalVariables import INTEGRATION_NAME
from sentinel import post_data

API_TOKEN = os.environ.get("FncApiToken")
ACCOUNT_UUID = os.environ.get("FncAccountUuid")
INCLUDE_PDNS = os.environ.get("FncAccountUuid")
INCLUDE_DHCP = os.environ.get("IncludeDhcp")
INCLUDE_EVENTS = os.environ.get("IncludeEvents")
POLLING_DELAY = int(os.environ.get("PollingDelay") or 10)
DOMAIN = os.environ.get("FncApiDomain")
Expand Down Expand Up @@ -96,8 +95,9 @@ def add_events_to_detections(detections, detection_events):


def fetch_and_send_detections(ctx: ApiContext, event_type: str, start_date: str):
rest_client = FncRestClient.FncSentinelRestClient()
client = FncClient.get_api_client(
name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN
name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client
)
loggerLever = logging.getLevelName(LOGGER_LEVEL.upper())
client.get_logger().set_level(level=loggerLever)
Expand All @@ -110,8 +110,6 @@ def fetch_and_send_detections(ctx: ApiContext, event_type: str, start_date: str)
"pull_muted_devices": PULL_MUTED,
"include_description": INCLUDE_DESCRIPTION,
"include_signature": INCLUDE_SIGNATURE,
"include_pdns": INCLUDE_PDNS,
"include_dhcp": INCLUDE_DHCP,
"include_events": INCLUDE_EVENTS,
"filter_training_detections": True,
"limit": 100,
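--- /dev/null
+++ b/FncRestClient.py
@@ -0,0 +1,30 @@
+from fnc.api import FncRestClient
+from fnc.errors import ErrorMessages, ErrorType, FncClientError
+import requests
+
+class FncSentinelRestClient(FncRestClient):
+    def validate_request(self, req_args: dict):
+        if not req_args or 'url' not in req_args:
+            raise FncClientError(
+                error_type=ErrorType.REQUEST_VALIDATION_ERROR,
+                error_message=ErrorMessages.REQUEST_URL_NOT_PROVIDED
+            )
+
+        if 'method' not in req_args:
+            raise FncClientError(
+                error_type=ErrorType.REQUEST_VALIDATION_ERROR,
+                error_message=ErrorMessages.REQUEST_METHOD_NOT_PROVIDED
+            )
+
+    def send_request(self, req_args: dict = None):
+        url = req_args['url']
+        method = req_args['method']
+        headers = req_args.get('headers', {})
+        timeout = req_args.get('timeout', 70)
+        verify = req_args.get('verify', True)
+        parameters = req_args.get('params', {})
+        json = req_args.get('json', None)
+        data = req_args.get('data', None)
+        payload = json or data
+        response = requests.request(method, url, headers=headers, timeout=timeout, params=parameters, json=payload, verify=verify)
+        return response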
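Review bot: In send_request, `payload = json or data` is handed to `requests.request(..., json=payload, ...)`, so a caller that supplies a `data` body (form fields or a raw string) gets it JSON-encoded with an application/json content type instead of sent as-is; the two should be forwarded separately, e.g. `json_body = req_args.get('json', None)` / `data = req_args.get('data', None)` / `requests.request(method, url, headers=headers, timeout=timeout, params=parameters, json=json_body, data=data, verify=verify)`, which also stops the local `json` from shadowing the stdlib module name. send_request also indexes `req_args['url']` without calling validate_request, so with the default `req_args=None` it raises TypeError rather than the FncClientError that validate_request defines; if the base FncRestClient is relied on to call validate_request first, a one-line comment saying so would make that contract visible here. The `verify` flag is taken from req_args with a default of True, which is the right default; a short docstring on send_request stating that `timeout` and `verify` are caller-overridable and what the defaults are would help whoever passes request arguments from the detection code.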
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@

import azure.durable_functions as df
import azure.functions as func
import FncRestClient
from azure.durable_functions.models import DurableOrchestrationStatus
from errors import InputError
from fnc.fnc_client import FncClient
Expand Down Expand Up @@ -124,8 +125,9 @@ def get_detection_args():

# Create detection client to get context for history
# and real time detections
rest_client = FncRestClient.FncSentinelRestClient()
detection_client = FncClient.get_api_client(
name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN
name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client
)
h_context, context = detection_client.get_splitted_context(
args=detection_args)
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
"Workbooks/FortinetFortiNdrCloudWorkbook.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Fortinet FortiNDR Cloud",
"Version": "3.0.1",
"Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
Binary file not shown.
16 changes: 8 additions & 8 deletions Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json


Original file line number Diff line number Diff line change
Expand Up @@ -310,10 +310,11 @@ let FortiNDR_Cloud_detections_view = view () {
de_username=column_ifexists('username_s', ''),
de_hostname=column_ifexists('hostname_s', ''),
de_category=column_ifexists('rule_category_s', ''),
de_dhcp=column_ifexists('dhcp_s', ''),
de_pdns=column_ifexists('PDNS_s', ''),
de_event_count=column_ifexists('event_count_d', ''),
de_events=column_ifexists('events_s', '')
de_events=column_ifexists('events_s', ''),
de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),
de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),
de_rule_url=column_ifexists('rule_url_s', '')
| project
de_device_ip,
de_event_count,
Expand Down Expand Up @@ -343,8 +344,9 @@ let FortiNDR_Cloud_detections_view = view () {
de_uuid,
de_username,
de_hostname,
de_dhcp,
de_pdns,
de_primary_attack_id,
de_secondary_attack_id,
de_rule_url,
Type
};

Original file line number Diff line number Diff line change
Expand Up @@ -314,10 +314,11 @@ FunctionQuery: |
de_username=column_ifexists('username_s', ''),
de_hostname=column_ifexists('hostname_s', ''),
de_category=column_ifexists('rule_category_s', ''),
de_dhcp=column_ifexists('dhcp_s', ''),
de_pdns=column_ifexists('PDNS_s', ''),
de_event_count=column_ifexists('event_count_d', ''),
de_events=column_ifexists('events_s', '')
de_events=column_ifexists('events_s', ''),
de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),
de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),
de_rule_url=column_ifexists('rule_url_s', '')
| project
de_device_ip,
de_event_count,
Expand Down Expand Up @@ -347,8 +348,9 @@ FunctionQuery: |
de_uuid,
de_username,
de_hostname,
de_dhcp,
de_pdns,
de_primary_attack_id,
de_secondary_attack_id,
de_rule_url,
Type
};
9 changes: 5 additions & 4 deletions Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.1 | 31-05-2024 | Replace Metastream with FortiNDR Cloud API |
| 3.0.0 | 29-02-2024 | Initial Solution Release |
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-------------------------------------------------------|
| 3.0.2 | 30-09-2024 | Show mitre attack ids and link to detection rule page |
| 3.0.1 | 31-05-2024 | Replace Metastream with FortiNDR Cloud API |
| 3.0.0 | 29-02-2024 | Initial Solution Release |
Original file line number Diff line number Diff line change
Expand Up @@ -1964,21 +1964,10 @@
}
},
{
"columnMatch": "de_dhcp",
"columnMatch": "de_rule_url",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "DHCP",
"linkIsContextBlade": true
}
},
{
"columnMatch": "de_pdns",
"formatter": 7,
"formatOptions": {
"linkTarget": "CellDetails",
"linkLabel": "PDNS",
"linkIsContextBlade": true
"linkTarget": "Url"
}
},
{
Expand All @@ -1991,7 +1980,133 @@
}
],
"rowLimit": 1000,
"filter": true
"filter": true,
"labelSettings": [
{
"columnId": "de_device_ip",
"label": "device_ip"
},
{
"columnId": "de_event_count",
"label": "event_count"
},
{
"columnId": "de_events",
"label": "events"
},
{
"columnId": "de_indicators",
"label": "indicators"
},
{
"columnId": "de_last_seen",
"label": "last_seen"
},
{
"columnId": "de_status",
"label": "status"
},
{
"columnId": "de_rule_name",
"label": "rule_name"
},
{
"columnId": "de_severity",
"label": "severity"
},
{
"columnId": "de_confidence",
"label": "confidence"
},
{
"columnId": "de_resolved_by",
"label": "resolved_by"
},
{
"columnId": "de_resolution",
"label": "resolution"
},
{
"columnId": "de_resolution_comment",
"label": "resolution_comment"
},
{
"columnId": "de_date_resolved",
"label": "date_resolved"
},
{
"columnId": "de_rule_uuid",
"label": "rule_uuid"
},
{
"columnId": "de_category",
"label": "category"
},
{
"columnId": "de_created",
"label": "created"
},
{
"columnId": "de_updated",
"label": "updated"
},
{
"columnId": "de_first_seen",
"label": "first_seen"
},
{
"columnId": "de_muted",
"label": "muted"
},
{
"columnId": "de_rule_muted",
"label": "rule_muted"
},
{
"columnId": "de_mute_comment",
"label": "mute_comment"
},
{
"columnId": "de_muted_by",
"label": "muted_by"
},
{
"columnId": "de_date_muted",
"label": "date_muted"
},
{
"columnId": "de_sensor_id",
"label": "sensor_id"
},
{
"columnId": "de_account_id",
"label": "account_id"
},
{
"columnId": "de_uuid",
"label": "uuid"
},
{
"columnId": "de_username",
"label": "username"
},
{
"columnId": "de_hostname",
"label": "hostname"
},
{
"columnId": "de_primary_attack_id",
"label": "primary_attack_id"
},
{
"columnId": "de_secondary_attack_id",
"label": "secondary_attack_id"
},
{
"columnId": "de_rule_url",
"label": "rule_url"
}
]
},
"tileSettings": {
"showBorder": false
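Review bot: In the first hunk of the workbook, the `de_rule_url` column is now rendered with `"linkTarget": "Url"`, which turns whatever string arrives in `rule_url_s` from an ingested detection into a clickable hyperlink target, with nothing on this page constraining its scheme or host. The two parser sections earlier on the page only fall back to '' via column_ifexists when the column is absent, so a present-but-unexpected value is passed through unchanged. Narrowing it at the parser is a one-line change, e.g. `de_rule_url=iff(column_ifexists('rule_url_s', '') startswith 'https://', column_ifexists('rule_url_s', ''), '')`, or alternatively note in the workbook's column description that rule_url is rendered verbatim from the FortiNDR Cloud API. The large `labelSettings` block in the second hunk only relabels columns and raises nothing.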

