11 changes: 8 additions & 3 deletions microsoft-defender/src/openbas_microsoft_defender.py
Expand Up @@ -391,6 +391,7 @@ async def _process_alerts(self, graph_client):
"Found " + str(len(alerts.results)) + " alerts with signatures"
)
# For each expectation, try to find the proper alert to assign a detection or prevention result
traces_to_create: list[dict[str, str]] = []
for expectation in expectations:
if expectation in expectations_not_filled:
# Check expired expectation
Expand Down Expand Up @@ -463,7 +464,7 @@ async def _process_alerts(self, graph_client):
)
expectations_not_filled.remove(expectation)

# Send alert to openbas for current matched expectation. Duplicate alerts are handled by openbas itself
# Save alert to openbas for current matched expectation. Duplicate alerts are handled by openbas itself
self.helper.collector_logger.info(
"Expectation matched, adding trace for expectation "
+ expectation["inject_expectation_inject"]
Expand All @@ -472,8 +473,8 @@ async def _process_alerts(self, graph_client):
+ ")"
)
for evidence in evidences:
self.helper.api.inject_expectation_trace.create(
data={
traces_to_create.append(
{
"inject_expectation_trace_expectation": expectation[
"inject_expectation_id"
],
Expand All @@ -492,6 +493,10 @@ async def _process_alerts(self, graph_client):
}
)

self.helper.api.inject_expectation_trace.bulk_create(
payload={"expectation_traces": traces_to_create}
)

def _process_message(self) -> None:
# Auth
credential = ClientSecretCredential(
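Review bot: The new `bulk_create` call in the last hunk is issued unconditionally, so a polling cycle in which no expectation matched still sends an empty `{"expectation_traces": []}` payload to the OpenBAS API; guard it with `if traces_to_create:` before the call. The batching also changes the failure mode: with per-evidence `create` calls, traces added before an exception in the expectation loop were already persisted, whereas now any exception raised before the final `bulk_create` discards every trace matched in this cycle, which is worth a comment such as `# Traces are flushed in one request at the end; an exception in the loop above loses all of them for this cycle`. The rendered view drops indentation, so I could not confirm that `bulk_create` sits outside the `for expectation in expectations:` loop rather than inside it. `_process_alerts` starts before the first hunk.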
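--- a/microsoft-sentinel/src/openbas_microsoft_sentinel.py
+++ b/microsoft-sentinel/src/openbas_microsoft_sentinel.py
@@ -230,6 +230,7 @@ def _process_alerts(self):
 
 endpoint_per_asset = {}
 # For each expectation, try to find the proper alert to assign a detection or prevention result
+traces_to_create: list[dict[str, str]] = []
 for expectation in expectations:
 if expectation["inject_expectation_asset"] not in endpoint_per_asset:
 endpoint_per_asset[expectation["inject_expectation_asset"]] = (
@@ -313,16 +314,16 @@ def _process_alerts(self):
 )
 expectations_not_filled.remove(expectation)
 
-# Send alert to openbas for current matched expectation. Duplicate alerts are handled by openbas itself
+# Save alert to openbas for current matched expectation. Duplicate alerts are handled by openbas itself
 self.helper.collector_logger.info(
 "Expectation matched, adding trace for expectation "
 + expectation["inject_expectation_inject"]
 + " ("
 + expectation["inject_expectation_type"]
 + ")"
 )
-self.helper.api.inject_expectation_trace.create(
-data={
+traces_to_create.append(
+{
 "inject_expectation_trace_expectation": expectation[
 "inject_expectation_id"
 ],
@@ -346,6 +347,9 @@ def _process_alerts(self):
 ],
 }
 )
+self.helper.api.inject_expectation_trace.bulk_create(
+payload={"expectation_traces": traces_to_create}
+)
 
 def _process_message(self) -> None:
 self._process_alerts()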
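Review bot: The `bulk_create` call added in the last hunk has no guard for an empty `traces_to_create`, so every collector period without a matched expectation still posts an empty `expectation_traces` list to OpenBAS; add `if traces_to_create:` in front of it. Because the rendered diff drops indentation, I cannot confirm that the call sits at loop level rather than inside `for expectation in expectations:`; if it were inside the loop, the growing list would be re-submitted on every iteration and the "duplicates are handled by openbas itself" comment would be doing real work, so please verify the nesting. A short comment stating the intent, `# Flush all traces matched in this cycle in a single request`, would make that placement explicit. `_process_alerts` begins before the first hunk.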
11 changes: 8 additions & 3 deletions tanium-threat-response/src/openbas_tanium_threat_response.py
Expand Up @@ -283,6 +283,7 @@ def _process_message(self) -> None:
)

# For each expectation, try to find the proper alert to assign a detection or prevention result
traces_to_create: list[dict[str, str]] = []
for expectation in expectations:
if expectation in expectations_not_filled:
# Check expired expectation
Expand Down Expand Up @@ -333,16 +334,16 @@ def _process_message(self) -> None:
)
expectations_not_filled.remove(expectation)

# Send alert to openbas for current matched expectation. Duplicate alerts are handled by openbas itself
# Save alert to openbas for current matched expectation. Duplicate alerts are handled by openbas itself
self.helper.collector_logger.info(
"Expectation matched, adding trace for expectation "
+ expectation["inject_expectation_inject"]
+ " ("
+ expectation["inject_expectation_type"]
+ ")"
)
self.helper.api.inject_expectation_trace.create(
data={
traces_to_create.append(
{
"inject_expectation_trace_expectation": expectation[
"inject_expectation_id"
],
Expand All @@ -361,6 +362,10 @@ def _process_message(self) -> None:
}
)

self.helper.api.inject_expectation_trace.bulk_create(
payload={"expectation_traces": traces_to_create}
)

# Start the main loop
def start(self):
period = self.config.get_conf("collector_period", default=120, is_number=True)
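Review bot: Deferring the write to one `bulk_create` at the end of `_process_message` means that any exception raised inside the expectation loop now loses every trace matched earlier in the same cycle, where the previous per-evidence `create` had already persisted them; if that is acceptable, say so in a comment next to the call, otherwise consider catching per-expectation errors so the accumulated list still gets flushed. The call should also be skipped when nothing was matched, `if traces_to_create:`, to avoid an empty bulk request on every period. The `list[dict[str, str]]` annotation asserts that every trace value is a string, which the visible fields appear to satisfy but the hidden ones in the elided part of the dict are not shown here, so please check it against the full literal. `_process_message` starts before the first hunk and `start` continues past the last one.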