From 9d6e6af741d990687d1c6471e79f4b820188f940 Mon Sep 17 00:00:00 2001
From: "robert.lowery.5@gmail.com"
Date: Mon, 20 May 2024 15:28:14 +0100
Subject: [PATCH 1/3] Added support for Jira, Pagerduty and Increased Slack to include webooks and custom fields

---
 contentctl/objects/alert_action.py | 10 ++++++++
 contentctl/objects/deployment_jira.py | 15 ++++++++++++
 contentctl/objects/deployment_pagerduty.py | 6 +++++
 contentctl/objects/deployment_slack.py | 4 +++-
 .../templates/savedsearches_detections.j2 | 24 +++++++++++++++++++
 5 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 contentctl/objects/deployment_jira.py
 create mode 100644 contentctl/objects/deployment_pagerduty.py

diff --git a/contentctl/objects/alert_action.py b/contentctl/objects/alert_action.py
index f2f745d4..6629aa67 100644
--- a/contentctl/objects/alert_action.py
+++ b/contentctl/objects/alert_action.py
@@ -7,6 +7,8 @@
 from contentctl.objects.deployment_rba import DeploymentRBA
 from contentctl.objects.deployment_slack import DeploymentSlack
 from contentctl.objects.deployment_phantom import DeploymentPhantom
+from contentctl.objects.deployment_jira import DeploymentJira
+from contentctl.objects.deployment_pagerduty import DeploymentPagerDuty
 
 class AlertAction(BaseModel):
     email: Optional[DeploymentEmail] = None
@@ -14,6 +16,8 @@ class AlertAction(BaseModel):
     rba: Optional[DeploymentRBA] = DeploymentRBA()
     slack: Optional[DeploymentSlack] = None
     phantom: Optional[DeploymentPhantom] = None
+    jira: Optional[DeploymentJira] = None
+    pagerduty: Optional[DeploymentPagerDuty] = None
 
 
     @model_serializer
@@ -36,5 +40,11 @@ def serialize_model(self):
         if self.phantom is not None:
             raise Exception("Phantom not implemented")
 
+        if self.jira is not None:
+            raise Exception("Jira not implemented")
+
+        if self.pagerduty is not None:
+            raise Exception("PagerDuty not implemented")
+
         #return the model
         return model
\ No newline at end of file
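Review bot: The new `jira` and `pagerduty` guards in `serialize_model` raise a bare `Exception` whenever either action is configured, while the `savedsearches_detections.j2` hunk in this same patch renders `action.jira_service_desk.*` and `action.pagerduty.*` for exactly those deployments, so whether a Jira or PagerDuty deployment can be built depends on whether this serializer sits on the template's path — confirm which is intended before merging. If the template support is meant to ship, drop the two guards; if it is meant to be deferred, raise a typed error so callers can tell a deliberate gap from an unexpected failure, `raise NotImplementedError("Jira alert action is not implemented")` and likewise for PagerDuty. The pre-existing `phantom` guard has the same shape, so whichever choice is made should be applied to all three for consistency. `serialize_model` begins above this hunk.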
diff --git a/contentctl/objects/deployment_jira.py b/contentctl/objects/deployment_jira.py
new file mode 100644
index 00000000..39268c9e
--- /dev/null
+++ b/contentctl/objects/deployment_jira.py
@@ -0,0 +1,15 @@
+
+from __future__ import annotations
+from pydantic import BaseModel
+
+class DeploymentJira(BaseModel):
+    account: str
+    jira_attachment: str
+    jira_dedup: str
+    jira_dedup_content: str
+    jira_description: str
+    jira_project: str
+    jira_issue_type: str
+    jira_priority: str
+    jira_priority_dynamic: str
+    jira_summary: str
diff --git a/contentctl/objects/deployment_pagerduty.py b/contentctl/objects/deployment_pagerduty.py
new file mode 100644
index 00000000..e2dd4cbb
--- /dev/null
+++ b/contentctl/objects/deployment_pagerduty.py
@@ -0,0 +1,6 @@
+from __future__ import annotations
+from pydantic import BaseModel
+
+class DeploymentPagerDuty(BaseModel):
+    pagerduty_description: str
+    integration_url_override: str
diff --git a/contentctl/objects/deployment_slack.py b/contentctl/objects/deployment_slack.py
index 294836e2..5a8dcfd1 100644
--- a/contentctl/objects/deployment_slack.py
+++ b/contentctl/objects/deployment_slack.py
@@ -4,4 +4,6 @@
 
 class DeploymentSlack(BaseModel):
     channel: str
-    message: str
\ No newline at end of file
+    message: str
+    webhook_url: str
+    fields: str
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index 92db3833..af84d173 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
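Review bot: Every field on `DeploymentJira` is a required bare `str`, so values the Jira alert action presumably treats as booleans or fixed choices (`jira_attachment`, `jira_dedup`, `jira_priority_dynamic`) are accepted unchecked at build time and can only fail, if at all, inside Splunk when the alert fires — where a broken ticketing action is silent. Once the accepted values are confirmed against the add-on, type those fields as `bool` or `Literal[...]`, and give genuinely optional parameters a `None` default so a deployment does not have to set all ten keys. The project's pydantic models are v2 (`model_serializer` in `alert_action.py`), so `model_config = ConfigDict(extra="forbid")` would make a misspelled key in deployment YAML a validation error instead of a silently dropped setting — unless a shared base model already does this. The class has no docstring; a one-liner naming the Splunk alert action these fields feed (`action.jira_service_desk.param.*` per the template) would help the next maintainer.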
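Review bot: `integration_url_override: str` is required even though its name suggests it overrides an integration URL already configured in the PagerDuty app, so every PagerDuty deployment must supply one; and because an Events API integration URL typically embeds the routing key, the value is a credential that the template in this patch writes in cleartext into `savedsearches.conf`. Make it optional — `integration_url_override: str | None = None` works since the module has `from __future__ import annotations` — and add a field comment such as `# secret: an Events API URL carries the routing key; deployment YAML that sets this must be handled as sensitive`. `pagerduty_description` also deserves a one-line comment stating which alert-action setting it maps to, once that is confirmed against the app.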
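Review bot: `webhook_url: str` and `fields: str` are added as required fields with no default, so any existing deployment that sets only `channel` and `message` now fails validation, and the `is defined` guards this same patch adds to the template for these two keys can never be false once the model has validated. Declare both optional with a `None` default (the module's imports are outside this hunk — use `Optional[str] = None` or `str | None = None` to match what is already imported) and have the template test for a non-`None` value instead. A Slack incoming-webhook URL is a bearer credential — anyone holding it can post to the channel — so if it is rendered into `savedsearches.conf` the generated app must be treated as containing a secret; at minimum add `# secret: treat deployment files and generated apps containing this as sensitive` on the field.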
@@ -93,6 +93,30 @@ action.slack = 1
 action.slack.param.channel = {{ detection.deployment.alert_action.slack.channel | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
 action.slack.param.message = {{ detection.deployment.alert_action.slack.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
 {% endif %}
+{% if detection.deployment.alert_action.slack.webhook_url is defined %}
+action.slack.param.webhook_url = {{ detection.deployment.alert_action.slack.webhook_url | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+{% endif %}
+{% if detection.deployment.alert_action.slack.fields is defined %}
+action.slack.param.fields = {{ detection.deployment.alert_action.slack.fields | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+{% endif %}
+{% if detection.deployment.alert_action.jira %}
+action.jira_service_desk = 1
+action.jira_service_desk.param.account = {{ detection.deployment.alert_action.jira.account | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_attachment = {{ detection.deployment.alert_action.jira.jira_attachment | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_dedup = {{ detection.deployment.alert_action.jira.jira_dedup | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_dedup_content = {{ detection.deployment.alert_action.jira.jira_dedup_content | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_description = {{ detection.deployment.alert_action.jira.jira_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_issue_type = {{ detection.deployment.alert_action.jira.jira_issue_type | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_priority = {{ detection.deployment.alert_action.jira.jira_priority | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_priority_dynamic = {{ detection.deployment.alert_action.jira.jira_priority_dynamic | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_summary = {{ detection.deployment.alert_action.jira.jira_summary | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.jira_service_desk.param.jira_project = {{ detection.deployment.alert_action.jira.jira_project | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+{% endif %}
+{% if detection.deployment.alert_action.pagerduty %}
+action.pagerduty = 1
+action.pagerduty.description = {{ detection.deployment.alert_action.pagerduty.pagerduty_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+action.pagerduty.param.integration_url_override = {{ detection.deployment.alert_action.pagerduty.integration_url_override | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+{% endif %}
 {% if detection.deployment.alert_action.phantom%}
 action.sendtophantom = 1
 action.sendtophantom.param._cam_workers = {{ detection.deployment.alert_action.phantom.cam_workers | custom_jinja2_enrichment_filter(detection) }}
From 27aad4958591094371a05a6e2977b445e2e882c8 Mon Sep 17 00:00:00 2001
From: Rob Lowery <50412363+0xrob@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:14:46 +0100
Subject: [PATCH 2/3] Update deployment_slack.py

---
 contentctl/objects/deployment_slack.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contentctl/objects/deployment_slack.py b/contentctl/objects/deployment_slack.py
index 5a8dcfd1..aaa4272e 100644
--- a/contentctl/objects/deployment_slack.py
+++ b/contentctl/objects/deployment_slack.py
@@ -5,5 +5,5 @@
 class DeploymentSlack(BaseModel):
     channel: str
     message: str
-    webhook_url: str
+    webhook_url_override: str
     fields: str
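Review bot: The two new `webhook_url` / `fields` blocks are placed after the `{% endif %}` that closes the `slack` section, so they are not gated by the slack check at all — they only stay quiet when `alert_action.slack` is unset because Jinja turns `None.webhook_url` into an undefined value — and when slack is set they test `is defined` against pydantic attributes that always exist, so the guard never suppresses output and an optional field left at `None` would emit `action.slack.param.webhook_url = None`. Move both blocks inside the slack section and test the value, e.g. `{% if detection.deployment.alert_action.slack.webhook_url is not none %}`. Separately, `action.pagerduty.description = ...` is the only setting in this hunk written outside the `.param.` namespace that every other alert-action parameter here uses; unless the PagerDuty app reads `action.pagerduty.description` directly, it should be `action.pagerduty.param.description` — confirm against the app's `alert_actions.conf`. The enclosing `{% if ... slack %}` block starts above this hunk.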
From 0ebe2c587e5dcb3f91fa46d422f1656aa60dd841 Mon Sep 17 00:00:00 2001
From: Rob Lowery <50412363+0xrob@users.noreply.github.com>
Date: Wed, 31 Jul 2024 12:15:15 +0100
Subject: [PATCH 3/3] Update savedsearches_detections.j2

---
 contentctl/output/templates/savedsearches_detections.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index af84d173..4b153985 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -93,8 +93,8 @@ action.slack = 1
 action.slack.param.channel = {{ detection.deployment.alert_action.slack.channel | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
 action.slack.param.message = {{ detection.deployment.alert_action.slack.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
 {% endif %}
-{% if detection.deployment.alert_action.slack.webhook_url is defined %}
-action.slack.param.webhook_url = {{ detection.deployment.alert_action.slack.webhook_url | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
+{% if detection.deployment.alert_action.slack.webhook_url_override is defined %}
+action.slack.param.webhook_url_override = {{ detection.deployment.alert_action.slack.webhook_url_override | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
 {% endif %}
 {% if detection.deployment.alert_action.slack.fields is defined %}
 action.slack.param.fields = {{ detection.deployment.alert_action.slack.fields | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}