Added support for MS Sentinel (#12)

* Added support for MS Sentinel

* Incremented version

Author: dacoburn

README.md

@@ -33,4 +33,7 @@ jobs:
           trivy_exclude_dir: "/path/to/ignore"
           sumo_logic_enabled: true
           sumo_logic_http_source_url: https://example/url
+          ms_sentinel_enabled: true
+          ms_sentinel_workspace_id: REPLACE_ME
+          ms_sentinel_shared_key: REPLACE_ME
 ```

src/core/__init__.py

@@ -11,7 +11,7 @@
     "base_github"
 ]
 
-__version__ = "1.0.11"
+__version__ = "1.0.12"
 __author__ = "socket.dev"
 base_github = "https://github.com"
 

src/core/connectors/bandit/__init__.py

@@ -61,3 +61,24 @@ def create_output(data: dict, marker: str, repo: str, commit: str, cwd: str) ->
             md.create_md_file()
             output_str = md.file_data_text.lstrip()
         return output_str, bandit_result
+
+    @staticmethod
+    def transform_bandit_event(event):
+        """Transforms a Bandit security event into the correct Sentinel schema."""
+        return {
+            "TimeGenerated": datetime.utcnow().isoformat(),
+            "SourceComputerId": event.get("cwd", "Unknown"),
+            "OperationStatus": event.get("issue_severity", "Unknown"),
+            "Detail": event.get("issue_text", "Unknown"),
+            "OperationCategory": event.get("test_name", "Static Analysis"),
+            "Solution": event.get("more_info", "No remediation guide available"),
+            "Message": event.get("issue_text", "Unknown issue"),
+            "FilePath": event.get("filename", "Unknown"),
+            "URL": event.get("url", "N/A"),
+            "Timestamp": event.get("timestamp", datetime.utcnow().isoformat()),
+            "Plugin": "Bandit",
+            "Severity": event.get("issue_severity", "Unknown"),
+            "TestID": event.get("test_id", "Unknown"),
+            "CWE_ID": event.get("issue_cwe", {}).get("id", "Unknown"),
+            "CWE_Link": event.get("issue_cwe", {}).get("link", "Unknown")
+        }

src/core/load_plugins.py

@@ -1,5 +1,6 @@
 import os
 from core.plugins.sumologic import Sumologic
+from core.plugins.microsoft_sentinel import Sentinel
 
 
 def load_sumo_logic_plugin():
@@ -8,7 +9,7 @@ def load_sumo_logic_plugin():
 
     :return: Instance of the Sumologic class or None if not enabled/configured.
     """
-    sumo_logic_enabled = os.getenv("SUMO_LOGIC_ENABLED", "false").lower() == "true"
+    sumo_logic_enabled = os.getenv("INPUT_SUMO_LOGIC_ENABLED", "false").lower() == "true"
     if not sumo_logic_enabled:
         print("Sumo Logic integration is disabled.")
         return None
@@ -20,3 +21,23 @@ def load_sumo_logic_plugin():
         return None
 
     return Sumologic(sumo_logic_http_source_url)
+
+def load_ms_sentinel_plugin():
+    """
+    Loads the Microsoft Sentinel plugin if it is enabled and properly configured.
+
+    :return: Instance of the Microsoft Sentinel class or None if not enabled/configured.
+    """
+    ms_sentinel_enabled = os.getenv("INPUT_MS_SENTINEL_ENABLED", "false").lower() == "true"
+    if not ms_sentinel_enabled:
+        print("Microsoft Sentinel integration is disabled.")
+        return None
+
+    MS_SENTINEL_WORKSPACE_ID = os.getenv("INPUT_MS_SENTINEL_WORKSPACE_ID")
+    MS_SENTINEL_SHARED_KEY = os.getenv("INPUT_MS_SENTINEL_SHARED_KEY")
+
+    if not all([MS_SENTINEL_WORKSPACE_ID, MS_SENTINEL_SHARED_KEY]):
+        print("Microsoft Sentinel environment variables are not properly configured!")
+        return None
+
+    return Sentinel(MS_SENTINEL_WORKSPACE_ID, MS_SENTINEL_SHARED_KEY)

src/core/plugins/microsoft_sentinel/__init__.py

@@ -0,0 +1 @@
+from .sentinel import Sentinel

src/core/plugins/microsoft_sentinel/sentinel.py

@@ -0,0 +1,182 @@
+import json
+import hashlib
+import hmac
+import base64
+import requests
+from datetime import datetime, timezone
+
+
+default_log_type = 'SocketSecurityTool'
+
+
+class Sentinel:
+    def __init__(self, workspace_id: str, shared_key: str):
+        """
+        Initializes the Microsoft Sentinel client with credentials and HTTP source URL.
+
+        :param workspace_id: The Microsoft Sentinel Customer ID
+        :param shared_key: The Microsoft Sentinel Shared Key
+        :param log_type: The Microsoft Sentinel Log Type
+        """
+        self.workspace_id = workspace_id
+        self.shared_key = shared_key
+        self.uri = f"https://{self.workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
+
+    def _generate_signature(self, content_length: int, date: str) -> str:
+        """
+        Generates the HMAC SHA256 signature required for authentication.
+
+        :param content_length: Length of the request body
+        :param date: Current date in RFC 1123 format
+        :return: Authorization signature string
+        """
+        method = 'POST'
+        content_type = 'application/json'
+        resource = '/api/logs'
+        x_headers = f"x-ms-date:{date}"
+        string_to_hash = f"{method}\n{content_length}\n{content_type}\n{x_headers}\n{resource}"
+        bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
+
+        decoded_key = base64.b64decode(self.shared_key)
+        hashed_string = hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()
+        signature = base64.b64encode(hashed_string).decode()
+
+        return f"SharedKey {self.workspace_id}:{signature}"
+
+    def send_events(self, events: list, log_type: str = default_log_type) -> list:
+        """
+        Sends a single event to Microsoft Sentinel.
+
+        :param events: Dictionary representing the event data
+        :param log_type:
+        :return: Response from the Sentinel API
+        """
+        errors = []
+        events = Sentinel.normalize_events(events, log_type)
+        for event in events:
+            response = self.send_event(event, log_type)
+            if response["status_code"] != 200:
+                errors.append(response)
+        return errors
+
+    def send_event(self, event_data: dict, log_type: str = default_log_type) -> dict:
+        """
+        Sends a batch of events to a logging endpoint. This function serializes a
+        list of events into JSON format, computes the necessary authorization
+        headers, and sends them via an HTTP POST request to the configured logging
+        endpoint.
+
+        :param event_data: An event that is serialized to JSON
+            and sent to the logging endpoint.
+        :type event_data: dict
+        :param log_type: The type of log under which the events should be
+            categorized. Defaults to the class's `default_log_type`.
+        :type log_type: str, optional
+        :return: A dictionary with the HTTP response status code and response text
+            from the logging endpoint.
+        :rtype: dict
+        """
+        body = json.dumps(
+            {
+                "detail": event_data,
+                "SourceComputerId": "socket-security-tools"
+            }
+        )
+        content_length = len(body)
+        rfc1123date = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
+        authorization = self._generate_signature(content_length, rfc1123date)
+
+        headers = {
+            "Content-Type": "application/json",
+            "Authorization": authorization,
+            "Log-Type": log_type,
+            "x-ms-date": rfc1123date
+        }
+
+        response = requests.post(self.uri, data=body, headers=headers)
+        return {
+            "status_code": response.status_code,
+            "response_text": response.text
+        }
+
+    @staticmethod
+    def transform_gosec_event(event):
+        """Transforms a Gosec security event into the correct Sentinel schema."""
+        return {
+            "TimeGenerated": datetime.now(timezone.utc).isoformat(),
+            "SourceComputerId": event.get("cwd", "Unknown"),
+            "OperationStatus": event.get("confidence", "Unknown"),
+            "Detail": event.get("details", "Unknown"),
+            "OperationCategory": "Static Analysis",
+            "Solution": event.get("cwe", {}).get("url", "No remediation guide available"),
+            "Message": event.get("details", "Unknown"),
+            "FilePath": event.get("file", "Unknown"),
+            "URL": event.get("url", "N/A"),
+            "Timestamp": event.get("timestamp", datetime.now(timezone.utc).isoformat()),
+            "Plugin": "Gosec",
+            "Severity": event.get("severity", "Unknown"),
+            "RuleID": event.get("rule_id", "Unknown"),
+            "CWE_ID": event.get("cwe", {}).get("id", "Unknown"),
+        }
+
+    @staticmethod
+    def transform_bandit_event(event):
+        """Transforms a Bandit security event into the correct Sentinel schema."""
+        return {
+            "TimeGenerated": datetime.now(timezone.utc).isoformat(),
+            "SourceComputerId": event.get("cwd", "Unknown"),
+            "OperationStatus": event.get("issue_severity", "Unknown"),
+            "Detail": event.get("issue_text", "Unknown"),
+            "OperationCategory": event.get("test_name", "Static Analysis"),
+            "Solution": event.get("more_info", "No remediation guide available"),
+            "Message": event.get("issue_text", "Unknown issue"),
+            "FilePath": event.get("filename", "Unknown"),
+            "URL": event.get("url", "N/A"),
+            "Timestamp": event.get("timestamp", datetime.now(timezone.utc).isoformat()),
+            "Plugin": "Bandit",
+            "Severity": event.get("issue_severity", "Unknown"),
+            "TestID": event.get("test_id", "Unknown"),
+            "CWE_ID": event.get("issue_cwe", {}).get("id", "Unknown"),
+            "CWE_Link": event.get("issue_cwe", {}).get("link", "Unknown")
+        }
+
+    @staticmethod
+    def transform_trufflehog_event(event):
+        """Transforms a Trufflehog event into the correct Sentinel schema."""
+        return {
+            "TimeGenerated": datetime.now(timezone.utc).isoformat(),
+            "SourceComputerId": event.get("cwd", "Unknown"),
+            "OperationStatus": "Success" if event.get("Verified", False) else "Failure",
+            "Detail": event.get("DetectorName", "Unknown Detection"),
+            "OperationCategory": event.get("SourceName", "Secret Scanning"),
+            "Solution": event.get("ExtraData", {}).get("rotation_guide", "No remediation guide available"),
+            "Message": event.get("Raw", "Potential secret detected"),
+            "FilePath": event.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {}).get("file", "Unknown"),
+            "Timestamp": event.get("timestamp", datetime.now(timezone.utc).isoformat()),
+            "Plugin": "Trufflehog",
+            "Severity": "HIGH" if not event.get("Verified", False) else "LOW",
+            "SourceType": event.get("SourceType", "Unknown"),
+            "DetectorType": event.get("DetectorType", "Unknown")
+        }
+
+    @staticmethod
+    def normalize_events(events: list, plugin_name: str):
+        """Detects event type and normalizes them for Sentinel ingestion."""
+        formatted_events = []
+
+        for event in events:
+            if isinstance(event, str):
+                try:
+                    event = json.loads(event)  # Convert from string if necessary
+                except json.JSONDecodeError:
+                    print(f"Skipping invalid event: {event}")
+                    continue  # Skip invalid JSON entries
+
+            if "plugin_name" in event:
+                if "bandit" in plugin_name.lower():
+                    formatted_events.append(Sentinel.transform_bandit_event(event))
+                elif "trufflehog" in plugin_name.lower():
+                    formatted_events.append(Sentinel.transform_trufflehog_event(event))
+                elif "gosec" in plugin_name.lower():
+                    formatted_events.append(Sentinel.transform_gosec_event(event))
+        return formatted_events

src/socket_external_tools_runner.py

@@ -8,7 +8,7 @@
 from core.connectors.bandit import Bandit
 from core.connectors.gosec import Gosec
 from core.connectors.trufflehog import Trufflehog
-from core.load_plugins import load_sumo_logic_plugin
+from core.load_plugins import load_sumo_logic_plugin, load_ms_sentinel_plugin
 import os
 
 
@@ -19,6 +19,22 @@
     exit(1)
 
 
+def format_events(events):
+    formatted_events = []
+
+    for event in events:
+        if isinstance(event, str):  # If it's a JSON string, parse it into a dictionary
+            try:
+                event = json.loads(event)  # Convert string to dictionary
+            except json.JSONDecodeError:
+                print(f"Skipping invalid event: {event}")
+                continue  # Skip invalid JSON entries
+
+        formatted_events.append(event)  # Append properly formatted event
+
+    return formatted_events
+
+
 def load_json(name, connector: str, connector_type: str = 'single') -> dict:
     json_data = {}
     if connector_type == 'single':
@@ -45,6 +61,7 @@ def load_json(name, connector: str, connector_type: str = 'single') -> dict:
 
 
 sumo_client = load_sumo_logic_plugin()
+ms_sentinel = load_ms_sentinel_plugin()
 
 tool_bandit_name = "Bandit"
 tool_gosec_name = "Gosec"
@@ -102,6 +119,17 @@ def load_json(name, connector: str, connector_type: str = 'single') -> dict:
         print(errors) if (errors := sumo_client.send_events(bandit_events.get("events"), bandit_name)) else []
         print(errors) if (errors := sumo_client.send_events(gosec_events.get("events"), gosec_name)) else []
         print(errors) if (errors := sumo_client.send_events(truffle_events.get("events"), trufflehog_name)) else []
+    if ms_sentinel:
+        print("Issues detected with Security Tools. Please check Microsoft Sentinel Events")
+        ms_bandit_name = f"SocketSecurityToolsBandit"
+        ms_gosec_name = f"SocketSecurityToolsGosec"
+        ms_trufflehog_name = f"SocketSecurityToolsTrufflehog"
+        ms_bandit_events = format_events(bandit_events.get("events"))
+        ms_gosec_events = format_events(gosec_events.get("events"))
+        ms_trufflehog_events = format_events(truffle_events.get("events"))
+        print(errors) if (errors := ms_sentinel.send_events(ms_bandit_events, ms_bandit_name)) else []
+        print(errors) if (errors := ms_sentinel.send_events(ms_gosec_events, ms_gosec_name)) else []
+        print(errors) if (errors := ms_sentinel.send_events(ms_trufflehog_events, ms_trufflehog_name)) else []
     exit(1)
 else:
     print("No issues detected with Socket Security Tools")