Just initialize this new branch for Cohesity internal collaboration/r… #2
Conversation
There was a problem hiding this comment.
@yinghuang123 , I finished my review. Please submit changes before you submit another round of reviews to Microsoft.
@ishitagupta25 , please chime in, too. In a few comments I specifically tagged you if I think that you should do the change.
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json
Outdated
Show resolved
Hide resolved
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json
Outdated
Show resolved
Hide resolved
| * need to rewrite GetAccessTokenAsync function | ||
| * as it uses obsolete technology to get the bearer token. | ||
| */ | ||
| internal async Task<string> GetAccessTokenAsync(string uri) |
There was a problem hiding this comment.
Rewrite GetAccessTokenAsync function as it uses obsolete technology to get the bearer token. Here's the migration guide to new authentication functions. Please remember that the new authentication mechanism may nit need TenantID, ClientID and and ClientKey, so you'll also have to apply changes in local.settings.json and the corresponding ARM templates.
There was a problem hiding this comment.
put this one to lower priority.
There was a problem hiding this comment.
You can also check how other pieces of code authenticate, e.g. https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Tools/Sample%20Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Incidents/IncidentsController.cs.
Also, check how we can put all secrets to the KeyVault to enable key rotation (see example at https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/AzureStorage#readme)
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs
Outdated
Show resolved
Hide resolved
Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json
Outdated
Show resolved
Hide resolved
Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json
Outdated
Show resolved
Hide resolved
Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json
Outdated
Show resolved
Hide resolved
Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json
Outdated
Show resolved
Hide resolved
yinghuang123
force-pushed
the
CohesitySecurity.internal
branch
from
8463ba0 to
2bb8bdb
Compare
There was a problem hiding this comment.
@yinghuang123 , I walked through your changes. The code definitely looks better in terms of handling exceptions and parallelism. I left only a few comments.
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs
Outdated
Show resolved
Hide resolved
| log.LogError("URI --> " + URI); | ||
| log.LogError("body --> " + body); | ||
| log.LogError("ex --> " + ex.Message); | ||
| throw new Exception(); |
There was a problem hiding this comment.
Move it outside of the catch block, i.e. outside of the exception handler. Place it after the line 71. This way, it'll be clearer that you're intentionally re-throwing the exception if the code didn't reach ln 63: return result. Also, it'd be great to explain in the comments why you're doing it and how to customize your queue wait and retry times.
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/host.json
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| [FunctionName("IncidentConsumer")] | ||
| [FixedDelayRetry(5, "00:05:00")] |
There was a problem hiding this comment.
I'd move these parameters to host.json file together with other settings (see my another comment in host.json).
.script/tests/KqlvalidationsTests/CustomTables/HeliosAuditNativePoller_CL.json
Outdated
Show resolved
Hide resolved
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs
Outdated
Show resolved
Hide resolved
| "CohesityQueueName": "your CohesityQueueName", | ||
| "DefaultEndpointsProtocol": "your DefaultEndpointsProtocol", | ||
| "AccountKey": "your AccountKey", | ||
| "BlobEndpoint": "https://127.0.0.1:10000/devstoreaccount1", |
There was a problem hiding this comment.
I don't think that you use the following parameters anywhere.
- "BlobEndpoint": "https://127.0.0.1:10000/devstoreaccount1"
- "QueueEndpoint": "https://127.0.0.1:10001/devstoreaccount1"
- "TableEndpoint": "https://127.0.0.1:10002/devstoreaccount1"
Please remove them.
| "IsEncrypted": false, | ||
| "Values": { | ||
| "AzureWebJobsStorage": "UseDevelopmentStorage=true", | ||
| "apiKey": "11111111-2222-3333-4444-555555555555", |
There was a problem hiding this comment.
Come up with a single standard for naming variables and stick to it. For ex, apiKey is written in camel case starting from the lowercase letter, while CohesityQueueName starts from the uppercase letter.
| } | ||
| else | ||
| { | ||
| throw new InvalidProgramException("Invalid format string"); |
There was a problem hiding this comment.
Make the error message clearer and more specific, e.g. "Invalid storage connection string."
| try | ||
| { | ||
| const string container = "extra-parameters"; | ||
| string Blob = incidentID + "\\" + param; // ID unique to the incident |
There was a problem hiding this comment.
Nit: Come up with a single way for variable naming and stick to it. For ex, Blob starts from the uppercase letter and blobStorageKeys from the lowercase one.
There was a problem hiding this comment.
These 2 variables can be made class variables and can be initialized only once in RunAsync. There's no need to re-initialize them every time in every function call as they never change.
var blobStorageConnectionString = Environment.GetEnvironmentVariable("BlobStorageConnectionString");
var blobStorageKeys = Environment.GetEnvironmentVariable("BlobStorageAccountKeys");
There was a problem hiding this comment.
Also, after your remove the variables above to a different place, will you still need TextWriter function for just 2 lines of code? Probably, it'd be better to remove the function and just directly call
WriteData(incidentID + "\\" + param, value);
|
|
||
| foreach (var alert in alerts) | ||
| { | ||
| await ParseAlertToQueueAsync(outputQueueItem, alert, log); |
There was a problem hiding this comment.
Why are you doing it sequentially now? There was a code here that did all iterations in parallel.
| else | ||
| output.properties.severity = "Medium"; | ||
| break; | ||
| case 0: |
There was a problem hiding this comment.
Nit: Sort the case statements in ascending order for a better readability, like this
case 0:
case 4:
case 7:
case 10:
case 11:
| { | ||
| switch (i) | ||
| { | ||
| case 12: |
There was a problem hiding this comment.
Nit: For a better readability, put case 12 statement to the end of switch as it's easier to read when the values go in ascending order, especially if we plan to extend the amount of extra info.
| { | ||
| try | ||
| { | ||
| const string container = "extra-parameters"; |
There was a problem hiding this comment.
The container name can't be hardcoded as users are supposed to create it prior deployment.
- Create an environment variable with the container name. Make the default value equal to "cohesity-extra-parameters".
- Make sure that the corresponding playbooks are getting it as a parameter as well.
- The corresponding readme-files should be updated with the instructions about creating containers and entering container names during deployment.
I also think that this constant can be initialized only once, e.g. in RunAsync or when the object is created. You can make it a class variable as there's no need to re-initialize it multiple times with every function call.
| { | ||
| var db = Connection.GetDatabase(); | ||
| string apiKey = Environment.GetEnvironmentVariable("apiKey"); | ||
| string redisKey = Environment.GetEnvironmentVariable("workspace") + apiKey; |
There was a problem hiding this comment.
With introducing the storage blob we don't really need storing timestamps in Redis anymore. We can re-use the same container and create there a separate blob with the name equal to Environment.GetEnvironmentVariable("workspace") + apiKey.
It'll reduce monthly bill for the customer.
take back the multi-thread implementation of ParseAlertToQueue
| } | ||
| } | ||
|
|
||
| private static void WriteData(string storageConnectionString, string path, string data) |
There was a problem hiding this comment.
storageConnectionString doesn't change. There's no need to pass it all the time. You can get the value only once at the object creation time or in RunAsync.
private static void WriteData(string path, string data)
| { | ||
| if (CloudStorageAccount.TryParse(storageConnectionString, out var storageAccount)) | ||
| { | ||
| var cloudBlobClient = storageAccount.CreateCloudBlobClient(); |
There was a problem hiding this comment.
The values of these variables don't change much. You can easily set them up during object initialization or in RunAsync.
var cloudBlobClient = storageAccount.CreateCloudBlobClient();
var container = cloudBlobClient.GetContainerReference(containerName);
| try | ||
| { | ||
| const string container = "extra-parameters"; | ||
| string Blob = incidentID + "\\" + param; // ID unique to the incident |
There was a problem hiding this comment.
Also, after your remove the variables above to a different place, will you still need TextWriter function for just 2 lines of code? Probably, it'd be better to remove the function and just directly call
WriteData(incidentID + "\\" + param, value);
…st_Snapshot update to read the details from blob storage.
Updated instructions for SNOW playbook to create automation rule for closing SNOW tickets.
Updated info related to using the KeyVault to store the API Key.
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel update to use keyvault instead of apiKey from env. rename some playbooks.
…o CohesitySecurity.internal
Typo
rename to Solutions/CohesitySecurity/Data Connectors/
…dent/azuredeploy.json +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_Close_Helios_Incident/readme.md
Added specific name for the vault
Added specific name for the playbook
- Fixed broken links - Added info about the Cohesity Close Helios Incident playbook - Did some formatting
- Replaced Helios with DataHawk + a few other formatting changes.
- Added info about creating an automation trigger for closing SNOW tickets
Add info about skipping steps if the API key is already stored in the vault.
Typo.
Fixed broken links
Fixed broken links
Fixed broken links
Added connection authorization instructions
Added instructions about connection authorization
Test Azure func deploy
Update 3.0.0.zip of Infoblox Solution
Corrected URL
Adding queries to look for abnormal sch task creation and launch
…-files adding gcp firewall terraform file for quick setup
…torUpdate Updated azuredeploy template of Rubrik Data Connector to prevent public access and cross tenant replicaion in storage account
Update ingestASimSampleData.py
Bumps [System.Text.Json](https://github.com/dotnet/runtime) from 8.0.4 to 8.0.5. - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v8.0.4...v8.0.5) --- updated-dependencies: - dependency-name: System.Text.Json dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
Fixing "Invalid Login Endpoint" issue
Added TeamCymruScout Solution
…ure-function-v4 Cybersixgill Actionable Alerts Python Version Upgrade
…tors/O365-DataCSharp/Teams.CustomConnector.StorageHandler/System.Text.Json-8.0.5 Bump System.Text.Json from 8.0.4 to 8.0.5 in /DataConnectors/O365 DataCSharp/Teams.CustomConnector.StorageHandler
Updated code to fix the bug in CrowdStrike Replicator V2
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| '{}(method={}) : "{}" field is not set in the environment please set ' | ||
| "the environment variable and run the app.".format( | ||
| self.logs_starts_with, | ||
| __method_name, | ||
| label, | ||
| ) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 4 months ago
To fix the problem, we should avoid logging the names of sensitive environment variables. Instead, we can log a generic message indicating that some required environment variables are missing without specifying which ones. This approach maintains the utility of the log message for debugging purposes while avoiding the exposure of potentially sensitive information.
- Modify the
validate_paramsmethod inSolutions/Team Cymru Scout/Data Connectors/TeamCymruScout/SharedCode/utils.pyto log a generic error message when required environment variables are missing. - Ensure that the log message does not include the names of the missing environment variables.
| @@ -63,7 +63,5 @@ | ||
| applogger.error( | ||
| '{}(method={}) : "{}" field is not set in the environment please set ' | ||
| "the environment variable and run the app.".format( | ||
| '{}(method={}) : A required environment variable is not set. Please check the configuration and set all required environment variables.'.format( | ||
| self.logs_starts_with, | ||
| __method_name, | ||
| label, | ||
| __method_name | ||
| ) |
…eview.
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present:
Guidance <- remove section before submitting
Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:
Thank you for your contribution to the Microsoft Sentinel Github repo.
Change(s):
Reason for Change(s):
Version updated:
Testing Completed:
Note: If updating a detection, you must update the version field.
Checked that the validations are passing and have addressed any issues that are present:
Note: Let us know if you have tried fixing the validation error and need help.