Network connectors (#207)

* Refactor customer network connector processing in routes.py

* provision fortinet network connector things

* Fix client ID comparison in delete_agent function

* added network connectors api/types

* added external services pages

* add fortinet dashboards

* Add Fortinet dashboard schema and provisioning logic

* Add FortinetDashboard to provision_dashboards function

* Create fortinet dashboards during provisioning

* Refactor code to collect content pack ID by name in Graylog services

* Refactor content pack input ID retrieval in Graylog services

* decomission of network connector

* Update Docker workflow to notify Discord after successful image build and push

* Update Discord webhook version in Docker workflow

* Update branch name in Docker workflow from network-connectors to main

* Update Docker workflow messages for backend and frontend image updates

* Refactor database name format in create_grafana_datasource function

* crowdstrike content pack templates

* crowdstrike integration markdown

* Add Crowdstrike integration and authentication keys

* crowdstrike provisioning things

* provision and decom crowdstrike

* falconhose

* Update branch name in Docker workflow from network-connectors to main

* Add directory creation for customer docker compose and falconhose cfg

* Replace spaces with underscores in customer names

* Replace spaces with underscores in customer names

* Update Docker Compose volume path for CrowdStrike integration

* update o365 dashboards

* Update branch name in Docker workflow from network-connectors to main

* Add get_customer_default_settings_attribute function to provision.py

* build to fix grafana url in office365

* Update branch name in Docker workflow from network-connectors to main

* lower customer code in office365 index creation and grafana datasource creation

* add validator to customer code

* add grafana orgid to provision request for insert to DB

* Fix typo in create_office365_utc_rule function

* updated dependencies

* updated networkConnectors api

* added services components

* updated networkConnectors page

* updated customer integration components

* Update branch name in Docker workflow from network-connectors to main

* updated networkConnectors api/types

* added customer network connectors components

* updated dependencies

* added fortinet form

* move sap siem to modules

* Update branch name in Docker workflow from network-connectors to main

* Update URLs in SAP SIEM integration to use copilot-sap-module instead of localhost

* updated url check

* chore: Update available content packs overview in Graylog provision route

* chore: Refactor decommission network connector route and service

* refactor: Update Elasticsearch index retrieval to include open indices only

* chore: Update IndicesStats model with optional fields for docs_count and store_size

* added decommissionNetworkConnector feature

* chore: Refactor decommission network connector route and service

* precommit fixes

* chore: Update branch name in Docker workflow

---------

Co-authored-by: Davide Di Modica <[email protected]>

.env.example

@@ -13,31 +13,31 @@ ALERT_FORWARDING_IP=0.0.0.0
 
 # Connector Credentials
 # ! SETTING UP YOUR CONNECTORS DEMOs https://www.youtube.com/@taylorwalton_socfortress/videos! #
-WAZUH_INDEXER_URL=https://1.1.1.1:9200
+WAZUH_INDEXER_URL=https://127.1.1.1:9200
 WAZUH_INDEXER_USERNAME=admin
 WAZUH_INDEXER_PASSWORD=admin
 
-WAZUH_MANAGER_URL=https://1.1.1.1
+WAZUH_MANAGER_URL=https://127.1.1.1
 WAZUH_MANAGER_USERNAME=dummy
 WAZUH_MANAGER_PASSWORD=dummy
 
-GRAYLOG_URL=http://1.1.1.1
+GRAYLOG_URL=http://127.1.1.1
 GRAYLOG_USERNAME=dummy
 GRAYLOG_PASSWORD=dummy
 
-SHUFFLE_URL=https://1.1.1.1
+SHUFFLE_URL=https://127.1.1.1
 SHUFFLER_API_KEY=dummy
 
-DFIR_IRIS_URL=https://1.1.1.1
+DFIR_IRIS_URL=https://127.1.1.1
 DFIR_IRIS_API_KEY=dummy
 
-VELOCIRAPTOR_URL=https://1.1.1.1
+VELOCIRAPTOR_URL=https://127.1.1.1
 VELOCIRAPTOR_API_KEY_PATH=dummy
 
-SUBLIME_URL=http://1.1.1.1
+SUBLIME_URL=http://127.1.1.1
 SUBLIME_API_KEY=dummy
 
-INFLUXDB_URL=http://1.1.1.1
+INFLUXDB_URL=http://127.1.1.1
 INFLUXDB_API_KEY=dummy
 INFLUXDB_ORG_AND_BUCKET=dummy,dummy
 
@@ -47,18 +47,18 @@ ASKSOCFORTRESS_API_KEY=dummy
 SOCFORTRESSTHREATINTEL_URL=https://intel.socfortress.co/search
 SOCFORTRESSTHREATINTEL_API_KEY=dummy
 
-CORTEX_URL=http://1.1.1.1
+CORTEX_URL=http://127.1.1.1
 CORTEX_API_KEY=dummy
 
-GRAFANA_URL=http://1.1.1.1
+GRAFANA_URL=http://127.1.1.1
 GRAFANA_USERNAME=dummy
 GRAFANA_PASSWORD=dummy
 
-WAZUH_WORKER_PROVISIONING_URL=http://1.1.1.1
+WAZUH_WORKER_PROVISIONING_URL=http://127.1.1.1
 
 EVENT_SHIPPER_URL=graylog_host
 GELF_INPUT_PORT=gelf_port
 
-ALERT_CREATION_PROVISIONING_URL=http://1.1.1.1
+ALERT_CREATION_PROVISIONING_URL=http://127.1.1.1
 
-HAPROXY_PROVISIONING_URL=http://1.1.1.1
+HAPROXY_PROVISIONING_URL=http://127.1.1.1

.github/workflows/docker.yml

@@ -31,6 +31,13 @@ jobs:
                   build-args: |
                       COPILOT_API_KEY=${{ secrets.COPILOT_API_KEY }}
 
+            - name: Notify Discord
+              uses: appleboy/[email protected]
+              with:
+                  webhook_id: ${{ secrets.DISCORD_WEBHOOK_ID }}
+                  webhook_token: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
+                  message: "Docker image for backend has been updated."
+
     build-frontend:
         runs-on: ubuntu-latest
 
@@ -54,3 +61,10 @@ jobs:
                   context: ./frontend
                   push: true
                   tags: ghcr.io/socfortress/copilot-frontend:latest
+
+            - name: Notify Discord
+              uses: appleboy/[email protected]
+              with:
+                  webhook_id: ${{ secrets.DISCORD_WEBHOOK_ID }}
+                  webhook_token: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
+                  message: "Docker image for frontend has been updated."

README.md

@@ -154,10 +154,6 @@ docker compose up -d
 
 Copilot is designed to be a single pane of glass for your security operations. Think of it as a hub for all your security tools. Copilot Connectors are the glue that binds your security tools to Copilot. We take advantage of the APIs and webhooks provided by your security tools to provide a seamless integration.
 
-## Related repositories
-
--   Provision Wazuh Worker Application: [https://github.com/socfortress/Customer-Provisioning-Worker](https://github.com/socfortress/Customer-Provisioning-Worker)
-
 ## Help
 
 You can reach us on [Discord](https://discord.gg/UN3pNBzaEQ) or by [📧](mailto:[email protected]) if you have any question, issue or idea!

backend/alembic/versions/16855d538921_modify_network_connectors_meta_table.py

@@ -0,0 +1,31 @@
+"""Modify network connectors meta table
+
+Revision ID: 16855d538921
+Revises: 74a095d63af4
+Create Date: 2024-04-28 10:47:04.006263
+
+"""
+from typing import Sequence
+from typing import Union
+
+import sqlalchemy as sa
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "16855d538921"
+down_revision: Union[str, None] = "74a095d63af4"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column("customer_network_connectors_meta", sa.Column("graylog_pipeline_id", sa.String(length=1024), nullable=False))
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("customer_network_connectors_meta", "graylog_pipeline_id")
+    # ### end Alembic commands ###

backend/alembic/versions/d05281d02b0f_add_content_pack_ids_network_connectors_.py

@@ -0,0 +1,33 @@
+"""Add content pack ids network connectors meta table
+
+Revision ID: d05281d02b0f
+Revises: 16855d538921
+Create Date: 2024-05-01 09:35:17.751914
+
+"""
+from typing import Sequence
+from typing import Union
+
+import sqlalchemy as sa
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "d05281d02b0f"
+down_revision: Union[str, None] = "16855d538921"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column("customer_network_connectors_meta", sa.Column("graylog_content_pack_input_id", sa.String(length=1024), nullable=False))
+    op.add_column("customer_network_connectors_meta", sa.Column("graylog_content_pack_stream_id", sa.String(length=1024), nullable=False))
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("customer_network_connectors_meta", "graylog_content_pack_stream_id")
+    op.drop_column("customer_network_connectors_meta", "graylog_content_pack_input_id")
+    # ### end Alembic commands ###

backend/alembic/versions/ec63589cc24d_add_grafana_datasource_uid_to_network_.py

@@ -0,0 +1,31 @@
+"""Add grafana datasource uid to network connectors meta table
+
+Revision ID: ec63589cc24d
+Revises: d05281d02b0f
+Create Date: 2024-05-01 11:05:15.935826
+
+"""
+from typing import Sequence
+from typing import Union
+
+import sqlalchemy as sa
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "ec63589cc24d"
+down_revision: Union[str, None] = "d05281d02b0f"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column("customer_network_connectors_meta", sa.Column("grafana_datasource_uid", sa.String(length=1024), nullable=False))
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("customer_network_connectors_meta", "grafana_datasource_uid")
+    # ### end Alembic commands ###

backend/app/agents/routes/agents.py

@@ -455,7 +455,7 @@ async def delete_agent(
     await delete_agent_wazuh(agent_id)
     client_id = await fetch_velociraptor_id(db=session, agent_id=agent_id)
     logger.info(f"Client ID: {client_id}")
-    if client_id != "n/a":
+    if client_id != "Unknown":
         await delete_agent_velociraptor(client_id)
     await delete_agent_from_database(db=session, agent_id=agent_id)
     return AgentModifyResponse(