def createRTIRIncident(esid): search = get_hits(esid) rtir_url = parser.get('rtir', 'rtir_url') rtir_api = parser.get('rtir', 'rtir_api') rtir_user = parser.get('rtir', 'rtir_user') rtir_pass = parser.get('rtir', 'rtir_pass') rtir_queue = parser.get('rtir', 'rtir_queue') rtir_creator = parser.get('rtir', 'rtir_creator') verify_cert = parser.getboolean('rtir', 'rtir_verifycert', fallback=False) for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) event = result['event'] rtir_subject = f'New {event["module"]}_{event["dataset"]} Event From Security Onion' rtir_text = description rtir_rt = rt.Rt(rtir_url + '/' + rtir_api, rtir_user, rtir_pass, verify_cert=verify_cert) rtir_rt.login() rtir_rt.create_ticket(Queue=rtir_queue, Owner=rtir_creator, Subject=rtir_subject, Text=rtir_text) rtir_rt.logout() # Redirect to RTIR instance return redirect(rtir_url)
def createFIREvent(esid): search = get_hits(esid) fir_api = '/api/incidents' fir_url = parser.get('fir', 'fir_url') fir_token = parser.get('fir', 'fir_token') actor = parser.get('fir', 'fir_actor') category = parser.get('fir', 'fir_category') confidentiality = parser.get('fir', 'fir_confidentiality') detection = parser.get('fir', 'fir_detection') plan = parser.get('fir', 'fir_plan') severity = parser.get('fir', 'fir_severity') verify_cert = parser.getboolean('fir', 'fir_verifycert', fallback=False) for result in search['hits']['hits']: result = result['_source'] message = result['message'] event = result['event'] description = str(message) subject = f'New {event["module"]}_{event["dataset"]} Event From Security Onion' headers = { 'Authorization': 'Token ' + fir_token, 'Content-type': 'application/json' } data = { "actor": actor, "category": category, "confidentiality": confidentiality, "description": description, "detection": detection, "plan": plan, "severity": int(severity), "subject": subject } requests.post(fir_url + fir_api, headers=headers, data=json.dumps(data), verify=verify_cert) # Redirect to FIR instance return redirect(fir_url + '/events')
def createMISPEvent(esid): search = get_hits(esid) # MISP Stuff misp_url = parser.get('misp', 'misp_url') misp_key = parser.get('misp', 'misp_key') misp_verifycert = parser.getboolean('misp', 'misp_verifycert', fallback=False) distrib = parser.get('misp', 'distrib') threat = parser.get('misp', 'threat') analysis = parser.get('misp', 'analysis') for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) info = description def init(url, key): return PyMISP(url, key, ssl=misp_verifycert, debug=True) misp = init(misp_url, misp_key) event = misp.new_event(distrib, threat, analysis, info) event_id = str(event['Event']['id']) if result.get('source', {}).get('ip'): data_type = "ip-src" source_ip = result['source']['ip'] misp.add_named_attribute(event_id, data_type, source_ip) if result.get('destination', {}).get('ip'): data_type = "ip-dst" destination_ip = result['destination']['ip'] misp.add_named_attribute(event_id, data_type, destination_ip) # Redirect to MISP instance return redirect(misp_url + '/events/index')
#!/usr/bin/env python # -*- coding: utf-8 -*- import requests from requests.utils import quote from config import parser, es_index esserver = parser.get('es', 'es_url') es_user = parser.get('es', 'es_user', fallback="") es_pass = parser.get('es', "es_pass", fallback="") es_verifycert = parser.getboolean('es', 'es_verifycert', fallback=False) search_index = f'*:{es_index}' def get_hits(esid: str) -> dict: query = {"query": {"bool": {"must": {"match": {'_id': esid}}}}} res_json = __es_search__(query) if res_json['hits']['total']['value'] > 0: return res_json def get_conn(conn_id: str) -> dict: query = {"bool": {"must": [{"match": {"event_type": "bro_conn"}}, {"match": {"uid": conn_id}}]}} res_json = __es_search__(query) if res_json['hits']['total']['value'] > 0: return res_json def do_update(esindex: str, esid: str, tags: str) -> dict: local_index = esindex.split(":")[1] query = {"doc": {"tags": tags}}
import requests from pymisp import PyMISP from config import parser from pymemcache.client.base import Client from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) memcached_host = parser.get('memcached', 'host') memcached_port = int(parser.get('memcached', 'port')) memcached_agetime = int(parser.get('memcached', 'agetime')) memcached_sleeptime = int(parser.get('memcached', 'sleeptime')) memcached = Client((memcached_host, memcached_port)) misp_url = parser.get('misp', 'url') misp_key = parser.get('misp', 'apikey') misp_verifycert = parser.getboolean('misp', 'verifycert') def getAttrs(): def init(url, key): return PyMISP(url, key, misp_verifycert, 'json') misp = init(misp_url, misp_key) call_path = 'attributes/restSearch' with open('misp2elastic.yaml', 'r') as f: mispyaml = yaml.safe_load(f) for i in mispyaml["iocs"]: for t in mispyaml["iocs"][i]["tags"]: search = '{"returnFormat":"json", "type":"' + i + '", "tags":"' + t + '"}' response = misp.direct_call(call_path, search) for event in response['response']['Attribute']:
import uuid import sys import rt import requests import os import base64 import time import jsonpickle import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) es_url = parser.get('es', 'es_url') hive_url = parser.get('hive', 'hive_url') hive_key = parser.get('hive', 'hive_key') hive_verifycert = parser.getboolean('hive', 'hive_verifycert', fallback=False) def hiveInit(): return TheHiveApi(hive_url, hive_key, cert=hive_verifycert) def createHiveAlert(esid): search = get_hits(esid) # Hive Stuff hive_url = parser.get('hive', 'hive_url') hive_api = hiveInit() tlp = int(parser.get('hive', 'hive_tlp')) for item in search['hits']['hits']: # Get initial details result = item['_source']
def thehive_casetemplate_update(issue_id): # Get play metadata - specifically the raw Sigma play_meta = play_metadata(issue_id) # Generate Sigma metadata sigma_meta = sigma_metadata(play_meta['sigma_raw'], play_meta['sigma_dict'], play_meta['playid']) # Check to see if there are any tasks - if so, get them formatted tasks = [] if sigma_meta.get('tasks'): task_order = 0 for task_title, task_desc in sigma_meta.get('tasks').items(): task_order += 1 tasks.append({ "order": task_order, "title": task_title, "description": task_desc }) else: tasks = [] for analyzer in play_meta['case_analyzers']: minimal_name = re.sub(r' - \S*$', '', analyzer) tasks.insert( 0, { "order": 0, "title": f"Analyzer - {minimal_name}", "description": minimal_name }) # Build the case template case_template = \ { "name": play_meta['playid'], "severity": 2, "tlp": 3, "metrics": {}, "customFields": { "playObjective": { "string": sigma_meta['description'] }, "playbookLink": { "string": f"{playbook_url}/issues/{issue_id}" } }, "description": sigma_meta['description'], "tasks": tasks } # Is there a Case Template already created? if play_meta['hiveid']: # Case Template exists - let's update it url = f"{parser.get('hive', 'hive_url')}api/case/template/{play_meta['hiveid']}" requests.patch(url, data=json.dumps(case_template), headers=hive_headers, verify=parser.getboolean('hive', 'hive_verifycert', fallback=False)).json() else: # Case Template does not exist - let's create it url = f"{parser.get('hive', 'hive_url')}api/case/template" r = requests.post(url, data=json.dumps(case_template), headers=hive_headers, verify=parser.getboolean('hive', 'hive_verifycert', fallback=False)) if r.status_code != 201: print(f"TheHive Template Creation Failed: {r.__dict__}", file=sys.stderr) else: # Update Play (on Redmine) with Case Template ID r = r.json() url = f"{playbook_url}/issues/{issue_id}.json" data = '{"issue":{"custom_fields":[{"id":7,"value":"' + r[ 'id'] + '"}]}}' requests.put(url, data=data, headers=playbook_headers, verify=playbook_verifycert) return 200, "success"
from ruamel.yaml.compat import StringIO import ruamel.yaml from config import parser yaml = ruamel.yaml.YAML(typ='safe') playbook_headers = { 'X-Redmine-API-Key': parser.get("playbook", "playbook_key"), 'Content-Type': 'application/json' } playbook_url = parser.get("playbook", "playbook_url") playbook_external_url = parser.get("playbook", "playbook_ext_url") playbook_unit_test_index = parser.get("playbook", "playbook_unit_test_index") playbook_verifycert = parser.getboolean('playbook', 'playbook_verifycert', fallback=False) hive_headers = { 'Authorization': f"Bearer {parser.get('hive', 'hive_key')}", 'Accept': 'application/json, text/plain', 'Content-Type': 'application/json;charset=utf-8' } es_url = parser.get("es", "es_url") es_ip = parser.get("es", "es_ip") es_verifycert = parser.getboolean('es', 'es_verifycert', fallback=False) def navigator_update(): # Get play data from Redmine