def __init__(self): Responder.__init__(self) self.es_host = self.get_param('config.es_host', message='You have to configure an Elasticsearch host') self.es_port = self.get_param('config.es_port', default="9200") self.es_username = self.get_param('config.es_username') self.es_password = self.get_param('config.es_password') self.es_index = self.get_param('config.es_index', default='alert_hashes') self.es_kwargs = { 'hosts': [':'.join([self.es_host, self.es_port])] } if self.es_username: self.es_kwargs['http_auth'] = (self.es_username, self.es_password) self.es_kwargs.update({ 'use_ssl': self.get_param('es_use_ssl', default=False), 'verify_certs': self.get_param('es_verify_certs', default=False), 'client_cert': self.get_param('es_client_cert'), 'client_key': self.get_param('es_client_key'), 'ca_certs': self.get_param('es_ca_certs'), 'timeout': self.get_param('es_timeout', default=20) })
def __init__(self): Responder.__init__(self) self.service = self.get_param("config.service", None, "Service Missing") self.amp_cloud = self.get_param("config.amp_cloud", None, "AMP HOST Missing") self.client_id = self.get_param("config.client_id", None, "Client ID Missing") self.api_key = self.get_param("config.api_key", None, "API Key Missing") if self.service in ("scdadd", "scdremove"): self.scd_guid = self.get_param( "config.scd_guid", None, "Simple Custom Detectoin GUID Missing" ) if self.service in ("moveguid"): self.group_guid = self.get_param( "config.group_guid", None, "Group GUID Missing" ) if self.service in ("isolationstart"): self.unlock_code = self.get_param("config.unlock_code", None) self.amp_session = requests.Session() self.amp_session.auth = (self.client_id, self.api_key) self.amp_session.headers.update( { "User-Agent": "AMPforEndpoints-Cortex-Responder", "Content-Type": "application/json", "Accept": "application/json", "Accept-Encoding": "gzip, deflate", } )
def run(self): Responder.run(self) def api_call(ip_addr, port, command, json_payload, sid): url = 'https://' + str(ip_addr) + ':' + str(port) + '/web_api/' + command if sid == '': request_headers = {'Content-Type' : 'application/json'} else: request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid} r = requests.post(url,data=json.dumps(json_payload), headers=request_headers, verify=False) return r.json() def login(user,password): payload = {'user':user, 'password' : password} response = api_call('192.168.50.52', 443, 'login',payload, '') return response['sid'] sid = login(self.username,self.password) #print("session id: " + sid) new_host_data = {'name':'new host name', 'ip-address':self.host_ip} new_host_result = api_call('192.168.50.52', 443,'add-host', new_host_data ,sid) #print(json.dumps(new_host_result)) publish_result = api_call('192.168.50.52', 443,"publish", {},sid) #print("publish result: " + json.dumps(publish_result)) logout_result = api_call('192.168.50.52', 443,"logout", {},sid)
def __init__(self): Responder.__init__(self) self.flow_master_controller = self.get_param('config.flow_master_controller', None, "Endpoint is Missing") self.thehive_instance = self.get_param('config.thehive_instance', 'localhost:9000') self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') self.api = TheHiveApi(self.thehive_instance,self.thehive_api_key) self.Cert_Path = self.get_param('config.Cert_Path')
def run(self): Responder.run(self) if self.get_param('data.dataType') == 'domain': domain = self.get_param('data.data', None, 'No artifacts available') dstUrl = "http://" + domain date = datetime.now().strftime("%Y-%m-%dT%XZ") headers = { 'user-agent': 'UmbrellaBlacklister-Cortex-Responder', 'Content-Type': 'application/json' } payload = { "alertTime": date, "deviceId": "cortex_thehive", "deviceVersion": "2.4.81", "dstDomain": domain, "dstUrl": dstUrl, "eventTime": date, "protocolVersion": "1.0a", "providerName": "Security Platform" } r = requests.post(self.integration_url, json=payload, headers=headers) if r.status_code == 200 | 202: self.report({'message': 'Blacklisted in Umbrella.'}) else: self.error('Failed to add to blacklist.') else: self.error('Incorrect dataType. "Domain" expexted.')
def __init__(self): Responder.__init__(self) self.case_data_filter = [ "endDate", "startDate", "title", "createdAt", "caseId", "pap", "tlp", "severity", "owner", "createdBy", "updatedBy", "summary", "tags", "resolutionStatus", "impactStatus", "status", "customFields" ] self.case_observables_filter = [ "data", "dataType", "sighted", "tags", "createdAt", "createdBy", "pap", "tlp", "ioc", "startDate", "status" ] self.case_tasks_filter = [ "caseTasks", "updatedBy", "createdAt", "flag", "description", "title", "createdBy", "updatedAt", "order", "status", "group" ] self.api_key = self.get_param('config.api_key', None, 'Missing API-key') self.https_address = self.get_param('config.https_address', 'localhost') self.https_port = self.get_param('config.https_port', 9000, 'Missing thehive port') self.smtp_host = self.get_param('config.smtp_host', 'localhost') self.smtp_port = self.get_param('config.smtp_port', '25') self.mail_from = self.get_param('config.from', None, 'Missing sender email address') self.api = TheHiveApi( f"https://{self.https_address}:{self.https_port}", self.api_key)
def run(self): Responder.run(self) #data_type = self.get_param('data.dataType') auth = client.login(self.checkpoint_apikey) if self.server_ip == "ip": try: ipaddress.ip_address(self.server_ip) except ValueError: self.error({'message': "Not a valid IPv4/IPv6 address!"}) else: self.error({'message': "Not a valid IPv4/IPv6 address!"}) if auth.success is False: print("Login failed:\n{}".format(auth.error_message)) exit(1) # add a rule to the top of the "Network" layer add_rule_response = client.api_call("add-access-rule", {"name": self.rule_name, "layer": "Network", "position": "top"}) if add_rule_response.success: print("The rule: '{}' has been added successfully".format(self.rule_name)) # publish the result publish_res = client.api_call("publish", {}) if publish_res.success: print("The changes were published successfully.") else: print("Failed to publish the changes.") else: print("Failed to add the access-rule: '{}', Error:\n{}".format(self.rule_name, add_rule_response.error_message))
def run(self): Responder.run(self) title = self.get_param('data.title', None, 'title is missing') description = self.get_param('data.description', None, 'description is missing') mail_to = None if self.data_type == 'thehive:case': # Search recipient address in tags tags = self.get_param('data.tags', None, 'recipient address not found in tags') mail_tags = [t[5:] for t in tags if t.startswith('mail:')] if mail_tags: mail_to = mail_tags.pop() else: self.error('recipient address not found in observables') elif self.data_type == 'thehive:alert': # Search recipient address in artifacts artifacts = self.get_param('data.artifacts', None, 'recipient address not found in observables') mail_artifacts = [a['data'] for a in artifacts if a.get('dataType') == 'mail' and 'data' in a] if mail_artifacts: mail_to = mail_artifacts.pop() else: self.error('recipient address not found in observables') else: self.error('Invalid dataType') msg = MIMEMultipart() msg['Subject'] = title msg['From'] = self.mail_from msg['To'] = mail_to msg.attach(MIMEText(description, 'plain')) s = smtplib.SMTP(self.smtp_host) s.sendmail(self.mail_from, [mail_to], msg.as_string()) s.quit() self.report({'message': 'message sent'})
def run(self): Responder.run(self) auth = (self.wazuh_user, self.wazuh_password) headers = {'Content-Type': 'application/json'} # Check observable to ensure valid IP address if self.observable_type == "filename": try: os.path.isfile(self.observable) except ValueError: self.error({'message': "Not a file!"}) else: self.error({'message': "Not a file!"}) payload = '{"command":"file-encryptor.sh", "arguments": ["-", "' + self.observable + '", "var/log/test.log"], "custom": "True"}' r = requests.put(self.wazuh_manager + '/active-response/' + self.wazuh_agent_id, headers=headers, data=payload, verify=False, auth=auth) if r.status_code == 200: self.report({'message': "File encrypted for " + self.observable}) else: self.error(r.status_code)
def run(self): Responder.run(self) title = self.get_param('data.title', None, 'title is missing') title = title.encode('utf-8') description = self.get_param('data.description', None, 'description is missing') description = description.encode('utf-8') mail_to = None if self.data_type == 'thehive:case': # Search recipient address in tags tags = self.get_param('data.tags', None, 'recipient address not found in tags') mail_tags = [t[5:] for t in tags if t.startswith('mail:')] if mail_tags: mail_to = mail_tags.pop() else: self.error('recipient address not found in observables') elif self.data_type == 'thehive:alert': # Search recipient address in artifacts artifacts = self.get_param( 'data.artifacts', None, 'recipient address not found in observables') mail_artifacts = [ a['data'] for a in artifacts if a.get('dataType') == 'mail' and 'data' in a ] if mail_artifacts: mail_to = mail_artifacts.pop() else: self.error('recipient address not found in observables') else: self.error('Invalid dataType') msg = MIMEMultipart() msg['Subject'] = title msg['From'] = self.mail_from msg['To'] = mail_to msg['Date'] = formatdate(localtime=True) msg['Message-ID'] = make_msgid() msg.attach(MIMEText(description, 'plain')) s = smtplib.SMTP(self.smtp_host, self.smtp_port) if (self.smtp_auth): try: s.starttls() s.login(self.mail_user, self.mail_pass) except: self.error('an error occured with SMTP username/password') try: s.sendmail(self.mail_from, [mail_to], msg.as_string()) s.quit() self.report({'message': 'message sent'}) except: self.error('unable to send email')
def __init__(self): Responder.__init__(self) self.smtp_host = self.get_param('config.smtp_host', 'medusa.psi.unc.edu.ar') self.smtp_port = self.get_param('config.smtp_port', '25') self.mail_from = self.get_param('config.from', None, 'Missing sender email address')
def __init__(self): Responder.__init__(self) self.s1_console_url = self.get_param("config.s1_console_url", None, "S1 console URL is missing!") self.s1_api_key = self.get_param("config.s1_api_key", None, "S1 API key is missing!") self.s1_account_id = self.get_param("config.s1_account_id", None, "Account ID is missing!") self.s1_blacklist_ostype = self.get_param("s1_blacklist_ostype", "windows") self.s1_blacklist_type = "black_hash" self.observable = self.get_param("data.data", None, "Data is empty!") self.observable_type = self.get_param("data.dataType", None, "Data type is empty!") self.headers = { "Authorization": f"ApiToken {self.s1_api_key}", "User-Agent": "Cortex/SentinelOne-Responder", "Content-Type": "application/json", "Accept": "application/json", } self.service = self.get_param("config.service", None, "Service Missing!") self.sha1_re = re.compile(r"^[A-Za-z0-9]{40}$") self.s1_blacklist_api_endpoint = "/web/api/v2.1/restrictions" self.proxies = self.get_param("config.proxy", None)
def run(self): Responder.run(self) if self.get_param("data.dataType") == "username": if self.service in ["lock", "unlock"]: str_username = self.get_param( "data.data", None, "No artifacts available" ) admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname) response = admin_api.get_users_by_name(username=str_username) user_id = response[0]["user_id"] if self.service == "lock": r = admin_api.update_user(user_id=user_id, status="disabled") if r.get("status") == "disabled": self.report({"message": "User is locked in Duo Security."}) else: self.error("Failed to lock User Account in Duo.") elif self.service == "unlock": r = admin_api.update_user(user_id=user_id, status="active") if r.get("status") == "active": self.report( { "message": "User is unlocked in Duo Security. The user must complete secondary authentication." } ) else: self.error("Failed to unlock User Account in Duo.") else: self.error('Incorrect dataType. "username" expected.')
def __init__(self): Responder.__init__(self) # Mail settings server = self.get_param("config.server", None, "Missing server in config") self.username = self.get_param("config.username", None, "Missing username in config") self.password = self.get_param("config.password", None, "Missing password in config") try: fingerprint_path = "{}/fingerprints.txt".format( os.path.dirname(__file__)) fingerprint = json.loads(open(fingerprint_path, "r").read())[server] self.client_args = APIClientArgs(server=server, fingerprint=fingerprint) except: self.error( "Fingerprint check failed. It should be locate here {}".format( fingerprint_path)) self.service = self.get_param("config.service", None) self.group_name = self.get_param("config.group_name", None, "Missing group_name in config") self.exclusions = self.get_param("config.exclusions", []) self.added_tag = self.get_param("config.added_tag", None) self.removed_tag = self.get_param("config.removed_tag", None)
def run(self): Responder.run(self) if self.get_param('data.dataType') == 'username': str_username = self.get_param('data.data', None, 'No artifacts available') admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname) response = admin_api.get_users_by_name(username=str_username) # print(response) user_id=response[0]["user_id"] # print("user_id:",user_id) r = admin_api.update_user(user_id=user_id,status='disabled') # print("response:",r) if r.get('status') == 'disabled': self.report({'message': 'User is locked in Duo Security.'}) else: self.error('Failed to lock User Account in Duo.') else: self.error('Incorrect dataType. "username" expected.')
def run(self): Responder.run(self) for x in self.hosts: with pysftp.Connection(host=x, username='******', password='******', port=22, cnopts=cnopts) as srv: with srv.cd('/tmp'): srv.put(self.wdir + '/loki_linux.tar.gz') srv.execute('rm /tmp/Loki/out.log') srv.execute('tar -xzf /tmp/loki_linux.tar') srv.execute( 'cd /tmp/Loki && ./loki -l /tmp/Loki/out.log --dontwait -p /' ) srv.get('/tmp/Loki/out.log') srv.get('/tmp/Loki/out.log', self.wdir + '/out.log') with open(self.wdir + '/out.log') as f: content = f.read() if 'SYSTEM SEEMS TO BE CLEAN' in content: self.report({'Host %s' % x: 'good'}) else: self.report({'Host %s' % x: 'bad'}) os.remove(self.wdir + '/out.log')
def __init__(self): Responder.__init__(self) self.operations_list = [] self.endpoint = self.get_param( "config.endpoint", message="Endpoint is not configured, aborting!") # Input will be on the form of a list of strings. [ self.add_tag_to_artifact(tag) for tag in self.get_param("config.add_tags_to_artifact") ] [ self.add_tag_to_case(tag) for tag in self.get_param("config.add_tags_to_case") ] # Input will be on the form of a list of stringified JSON objects. [ self.add_operation(op) for op in self.get_param("config.custom_operations") ] self.send_added_tags = self.get_param("config.send_added_tags", default=False)
def run(self): try: Responder.run(self) ioctypes = {"hash": "sha256", "sha256": "sha256", "md5": "md5", "sha1": "sha1", "ip": "ipv4", "ip6": "ipv6", "ipv6": "ipv6", "domain": "domain", "url": "domain"} data_type = self.get_param('data.dataType') if not data_type in ioctypes: self.error("Unsupported IOC type") return ioc = self.get_param('data.data', None, 'No IOC provided') if data_type == "url": match = re.match(r"(http:\/\/|https:\/\/)?([\w\d\-\.]{0,256}).*", ioc) if match is None or match.group(2) is None: self.error("Could not parse domain from URL") return else: ioc=match.group(2) description = self.get_param('data.case.title',None,"Can't get case title") description = str(description).encode('utf-8')[:128] postdata=json.dumps([{"type": ioctypes[data_type], "value": ioc.strip(), "policy": "detect", "description": description, "share_level": "red", "source": "Cortex - FalconCustomIOC ["+description+"]", "expiration_days": 30}]) response=requests.post(self.falconapi_url,data=postdata,headers={"Content-Type":"application/json"},auth=HTTPBasicAuth(self.apiuser,self.apikey)) json_response = json.loads(response.text) if json_response["errors"]: self.error(str(json_response["errors"])) return else: self.report({'message': ioc+" Submitted to Crowdstrike Falcon custom IOC api","api_response":json_response}) except Exception as ex: self.error(traceback.format_exc())
def __init__(self): Responder.__init__(self) self.api_key = self.get_param("config.api_key", "") self.webhook_url = self.get_param("config.webhook_url", "") self.webhook_id = self.get_param("config.webhook_id", "") self.verify = self.get_param('config.verifyssl', True, None) self.data = self.get_param('data')
def run(self): Responder.run(self) title = self.get_param('data.title', None, 'title is missing') description = self.get_param('data.description', None, 'description is missing') mail_to = None if self.data_type == 'thehive:case': # Search recipient address in tags tags = self.get_param('data.tags', None, 'recipient address not found in tags') mail_tags = [t[5:] for t in tags if t.startswith('mail:')] if mail_tags: mail_to = mail_tags.pop() else: self.error('recipient address not found in tags') elif self.data_type == 'thehive:case_task': # Search recipient address in tags descr_array = description.splitlines() if 'mailto:' in descr_array[0]: mail_to = descr_array[0].replace("mailto\:", "") else: self.error('recipient address not found in description') #Set rest of description as body del descr_array[0] description = '\n'.join(descr_array) elif self.data_type == 'thehive:alert': # Search recipient address in artifacts artifacts = self.get_param( 'data.artifacts', None, 'recipient address not found in observables') mail_artifacts = [ a['data'] for a in artifacts if a.get('dataType') == 'mail' and 'data' in a ] if mail_artifacts: mail_to = mail_artifacts.pop() else: self.error('recipient address not found in observables') else: self.error('Invalid dataType') msg = MIMEMultipart() msg['Subject'] = title msg['From'] = self.mail_from msg['To'] = mail_to msg.attach(MIMEText(description, 'plain')) #Add reply-to header msg.add_header('reply-to', self.mail_reply_to) s = smtplib.SMTP(self.smtp_host, self.smtp_port) if self.smtp_auth: s.ehlo() s.starttls() s.login(self.username, self.password) s.sendmail(self.mail_from, mail_to.split(','), msg.as_string()) s.quit() self.report({'message': 'message sent'})
def __init__(self): Responder.__init__(self) self.smtp_host = self.get_param('config.smtp_host', 'localhost') self.smtp_port = self.get_param('config.smtp_port', '25') self.smtp_mail_from = self.get_param('config.smtp_mail_from', None, 'Missing from email') self.smtp_mail_pw = self.get_param('config.smtp_mail_pw', None, 'Missing email password')
def __init__(self): Responder.__init__(self) self.misp_url = self.get_param( 'config.misp_url', 'localhost') self.misp_api_key = self.get_param( 'config.misp_api_key', 'localhost') self.thehive_api_key = self.get_param( 'config.TheHive_Api_Key', None, 'Missing TheHive API KEY')
def __init__(self): Responder.__init__(self) self.falconapi_url = self.get_param( 'config.falconapi_url', None, "Falcon API URL (e.g.:https://falconapi.crowdstrike.com/indicators/entities/iocs/v1)") self.apiuser = self.get_param( 'config.falconapi_user', None, "Falcon query api key missing") self.apikey = self.get_param( 'config.falconapi_key', None, "Falcon query api key missing")
def __init__(self): Responder.__init__(self) self.smtp_host = self.get_param("config.smtp_host", "localhost") self.smtp_port = self.get_param("config.smtp_port", "25") self.mail_from = self.get_param("config.from", None, "Missing sender email address") self.smtp_user = self.get_param("config.smtp_user", "user", None) self.smtp_pwd = self.get_param("config.smtp_pwd", "pwd", None)
def __init__(self): Responder.__init__(self) self.thehive_instance = self.get_param('config.thehive_instance', 'localhost:9000') self.thehive_api = self.get_param('config.thehive_api', 'YOUR_KEY_HERE') self.api = TheHiveApi(self.thehive_instance, self.thehive_api) self.tmpPath = self.get_param('config.tmp_file_location')
def __init__(self): Responder.__init__(self) self.virustotal_apikey = self.get_param('config.virustotal_apikey', None, "Virustotal API key missing!") self.thehive_url = self.get_param('config.thehive_url', None, "TheHive URL missing!") self.thehive_apikey = self.get_param('config.thehive_apikey', None, "TheHive API key missing!")
def __init__(self): Responder.__init__(self) self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') self.name_external_Address_Group = self.get_param('config.Address_group_for_unblock_external_IP_address',"TheHive Block list external IP address") self.TheHive_instance = self.get_param('config.TheHive_instance') self.TheHive_API_key = self.get_param('config.TheHive_API_key', 'YOUR_KEY_HERE') self.api = TheHiveApi(self.TheHive_instance, self.TheHive_API_key)
def __init__(self): Responder.__init__(self) self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') self.name_security_rule = self.get_param('config.Security_rule_for_block_port_external_communication','TheHive Block port for external communication') self.TheHive_instance = self.get_param('config.TheHive_instance') self.TheHive_API_key = self.get_param('config.TheHive_API_key', 'YOUR_KEY_HERE') self.api = TheHiveApi(self.TheHive_instance, self.TheHive_API_key)
def __init__(self): Responder.__init__(self) self.xg_soar_connector_url = self.get_param( 'config.xg_soar_connector_url', None, 'No Connector URL Set') self.xg_soar_connector_token = self.get_param( 'config.xg_soar_connector_token', None, 'No Token set') self.observable = self.get_param('data.data', None, 'Data is empty') self.observable_type = self.get_param('data.dataType', None, 'Data type is empty')
def __init__(self): Responder.__init__(self) self.data = self.get_param('data', None, 'Data is missing') self.url = self.get_param('config.url', None, 'url is missing') self.api = self.get_param('config.api', None, 'api key is missing') # Action for Zerofox Alert : see "POST /alerts/{alert_id}/{action}/" on https://api.zerofox.com/1.0/docs/ self.zfEntity = "alerts" self.zfAction = "request_takedown"
def __init__(self): Responder.__init__(self) self.smtp_host = self.get_param('config.smtp_host', 'localhost') self.smtp_port = self.get_param('config.smtp_port', '25') self.mail_from = self.get_param('config.from', None, 'Missing sender email address') self.use_tls = self.get_param('config.use_tls', False) self.mail_password = self.get_param('config.password', None) self.mail_to = self.get_param('config.to', None, 'Missing receiver email address') self.subject_prefix = self.get_param('config.subject_prefix', None)
def __init__(self): Responder.__init__(self) self.integration_url = self.get_param('config.integration_url', None, "Integration URL Missing")
def __init__(self): Responder.__init__(self) self.smtp_host = self.get_param( 'config.smtp_host', 'localhost') self.mail_from = self.get_param( 'config.from', None, 'Missing sender email address')