def createRTIRIncident(esid): search = getHits(esid) for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) event_type = result['event_type'] rtir_url = parser.get('rtir', 'rtir_url') rtir_uri = parser.get('rtir', 'rtir_api') rtir_user = parser.get('rtir', 'rtir_user') rtir_pass = parser.get('rtir', 'rtir_pass') rtir_queue = parser.get('rtir', 'rtir_queue') rtir_creator = parser.get('rtir', 'rtir_creator') rtir_subject = 'New ' + event_type + ' event from Security Onion!' rtir_text = description rtir_rt = rt.Rt(rtir_url + '/' + rtir_api, rtir_user, rtir_pass, verify_cert=False) rtir_rt.login() rtir_rt.create_ticket(Queue=rtir_queue, Owner=rtir_creator, Subject=rtir_subject, Text=rtir_text) rtir_rt.logout() # Redirect to RTIR instance return redirect(rtir_url)
def createRTIRIncident(esid, index): search = getHits(esid, index) for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) event_type = result['event_type'] rtir_text = '' rtir_web = 'Content-type: text/html \n <!DOCTYPE html><html><head></head><body><table>' for key, value in result.items(): rtir_web = rtir_web + '<tr><td>' + str(key) + '</td><td>' + str(value) + '</td></tr>' rtir_text = rtir_text + str(key) + ': ' + str(value) + '\n' rtir_web = rtir_web + '</table></body></html>' rtir_url = parser.get('rtir', 'rtir_url') rtir_api = parser.get('rtir', 'rtir_api') rtir_user = parser.get('rtir', 'rtir_user') rtir_pass = parser.get('rtir', 'rtir_pass') rtir_queue = parser.get('rtir', 'rtir_queue') #rtir_owner = parser.get('rtir', 'rtir_owner') rtir_url_ticket = parser.get('rtir', 'rtir_url_ticket') rtir_classification = parser.get('rtir', 'rtir_classification') rtir_subject_line = parser.get('rtir', 'rtir_subject') rtir_subject = event_type + rtir_subject_line rtir_rt = rt.Rt(str(rtir_url) + '/' + str(rtir_api), rtir_user, rtir_pass, verify_cert=False) rtir_rt.login() rtir_ticket_id = rtir_rt.create_ticket(Queue=rtir_queue, Subject=rtir_subject, Text=rtir_web, **{'CF.{Classification}': rtir_classification}) rtir_rt.logout() rtir_url_ticket_full = rtir_url_ticket + str(rtir_ticket_id) # Redirect to RTIR instance return "Ticket created!" + "\n Ticket url is: " + "<a href=" + rtir_url_ticket_full + ">" + rtir_url_ticket_full + "</a>"
def showESResult(esid): search = getHits(esid) for result in search['hits']['hits']: esindex = result['_index'] result = result['_source'] #print(result) return render_template("result.html", result=result, esindex=esindex)
def eventModifyFields(esid): search = getHits(esid) for result in search['hits']['hits']: esindex = result['_index'] result = result['_source'] tags = result['tags'] form = DefaultForm() return render_template('update_event.html',result=result, esindex=esindex,esid=esid,tags=tags,form=form)
def createStrelkaScan(esid): search = getHits(esid) for result in search['hits']['hits']: result = result['_source'] message = result['message'] event_type = result['event_type'] extracted_file = result['extracted'] conn_id = result['uid'][0] sensorsearch = getConn(conn_id) for result in sensorsearch['hits']['hits']: result = result['_source'] sensor = result['sensor_name'].rsplit('-',1)[0] strelka_scan_drop = "echo " + sensor + "," + extracted_file + " >> /tmp/soctopus/strelkaq.log" os.system(strelka_scan_drop) return render_template('strelka.html', extracted_file=extracted_file, sensor=sensor)
def createFIREvent(esid): search = getHits(esid) for result in search['hits']['hits']: result = result['_source'] message = result['message'] event_type = result['event_type'] description = str(message) fir_api = '/api/incidents' fir_url = parser.get('fir', 'fir_url') fir_token = parser.get('fir', 'fir_token') actor = parser.get('fir', 'fir_actor') category = parser.get('fir', 'fir_category') confidentiality = parser.get('fir', 'fir_confidentiality') detection = parser.get('fir', 'fir_detection') plan = parser.get('fir', 'fir_plan') severity = parser.get('fir', 'fir_severity') subject = str('New ' + event_type + ' event from Security Onion!') headers = { 'Authorization': 'Token ' + fir_token, 'Content-type': 'application/json' } response = requests.get(fir_url + fir_api, headers=headers, verify=False) data = { "actor": actor, "category": category, "confidentiality": confidentiality, "description": description, "detection": detection, "plan": plan, "severity": int(severity), "subject": subject } response = requests.post(fir_url + fir_api, headers=headers, data=json.dumps(data), verify=False) # Redirect to FIR instance return redirect(fir_url + '/events')
def createGRRFlow(esid, flow_name): search = getHits(esid) grr_url = parser.get('grr', 'grr_url') grr_user = parser.get('grr', 'grr_user') grr_pass = parser.get('grr', 'grr_pass') grrapi = api.InitHttp(api_endpoint=grr_url, auth=(grr_user, grr_pass)) for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) info = description if 'source_ip' in result: source_ip = result['source_ip'] if 'destination_ip' in result: destination_ip = result['destination_ip'] for ip in source_ip, destination_ip: search_result = grrapi.SearchClients(ip) grr_result = {} client_id = '' for client in search_result: # Get client id client_id = client.client_id client_last_seen_at = client.data.last_seen_at grr_result[client_id] = client_last_seen_at #flow_name = "ListProcesses" if client_id is None: pass # Run flow flow_obj = grrapi.Client(client_id) flow_obj.CreateFlow(name=flow_name) if client_id: # Redirect to GRR instance return redirect(grr_url + '/#/clients/' + client_id + '/flows') else: return "No matches found for source or destination ip"
def createSlackAlert(esid): search = getHits(esid) for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) slack_url = parser.get('slack', 'slack_url') webhook_url = parser.get('slack', 'slack_webhook') slack_data = {'text': description} response = requests.post(webhook_url, data=json.dumps(slack_data), headers={'Content-Type': 'application/json'}) if response.status_code != 200: raise ValueError( 'Request to slack returned an error %s, the response is:\n%s' % (response.status_code, response.text)) # Redirect to Slack workspace return redirect(slack_url)
def createMISPEvent(esid): search = getHits(esid) #MISP Stuff misp_url = parser.get('misp', 'misp_url') misp_key = parser.get('misp', 'misp_key') misp_verifycert = parser.get('misp', 'misp_verifycert') distrib= parser.get('misp', 'distrib') threat = parser.get('misp', 'threat') analysis = parser.get('misp', 'analysis') for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) info = description def init(url, key): return PyMISP(url, key, misp_verifycert, 'json', debug=True) misp = init(misp_url, misp_key) event = misp.new_event(distrib, threat, analysis, info) event_id = str(event['Event']['id']) if 'source_ip' in result: data_type = "ip-src" source_ip = result['source_ip'] misp.add_named_attribute(event_id, data_type, source_ip ) if 'destination_ip' in result: data_type = "ip-dst" destination_ip = result['destination_ip'] misp.add_named_attribute(event_id, data_type, destination_ip ) # Redirect to MISP instance return redirect(misp_url + '/events/index')
def createHiveAlert(esid): search = getHits(esid) #Hive Stuff #es_url = parser.get('es', 'es_url') hive_url = parser.get('hive', 'hive_url') hive_key = parser.get('hive', 'hive_key') hive_verifycert = parser.get('hive', 'hive_verifycert') tlp = int(parser.get('hive', 'hive_tlp')) # Check if verifying cert if 'False' in hive_verifycert: api = TheHiveApi(hive_url, hive_key, cert=False) else: api = TheHiveApi(hive_url, hive_key, cert=True) #if hits > 0: for result in search['hits']['hits']: # Get initial details message = result['_source']['message'] description = str(message) sourceRef = str(uuid.uuid4())[0:6] tags=["SecurityOnion"] artifacts=[] id = None host = str(result['_index']).split(":")[0] index = str(result['_index']).split(":")[1] event_type = result['_source']['event_type'] if 'source_ip' in result['_source']: src = str(result['_source']['source_ip']) if 'destination_ip' in result['_source']: dst = str(result['_source']['destination_ip']) #if 'source_port' in result['_source']: # srcport = result['_source']['source_port'] #if 'destination_port' in result['_source']: # dstport = result['_source']['destination_port'] # NIDS Alerts if 'snort' in event_type: alert = result['_source']['alert'] category = result['_source']['category'] sensor = result['_source']['interface'] tags.append("nids") tags.append(category) title=alert # Add artifacts artifacts.append(AlertArtifact(dataType='ip', data=src)) artifacts.append(AlertArtifact(dataType='ip', data=dst)) artifacts.append(AlertArtifact(dataType='other', data=sensor)) # Bro logs elif 'bro' in event_type: _map_key_type ={ "conn": "Connection", "dhcp": "DHCP", "dnp3": "DNP3", "dns": "DNS", "files": "Files", "ftp": "FTP", "http": "HTTP", "intel": "Intel", "irc": "IRC", "kerberos": "Kerberos", "modbus": "Modbus", "mysql": "MySQL", "ntlm": "NTLM", "pe": "PE", "radius": "RADIUS", "rdp": "RDP", "rfb": "RFB", "sip" : "SIP", "smb": "SMB", "smtp": "SMTP", "snmp": "SNMP", "ssh": "SSH", "ssl": "SSL", "syslog": "Syslog", "weird": "Weird", "x509": "X509" } def map_key_type(indicator_type): ''' Maps a key type to use in the request URL. ''' return _map_key_type.get(indicator_type) bro_tag = event_type.strip('bro_') bro_tag_title = map_key_type(bro_tag) title= str('New Bro ' + bro_tag_title + ' record!') if 'source_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=src)) if 'destination_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=dst)) if 'sensor_name' in result['_source']: sensor = str(result['_source']['sensor_name']) artifacts.append(AlertArtifact(dataType='other', data=sensor)) if 'uid' in result['_source']: uid = str(result['_source']['uid']) title= str('New Bro ' + bro_tag_title + ' record! - ' + uid) artifacts.append(AlertArtifact(dataType='other', data=uid)) if 'fuid' in result['_source']: fuid = str(result['_source']['fuid']) title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) if 'id' in result['_source']: fuid = str(result['_source']['id']) title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) tags.append('bro') tags.append(bro_tag) # Wazuh/OSSEC logs elif 'ossec' in event_type: agent_name = result['_source']['agent']['name'] if 'description' in result['_source']: ossec_desc = result['_source']['description'] else: ossec_desc = result['_source']['full_log'] if 'ip' in result['_source']['agent']: agent_ip = result['_source']['agent']['ip'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append(AlertArtifact(dataType='other', data=agent_name)) else: artifacts.append(AlertArtifact(dataType='other', data=agent_name)) title= ossec_desc tags.append("wazuh") elif 'sysmon' in event_type: if 'ossec' in result['_source']['tags']: agent_name = result['_source']['agent']['name'] agent_ip = result['_source']['agent']['ip'] ossec_desc = result['_source']['full_log'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append(AlertArtifact(dataType='other', data=agent_name)) title= "New Sysmon Event! - " + agent_name tags.append("wazuh") else: title = "New " + event_type + " Event From Security Onion" # Build alert hivealert = Alert( title= title, tlp=tlp, tags=tags, description=description, type='external', source='SecurityOnion', sourceRef=sourceRef, artifacts=artifacts ) # Send it off response = api.create_alert(hivealert) if response.status_code == 201: print(json.dumps(response.json(), indent=4, sort_keys=True)) print('') id = response.json()['id'] # If running standalone / eval tell ES that we sent the alert #es_type = 'doc' #es_index = index #es_headers = {'Content-Type' : 'application/json'} #es_data = '{"script" : {"source": "ctx._source.tags.add(params.tag)","lang": "painless","params" : {"tag" : "Sent to TheHive"}}}' #update_es_event = requests.post(es_url + '/' + es_index + '/' + es_type + '/' + esid + '/_update', headers=es_headers, data=es_data) #print(update_es_event.content) else: print('ko: {}/{}'.format(response.status_code, response.text)) sys.exit(0)
def createHiveAlert(esid): search = getHits(esid) #Hive Stuff #es_url = parser.get('es', 'es_url') hive_url = parser.get('hive', 'hive_url') api = hiveInit() tlp = int(parser.get('hive', 'hive_tlp')) for result in search['hits']['hits']: # Get initial details message = result['_source']['message'] es_id = result['_id'] description = str(message) sourceRef = str(uuid.uuid4())[0:6] tags = ["SecurityOnion"] artifacts = [] id = None host = str(result['_index']).split(":")[0] index = str(result['_index']).split(":")[1] event_type = result['_source']['event_type'] if 'source_ip' in result['_source']: src = str(result['_source']['source_ip']) if 'destination_ip' in result['_source']: dst = str(result['_source']['destination_ip']) if 'source_port' in result['_source']: srcport = str(result['_source']['source_port']) if 'destination_port' in result['_source']: dstport = str(result['_source']['destination_port']) # NIDS Alerts if 'ids' in event_type: alert = result['_source']['alert'] sid = str(result['_source']['sid']) category = result['_source']['category'] sensor = result['_source']['sensor_name'] masterip = str(es_url.split("//")[1].split(":")[0]) tags.append("nids") tags.append(category) title = alert print(alert) sys.stdout.flush() # Add artifacts artifacts.append(AlertArtifact(dataType='ip', data=src)) artifacts.append(AlertArtifact(dataType='ip', data=dst)) artifacts.append(AlertArtifact(dataType='other', data=sensor)) description = "`NIDS Dashboard:` \n\n <https://" + masterip + "/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:" + sid + "')),sort:!('@timestamp',desc))> \n\n `IPs: `" + src + ":" + srcport + "-->" + dst + ":" + dstport + "\n\n `Signature:`" + alert + "\n\n `PCAP:` " + "https://" + masterip + "/kibana/app//sensoroni/securityonion/joblookup?redirectUrl=/sensoroni/&esid=" + es_id # Bro logs elif 'bro' in event_type: _map_key_type = { "conn": "Connection", "dhcp": "DHCP", "dnp3": "DNP3", "dns": "DNS", "files": "Files", "ftp": "FTP", "http": "HTTP", "intel": "Intel", "irc": "IRC", "kerberos": "Kerberos", "modbus": "Modbus", "mysql": "MySQL", "ntlm": "NTLM", "pe": "PE", "radius": "RADIUS", "rdp": "RDP", "rfb": "RFB", "sip": "SIP", "smb": "SMB", "smtp": "SMTP", "snmp": "SNMP", "ssh": "SSH", "ssl": "SSL", "syslog": "Syslog", "weird": "Weird", "x509": "X509" } def map_key_type(indicator_type): ''' Maps a key type to use in the request URL. ''' return _map_key_type.get(indicator_type) bro_tag = event_type.strip('bro_') bro_tag_title = map_key_type(bro_tag) title = str('New Bro ' + bro_tag_title + ' record!') if 'source_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=src)) if 'destination_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=dst)) if 'sensor_name' in result['_source']: sensor = str(result['_source']['sensor_name']) artifacts.append(AlertArtifact(dataType='other', data=sensor)) if 'uid' in result['_source']: uid = str(result['_source']['uid']) title = str('New Bro ' + bro_tag_title + ' record! - ' + uid) artifacts.append(AlertArtifact(dataType='other', data=uid)) if 'fuid' in result['_source']: fuid = str(result['_source']['fuid']) title = str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) if 'id' in result['_source']: fuid = str(result['_source']['id']) title = str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) tags.append('bro') tags.append(bro_tag) # Wazuh/OSSEC logs elif 'ossec' in event_type: agent_name = result['_source']['agent']['name'] if 'description' in result['_source']: ossec_desc = result['_source']['description'] else: ossec_desc = result['_source']['full_log'] if 'ip' in result['_source']['agent']: agent_ip = result['_source']['agent']['ip'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append( AlertArtifact(dataType='other', data=agent_name)) else: artifacts.append( AlertArtifact(dataType='other', data=agent_name)) title = ossec_desc tags.append("wazuh") elif 'sysmon' in event_type: if 'ossec' in result['_source']['tags']: agent_name = result['_source']['agent']['name'] agent_ip = result['_source']['agent']['ip'] ossec_desc = result['_source']['full_log'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append( AlertArtifact(dataType='other', data=agent_name)) tags.append("wazuh") elif 'beat' in result['_source']['tags']: agent_name = str(result['_source']['beat']['hostname']) if 'beat_host' in result['_source']: os_name = str(result['_source']['beat_host']['os']['name']) artifacts.append( AlertArtifact(dataType='other', data=os_name)) if 'source_hostname' in result['_source']: source_hostname = str(result['_source']['source_hostname']) artifacts.append( AlertArtifact(dataType='fqdn', data=source_hostname)) if 'source_ip' in result['_source']: source_ip = str(result['_source']['source_ip']) artifacts.append( AlertArtifact(dataType='ip', data=source_ip)) if 'destination_ip' in result['_source']: destination_ip = str(result['_source']['destination_ip']) artifacts.append( AlertArtifact(dataType='ip', data=destination_ip)) if 'image_path' in result['_source']: image_path = str(result['_source']['image_path']) artifacts.append( AlertArtifact(dataType='filename', data=image_path)) if 'Hashes' in result['_source']['event_data']: hashes = result['_source']['event_data']['Hashes'] for hash in hashes.split(','): if hash.startswith('MD5') or hash.startswith('SHA256'): artifacts.append( AlertArtifact(dataType='hash', data=hash.split('=')[1])) tags.append("beats") else: agent_name = '' title = "New Sysmon Event! - " + agent_name else: title = "New " + event_type + " Event From Security Onion" form = DefaultForm() artifact_string = jsonpickle.encode(artifacts) return render_template('hive.html', title=title, tlp=tlp, tags=tags, description=description, artifact_string=artifact_string, sourceRef=sourceRef, form=form)
def createGRRFlow(esid, flow_name): search = getHits(esid) tlp = int(parser.get('hive', 'hive_tlp')) # Check if verifying cert if 'False' in hive_verifycert: hiveapi = TheHiveApi(hive_url, hive_key, cert=False) else: hiveapi = TheHiveApi(hive_url, hive_key, cert=True) grr_url = parser.get('grr', 'grr_url') grr_user = parser.get('grr', 'grr_user') grr_pass = parser.get('grr', 'grr_pass') grrapi = api.InitHttp(api_endpoint=grr_url, auth=(grr_user, grr_pass)) base64string = '%s:%s' % (grr_user, grr_pass) base64string = base64.b64encode(bytes(base64string, "utf-8")) authheader = "Basic %s" % base64string index_response = requests.get(grr_url, auth=HTTPBasicAuth(grr_user, grr_pass)) csrf_token = index_response.cookies.get("csrftoken") headers = { "Authorization": authheader, "x-csrftoken": csrf_token, "x-requested-with": "XMLHttpRequest" } cookies = {"csrftoken": csrf_token} for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) info = description if 'source_ip' in result: source_ip = result['source_ip'] if 'destination_ip' in result: destination_ip = result['destination_ip'] for ip in source_ip, destination_ip: search_result = grrapi.SearchClients(ip) grr_result = {} client_id = '' for client in search_result: # Get client id client_id = client.client_id client_last_seen_at = client.data.last_seen_at grr_result[client_id] = client_last_seen_at #flow_name = "ListProcesses" if client_id is None: pass # Process flow and get flow id flow_id = listProcessFlow(client_id, grr_url, headers, cookies, grr_user, grr_pass) # Get status status = checkFlowStatus(client_id, grr_url, flow_id, headers, cookies, grr_user, grr_pass) # Keep checking to see if complete while status != "terminated": time.sleep(15) print( "Flow not yet completed..watiing 15 secs before attempting to check status again..." ) status = checkFlowStatus(client_id, grr_url, flow_id, headers, cookies, grr_user, grr_pass) # If terminated, run the download if status == "terminated": downloadFlowResults(client_id, grr_url, flow_id, headers, cookies, grr_user, grr_pass) #print("Done!") # Run flow via API client #flow_obj = grrapi.Client(client_id) #flow_obj.CreateFlow(name=flow_name) title = "Test Alert with GRR Flow" description = str(message) sourceRef = str(uuid.uuid4())[0:6] tags = ["SecurityOnion", "GRR"] artifacts = [] id = None filepath = "/tmp/soctopus/" + client_id + ".zip" artifacts.append( AlertArtifact(dataType='file', data=str(filepath))) # Build alert hivealert = Alert(title=title, tlp=tlp, tags=tags, description=description, type='external', source='SecurityOnion', sourceRef=sourceRef, artifacts=artifacts) # Send it off response = hiveapi.create_alert(hivealert) if client_id: # Redirect to GRR instance return redirect(grr_url + '/#/clients/' + client_id + '/flows') else: return "No matches found for source or destination ip"
def createHiveAlert(esid): search = getHits(esid) #Hive Stuff #es_url = parser.get('es', 'es_url') hive_url = parser.get('hive', 'hive_url') hive_key = parser.get('hive', 'hive_key') hive_verifycert = parser.get('hive', 'hive_verifycert') tlp = int(parser.get('hive', 'hive_tlp')) # Check if verifying cert if 'False' in hive_verifycert: api = TheHiveApi(hive_url, hive_key, cert=False) else: api = TheHiveApi(hive_url, hive_key, cert=True) #if hits > 0: for result in search['hits']['hits']: # Get initial details message = result['_source']['message'] description = str(message) sourceRef = str(uuid.uuid4())[0:6] tags=["SecurityOnion"] artifacts=[] id = None host = str(result['_index']).split(":")[0] index = str(result['_index']).split(":")[1] event_type = result['_source']['event_type'] if 'source_ip' in result['_source']: src = str(result['_source']['source_ip']) if 'destination_ip' in result['_source']: dst = str(result['_source']['destination_ip']) #if 'source_port' in result['_source']: # srcport = result['_source']['source_port'] #if 'destination_port' in result['_source']: # dstport = result['_source']['destination_port'] # NIDS Alerts if 'snort' in event_type: alert = result['_source']['alert'] category = result['_source']['category'] sensor = result['_source']['interface'] tags.append("nids") tags.append(category) title=alert # Add artifacts artifacts.append(AlertArtifact(dataType='ip', data=src)) artifacts.append(AlertArtifact(dataType='ip', data=dst)) artifacts.append(AlertArtifact(dataType='other', data=sensor)) # Bro logs elif 'bro' in event_type: _map_key_type ={ "conn": "Connection", "dhcp": "DHCP", "dnp3": "DNP3", "dns": "DNS", "files": "Files", "ftp": "FTP", "http": "HTTP", "intel": "Intel", "irc": "IRC", "kerberos": "Kerberos", "modbus": "Modbus", "mysql": "MySQL", "ntlm": "NTLM", "pe": "PE", "radius": "RADIUS", "rdp": "RDP", "rfb": "RFB", "sip" : "SIP", "smb": "SMB", "smtp": "SMTP", "snmp": "SNMP", "ssh": "SSH", "ssl": "SSL", "syslog": "Syslog", "weird": "Weird", "x509": "X509" } def map_key_type(indicator_type): ''' Maps a key type to use in the request URL. ''' return _map_key_type.get(indicator_type) bro_tag = event_type.strip('bro_') bro_tag_title = map_key_type(bro_tag) title= str('New Bro ' + bro_tag_title + ' record!') if 'source_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=src)) if 'destination_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=dst)) if 'sensor_name' in result['_source']: sensor = str(result['_source']['sensor_name']) artifacts.append(AlertArtifact(dataType='other', data=sensor)) if 'uid' in result['_source']: uid = str(result['_source']['uid']) title= str('New Bro ' + bro_tag_title + ' record! - ' + uid) artifacts.append(AlertArtifact(dataType='other', data=uid)) if 'fuid' in result['_source']: fuid = str(result['_source']['fuid']) title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) if 'id' in result['_source']: fuid = str(result['_source']['id']) title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) tags.append('bro') tags.append(bro_tag) # Wazuh/OSSEC logs elif 'ossec' in event_type: agent_name = result['_source']['agent']['name'] if 'description' in result['_source']: ossec_desc = result['_source']['description'] else: ossec_desc = result['_source']['full_log'] if 'ip' in result['_source']['agent']: agent_ip = result['_source']['agent']['ip'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append(AlertArtifact(dataType='other', data=agent_name)) else: artifacts.append(AlertArtifact(dataType='other', data=agent_name)) title= ossec_desc tags.append("wazuh") elif 'sysmon' in event_type: if 'ossec' in result['_source']['tags']: agent_name = result['_source']['agent']['name'] agent_ip = result['_source']['agent']['ip'] ossec_desc = result['_source']['full_log'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append(AlertArtifact(dataType='other', data=agent_name)) tags.append("wazuh") elif 'beat' in result['_source']['tags']: agent_name = str(result['_source']['beat']['hostname']) if 'beat_host' in result['_source']: os_name = str(result['_source']['beat_host']['os']['name']) artifacts.append(AlertArtifact(dataType='other', data=os_name)) if 'source_hostname' in result['_source']: source_hostname = str(result['_source']['source_hostname']) artifacts.append(AlertArtifact(dataType='fqdn', data=source_hostname)) if 'source_ip' in result['_source']: source_ip = str(result['_source']['source_ip']) artifacts.append(AlertArtifact(dataType='ip', data=source_ip)) if 'destination_ip' in result['_source']: destination_ip = str(result['_source']['destination_ip']) artifacts.append(AlertArtifact(dataType='ip', data=destination_ip)) if 'image_path' in result['_source']: image_path = str(result['_source']['image_path']) artifacts.append(AlertArtifact(dataType='filename', data=image_path)) if 'Hashes' in result['_source']['event_data']: hashes = result['_source']['event_data']['Hashes'] for hash in hashes.split(','): if hash.startswith('MD5') or hash.startswith('SHA256'): artifacts.append(AlertArtifact(dataType='hash', data=hash.split('=')[1])) tags.append("beats") else: agent_name = '' title= "New Sysmon Event! - " + agent_name else: title = "New " + event_type + " Event From Security Onion" form = DefaultForm() artifact_string = jsonpickle.encode(artifacts) return render_template('hive.html', title=title, tlp=tlp,tags=tags, description=description, artifact_string=artifact_string, sourceRef=sourceRef, form=form)