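# Redmine journal "prop_key" values and status ids that this handler reacts
# to. They are the custom-field / status ids of this particular Playbook
# instance (taken from the original handler), not Redmine-wide constants.
_PROP_SIGMA = '9'           # Sigma custom field (field id 9)
_PROP_TARGET_LOG = '21'     # Target Log custom field (field id 21)
_PROP_STATUS = 'status_id'  # built-in issue status change
_STATUS_NAME_TO_ACTIVE = {"Active": True, "Inactive": False}
_STATUS_ID_TO_ACTIVE = {'3': True, '4': False}


def _apply_detection_state(issue_id, active):
    """Enable or disable the downstream detection for one Play.

    Args:
        issue_id: Redmine issue id of the Play.
        active: True re-creates/updates the ElastAlert config and the
            TheHive case template; False disables the ElastAlert config.
    """
    if active:
        playbook.elastalert_update(issue_id)
        playbook.thehive_casetemplate_update(issue_id)
    else:
        playbook.elastalert_disable(issue_id)


def playbookWebhook(webhook_content):
    """Process an incoming Playbook (Redmine) webhook.

    Only ``updated`` events on the ``Play`` tracker are acted on; any other
    event is acknowledged without side effects. For a Play update every
    journal detail is inspected:

    * Sigma field changed: refresh the Play metadata, run the unit test and,
      once per webhook, enable or disable the detection to match the Play's
      current status name.
    * Status changed to Active/Inactive: enable or disable the detection
      (skipped when an earlier detail in the same webhook already did so).
    * Target Log changed: run the unit test; when the previous value was the
      empty string the log is only normalized.

    NOTE(review): nothing here authenticates the sender of the webhook or
    validates the payload beyond the key lookups below; confirm the route
    that calls this function verifies the webhook origin before the issue id
    is used to drive play_update/elastalert_update.

    Args:
        webhook_content: Decoded webhook body. The nested ``payload`` keys
            (``action``, ``issue``, ``journal``) must be present.

    Returns:
        The string ``"success"``.

    Raises:
        KeyError: if the payload does not have the expected Redmine shape.
    """
    payload = webhook_content['payload']
    action = payload['action']
    issue = payload['issue']
    issue_tracker_name = issue['tracker']['name']
    issue_id = issue['id']
    issue_status_name = issue['status']['name']

    if action != 'updated' or issue_tracker_name != 'Play':
        return "success"

    # The detection is enabled/disabled at most once per webhook, even if
    # several details (e.g. Sigma and status) would each trigger it.
    detection_updated = False
    for item in payload['journal']['details']:
        prop_key = item['prop_key']

        if prop_key == _PROP_SIGMA:
            # Sigma field updated --> refresh Play metadata, then run the
            # Play unit test (the helper decides whether a Target Log exists).
            playbook.play_update(issue_id)
            playbook.play_unit_test(issue_id, "Sigma Updated")
            active = _STATUS_NAME_TO_ACTIVE.get(issue_status_name)
            if active is not None and not detection_updated:
                detection_updated = True
                _apply_detection_state(issue_id, active)

        elif prop_key == _PROP_STATUS and not detection_updated:
            # Play status changed; only the Active/Inactive ids matter.
            active = _STATUS_ID_TO_ACTIVE.get(item['value'])
            if active is not None:
                detection_updated = True
                _apply_detection_state(issue_id, active)

        elif prop_key == _PROP_TARGET_LOG:
            # NOTE(review): only the empty string counts as "first time"; a
            # null old_value would take the full unit-test path — confirm
            # what Redmine sends when the field was previously unset.
            if item['old_value'] == "":
                # First Target Log value: normalize the log only.
                playbook.play_unit_test(issue_id, "Target Log Updated", True)
            else:
                # Normalize the log (if needed) and run the Play unit test.
                playbook.play_unit_test(issue_id, "Target Log Updated")

    return "success"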
def playbookWebhook(webhook_content):
    """Handle one Playbook (Redmine) webhook delivery.

    Two event types are recognised; everything else is acknowledged and
    otherwise ignored:

    * ``opened`` on the ``Sigma Import`` tracker: create a new Play from the
      imported issue.
    * ``updated`` on the ``Play`` tracker: for each journal detail, refresh
      the Play metadata when custom field 21 changed and — at most once per
      webhook — enable or disable the detection (ElastAlert, ATT&CK
      Navigator layer, TheHive case template) according to the Play's
      status.

    NOTE(review): the payload is trusted as-is; confirm the calling route
    authenticates the webhook source before the issue id is acted on.

    Args:
        webhook_content: Decoded webhook body in Redmine's webhook shape.

    Returns:
        The string ``"success"``.

    Raises:
        KeyError: when an expected ``payload`` key is missing.
    """
    payload = webhook_content['payload']
    action = payload['action']
    issue = payload['issue']
    tracker_name = issue['tracker']['name']
    issue_id = issue['id']
    status_name = issue['status']['name']

    if action == 'opened' and tracker_name == 'Sigma Import':
        # presumably play_create wants the id as a string (the update path
        # passes it unchanged) — verify against playbook.play_create
        playbook.play_create(str(issue_id))
        return "success"

    if action != 'updated' or tracker_name != 'Play':
        return "success"

    details = payload['journal']['details']
    detection_updated = False

    def switch_detection(enable):
        """Enable/disable the detection and mark it done for this webhook."""
        nonlocal detection_updated
        detection_updated = True
        if enable:
            playbook.elastalert_update(issue_id)
            playbook.navigator_update()
            playbook.thehive_casetemplate_update(issue_id)
        else:
            playbook.elastalert_disable(issue_id)
            playbook.navigator_update()

    for detail in details:
        key = detail['prop_key']

        if key == '21':
            # Custom field 21 (the Sigma field in this version) changed:
            # refresh the Play metadata first.
            playbook.play_update(issue_id)
            if detection_updated:
                continue
            if status_name == "Active":
                switch_detection(True)
            elif status_name == "Inactive":
                switch_detection(False)

        elif key == 'status_id' and not detection_updated:
            # Status ids 3 / 4 are Active / Inactive on this instance.
            new_status = detail['value']
            if new_status == '3':
                switch_detection(True)
            elif new_status == '4':
                switch_detection(False)

    return "success"
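PAGE_SIZE = 100        # page size requested from Redmine's issues.json
PLAY_TRACKER_ID = 1    # tracker_id of the Play tracker on this instance
# NOTE(security): verify=False disables TLS certificate validation, so the
# API key sent in X-Redmine-API-Key can be read or replayed by anyone able to
# intercept the connection. Keep it False only for a lab instance without a
# trusted certificate; otherwise set it to True or to a CA bundle path.
VERIFY_TLS = False

all_plays = []

playbook_headers = {
    'X-Redmine-API-Key': parser.get("playbook", "playbook_key"),
    'Content-Type': 'application/json'
}
playbook_url = parser.get("playbook", "playbook_url")


def _fetch_play_page(offset):
    """Return one page of Play issues (decoded JSON) starting at *offset*.

    Args:
        offset: Zero-based index of the first issue to return.

    Returns:
        The decoded ``issues.json`` response (a dict with ``issues`` and
        ``total_count``).

    Raises:
        requests.HTTPError: on a non-2xx response, instead of failing later
            with an opaque JSON or KeyError on the error body.
    """
    url = f"{playbook_url}/issues.json?offset={offset}&tracker_id={PLAY_TRACKER_ID}&limit={PAGE_SIZE}"
    resp = requests.get(url, headers=playbook_headers, verify=VERIFY_TLS)
    resp.raise_for_status()
    return resp.json()


print(f"\n-= Started: {datetime.now()}-=\n")

# Get all plays from Playbook, one page at a time.
offset = 0
response = _fetch_play_page(offset)
all_plays.extend(response['issues'])

# total_count is re-read from each page, so plays created while this runs
# are still picked up.
while offset < response['total_count']:
    offset += PAGE_SIZE
    response = _fetch_play_page(offset)
    print(f"Active offset: {offset}")
    all_plays.extend(response['issues'])

print(f"\n-= Parsed Playbook Plays: {len(all_plays)} -=\n")

# Re-run the metadata update for every play found.
for play in all_plays:
    playbook.play_update(play['id'])
    print(f"\nIssue-ID - {play['id']}\n")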