def create_hive45_dict(id, rule_name, alert_date, alert_age, *args): logging.info("Updating 45M SLA dictionary") hive_45_dict.update({ id: rule_name, }) slack_bot_notice_alert(channel, id, rule_name, alert_date, alert_age) make_call(id)
def create_hive60_dict(id, rule_name, alert_date, alert_age, *args): hive_60_dict.update({ id: rule_name, }) slack_bot_notice_alert(channel, id, rule_name, alert_date, alert_age) logging.info(' Alert ID: ' + id + ' Rule Name: ' + rule_name + ' Alert Date: ' + alert_date + ' Alert Age: ' + alert_age)
def create_hive30_dict(id, rule_name, alert_date, alert_age, *args): logging.info("Updating 30M SLA dictionary") hive_30_dict.update({ id: rule_name, }) slack_bot_notice_alert(channel, id, rule_name, alert_date, alert_age) send_sms(*args)
def add_to_called_list(alert_id): """ This method adds the alert_id to the called_list """ logging.info("Adding %s to called list" % alert_id) called_list.append(alert_id) return alert_id
def clean_ignore_list(alert_id): """ This method clears the ignore_list after 30 minutes. """ t.sleep(3600) logging.info("Removing %s from ignore list" % alert_id) ignore_list.remove(alert_id)
def ignore(alert_id): """ This method adds the alert_id to the ignore list and updates the original Slack message """ add_to_temp_ignore(alert_id) ignore_id = add_to_temp_ignore(alert_id) logging.info("Ignoring ID: %s" % ignore_id) Slack().slack_chat_ignore(alert_id) return ('', 204)
def post_notice(self, alert_id, rule_name, alert_date, alert_age): escalation_check(alert_id) if alert_id in seen_list: logging.warning("SLACK_API: Previously seen / ignored: %s" % alert_id) else: logging.info("Executing SLACK_API Call") res = self.slack_client.chat_postMessage(channel=self.channel, text="TheHive SLA Monitor: SLA Breach", blocks=slack_bot_alert_notice_template(alert_id, rule_name, alert_date, alert_age)) alert_dict[id] = {'channel': res['channel'], 'ts': res['message']['ts'], 'rule_name': rule_name, 'alert_date': alert_date, 'alert_age': alert_age} seen_list.append(alert_id)
def add_to_temp_ignore(alert_id): """ This method adds the alert_id to the ignore_list as a thread to avoid being re-alerted on. """ logging.info("Adding %s to ignore list" % alert_id) ignore_list.append(alert_id) ignore_thread = threading.Thread(target=clean_ignore_list, args=(alert_id, )) ignore_thread.start() return alert_id
def promote_to_case(case_id): logging.info("Promoting Alert " + case_id) response = api.promote_alert_to_case(case_id) if response.status_code == 201: data = json.dumps(response.json()) jdata = json.loads(data) case_id = (jdata['id']) return case_id else: logging.error('ko: {}/{}'.format(response.status_code, response.text))
def make_call(id): if id in called_list: logging.info("User has been called regarding ID: " + id) else: call = twilio_client.calls.create(url=twimlet, to='$insert_phone_number', from_=twilio_number) logging.info("Call Sent: " + str(call.sid)) try: add_to_called_list(id) except Exception as error: logging.error("Error when adding to list after making call: " + str(error))
def complete(alert_id): """ This method executes a promotion via the Hive for the selected alert_id The original Slack message is also updated The user is redirected to the approriate case via the Hive """ case_id = promote_to_case(alert_id) # if case_id != None: # Handle if TheHive alert doesn't exist logging.info("ID: %s. Case ID: %s" % (alert_id, case_id)) Slack().slack_chat_update(alert_id) hive_link = "http://%s:%d/index.html#!/case/%s/details" % ( HIVE_SERVER_IP, HIVE_SERVER_PORT, case_id) return redirect(hive_link, code=302)
def promote_to_case(case_id): """ This method promotes a provided alert to an case via the Hive """ logging.info("Promoting Alert %s" % case_id) response = HIVE_API.promote_alert_to_case(case_id) if response.status_code == 201: data = json.dumps(response.json()) jdata = json.loads(data) case_id = (jdata['id']) return case_id else: logging.error('TheHive: {}/{}'.format(response.status_code, response.text))
def ignore(id): add_to_temp_ignore(id) ignore_id = add_to_temp_ignore(id) logging.info("Ignoring ID: " + ignore_id) res = slack_client.chat.update(channel=alert_dict[id]['channel'], ts=alert_dict[id]["ts"], text="TheHive SLA Monitor: Case Ignored", blocks=slack_bot_alert_notice_ignore( id, alert_dict[id]['rule_name'], alert_dict[id]['alert_date'], alert_dict[id]['alert_age'])) res = slack_client.chat.getPermalink(channel=alert_dict[id]["channel"], message_ts=alert_dict[id]["ts"]) return ('', 204)
def complete(id): case_id = promote_to_case(id) logging.info("ID: " + id + " Case ID: " + case_id) res = slack_client.chat.update(channel=alert_dict[id]['channel'], ts=alert_dict[id]["ts"], text="TheHive SLA Monitor: Case Promoted", blocks=slack_bot_alert_notice_update( id, alert_dict[id]['rule_name'], alert_dict[id]['alert_date'], alert_dict[id]['alert_age'])) res = slack_client.chat.getPermalink(channel=alert_dict[id]["channel"], message_ts=alert_dict[id]["ts"]) hive_link = "https://%s/hive/index.html#/case/{}/details" % ( configuration.SYSTEM_SETTINGS['HIVE_URL'], format(case_id)) return redirect(hive_link, code=302)
def send_sms(*args): for alert_id, alert_name in hive_30_dict.items(): if alert_id in hive_30_list: logging.warning("Already sent SMS regarding ID: " + alert_id) else: if not is_empty(args): for alert_data in args: alert_dump = json.dumps(alert_data, indent=2) # logging.info(alert_dump) # If you want to see all items in Hive response alert_json = json.loads(alert_dump) severity = (alert_json['severity']) # I want severity all_artifacts = (alert_json['artifacts'] ) # I want all artifacts data_artifacts = ( alert_json['artifacts'][0]['data'] ) # I want only the data item which lies under the artifacts element msg_body = severity # Send only the severity # msg_body = severity + " " + data_artifacts # Send severity and data_artifacts else: msg_body = 'Please attend immediately!' twilio_msg_body = 'TheHive SLA Alert - %s \n %s' % (alert_id, msg_body) message = twilio_client.messages.create( body=twilio_msg_body, from_=configuration.TWILIO_SETTINGS['TWILIO_SENDER'], to=configuration.TWILIO_SETTINGS['TWILIO_RTCP']) t.sleep(2) logging.info('SMS Sent: ' + str(message.sid)) try: add_to_30m(alert_id) except Exception as re: logging.error("Error when adding to list after sending SMS: " + str(re))
def clean_ignore_list(id): t.sleep(3600) logging.info("Removing " + id + " from ignore list") ignore_list.remove(id)
def add_to_high_sev(self, id): if id in high_sev_list: logging.info('Already added - HIGH severity SLA list: %s' % id) else: high_sev_list.append(id)
def add_to_45m(id): if id in hive_45_list: logging.info('Already added - 45 minute SLA list: ' + id) else: logging.info('Appending - 45 minute SLA list: ' + id) hive_45_list.append(id)
def add_to_60m(id): if id in hive_60_list: logging.info('Already added - 60 minute SLA list: ' + id) else: logging.info('Appending - 60 minute SLA list: ' + id) hive_60_list.append(id)
def add_to_temp_ignore(id): logging.info("Adding " + id + " to ignore list") ignore_list.append(id) ignore_thread = threading.Thread(target=clean_ignore_list) ignore_thread.start() return id
def add_to_low_sev(self, id): if id in low_sev_list: logging.info('Already added - LOW severity SLA list: %s' % id) else: low_sev_list.append(id)
def add_to_med_sev(self, id): if id in med_sev_list: logging.info('Already added - MEDIUM severity SLA list: %s' % id) else: med_sev_list.append(id)
def add_to_called_list(id): logging.info("Adding " + id + " to called list") called_list.append(id) return id
def search(title, query): current_date = datetime.now().strftime('%Y-%m-%d %H:%M:%S') current_date = datetime.strptime(current_date, '%Y-%m-%d %H:%M:%S') response = api.find_alerts(query=query) if response.status_code == 200: data = json.dumps(response.json()) jdata = json.loads(data) for d in jdata: if d['severity'] == 3: ts = int(d['createdAt']) ts /= 1000 alert_date = datetime.fromtimestamp(ts).strftime( '%Y-%m-%d %H:%M:%S') logging.info("Found: " + d['id'] + " " + d['title'] + " " + str(alert_date)) alert_date = datetime.strptime(alert_date, '%Y-%m-%d %H:%M:%S') diff = (current_date - alert_date) if sla_30 < diff.total_seconds( ) and sla_45 > diff.total_seconds(): logging.info("30/M SLA: " + str(diff) + " " + d['id']) create_hive30_dict(d['id'], d['title'], str(alert_date), str(diff), d) add_to_30m(d['id']) elif sla_45 < diff.total_seconds( ) and sla_60 > diff.total_seconds(): logging.info("45/M SLA: " + str(diff) + " " + d['id']) create_hive45_dict(d['id'], d['title'], str(alert_date), str(diff), d) add_to_45m(d['id']) elif sla_60 < diff.total_seconds(): logging.info("60/M SLA: " + str(diff) + " " + d['id']) create_hive60_dict(d['id'], d['title'], str(alert_date), str(diff), d) add_to_60m(d['id']) logging.info('') else: logging.info('ko: {}/{}'.format(response.status_code, response.text))