def createRTIRIncident(esid):
search = get_hits(esid)
rtir_url = parser.get('rtir', 'rtir_url')
rtir_api = parser.get('rtir', 'rtir_api')
rtir_user = parser.get('rtir', 'rtir_user')
rtir_pass = parser.get('rtir', 'rtir_pass')
rtir_queue = parser.get('rtir', 'rtir_queue')
rtir_creator = parser.get('rtir', 'rtir_creator')
verify_cert = parser.getboolean('rtir', 'rtir_verifycert', fallback=False)
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
description = str(message)
event = result['event']
rtir_subject = f'New {event["module"]}_{event["dataset"]} Event From Security Onion'
rtir_text = description
rtir_rt = rt.Rt(rtir_url + '/' + rtir_api,
rtir_user,
rtir_pass,
verify_cert=verify_cert)
rtir_rt.login()
rtir_rt.create_ticket(Queue=rtir_queue,
Owner=rtir_creator,
Subject=rtir_subject,
Text=rtir_text)
rtir_rt.logout()
# Redirect to RTIR instance
return redirect(rtir_url)
def createFIREvent(esid):
search = get_hits(esid)
fir_api = '/api/incidents'
fir_url = parser.get('fir', 'fir_url')
fir_token = parser.get('fir', 'fir_token')
actor = parser.get('fir', 'fir_actor')
category = parser.get('fir', 'fir_category')
confidentiality = parser.get('fir', 'fir_confidentiality')
detection = parser.get('fir', 'fir_detection')
plan = parser.get('fir', 'fir_plan')
severity = parser.get('fir', 'fir_severity')
verify_cert = parser.getboolean('fir', 'fir_verifycert', fallback=False)
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
event = result['event']
description = str(message)
subject = f'New {event["module"]}_{event["dataset"]} Event From Security Onion'
headers = {
'Authorization': 'Token ' + fir_token,
'Content-type': 'application/json'
}
data = {
"actor": actor,
"category": category,
"confidentiality": confidentiality,
"description": description,
"detection": detection,
"plan": plan,
"severity": int(severity),
"subject": subject
}
requests.post(fir_url + fir_api,
headers=headers,
data=json.dumps(data),
verify=verify_cert)
# Redirect to FIR instance
return redirect(fir_url + '/events')
def createMISPEvent(esid):
search = get_hits(esid)
# MISP Stuff
misp_url = parser.get('misp', 'misp_url')
misp_key = parser.get('misp', 'misp_key')
misp_verifycert = parser.getboolean('misp',
'misp_verifycert',
fallback=False)
distrib = parser.get('misp', 'distrib')
threat = parser.get('misp', 'threat')
analysis = parser.get('misp', 'analysis')
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
description = str(message)
info = description
def init(url, key):
return PyMISP(url, key, ssl=misp_verifycert, debug=True)
misp = init(misp_url, misp_key)
event = misp.new_event(distrib, threat, analysis, info)
event_id = str(event['Event']['id'])
if result.get('source', {}).get('ip'):
data_type = "ip-src"
source_ip = result['source']['ip']
misp.add_named_attribute(event_id, data_type, source_ip)
if result.get('destination', {}).get('ip'):
data_type = "ip-dst"
destination_ip = result['destination']['ip']
misp.add_named_attribute(event_id, data_type, destination_ip)
# Redirect to MISP instance
return redirect(misp_url + '/events/index')
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
from requests.utils import quote
from config import parser, es_index
esserver = parser.get('es', 'es_url')
es_user = parser.get('es', 'es_user', fallback="")
es_pass = parser.get('es', "es_pass", fallback="")
es_verifycert = parser.getboolean('es', 'es_verifycert', fallback=False)
search_index = f'*:{es_index}'
def get_hits(esid: str) -> dict:
query = {"query": {"bool": {"must": {"match": {'_id': esid}}}}}
res_json = __es_search__(query)
if res_json['hits']['total']['value'] > 0:
return res_json
def get_conn(conn_id: str) -> dict:
query = {"bool": {"must": [{"match": {"event_type": "bro_conn"}}, {"match": {"uid": conn_id}}]}}
res_json = __es_search__(query)
if res_json['hits']['total']['value'] > 0:
return res_json
def do_update(esindex: str, esid: str, tags: str) -> dict:
local_index = esindex.split(":")[1]
query = {"doc": {"tags": tags}}
import requests
from pymisp import PyMISP
from config import parser
from pymemcache.client.base import Client
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
memcached_host = parser.get('memcached', 'host')
memcached_port = int(parser.get('memcached', 'port'))
memcached_agetime = int(parser.get('memcached', 'agetime'))
memcached_sleeptime = int(parser.get('memcached', 'sleeptime'))
memcached = Client((memcached_host, memcached_port))
misp_url = parser.get('misp', 'url')
misp_key = parser.get('misp', 'apikey')
misp_verifycert = parser.getboolean('misp', 'verifycert')
def getAttrs():
def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json')
misp = init(misp_url, misp_key)
call_path = 'attributes/restSearch'
with open('misp2elastic.yaml', 'r') as f:
mispyaml = yaml.safe_load(f)
for i in mispyaml["iocs"]:
for t in mispyaml["iocs"][i]["tags"]:
search = '{"returnFormat":"json", "type":"' + i + '", "tags":"' + t + '"}'
response = misp.direct_call(call_path, search)
for event in response['response']['Attribute']:
import uuid
import sys
import rt
import requests
import os
import base64
import time
import jsonpickle
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
es_url = parser.get('es', 'es_url')
hive_url = parser.get('hive', 'hive_url')
hive_key = parser.get('hive', 'hive_key')
hive_verifycert = parser.getboolean('hive', 'hive_verifycert', fallback=False)
def hiveInit():
return TheHiveApi(hive_url, hive_key, cert=hive_verifycert)
def createHiveAlert(esid):
search = get_hits(esid)
# Hive Stuff
hive_url = parser.get('hive', 'hive_url')
hive_api = hiveInit()
tlp = int(parser.get('hive', 'hive_tlp'))
for item in search['hits']['hits']:
# Get initial details
result = item['_source']
def thehive_casetemplate_update(issue_id):
# Get play metadata - specifically the raw Sigma
play_meta = play_metadata(issue_id)
# Generate Sigma metadata
sigma_meta = sigma_metadata(play_meta['sigma_raw'],
play_meta['sigma_dict'], play_meta['playid'])
# Check to see if there are any tasks - if so, get them formatted
tasks = []
if sigma_meta.get('tasks'):
task_order = 0
for task_title, task_desc in sigma_meta.get('tasks').items():
task_order += 1
tasks.append({
"order": task_order,
"title": task_title,
"description": task_desc
})
else:
tasks = []
for analyzer in play_meta['case_analyzers']:
minimal_name = re.sub(r' - \S*$', '', analyzer)
tasks.insert(
0, {
"order": 0,
"title": f"Analyzer - {minimal_name}",
"description": minimal_name
})
# Build the case template
case_template = \
{
"name": play_meta['playid'],
"severity": 2,
"tlp": 3,
"metrics": {},
"customFields": {
"playObjective": {
"string": sigma_meta['description']
},
"playbookLink": {
"string": f"{playbook_url}/issues/{issue_id}"
}
},
"description": sigma_meta['description'],
"tasks": tasks
}
# Is there a Case Template already created?
if play_meta['hiveid']:
# Case Template exists - let's update it
url = f"{parser.get('hive', 'hive_url')}api/case/template/{play_meta['hiveid']}"
requests.patch(url,
data=json.dumps(case_template),
headers=hive_headers,
verify=parser.getboolean('hive',
'hive_verifycert',
fallback=False)).json()
else:
# Case Template does not exist - let's create it
url = f"{parser.get('hive', 'hive_url')}api/case/template"
r = requests.post(url,
data=json.dumps(case_template),
headers=hive_headers,
verify=parser.getboolean('hive',
'hive_verifycert',
fallback=False))
if r.status_code != 201:
print(f"TheHive Template Creation Failed: {r.__dict__}",
file=sys.stderr)
else:
# Update Play (on Redmine) with Case Template ID
r = r.json()
url = f"{playbook_url}/issues/{issue_id}.json"
data = '{"issue":{"custom_fields":[{"id":7,"value":"' + r[
'id'] + '"}]}}'
requests.put(url,
data=data,
headers=playbook_headers,
verify=playbook_verifycert)
return 200, "success"
from ruamel.yaml.compat import StringIO
import ruamel.yaml
from config import parser
yaml = ruamel.yaml.YAML(typ='safe')
playbook_headers = {
'X-Redmine-API-Key': parser.get("playbook", "playbook_key"),
'Content-Type': 'application/json'
}
playbook_url = parser.get("playbook", "playbook_url")
playbook_external_url = parser.get("playbook", "playbook_ext_url")
playbook_unit_test_index = parser.get("playbook", "playbook_unit_test_index")
playbook_verifycert = parser.getboolean('playbook',
'playbook_verifycert',
fallback=False)
hive_headers = {
'Authorization': f"Bearer {parser.get('hive', 'hive_key')}",
'Accept': 'application/json, text/plain',
'Content-Type': 'application/json;charset=utf-8'
}
es_url = parser.get("es", "es_url")
es_ip = parser.get("es", "es_ip")
es_verifycert = parser.getboolean('es', 'es_verifycert', fallback=False)
def navigator_update():
# Get play data from Redmine
