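def phishingAlert():
    """Turn unread mails of the configured EWS folder into TheHive alerts.

    Each unread mail is expected to carry the reported phishing mail as a
    non-inline attachment. Every such attachment is written to a temporary
    file, parsed with eml_parser and turned into one TheHive alert whose
    artifacts are the attachment file, its Message-Id, the IPs found in the
    Received chain, the subject, the recipients, the Return-Path and, when
    present, the X-Originating-IP. The mail is marked as read afterwards,
    whether or not an alert could be created.

    Returns:
        dict: ``{'success': bool}`` -- True when every attachment of every
        unread mail was processed without error, False otherwise (mirrors
        the report shape of createQradarAlert).
    """
    logger = logging.getLogger(__name__)
    logger.info('%s.phishingAlert starts', __name__)
    report = dict()
    report['success'] = bool()
    cfg = getConf()
    ewsConnector = EwsConnector(cfg)
    folder_name = cfg.get('EWS', 'folder_name')
    unread = ewsConnector.scan(folder_name)
    theHiveConnector = TheHiveConnector(cfg)
    failures = 0
    for email in unread:
        conversationId = email.conversation_id.id
        # Subject and conversation id are untrusted mail content. They are
        # wrapped in a fenced markdown block; a subject containing ``` could
        # break out of it in TheHive's rendered description.
        alertTitle = str(email.subject)
        alertDescription = ('```\n' + 'Alert created by Synapse\n' +
                            'conversation_id: "' + str(conversationId) +
                            '"\n' + '```')
        # NOTE(review): the artifact list is shared by all attachments of a
        # mail, so a second non-inline attachment yields an alert that also
        # carries the first attachment's artifacts. Reset per attachment if
        # one alert per attachment is really intended.
        alertArtifacts = []
        alertTags = ['CAT 7']
        for msg in email.attachments:
            try:
                q = dict()
                q['sourceRef'] = str(conversationId)
                # NOTE(review): the lookup result is never consulted, so a
                # re-scanned conversation produces a duplicate alert. The
                # return shape of findAlert is not visible here; once known,
                # skip createAlert on a match (cf. createQradarAlert).
                esAlertId = theHiveConnector.findAlert(q)
                tempAttachment = TempAttachment(msg)
                if tempAttachment.isInline:
                    continue
                # NOTE(review): the written sample (a phishing mail) is never
                # removed from disk here; delete it after createAlert unless
                # TempAttachment owns the cleanup -- not visible from here.
                tmpFilepath = tempAttachment.writeFile()
                with open(tmpFilepath, 'rb') as fhdl:
                    raw_email = fhdl.read()
                parsed_eml = eml_parser.eml_parser.decode_email_b(raw_email)
                header_block = parsed_eml['header']['header']
                alertArtifacts.append(
                    theHiveConnector.craftAlertArtifact(
                        dataType='file',
                        message="Phishing Email",
                        data=tmpFilepath,
                        tags=['Synapse']))
                # Values under ['header']['header'] are lists (Message-Id is
                # indexed, Return-Path is iterated below).
                alertArtifacts.append(
                    theHiveConnector.craftAlertArtifact(
                        dataType='other',
                        message="Message Id",
                        data=header_block['message-id'][0],
                        tags=['Synapse']))
                for i in parsed_eml['header']['received_ip']:
                    alertArtifacts.append(
                        theHiveConnector.craftAlertArtifact(
                            dataType='ip',
                            message="Source IP",
                            data=i,
                            tags=['Synapse']))
                alertArtifacts.append(
                    theHiveConnector.craftAlertArtifact(
                        dataType='mail_subject',
                        message="Phishing Email Subject",
                        data=parsed_eml['header']['subject'],
                        tags=['Synapse']))
                for i in parsed_eml['header']['to']:
                    alertArtifacts.append(
                        theHiveConnector.craftAlertArtifact(
                            dataType='mail',
                            message="Recipients",
                            data=i,
                            tags=['Synapse']))
                for i in header_block['return-path']:
                    alertArtifacts.append(
                        theHiveConnector.craftAlertArtifact(
                            dataType='mail',
                            message="Return Path",
                            data=i,
                            tags=['Synapse']))
                if 'x-originating-ip' in header_block:
                    origin_ips = header_block['x-originating-ip']
                    # Same dict as message-id/return-path, so a list is
                    # expected; tolerate a bare string anyway.
                    if isinstance(origin_ips, str):
                        origin_ips = [origin_ips]
                    for i in origin_ips:
                        # An IP observable, not a mail address: the previous
                        # dataType='mail' produced an invalid artifact. The
                        # header is commonly written as "[a.b.c.d]"; strip
                        # the brackets so the value passes IP validation.
                        alertArtifacts.append(
                            theHiveConnector.craftAlertArtifact(
                                dataType='ip',
                                message="Origin IP",
                                data=str(i).strip('[] '),
                                tags=['Synapse']))
                alert = theHiveConnector.craftAlert(
                    alertTitle,
                    alertDescription,
                    severity=2,
                    tlp=2,
                    status="New",
                    date=(int(time.time() * 1000)),
                    tags=alertTags,
                    type="Phishing",
                    source="Phishing Mailbox",
                    sourceRef=conversationId,
                    artifacts=alertArtifacts,
                    caseTemplate="Category 7 - Phishing")
                theHiveEsAlertId = theHiveConnector.createAlert(alert)['id']
                logger.info('Alert %s created for conversation %s',
                            theHiveEsAlertId, conversationId)
            except Exception:
                # Record the failure instead of swallowing it: the mail is
                # still marked as read below, so this log line and the
                # report are the only trace that a report was dropped.
                failures += 1
                logger.error(
                    'Failed to create alert from attachment of conversation %s',
                    conversationId, exc_info=True)
        # Marked read even on failure so a poisoned attachment is not
        # reprocessed on every scan.
        ewsConnector.markAsRead(email)
    report['success'] = failures == 0
    return report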
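def createQradarAlert():
    """Import every QRadar offense unknown to TheHive as a TheHive alert.

    Offenses are fetched from QRadar, de-duplicated against TheHive by the
    ``sourceRef`` ``'QR<offense id>'`` and, when absent, turned into an
    alert with domain/ip artifacts built from ``source_network``,
    ``destination_networks`` and ``offense_source``. QRadar's 1-10 severity
    is mapped to TheHive's 1-3.

    Returns:
        dict: ``{'success': bool}`` -- True when the whole run completed,
        False when any exception was raised (it is logged with traceback).
    """
    logger = logging.getLogger(__name__)
    logger.info('%s.createQradarAlert starts', __name__)
    report = dict()
    report['success'] = bool()
    # offense field -> (TheHive dataType, how the field is read)
    artifact_fields = {
        'source_network': ('domain', 'STRING'),
        'destination_networks': ('domain', 'STRING_LIST'),
        'offense_source': ('ip', 'STRING')
    }
    try:
        cfg = getConf()
        qradarConnector = QRadarConnector(cfg)
        theHiveConnector = TheHiveConnector(cfg)
        # Retrieve QRadar offenses with "OPEN" status
        response = qradarConnector.getOffenses()
        # NOTE(review): one failing offense aborts the remaining ones because
        # the try wraps the whole loop; a per-offense try would let the run
        # continue and report only the failed ids.
        for offense in response:
            offenseId = str(offense['id'])
            sourceRef = 'QR' + offenseId
            # Check if offense is already imported in TheHive.
            # NOTE(review): anything other than an empty list (e.g. an error
            # body) is treated as "already imported" and silently skipped.
            theHive_alert = theHiveConnector.getAlerts({
                'sourceRef': sourceRef
            }).json()
            if theHive_alert != []:
                logger.info('%s already imported', sourceRef)
                continue
            logger.info('%s not imported', sourceRef)
            # Build the dataType -> values mapping for the alert artifacts
            artifacts_dict = defaultdict(list)
            for field, (dataType, fieldKind) in artifact_fields.items():
                if fieldKind == 'STRING_LIST':
                    artifacts_dict[dataType].extend(offense[field])
                elif fieldKind == 'STRING':
                    artifacts_dict[dataType].append(offense[field])
            artifacts_list = theHiveConnector.craftAlertArtifact(
                artifacts_dict)
            logger.debug('%s artifacts: %s', sourceRef, artifacts_dict)
            # Prepare the other alert fields
            title = "#" + offenseId + " QRadar - " + offense['description']
            description = ' / '.join(offense['categories'])
            # QRadar severity 1-2 -> low, 3-6 -> medium, 7-10 -> high
            if offense['severity'] < 3:
                severity = 1
            elif offense['severity'] > 6:
                severity = 3
            else:
                severity = 2
            date = offense['start_time']
            tags = ['Synapse', 'src:QRadar', 'QRadarID:' + offenseId]
            # Create the Alert object and send it to TheHive
            alert = theHiveConnector.craftAlert(title, description, severity,
                                                date, tags, sourceRef,
                                                artifacts_list)
            theHiveConnector.createAlert(alert)
        report['success'] = True
        return report
    except Exception:
        logger.error('Failed to create alert from QRadar offense',
                     exc_info=True)
        report['success'] = False
        return report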