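def rapid7IDRAlerts2Alerts(alert_data, org_name, *, severity=2):
    """Turn one Rapid7 Insight IDR alert payload into a TheHive alert.

    The alert is sent with ``createAlert``; when that raises ``ValueError``
    (treated here as "an alert with this ``sourceRef`` already exists") the
    existing alert is refreshed with ``updateAlert`` instead.

    Args:
        alert_data: Decoded IDR alert (dict). Keys read, all optional:
            ``timestamp``, ``actors.users[].name``,
            ``actors.assets[].shortname``, ``title`` / ``name`` and
            ``investigationId``. The payload is external input; its values
            end up verbatim in the alert title, tags and description.
        org_name: Organisation name stored in the ``client`` custom field
            and handed to ``descriptionCrafter``.
        severity: TheHive severity written on the alert. Defaults to 2
            because the IDR payload's own priority is not mapped here; a
            caller that knows the priority can pass it.

    Returns:
        ``{'success': bool}`` - True when the alert was created or updated,
        False when the update fallback failed too.

    Raises:
        Whatever ``createAlert`` raises other than ``ValueError`` is not
        caught and propagates to the caller.
    """
    logger = logging.getLogger('workflows.' + __name__)
    logger.info('%s.rapid7IDRAlerts2Alert starts', __name__)
    result = {'success': False}

    theHiveConnector = TheHiveConnector(getConf())

    logger.info("Building custom fields ...")
    customFields = (CustomFieldHelper()
                    .add_string('client', org_name)
                    .build())

    # Tags are the user names and asset short names the alert involves.
    # Empty names and duplicates are dropped so TheHive never receives a
    # "" tag or the same tag twice.
    actors = alert_data.get('actors', {})
    tag_values = [user.get('name', "") for user in actors.get('users', [])]
    tag_values += [asset.get('shortname', "") for asset in actors.get('assets', [])]
    tags = list(dict.fromkeys(tag for tag in tag_values if tag))

    # Alert time: the payload's timestamp when present, else "now". A naive
    # datetime is interpreted as local time by .timestamp(); TheHive takes
    # epoch milliseconds.
    raw_timestamp = alert_data.get('timestamp')
    if raw_timestamp:
        alert_date = dateutil_parser.parse(raw_timestamp)
    else:
        alert_date = datetime.datetime.now()

    # Without an investigationId the sourceRef is a random UUID, so the
    # "update existing alert" fallback below cannot match a previous alert.
    source_ref = alert_data.get('investigationId') or str(uuid.uuid4())

    logger.info("Building description ...")
    description = descriptionCrafter(alert_data, org_name)

    logger.info("Building alert ...")
    alert = theHiveConnector.craftAlert(
        title=alert_data.get(
            'title', alert_data.get('name', "New alert from Rapid7 Insight IDR")),
        description=description,
        severity=severity,
        date=int(alert_date.timestamp()) * 1000,
        tags=tags,
        tlp=2,
        status="New",
        type="SIEM",
        source="Rapid7 Insight IDR",
        sourceRef=source_ref,
        artifacts=artifactsCrafter(alert_data),
        caseTemplate="Insight IDR Case",
        customFields=customFields)

    logger.info("Sending alert to TheHive ...")
    try:
        ret = theHiveConnector.createAlert(alert)
        logger.info("Alert %s created in TheHive", ret['id'])
        result['success'] = True
    except ValueError:
        logger.warning("Alert creation failed, trying to update ...")
        try:
            ret = theHiveConnector.updateAlert(alert.sourceRef, alert)
            logger.info("Alert %s updated in TheHive", ret['id'])
            result['success'] = True
        except Exception as error:
            # Best-effort fallback: report the failure through the result
            # rather than aborting the caller.
            logger.error("Alert update failed ! %s", error)
            result['success'] = False
    return result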
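def _cbNotification2Alert(notification, org, theHiveConnector):
    """Build (without sending) the TheHive alert for one Carbon Black notification.

    Args:
        notification: One item returned by ``CBConnector.getAllNotifications``.
            Keys read, all required: ``deviceInfo.deviceName``,
            ``deviceInfo.deviceId``, ``threatInfo.summary``,
            ``threatInfo.score``, ``threatInfo.incidentId``, ``eventTime``.
        org: One entry of the ``orgs`` list in ``conf/carbonblack.json``.
            Keys read: ``name``, ``short-name``, ``orgId``, ``jira-project``.
        theHiveConnector: Connector passed through to ``artifactCrafter``
            and used to craft the alert.

    Returns:
        The alert object produced by ``theHiveConnector.craftAlert``.

    Raises:
        KeyError/IndexError/ValueError when a required key is missing or
        ``threatInfo.score`` has no entry in ``SEVERITIES``.
    """
    orgName = org['name']
    orgShortName = org['short-name']
    orgId = org['orgId']
    client = org['jira-project']

    deviceInfo = notification['deviceInfo']
    threatInfo = notification['threatInfo']
    deviceName = str(deviceInfo['deviceName'])
    sensor_id = str(deviceInfo['deviceId'])
    summary = str(threatInfo['summary'])
    # Carbon Black scores are translated to TheHive severities via SEVERITIES.
    severity = int(SEVERITIES[int(threatInfo['score'])])
    # Passed through unchanged; assumes eventTime is already in the unit
    # TheHive expects (epoch milliseconds) - confirm against the CB API.
    date_created = int(notification['eventTime'])
    offense_id = str(threatInfo['incidentId'])
    # The org short name prefix keeps incident ids of different orgs from
    # colliding in TheHive's sourceRef.
    source_ref = "{}-{}".format(orgShortName, offense_id)

    customFields = (CustomFieldHelper()
                    .add_string('client', client)
                    .add_string('sensorID', sensor_id)
                    .add_string('hostname', deviceName)
                    .build())

    # artifactCrafter receives the (initially empty) tag list and may fill it.
    tags = []
    artifacts = artifactCrafter(notification, theHiveConnector, tags)
    artifacts.append(AlertArtifact(
        dataType='carbon_black_alert_id',
        data=offense_id,
        message="ID of alert in Carbon Black",
        tags=[offense_id],
        ignoreSimilarity=True))

    return theHiveConnector.craftAlert(
        title=summary,
        description=descriptionCrafter(notification, orgName, orgId),
        severity=severity,
        date=date_created,
        tags=tags,
        tlp=2,
        status="New",
        type='EDR',
        source='Carbon Black',
        sourceRef=source_ref,
        artifacts=artifacts,
        caseTemplate='Carbon Black Case',
        customFields=customFields)


def allNotifs2Alert():
    """Fetch every Carbon Black notification for each configured org and push it to TheHive.

    Organisations are read from ``conf/carbonblack.json`` (key ``orgs``),
    one directory above ``current_dir``. Each notification becomes an alert
    via ``_cbNotification2Alert`` and is sent with ``createAlert``; a
    ``ValueError`` there is treated as "alert already exists" and the alert
    is updated by ``sourceRef`` instead.

    Returns:
        ``{'success': bool, 'message': str}``. ``success`` is True only when
        every org and notification was processed without an uncaught
        exception; otherwise ``message`` carries the exception text. Note
        that any exception other than ``ValueError`` raised for one
        notification (missing key, unmapped score, API error) aborts the
        remaining notifications and orgs of this run.
    """
    logger = logging.getLogger('workflows.' + __name__)
    logger.info('%s.allNotifs2Alert starts', __name__)
    result = {'success': False, 'message': ""}
    try:
        carbonBlack = CBConnector()
        theHiveConnector = TheHiveConnector(getConf())

        config_path = os.path.join(current_dir, "..", "conf", "carbonblack.json")
        with open(config_path) as fd:
            organizations = json.load(fd)['orgs']

        for org in organizations:
            notifications = carbonBlack.getAllNotifications(
                org['notifications_profile'], org['alerts_profile'])
            for notification in notifications:
                alert = _cbNotification2Alert(notification, org, theHiveConnector)
                try:
                    ret = theHiveConnector.createAlert(alert)
                    logger.info('Alert %s created in TheHive', ret['id'])
                except ValueError:
                    logger.warning('Failed to create alert trying to update')
                    try:
                        ret = theHiveConnector.updateAlert(alert.sourceRef, alert)
                        logger.info('Alert %s updated in TheHive', ret['id'])
                    except ValueError as error:
                        # This is the update path; the old message claimed a
                        # create failure, which hid what actually went wrong.
                        logger.error("Failed to update alert ! %s", error)
        result['success'] = True
    except Exception as error:
        # Any other failure is reported through the result, not raised.
        result['success'] = False
        result['message'] = str(error)
    return result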