def create_alarm(self,
title,
source_ref=None,
description='N/A',
alert_type='external',
source='LogRhythm',
iocs=None,
additional_fields=None,
additional_tags=None,
tlp=TLP.AMBER,
pap=PAP.AMBER,
severity=HiveSeverity.MEDIUM):
if source_ref is None:
source_ref = str(uuid.uuid4())[0:6]
alert_tags = self.alert_tags.copy()
if additional_tags is not None:
for additional_tag in additional_tags:
alert_tags.append(additional_tag)
custom_fields_helper = CustomFieldHelper()
if additional_fields is not None:
for field in additional_fields:
custom_fields_helper.add_string(field['name'], field['value'])
custom_fields = custom_fields_helper.build()
artifacts = list()
if iocs is not None:
for ioc in iocs:
artifacts.append(
AlertArtifact(dataType=ioc['type'].value,
data=ioc['value']))
hive_alert = Alert(title=title,
tlp=tlp.value,
tags=alert_tags,
description=description,
type=alert_type,
source=source,
sourceRef=source_ref,
pap=pap.value,
artifacts=artifacts,
customFields=custom_fields,
severity=severity.value)
response = self.api.create_alert(hive_alert)
if response.status_code == 201:
print('Alerta Creada Exitosamente')
print(json.dumps(response.json(), indent=4, sort_keys=True))
else:
print('Error')
print(response.text)
return response.json()
def CreateHiveAlertFromSentinel(api, title, description, incidentnumber,
severity, source, artifacts, alertIds,
incidentURL):
tags = []
if severity == "Low":
theHiveSeverity = 1
elif severity == "Informational":
theHiveSeverity = 1
elif severity == "Medium":
theHiveSeverity = 2
elif severity == "High":
theHiveSeverity = 3
alertIdsStr = ' '.join(map(str, alertIds))
customFields = CustomFieldHelper()
customFields.add_number('sentinelIncidentNumber', incidentnumber)
customFields.add_string('alertIds', alertIdsStr)
customFields.add_string('incidentURL', incidentURL)
customFields = customFields.build()
alert = Alert(title=title,
tlp=2,
tags=tags,
description=description,
type='Sentinel',
severity=theHiveSeverity,
source='Sentinel:' + source,
customFields=customFields,
sourceRef="Sentinel" + str(incidentnumber),
artifacts=artifacts)
# Create the Alert
response = api.create_alert(alert)
if response.status_code == 201:
logging.info(
'Alert created: ' + 'Sentinel' + str(incidentnumber) + ': ' +
source + ': ' + title +
'. StatusCode: {}/{}'.format(response.status_code, response.text))
elif (response.status_code == 400
and response.json()['type'] == "ConflictError"):
logging.info(
'Duplicate alert: ' + 'Sentinel' + str(incidentnumber) + ': ' +
source + ': ' + title +
'. StatusCode: {}/{}'.format(response.status_code, response.text))
else:
logging.error(
'failed to create alert: ' + source + ' ' + title + ' Sentinel' +
str(incidentnumber) +
'. StatusCode: {}/{}'.format(response.status_code, response.text))
sys.exit(0)
def create_case(self,
title,
tasks=None,
tlp=TLP.AMBER,
pap=PAP.AMBER,
severity=HiveSeverity.MEDIUM,
additional_fields=None,
additional_tags=None,
flag=False,
description='N/A'):
case_tags = self.case_tags.copy()
if additional_tags is not None:
for additional_tag in additional_tags:
case_tags.append(additional_tag)
custom_fields_helper = CustomFieldHelper()
if additional_fields is not None:
for field in additional_fields:
custom_fields_helper.add_string(field['name'], field['value'])
custom_fields = custom_fields_helper.build()
new_tasks = list()
if tasks is not None:
for task in tasks:
new_tasks.append(CaseTask(title=task))
hive_case = Case(title=title,
tlp=tlp.value,
pap=pap.value,
description=description,
tags=case_tags,
severity=severity.value,
flag=flag,
customFields=custom_fields,
tasks=new_tasks)
response = self.api.create_case(hive_case)
if response.status_code == 201:
print('Caso Creada Exitosamente')
print(json.dumps(response.json(), indent=4, sort_keys=True))
else:
print('Error')
print(response.text)
return response.json()
def build(fields: Dict) -> Dict:
custom_field_helper = CustomFieldHelper()
for key, field_value in fields.items():
if ('time' in key.lower() or 'date' in key.lower()) and isinstance(field_value, int):
custom_field_helper.add_date(key, field_value * 1000)
elif isinstance(field_value, datetime):
custom_field_helper.add_number(key, int(field_value.timestamp()) * 1000)
elif isinstance(field_value, bool):
custom_field_helper.add_boolean(key, field_value)
elif isinstance(field_value, int):
custom_field_helper.add_number(key, field_value)
elif isinstance(field_value, str):
custom_field_helper.add_string(key, field_value)
else:
try:
custom_field_helper.add_string(key, field_value)
except (TypeError, ValueError):
pass
return custom_field_helper.build()
'"{}","{}","{}","{}"'.format(offense_id, aql_id, 'username',
'Open'))
records = qr.get_aql_results(aql_id)
if records:
retval = parse_get_aql(records, 'username')
if retval:
for item in retval:
if item != None:
username_list.append(item)
sl.update_record(enrichment_table, 'status',
'Closed', 'enrichment_id', aql_id)
# # Adding custom_fields values to the case - static mapping.
custom_fields = CustomFieldHelper()
custom_fields.add_number('qradar_id', offense_id)
custom_fields.add_string('offense_source', offense_source)
custom_fields.build()
tlp = offense_severity_mapper(offense_magnitude)['sev']
# #Case - Offense summary md.
build_desc = """|Offense Summary:|\n|---|\n|Offense Description: {}|\n|Source NW: {}|\n|Destination NW: {}|\n|Source IPs: {}|\n|Local Destination IPs: {}|\n|Remote Destination IPs: {}|\n|Usernames: {}|\n---\nLink to the Offense: {}""".format(
offense_desc, offense_src_nw, offense_dst_nw, source_address_list,
local_dest_list, remote_dest_list, username_list, offense_link)
# #Some sample tasks-response actions for posting in the case. Customize per your reqs.
# #TODO: You can also utilize - thehive-playbook-creator - for dynamic task/playbook assignment using your QRadar Rule groups.
tasks = [
CaseTask(title='PB:- Phase:Identification'),
CaseTask(title='PB: - Phase:Remediation'),
CaseTask(title='PB: - Phase:Lessons Learned',