def __init__(self):
Responder.__init__(self)
self.es_host = self.get_param('config.es_host', message='You have to configure an Elasticsearch host')
self.es_port = self.get_param('config.es_port', default="9200")
self.es_username = self.get_param('config.es_username')
self.es_password = self.get_param('config.es_password')
self.es_index = self.get_param('config.es_index', default='alert_hashes')
self.es_kwargs = {
'hosts': [':'.join([self.es_host, self.es_port])]
}
if self.es_username:
self.es_kwargs['http_auth'] = (self.es_username, self.es_password)
self.es_kwargs.update({
'use_ssl': self.get_param('es_use_ssl', default=False),
'verify_certs': self.get_param('es_verify_certs', default=False),
'client_cert': self.get_param('es_client_cert'),
'client_key': self.get_param('es_client_key'),
'ca_certs': self.get_param('es_ca_certs'),
'timeout': self.get_param('es_timeout', default=20)
})
def __init__(self):
Responder.__init__(self)
self.service = self.get_param("config.service", None, "Service Missing")
self.amp_cloud = self.get_param("config.amp_cloud", None, "AMP HOST Missing")
self.client_id = self.get_param("config.client_id", None, "Client ID Missing")
self.api_key = self.get_param("config.api_key", None, "API Key Missing")
if self.service in ("scdadd", "scdremove"):
self.scd_guid = self.get_param(
"config.scd_guid", None, "Simple Custom Detectoin GUID Missing"
)
if self.service in ("moveguid"):
self.group_guid = self.get_param(
"config.group_guid", None, "Group GUID Missing"
)
if self.service in ("isolationstart"):
self.unlock_code = self.get_param("config.unlock_code", None)
self.amp_session = requests.Session()
self.amp_session.auth = (self.client_id, self.api_key)
self.amp_session.headers.update(
{
"User-Agent": "AMPforEndpoints-Cortex-Responder",
"Content-Type": "application/json",
"Accept": "application/json",
"Accept-Encoding": "gzip, deflate",
}
)
def run(self):
Responder.run(self)
def api_call(ip_addr, port, command, json_payload, sid):
url = 'https://' + str(ip_addr) + ':' + str(port) + '/web_api/' + command
if sid == '':
request_headers = {'Content-Type' : 'application/json'}
else:
request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
r = requests.post(url,data=json.dumps(json_payload), headers=request_headers, verify=False)
return r.json()
def login(user,password):
payload = {'user':user, 'password' : password}
response = api_call('192.168.50.52', 443, 'login',payload, '')
return response['sid']
sid = login(self.username,self.password)
#print("session id: " + sid)
new_host_data = {'name':'new host name', 'ip-address':self.host_ip}
new_host_result = api_call('192.168.50.52', 443,'add-host', new_host_data ,sid)
#print(json.dumps(new_host_result))
publish_result = api_call('192.168.50.52', 443,"publish", {},sid)
#print("publish result: " + json.dumps(publish_result))
logout_result = api_call('192.168.50.52', 443,"logout", {},sid)
def __init__(self):
Responder.__init__(self)
self.flow_master_controller = self.get_param('config.flow_master_controller', None, "Endpoint is Missing")
self.thehive_instance = self.get_param('config.thehive_instance', 'localhost:9000')
self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
self.api = TheHiveApi(self.thehive_instance,self.thehive_api_key)
self.Cert_Path = self.get_param('config.Cert_Path')
def run(self):
Responder.run(self)
if self.get_param('data.dataType') == 'domain':
domain = self.get_param('data.data', None, 'No artifacts available')
dstUrl = "http://" + domain
date = datetime.now().strftime("%Y-%m-%dT%XZ")
headers = {
'user-agent': 'UmbrellaBlacklister-Cortex-Responder',
'Content-Type': 'application/json'
}
payload = {
"alertTime": date,
"deviceId": "cortex_thehive",
"deviceVersion": "2.4.81",
"dstDomain": domain,
"dstUrl": dstUrl,
"eventTime": date,
"protocolVersion": "1.0a",
"providerName": "Security Platform"
}
r = requests.post(self.integration_url, json=payload, headers=headers)
if r.status_code == 200 | 202:
self.report({'message': 'Blacklisted in Umbrella.'})
else:
self.error('Failed to add to blacklist.')
else:
self.error('Incorrect dataType. "Domain" expexted.')
def __init__(self):
Responder.__init__(self)
self.case_data_filter = [
"endDate", "startDate", "title", "createdAt", "caseId", "pap",
"tlp", "severity", "owner", "createdBy", "updatedBy", "summary",
"tags", "resolutionStatus", "impactStatus", "status",
"customFields"
]
self.case_observables_filter = [
"data", "dataType", "sighted", "tags", "createdAt", "createdBy",
"pap", "tlp", "ioc", "startDate", "status"
]
self.case_tasks_filter = [
"caseTasks", "updatedBy", "createdAt", "flag", "description",
"title", "createdBy", "updatedAt", "order", "status", "group"
]
self.api_key = self.get_param('config.api_key', None,
'Missing API-key')
self.https_address = self.get_param('config.https_address',
'localhost')
self.https_port = self.get_param('config.https_port', 9000,
'Missing thehive port')
self.smtp_host = self.get_param('config.smtp_host', 'localhost')
self.smtp_port = self.get_param('config.smtp_port', '25')
self.mail_from = self.get_param('config.from', None,
'Missing sender email address')
self.api = TheHiveApi(
f"https://{self.https_address}:{self.https_port}", self.api_key)
def run(self):
Responder.run(self)
#data_type = self.get_param('data.dataType')
auth = client.login(self.checkpoint_apikey)
if self.server_ip == "ip":
try:
ipaddress.ip_address(self.server_ip)
except ValueError:
self.error({'message': "Not a valid IPv4/IPv6 address!"})
else:
self.error({'message': "Not a valid IPv4/IPv6 address!"})
if auth.success is False:
print("Login failed:\n{}".format(auth.error_message))
exit(1)
# add a rule to the top of the "Network" layer
add_rule_response = client.api_call("add-access-rule",
{"name": self.rule_name, "layer": "Network", "position": "top"})
if add_rule_response.success:
print("The rule: '{}' has been added successfully".format(self.rule_name))
# publish the result
publish_res = client.api_call("publish", {})
if publish_res.success:
print("The changes were published successfully.")
else:
print("Failed to publish the changes.")
else:
print("Failed to add the access-rule: '{}', Error:\n{}".format(self.rule_name, add_rule_response.error_message))
def run(self):
Responder.run(self)
title = self.get_param('data.title', None, 'title is missing')
description = self.get_param('data.description', None, 'description is missing')
mail_to = None
if self.data_type == 'thehive:case':
# Search recipient address in tags
tags = self.get_param('data.tags', None, 'recipient address not found in tags')
mail_tags = [t[5:] for t in tags if t.startswith('mail:')]
if mail_tags:
mail_to = mail_tags.pop()
else:
self.error('recipient address not found in observables')
elif self.data_type == 'thehive:alert':
# Search recipient address in artifacts
artifacts = self.get_param('data.artifacts', None, 'recipient address not found in observables')
mail_artifacts = [a['data'] for a in artifacts if a.get('dataType') == 'mail' and 'data' in a]
if mail_artifacts:
mail_to = mail_artifacts.pop()
else:
self.error('recipient address not found in observables')
else:
self.error('Invalid dataType')
msg = MIMEMultipart()
msg['Subject'] = title
msg['From'] = self.mail_from
msg['To'] = mail_to
msg.attach(MIMEText(description, 'plain'))
s = smtplib.SMTP(self.smtp_host)
s.sendmail(self.mail_from, [mail_to], msg.as_string())
s.quit()
self.report({'message': 'message sent'})
def run(self):
Responder.run(self)
auth = (self.wazuh_user, self.wazuh_password)
headers = {'Content-Type': 'application/json'}
# Check observable to ensure valid IP address
if self.observable_type == "filename":
try:
os.path.isfile(self.observable)
except ValueError:
self.error({'message': "Not a file!"})
else:
self.error({'message': "Not a file!"})
payload = '{"command":"file-encryptor.sh", "arguments": ["-", "' + self.observable + '", "var/log/test.log"], "custom": "True"}'
r = requests.put(self.wazuh_manager + '/active-response/' +
self.wazuh_agent_id,
headers=headers,
data=payload,
verify=False,
auth=auth)
if r.status_code == 200:
self.report({'message': "File encrypted for " + self.observable})
else:
self.error(r.status_code)
def run(self):
Responder.run(self)
title = self.get_param('data.title', None, 'title is missing')
title = title.encode('utf-8')
description = self.get_param('data.description', None,
'description is missing')
description = description.encode('utf-8')
mail_to = None
if self.data_type == 'thehive:case':
# Search recipient address in tags
tags = self.get_param('data.tags', None,
'recipient address not found in tags')
mail_tags = [t[5:] for t in tags if t.startswith('mail:')]
if mail_tags:
mail_to = mail_tags.pop()
else:
self.error('recipient address not found in observables')
elif self.data_type == 'thehive:alert':
# Search recipient address in artifacts
artifacts = self.get_param(
'data.artifacts', None,
'recipient address not found in observables')
mail_artifacts = [
a['data'] for a in artifacts
if a.get('dataType') == 'mail' and 'data' in a
]
if mail_artifacts:
mail_to = mail_artifacts.pop()
else:
self.error('recipient address not found in observables')
else:
self.error('Invalid dataType')
msg = MIMEMultipart()
msg['Subject'] = title
msg['From'] = self.mail_from
msg['To'] = mail_to
msg['Date'] = formatdate(localtime=True)
msg['Message-ID'] = make_msgid()
msg.attach(MIMEText(description, 'plain'))
s = smtplib.SMTP(self.smtp_host, self.smtp_port)
if (self.smtp_auth):
try:
s.starttls()
s.login(self.mail_user, self.mail_pass)
except:
self.error('an error occured with SMTP username/password')
try:
s.sendmail(self.mail_from, [mail_to], msg.as_string())
s.quit()
self.report({'message': 'message sent'})
except:
self.error('unable to send email')
def __init__(self):
Responder.__init__(self)
self.smtp_host = self.get_param('config.smtp_host',
'medusa.psi.unc.edu.ar')
self.smtp_port = self.get_param('config.smtp_port', '25')
self.mail_from = self.get_param('config.from', None,
'Missing sender email address')
def __init__(self):
Responder.__init__(self)
self.s1_console_url = self.get_param("config.s1_console_url", None,
"S1 console URL is missing!")
self.s1_api_key = self.get_param("config.s1_api_key", None,
"S1 API key is missing!")
self.s1_account_id = self.get_param("config.s1_account_id", None,
"Account ID is missing!")
self.s1_blacklist_ostype = self.get_param("s1_blacklist_ostype",
"windows")
self.s1_blacklist_type = "black_hash"
self.observable = self.get_param("data.data", None, "Data is empty!")
self.observable_type = self.get_param("data.dataType", None,
"Data type is empty!")
self.headers = {
"Authorization": f"ApiToken {self.s1_api_key}",
"User-Agent": "Cortex/SentinelOne-Responder",
"Content-Type": "application/json",
"Accept": "application/json",
}
self.service = self.get_param("config.service", None,
"Service Missing!")
self.sha1_re = re.compile(r"^[A-Za-z0-9]{40}$")
self.s1_blacklist_api_endpoint = "/web/api/v2.1/restrictions"
self.proxies = self.get_param("config.proxy", None)
def run(self):
Responder.run(self)
if self.get_param("data.dataType") == "username":
if self.service in ["lock", "unlock"]:
str_username = self.get_param(
"data.data", None, "No artifacts available"
)
admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
response = admin_api.get_users_by_name(username=str_username)
user_id = response[0]["user_id"]
if self.service == "lock":
r = admin_api.update_user(user_id=user_id, status="disabled")
if r.get("status") == "disabled":
self.report({"message": "User is locked in Duo Security."})
else:
self.error("Failed to lock User Account in Duo.")
elif self.service == "unlock":
r = admin_api.update_user(user_id=user_id, status="active")
if r.get("status") == "active":
self.report(
{
"message": "User is unlocked in Duo Security. The user must complete secondary authentication."
}
)
else:
self.error("Failed to unlock User Account in Duo.")
else:
self.error('Incorrect dataType. "username" expected.')
def __init__(self):
Responder.__init__(self)
# Mail settings
server = self.get_param("config.server", None,
"Missing server in config")
self.username = self.get_param("config.username", None,
"Missing username in config")
self.password = self.get_param("config.password", None,
"Missing password in config")
try:
fingerprint_path = "{}/fingerprints.txt".format(
os.path.dirname(__file__))
fingerprint = json.loads(open(fingerprint_path,
"r").read())[server]
self.client_args = APIClientArgs(server=server,
fingerprint=fingerprint)
except:
self.error(
"Fingerprint check failed. It should be locate here {}".format(
fingerprint_path))
self.service = self.get_param("config.service", None)
self.group_name = self.get_param("config.group_name", None,
"Missing group_name in config")
self.exclusions = self.get_param("config.exclusions", [])
self.added_tag = self.get_param("config.added_tag", None)
self.removed_tag = self.get_param("config.removed_tag", None)
def run(self):
Responder.run(self)
if self.get_param('data.dataType') == 'username':
str_username = self.get_param('data.data', None, 'No artifacts available')
admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
response = admin_api.get_users_by_name(username=str_username)
# print(response)
user_id=response[0]["user_id"]
# print("user_id:",user_id)
r = admin_api.update_user(user_id=user_id,status='disabled')
# print("response:",r)
if r.get('status') == 'disabled':
self.report({'message': 'User is locked in Duo Security.'})
else:
self.error('Failed to lock User Account in Duo.')
else:
self.error('Incorrect dataType. "username" expected.')
def run(self):
Responder.run(self)
for x in self.hosts:
with pysftp.Connection(host=x,
username='******',
password='******',
port=22,
cnopts=cnopts) as srv:
with srv.cd('/tmp'):
srv.put(self.wdir + '/loki_linux.tar.gz')
srv.execute('rm /tmp/Loki/out.log')
srv.execute('tar -xzf /tmp/loki_linux.tar')
srv.execute(
'cd /tmp/Loki && ./loki -l /tmp/Loki/out.log --dontwait -p /'
)
srv.get('/tmp/Loki/out.log')
srv.get('/tmp/Loki/out.log', self.wdir + '/out.log')
with open(self.wdir + '/out.log') as f:
content = f.read()
if 'SYSTEM SEEMS TO BE CLEAN' in content:
self.report({'Host %s' % x: 'good'})
else:
self.report({'Host %s' % x: 'bad'})
os.remove(self.wdir + '/out.log')
def __init__(self):
Responder.__init__(self)
self.operations_list = []
self.endpoint = self.get_param(
"config.endpoint", message="Endpoint is not configured, aborting!")
# Input will be on the form of a list of strings.
[
self.add_tag_to_artifact(tag)
for tag in self.get_param("config.add_tags_to_artifact")
]
[
self.add_tag_to_case(tag)
for tag in self.get_param("config.add_tags_to_case")
]
# Input will be on the form of a list of stringified JSON objects.
[
self.add_operation(op)
for op in self.get_param("config.custom_operations")
]
self.send_added_tags = self.get_param("config.send_added_tags",
default=False)
def run(self):
try:
Responder.run(self)
ioctypes = {"hash": "sha256", "sha256": "sha256", "md5": "md5", "sha1": "sha1",
"ip": "ipv4", "ip6": "ipv6", "ipv6": "ipv6", "domain": "domain", "url": "domain"}
data_type = self.get_param('data.dataType')
if not data_type in ioctypes:
self.error("Unsupported IOC type")
return
ioc = self.get_param('data.data', None, 'No IOC provided')
if data_type == "url":
match = re.match(r"(http:\/\/|https:\/\/)?([\w\d\-\.]{0,256}).*", ioc)
if match is None or match.group(2) is None:
self.error("Could not parse domain from URL")
return
else:
ioc=match.group(2)
description = self.get_param('data.case.title',None,"Can't get case title")
description = str(description).encode('utf-8')[:128]
postdata=json.dumps([{"type": ioctypes[data_type], "value": ioc.strip(), "policy": "detect", "description": description, "share_level": "red", "source": "Cortex - FalconCustomIOC ["+description+"]", "expiration_days": 30}])
response=requests.post(self.falconapi_url,data=postdata,headers={"Content-Type":"application/json"},auth=HTTPBasicAuth(self.apiuser,self.apikey))
json_response = json.loads(response.text)
if json_response["errors"]:
self.error(str(json_response["errors"]))
return
else:
self.report({'message': ioc+" Submitted to Crowdstrike Falcon custom IOC api","api_response":json_response})
except Exception as ex:
self.error(traceback.format_exc())
def __init__(self):
Responder.__init__(self)
self.api_key = self.get_param("config.api_key", "")
self.webhook_url = self.get_param("config.webhook_url", "")
self.webhook_id = self.get_param("config.webhook_id", "")
self.verify = self.get_param('config.verifyssl', True, None)
self.data = self.get_param('data')
def run(self):
Responder.run(self)
title = self.get_param('data.title', None, 'title is missing')
description = self.get_param('data.description', None,
'description is missing')
mail_to = None
if self.data_type == 'thehive:case':
# Search recipient address in tags
tags = self.get_param('data.tags', None,
'recipient address not found in tags')
mail_tags = [t[5:] for t in tags if t.startswith('mail:')]
if mail_tags:
mail_to = mail_tags.pop()
else:
self.error('recipient address not found in tags')
elif self.data_type == 'thehive:case_task':
# Search recipient address in tags
descr_array = description.splitlines()
if 'mailto:' in descr_array[0]:
mail_to = descr_array[0].replace("mailto\:", "")
else:
self.error('recipient address not found in description')
#Set rest of description as body
del descr_array[0]
description = '\n'.join(descr_array)
elif self.data_type == 'thehive:alert':
# Search recipient address in artifacts
artifacts = self.get_param(
'data.artifacts', None,
'recipient address not found in observables')
mail_artifacts = [
a['data'] for a in artifacts
if a.get('dataType') == 'mail' and 'data' in a
]
if mail_artifacts:
mail_to = mail_artifacts.pop()
else:
self.error('recipient address not found in observables')
else:
self.error('Invalid dataType')
msg = MIMEMultipart()
msg['Subject'] = title
msg['From'] = self.mail_from
msg['To'] = mail_to
msg.attach(MIMEText(description, 'plain'))
#Add reply-to header
msg.add_header('reply-to', self.mail_reply_to)
s = smtplib.SMTP(self.smtp_host, self.smtp_port)
if self.smtp_auth:
s.ehlo()
s.starttls()
s.login(self.username, self.password)
s.sendmail(self.mail_from, mail_to.split(','), msg.as_string())
s.quit()
self.report({'message': 'message sent'})
def __init__(self):
Responder.__init__(self)
self.smtp_host = self.get_param('config.smtp_host', 'localhost')
self.smtp_port = self.get_param('config.smtp_port', '25')
self.smtp_mail_from = self.get_param('config.smtp_mail_from', None,
'Missing from email')
self.smtp_mail_pw = self.get_param('config.smtp_mail_pw', None,
'Missing email password')
def __init__(self):
Responder.__init__(self)
self.misp_url = self.get_param(
'config.misp_url', 'localhost')
self.misp_api_key = self.get_param(
'config.misp_api_key', 'localhost')
self.thehive_api_key = self.get_param(
'config.TheHive_Api_Key', None, 'Missing TheHive API KEY')
def __init__(self):
Responder.__init__(self)
self.falconapi_url = self.get_param(
'config.falconapi_url', None, "Falcon API URL (e.g.:https://falconapi.crowdstrike.com/indicators/entities/iocs/v1)")
self.apiuser = self.get_param(
'config.falconapi_user', None, "Falcon query api key missing")
self.apikey = self.get_param(
'config.falconapi_key', None, "Falcon query api key missing")
def __init__(self):
Responder.__init__(self)
self.smtp_host = self.get_param("config.smtp_host", "localhost")
self.smtp_port = self.get_param("config.smtp_port", "25")
self.mail_from = self.get_param("config.from", None,
"Missing sender email address")
self.smtp_user = self.get_param("config.smtp_user", "user", None)
self.smtp_pwd = self.get_param("config.smtp_pwd", "pwd", None)
def __init__(self):
Responder.__init__(self)
self.thehive_instance = self.get_param('config.thehive_instance',
'localhost:9000')
self.thehive_api = self.get_param('config.thehive_api',
'YOUR_KEY_HERE')
self.api = TheHiveApi(self.thehive_instance, self.thehive_api)
self.tmpPath = self.get_param('config.tmp_file_location')
def __init__(self):
Responder.__init__(self)
self.virustotal_apikey = self.get_param('config.virustotal_apikey',
None,
"Virustotal API key missing!")
self.thehive_url = self.get_param('config.thehive_url', None,
"TheHive URL missing!")
self.thehive_apikey = self.get_param('config.thehive_apikey', None,
"TheHive API key missing!")
def __init__(self):
Responder.__init__(self)
self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
self.name_external_Address_Group = self.get_param('config.Address_group_for_unblock_external_IP_address',"TheHive Block list external IP address")
self.TheHive_instance = self.get_param('config.TheHive_instance')
self.TheHive_API_key = self.get_param('config.TheHive_API_key', 'YOUR_KEY_HERE')
self.api = TheHiveApi(self.TheHive_instance, self.TheHive_API_key)
def __init__(self):
Responder.__init__(self)
self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
self.name_security_rule = self.get_param('config.Security_rule_for_block_port_external_communication','TheHive Block port for external communication')
self.TheHive_instance = self.get_param('config.TheHive_instance')
self.TheHive_API_key = self.get_param('config.TheHive_API_key', 'YOUR_KEY_HERE')
self.api = TheHiveApi(self.TheHive_instance, self.TheHive_API_key)
def __init__(self):
Responder.__init__(self)
self.xg_soar_connector_url = self.get_param(
'config.xg_soar_connector_url', None, 'No Connector URL Set')
self.xg_soar_connector_token = self.get_param(
'config.xg_soar_connector_token', None, 'No Token set')
self.observable = self.get_param('data.data', None, 'Data is empty')
self.observable_type = self.get_param('data.dataType', None,
'Data type is empty')
def __init__(self):
Responder.__init__(self)
self.data = self.get_param('data', None, 'Data is missing')
self.url = self.get_param('config.url', None, 'url is missing')
self.api = self.get_param('config.api', None, 'api key is missing')
# Action for Zerofox Alert : see "POST /alerts/{alert_id}/{action}/" on https://api.zerofox.com/1.0/docs/
self.zfEntity = "alerts"
self.zfAction = "request_takedown"
def __init__(self):
Responder.__init__(self)
self.smtp_host = self.get_param('config.smtp_host', 'localhost')
self.smtp_port = self.get_param('config.smtp_port', '25')
self.mail_from = self.get_param('config.from', None, 'Missing sender email address')
self.use_tls = self.get_param('config.use_tls', False)
self.mail_password = self.get_param('config.password', None)
self.mail_to = self.get_param('config.to', None, 'Missing receiver email address')
self.subject_prefix = self.get_param('config.subject_prefix', None)
def __init__(self):
Responder.__init__(self)
self.integration_url = self.get_param('config.integration_url', None, "Integration URL Missing")
def __init__(self):
Responder.__init__(self)
self.smtp_host = self.get_param(
'config.smtp_host', 'localhost')
self.mail_from = self.get_param(
'config.from', None, 'Missing sender email address')
