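def rapid7IDRAlerts2Alerts(alert_data, org_name):
    """Turn one Rapid7 Insight IDR alert payload into a TheHive alert.

    Args:
        alert_data: dict decoded from the Insight IDR payload. Keys read
            here (all optional): ``timestamp``, ``actors`` (with ``users``
            and ``assets`` lists), ``title``/``name`` and
            ``investigationId``; ``descriptionCrafter`` and
            ``artifactsCrafter`` read whatever else they need. Every value
            is taken verbatim from the payload.
        org_name: client name stored in the ``client`` custom field and
            passed on to ``descriptionCrafter``.

    Returns:
        ``{'success': bool}`` -- True when the alert was created, or updated
        after creation raised ``ValueError``; False when the update failed
        as well.

    Raises:
        Anything ``createAlert`` raises other than ``ValueError`` is not
        caught here and propagates to the caller.
    """
    logger = logging.getLogger('workflows.' + __name__)
    logger.info('%s.rapid7IDRAlerts2Alert starts', __name__)

    result = {'success': False}

    conf = getConf()
    theHiveConnector = TheHiveConnector(conf)

    logger.info("Building custom fields ...")
    customFields = CustomFieldHelper()\
        .add_string('client', org_name)\
        .build()

    # Fall back to "now" when the payload has no usable timestamp: a missing
    # key, or an empty/None value that dateutil would refuse to parse.
    now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
    alert_date = dateutil_parser.parse(alert_data.get('timestamp') or now)

    # Tags are the actor names as reported by Insight IDR, blanks dropped.
    tags = _rapid7ActorTags(alert_data)

    logger.info("Building description ...")
    description = descriptionCrafter(alert_data, org_name)

    # Prefer the IDR title, then its name, then a generic label; an empty
    # or None value in either key also falls through.
    title = (alert_data.get('title')
             or alert_data.get('name')
             or "New alert from Rapid7 Insight IDR")

    # Only generate a random sourceRef when the payload carries no
    # investigation id. A random ref can never match an existing alert, so
    # the update fallback below cannot de-duplicate such alerts.
    source_ref = alert_data.get('investigationId') or str(uuid.uuid4())

    logger.info("Building alert ...")
    alert = theHiveConnector.craftAlert(
        title=title,
        description=description,
        # TODO: derive severity from the Insight IDR payload; fixed at 2 for now.
        severity=2,
        date=int(alert_date.timestamp()) * 1000,  # seconds -> milliseconds
        tags=tags,
        tlp=2,
        status="New",
        type="SIEM",
        source="Rapid7 Insight IDR",
        sourceRef=source_ref,
        artifacts=artifactsCrafter(alert_data),
        caseTemplate="Insight IDR Case",
        customFields=customFields)

    logger.info("Sending alert to TheHive ...")
    try:
        ret = theHiveConnector.createAlert(alert)
        logger.info("Alert %s created in TheHive", ret['id'])
        result['success'] = True
    except ValueError:
        # A ValueError from createAlert is treated as "alert already exists"
        # and answered with an update of the alert that owns this sourceRef
        # (confirm this is the contract of TheHiveConnector.createAlert).
        logger.warning("Alert creation failed, trying to update ...")
        try:
            ret = theHiveConnector.updateAlert(alert.sourceRef, alert)
            logger.info("Alert %s updated in TheHive", ret['id'])
            result['success'] = True
        except Exception as error:
            # Best effort: report the failure through the result dict and
            # keep the traceback in the log instead of raising.
            logger.exception("Alert update failed ! %s", error)
            result['success'] = False

    return result


def _rapid7ActorTags(alert_data):
    """Return the actor names of an Insight IDR alert as a flat tag list.

    Reads ``alert_data['actors']['users'][*]['name']`` and
    ``alert_data['actors']['assets'][*]['shortname']``. Missing, None or
    empty names are skipped so no blank tag is sent to TheHive; a missing
    or None ``actors`` block yields an empty list.
    """
    actors = alert_data.get('actors') or {}
    names = [user.get('name') for user in actors.get('users') or []]
    names += [asset.get('shortname') for asset in actors.get('assets') or []]
    return [name for name in names if name]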
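def allNotifs2Alert():
    """Pull every pending Carbon Black notification and push it to TheHive.

    Organisations are read from ``conf/carbonblack.json`` (its ``orgs``
    list, resolved relative to ``current_dir``). For each org the
    notifications returned by ``CBConnector.getAllNotifications`` are turned
    into TheHive alerts; an alert whose creation raises ``ValueError`` is
    updated instead, keyed on its ``sourceRef``.

    A notification that lacks the fields read by ``_cbNotification2Alert``
    is logged and skipped so the rest of the batch is still delivered; the
    run is then reported as unsuccessful.

    Returns:
        dict with ``success`` (True only when every notification was
        processed and no error escaped) and ``message`` (empty on success,
        otherwise a short error description).
    """
    logger = logging.getLogger('workflows.' + __name__)
    logger.info('%s.allNotifs2Alert starts', __name__)

    result = {'success': False, 'message': ""}

    try:
        carbonBlack = CBConnector()
        theHiveConnector = TheHiveConnector(getConf())

        conf_path = os.path.join(current_dir, "..", "conf", "carbonblack.json")
        with open(conf_path, encoding="utf-8") as fd:
            organizations = json.load(fd)['orgs']

        skipped = 0
        for org in organizations:
            notifications = carbonBlack.getAllNotifications(
                org['notifications_profile'], org['alerts_profile'])
            for notification in notifications:
                try:
                    alert = _cbNotification2Alert(notification, org,
                                                  theHiveConnector)
                except (KeyError, IndexError, TypeError, ValueError):
                    # One malformed notification must not abort the whole
                    # batch: record it, keep the traceback, move on.
                    skipped += 1
                    logger.exception(
                        "Skipping malformed notification for org %s",
                        org.get('name'))
                    continue
                _cbSendAlert(theHiveConnector, alert, logger)

        if skipped:
            result['message'] = (
                "{} notification(s) could not be processed".format(skipped))
        else:
            result['success'] = True
    except Exception as error:
        # Top-level boundary of the workflow: surface the error to the
        # caller through the result dict and keep the traceback in the log.
        logger.exception("allNotifs2Alert failed: %s", error)
        result['success'] = False
        result['message'] = str(error)

    return result


def _cbNotification2Alert(notification, org, theHiveConnector):
    """Build (but do not send) the TheHive alert for one CB notification.

    Args:
        notification: one item from ``getAllNotifications``; reads
            ``deviceInfo.deviceName``/``deviceId``, ``threatInfo.summary``/
            ``score``/``incidentId`` and ``eventTime``.
        org: the organisation entry from ``carbonblack.json``; reads
            ``name``, ``short-name``, ``orgId`` and ``jira-project``.
        theHiveConnector: used to craft the alert and handed to
            ``artifactCrafter``.

    Raises:
        KeyError/IndexError/TypeError/ValueError when a required field is
        missing or not convertible (``int(score)``, ``SEVERITIES`` lookup,
        ``int(eventTime)``).
    """
    orgName = org['name']
    orgShortName = org['short-name']
    orgId = org['orgId']
    client = org['jira-project']

    deviceInfo = notification['deviceInfo']
    threatInfo = notification['threatInfo']

    deviceName = str(deviceInfo['deviceName'])
    sensor_id = str(deviceInfo['deviceId'])
    summary = str(threatInfo['summary'])
    severity = int(SEVERITIES[int(threatInfo['score'])])
    date_created = int(notification['eventTime'])
    offense_id = str(threatInfo['incidentId'])
    # sourceRef is what the update fallback keys on; prefixing the Carbon
    # Black incident id with the org short name keeps it unique per client.
    source_ref = "{}-{}".format(orgShortName, offense_id)

    # NOTE(review): ``tags`` is passed to artifactCrafter empty and used
    # afterwards, so artifactCrafter presumably fills it. An earlier comment
    # said tag values must not contain backslashes because they break
    # TheHive's sorting -- confirm that artifactCrafter strips them.
    tags = []

    customFields = CustomFieldHelper()\
        .add_string('client', client)\
        .add_string('sensorID', sensor_id)\
        .add_string('hostname', deviceName)\
        .build()

    artifacts = artifactCrafter(notification, theHiveConnector, tags)
    artifacts.append(
        AlertArtifact(dataType='carbon_black_alert_id',
                      data=offense_id,
                      message="ID of alert in Carbon Black",
                      tags=[offense_id],
                      ignoreSimilarity=True))

    return theHiveConnector.craftAlert(
        title=summary,
        description=descriptionCrafter(notification, orgName, orgId),
        severity=severity,
        date=date_created,
        tags=tags,
        tlp=2,
        status="New",
        type='EDR',
        source='Carbon Black',
        sourceRef=source_ref,
        artifacts=artifacts,
        caseTemplate='Carbon Black Case',
        customFields=customFields)


def _cbSendAlert(theHiveConnector, alert, logger):
    """Create ``alert`` in TheHive, falling back to an update on ValueError.

    A ValueError from ``createAlert`` is answered with ``updateAlert`` on
    the alert's ``sourceRef``. A ValueError from the update is logged and
    swallowed so the caller keeps processing the batch; any other exception
    propagates.
    """
    try:
        ret = theHiveConnector.createAlert(alert)
        logger.info('Alert %s created in TheHive', ret['id'])
    except ValueError:
        logger.warning('Failed to create alert trying to update')
        try:
            ret = theHiveConnector.updateAlert(alert.sourceRef, alert)
            logger.info('Alert %s updated in TheHive', ret['id'])
        except ValueError as error:
            # This branch is the *update* failing; the old message blamed
            # creation, which sent people looking at the wrong call.
            logger.error("Failed to update alert %s ! %s",
                         alert.sourceRef, error)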