def create_hive45_dict(id, rule_name, alert_date, alert_age, *args):
logging.info("Updating 45M SLA dictionary")
hive_45_dict.update({
id: rule_name,
})
slack_bot_notice_alert(channel, id, rule_name, alert_date, alert_age)
make_call(id)
def create_hive60_dict(id, rule_name, alert_date, alert_age, *args):
hive_60_dict.update({
id: rule_name,
})
slack_bot_notice_alert(channel, id, rule_name, alert_date, alert_age)
logging.info(' Alert ID: ' + id + ' Rule Name: ' + rule_name +
' Alert Date: ' + alert_date + ' Alert Age: ' + alert_age)
def create_hive30_dict(id, rule_name, alert_date, alert_age, *args):
logging.info("Updating 30M SLA dictionary")
hive_30_dict.update({
id: rule_name,
})
slack_bot_notice_alert(channel, id, rule_name, alert_date, alert_age)
send_sms(*args)
def add_to_called_list(alert_id):
"""
This method adds the alert_id to the called_list
"""
logging.info("Adding %s to called list" % alert_id)
called_list.append(alert_id)
return alert_id
def clean_ignore_list(alert_id):
"""
This method clears the ignore_list after 30 minutes.
"""
t.sleep(3600)
logging.info("Removing %s from ignore list" % alert_id)
ignore_list.remove(alert_id)
def ignore(alert_id):
"""
This method adds the alert_id to the ignore list and updates the original Slack message
"""
add_to_temp_ignore(alert_id)
ignore_id = add_to_temp_ignore(alert_id)
logging.info("Ignoring ID: %s" % ignore_id)
Slack().slack_chat_ignore(alert_id)
return ('', 204)
def post_notice(self, alert_id, rule_name, alert_date, alert_age):
escalation_check(alert_id)
if alert_id in seen_list:
logging.warning("SLACK_API: Previously seen / ignored: %s" % alert_id)
else:
logging.info("Executing SLACK_API Call")
res = self.slack_client.chat_postMessage(channel=self.channel, text="TheHive SLA Monitor: SLA Breach", blocks=slack_bot_alert_notice_template(alert_id, rule_name, alert_date, alert_age))
alert_dict[id] = {'channel': res['channel'], 'ts': res['message']['ts'], 'rule_name': rule_name, 'alert_date': alert_date, 'alert_age': alert_age}
seen_list.append(alert_id)
def add_to_temp_ignore(alert_id):
"""
This method adds the alert_id to the ignore_list as a thread to avoid being re-alerted on.
"""
logging.info("Adding %s to ignore list" % alert_id)
ignore_list.append(alert_id)
ignore_thread = threading.Thread(target=clean_ignore_list,
args=(alert_id, ))
ignore_thread.start()
return alert_id
def promote_to_case(case_id):
logging.info("Promoting Alert " + case_id)
response = api.promote_alert_to_case(case_id)
if response.status_code == 201:
data = json.dumps(response.json())
jdata = json.loads(data)
case_id = (jdata['id'])
return case_id
else:
logging.error('ko: {}/{}'.format(response.status_code, response.text))
def make_call(id):
if id in called_list:
logging.info("User has been called regarding ID: " + id)
else:
call = twilio_client.calls.create(url=twimlet,
to='$insert_phone_number',
from_=twilio_number)
logging.info("Call Sent: " + str(call.sid))
try:
add_to_called_list(id)
except Exception as error:
logging.error("Error when adding to list after making call: " +
str(error))
def complete(alert_id):
"""
This method executes a promotion via the Hive for the selected alert_id
The original Slack message is also updated
The user is redirected to the approriate case via the Hive
"""
case_id = promote_to_case(alert_id)
# if case_id != None: # Handle if TheHive alert doesn't exist
logging.info("ID: %s. Case ID: %s" % (alert_id, case_id))
Slack().slack_chat_update(alert_id)
hive_link = "http://%s:%d/index.html#!/case/%s/details" % (
HIVE_SERVER_IP, HIVE_SERVER_PORT, case_id)
return redirect(hive_link, code=302)
def promote_to_case(case_id):
"""
This method promotes a provided alert to an case via the Hive
"""
logging.info("Promoting Alert %s" % case_id)
response = HIVE_API.promote_alert_to_case(case_id)
if response.status_code == 201:
data = json.dumps(response.json())
jdata = json.loads(data)
case_id = (jdata['id'])
return case_id
else:
logging.error('TheHive: {}/{}'.format(response.status_code,
response.text))
def ignore(id):
add_to_temp_ignore(id)
ignore_id = add_to_temp_ignore(id)
logging.info("Ignoring ID: " + ignore_id)
res = slack_client.chat.update(channel=alert_dict[id]['channel'],
ts=alert_dict[id]["ts"],
text="TheHive SLA Monitor: Case Ignored",
blocks=slack_bot_alert_notice_ignore(
id, alert_dict[id]['rule_name'],
alert_dict[id]['alert_date'],
alert_dict[id]['alert_age']))
res = slack_client.chat.getPermalink(channel=alert_dict[id]["channel"],
message_ts=alert_dict[id]["ts"])
return ('', 204)
def complete(id):
case_id = promote_to_case(id)
logging.info("ID: " + id + " Case ID: " + case_id)
res = slack_client.chat.update(channel=alert_dict[id]['channel'],
ts=alert_dict[id]["ts"],
text="TheHive SLA Monitor: Case Promoted",
blocks=slack_bot_alert_notice_update(
id, alert_dict[id]['rule_name'],
alert_dict[id]['alert_date'],
alert_dict[id]['alert_age']))
res = slack_client.chat.getPermalink(channel=alert_dict[id]["channel"],
message_ts=alert_dict[id]["ts"])
hive_link = "https://%s/hive/index.html#/case/{}/details" % (
configuration.SYSTEM_SETTINGS['HIVE_URL'], format(case_id))
return redirect(hive_link, code=302)
def send_sms(*args):
for alert_id, alert_name in hive_30_dict.items():
if alert_id in hive_30_list:
logging.warning("Already sent SMS regarding ID: " + alert_id)
else:
if not is_empty(args):
for alert_data in args:
alert_dump = json.dumps(alert_data, indent=2)
# logging.info(alert_dump) # If you want to see all items in Hive response
alert_json = json.loads(alert_dump)
severity = (alert_json['severity']) # I want severity
all_artifacts = (alert_json['artifacts']
) # I want all artifacts
data_artifacts = (
alert_json['artifacts'][0]['data']
) # I want only the data item which lies under the artifacts element
msg_body = severity # Send only the severity
# msg_body = severity + " " + data_artifacts # Send severity and data_artifacts
else:
msg_body = 'Please attend immediately!'
twilio_msg_body = 'TheHive SLA Alert - %s \n %s' % (alert_id,
msg_body)
message = twilio_client.messages.create(
body=twilio_msg_body,
from_=configuration.TWILIO_SETTINGS['TWILIO_SENDER'],
to=configuration.TWILIO_SETTINGS['TWILIO_RTCP'])
t.sleep(2)
logging.info('SMS Sent: ' + str(message.sid))
try:
add_to_30m(alert_id)
except Exception as re:
logging.error("Error when adding to list after sending SMS: " +
str(re))
def clean_ignore_list(id):
t.sleep(3600)
logging.info("Removing " + id + " from ignore list")
ignore_list.remove(id)
def add_to_high_sev(self, id):
if id in high_sev_list:
logging.info('Already added - HIGH severity SLA list: %s' % id)
else:
high_sev_list.append(id)
def add_to_45m(id):
if id in hive_45_list:
logging.info('Already added - 45 minute SLA list: ' + id)
else:
logging.info('Appending - 45 minute SLA list: ' + id)
hive_45_list.append(id)
def add_to_60m(id):
if id in hive_60_list:
logging.info('Already added - 60 minute SLA list: ' + id)
else:
logging.info('Appending - 60 minute SLA list: ' + id)
hive_60_list.append(id)
def add_to_temp_ignore(id):
logging.info("Adding " + id + " to ignore list")
ignore_list.append(id)
ignore_thread = threading.Thread(target=clean_ignore_list)
ignore_thread.start()
return id
def add_to_low_sev(self, id):
if id in low_sev_list:
logging.info('Already added - LOW severity SLA list: %s' % id)
else:
low_sev_list.append(id)
def add_to_med_sev(self, id):
if id in med_sev_list:
logging.info('Already added - MEDIUM severity SLA list: %s' % id)
else:
med_sev_list.append(id)
def add_to_called_list(id):
logging.info("Adding " + id + " to called list")
called_list.append(id)
return id
def search(title, query):
current_date = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
current_date = datetime.strptime(current_date, '%Y-%m-%d %H:%M:%S')
response = api.find_alerts(query=query)
if response.status_code == 200:
data = json.dumps(response.json())
jdata = json.loads(data)
for d in jdata:
if d['severity'] == 3:
ts = int(d['createdAt'])
ts /= 1000
alert_date = datetime.fromtimestamp(ts).strftime(
'%Y-%m-%d %H:%M:%S')
logging.info("Found: " + d['id'] + " " + d['title'] + " " +
str(alert_date))
alert_date = datetime.strptime(alert_date, '%Y-%m-%d %H:%M:%S')
diff = (current_date - alert_date)
if sla_30 < diff.total_seconds(
) and sla_45 > diff.total_seconds():
logging.info("30/M SLA: " + str(diff) + " " + d['id'])
create_hive30_dict(d['id'], d['title'], str(alert_date),
str(diff), d)
add_to_30m(d['id'])
elif sla_45 < diff.total_seconds(
) and sla_60 > diff.total_seconds():
logging.info("45/M SLA: " + str(diff) + " " + d['id'])
create_hive45_dict(d['id'], d['title'], str(alert_date),
str(diff), d)
add_to_45m(d['id'])
elif sla_60 < diff.total_seconds():
logging.info("60/M SLA: " + str(diff) + " " + d['id'])
create_hive60_dict(d['id'], d['title'], str(alert_date),
str(diff), d)
add_to_60m(d['id'])
logging.info('')
else:
logging.info('ko: {}/{}'.format(response.status_code, response.text))
