def main():
api = TheHiveApi(HiveWEB, HiveAPI)
S1Management = Management(hostname=S1WEB, api_token=S1API)
tod = datetime.datetime.now()
d = datetime.timedelta(days=DAYS)
filter = ThreatQueryFilter()
filter.apply("createdAt", tod - d, op="gt")
filter.apply("resolved", False, op="eq")
threats = S1Management.threats.get(query_filter=filter)
i = 0
while True:
threat = threats.json["data"][i]
string = searchCaseByDescription(api, threat["id"])
if string is None:
threat_values = createKeys(threat)
description = createCaseDescription(threat_values)
case = Case(
title=threat["description"],
tlp=0,
pap=0,
severity=1,
flag=False,
tags=[
"Sentinel One",
threat["classification"],
threat["agentOsType"],
],
description=description,
tasks=[],
status="Open",
createdAt=threat["createdDate"],
)
response = api.create_case(case)
if response.status_code == 201:
logging.info(json.dumps(response.json(), indent=4, sort_keys=True))
id = response.json()["id"]
postUpdate(api, id, threat)
else:
logging.error("ko: {}/{}".format(response.status_code, response.text))
i += 1
if i == len(threats.json["data"]):
cursor = threats.pagination["nextCursor"]
if not cursor:
break
threats = S1Management.threats.get(cursor=cursor)
i = 0
async def create_alert_artifact(self,
apikey,
url,
alert_id,
dataType,
data,
message=None,
tlp="2",
ioc="False",
sighted="False",
ignoreSimilarity="False",
tags=None):
self.thehive = TheHiveApi(url, apikey, cert=False, version=4)
if tlp:
tlp = int(tlp)
else:
tlp = 2
ioc = ioc.lower().strip() == "true"
sighted = sighted.lower().strip() == "true"
ignoreSimilarity = ignoreSimilarity.lower().strip() == "true"
if tags:
tags = [x.strip() for x in tags.split(",")]
else:
tags = []
alert_artifact = thehive4py.models.AlertArtifact(
dataType=dataType,
data=data,
message=message,
tlp=tlp,
ioc=ioc,
sighted=sighted,
ignoreSimilarity=ignoreSimilarity,
tags=tags)
try:
ret = self.thehive.create_alert_artifact(alert_id, alert_artifact)
except requests.exceptions.ConnectionError as e:
return "ConnectionError: %s" % e
if ret.status_code > 299:
raise ConnectionError(ret.text)
return ret.text
def prepare_alert(subject, indicatorlevel, emailbody, alerttype, tag):
hive_address = ''.join(settings.stored_hive_address[0])
hive_api = ''.join(settings.stored_api_key[0])
#Define the connection to thehive installation (including the generated API key).
api = TheHiveApi(hive_address, hive_api, None, {'http': '', 'https': ''})
# Prepare the sample Alert
print("Preparing the alert for", alerttype)
sourceRef = str(uuid.uuid4())[0:6]
alert = Alert(title=subject,
tlp=indicatorlevel,
tags=[tag],
description=emailbody,
type=alerttype,
source='instance1',
sourceRef=sourceRef,
artifacts="")
# Create the Alert
print('Create Alert')
print('-----------------------------')
id = None
response = api.create_alert(alert)
if response.status_code == 201:
print("Alert created sucessfully!")
# print(json.dumps(response.json(), indent=4, sort_keys=True))
# print('')
id = response.json()['id']
else:
print("Unable to create alert")
# print('ko: {}/{}'.format(response.status_code, response.text))
sys.exit(0)
# Get all the details of the created alert
print('Get created alert {}'.format(id))
print('-----------------------------')
response = api.get_alert(id)
if response.status_code == requests.codes.ok:
# print(json.dumps(response.json(), indent=4, sort_keys=True))
print('')
else:
print("Error retreiving the alert!")
print('ko: {}/{}'.format(response.status_code, response.text))
def alert(self, matches):
connection_details = self.rule['hive_connection']
api = TheHiveApi(
'{hive_host}:{hive_port}'.format(**connection_details),
'{hive_username}'.format(**connection_details),
'{hive_password}'.format(**connection_details),
connection_details.get('hive_proxies', {'http': '', 'https': ''}))
for match in matches:
context = {'rule': self.rule, 'match': match}
artifacts = []
for mapping in self.rule.get('hive_observable_data_mapping', []):
for observable_type, match_data_key in mapping.iteritems():
try:
artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
except KeyError:
raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context))
alert_config = {
'artifacts': artifacts,
'sourceRef': str(uuid.uuid4())[0:6],
'title': '{rule[index]}_{rule[name]}'.format(**context)
}
alert_config.update(self.rule.get('hive_alert_config', {}))
for alert_config_field, alert_config_value in alert_config.iteritems():
if isinstance(alert_config_value, basestring):
alert_config[alert_config_field] = alert_config_value.format(**context)
elif isinstance(alert_config_value, (list, tuple)):
formatted_list = []
for element in alert_config_value:
try:
formatted_list.append(element.format(**context))
except:
formatted_list.append(element)
alert_config[alert_config_field] = formatted_list
alert = Alert(**alert_config)
response = api.create_alert(alert)
if response.status_code != 201:
raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
def send_to_thehive(self, alert_config):
connection_details = self.rule['hive_connection']
api = TheHiveApi(connection_details.get('hive_host', ''),
connection_details.get('hive_apikey', ''),
proxies=connection_details.get(
'hive_proxies', {
'http': '',
'https': ''
}),
cert=connection_details.get('hive_verify', False))
alert = Alert(**alert_config)
response = api.create_alert(alert)
if response.status_code != 201:
raise Exception(
'alert not successfully created in TheHive\n{}'.format(
response.text))
async def create_case(self, url, api_key, title, description="", tlp=2, severity=1, tags=None):
tags = tags if tags else []
if not url.startswith("http"):
url = f"http://{url}"
api = TheHiveApi(url, api_key)
self.logger.info('Creating a case in TheHive...')
case_helper = CaseHelper(api)
tags.append(f"walkoff_execution_id: {self.current_execution_id}")
case_kwargs = {
"tlp": tlp,
"severity": severity,
"tags": tags if tags is not None else []
}
return case_helper.create(title, description, **case_kwargs).id
async def unlock_hive_user(self, url, api_key, users):
if not url.startswith("http"):
url = f"http://{url}"
api = TheHiveApi(url, api_key)
result = {}
for user in users:
self.logger.info(f'Unlocking user {user} in TheHive...')
r = api.do_patch(f'/api/user/{user}', **{'status': "Ok"})
if r.status_code == 200:
result[user] = r.json()
else:
self.logger.info(f'Error Unlocking user {user} in TheHive: {r.text()}')
return result
def create_th_alerts(config, alerts):
"""
:param config: TheHive config
:type config: dict
:param alerts: List of alerts
:type alerts: list
:return: create TH alert
"""
thapi = TheHiveApi(config.get('url', None),
config.get('key'),
config.get('password', None),
config.get('proxies'))
for a in alerts:
response = thapi.create_alert(a)
logging.debug('API TheHive - status code: {}'.format(
response.status_code))
if response.status_code > 299:
logging.debug('API TheHive - raw error output: {}'.format(
response.raw.read()))
def test_api(server, apikey):
"""Test API connectivity to TheHive
:param server: Server IP address or URL
:param apikey: API Key to connect to TheHive server
:return: Connectivity status
:rtype: boolean
"""
# Basic API call; this happens quite frequently throughout the script, and was easier to model here.
api_test = TheHiveApi(server, apikey)
try:
api_test.find_first()
# TODO: Let's see if we can make this more TheHive exception specific
except KeyError:
print("WARNING: API Key failed\n")
return False
except TheHiveException:
print("WARNING: Cannot reach hostname provided\n")
return False
return True
def run(self, task_id):
api = TheHiveApi(self.config['thehive_url'],
self.config['thehive_api_key'])
response = api.find_tasks(query=Eq('_id', task_id))
if response.status_code == 200:
tasks = response.json()
if len(tasks) == 1:
task = CaseTask(json=tasks[0])
task.id = task_id
task.status = 'InProgress'
task.owner = self.config['thehive_bot_username']
api.update_case_task(task)
else:
raise ValueError('[TakeTaskAction]: no tasks with this id')
else:
raise ValueError('[TakeTaskAction]: status_code %d' %
response.status_code)
return True
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.thehive_url = get_config_variable(
"THEHIVE_URL", ["thehive", "url"], config
)
self.thehive_api_key = get_config_variable(
"THEHIVE_API_KEY", ["thehive", "api_key"], config
)
self.thehive_check_ssl = get_config_variable(
"THEHIVE_CHECK_SSL", ["thehive", "check_ssl"], config, False, True
)
self.thehive_organization_name = get_config_variable(
"THEHIVE_ORGANIZATION_NAME", ["thehive", "organization_name"], config
)
self.thehive_import_from_date = get_config_variable(
"THEHIVE_IMPORT_FROM_DATE",
["thehive", "import_from_date"],
config,
False,
datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
self.identity = self.helper.api.identity.create(
type="Organization",
name=self.thehive_organization_name,
description=self.thehive_organization_name,
)
self.thehive_api = TheHiveApi(
self.thehive_url, self.thehive_api_key, cert=self.thehive_check_ssl
)
async def update_case_observable(self,
url,
api_key,
case_id,
obs_id,
description=None,
tlp=0,
is_ioc=False,
is_sighted=False,
tags=None,
tags_mode=None):
self.logger.info(
f'Updating observable {obs_id} in case {case_id} in TheHive...')
if not url.startswith("http"):
url = f"http://{url}"
api = TheHiveApi(url, api_key)
obs_list = api.get_case_observables(case_id).json()
obs_json = [obs for obs in obs_list if obs["id"] == obs_id][0]
obs = CaseObservable(**obs_json)
obs.id = obs_id
if description:
obs.description = description
if tlp:
obs.tlp = tlp
if is_ioc is not None:
obs.ioc = is_ioc
if is_sighted is not None:
obs.sighted = is_sighted
if tags is not None:
if tags_mode == "append":
tags = obs.tags + tags
obs.tags = tags
r = api.update_case_observables(obs)
if r.status_code == 200:
return r.json()
else:
raise IOError(r.text)
def connect(self, params):
url = '{}://{}:{}'.format(params.get('protocol'), params.get('host').rstrip('/'), params.get('port'))
self.password = params.get('credentials').get('password')
self.username = params.get('credentials').get('username')
self.verify = params.get('verify', True)
self.logger.info('URL: %s', url)
if not params.get('proxy'):
self.proxy = {}
else:
self.proxy = params.get('proxy')
self.logger.info('Proxy specified: %s', self.proxy)
self.logger.info("Connect: Connecting...")
self.logger.info("SSL Verify: %s" % str(self.verify))
self.client = TheHiveApi(url=url,
principal=self.username,
password=self.password,
proxies=self.proxy,
cert=self.verify)
async def search_query(self, apikey, url, search_for, custom_query):
self.thehive = TheHiveApi(url, apikey, cert=False)
try:
query = json.loads(custom_query)
except:
raise IOError("Invalid JSON payload received.")
if search_for == "alert":
response = self.thehive.find_alerts(query=query,
range="all",
sort=[])
else:
response = self.thehive.find_cases(query=query,
range="all",
sort=[])
if response.status_code == 200:
return response.text
else:
raise IOError(response.text)
async def close_case(self, case_id, url, api_key, resolution_status, impact_status, summary, tags=None,
tags_mode="append"):
self.logger.info(f'Closing case {case_id} in TheHive...')
if not url.startswith("http"):
url = f"http://{url}"
api = TheHiveApi(url, api_key)
case_helper = CaseHelper(api)
case_kwargs = {"status": "Resolved",
"resolutionStatus": resolution_status,
"impactStatus": impact_status,
"summary": summary}
if tags is not None:
if tags_mode == "append":
tags = case_helper(case_id).tags + tags
case_kwargs["tags"] = tags
return case_helper.update(case_id, **case_kwargs).id
def main():
"""Returns global dictionary data object
Calls The Hives API then checks if a result was returned.
If a result was returned, check the results and time since the result was created.
"""
data = {}
api = TheHiveApi(server_address, api_credentials)
r = api.find_cases(query=Eq('status', 'Open'), range='all', sort=[])
if r.status_code == 200:
i = 0
data = {}
while i < len(r.json()):
check_date = datetime.date.today() - datetime.timedelta(days=7)
if (r.json()[i]['createdAt'] / 1000) < time.mktime(
check_date.timetuple()):
tasks = api.get_case_tasks(r.json()[i]['id'])
inc, cnt = 0, 0
while inc < len(tasks.json()):
if (tasks.json()[inc]['status']
== ('Waiting')) or (tasks.json()[inc]['status']
== ('InProgress')):
cnt += 1
inc += 1
data[(i)] = {
'id':
r.json()[i]['id'],
'owner':
r.json()[i]['owner'],
'createdAt': (time.strftime(
'%m/%d/%Y %H:%M:%S',
time.gmtime(r.json()[i]['createdAt'] / 1000.))),
'totalTasks':
len(tasks.json()),
'pendingTasks':
cnt
}
i += 1
build(data)
def set_case_resolved(alert_id):
api = TheHiveApi(hiveURL, apiKey, None, {'http': '', 'https': ''})
case_promote_alert = api.promote_alert_to_case(alert_id).content
# Obtengo ID del caso
case_json = json.loads(case_promote_alert)
case_id = case_json["id"]
case_idCase = case_json["caseId"]
# print(case_id)
# print(case_idCase)
# Ponemos el caso resuelto
case = api.case(case_id)
case.status = 'Resolved'
case.resolutionStatus = 'TruePositive'
case.impactStatus = 'NoImpact'
case.summary = 'Resuelto automaticamente por The Hive Webhooks'
hiveResponse = api.update_case(case, ['status', 'resolutionStatus', 'impactStatus', 'tags', 'summary'])
def prepare_file_observable(id, file_array):
#We will need to run through the arrays to extract the values.
#Define the connection to thehive installation (including the generated API key).
hive_address = ''.join(settings.stored_hive_address[0])
hive_api = ''.join(settings.stored_api_key[0])
api = TheHiveApi(hive_address, hive_api, None, {'http': '', 'https': ''})
for fileaddress in file_array:
print(
str(datetime.datetime.now()) + " Creating file observable:" +
fileaddress)
print('Create file observable')
print('---------------------')
domain = CaseObservable(dataType='file',
data=[fileaddress],
tlp=0,
ioc=False,
tags=['AttachedFiles'],
message='Files Attached')
response = api.create_case_observable(id, domain)
if response.status_code == 201:
# print(json.dumps(response.json(), indent=4, sort_keys=True))
print(
str(datetime.datetime.now()) +
" Observable succesfully created.")
elif response.status_code == 400:
print(str(datetime.datetime.now()) + " Attachment already exists")
else:
print(
str(datetime.datetime.now()) +
" Error creating URL Observables.")
print('ko: {}/{}'.format(response.status_code, response.text))
sys.exit(0)
def test_get_case(mock_get):
thehive = TheHiveApi('http://127.0.0.1:9000', 'username', 'password', {
'http': '',
'https': ''
})
test_id = 'AV55EOIsPQ_zDQrlj4a9'
test_json = {
'_type': 'case',
'caseId': 5,
'createdAt': 1505269703195,
'createdBy': 'username',
'customFields': {},
'description': 'test description',
'flag': False,
'id': test_id,
'metrics': {},
'owner': 'username',
'severity': 2,
'startDate': 1505269703000,
'status': 'Open',
'tags': [],
'title': 'test case',
'tlp': 2,
'user': '******'
}
mock_response = mock.Mock()
mock_response.json.return_value = test_json
mock_response.status_code = 200
mock_get.return_value = mock_response
case = thehive.case(test_id)
assert mock_response.json.call_count == 1
assert case.id == test_id
def find_task_log_id(query):
hive_address = ''.join(settings.stored_hive_address[0])
hive_api = ''.join(settings.stored_api_key[0])
#Define the connection to thehive installation (including the generated API key).
api = TheHiveApi(hive_address, hive_api, None, {'http': '', 'https': ''})
response = api.get_case_tasks(case_id=query, range="all", sort=[])
if response.status_code == 200:
test = json.dumps(response.json(), indent=4, sort_keys=True)
resp = json.loads(test)
#I now need to search for a task called History
for item in resp:
if item['title'] == 'History':
full_task_id = item['id']
print("I found the task, it id:", full_task_id)
return full_task_id
print(str(datetime.datetime.now()) + " I didn't find a History task!")
else:
print('ko: {}/{}'.format(response.status_code, response.text))
print("NOT HERE")
sys.exit(0)
async def update_case_task(self, url, api_key, task_id, title=None, description=None, status=None, flag=None):
self.logger.info(f'Updating task {task_id} in TheHive...')
if not url.startswith("http"):
url = f"http://{url}"
api = TheHiveApi(url, api_key)
task = CaseTask(**api.get_case_task(task_id).json())
task.id = task_id
if title:
task.title = title
if description:
task.description = description
if status:
task.status = status
if flag is not None:
task.flag = flag
r = api.update_case_task(task)
if r.status_code == 200:
return r.json()
else:
raise IOError(r.text)
async def add_observable(self, apikey, url, case_id, data, datatype, tags):
self.thehive = TheHiveApi(url, apikey, cert=False)
if tags:
if ", " in tags:
tags = tags.split(", ")
elif "," in tags:
tags = tags.split(",")
else:
tags = [tags]
else:
tags = []
item = thehive4py.models.CaseObservable(
dataType=datatype,
data=data,
tlp=1,
ioc=False,
sighted=False,
tags=["Shuffle"],
message="Created by shuffle",
)
return self.thehive.create_case_observable(case_id, item).text
def search(title, query, range, sort):
#this function can be used to perform specific searches and may be helpful for designing custom searches
# to use is follow the following function examples:
#search("Case of title containing 'test hey now allstar'", String("title:'test hey now allstar'"), 'all', [])
#search("Case of description containing albertid", String("description:" +AlbertID), 'all', [])
#for full test cases visit this link: https://github.com/TheHive-Project/TheHive4py/tree/master/samples
api = TheHiveApi(config['thehiveURL'], config['thehiveUser'],
config['thehivePassword'], {
'http': '',
'https': ''
})
print(title)
print('-----------------------------')
response = api.find_cases(query=query, range=range, sort=sort)
if response.status_code == 200:
print("Success")
print(json.dumps(response.json(), indent=4, sort_keys=True))
print('')
else:
print('ko: {}/{}'.format(response.status_code, response.text))
sys.exit(0)
def createHiveAlert(esid):
search = getHits(esid)
#Hive Stuff
#es_url = parser.get('es', 'es_url')
hive_url = parser.get('hive', 'hive_url')
hive_key = parser.get('hive', 'hive_key')
hive_verifycert = parser.get('hive', 'hive_verifycert')
tlp = int(parser.get('hive', 'hive_tlp'))
# Check if verifying cert
if 'False' in hive_verifycert:
api = TheHiveApi(hive_url, hive_key, cert=False)
else:
api = TheHiveApi(hive_url, hive_key, cert=True)
#if hits > 0:
for result in search['hits']['hits']:
# Get initial details
message = result['_source']['message']
description = str(message)
sourceRef = str(uuid.uuid4())[0:6]
tags=["SecurityOnion"]
artifacts=[]
id = None
host = str(result['_index']).split(":")[0]
index = str(result['_index']).split(":")[1]
event_type = result['_source']['event_type']
if 'source_ip' in result['_source']:
src = str(result['_source']['source_ip'])
if 'destination_ip' in result['_source']:
dst = str(result['_source']['destination_ip'])
#if 'source_port' in result['_source']:
# srcport = result['_source']['source_port']
#if 'destination_port' in result['_source']:
# dstport = result['_source']['destination_port']
# NIDS Alerts
if 'snort' in event_type:
alert = result['_source']['alert']
category = result['_source']['category']
sensor = result['_source']['interface']
tags.append("nids")
tags.append(category)
title=alert
# Add artifacts
artifacts.append(AlertArtifact(dataType='ip', data=src))
artifacts.append(AlertArtifact(dataType='ip', data=dst))
artifacts.append(AlertArtifact(dataType='other', data=sensor))
# Bro logs
elif 'bro' in event_type:
_map_key_type ={
"conn": "Connection",
"dhcp": "DHCP",
"dnp3": "DNP3",
"dns": "DNS",
"files": "Files",
"ftp": "FTP",
"http": "HTTP",
"intel": "Intel",
"irc": "IRC",
"kerberos": "Kerberos",
"modbus": "Modbus",
"mysql": "MySQL",
"ntlm": "NTLM",
"pe": "PE",
"radius": "RADIUS",
"rdp": "RDP",
"rfb": "RFB",
"sip" : "SIP",
"smb": "SMB",
"smtp": "SMTP",
"snmp": "SNMP",
"ssh": "SSH",
"ssl": "SSL",
"syslog": "Syslog",
"weird": "Weird",
"x509": "X509"
}
def map_key_type(indicator_type):
'''
Maps a key type to use in the request URL.
'''
return _map_key_type.get(indicator_type)
bro_tag = event_type.strip('bro_')
bro_tag_title = map_key_type(bro_tag)
title= str('New Bro ' + bro_tag_title + ' record!')
if 'source_ip' in result['_source']:
artifacts.append(AlertArtifact(dataType='ip', data=src))
if 'destination_ip' in result['_source']:
artifacts.append(AlertArtifact(dataType='ip', data=dst))
if 'sensor_name' in result['_source']:
sensor = str(result['_source']['sensor_name'])
artifacts.append(AlertArtifact(dataType='other', data=sensor))
if 'uid' in result['_source']:
uid = str(result['_source']['uid'])
title= str('New Bro ' + bro_tag_title + ' record! - ' + uid)
artifacts.append(AlertArtifact(dataType='other', data=uid))
if 'fuid' in result['_source']:
fuid = str(result['_source']['fuid'])
title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid)
artifacts.append(AlertArtifact(dataType='other', data=fuid))
if 'id' in result['_source']:
fuid = str(result['_source']['id'])
title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid)
artifacts.append(AlertArtifact(dataType='other', data=fuid))
tags.append('bro')
tags.append(bro_tag)
# Wazuh/OSSEC logs
elif 'ossec' in event_type:
agent_name = result['_source']['agent']['name']
if 'description' in result['_source']:
ossec_desc = result['_source']['description']
else:
ossec_desc = result['_source']['full_log']
if 'ip' in result['_source']['agent']:
agent_ip = result['_source']['agent']['ip']
artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
artifacts.append(AlertArtifact(dataType='other', data=agent_name))
else:
artifacts.append(AlertArtifact(dataType='other', data=agent_name))
title= ossec_desc
tags.append("wazuh")
elif 'sysmon' in event_type:
if 'ossec' in result['_source']['tags']:
agent_name = result['_source']['agent']['name']
agent_ip = result['_source']['agent']['ip']
ossec_desc = result['_source']['full_log']
artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
artifacts.append(AlertArtifact(dataType='other', data=agent_name))
title= "New Sysmon Event! - " + agent_name
tags.append("wazuh")
else:
title = "New " + event_type + " Event From Security Onion"
# Build alert
hivealert = Alert(
title= title,
tlp=tlp,
tags=tags,
description=description,
type='external',
source='SecurityOnion',
sourceRef=sourceRef,
artifacts=artifacts
)
# Send it off
response = api.create_alert(hivealert)
if response.status_code == 201:
print(json.dumps(response.json(), indent=4, sort_keys=True))
print('')
id = response.json()['id']
# If running standalone / eval tell ES that we sent the alert
#es_type = 'doc'
#es_index = index
#es_headers = {'Content-Type' : 'application/json'}
#es_data = '{"script" : {"source": "ctx._source.tags.add(params.tag)","lang": "painless","params" : {"tag" : "Sent to TheHive"}}}'
#update_es_event = requests.post(es_url + '/' + es_index + '/' + es_type + '/' + esid + '/_update', headers=es_headers, data=es_data)
#print(update_es_event.content)
else:
print('ko: {}/{}'.format(response.status_code, response.text))
sys.exit(0)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from thehive4py.api import TheHiveApi
thehive = TheHiveApi('http://127.0.0.1:9000', 'username', 'password', {
'http': '',
'https': ''
})
# Create a new case
case = thehive.case.create(title='From TheHive4Py',
description='N/A',
tlp=3,
flag=True,
tags=['TheHive4Py', 'sample'],
tasks=[])
# Save the new case's ID for later use
case_id = case.id
# Change some attributes of the new case
case.tlp = 1
case.severity = 1
case.flag = False
# Update the case
thehive.update_case(case)
# Retrieve the case from the server and check the updated values
new_case = thehive.case(case_id)
except:
print('Misp not connected')
pymisp = False
misp_event_url = '#'
# The Hive #
try:
from thehive4py.api import TheHiveApi
import thehive4py.exceptions
from theHiveKEYS import the_hive_url, the_hive_key, the_hive_verifycert
if the_hive_url == '':
HiveApi = False
hive_case_url = '#'
print('The HIVE not connected')
else:
HiveApi = TheHiveApi(the_hive_url,
the_hive_key,
cert=the_hive_verifycert)
hive_case_url = the_hive_url + '/index.html#/case/id_here/details'
except:
print('The HIVE not connected')
HiveApi = False
hive_case_url = '#'
if HiveApi != False:
try:
HiveApi.get_alert(0)
print('The Hive connected')
except thehive4py.exceptions.AlertException:
HiveApi = False
print('The Hive not connected')
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import print_function
from __future__ import unicode_literals
import sys
import json
from thehive4py.api import TheHiveApi
from thehive4py.models import Case, CaseObservable
api = TheHiveApi('http://127.0.0.1:9000', '**YOUR_API_KEY**')
print('Create case')
print('-----------------------------')
case = Case(title='From TheHive4Py based on the Phishing template',
description='N/A',
tlp=2,
tags=['thehive4py'])
print(case.jsonify())
response = api.create_case(case)
if response.status_code == 201:
print(json.dumps(response.json(), indent=4, sort_keys=True))
print('')
id = response.json()['id']
else:
print('ko: {}/{}'.format(response.status_code, response.text))
sys.exit(0)
print('Create domain observable')
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Requires sentinel-mgmt-sdk-0.9.8
# Sentinel One Auto-Importer to TheHive SIRP via Python 2.x
from __future__ import print_function
from __future__ import unicode_literals
from thehive4py.api import TheHiveApi
from thehive4py.models import Case, CaseTask, CaseTaskLog, CaseObservable, AlertArtifact, Alert, CustomFieldHelper
from thehive4py.query import Eq
from management.mgmtsdk_v2.mgmt import Management
import requests, logging, json, time, sys, os, pprint
#environmental variables
S1API = ('')
S1WEB = ('')
api = TheHiveApi('', '')
S1Management = Management(hostname=S1WEB, api_token=S1API)
threats = S1Management.threats.get(resolved=False)
currentNum = threats.pagination['totalItems']
check = True
def main(api):
i = 0
while i < (currentNum):
check = True
string = searchCaseByDescription(threats.json['data'][i]['id'])
if string == None and check == True:
threat = createKeys(threats.json['data'][i], i)
parsed = createAlertDescription(threat, i)
case = Case(title=threats.json['data'][i]['description'],
from __future__ import unicode_literals
import sys
import json
from thehive4py.api import TheHiveApi
from thehive4py.query import *
from thehive4py.models import CaseObservable
import boto3
import os
CORRELATION_ID_TOKEN = "DLP-Correlation-ID: "
STATE_FILENAME = "ep.state"
bucket = 'mailparser-parsedmail'
temp_directory = 'temp/'
api = TheHiveApi('http://127.0.0.1:9000', '06rKYFdFSDpDVh0q8/zEPl9+W5ObCMmc')
s3 = boto3.client('s3')
def search_cases(title, query, range, sort):
new_cases = {}
response = api.find_cases(query=query, range=range, sort=sort)
#get correlation ids by parsing description
if response.status_code == 200:
resp = response.json()
print("Found " + str(len(resp)) + " new case(s)")
for r in resp:
desc = r["description"]
case_id = r["id"]
def createGRRFlow(esid, flow_name):
search = getHits(esid)
tlp = int(parser.get('hive', 'hive_tlp'))
# Check if verifying cert
if 'False' in hive_verifycert:
hiveapi = TheHiveApi(hive_url, hive_key, cert=False)
else:
hiveapi = TheHiveApi(hive_url, hive_key, cert=True)
grr_url = parser.get('grr', 'grr_url')
grr_user = parser.get('grr', 'grr_user')
grr_pass = parser.get('grr', 'grr_pass')
grrapi = api.InitHttp(api_endpoint=grr_url, auth=(grr_user, grr_pass))
base64string = '%s:%s' % (grr_user, grr_pass)
base64string = base64.b64encode(bytes(base64string, "utf-8"))
authheader = "Basic %s" % base64string
index_response = requests.get(grr_url,
auth=HTTPBasicAuth(grr_user, grr_pass))
csrf_token = index_response.cookies.get("csrftoken")
headers = {
"Authorization": authheader,
"x-csrftoken": csrf_token,
"x-requested-with": "XMLHttpRequest"
}
cookies = {"csrftoken": csrf_token}
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
description = str(message)
info = description
if 'source_ip' in result:
source_ip = result['source_ip']
if 'destination_ip' in result:
destination_ip = result['destination_ip']
for ip in source_ip, destination_ip:
search_result = grrapi.SearchClients(ip)
grr_result = {}
client_id = ''
for client in search_result:
# Get client id
client_id = client.client_id
client_last_seen_at = client.data.last_seen_at
grr_result[client_id] = client_last_seen_at
#flow_name = "ListProcesses"
if client_id is None:
pass
# Process flow and get flow id
flow_id = listProcessFlow(client_id, grr_url, headers, cookies,
grr_user, grr_pass)
# Get status
status = checkFlowStatus(client_id, grr_url, flow_id, headers,
cookies, grr_user, grr_pass)
# Keep checking to see if complete
while status != "terminated":
time.sleep(15)
print(
"Flow not yet completed..watiing 15 secs before attempting to check status again..."
)
status = checkFlowStatus(client_id, grr_url, flow_id,
headers, cookies, grr_user,
grr_pass)
# If terminated, run the download
if status == "terminated":
downloadFlowResults(client_id, grr_url, flow_id, headers,
cookies, grr_user, grr_pass)
#print("Done!")
# Run flow via API client
#flow_obj = grrapi.Client(client_id)
#flow_obj.CreateFlow(name=flow_name)
title = "Test Alert with GRR Flow"
description = str(message)
sourceRef = str(uuid.uuid4())[0:6]
tags = ["SecurityOnion", "GRR"]
artifacts = []
id = None
filepath = "/tmp/soctopus/" + client_id + ".zip"
artifacts.append(
AlertArtifact(dataType='file', data=str(filepath)))
# Build alert
hivealert = Alert(title=title,
tlp=tlp,
tags=tags,
description=description,
type='external',
source='SecurityOnion',
sourceRef=sourceRef,
artifacts=artifacts)
# Send it off
response = hiveapi.create_alert(hivealert)
if client_id:
# Redirect to GRR instance
return redirect(grr_url + '/#/clients/' + client_id + '/flows')
else:
return "No matches found for source or destination ip"