def main(): api = TheHiveApi(HiveWEB, HiveAPI) S1Management = Management(hostname=S1WEB, api_token=S1API) tod = datetime.datetime.now() d = datetime.timedelta(days=DAYS) filter = ThreatQueryFilter() filter.apply("createdAt", tod - d, op="gt") filter.apply("resolved", False, op="eq") threats = S1Management.threats.get(query_filter=filter) i = 0 while True: threat = threats.json["data"][i] string = searchCaseByDescription(api, threat["id"]) if string is None: threat_values = createKeys(threat) description = createCaseDescription(threat_values) case = Case( title=threat["description"], tlp=0, pap=0, severity=1, flag=False, tags=[ "Sentinel One", threat["classification"], threat["agentOsType"], ], description=description, tasks=[], status="Open", createdAt=threat["createdDate"], ) response = api.create_case(case) if response.status_code == 201: logging.info(json.dumps(response.json(), indent=4, sort_keys=True)) id = response.json()["id"] postUpdate(api, id, threat) else: logging.error("ko: {}/{}".format(response.status_code, response.text)) i += 1 if i == len(threats.json["data"]): cursor = threats.pagination["nextCursor"] if not cursor: break threats = S1Management.threats.get(cursor=cursor) i = 0
async def create_alert_artifact(self, apikey, url, alert_id, dataType, data, message=None, tlp="2", ioc="False", sighted="False", ignoreSimilarity="False", tags=None): self.thehive = TheHiveApi(url, apikey, cert=False, version=4) if tlp: tlp = int(tlp) else: tlp = 2 ioc = ioc.lower().strip() == "true" sighted = sighted.lower().strip() == "true" ignoreSimilarity = ignoreSimilarity.lower().strip() == "true" if tags: tags = [x.strip() for x in tags.split(",")] else: tags = [] alert_artifact = thehive4py.models.AlertArtifact( dataType=dataType, data=data, message=message, tlp=tlp, ioc=ioc, sighted=sighted, ignoreSimilarity=ignoreSimilarity, tags=tags) try: ret = self.thehive.create_alert_artifact(alert_id, alert_artifact) except requests.exceptions.ConnectionError as e: return "ConnectionError: %s" % e if ret.status_code > 299: raise ConnectionError(ret.text) return ret.text
def prepare_alert(subject, indicatorlevel, emailbody, alerttype, tag): hive_address = ''.join(settings.stored_hive_address[0]) hive_api = ''.join(settings.stored_api_key[0]) #Define the connection to thehive installation (including the generated API key). api = TheHiveApi(hive_address, hive_api, None, {'http': '', 'https': ''}) # Prepare the sample Alert print("Preparing the alert for", alerttype) sourceRef = str(uuid.uuid4())[0:6] alert = Alert(title=subject, tlp=indicatorlevel, tags=[tag], description=emailbody, type=alerttype, source='instance1', sourceRef=sourceRef, artifacts="") # Create the Alert print('Create Alert') print('-----------------------------') id = None response = api.create_alert(alert) if response.status_code == 201: print("Alert created sucessfully!") # print(json.dumps(response.json(), indent=4, sort_keys=True)) # print('') id = response.json()['id'] else: print("Unable to create alert") # print('ko: {}/{}'.format(response.status_code, response.text)) sys.exit(0) # Get all the details of the created alert print('Get created alert {}'.format(id)) print('-----------------------------') response = api.get_alert(id) if response.status_code == requests.codes.ok: # print(json.dumps(response.json(), indent=4, sort_keys=True)) print('') else: print("Error retreiving the alert!") print('ko: {}/{}'.format(response.status_code, response.text))
def alert(self, matches): connection_details = self.rule['hive_connection'] api = TheHiveApi( '{hive_host}:{hive_port}'.format(**connection_details), '{hive_username}'.format(**connection_details), '{hive_password}'.format(**connection_details), connection_details.get('hive_proxies', {'http': '', 'https': ''})) for match in matches: context = {'rule': self.rule, 'match': match} artifacts = [] for mapping in self.rule.get('hive_observable_data_mapping', []): for observable_type, match_data_key in mapping.iteritems(): try: artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context))) except KeyError: raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context)) alert_config = { 'artifacts': artifacts, 'sourceRef': str(uuid.uuid4())[0:6], 'title': '{rule[index]}_{rule[name]}'.format(**context) } alert_config.update(self.rule.get('hive_alert_config', {})) for alert_config_field, alert_config_value in alert_config.iteritems(): if isinstance(alert_config_value, basestring): alert_config[alert_config_field] = alert_config_value.format(**context) elif isinstance(alert_config_value, (list, tuple)): formatted_list = [] for element in alert_config_value: try: formatted_list.append(element.format(**context)) except: formatted_list.append(element) alert_config[alert_config_field] = formatted_list alert = Alert(**alert_config) response = api.create_alert(alert) if response.status_code != 201: raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
def send_to_thehive(self, alert_config): connection_details = self.rule['hive_connection'] api = TheHiveApi(connection_details.get('hive_host', ''), connection_details.get('hive_apikey', ''), proxies=connection_details.get( 'hive_proxies', { 'http': '', 'https': '' }), cert=connection_details.get('hive_verify', False)) alert = Alert(**alert_config) response = api.create_alert(alert) if response.status_code != 201: raise Exception( 'alert not successfully created in TheHive\n{}'.format( response.text))
async def create_case(self, url, api_key, title, description="", tlp=2, severity=1, tags=None): tags = tags if tags else [] if not url.startswith("http"): url = f"http://{url}" api = TheHiveApi(url, api_key) self.logger.info('Creating a case in TheHive...') case_helper = CaseHelper(api) tags.append(f"walkoff_execution_id: {self.current_execution_id}") case_kwargs = { "tlp": tlp, "severity": severity, "tags": tags if tags is not None else [] } return case_helper.create(title, description, **case_kwargs).id
async def unlock_hive_user(self, url, api_key, users): if not url.startswith("http"): url = f"http://{url}" api = TheHiveApi(url, api_key) result = {} for user in users: self.logger.info(f'Unlocking user {user} in TheHive...') r = api.do_patch(f'/api/user/{user}', **{'status': "Ok"}) if r.status_code == 200: result[user] = r.json() else: self.logger.info(f'Error Unlocking user {user} in TheHive: {r.text()}') return result
def create_th_alerts(config, alerts): """ :param config: TheHive config :type config: dict :param alerts: List of alerts :type alerts: list :return: create TH alert """ thapi = TheHiveApi(config.get('url', None), config.get('key'), config.get('password', None), config.get('proxies')) for a in alerts: response = thapi.create_alert(a) logging.debug('API TheHive - status code: {}'.format( response.status_code)) if response.status_code > 299: logging.debug('API TheHive - raw error output: {}'.format( response.raw.read()))
def test_api(server, apikey): """Test API connectivity to TheHive :param server: Server IP address or URL :param apikey: API Key to connect to TheHive server :return: Connectivity status :rtype: boolean """ # Basic API call; this happens quite frequently throughout the script, and was easier to model here. api_test = TheHiveApi(server, apikey) try: api_test.find_first() # TODO: Let's see if we can make this more TheHive exception specific except KeyError: print("WARNING: API Key failed\n") return False except TheHiveException: print("WARNING: Cannot reach hostname provided\n") return False return True
def run(self, task_id): api = TheHiveApi(self.config['thehive_url'], self.config['thehive_api_key']) response = api.find_tasks(query=Eq('_id', task_id)) if response.status_code == 200: tasks = response.json() if len(tasks) == 1: task = CaseTask(json=tasks[0]) task.id = task_id task.status = 'InProgress' task.owner = self.config['thehive_bot_username'] api.update_case_task(task) else: raise ValueError('[TakeTaskAction]: no tasks with this id') else: raise ValueError('[TakeTaskAction]: status_code %d' % response.status_code) return True
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) # Extra config self.thehive_url = get_config_variable( "THEHIVE_URL", ["thehive", "url"], config ) self.thehive_api_key = get_config_variable( "THEHIVE_API_KEY", ["thehive", "api_key"], config ) self.thehive_check_ssl = get_config_variable( "THEHIVE_CHECK_SSL", ["thehive", "check_ssl"], config, False, True ) self.thehive_organization_name = get_config_variable( "THEHIVE_ORGANIZATION_NAME", ["thehive", "organization_name"], config ) self.thehive_import_from_date = get_config_variable( "THEHIVE_IMPORT_FROM_DATE", ["thehive", "import_from_date"], config, False, datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"), ) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, ) self.identity = self.helper.api.identity.create( type="Organization", name=self.thehive_organization_name, description=self.thehive_organization_name, ) self.thehive_api = TheHiveApi( self.thehive_url, self.thehive_api_key, cert=self.thehive_check_ssl )
async def update_case_observable(self, url, api_key, case_id, obs_id, description=None, tlp=0, is_ioc=False, is_sighted=False, tags=None, tags_mode=None): self.logger.info( f'Updating observable {obs_id} in case {case_id} in TheHive...') if not url.startswith("http"): url = f"http://{url}" api = TheHiveApi(url, api_key) obs_list = api.get_case_observables(case_id).json() obs_json = [obs for obs in obs_list if obs["id"] == obs_id][0] obs = CaseObservable(**obs_json) obs.id = obs_id if description: obs.description = description if tlp: obs.tlp = tlp if is_ioc is not None: obs.ioc = is_ioc if is_sighted is not None: obs.sighted = is_sighted if tags is not None: if tags_mode == "append": tags = obs.tags + tags obs.tags = tags r = api.update_case_observables(obs) if r.status_code == 200: return r.json() else: raise IOError(r.text)
def connect(self, params): url = '{}://{}:{}'.format(params.get('protocol'), params.get('host').rstrip('/'), params.get('port')) self.password = params.get('credentials').get('password') self.username = params.get('credentials').get('username') self.verify = params.get('verify', True) self.logger.info('URL: %s', url) if not params.get('proxy'): self.proxy = {} else: self.proxy = params.get('proxy') self.logger.info('Proxy specified: %s', self.proxy) self.logger.info("Connect: Connecting...") self.logger.info("SSL Verify: %s" % str(self.verify)) self.client = TheHiveApi(url=url, principal=self.username, password=self.password, proxies=self.proxy, cert=self.verify)
async def search_query(self, apikey, url, search_for, custom_query): self.thehive = TheHiveApi(url, apikey, cert=False) try: query = json.loads(custom_query) except: raise IOError("Invalid JSON payload received.") if search_for == "alert": response = self.thehive.find_alerts(query=query, range="all", sort=[]) else: response = self.thehive.find_cases(query=query, range="all", sort=[]) if response.status_code == 200: return response.text else: raise IOError(response.text)
async def close_case(self, case_id, url, api_key, resolution_status, impact_status, summary, tags=None, tags_mode="append"): self.logger.info(f'Closing case {case_id} in TheHive...') if not url.startswith("http"): url = f"http://{url}" api = TheHiveApi(url, api_key) case_helper = CaseHelper(api) case_kwargs = {"status": "Resolved", "resolutionStatus": resolution_status, "impactStatus": impact_status, "summary": summary} if tags is not None: if tags_mode == "append": tags = case_helper(case_id).tags + tags case_kwargs["tags"] = tags return case_helper.update(case_id, **case_kwargs).id
def main(): """Returns global dictionary data object Calls The Hives API then checks if a result was returned. If a result was returned, check the results and time since the result was created. """ data = {} api = TheHiveApi(server_address, api_credentials) r = api.find_cases(query=Eq('status', 'Open'), range='all', sort=[]) if r.status_code == 200: i = 0 data = {} while i < len(r.json()): check_date = datetime.date.today() - datetime.timedelta(days=7) if (r.json()[i]['createdAt'] / 1000) < time.mktime( check_date.timetuple()): tasks = api.get_case_tasks(r.json()[i]['id']) inc, cnt = 0, 0 while inc < len(tasks.json()): if (tasks.json()[inc]['status'] == ('Waiting')) or (tasks.json()[inc]['status'] == ('InProgress')): cnt += 1 inc += 1 data[(i)] = { 'id': r.json()[i]['id'], 'owner': r.json()[i]['owner'], 'createdAt': (time.strftime( '%m/%d/%Y %H:%M:%S', time.gmtime(r.json()[i]['createdAt'] / 1000.))), 'totalTasks': len(tasks.json()), 'pendingTasks': cnt } i += 1 build(data)
def set_case_resolved(alert_id): api = TheHiveApi(hiveURL, apiKey, None, {'http': '', 'https': ''}) case_promote_alert = api.promote_alert_to_case(alert_id).content # Obtengo ID del caso case_json = json.loads(case_promote_alert) case_id = case_json["id"] case_idCase = case_json["caseId"] # print(case_id) # print(case_idCase) # Ponemos el caso resuelto case = api.case(case_id) case.status = 'Resolved' case.resolutionStatus = 'TruePositive' case.impactStatus = 'NoImpact' case.summary = 'Resuelto automaticamente por The Hive Webhooks' hiveResponse = api.update_case(case, ['status', 'resolutionStatus', 'impactStatus', 'tags', 'summary'])
def prepare_file_observable(id, file_array): #We will need to run through the arrays to extract the values. #Define the connection to thehive installation (including the generated API key). hive_address = ''.join(settings.stored_hive_address[0]) hive_api = ''.join(settings.stored_api_key[0]) api = TheHiveApi(hive_address, hive_api, None, {'http': '', 'https': ''}) for fileaddress in file_array: print( str(datetime.datetime.now()) + " Creating file observable:" + fileaddress) print('Create file observable') print('---------------------') domain = CaseObservable(dataType='file', data=[fileaddress], tlp=0, ioc=False, tags=['AttachedFiles'], message='Files Attached') response = api.create_case_observable(id, domain) if response.status_code == 201: # print(json.dumps(response.json(), indent=4, sort_keys=True)) print( str(datetime.datetime.now()) + " Observable succesfully created.") elif response.status_code == 400: print(str(datetime.datetime.now()) + " Attachment already exists") else: print( str(datetime.datetime.now()) + " Error creating URL Observables.") print('ko: {}/{}'.format(response.status_code, response.text)) sys.exit(0)
def test_get_case(mock_get): thehive = TheHiveApi('http://127.0.0.1:9000', 'username', 'password', { 'http': '', 'https': '' }) test_id = 'AV55EOIsPQ_zDQrlj4a9' test_json = { '_type': 'case', 'caseId': 5, 'createdAt': 1505269703195, 'createdBy': 'username', 'customFields': {}, 'description': 'test description', 'flag': False, 'id': test_id, 'metrics': {}, 'owner': 'username', 'severity': 2, 'startDate': 1505269703000, 'status': 'Open', 'tags': [], 'title': 'test case', 'tlp': 2, 'user': '******' } mock_response = mock.Mock() mock_response.json.return_value = test_json mock_response.status_code = 200 mock_get.return_value = mock_response case = thehive.case(test_id) assert mock_response.json.call_count == 1 assert case.id == test_id
def find_task_log_id(query): hive_address = ''.join(settings.stored_hive_address[0]) hive_api = ''.join(settings.stored_api_key[0]) #Define the connection to thehive installation (including the generated API key). api = TheHiveApi(hive_address, hive_api, None, {'http': '', 'https': ''}) response = api.get_case_tasks(case_id=query, range="all", sort=[]) if response.status_code == 200: test = json.dumps(response.json(), indent=4, sort_keys=True) resp = json.loads(test) #I now need to search for a task called History for item in resp: if item['title'] == 'History': full_task_id = item['id'] print("I found the task, it id:", full_task_id) return full_task_id print(str(datetime.datetime.now()) + " I didn't find a History task!") else: print('ko: {}/{}'.format(response.status_code, response.text)) print("NOT HERE") sys.exit(0)
async def update_case_task(self, url, api_key, task_id, title=None, description=None, status=None, flag=None): self.logger.info(f'Updating task {task_id} in TheHive...') if not url.startswith("http"): url = f"http://{url}" api = TheHiveApi(url, api_key) task = CaseTask(**api.get_case_task(task_id).json()) task.id = task_id if title: task.title = title if description: task.description = description if status: task.status = status if flag is not None: task.flag = flag r = api.update_case_task(task) if r.status_code == 200: return r.json() else: raise IOError(r.text)
async def add_observable(self, apikey, url, case_id, data, datatype, tags): self.thehive = TheHiveApi(url, apikey, cert=False) if tags: if ", " in tags: tags = tags.split(", ") elif "," in tags: tags = tags.split(",") else: tags = [tags] else: tags = [] item = thehive4py.models.CaseObservable( dataType=datatype, data=data, tlp=1, ioc=False, sighted=False, tags=["Shuffle"], message="Created by shuffle", ) return self.thehive.create_case_observable(case_id, item).text
def search(title, query, range, sort): #this function can be used to perform specific searches and may be helpful for designing custom searches # to use is follow the following function examples: #search("Case of title containing 'test hey now allstar'", String("title:'test hey now allstar'"), 'all', []) #search("Case of description containing albertid", String("description:" +AlbertID), 'all', []) #for full test cases visit this link: https://github.com/TheHive-Project/TheHive4py/tree/master/samples api = TheHiveApi(config['thehiveURL'], config['thehiveUser'], config['thehivePassword'], { 'http': '', 'https': '' }) print(title) print('-----------------------------') response = api.find_cases(query=query, range=range, sort=sort) if response.status_code == 200: print("Success") print(json.dumps(response.json(), indent=4, sort_keys=True)) print('') else: print('ko: {}/{}'.format(response.status_code, response.text)) sys.exit(0)
def createHiveAlert(esid): search = getHits(esid) #Hive Stuff #es_url = parser.get('es', 'es_url') hive_url = parser.get('hive', 'hive_url') hive_key = parser.get('hive', 'hive_key') hive_verifycert = parser.get('hive', 'hive_verifycert') tlp = int(parser.get('hive', 'hive_tlp')) # Check if verifying cert if 'False' in hive_verifycert: api = TheHiveApi(hive_url, hive_key, cert=False) else: api = TheHiveApi(hive_url, hive_key, cert=True) #if hits > 0: for result in search['hits']['hits']: # Get initial details message = result['_source']['message'] description = str(message) sourceRef = str(uuid.uuid4())[0:6] tags=["SecurityOnion"] artifacts=[] id = None host = str(result['_index']).split(":")[0] index = str(result['_index']).split(":")[1] event_type = result['_source']['event_type'] if 'source_ip' in result['_source']: src = str(result['_source']['source_ip']) if 'destination_ip' in result['_source']: dst = str(result['_source']['destination_ip']) #if 'source_port' in result['_source']: # srcport = result['_source']['source_port'] #if 'destination_port' in result['_source']: # dstport = result['_source']['destination_port'] # NIDS Alerts if 'snort' in event_type: alert = result['_source']['alert'] category = result['_source']['category'] sensor = result['_source']['interface'] tags.append("nids") tags.append(category) title=alert # Add artifacts artifacts.append(AlertArtifact(dataType='ip', data=src)) artifacts.append(AlertArtifact(dataType='ip', data=dst)) artifacts.append(AlertArtifact(dataType='other', data=sensor)) # Bro logs elif 'bro' in event_type: _map_key_type ={ "conn": "Connection", "dhcp": "DHCP", "dnp3": "DNP3", "dns": "DNS", "files": "Files", "ftp": "FTP", "http": "HTTP", "intel": "Intel", "irc": "IRC", "kerberos": "Kerberos", "modbus": "Modbus", "mysql": "MySQL", "ntlm": "NTLM", "pe": "PE", "radius": "RADIUS", "rdp": "RDP", "rfb": "RFB", "sip" : "SIP", "smb": "SMB", "smtp": "SMTP", "snmp": "SNMP", "ssh": "SSH", "ssl": "SSL", "syslog": "Syslog", "weird": "Weird", "x509": "X509" } def map_key_type(indicator_type): ''' Maps a key type to use in the request URL. ''' return _map_key_type.get(indicator_type) bro_tag = event_type.strip('bro_') bro_tag_title = map_key_type(bro_tag) title= str('New Bro ' + bro_tag_title + ' record!') if 'source_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=src)) if 'destination_ip' in result['_source']: artifacts.append(AlertArtifact(dataType='ip', data=dst)) if 'sensor_name' in result['_source']: sensor = str(result['_source']['sensor_name']) artifacts.append(AlertArtifact(dataType='other', data=sensor)) if 'uid' in result['_source']: uid = str(result['_source']['uid']) title= str('New Bro ' + bro_tag_title + ' record! - ' + uid) artifacts.append(AlertArtifact(dataType='other', data=uid)) if 'fuid' in result['_source']: fuid = str(result['_source']['fuid']) title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) if 'id' in result['_source']: fuid = str(result['_source']['id']) title= str('New Bro ' + bro_tag_title + ' record! - ' + fuid) artifacts.append(AlertArtifact(dataType='other', data=fuid)) tags.append('bro') tags.append(bro_tag) # Wazuh/OSSEC logs elif 'ossec' in event_type: agent_name = result['_source']['agent']['name'] if 'description' in result['_source']: ossec_desc = result['_source']['description'] else: ossec_desc = result['_source']['full_log'] if 'ip' in result['_source']['agent']: agent_ip = result['_source']['agent']['ip'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append(AlertArtifact(dataType='other', data=agent_name)) else: artifacts.append(AlertArtifact(dataType='other', data=agent_name)) title= ossec_desc tags.append("wazuh") elif 'sysmon' in event_type: if 'ossec' in result['_source']['tags']: agent_name = result['_source']['agent']['name'] agent_ip = result['_source']['agent']['ip'] ossec_desc = result['_source']['full_log'] artifacts.append(AlertArtifact(dataType='ip', data=agent_ip)) artifacts.append(AlertArtifact(dataType='other', data=agent_name)) title= "New Sysmon Event! - " + agent_name tags.append("wazuh") else: title = "New " + event_type + " Event From Security Onion" # Build alert hivealert = Alert( title= title, tlp=tlp, tags=tags, description=description, type='external', source='SecurityOnion', sourceRef=sourceRef, artifacts=artifacts ) # Send it off response = api.create_alert(hivealert) if response.status_code == 201: print(json.dumps(response.json(), indent=4, sort_keys=True)) print('') id = response.json()['id'] # If running standalone / eval tell ES that we sent the alert #es_type = 'doc' #es_index = index #es_headers = {'Content-Type' : 'application/json'} #es_data = '{"script" : {"source": "ctx._source.tags.add(params.tag)","lang": "painless","params" : {"tag" : "Sent to TheHive"}}}' #update_es_event = requests.post(es_url + '/' + es_index + '/' + es_type + '/' + esid + '/_update', headers=es_headers, data=es_data) #print(update_es_event.content) else: print('ko: {}/{}'.format(response.status_code, response.text)) sys.exit(0)
#!/usr/bin/env python # -*- coding: utf-8 -*- from thehive4py.api import TheHiveApi thehive = TheHiveApi('http://127.0.0.1:9000', 'username', 'password', { 'http': '', 'https': '' }) # Create a new case case = thehive.case.create(title='From TheHive4Py', description='N/A', tlp=3, flag=True, tags=['TheHive4Py', 'sample'], tasks=[]) # Save the new case's ID for later use case_id = case.id # Change some attributes of the new case case.tlp = 1 case.severity = 1 case.flag = False # Update the case thehive.update_case(case) # Retrieve the case from the server and check the updated values new_case = thehive.case(case_id)
except: print('Misp not connected') pymisp = False misp_event_url = '#' # The Hive # try: from thehive4py.api import TheHiveApi import thehive4py.exceptions from theHiveKEYS import the_hive_url, the_hive_key, the_hive_verifycert if the_hive_url == '': HiveApi = False hive_case_url = '#' print('The HIVE not connected') else: HiveApi = TheHiveApi(the_hive_url, the_hive_key, cert=the_hive_verifycert) hive_case_url = the_hive_url + '/index.html#/case/id_here/details' except: print('The HIVE not connected') HiveApi = False hive_case_url = '#' if HiveApi != False: try: HiveApi.get_alert(0) print('The Hive connected') except thehive4py.exceptions.AlertException: HiveApi = False print('The Hive not connected')
#!/usr/bin/env python # -*- coding: utf-8 -*- from __future__ import print_function from __future__ import unicode_literals import sys import json from thehive4py.api import TheHiveApi from thehive4py.models import Case, CaseObservable api = TheHiveApi('http://127.0.0.1:9000', '**YOUR_API_KEY**') print('Create case') print('-----------------------------') case = Case(title='From TheHive4Py based on the Phishing template', description='N/A', tlp=2, tags=['thehive4py']) print(case.jsonify()) response = api.create_case(case) if response.status_code == 201: print(json.dumps(response.json(), indent=4, sort_keys=True)) print('') id = response.json()['id'] else: print('ko: {}/{}'.format(response.status_code, response.text)) sys.exit(0) print('Create domain observable')
#!/usr/bin/env python # -*- coding: utf-8 -*- # Requires sentinel-mgmt-sdk-0.9.8 # Sentinel One Auto-Importer to TheHive SIRP via Python 2.x from __future__ import print_function from __future__ import unicode_literals from thehive4py.api import TheHiveApi from thehive4py.models import Case, CaseTask, CaseTaskLog, CaseObservable, AlertArtifact, Alert, CustomFieldHelper from thehive4py.query import Eq from management.mgmtsdk_v2.mgmt import Management import requests, logging, json, time, sys, os, pprint #environmental variables S1API = ('') S1WEB = ('') api = TheHiveApi('', '') S1Management = Management(hostname=S1WEB, api_token=S1API) threats = S1Management.threats.get(resolved=False) currentNum = threats.pagination['totalItems'] check = True def main(api): i = 0 while i < (currentNum): check = True string = searchCaseByDescription(threats.json['data'][i]['id']) if string == None and check == True: threat = createKeys(threats.json['data'][i], i) parsed = createAlertDescription(threat, i) case = Case(title=threats.json['data'][i]['description'],
from __future__ import unicode_literals import sys import json from thehive4py.api import TheHiveApi from thehive4py.query import * from thehive4py.models import CaseObservable import boto3 import os CORRELATION_ID_TOKEN = "DLP-Correlation-ID: " STATE_FILENAME = "ep.state" bucket = 'mailparser-parsedmail' temp_directory = 'temp/' api = TheHiveApi('http://127.0.0.1:9000', '06rKYFdFSDpDVh0q8/zEPl9+W5ObCMmc') s3 = boto3.client('s3') def search_cases(title, query, range, sort): new_cases = {} response = api.find_cases(query=query, range=range, sort=sort) #get correlation ids by parsing description if response.status_code == 200: resp = response.json() print("Found " + str(len(resp)) + " new case(s)") for r in resp: desc = r["description"] case_id = r["id"]
def createGRRFlow(esid, flow_name): search = getHits(esid) tlp = int(parser.get('hive', 'hive_tlp')) # Check if verifying cert if 'False' in hive_verifycert: hiveapi = TheHiveApi(hive_url, hive_key, cert=False) else: hiveapi = TheHiveApi(hive_url, hive_key, cert=True) grr_url = parser.get('grr', 'grr_url') grr_user = parser.get('grr', 'grr_user') grr_pass = parser.get('grr', 'grr_pass') grrapi = api.InitHttp(api_endpoint=grr_url, auth=(grr_user, grr_pass)) base64string = '%s:%s' % (grr_user, grr_pass) base64string = base64.b64encode(bytes(base64string, "utf-8")) authheader = "Basic %s" % base64string index_response = requests.get(grr_url, auth=HTTPBasicAuth(grr_user, grr_pass)) csrf_token = index_response.cookies.get("csrftoken") headers = { "Authorization": authheader, "x-csrftoken": csrf_token, "x-requested-with": "XMLHttpRequest" } cookies = {"csrftoken": csrf_token} for result in search['hits']['hits']: result = result['_source'] message = result['message'] description = str(message) info = description if 'source_ip' in result: source_ip = result['source_ip'] if 'destination_ip' in result: destination_ip = result['destination_ip'] for ip in source_ip, destination_ip: search_result = grrapi.SearchClients(ip) grr_result = {} client_id = '' for client in search_result: # Get client id client_id = client.client_id client_last_seen_at = client.data.last_seen_at grr_result[client_id] = client_last_seen_at #flow_name = "ListProcesses" if client_id is None: pass # Process flow and get flow id flow_id = listProcessFlow(client_id, grr_url, headers, cookies, grr_user, grr_pass) # Get status status = checkFlowStatus(client_id, grr_url, flow_id, headers, cookies, grr_user, grr_pass) # Keep checking to see if complete while status != "terminated": time.sleep(15) print( "Flow not yet completed..watiing 15 secs before attempting to check status again..." ) status = checkFlowStatus(client_id, grr_url, flow_id, headers, cookies, grr_user, grr_pass) # If terminated, run the download if status == "terminated": downloadFlowResults(client_id, grr_url, flow_id, headers, cookies, grr_user, grr_pass) #print("Done!") # Run flow via API client #flow_obj = grrapi.Client(client_id) #flow_obj.CreateFlow(name=flow_name) title = "Test Alert with GRR Flow" description = str(message) sourceRef = str(uuid.uuid4())[0:6] tags = ["SecurityOnion", "GRR"] artifacts = [] id = None filepath = "/tmp/soctopus/" + client_id + ".zip" artifacts.append( AlertArtifact(dataType='file', data=str(filepath))) # Build alert hivealert = Alert(title=title, tlp=tlp, tags=tags, description=description, type='external', source='SecurityOnion', sourceRef=sourceRef, artifacts=artifacts) # Send it off response = hiveapi.create_alert(hivealert) if client_id: # Redirect to GRR instance return redirect(grr_url + '/#/clients/' + client_id + '/flows') else: return "No matches found for source or destination ip"