def get_formatted_alert_as_cef(self, result_fields):
    """Render one alert as a syslog-style line carrying a CEF event.

    The returned line is ``"<timestamp> <host> <cef>"``: the alert's
    ``timestamp`` in ISO 8601 (a falsy timestamp is rendered as the text
    ``None``), the local FQDN, and the CEF record built by ``cefevent``.

    Only keys of ``result_fields`` that have an entry in ``cef_dict`` are
    copied into the event, and every value is stringified first. An entry
    whose ``field_name`` is a ``CEFCustomString`` produces two fields: the
    custom string itself and its companion label. When
    ``CEFEvent.set_field`` returns a falsy result for a mapped field, a
    warning naming the field and the alert ``id`` is logged; the line is
    still returned.

    Args:
        result_fields: alert record; must contain ``timestamp`` and ``id``.

    Returns:
        str: the formatted syslog line.
    """
    event = CEFEvent()
    raw_ts = result_fields['timestamp']
    timestamp = raw_ts.isoformat() if raw_ts else None
    hostname = socket.getfqdn()

    # Header fields identifying this product as the event source.
    for header_name, header_value in (
        ("deviceVendor", "Cymmetria"),
        ("deviceProduct", "Honeycomb"),
        ("deviceVersion", six.text_type(__version__)),
    ):
        event.set_field(header_name, header_value)

    for field_name, field_value in six.iteritems(result_fields):
        if field_name not in cef_dict:
            # Alert attributes without a CEF mapping are deliberately dropped.
            continue
        mapped = cef_dict[field_name].field_name
        # NOTE(review): escaping of '=', '\\' and line breaks inside the
        # stringified values is left to cefevent — confirm it does so for
        # the version in use, since alert data is attacker-influenced.
        text_value = six.text_type(field_value)
        if isinstance(mapped, CEFCustomString):
            accepted = event.set_field(six.text_type(mapped.field_name), text_value)
            # The label field describes the custom string; its result is not checked.
            event.set_field(
                six.text_type(mapped.field_label),
                six.text_type(mapped.field_label_text),
            )
        else:
            accepted = event.set_field(six.text_type(mapped), text_value)
        if not accepted:
            self.logger.warning(
                "cef field {} didn't defined well to cef to alert_id {}".format(
                    field_name, result_fields['id']))

    return "{timestamp} {host} {cef_message}".format(
        timestamp=timestamp, host=hostname, cef_message=event.build_cef())
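def _port_or_zero(value):
    """Return ``int(value)``, treating ``None`` or a blank string as 0.

    Port columns can be empty in exported rows; ``int('')`` would abort the
    whole record, so blanks map to 0 while other non-numeric text still
    raises ``ValueError``.
    """
    if value is None or (isinstance(value, str) and not value.strip()):
        return 0
    return int(value)


def format_smc_logs_to_cef(record):
    """Convert one Forcepoint NGFW (SMC) log record into a CEF line.

    Required keys (``KeyError`` when absent): ``Event ID``, ``Src Addrs``,
    ``Creation Time``. Every other column is optional and falls back to the
    placeholder shown in the extension dict below. ``Src Port``/``Dst Port``
    are coerced with ``int()``; an absent or blank port becomes 0.

    Args:
        record: mapping of SMC column names to values.

    Returns:
        str: the CEF record from ``CEFEvent.build_cef()``.
    """
    c = CEFEvent()
    # Placeholder header name; the computed name is set a few calls below.
    c.set_field('name', 'Event Name')
    c.set_field('deviceVendor', 'Forcepoint')
    c.set_field('deviceProduct', 'NGFW')
    c.set_field('deviceVersion', '6.60')
    c.set_field('name', create_event_name(record))
    c.set_field('severity', normalize_severity_ngfw(record))
    c.set_field('signatureId', record['Event ID'])
    # NOTE(review): assigning ``extensions`` directly bypasses whatever
    # validation/escaping ``set_field`` performs, so record values containing
    # '=', '\\' or line breaks reach the extension block as-is unless
    # build_cef() escapes them — confirm against the cefevent version in use.
    c.extensions = {
        'applicationProtocol': record.get('Network Application', 'N/A'),
        'deviceCustomString1': record.get('Rule Tag', 'N/A'),
        'src': record['Src Addrs'],
        'destinationAddress': record.get('Dst Addrs', '0.0.0.0'),
        'sourcePort': _port_or_zero(record.get('Src Port', 0)),
        'destinationPort': _port_or_zero(record.get('Dst Port', 0)),
        'deviceAction': record.get('Action', 'Action'),
        'transportProtocol': record.get('IP Protocol', 'TProto'),
        'startTime': datetime_to_timestamp(record['Creation Time']),
        'deviceEventCategory': record.get('Situation Type', 'ECategory'),
    }
    return c.build_cef()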
def get_messages(self, wp_report: Dict[str, Any]) -> List[str]:
    """Return a list of CEF formatted messages.

    One message is produced per non-empty item of every ``wp_report`` key
    listed in ``self.EVENTS``; a scalar value (e.g. an error string) is
    treated as a one-item list. ``self.EVENTS[key]`` supplies, by index, the
    ``signatureId``, ``name`` and ``severity`` prefixes. ``message`` and
    ``sourceHostName`` (``wp_report["site"]``) are capped at 1022 characters.

    Args:
        wp_report: scan report keyed by the event names in ``self.EVENTS``,
            plus ``site``.

    Returns:
        List[str]: the built CEF records, in ``self.EVENTS`` iteration order.
    """
    from cefevent import CEFEvent

    messages: List[str] = []
    for event_key in self.EVENTS:
        event_spec = self.EVENTS[event_key]
        raw = wp_report[event_key]
        # A lone error string is wrapped so both shapes iterate alike.
        items = raw if isinstance(raw, list) else [raw]
        for msg_data in items:
            if not msg_data:
                continue
            log.debug(f"Message data: {msg_data}")
            event = CEFEvent()
            # Header: product identity, then the per-event-type triple.
            for prefix_name, prefix_value in (
                ("deviceVendor", self.DEVICE_VENDOR),
                ("deviceProduct", self.DEVICE_PRODUCT),
                ("deviceVersion", self.DEVICE_VERSION),
                ("signatureId", event_spec[0]),
                ("name", event_spec[1]),
                ("severity", event_spec[2]),
            ):
                event.set_prefix(prefix_name, prefix_value)
            # Extension values are truncated before they reach cefevent.
            event.set_field("message", msg_data[:1022])
            event.set_field("sourceHostName", wp_report["site"][:1022])
            cef_line = event.build_cef()
            log.debug(f"Message CEF: {cef_line}")
            messages.append(cef_line)
    return messages
def cef_format(self, obj):
    """Yield a ``CEFEvent`` for each breach record in *obj*.

    Each record is a mapping with the keys ``BreachDate``, ``AddedDate``,
    ``DataClasses`` (iterable of strings, joined with ``|``), ``Description``,
    ``Domain``, ``Email``, ``Name`` and ``PwnCount``; a missing key raises
    ``KeyError``. ``BreachDate``/``AddedDate`` are parsed with ``dateutil``
    and passed through ``self.get_epoch`` to become ``startTime``/``endTime``.

    Args:
        obj: iterable of breach records.

    Yields:
        CEFEvent: one populated event per record (not yet serialized).
    """
    for breach in obj:
        event = CEFEvent()
        fields = [
            ('startTime', self.get_epoch(dateutil.parser.parse(breach['BreachDate']))),
            ('endTime', self.get_epoch(dateutil.parser.parse(breach['AddedDate']))),
            ('deviceCustomString1', '|'.join(breach['DataClasses'])),
            ('deviceCustomString1Label', 'Categories'),
            ('message', breach['Description']),
            ('requestUrl', breach['Domain']),
            ('destinationUserName', breach['Email']),
            ('name', 'Account Breach at {}'.format(breach['Name'])),
            ('deviceVendor', 'HPE Brazil SecLab'),
            ('deviceProduct', 'LeakedAccounts'),
            ('deviceCustomNumber1', breach['PwnCount']),
            ('deviceCustomNumber1Label', 'Pwn Count'),
        ]
        # Field order matches the original call sequence; cefevent decides layout.
        for field_name, field_value in fields:
            event.set_field(field_name, field_value)
        yield event
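_CUSTOM_STRING_MAX = 1023


def _join_section(lines):
    """Join report lines with a blank line and cap the text at ``_CUSTOM_STRING_MAX`` chars."""
    return "\n\n".join(lines)[:_CUSTOM_STRING_MAX]


def get_cef_syslog_message(wp_report):
    """Build the CEF record summarizing one WPWatcher scan report.

    The ``severity`` header is derived from ``wp_report['status']``:
    ALERT → 9, WARNING → 7, ERROR → 5, anything else → 3. The ``alerts``,
    ``warnings``, ``infos`` and ``fixed`` lists are each joined with blank
    lines into a ``deviceCustomStringN`` extension and truncated to 1023
    characters; ``error`` is passed through unchanged.

    Args:
        wp_report: scan report with the keys ``status``, ``summary``
            (holding ``line``), ``site``, ``alerts``, ``warnings``,
            ``infos``, ``fixed`` and ``error``.

    Returns:
        str: the CEF record from ``CEFEvent.build_cef()``.
    """
    from cefevent import CEFEvent

    severity = {'ALERT': 9, 'WARNING': 7, 'ERROR': 5}.get(wp_report['status'], 3)

    c = CEFEvent()
    c.set_field('name', 'WPWatcher scan report')
    c.set_field('deviceVendor', 'Github')
    c.set_field('deviceProduct', 'WPWatcher')
    c.set_field('deviceVersion', VERSION)
    c.set_field('severity', severity)
    c.set_field('message', wp_report['summary']['line'])
    c.set_field("sourceHostName", wp_report['site'])
    # Every section goes through the same helper so that 'fixed' is
    # truncated by characters like the others (slicing the list itself,
    # as was done before, never shortened the text).
    # NOTE(review): the sections embed literal newlines; whether cefevent
    # escapes them in extension values is not visible here — confirm, as an
    # unescaped line break can split the record on line-framed syslog transports.
    sections = (
        ("deviceCustomString1", "alerts"),
        ("deviceCustomString2", "warnings"),
        ("deviceCustomString3", "infos"),
        ("deviceCustomString4", "fixed"),
    )
    for field_name, report_key in sections:
        c.set_field(field_name, _join_section(wp_report[report_key]))
        c.set_field(field_name + "Label", report_key)
    c.set_field("deviceCustomString5", wp_report['error'])
    c.set_field("deviceCustomString5Label", "error")
    return c.build_cef()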
def get_mock_message(index):
    """Return a synthetic CEF record for demos and tests.

    All fields are fixed sample values except ``message``, which embeds
    ``index`` so successive calls are distinguishable.

    Args:
        index: any value; rendered with ``str()`` inside the message text.

    Returns:
        str: the CEF record from ``CEFEvent.build_cef()``.
    """
    event = CEFEvent()
    fields = (
        ('name', 'Mock Event Name'),
        ('deviceVendor', 'MCPforLife'),
        ('deviceProduct', 'cefevent'),
        ('dvchost', 'www.mcpforlife.com'),
        # {!s} applies str(), matching plain concatenation of str(index).
        ('message', "This is a test event (Answer={!s})".format(index)),
        ('sourceAddress', '192.168.67.1'),
        ('sourcePort', 12345),
    )
    for field_name, field_value in fields:
        event.set_field(field_name, field_value)
    return event.build_cef()
def get_messages(self, wp_report):
    """Return a list of CEF formatted messages.

    One message is produced per non-empty item of every ``wp_report`` key
    listed in ``self.EVENTS``; a scalar value (e.g. an error string) is
    treated as a one-item list. ``self.EVENTS[key]`` supplies, by index, the
    ``signatureId``, ``name`` and ``severity`` prefixes; ``deviceVersion``
    comes from the module-level ``VERSION``. ``message`` and
    ``sourceHostName`` (``wp_report['site']``) are capped at 1022 characters.

    Args:
        wp_report: scan report keyed by the event names in ``self.EVENTS``,
            plus ``site``.

    Returns:
        list: the built CEF records, in ``self.EVENTS`` iteration order.
    """
    from cefevent import CEFEvent

    messages = []
    for event_key in self.EVENTS:
        event_spec = self.EVENTS[event_key]
        raw = wp_report[event_key]
        # A lone error string is wrapped so both shapes iterate alike.
        items = raw if isinstance(raw, list) else [raw]
        for msg_data in items:
            if not msg_data:
                continue
            log.debug("Message data: {}".format(msg_data))
            event = CEFEvent()
            # Header: product identity, then the per-event-type triple.
            for prefix_name, prefix_value in (
                ('deviceVendor', self.DEVICE_VENDOR),
                ('deviceProduct', self.DEVICE_PRODUCT),
                ('deviceVersion', VERSION),
                ('signatureId', event_spec[0]),
                ('name', event_spec[1]),
                ('severity', event_spec[2]),
            ):
                event.set_prefix(prefix_name, prefix_value)
            # Extension values are truncated before they reach cefevent.
            event.set_field('message', msg_data[:1022])
            event.set_field("sourceHostName", wp_report['site'][:1022])
            cef_line = event.build_cef()
            log.debug("Message CEF: {}".format(cef_line))
            messages.append(cef_line)
    return messages