def playbookWebhook(webhook_content):
    """Dispatch a Playbook (Redmine) webhook to the matching Play actions.

    Only ``updated`` events on the ``Play`` tracker are acted on; any other
    event is acknowledged without side effects. For an update, each journal
    detail is inspected in order:

    * prop_key ``'9'`` (Sigma field): refresh the Play metadata, run the unit
      test, then sync the detection artefacts according to the Play's current
      status (Active → enable ElastAlert + TheHive, Inactive → disable
      ElastAlert).
    * prop_key ``'status_id'``: value ``'3'`` (Active) enables, ``'4'``
      (Inactive) disables the detection artefacts.
    * prop_key ``'21'`` (Target Log): rerun the unit test; when ``old_value``
      is the empty string the log is only normalized.

    ElastAlert/TheHive are touched at most once per webhook, however many
    details would trigger it.

    Args:
        webhook_content: decoded webhook body. ``payload`` must carry
            ``action`` and an ``issue`` with ``tracker.name``, ``id`` and
            ``status.name``; these are read up front, so a missing key raises
            KeyError before any action runs. NOTE(review): this is remote
            input used as-is — nothing in this function checks who sent it.

    Returns:
        The literal string ``"success"``.
    """
    payload = webhook_content['payload']
    action = payload['action']
    tracker = payload['issue']['tracker']['name']
    issue_id = payload['issue']['id']
    status = payload['issue']['status']['name']

    if not (action == 'updated' and tracker == 'Play'):
        return "success"

    def _activate():
        # Enable the detection artefacts for this Play.
        playbook.elastalert_update(issue_id)
        playbook.thehive_casetemplate_update(issue_id)

    def _deactivate():
        # Disable the ElastAlert rule for this Play.
        playbook.elastalert_disable(issue_id)

    # Once the detection artefacts have been synced, later details must not
    # redo it (each of these calls is comparatively expensive).
    detection_updated = False

    for detail in payload['journal']['details']:
        key = detail['prop_key']
        if key == '9':
            # Sigma rule changed: metadata first, then retest, then sync
            # the artefacts to whatever status the Play currently has.
            playbook.play_update(issue_id)
            playbook.play_unit_test(issue_id, "Sigma Updated")
            if not detection_updated:
                if status == "Active":
                    detection_updated = True
                    _activate()
                elif status == "Inactive":
                    detection_updated = True
                    _deactivate()
        elif key == 'status_id':
            if detection_updated:
                continue
            if detail['value'] == '3':
                detection_updated = True
                _activate()
            elif detail['value'] == '4':
                detection_updated = True
                _deactivate()
        elif key == '21':
            # Target Log changed. An empty old_value means it was just set
            # for the first time: only normalize the log. Otherwise
            # normalize (if needed) and run the full unit test.
            if detail['old_value'] == "":
                playbook.play_unit_test(issue_id, "Target Log Updated", True)
            else:
                playbook.play_unit_test(issue_id, "Target Log Updated")

    return "success"
def playbookWebhook(webhook_content):
    """Dispatch a Playbook (Redmine) webhook to the matching Play actions.

    Two event shapes are handled; anything else is acknowledged and ignored:

    * ``opened`` on the ``Sigma Import`` tracker: create a Play from the
      imported rule.
    * ``updated`` on the ``Play`` tracker: walk the journal details. A change
      to custom field ``'21'`` (the Sigma field, per the original comment)
      refreshes the Play metadata and then syncs the detection artefacts to
      the Play's current status; a ``status_id`` change to ``'3'`` (Active)
      or ``'4'`` (Inactive) syncs them directly. The sync (ElastAlert,
      ATT&CK Navigator, TheHive case template) runs at most once per webhook.

    Args:
        webhook_content: decoded webhook body. ``payload`` must carry
            ``action`` and an ``issue`` with ``tracker.name``, ``id`` and
            ``status.name``; these are read up front, so a missing key raises
            KeyError before any action runs. NOTE(review): this is remote
            input used as-is — nothing in this function checks who sent it.

    Returns:
        The literal string ``"success"``.
    """
    payload = webhook_content['payload']
    action = payload['action']
    tracker = payload['issue']['tracker']['name']
    issue_id = payload['issue']['id']
    status = payload['issue']['status']['name']

    if action == 'opened' and tracker == 'Sigma Import':
        # New Sigma import ticket: materialize it as a Play.
        playbook.play_create(str(issue_id))
        return "success"
    if action != 'updated' or tracker != 'Play':
        return "success"

    def _sync(active):
        # Push the Play's detection state out to the downstream tools.
        if active:
            playbook.elastalert_update(issue_id)
            playbook.navigator_update()
            playbook.thehive_casetemplate_update(issue_id)
        else:
            playbook.elastalert_disable(issue_id)
            playbook.navigator_update()

    # Several details in one webhook may each ask for a sync; do it once.
    synced = False

    for detail in payload['journal']['details']:
        key = detail['prop_key']
        if key == '21':
            playbook.play_update(issue_id)
            if synced:
                continue
            if status == "Active":
                synced = True
                _sync(True)
            elif status == "Inactive":
                synced = True
                _sync(False)
        elif key == 'status_id' and not synced:
            value = detail['value']
            if value in ('3', '4'):
                synced = True
                _sync(value == '3')

    return "success"
# Bulk refresh: pull every Play (tracker_id=1) from the Playbook API, 100 per
# page, then run playbook.play_update on each one.
all_plays = []
offset = 0
playbook_headers = {
    'X-Redmine-API-Key': parser.get("playbook", "playbook_key"),
    'Content-Type': 'application/json',
}
playbook_url = parser.get("playbook", "playbook_url")

print(f"\n-= Started: {datetime.now()}-=\n")

# NOTE(review): verify=False turns off TLS certificate validation on every
# request below, so the API key carried in playbook_headers is sent to
# whichever host answers for playbook_url. Where the Playbook instance has a
# certificate, pass its CA bundle instead (verify="<path-to-ca-bundle>").
url = f"{playbook_url}/issues.json?offset=0&tracker_id=1&limit=100"
response = requests.get(url, headers=playbook_headers, verify=False).json()
all_plays.extend(response['issues'])

# Page forward until the offset passes the server-reported total_count.
while offset < response['total_count']:
    offset += 100
    url = f"{playbook_url}/issues.json?offset={offset}&tracker_id=1&limit=100"
    response = requests.get(url, headers=playbook_headers, verify=False).json()
    print(f"Active offset: {offset}")
    all_plays.extend(response['issues'])

print(f"\n-= Parsed Playbook Plays: {len(all_plays)} -=\n")

# Refresh the metadata of each collected Play, logging its id as we go.
for play in all_plays:
    playbook.play_update(play['id'])
    print(f"\nIssue-ID - {play['id']}\n")