def playbookWebhook(webhook_content):
"""
Process incoming playbook webhook.
"""
action = webhook_content['payload']['action']
issue_tracker_name = webhook_content['payload']['issue']['tracker']['name']
issue_id = webhook_content['payload']['issue']['id']
issue_status_name = webhook_content['payload']['issue']['status']['name']
if action == 'updated' and issue_tracker_name == 'Play':
journal_details = webhook_content['payload']['journal']['details']
detection_updated = False
for item in journal_details:
# Check to see if the Sigma field has changed
if item['prop_key'] == '9':
# Sigma field updated (Sigma field ID is 9) --> Call function - Update Play metadata
playbook.play_update(issue_id)
# Run Play Unit Test (If Target Log exists)
playbook.play_unit_test(issue_id, "Sigma Updated")
# Create/Update ElastAlert config
if issue_status_name == "Active" and not detection_updated:
detection_updated = True
playbook.elastalert_update(issue_id)
playbook.thehive_casetemplate_update(issue_id)
elif issue_status_name == "Inactive" and not detection_updated:
detection_updated = True
playbook.elastalert_disable(issue_id)
# Check to see if the Play status has changed to Active or Inactive
elif item['prop_key'] == 'status_id' and not detection_updated:
if item['value'] == '3':
# Status = Active --> Enable EA & TheHive
detection_updated = True
playbook.elastalert_update(issue_id)
playbook.thehive_casetemplate_update(issue_id)
elif item['value'] == '4':
# Status = Inactive --> Disable EA
detection_updated = True
playbook.elastalert_disable(issue_id)
# Check to see if the Play Target Log (Field ID 21) has been updated - if so, run a Unit Test
elif item['prop_key'] == '21' and item['old_value'] == "":
# First time Target Log has been updated - Normalize log only
playbook.play_unit_test(issue_id, "Target Log Updated", True)
elif item['prop_key'] == '21' and item['old_value'] != "":
# Normalize log (if needed) & run Play unit test
playbook.play_unit_test(issue_id, "Target Log Updated")
return "success"
def playbookWebhook(webhook_content):
"""
Process incoming playbook webhook.
"""
action = webhook_content['payload']['action']
issue_tracker_name = webhook_content['payload']['issue']['tracker']['name']
issue_id = webhook_content['payload']['issue']['id']
issue_status_name = webhook_content['payload']['issue']['status']['name']
if action == 'opened' and issue_tracker_name == 'Sigma Import':
playbook.play_create(str(issue_id))
elif action == 'updated' and issue_tracker_name == 'Play':
journal_details = webhook_content['payload']['journal']['details']
detection_updated = False
for item in journal_details:
# Check to see if the Sigma field has changed
if item['prop_key'] == '21':
# Sigma field updated --> Call function - Update Play metadata
playbook.play_update(issue_id)
# Create/Update ElastAlert config
if issue_status_name == "Active" and not detection_updated:
detection_updated = True
playbook.elastalert_update(issue_id)
playbook.navigator_update()
playbook.thehive_casetemplate_update(issue_id)
elif issue_status_name == "Inactive" and not detection_updated:
detection_updated = True
playbook.elastalert_disable(issue_id)
playbook.navigator_update()
# Check to see if the Play status has changed to Active or Inactive
elif item['prop_key'] == 'status_id' and not detection_updated:
if item['value'] == '3':
# Status = Active --> Enable EA & TheHive
detection_updated = True
playbook.elastalert_update(issue_id)
playbook.navigator_update()
playbook.thehive_casetemplate_update(issue_id)
elif item['value'] == '4':
# Status = Inactive --> Disable EA
detection_updated = True
playbook.elastalert_disable(issue_id)
playbook.navigator_update()
return "success"
print(f"\n\n{play_id} -- {play_hiveid}")
play_file = f"/etc/playbook-rules/{play_id}.yaml"
if os.path.exists(play_file):
print('All Good - Elastalert Config Exists')
else:
print('Warning - Elastalert Config Doesnt Exist')
active_elastalert_counter += 1
playbook.elastalert_update(play['id'])
time.sleep(.5)
if (play_hiveid == "") or (play_id is None):
print('Warning - HiveID doesnt exist')
active_hive_counter += 1
playbook.thehive_casetemplate_update(play['id'])
else:
print('All Good - HiveID Exists')
# Get inactive plays from Playbook - id = 4
url = f"{playbook_url}/issues.json?offset=0&tracker_id=1&limit=100&status_id=4"
inactive_response = requests.get(url, headers=playbook_headers,
verify=False).json()
for i in inactive_response['issues']:
inactive_plays.append(i)
while offset < inactive_response['total_count']:
offset += 100
url = f"{playbook_url}/issues.json?offset={offset}&tracker_id=1&limit=100&status_id=3"
inactive_response = requests.get(url,