 def add_filters_to_jinja(self):
     """Expose the DLP helper callables to Jinja templates.

     Despite the local name in the original, the helpers are installed as
     template *globals* (callable form, ``{{ regex_escape(x) }}``), not as
     filters. ``regex_escape`` is the escaping helper to use whenever a
     template-supplied value is embedded in a regular expression.

     NOTE(review): assumes ``template_functions.environment()`` returns the
     shared module-wide ``jinja2.Environment`` so the registration is
     process-wide — confirm.
     """
     env = template_functions.environment()
     env.globals["regex_escape"] = DLPListener.regex_escape
     env.globals["dt_to_milli_epoch"] = DLPListener.dt_to_milli_epoch
 def __init__(self):
     """Register the Resilient template helpers on the shared Jinja environment.

     Each helper is installed twice under the same name: as a global
     (``{{ resilient_substitute(x) }}``) and as a filter
     (``{{ x | resilient_substitute }}``).

     NOTE(review): assumes ``environment()`` returns the module-level
     environment, so this mutates process-wide template state — confirm.
     """
     helpers = {
         "resilient_datetimeformat": jinja_resilient_datetimeformat,
         "resilient_substitute": jinja_resilient_substitute,
     }
     env = environment()
     # Same mapping goes into both registries so callable and pipe syntax agree.
     for registry in (env.globals, env.filters):
         registry.update(helpers)
def add_methods_to_global():
    """Install the helper callables as globals on the shared Jinja environment.

    The helpers become callable from templates by name (e.g.
    ``{{ ds_to_millis(ts) }}``). ``custom_regex_escape`` maps to
    ``regex_escape`` and is the helper to apply before a template value is
    used inside a regular expression.

    NOTE(review): assumes ``environment()`` returns the process-wide
    environment — confirm.
    """
    registrations = (
        ("ds_to_millis", ds_to_millis),
        ("is_valid_ipv4_addr", is_valid_ipv4_addr),
        ("is_valid_ipv6_addr", is_valid_ipv6_addr),
        ("custom_regex_escape", regex_escape),
        ("is_list", is_list),
        ("represents_int", represents_int),
    )
    template_globals = environment().globals
    for name, func in registrations:
        template_globals[name] = func
    def main(self):
        """Start the ESM polling thread when ``esm_polling_interval`` is positive.

        The interval is read from ``self.options``; a non-numeric value makes
        ``int()`` raise ``ValueError`` (no validation is done here). The
        poller runs as a daemon thread so it cannot keep the process alive on
        shutdown.
        """
        interval = int(self.options.get("esm_polling_interval", 0))
        if interval <= 0:
            log.info("Polling for cases in ESM is not occurring")
            return

        # Make ds_to_millis available to Jinja templates before any poll fires.
        environment().globals.update({"ds_to_millis": ds_to_millis})

        poller = Thread(target=self.esm_polling_thread)
        poller.daemon = True
        poller.start()
        log.info("Polling for cases in ESM is occurring")
    def polling_main(self):
        """Start the Microsoft Security Graph polling thread if configured.

        The thread (``self.msg_polling_thread``) queries alerts and creates
        Resilient incidents for those not already present. It only starts
        when ``msg_polling_interval`` in ``self.options`` is greater than 0;
        a non-numeric value makes ``int()`` raise ``ValueError``. The thread
        is a daemon so it cannot block interpreter exit.
        """
        interval = int(self.options.get("msg_polling_interval", 0))
        if interval <= 0:
            log.info("Polling for alerts in Microsoft Security Graph is not occurring.")
            return

        # Expose ds_to_millis to the Jinja templates used when building incidents.
        environment().globals.update({"ds_to_millis": ds_to_millis})

        poller = Thread(target=self.msg_polling_thread)
        poller.daemon = True
        poller.start()
        log.info("Polling for alerts in Microsoft Security Graph is occurring.")
    def __init__(self, opts):
        """Load configuration and, when enabled, schedule the first poll.

        ``timestamp_to_millis`` is registered with Jinja both as a global and
        as a filter. If ``escalation_interval`` is set (presumably populated
        by ``_load_options`` — confirm), a one-shot ``Timer`` fires ``Poll``
        after at most 5 seconds; re-scheduling after that is not done here.
        """
        super(Bit9PollComponent, self).__init__(opts)
        self.log = logging.getLogger(__name__)
        self._load_options(opts)

        jinja_env = environment()
        for registry in (jinja_env.globals, jinja_env.filters):
            registry["timestamp_to_millis"] = timestamp_to_millis

        if not self.escalation_interval:
            return

        # First poll is capped at 5 s so startup feedback is quick.
        first_delay = min(self.escalation_interval, 5)
        self.log.info(
            u"CbProtect escalation initialized, polling interval %s seconds",
            self.escalation_interval)
        Timer(first_delay, Poll(), persist=False).register(self)
    def test_build_incident_dto(self):
        """``build_incident_dto`` maps a Graph alert to the expected incident JSON.

        Registers ``ds_to_millis`` on the Jinja environment first, since the
        template that produces ``discovered_date`` depends on it. The alert
        payload is a constructed sample (anonymised UPN, sample identifiers).
        """
        environment().globals.update({"ds_to_millis": ds_to_millis})

        vendor = {"providerVersion": "3.0", "provider": "IPC", "vendor": "Microsoft"}
        user_state = {
            "logonIp": "51.15.43.205",
            "logonLocation": "Santpoort-Zuid, Noord-Holland, NL",
            "accountName": "brian_admin",
            "emailRole": "unknown",
            "riskScore": "0",
            "userPrincipalName": "*****@*****.**",
        }
        alert_data = {
            "eventDateTime": "2018-11-01T19:48:16.3432936Z",
            "lastModifiedDateTime": "2018-11-01T19:51:19.0619566Z",
            "malwareStates": [],
            "networkConnections": [],
            "fileStates": [],
            "registryKeyStates": [],
            "description": "Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs)",
            "createdDateTime": "2018-11-01T19:48:16.3432936Z",
            "title": "Anonymous IP address",
            "assignedTo": "",
            "cloudAppStates": [],
            "recommendedActions": [],
            "id": "ea1921b334a655056acfa2b7f4f5d5679dc0976a29e55882edf8e58f9e390c55",
            "riskScore": "",
            "severity": "medium",
            "processes": [],
            "comments": [],
            "hostStates": [],
            "confidence": 0,
            "vendorInformation": vendor,
            "azureTenantId": "07218a5e-c310-4a41-8eaf-f6b542f1ef5c",
            "triggers": [],
            "tags": [],
            "azureSubscriptionId": "",
            "vulnerabilityStates": [],
            "userStates": [user_state],
            "detectionIds": [],
            "category": "AnonymousLogin",
            "sourceMaterials": [],
            "status": "newAlert",
        }

        expected = {
            "description": {
                "format": "html",
                "content": "Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs)",
            },
            # 2018-11-01T19:48:16Z as epoch milliseconds
            "discovered_date": 1541101696000,
            "name": "Microsoft Security Graph Alert: 2018-11-01T19:48:16.3432936Z",
            "properties": {
                "microsoft_security_graph_alert_id": "ea1921b334a655056acfa2b7f4f5d5679dc0976a29e55882edf8e58f9e390c55",
            },
        }

        actual = json.loads(build_incident_dto(alert_data))
        assert actual == expected
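    def __init__(self, opts):
        """Load configuration and, when a polling interval is set, schedule the first poll.

        Args:
            opts: application configuration passed through to the base
                component and to ``_load_options``.

        If ``polling_interval`` is unset the component stays registered but
        no ``Timer`` is started, so automated escalation is disabled.
        ``readable_datetime`` is registered with Jinja both as a global and as
        a filter. When ``close_codes`` is configured, ``_init_close_codes``
        populates the select-input list; its return value is not used here.
        """
        super(SecureworksCTPPollComponent, self).__init__(opts)

        self._load_options(opts)

        if not self.polling_interval:
            LOG.info(
                u"Secureworks CTP escalation interval is not configured.  Automated escalation is disabled."
            )
            return

        # Expose readable_datetime to templates in both callable and pipe form.
        env = environment()
        env.globals.update({"readable_datetime": readable_datetime})
        env.filters.update({"readable_datetime": readable_datetime})

        # Push the configured close codes into the select input list.
        # The result was bound to an unused local before; it is discarded here.
        if self.close_codes:
            self._init_close_codes(self.close_codes)

        LOG.info(u"Secureworks CTP escalation initiated, polling interval %s",
                 self.polling_interval)
        # One-shot timer; subsequent polls are not re-armed from this method.
        Timer(self.polling_interval, Poll(), persist=False).register(self)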
def add_methods_to_global():
    """Make ``ds_to_millis`` callable from Jinja templates as a global.

    NOTE(review): assumes ``environment()`` returns the shared module-level
    environment, so the registration applies process-wide — confirm.
    """
    environment().globals["ds_to_millis"] = ds_to_millis