def rapid7IDRAlerts2Alerts(alert_data, org_name): logger = logging.getLogger('workflows.' + __name__) logger.info('%s.rapid7IDRAlerts2Alert starts', __name__) result = {} result['success'] = bool() conf = getConf() theHiveConnector = TheHiveConnector(conf) logger.info("Building custom fields ...") customFields = CustomFieldHelper()\ .add_string('client', org_name)\ .build() tags = [] now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M") alert_date = dateutil_parser.parse(alert_data.get('timestamp', now)) for user in alert_data.get('actors', {}).get('users', []): tags.append(user.get('name', "")) for asset in alert_data.get('actors', {}).get('assets', []): tags.append(asset.get('shortname', "")) logger.info("Building description ...") description = descriptionCrafter(alert_data, org_name) logger.info("Building alert ...") alert = theHiveConnector.craftAlert( title=alert_data.get( 'title', alert_data.get('name', "New alert from Rapid7 Insight IDR")), description=description, severity=2, #is there a way to determine efficiently this thing ? date=int(alert_date.timestamp()) * 1000, tags=tags, tlp=2, status="New", type="SIEM", source="Rapid7 Insight IDR", sourceRef=alert_data.get('investigationId', str(uuid.uuid4())), artifacts=artifactsCrafter(alert_data), caseTemplate="Insight IDR Case", customFields=customFields) logger.info("Sending alert to TheHive ...") try: ret = theHiveConnector.createAlert(alert) logger.info("Alert {} created in TheHive".format(str(ret['id']))) result['success'] = True except ValueError: logger.warning("Alert creation failed, trying to update ...") try: ret = theHiveConnector.updateAlert(alert.sourceRef, alert) logger.info("Alert {} updated in TheHive".format(str(ret['id']))) result['success'] = True except Exception as error: logger.error("Alert update failed ! {}".format(error)) result['success'] = False return result
def createQradarAlert(): logger = logging.getLogger(__name__) logger.info('%s.createQradarAlert starts', __name__) report = dict() report['success'] = bool() try: cfg = getConf() qradarConnector = QRadarConnector(cfg) theHiveConnector = TheHiveConnector(cfg) #Retrieve QRadar offenses with "OPEN" status response = qradarConnector.getOffenses() for offense in response: #Check if offense is already imported in TheHive theHive_alert = theHiveConnector.getAlerts({ 'sourceRef': 'QR' + str(offense['id']) }).json() if theHive_alert == []: print('QR' + str(offense['id']) + ' not imported') #Import opened offense in TheHive ##Create a list of AlertArtifact objects artifact_fields = { 'source_network': ('domain', 'STRING'), 'destination_networks': ('domain', 'STRING_LIST'), 'offense_source': ('ip', 'STRING') } artifacts_dict = defaultdict(list) for field in artifact_fields: if artifact_fields[field][1] == 'STRING_LIST': for elmt in offense[field]: artifacts_dict[artifact_fields[field][0]].append( elmt) elif artifact_fields[field][1] == 'STRING': artifacts_dict[artifact_fields[field][0]].append( offense[field]) artifacts_list = theHiveConnector.craftAlertArtifact( artifacts_dict) print(artifacts_dict) print(artifacts_list) ##Prepare other fields for an alert title = "#" + str( offense['id']) + " QRadar - " + offense['description'] description = ' / '.join(offense['categories']) if offense['severity'] < 3: severity = 1 elif offense['severity'] > 6: severity = 3 else: severity = 2 date = offense['start_time'] tags = [ 'Synapse', 'src:QRadar', 'QRadarID:' + str(offense['id']) ] sourceRef = 'QR' + str(offense['id']) ##Create Alert object and send it to TheHive alert = theHiveConnector.craftAlert(title, description, severity, date, tags, sourceRef, artifacts_list) theHiveConnector.createAlert(alert) else: print('QR' + str(offense['id']) + ' already imported') report['success'] = True return report except Exception as e: logger.error('Failed to create alert from QRadar offense', exc_info=True) report['success'] = False return report
def phishingAlert(): report = dict() report['success'] = bool() tempAttachment = None cfg = getConf() ewsConnector = EwsConnector(cfg) folder_name = cfg.get('EWS', 'folder_name') unread = ewsConnector.scan(folder_name) theHiveConnector = TheHiveConnector(cfg) for email in unread: conversationId = email.conversation_id.id alertTitle = str(email.subject) alertDescription = ('```\n' + 'Alert created by Synapse\n' + 'conversation_id: "' + str(email.conversation_id.id) + '"\n' + '```') alertArtifacts = [] alertTags = ['CAT 7'] for msg in email.attachments: try: #print(type(msg)) q = dict() q['sourceRef'] = str(conversationId) esAlertId = theHiveConnector.findAlert(q) tempAttachment = TempAttachment(msg) if not tempAttachment.isInline: #print('here') tmpFilepath = tempAttachment.writeFile() with open(tmpFilepath, 'rb') as fhdl: raw_email = fhdl.read() parsed_eml = eml_parser.eml_parser.decode_email_b( raw_email) #print(parsed_eml['header']['header']['to']) #print(json.dumps(parsed_eml, default=json_serial, indent=4, sort_keys=True)) alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='file', message="Phishing Email", data=tmpFilepath, tags=['Synapse'])) alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='other', message="Message Id", data=parsed_eml['header']['header']['message-id'] [0], tags=['Synapse'])) for i in parsed_eml['header']['received_ip']: alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='ip', message="Source IP", data=i, tags=['Synapse'])) alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='mail_subject', message="Phishing Email Subject", data=parsed_eml['header']['subject'], tags=['Synapse'])) for i in parsed_eml['header']['to']: alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='mail', message="Recipients", data=i, tags=['Synapse'])) for i in parsed_eml['header']['header']['return-path']: alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='mail', message="Return Path", data=i, tags=['Synapse'])) if 'x-originating-ip' in parsed_eml['header']['header']: alertArtifacts.append( theHiveConnector.craftAlertArtifact( dataType='mail', message="Origin IP", data=parsed_eml['header']['header'] ['x-originating-ip'], tags=['Synapse'])) alert = theHiveConnector.craftAlert( alertTitle, alertDescription, severity=2, tlp=2, status="New", date=(int(time.time() * 1000)), tags=alertTags, type="Phishing", source="Phishing Mailbox", sourceRef=email.conversation_id.id, artifacts=alertArtifacts, caseTemplate="Category 7 - Phishing") theHiveEsAlertId = theHiveConnector.createAlert( alert)['id'] except Exception as e: #msg_obj = msg_parser.msg_parser.Message(msg) #print(msg_obj.get_message_as_json()) #msg_properties_dict = msg_obj.get_properties() print('Failed to create alert from attachment') readMsg = ewsConnector.markAsRead(email)
def allNotifs2Alert(): logger = logging.getLogger('workflows.' + __name__) logger.info('%s.allNotifs2Alert starts', __name__) result = dict() result['success'] = bool() result['message'] = str() try: carbonBlack = CBConnector() # DEBUG PURPOSES ONLY ! #logger.info(str(allNotifications)) conf = getConf() theHiveConnector = TheHiveConnector(conf) with open(os.path.join(current_dir, "..", "conf", "carbonblack.json")) as fd: organizations = json.load(fd)['orgs'] for org in organizations: notifications = carbonBlack.getAllNotifications( org['notifications_profile'], org['alerts_profile']) for notification in notifications: #TODO: maybe we should set ALL the variables containing relevant info here to avoid .get() everywhere, btw is .get() actually usefull ? #TODO: maybe cut a lot of this variable process in a few (or a lot of) functions, juste like "descriptionCrafter" and "artifactCrafter" # This and the next try...catch is to avoid backslashes '\' in a tag, as it is breaking TheHive sorting mechanism orgName = org['name'] orgTagName = org['tag-name'] orgShortName = org['short-name'] orgId = org['orgId'] client = org['jira-project'] deviceName = str(notification['deviceInfo']['deviceName']) summary = str(notification['threatInfo']['summary']) severity = int(SEVERITIES[int( notification['threatInfo']['score'])]) date_created = int(notification['eventTime']) source_ref = "{}-{}".format( orgShortName, str(notification['threatInfo']['incidentId'])) sensor_id = str(notification['deviceInfo']['deviceId']) offense_id = str(notification['threatInfo']['incidentId']) tags = [] customFields = CustomFieldHelper()\ .add_string('client', client)\ .add_string('sensorID', sensor_id)\ .add_string('hostname', deviceName)\ .build() artifacts = artifactCrafter(notification, theHiveConnector, tags) artifacts.append( AlertArtifact(dataType='carbon_black_alert_id', data=offense_id, message="ID of alert in Carbon Black", tags=[offense_id], ignoreSimilarity=True)) alert = theHiveConnector.craftAlert( title=summary, description=descriptionCrafter(notification, orgName, orgId), severity=severity, date=date_created, tags=tags, tlp=2, status="New", type='EDR', source='Carbon Black', sourceRef=source_ref, artifacts=artifacts, caseTemplate='Carbon Black Case', customFields=customFields) try: ret = theHiveConnector.createAlert(alert) logger.info('Alert {} created in TheHive'.format( str(ret['id']))) except ValueError: logger.warning('Failed to create alert trying to update') try: ret = theHiveConnector.updateAlert( alert.sourceRef, alert) logger.info('Alert {} updated in TheHive'.format( str(ret['id']))) except ValueError as error: logger.error( "Failed to create alert ! {}".format(error)) result['success'] = True except Exception as error: result['success'] = False result['message'] = str(error) return result