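def _craftPhishingArtifacts(theHiveConnector, parsed_eml, tmpFilepath):
    """Build the TheHive artifacts describing one parsed phishing email.

    Args:
        theHiveConnector: connector whose ``craftAlertArtifact()`` builds
            each artifact.
        parsed_eml: dict returned by ``eml_parser.decode_email_b()`` for the
            attachment written to ``tmpFilepath``.
        tmpFilepath: path of the attachment on disk; attached as a ``file``
            artifact.

    Returns:
        list of artifacts, in this order: the file, the first ``message-id``,
        one ``ip`` per ``received_ip`` entry, the subject, one ``mail`` per
        recipient, one ``mail`` per ``return-path`` entry and, only when the
        header is present, ``x-originating-ip``.

    Raises:
        KeyError: when ``message-id``, ``received_ip``, ``subject``, ``to`` or
            ``return-path`` is missing from the parsed headers.
    """
    craft = theHiveConnector.craftAlertArtifact
    header = parsed_eml['header']
    raw_header = header['header']

    artifacts = [
        craft(dataType='file', message="Phishing Email", data=tmpFilepath,
              tags=['Synapse']),
        craft(dataType='other', message="Message Id",
              data=raw_header['message-id'][0], tags=['Synapse']),
    ]
    artifacts.extend(
        craft(dataType='ip', message="Source IP", data=i, tags=['Synapse'])
        for i in header['received_ip'])
    artifacts.append(
        craft(dataType='mail_subject', message="Phishing Email Subject",
              data=header['subject'], tags=['Synapse']))
    artifacts.extend(
        craft(dataType='mail', message="Recipients", data=i, tags=['Synapse'])
        for i in header['to'])
    artifacts.extend(
        craft(dataType='mail', message="Return Path", data=i, tags=['Synapse'])
        for i in raw_header['return-path'])
    if 'x-originating-ip' in raw_header:
        # NOTE(review): the origin IP is filed with dataType 'mail' while the
        # received IPs above use 'ip'; confirm which type TheHive should get.
        artifacts.append(
            craft(dataType='mail', message="Origin IP",
                  data=raw_header['x-originating-ip'], tags=['Synapse']))
    return artifacts


def phishingAlert():
    """Create TheHive alerts from the unread messages of the phishing mailbox.

    Scans the EWS folder named by ``[EWS] folder_name`` in the Synapse
    configuration. For each unread message, every non-inline attachment is
    written to disk, parsed as an .eml and turned into one alert (severity 2,
    TLP 2, status "New", type "Phishing", source "Phishing Mailbox", case
    template "Category 7 - Phishing", tag ``CAT 7``) whose artifacts come from
    :func:`_craftPhishingArtifacts`. The message is marked as read once all of
    its attachments were handled, whether or not alert creation succeeded, so
    a failing attachment is not retried on the next run.

    Returns:
        dict: ``{'success': bool}`` — True only when no attachment raised
        during alert creation. Errors are logged with their traceback and do
        not propagate.
    """
    import logging
    logger = logging.getLogger(__name__)
    logger.info('%s.phishingAlert starts', __name__)

    report = {'success': False}
    failures = 0

    cfg = getConf()
    ewsConnector = EwsConnector(cfg)
    theHiveConnector = TheHiveConnector(cfg)
    folder_name = cfg.get('EWS', 'folder_name')
    unread = ewsConnector.scan(folder_name)

    for email in unread:
        conversationId = email.conversation_id.id
        alertTitle = str(email.subject)
        alertDescription = ('```\n'
                            'Alert created by Synapse\n'
                            'conversation_id: "' + str(conversationId) + '"\n'
                            '```')
        alertTags = ['CAT 7']
        # NOTE(review): artifacts accumulate across the attachments of one
        # message, so the alert built for a later attachment also carries the
        # observables of the earlier ones; confirm whether one alert per
        # attachment or one alert per message is intended.
        alertArtifacts = []

        for msg in email.attachments:
            try:
                # NOTE(review): the lookup result is never consulted, so a
                # message processed twice yields duplicate alerts; confirm
                # what findAlert() returns before using it to skip known
                # conversations.
                existingAlert = theHiveConnector.findAlert(
                    {'sourceRef': str(conversationId)})
                tempAttachment = TempAttachment(msg)
                if tempAttachment.isInline:
                    continue
                # The attachment comes from a reported phishing mail: here it
                # is only written to a temporary file, read back as bytes for
                # header parsing and handed to TheHive as a 'file' observable.
                tmpFilepath = tempAttachment.writeFile()
                with open(tmpFilepath, 'rb') as fhdl:
                    parsed_eml = eml_parser.eml_parser.decode_email_b(
                        fhdl.read())
                # NOTE(review): tmpFilepath is not removed in this function;
                # confirm whether TempAttachment cleans it up.
                alertArtifacts.extend(
                    _craftPhishingArtifacts(theHiveConnector, parsed_eml,
                                            tmpFilepath))
                alert = theHiveConnector.craftAlert(
                    alertTitle,
                    alertDescription,
                    severity=2,
                    tlp=2,
                    status="New",
                    date=int(time.time() * 1000),
                    tags=alertTags,
                    type="Phishing",
                    source="Phishing Mailbox",
                    sourceRef=conversationId,
                    artifacts=alertArtifacts,
                    caseTemplate="Category 7 - Phishing")
                theHiveEsAlertId = theHiveConnector.createAlert(alert)['id']
                logger.info('alert %s created for conversation %s',
                            theHiveEsAlertId, conversationId)
            except Exception:
                # One bad attachment must not stop the mailbox run; the
                # failure is recorded in the report instead of being lost.
                failures += 1
                logger.error('Failed to create alert from attachment',
                             exc_info=True)

        ewsConnector.markAsRead(email)

    report['success'] = failures == 0
    return report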
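def _qradarSeverity(qradar_severity):
    """Map a QRadar offense severity onto TheHive's 1/2/3 scale.

    Values below 3 become 1 (low), values above 6 become 3 (high) and
    everything in between becomes 2 (medium).
    """
    if qradar_severity < 3:
        return 1
    if qradar_severity > 6:
        return 3
    return 2


def _qradarOffenseArtifacts(offense):
    """Collect observable values of a QRadar offense, keyed by TheHive dataType.

    ``source_network`` and every entry of ``destination_networks`` are
    gathered as ``domain`` values, ``offense_source`` as an ``ip`` value. A
    dataType key only exists once at least one value was appended to it.

    Args:
        offense: one offense dict as returned by
            ``QRadarConnector.getOffenses()``.

    Returns:
        defaultdict(list) mapping dataType -> list of values.

    Raises:
        KeyError: when one of the three offense fields is missing.
    """
    # field name -> (TheHive dataType, whether the field holds one value or a list)
    artifact_fields = {
        'source_network': ('domain', 'STRING'),
        'destination_networks': ('domain', 'STRING_LIST'),
        'offense_source': ('ip', 'STRING'),
    }
    artifacts_dict = defaultdict(list)
    for field, (dataType, kind) in artifact_fields.items():
        if kind == 'STRING_LIST':
            for elmt in offense[field]:
                artifacts_dict[dataType].append(elmt)
        elif kind == 'STRING':
            artifacts_dict[dataType].append(offense[field])
    return artifacts_dict


def createQradarAlert():
    """Import QRadar offenses that TheHive does not yet know as alerts.

    For every offense returned by ``QRadarConnector.getOffenses()``, looks up
    an alert with sourceRef ``'QR<offense id>'``; when the lookup returns an
    empty list, builds artifacts from the offense's network fields (see
    :func:`_qradarOffenseArtifacts`), maps the QRadar severity onto TheHive's
    scale (see :func:`_qradarSeverity`) and creates the alert tagged
    ``Synapse``, ``src:QRadar`` and ``QRadarID:<id>``.

    Returns:
        dict: ``{'success': bool}``; False when any exception was raised
        while fetching or importing offenses. The error is logged with its
        traceback and does not propagate.
    """
    logger = logging.getLogger(__name__)
    logger.info('%s.createQradarAlert starts', __name__)

    report = {'success': False}

    try:
        cfg = getConf()
        qradarConnector = QRadarConnector(cfg)
        theHiveConnector = TheHiveConnector(cfg)

        # Offenses QRadar reports with "OPEN" status.
        for offense in qradarConnector.getOffenses():
            sourceRef = 'QR' + str(offense['id'])

            # An empty list is the only "not imported" answer; any other
            # payload (including an error document) is treated as already
            # present so that no duplicate alert is created.
            theHive_alert = theHiveConnector.getAlerts({
                'sourceRef': sourceRef
            }).json()
            if theHive_alert != []:
                logger.info('%s already imported', sourceRef)
                continue
            logger.info('%s not imported', sourceRef)

            artifacts_dict = _qradarOffenseArtifacts(offense)
            artifacts_list = theHiveConnector.craftAlertArtifact(
                artifacts_dict)
            logger.debug('%s artifacts: %s -> %s', sourceRef, artifacts_dict,
                         artifacts_list)

            title = "#" + str(
                offense['id']) + " QRadar - " + offense['description']
            description = ' / '.join(offense['categories'])
            severity = _qradarSeverity(offense['severity'])
            date = offense['start_time']
            tags = [
                'Synapse', 'src:QRadar', 'QRadarID:' + str(offense['id'])
            ]

            alert = theHiveConnector.craftAlert(title, description,
                                                severity, date, tags,
                                                sourceRef, artifacts_list)
            theHiveConnector.createAlert(alert)

        report['success'] = True

    except Exception:
        # A single failing offense aborts the run; the partial import is
        # reported as a failure rather than raised to the caller.
        logger.error('Failed to create alert from QRadar offense',
                     exc_info=True)
        report['success'] = False

    return report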