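def CreateHiveAlertFromSentinel(api, title, description, incidentnumber, severity, source, artifacts, alertIds, incidentURL):
    """Create a TheHive alert from a Microsoft Sentinel incident.

    Args:
        api: TheHive API client exposing ``create_alert``.
        title: Alert title taken from the Sentinel incident.
        description: Alert description.
        incidentnumber: Sentinel incident number; stored in the
            ``sentinelIncidentNumber`` custom field and used to build the
            ``sourceRef`` (``"Sentinel<number>"``) that TheHive uses for
            de-duplication.
        severity: Sentinel severity label: ``"Informational"``, ``"Low"``,
            ``"Medium"`` or ``"High"``.
        source: Sentinel source name; recorded as ``"Sentinel:<source>"``.
        artifacts: Observables to attach to the alert.
        alertIds: Sentinel alert ids; joined with single spaces into the
            ``alertIds`` custom field.
        incidentURL: Link back to the Sentinel incident (``incidentURL``
            custom field).

    Returns:
        None. The outcome is reported through ``logging``. A 201 means the
        alert was created; a 400 ``ConflictError`` means TheHive already has
        an alert with this ``sourceRef`` and is logged as a duplicate. Any
        other response is logged as an error and the process exits.

    Raises:
        ValueError: if ``severity`` is not one of the known labels (the
            original code failed here with an UnboundLocalError).
    """
    # Sentinel severity label -> TheHive severity level. TheHive uses 1..3;
    # both "Informational" and "Low" collapse onto the lowest level.
    severity_map = {"Informational": 1, "Low": 1, "Medium": 2, "High": 3}
    try:
        the_hive_severity = severity_map[severity]
    except KeyError:
        raise ValueError(
            "unsupported Sentinel severity {!r} for incident {}".format(severity, incidentnumber)
        ) from None

    alert_ids_str = ' '.join(map(str, alertIds))
    source_ref = "Sentinel" + str(incidentnumber)

    custom_fields = CustomFieldHelper()
    custom_fields.add_number('sentinelIncidentNumber', incidentnumber)
    custom_fields.add_string('alertIds', alert_ids_str)
    custom_fields.add_string('incidentURL', incidentURL)

    alert = Alert(title=title,
                  tlp=2,
                  tags=[],
                  description=description,
                  type='Sentinel',
                  severity=the_hive_severity,
                  source='Sentinel:' + source,
                  customFields=custom_fields.build(),
                  sourceRef=source_ref,
                  artifacts=artifacts)

    response = api.create_alert(alert)

    if response.status_code == 201:
        # Lazy %-style args keep any '%' or '{}' in title/source/body out of
        # the format string.
        logging.info('Alert created: %s: %s: %s. StatusCode: %s/%s',
                     source_ref, source, title, response.status_code, response.text)
        return

    # A 400 with type "ConflictError" is TheHive's "sourceRef already exists"
    # answer. The body is not guaranteed to be JSON (or a JSON object), so
    # decode defensively instead of indexing into it.
    error_type = None
    if response.status_code == 400:
        try:
            body = response.json()
        except ValueError:
            body = None
        if isinstance(body, dict):
            error_type = body.get('type')

    if error_type == "ConflictError":
        logging.info('Duplicate alert: %s: %s: %s. StatusCode: %s/%s',
                     source_ref, source, title, response.status_code, response.text)
        return

    logging.error('failed to create alert: %s %s %s. StatusCode: %s/%s',
                  source, title, source_ref, response.status_code, response.text)
    # NOTE(review): kept as in the original. Exit status 0 reports success to
    # the caller even though the alert was not created; consider a non-zero
    # status or raising so the failure is visible to whatever runs this.
    sys.exit(0)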
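def build(fields: Dict) -> Dict:
    """Turn a flat ``name -> value`` mapping into TheHive custom fields.

    Each entry is routed to the ``CustomFieldHelper`` method matching its
    value type:

    * ``bool`` -> ``add_boolean``;
    * ``int`` whose key contains ``time`` or ``date`` -> ``add_date`` with
      the value multiplied by 1000 (presumably seconds -> milliseconds);
    * ``datetime`` -> ``add_number`` holding epoch milliseconds;
    * any other ``int`` -> ``add_number``;
    * ``str`` -> ``add_string``;
    * anything else -> ``add_string`` on a best-effort basis; a value the
      helper rejects with ``TypeError``/``ValueError`` is silently dropped.

    Args:
        fields: mapping of custom-field name to value.

    Returns:
        The dict produced by ``CustomFieldHelper.build()``.
    """
    helper = CustomFieldHelper()
    for key, value in fields.items():
        lowered = key.lower()
        looks_temporal = 'time' in lowered or 'date' in lowered

        # bool is a subclass of int, so it must be tested first: a flag such
        # as "isDateValid" would otherwise be emitted as a date field.
        if isinstance(value, bool):
            helper.add_boolean(key, value)
        elif looks_temporal and isinstance(value, int):
            helper.add_date(key, value * 1000)
        elif isinstance(value, datetime):
            # NOTE(review): stored through add_number rather than add_date
            # like the int case above — confirm that is intentional.
            helper.add_number(key, int(value.timestamp()) * 1000)
        elif isinstance(value, int):
            helper.add_number(key, value)
        elif isinstance(value, str):
            helper.add_string(key, value)
        else:
            # Best effort for unknown types; the helper decides what it can
            # serialise, and anything it rejects is left out of the result.
            try:
                helper.add_string(key, value)
            except (TypeError, ValueError):
                pass
    return helper.build()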
enrichment_table, 'id, enrichment_id, enrichment_type, status', '"{}","{}","{}","{}"'.format(offense_id, aql_id, 'username', 'Open')) records = qr.get_aql_results(aql_id) if records: retval = parse_get_aql(records, 'username') if retval: for item in retval: if item != None: username_list.append(item) sl.update_record(enrichment_table, 'status', 'Closed', 'enrichment_id', aql_id) # # Adding custom_fields values to the case - static mapping. custom_fields = CustomFieldHelper() custom_fields.add_number('qradar_id', offense_id) custom_fields.add_string('offense_source', offense_source) custom_fields.build() tlp = offense_severity_mapper(offense_magnitude)['sev'] # #Case - Offense summary md. build_desc = """|Offense Summary:|\n|---|\n|Offense Description: {}|\n|Source NW: {}|\n|Destination NW: {}|\n|Source IPs: {}|\n|Local Destination IPs: {}|\n|Remote Destination IPs: {}|\n|Usernames: {}|\n---\nLink to the Offense: {}""".format( offense_desc, offense_src_nw, offense_dst_nw, source_address_list, local_dest_list, remote_dest_list, username_list, offense_link) # #Some sample tasks-response actions for posting in the case. Customize per your reqs. # #TODO: You can also utilize - thehive-playbook-creator - for dynamic task/playbook assignment using your QRadar Rule groups. tasks = [ CaseTask(title='PB:- Phase:Identification'), CaseTask(title='PB: - Phase:Remediation'),