def create_alarm(self,
                     title,
                     source_ref=None,
                     description='N/A',
                     alert_type='external',
                     source='LogRhythm',
                     iocs=None,
                     additional_fields=None,
                     additional_tags=None,
                     tlp=TLP.AMBER,
                     pap=PAP.AMBER,
                     severity=HiveSeverity.MEDIUM):

        if source_ref is None:
            source_ref = str(uuid.uuid4())[0:6]

        alert_tags = self.alert_tags.copy()
        if additional_tags is not None:
            for additional_tag in additional_tags:
                alert_tags.append(additional_tag)

        custom_fields_helper = CustomFieldHelper()
        if additional_fields is not None:
            for field in additional_fields:
                custom_fields_helper.add_string(field['name'], field['value'])
        custom_fields = custom_fields_helper.build()

        artifacts = list()
        if iocs is not None:
            for ioc in iocs:
                artifacts.append(
                    AlertArtifact(dataType=ioc['type'].value,
                                  data=ioc['value']))

        hive_alert = Alert(title=title,
                           tlp=tlp.value,
                           tags=alert_tags,
                           description=description,
                           type=alert_type,
                           source=source,
                           sourceRef=source_ref,
                           pap=pap.value,
                           artifacts=artifacts,
                           customFields=custom_fields,
                           severity=severity.value)

        response = self.api.create_alert(hive_alert)
        if response.status_code == 201:
            print('Alerta Creada Exitosamente')
            print(json.dumps(response.json(), indent=4, sort_keys=True))
        else:
            print('Error')
            print(response.text)

        return response.json()
def CreateHiveAlertFromSentinel(api, title, description, incidentnumber,
                                severity, source, artifacts, alertIds,
                                incidentURL):
    tags = []

    if severity == "Low":
        theHiveSeverity = 1
    elif severity == "Informational":
        theHiveSeverity = 1
    elif severity == "Medium":
        theHiveSeverity = 2
    elif severity == "High":
        theHiveSeverity = 3

    alertIdsStr = ' '.join(map(str, alertIds))

    customFields = CustomFieldHelper()
    customFields.add_number('sentinelIncidentNumber', incidentnumber)
    customFields.add_string('alertIds', alertIdsStr)
    customFields.add_string('incidentURL', incidentURL)

    customFields = customFields.build()
    alert = Alert(title=title,
                  tlp=2,
                  tags=tags,
                  description=description,
                  type='Sentinel',
                  severity=theHiveSeverity,
                  source='Sentinel:' + source,
                  customFields=customFields,
                  sourceRef="Sentinel" + str(incidentnumber),
                  artifacts=artifacts)

    # Create the Alert
    response = api.create_alert(alert)
    if response.status_code == 201:
        logging.info(
            'Alert created: ' + 'Sentinel' + str(incidentnumber) + ': ' +
            source + ': ' + title +
            '. StatusCode: {}/{}'.format(response.status_code, response.text))
    elif (response.status_code == 400
          and response.json()['type'] == "ConflictError"):
        logging.info(
            'Duplicate alert: ' + 'Sentinel' + str(incidentnumber) + ': ' +
            source + ': ' + title +
            '. StatusCode: {}/{}'.format(response.status_code, response.text))
    else:
        logging.error(
            'failed to create alert: ' + source + ' ' + title + ' Sentinel' +
            str(incidentnumber) +
            '. StatusCode: {}/{}'.format(response.status_code, response.text))
        sys.exit(0)
    def create_case(self,
                    title,
                    tasks=None,
                    tlp=TLP.AMBER,
                    pap=PAP.AMBER,
                    severity=HiveSeverity.MEDIUM,
                    additional_fields=None,
                    additional_tags=None,
                    flag=False,
                    description='N/A'):

        case_tags = self.case_tags.copy()
        if additional_tags is not None:
            for additional_tag in additional_tags:
                case_tags.append(additional_tag)

        custom_fields_helper = CustomFieldHelper()
        if additional_fields is not None:
            for field in additional_fields:
                custom_fields_helper.add_string(field['name'], field['value'])
        custom_fields = custom_fields_helper.build()

        new_tasks = list()
        if tasks is not None:
            for task in tasks:
                new_tasks.append(CaseTask(title=task))

        hive_case = Case(title=title,
                         tlp=tlp.value,
                         pap=pap.value,
                         description=description,
                         tags=case_tags,
                         severity=severity.value,
                         flag=flag,
                         customFields=custom_fields,
                         tasks=new_tasks)

        response = self.api.create_case(hive_case)
        if response.status_code == 201:
            print('Caso Creada Exitosamente')
            print(json.dumps(response.json(), indent=4, sort_keys=True))
        else:
            print('Error')
            print(response.text)

        return response.json()
 def build(fields: Dict) -> Dict:
     custom_field_helper = CustomFieldHelper()
     for key, field_value in fields.items():
         if ('time' in key.lower() or 'date' in key.lower()) and isinstance(field_value, int):
             custom_field_helper.add_date(key, field_value * 1000)
         elif isinstance(field_value, datetime):
             custom_field_helper.add_number(key, int(field_value.timestamp()) * 1000)
         elif isinstance(field_value, bool):
             custom_field_helper.add_boolean(key, field_value)
         elif isinstance(field_value, int):
             custom_field_helper.add_number(key, field_value)
         elif isinstance(field_value, str):
             custom_field_helper.add_string(key, field_value)
         else:
             try:
                 custom_field_helper.add_string(key, field_value)
             except (TypeError, ValueError):
                 pass
     return custom_field_helper.build()
示例#5
0
                '"{}","{}","{}","{}"'.format(offense_id, aql_id, 'username',
                                             'Open'))
            records = qr.get_aql_results(aql_id)
            if records:
                retval = parse_get_aql(records, 'username')
                if retval:
                    for item in retval:
                        if item != None:
                            username_list.append(item)
                            sl.update_record(enrichment_table, 'status',
                                             'Closed', 'enrichment_id', aql_id)

    # # Adding custom_fields values to the case - static mapping.
    custom_fields = CustomFieldHelper()
    custom_fields.add_number('qradar_id', offense_id)
    custom_fields.add_string('offense_source', offense_source)
    custom_fields.build()

    tlp = offense_severity_mapper(offense_magnitude)['sev']

    # #Case - Offense summary md.
    build_desc = """|Offense Summary:|\n|---|\n|Offense Description: {}|\n|Source NW: {}|\n|Destination NW: {}|\n|Source IPs: {}|\n|Local Destination IPs: {}|\n|Remote Destination IPs: {}|\n|Usernames: {}|\n---\nLink to the Offense: {}""".format(
        offense_desc, offense_src_nw, offense_dst_nw, source_address_list,
        local_dest_list, remote_dest_list, username_list, offense_link)

    # #Some sample tasks-response actions for posting in the case. Customize per your reqs.
    # #TODO: You can also utilize - thehive-playbook-creator - for dynamic task/playbook assignment using your QRadar Rule groups.
    tasks = [
        CaseTask(title='PB:- Phase:Identification'),
        CaseTask(title='PB: - Phase:Remediation'),
        CaseTask(title='PB: - Phase:Lessons Learned',