Responder/umbrella blacklister (#383)

* Initial Umbrella Blacklister Responder commit * Initial Umbrella Blacklister Responder commit * Modify required datatype * Modify required datatype * Add operation AddTagToArtifact
TheHive-Project · Dec 4, 2018 · f042128 · f042128
1 parent 6e94b1a
commit f042128
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/responders/UmbrellaBlacklister/UmbrellaBlacklister.json b/responders/UmbrellaBlacklister/UmbrellaBlacklister.json
@@ -0,0 +1,20 @@
+{
+  "name": "Umbrella Blacklister",
+  "version": "1.0",
+  "author": "Kyle Parrish",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Add domain to Umbrella blacklist via Enforcement API.",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "UmbrellaBlacklister/UmbrellaBlacklister.py",
+  "baseConfig": "UmbrellaBlacklister",
+  "configurationItems": [
+    {
+      "name": "integration_url",
+      "description": "Custom integration url",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
diff --git a/responders/UmbrellaBlacklister/UmbrellaBlacklister.py b/responders/UmbrellaBlacklister/UmbrellaBlacklister.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+from datetime import datetime
+
+class UmbrellaBlacklister(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.integration_url = self.get_param('config.integration_url', None, "Integration URL Missing")
+
+    def run(self):
+        Responder.run(self)
+
+        if self.get_param('data.dataType') == 'domain':
+
+            domain = self.get_param('data.data', None, 'No artifacts available')
+
+            dstUrl = "http://" + domain
+            date = datetime.now().strftime("%Y-%m-%dT%XZ")
+
+            headers = {
+                'user-agent': 'UmbrellaBlacklister-Cortex-Responder',
+                'Content-Type': 'application/json'
+            }
+
+            payload = {
+                "alertTime": date,
+                "deviceId": "cortex_thehive",
+                "deviceVersion": "2.4.81",
+                "dstDomain": domain,
+                "dstUrl": dstUrl,
+                "eventTime": date,
+                "protocolVersion": "1.0a",
+                "providerName": "Security Platform"
+            }
+
+            r = requests.post(self.integration_url, json=payload, headers=headers)
+            if r.status_code == 200 | 202:
+                self.report({'message': 'Blacklisted in Umbrella.'})
+            else:
+                self.error('Failed to add to blacklist.')
+	else:
+	    self.error('Incorrect dataType. "Domain" expexted.')
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Umbrella:blocked')]
+
+if __name__ == '__main__':
+        UmbrellaBlacklister().run()
diff --git a/responders/UmbrellaBlacklister/requirements.txt b/responders/UmbrellaBlacklister/requirements.txt
@@ -0,0 +1 @@
+datetime