From fa9b600788e714bd75ed75faf88d195c7859023e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?=
Date: Wed, 11 Sep 2019 18:00:05 +0200
Subject: [PATCH] #532 Zerofox request for takedown
---
 .../ZEROFOX_Takedown_request.json | 29 +++++++++
 .../ZEROFOX_Takedown_request.py | 60 +++++++++++++++++++
 .../ZEROFOX_Takedown_request/requirements.txt | 1 +
 3 files changed, 90 insertions(+)
 create mode 100644 responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.json
 create mode 100755 responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.py
 create mode 100644 responders/ZEROFOX_Takedown_request/requirements.txt
diff --git a/responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.json b/responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.json
new file mode 100644
index 000000000..f0d0573da
--- /dev/null
+++ b/responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.json
@@ -0,0 +1,29 @@
+{
+ "name": "ZEROFOX_Takedown_request",
+ "version": "1.0",
+ "author": "TheHive-Project",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Request for a takedown regarding the alert in Zerofox",
+ "dataTypeList": ["thehive:case"],
+ "command": "ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.py",
+ "baseConfig": "ZEROFOX",
+ "configurationItems": [
+ {
+ "name": "url",
+ "description": "URL for Zerofox API",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": "https://api.zerofox.com/1.0"
+ },
+ {
+ "name": "api",
+ "description": "Key API for Zerofox",
+ "type": "string",
+ "multi": false,
+ "required": true,
+ "defaultValue": ""
+ }
+ ]
+}
diff --git a/responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.py b/responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.py
new file mode 100755
index 000000000..03e29da28
--- /dev/null
+++ b/responders/ZEROFOX_Takedown_request/ZEROFOX_Takedown_request.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+import re
+import requests
+
+
+class CloseAlert(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+ self.data = self.get_param('data', None, 'Data is missing')
+ self.url = self.get_param('config.url', None, 'url is missing')
+ self.api = self.get_param('config.api', None, 'api key is missing')
+
+ # Action for Zerofox Alert : see "POST /alerts/{alert_id}/{action}/" on https://api.zerofox.com/1.0/docs/
+ self.zfEntity = "alerts"
+ self.zfAction = "request_takedown"
+
+
+ def operations(self, raw):
+ return [self.build_operation('AddTagToCase', tag='TheHive:Responders=Zerofox Alert Closed')]
+
+ def ZerofoxAlert(self, tags):
+ """
+
+ :param tags: list
+ :return: bool
+ """
+ zfalert="src:ZEROFOX"
+ if tags:
+ for tag in tags:
+ zf_id = re.match("^ZF:Id=(\d+)", tag)
+ if zf_id and zfalert in tags:
+ return zf_id.group(1)
+ return 0
+
+
+ def run(self):
+ Responder.run(self)
+ tags = self.get_param('data.tags', None)
+ action_request = "{}/{}/{}/{}/".format(self.url, self.zfEntity, self.ZerofoxAlert(tags), self.zfAction)
+
+
+ # Manage mail addresses
+ if self.data_type == 'thehive:case':
+ if self.ZerofoxAlert(tags):
+ try:
+ response = requests.post(action_request, headers={'Authorization':
+ 'Token {}'.format(self.api)})
+ if response.status_code == 200:
+ self.report({'message': 'Alert {} has been closed'.format(self.ZerofoxAlert(tags))})
+ elif response.status_code == 400:
+ self.error('HTTP 400 : Request body schema error')
+ except Exception as ex:
+ self.error(ex)
+
+if __name__ == '__main__':
+ CloseAlert().run()
diff --git a/responders/ZEROFOX_Takedown_request/requirements.txt b/responders/ZEROFOX_Takedown_request/requirements.txt
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/responders/ZEROFOX_Takedown_request/requirements.txt
@@ -0,0 +1 @@
+
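Review bot: `run()` finishes with neither `report` nor `error` on most paths: when no `ZF:Id=` tag is found the `if self.ZerofoxAlert(tags)` branch is skipped silently, and any status other than 200 or 400 (401/403/404/5xx) falls through with no output, so the operator cannot tell whether the takedown was requested. The `requests.post` call has no `timeout`, so a stalled API leaves the Cortex job hanging, and `self.error(ex)` passes the exception object where a message string is expected. The names and messages are copied from an alert-closing responder (`CloseAlert`, `'Alert {} has been closed'`, the `Zerofox Alert Closed` tag in `operations`) while the action posted is `request_takedown`; the pattern `"^ZF:Id=(\d+)"` should also be a raw string, `r"^ZF:Id=(\d+)"`. A rewrite of `run()` that resolves the id once, errors explicitly on a missing id, a transport failure and any non-200 status, and bounds the request (it relies on `self.error` not returning, which is cortexutils' behaviour — confirm for the version pinned):
```python
# … unchanged: __init__, operations, ZerofoxAlert …
    def run(self):
        Responder.run(self)
        alert_id = self.ZerofoxAlert(self.get_param('data.tags', None))
        if self.data_type != 'thehive:case':
            self.error('Invalid dataType: {}'.format(self.data_type))
        if not alert_id:
            self.error('No Zerofox alert id found in case tags (expected ZF:Id=<id> together with src:ZEROFOX)')
        action_request = "{}/{}/{}/{}/".format(self.url, self.zfEntity, alert_id, self.zfAction)
        try:
            response = requests.post(action_request,
                                     headers={'Authorization': 'Token {}'.format(self.api)},
                                     timeout=30)
        except requests.RequestException as ex:
            self.error('Zerofox API request failed: {}'.format(ex))
        if response.status_code == 200:
            self.report({'message': 'Takedown requested for Zerofox alert {}'.format(alert_id)})
        elif response.status_code == 400:
            self.error('HTTP 400 : Request body schema error')
        else:
            self.error('Zerofox API returned HTTP {}'.format(response.status_code))
```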
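Review bot: requirements.txt is added with a single empty line, although the responder imports `cortexutils` and `requests`, so the Cortex image build for this responder will not install them. The file should list both, `cortexutils` and `requests`, one per line, as the other responders in the repository do.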