[OSCD Sprint #2] Final Pull Request / Summary

analyzers/EmlParser/input/input.json

@@ -0,0 +1,17 @@
+ {
+    "dataType":"file",
+    "file": "Payment Notification 00000307700.eml",
+    "filename": "filetest",
+    "config":{
+        "manalyze_enable": false,
+        "manalyze_enable_docker": false,
+        "proxy_http": null,
+        "proxy_https": null,
+        "cacerts": null,
+        "jobTimeout": 10,
+        "check_tlp": false,
+        "max_tlp": 2,
+        "check_pap": false,
+        "max_pap": 2
+    }
+}

analyzers/EmlParser/output/output.json

@@ -0,0 +1 @@
+{"success": true, "summary": {"taxonomies": [{"level": "info", "namespace": "EmlParser", "predicate": "Attachments", "value": 1}]}, "artifacts": [{"dataType": "ip", "data": "18.23.71.149"}, {"dataType": "ip", "data": "165.199.8.49"}, {"dataType": "ip", "data": "87.227.176.38"}, {"dataType": "mail", "data": "[email protected]"}, {"dataType": "mail", "data": "[email protected]"}, {"dataType": "hash", "data": "4dd9dfc92887e8c02cbc54a2abf73fb2"}, {"dataType": "hash", "data": "f7586d41577ed314ef5794072ddffef838996088"}, {"dataType": "hash", "data": "bfee589efb80fccdc2c19e16b54fa19d2a9ee7f5c359e0340cd568dce09f8ecb"}, {"dataType": "file", "file": "tmpu4zg7dbi", "filename": "Inv_307700_Service_04086.xlsm"}], "full": {"subject": "Payment Notification 00000307700", "date": "Mon, 22 Jun 2020 14:15:37 +0200", "receivers": "", "displayFrom": "[email protected]", "sender": "", "topic": "", "bcc": "", "displayTo": "<>", "headers": "Received: from ([87.227.176.38]) by [removed] for [removed];\n\tMon, 22 Jun 2020 12:15:38 +0000 (UTC)\nReceived: from [18.23.71.149] (account [email protected] HELO TIQOPOP.GAFYWOG.bwd) by customer.orbitel.bg (Exim 4.89)\twith ESMTPA id 89509C7C5024 for [removed]; Mon, 22 Jun 2020 14:15:37 +0200\nReceived: from ([165.199.8.49]) by customer.orbitel.bg with SMTP id 3943963C; Mon, 22 Jun 2020 14:15:37 +0200\nDate: Mon, 22 Jun 2020 14:15:37 +0200\nContent-Class: urn:content-classes:message\nSubject: Payment Notification 00000307700\nFrom: \"Billing Support\" <[email protected]>\n", "body": "Thank you very much for your business and continued support.\n\nPlease open the attached file to view your Invoice.\n\n    Invoice Due Date:      06/22/2020\n    Invoice Total Amount:  $1,278.00\n\nBest Regards\n", "attachments": [{"filename": "Inv_307700_Service_04086.xlsm", "mime": "Microsoft Excel 2007+", "extension": "xlsm", "md5": "4dd9dfc92887e8c02cbc54a2abf73fb2", "sha1": "f7586d41577ed314ef5794072ddffef838996088", "sha256": "bfee589efb80fccdc2c19e16b54fa19d2a9ee7f5c359e0340cd568dce09f8ecb", "path": "/job/output/Inv_307700_Service_04086.xlsm"}]}}

analyzers/Splunk/requirements.txt

@@ -1 +1,2 @@
 splunk-sdk
+cortexutils

responders/AzureTokenRevoker/AzureTokenRevoker.json

@@ -0,0 +1,32 @@
+{
+    "name": "AzureTokenRevoker",
+    "version": "1.0",
+    "author": "Daniel Weiner @dmweiner",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Revoke all Microsoft Azure authentication session tokens for a list of User Principal Names",
+    "dataTypeList": ["thehive:case"],
+    "command": "AzureTokenRevoker.py",
+    "baseConfig": "AzureTokenRevoker",
+    "configurationItems": [
+        {"name": "redirect_uri",
+        "description": "Azure AD Application URI (Example: https://login.microsoftonline.com/TENANTIDHERE/oauth2/token)",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_id",
+        "description": "Client ID/Application ID of Azure AD Registered App",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_secret",
+        "description": "Secret for Azure AD Registered Application",
+        "type": "string",
+        "multi": false,
+        "required": true
+        }
+    ]
+
+}

responders/AzureTokenRevoker/AzureTokenRevoker.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+# Author: Daniel Weiner @dmweiner
+import requests
+import traceback
+import datetime
+from cortexutils.responder import Responder
+
+# Initialize Azure Class
+class AzureTokenRevoker(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.client_id = self.get_params('config.client_id', None, 'Azure AD Application ID/Client ID Missing')
+        self.client_secret = self.get_params('config.client_secret', None, 'Azure AD Registered Application Client Secret Missing')
+        self.redirect_uri = self.get_params('config.redirect_uri', None, 'Set a redirect URI in Azure AD Registered Application. (ex. https://logon.microsoftonline.<tenant id>/oauth2/token)')
+        self.time = ''
+    def run(self):
+        try:
+            self.user = self.get_params('data.data', None, 'No UPN supplied to revoke credentials for')
+            if not self.user:
+                self.error("No user supplied")
+            base_resource = "https://graph.microsoft.com"
+
+            token_data = {
+                "grant_type": "client_credentials",
+                'client_id': self.client_id,
+                'client_secret': self.client_secret,
+                'resource': 'https://graph.microsoft.com',
+                'scope': 'https://graph.microsoft.com'
+                }
+
+
+            #Authenticate to the graph api 
+
+            token_r = requests.post(self.redirect_uri, data=token_data)
+            token = token_r.json().get('access_token')
+
+            if token_r.status_code != 200:
+                self.error('Failure to obtain azure access token: {}'.format(token_r.content))
+
+            # Set headers for future requests
+            headers = {
+                'Authorization': 'Bearer {}'.format(token)
+            }
+
+            base_url = 'https://graph.microsoft.com/v1.0/'
+
+            r = requests.post(base_url + 'users/{}/revokeSignInSessions'.format(self.user), headers=headers)
+
+            if r.status_code != 200:
+                self.error('Failure to revoke access tokens of user {}: {}'.format(self.user, r.content))
+
+            else:
+                #record time of successful auth token revokation
+                self.time = datetime.datetime.utcnow()
+
+        except Exception as ex:
+            self.error(traceback.format_exc())
+        # Build report to return to Cortex
+        full_report = {"message": "User {} authentication tokens successfully revoked at {}".format(self.user, self.time)}
+        self.report(full_report)
+
+
+if __name__ == '__main__':
+    AzureTokenRevoker().run()

responders/AzureTokenRevoker/requirements.txt

@@ -0,0 +1,3 @@
+cortexutils
+requests
+datetime

responders/Duo_Security/DuoLockUserAccount.json

@@ -0,0 +1,34 @@
+{
+  "name": "DuoLockUserAccount",
+  "version": "1.0",
+  "author": "Sven Kutzer / Gyorgy Acs, @oscd_initiative",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Lock User Account in Duo Security via AdminAPI (The user will not be able to log in)",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "Duo_Security/duoLockUserAccount.py",
+  "baseConfig": "Duo_Security_main",
+  "configurationItems": [
+    {
+      "name": "API_hostname",
+      "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+   {
+      "name": "Integration_Key",
+      "description": "Integration Key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Secret_Key",
+      "description": "Secret Key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

responders/Duo_Security/DuoUnlockUserAccount.json

@@ -0,0 +1,34 @@
+{
+  "name": "DuoUnlockUserAccount",
+  "version": "1.0",
+  "author": "Sven Kutzer / Gyorgy Acs, @oscd_initiative",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Unlock User Account in Duo Security via AdminAPI (The user must complete secondary authentication)",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "Duo_Security/duoUnlockUserAccount.py",
+  "baseConfig": "Duo_Security_main",
+  "configurationItems": [
+    {
+      "name": "API_hostname",
+      "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+   {
+      "name": "Integration_Key",
+      "description": "Integration Key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Secret_Key",
+      "description": "Secret Key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

responders/Duo_Security/README.md

@@ -0,0 +1,31 @@
+### CortexResponder_DuoUserAccount
+Rep. for Cortex Responder (TheHive project - https://github.com/TheHive-Project/CortexDocs)
+to Lock/Unlock User Accounts in the Duo Admin Portal (Cisco Security)
+
+
+There are two Responder available in order to change the status of a User in Duo Security via the AdminAPI (https://duo.com/docs/adminapi)
+
+**DuoLockUserAccount** -> changes the "status" to “disabled” - The user will not be able to log in.
+
+**DuoUnlockUserAccount** ->  changes the "status" to “active” - The user must complete secondary authentication.
+
+The Responder is looking for a "**username**" as input and queries the Duo Admin API, to receive the associated UserID.
+The UserID is used to change the "status" of the particular user.
+
+#### How to install:
+  * copy the folders "DuoLockUserAccount" & "DuoUnlockUserAccount" into your Cortex responders path
+  * install necessary python modules from the requirements.txt (**pip install -r requirements.txt**)
+  * restart Cortex to initialize the new Responder "**systemctl restart cortex**"
+  * add the ResponderConfig 
+  * ![ResponderConfig](assets/ResponderConfig.jpg)
+  * enable the Responder Actions
+  * ![Responders](assets/Responders.jpg)
+
+#### Add Observable type in TheHive**
+  * per default TheHive has no "username" Observable type, so we have to add this in the Admin settings
+  * ![AddObservableType](assets/AddObservableType.jpg)
+
+#### Run the Responder action in TheHive
+
+If you have add an observable, you can now take action and lock/unlock the User in Duo Security
+ * ![Demo_Lock-Unlock_DuoUser](assets/Demo_Lock-Unlock_DuoUser.gif)

responders/Duo_Security/duoLockUserAccount.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+import duo_client
+from datetime import datetime
+
+class DuoLockUserAccount(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.API_hostname = self.get_param('config.API_hostname', None, "API hostname is missing")
+        self.iKey = self.get_param('config.Integration_Key', None, "Integration Key is missing")
+        self.sKey = self.get_param('config.Secret_Key', None, "Secret Key is  missing")
+
+    def run(self):
+        Responder.run(self)
+
+        if self.get_param('data.dataType') == 'username':
+
+            str_username = self.get_param('data.data', None, 'No artifacts available')
+
+            admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
+
+            response = admin_api.get_users_by_name(username=str_username)
+
+#            print(response)
+
+            user_id=response[0]["user_id"]
+
+#            print("user_id:",user_id)
+
+            r = admin_api.update_user(user_id=user_id,status='disabled')
+
+#            print("response:",r)
+
+            if r.get('status') == 'disabled':
+                self.report({'message': 'User is locked in Duo Security.'})
+            else:
+                self.error('Failed to lock User Account in Duo.')
+        else:
+            self.error('Incorrect dataType. "username" expected.')
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Duo User: locked')]
+
+if __name__ == '__main__':
+        DuoLockUserAccount().run()

responders/Duo_Security/duoUnlockUserAccount.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+import duo_client
+from datetime import datetime
+
+class DuoUnlockUserAccount(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.API_hostname = self.get_param('config.API_hostname', None, "API hostname is missing")
+        self.iKey = self.get_param('config.Integration_Key', None, "Integration Key is missing")
+        self.sKey = self.get_param('config.Secret_Key', None, "Secret Key is  missing")
+
+    def run(self):
+        Responder.run(self)
+
+        if self.get_param('data.dataType') == 'username':
+
+            str_username = self.get_param('data.data', None, 'No artifacts available')
+
+            admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
+
+            response = admin_api.get_users_by_name(username=str_username)
+
+#            print(response)
+
+            user_id=response[0]["user_id"]
+
+#            print("user_id:",user_id)
+
+            r = admin_api.update_user(user_id=user_id,status='active')
+
+#            print("response:",r)
+
+            if r.get('status') == 'active':
+                self.report({'message': 'User is unlocked in Duo Security. The user must complete secondary authentication.'})
+            else:
+                self.error('Failed to unlock User Account in Duo.')
+        else:
+            self.error('Incorrect dataType. "username" expected.')
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Duo User: reactivated')]
+
+if __name__ == '__main__':
+        DuoUnlockUserAccount().run()

responders/Duo_Security/requirements.txt

@@ -0,0 +1,4 @@
+cortexutils
+requests
+datetime
+duo_client

responders/Gmail/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3
+
+WORKDIR /worker
+COPY . Gmail
+RUN pip install --no-cache-dir -r Gmail/requirements.txt
+ENTRYPOINT Gmail/Gmail.py