#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from __future__ import print_function
from __future__ import unicode_literals

import json
import os
import sys
import time
import uuid
import warnings

import requests

from thehive4py.api import TheHiveApi
from thehive4py.models import Case, CustomFieldHelper, CaseTask, CaseObservable
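#To use this script correctly please configure the following lines.
# API keys are read from the environment when the variable is set, so the
# secrets do not have to be committed together with this file; the
# placeholders are only a fallback for a one-off local edit.
# Checkpoint file: holds the id of the newest QRadar offense that has already
# been turned into a TheHive case (rewritten by OffensesRequest).
file_id = "</path/to/id_file.txt>"
api = TheHiveApi('<URL_THE_HIVE>', os.environ.get('THEHIVE_API_KEY', '<THE_HIVE_API_KEY>'))
# Warnings are intentionally not silenced here: a blanket
# warnings.filterwarnings('ignore') would also hide urllib3's
# InsecureRequestWarning, which is the only visible sign that the QRadar
# request is being made with TLS verification disabled.
url = ('https://<QRadar_IP_address>/api/siem/offenses'
       '?fields=id%2Cstatus%2Cdescription%2Coffense_type%2Coffense_source'
       '%2Cmagnitude%2Csource_network%2Cdestination_networks%2Cassigned_to'
       '%2Cstart_time%2Cevent_count')
# 'SEC' carries the QRadar API token (treat it like a password);
# 'Version' selects the QRadar REST API version.
headers = {
    'accept': 'application/json',
    'SEC': os.environ.get('QRADAR_API_KEY', '<QRADAR_API_KEY>'),
    'Version': '9.0',
}
#If you're using JIRA as ticketing platform in the task 'Communication' you can add the URL of your JIRA, else delete the description parameter.
tasks = [
    CaseTask(title='Tracking'),
    CaseTask(title='Communication', description='**[Ticket creation](https://PATH/TO/JIRA/CreateIssue!default.jspa)**'),
    CaseTask(title='Investigation', status='Waiting', flag=True)
]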
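def _read_last_offense_id(path):
    """Return the offense id stored in the checkpoint file *path*, or None.

    The file is expected to hold a single integer: the id of the newest QRadar
    offense already turned into a case. A missing or empty file yields None,
    which the caller treats as a first run.

    Raises:
        ValueError: the last non-empty line of the file is not an integer.
    """
    try:
        with open(path) as handle:
            lines = [line.strip() for line in handle if line.strip()]
    except IOError:  # FileNotFoundError on Python 3; IOError keeps 2.7 working
        return None
    if not lines:
        return None
    # Only the last line is authoritative; earlier lines are tolerated so a
    # hand-edited file does not break the poller.
    return int(lines[-1])


def _write_last_offense_id(path, offense_id):
    """Overwrite the checkpoint file *path* with *offense_id*."""
    with open(path, "w") as handle:
        handle.write(str(offense_id))


def _create_case(offense):
    """Create a TheHive case for one QRadar *offense* dict and return its id.

    Prints the API error and exits with status 1 if TheHive does not answer
    201, so a cron job or wrapper script sees the failure.
    """
    offense_id = int(offense['id'])
    offense_description = str(offense['description'])
    # To use the following custom fields you have to create them on TheHive
    # with the same internal reference (offenseId, ...) and the same type
    # (number, string, ...):  .add_<type>('<internal reference>', <value>)
    custom_fields = CustomFieldHelper()\
        .add_number('offenseId', offense_id)\
        .add_number('offenseMagnitude', int(offense['magnitude']))\
        .add_number('offenseEventCount', int(offense['event_count']))\
        .add_string('offenseSource', str(offense['offense_source']))\
        .add_string('offenseSourceNetwork', str(offense['source_network']))\
        .add_string('offenseDestinationNetworks', str(offense['destination_networks']))\
        .add_string('reasonForClosing', "null")\
        .build()
    case = Case(title=offense_description,
                tlp=3,
                flag=True,
                tags=['offense', 'qradar'],
                description=offense_description,
                tasks=tasks,
                customFields=custom_fields)
    response = api.create_case(case)
    if response.status_code != 201:
        print('ko: {}/{}'.format(response.status_code, response.text))
        sys.exit(1)
    return response.json()['id']


def _add_source_observable(case_id, offense):
    """Attach the offense source to case *case_id* as an 'ip' observable.

    Observables can be used with Cortex analyzers. Exits with status 1 when
    TheHive rejects the observable.
    """
    # NOTE(review): offense_source is always submitted as an 'ip' observable;
    # whether it really is an IP depends on the offense type -- confirm against
    # the offense_type values your QRadar instance produces.
    source_ip_observable = CaseObservable(dataType='ip',
                                          data=[str(offense['offense_source'])],
                                          tlp=3,
                                          ioc=True,
                                          tags=['Source IP'],
                                          message="Offense source IP")
    response = api.create_case_observable(case_id, source_ip_observable)
    if response.status_code != 201:
        print('ko: {}/{}'.format(response.status_code, response.text))
        sys.exit(1)


def OffensesRequest(verify=True, timeout=30):
    """Poll QRadar and open one TheHive case per offense newer than the checkpoint.

    Args:
        verify: passed to ``requests.get``. ``True`` (default) validates the
            QRadar certificate against the system trust store; for an appliance
            with a private or self-signed CA pass the path of that CA bundle.
            ``False`` should be a last resort: it lets anyone on the network
            path read the SEC API key header and inject fake offenses.
        timeout: seconds before the QRadar request is abandoned, so a hung
            appliance cannot block the poller forever.

    Side effects: creates cases and observables in TheHive, rewrites the
    checkpoint file *file_id*, prints progress, and exits with status 1 on any
    API error. Offenses are selected by id, not by position in the response,
    and processed oldest first.
    """
    response = requests.get(url, headers=headers, verify=verify, timeout=timeout)
    if response.status_code != 200:
        print("Can't get offenses ({}), check the configuration.".format(response.status_code))
        sys.exit(1)
    offenses = response.json()
    if not offenses:
        print("QRadar returned no offenses.")
        return
    # NOTE(review): the request sends no Range header, so this relies on the
    # API returning every offense newer than the checkpoint in one page --
    # confirm against the appliance's default page size.
    newest_id = max(int(offense['id']) for offense in offenses)
    last_seen = _read_last_offense_id(file_id)
    if last_seen is None:
        # First run: remember the newest offense and create nothing, so a fresh
        # deployment does not flood TheHive with the whole backlog.
        _write_last_offense_id(file_id, newest_id)
        print("Checkpoint file was empty. It now holds the newest QRadar offense id ({}); "
              "offenses created after it will be imported on the next run.".format(newest_id))
        return
    # Filter by id rather than indexing into the list: offense ids are not
    # guaranteed to be contiguous, and the response order is not guaranteed.
    new_offenses = sorted((offense for offense in offenses if int(offense['id']) > last_seen),
                          key=lambda offense: int(offense['id']))
    print("{} new offenses.".format(len(new_offenses)))
    for offense in new_offenses:
        case_id = _create_case(offense)
        # Checkpoint as soon as the case exists (before the observable) so a
        # failure later in this iteration cannot create the same case twice on
        # the next run; a failed case creation leaves the offense to be retried.
        _write_last_offense_id(file_id, int(offense['id']))
        _add_source_observable(case_id, offense)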
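if __name__ == "__main__":
    # Guard the entry point so importing this module (from a test or another
    # integration) does not poll QRadar and rewrite the checkpoint file.
    OffensesRequest()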