фвв

responders/PaloAltoNGFW_block_external_IP_address/Block_ip.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+
+class Block_ip(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+        self.name_external_Address_Group = self.get_param('config.name_external_Address_Group')
+        self.thehive_instance = self.get_param('config.thehive_instance')
+        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+    def run(self):
+        alertId = self.get_param('data.id')
+        response = self.api.get_alert(alertId)
+        ioc=None
+        ioc_clear=[]
+        for i in list(response.json().get("artifacts")):
+            if 'ip' in str(i):
+                ioc = i.get("data")
+                for i in ioc:
+                    if i == "[" or i == "]":
+                        continue
+                    else:
+                        ioc_clear.append(i)
+                ioc="".join(ioc_clear)
+        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+        panos.objects.AddressObject.refreshall(fw)
+        if ioc not in str(fw.find(ioc, panos.objects.AddressObject)):
+            new_ioc_object = panos.objects.AddressObject(ioc, ioc, description="Blocked ip address")
+            fw.add(new_ioc_object)
+            new_ioc_object.create()        
+        panos.objects.AddressGroup.refreshall(fw)
+        block_list = fw.find(self.name_external_Address_Group, panos.objects.AddressGroup)
+        ioc_list = block_list.about().get('static_value')
+        if ioc not in ioc_list:
+            ioc_list.append(ioc)
+            temp1 = panos.objects.AddressGroup(self.name_external_Address_Group, static_value=ioc_list)
+            fw.add(temp1)
+            temp1.apply()
+        self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+    Block_ip().run()

responders/PaloAltoNGFW_block_external_IP_address/PaloAltoNGFW_block_external_IP_address.json

@@ -0,0 +1,55 @@
+{
+  "name": "PaloAltoNGFW_block_external_IP_address",
+  "version": "1.0.0",
+  "author": "Maxim Konakin",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block external IP address",
+  "dataTypeList": ["thehive:alert"],
+  "command": "PaloAltoNGFW_block_external_IP_address/Block_ip.py",
+  "baseConfig": "PaloAltoNGFW_block_external_IP_address",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "name_external_Address_Group",
+      "description": "name_external_Address_Group",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+	{
+        "name": "thehive_instance",
+        "description": "URL of the Thehive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "thehive_api_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW_block_external_IP_address/README.md

@@ -0,0 +1,21 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in  "name_external_Address_Group".
+https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added AddressObject.
+3. if ioc not in AddressObject, will add
+4. if ioc in AddressObject, next step
+5. checks if there is already a blocking list, if not, ioc will add

responders/PaloAltoNGFW_block_external_domain/Block_domain.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+
+class Block_domain(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+        self.name_external_Address_Group_for_domain = self.get_param('config.name_external_Address_Group')
+        self.thehive_instance = self.get_param('config.thehive_instance')
+        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+    def run(self):
+        alertId = self.get_param('data.id')
+        response = self.api.get_alert(alertId)
+        ioc=None
+        ioc_clear=[]
+        for i in list(response.json().get("artifacts")):
+            if 'hostname' in str(i):
+                ioc = i.get("data")
+                for i in ioc:
+                    if i == "[" or i == "]":
+                        continue
+                    else:
+                        ioc_clear.append(i)
+                ioc="".join(ioc_clear)
+        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+        panos.objects.AddressObject.refreshall(fw)
+        if ioc not in str(fw.find(ioc, panos.objects.AddressObject)):
+            new_ioc_object = panos.objects.AddressObject(ioc, ioc, description="Blocked fqdn",type="fqdn")
+            fw.add(new_ioc_object)
+            new_ioc_object.create()
+        panos.objects.AddressGroup.refreshall(fw)
+        block_list = fw.find(self.name_external_Address_Group_for_domain, panos.objects.AddressGroup)
+        ioc_list = block_list.about().get('static_value')
+        if ioc not in ioc_list:
+            ioc_list.append(ioc)
+            temp1 = panos.objects.AddressGroup(self.name_external_Address_Group_for_domain, static_value=ioc_list)
+            fw.add(temp1)
+            temp1.apply()
+        self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+    Block_domain().run()

responders/PaloAltoNGFW_block_external_domain/PaloAltoNGFW_block_external_domain.json

@@ -0,0 +1,55 @@
+{
+  "name": "PaloAltoNGFW_block_external_domain",
+  "version": "1.0.0",
+  "author": "Maxim Konakin",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block external domain",
+  "dataTypeList": ["thehive:alert"],
+  "command": "PaloAltoNGFW_block_external_domain/Block_domain.py",
+  "baseConfig": "PaloAltoNGFW_block_external_domain",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "name_external_Address_Group",
+      "description": "name_external_Address_Group_for_domain",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+	{
+        "name": "thehive_instance",
+        "description": "URL of the Thehive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "thehive_api_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW_block_external_domain/README.md

@@ -0,0 +1,21 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in  "name_external_Address_Group".
+https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added AddressObject.
+3. if ioc not in AddressObject, will add
+4. if ioc in AddressObject, next step
+5. checks if there is already a blocking list (Address_Group), if not, ioc will add

responders/PaloAltoNGFW_block_external_port/Block_port.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+import re
+class Block_port(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+        self.name_external_Service_Group = self.get_param('config.name_external_Service_Group')
+        self.thehive_instance = self.get_param('config.thehive_instance')
+        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+    def run(self):
+        alertId = self.get_param('data.id')
+        response = self.api.get_alert(alertId)
+        data_list=[]
+        data=None
+        for i in response.json().get("artifacts"):
+            if "'port'," in str(i):
+               ioc = i.get("data")
+               data_list.append(i.get("data"))
+            elif "'protocol'," in str(i):
+               ioc = i.get("data")
+               data_list.append(i.get("data"))
+            data=" ".join(data_list)
+        protocol=re.findall(r'[a-z]+',str(data)); protocol=str("".join(protocol)).lower()
+        port=re.findall(r'[0-9]+',str(data)); port="".join(port)
+        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+        panos.objects.ServiceObject.refreshall(fw)
+        if port not in str(fw.find(port, panos.objects.ServiceObject)):
+            new_port_object = panos.objects.ServiceObject(port, protocol, description="Blocked port",destination_port=port)
+            fw.add(new_port_object)
+            new_port_object.create()    
+
+
+        panos.objects.ServiceGroup.refreshall(fw)
+        block_list = fw.find(self.name_external_Service_Group, panos.objects.ServiceGroup)
+        port_list = block_list.about().get('value')
+        if port not in port_list:
+            port_list.append(port)
+            temp1 = panos.objects.ServiceGroup(self.name_external_Service_Group, value=port_list)
+            fw.add(temp1)
+            temp1.apply()
+        self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+    Block_port().run()

responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json

@@ -0,0 +1,55 @@
+{
+  "name": "PaloAltoNGFW_block_external_port",
+  "version": "1.0.0",
+  "author": "Maxim Konakin",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block external port",
+  "dataTypeList": ["thehive:alert"],
+  "command": "PaloAltoNGFW_block_external_port/Block_port.py",
+  "baseConfig": "PaloAltoNGFW_block_external_port",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "name_external_Service_Group",
+      "description": "name_external_Service_Group",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+	{
+        "name": "thehive_instance",
+        "description": "URL of the Thehive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "thehive_api_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW_block_external_port/README.md

@@ -0,0 +1,23 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in  "name_external_Service_Group".
+
+First: you need add field "port" and "protocol" to "Observable types management" in the hive.
+or you can change script and call your field names
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added Service_Group.
+3. if ioc not in Service_Group, will add field port and protocol
+4. if ioc in Service_Group, next step
+5. checks if there is already a blocking list, if not, ioc will add