From 677c830713eeaaaf45c9afd4011b852271224e5c Mon Sep 17 00:00:00 2001 
From: staf711 <40694301+staf711@users.noreply.github.com> Date: Tue, 20 Oct 2020 20:52:55 +0300 Subject: [PATCH] =?UTF-8?q?=D1=84=D0=B2=D0=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Block_ip.py | 51 ++++++++++++++ ...aloAltoNGFW_block_external_IP_address.json | 55 +++++++++++++++ .../README.md | 21 ++++++ .../Block_domain.py | 51 ++++++++++++++ .../PaloAltoNGFW_block_external_domain.json | 55 +++++++++++++++ .../README.md | 21 ++++++ .../Block_port.py | 54 +++++++++++++++ .../PaloAltoNGFW_block_external_port.json | 55 +++++++++++++++ .../README.md | 23 +++++++ .../Block_url.py | 46 +++++++++++++ .../PaloAltoNGFW_block_external_url.json | 55 +++++++++++++++ .../PaloAltoNGFW_block_external_url/README.md | 19 ++++++ .../Block_ip.py | 51 ++++++++++++++ ...aloAltoNGFW_block_internal_IP_address.json | 55 +++++++++++++++ .../README.md | 21 ++++++ .../Block_domain.py | 51 ++++++++++++++ .../PaloAltoNGFW_block_internal_domain.json | 55 +++++++++++++++ .../README.md | 21 ++++++ .../Block_port.py | 54 +++++++++++++++ .../PaloAltoNGFW_block_internal_port.json | 55 +++++++++++++++ .../README.md | 23 +++++++ .../Block_url.py | 46 +++++++++++++ .../PaloAltoNGFW_block_internal_url.json | 55 +++++++++++++++ .../PaloAltoNGFW_block_internal_url/README.md | 21 ++++++ .../PaloAltoNGFW_unblock_domain.json | 62 +++++++++++++++++ .../PaloAltoNGFW_unblock_domain/README.md | 18 +++++ .../Unblock_domain.py | 61 +++++++++++++++++ .../PaloAltoNGFW_unblock_ip.json | 62 +++++++++++++++++ responders/PaloAltoNGFW_unblock_ip/README.md | 18 +++++ .../PaloAltoNGFW_unblock_ip/Unblock_ip.py | 61 +++++++++++++++++ .../.Unblock_port.py.swp | Bin 0 -> 12288 bytes .../PaloAltoNGFW_unblock_port.json | 62 +++++++++++++++++ .../PaloAltoNGFW_unblock_port/README.md | 19 ++++++ .../PaloAltoNGFW_unblock_port/Unblock_port.py | 63 ++++++++++++++++++ 34 files changed, 1440 insertions(+) create mode 100644 
responders/PaloAltoNGFW_block_external_IP_address/Block_ip.py create mode 100644 responders/PaloAltoNGFW_block_external_IP_address/PaloAltoNGFW_block_external_IP_address.json create mode 100644 responders/PaloAltoNGFW_block_external_IP_address/README.md create mode 100644 responders/PaloAltoNGFW_block_external_domain/Block_domain.py create mode 100644 responders/PaloAltoNGFW_block_external_domain/PaloAltoNGFW_block_external_domain.json create mode 100644 responders/PaloAltoNGFW_block_external_domain/README.md create mode 100644 responders/PaloAltoNGFW_block_external_port/Block_port.py create mode 100644 responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json create mode 100644 responders/PaloAltoNGFW_block_external_port/README.md create mode 100644 responders/PaloAltoNGFW_block_external_url/Block_url.py create mode 100644 responders/PaloAltoNGFW_block_external_url/PaloAltoNGFW_block_external_url.json create mode 100644 responders/PaloAltoNGFW_block_external_url/README.md create mode 100644 responders/PaloAltoNGFW_block_internal_IP_address/Block_ip.py create mode 100644 responders/PaloAltoNGFW_block_internal_IP_address/PaloAltoNGFW_block_internal_IP_address.json create mode 100644 responders/PaloAltoNGFW_block_internal_IP_address/README.md create mode 100644 responders/PaloAltoNGFW_block_internal_domain/Block_domain.py create mode 100644 responders/PaloAltoNGFW_block_internal_domain/PaloAltoNGFW_block_internal_domain.json create mode 100644 responders/PaloAltoNGFW_block_internal_domain/README.md create mode 100644 responders/PaloAltoNGFW_block_internal_port/Block_port.py create mode 100644 responders/PaloAltoNGFW_block_internal_port/PaloAltoNGFW_block_internal_port.json create mode 100644 responders/PaloAltoNGFW_block_internal_port/README.md create mode 100644 responders/PaloAltoNGFW_block_internal_url/Block_url.py create mode 100644 responders/PaloAltoNGFW_block_internal_url/PaloAltoNGFW_block_internal_url.json create mode 100644 
responders/PaloAltoNGFW_block_internal_url/README.md create mode 100644 responders/PaloAltoNGFW_unblock_domain/PaloAltoNGFW_unblock_domain.json create mode 100644 responders/PaloAltoNGFW_unblock_domain/README.md create mode 100644 responders/PaloAltoNGFW_unblock_domain/Unblock_domain.py create mode 100644 responders/PaloAltoNGFW_unblock_ip/PaloAltoNGFW_unblock_ip.json create mode 100644 responders/PaloAltoNGFW_unblock_ip/README.md create mode 100644 responders/PaloAltoNGFW_unblock_ip/Unblock_ip.py create mode 100644 responders/PaloAltoNGFW_unblock_port/.Unblock_port.py.swp create mode 100644 responders/PaloAltoNGFW_unblock_port/PaloAltoNGFW_unblock_port.json create mode 100644 responders/PaloAltoNGFW_unblock_port/README.md create mode 100644 responders/PaloAltoNGFW_unblock_port/Unblock_port.py diff --git a/responders/PaloAltoNGFW_block_external_IP_address/Block_ip.py b/responders/PaloAltoNGFW_block_external_IP_address/Block_ip.py new file mode 100644 index 000000000..da280475c --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_IP_address/Block_ip.py 
@@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from thehive4py.api import TheHiveApi +from panos import firewall +import panos.objects + +class Block_ip(Responder): + def __init__(self): + Responder.__init__(self) + self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') + self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') + self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') + self.name_external_Address_Group = self.get_param('config.name_external_Address_Group') + self.thehive_instance = self.get_param('config.thehive_instance') + self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') + self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key) + + def run(self): + alertId = self.get_param('data.id') + response = self.api.get_alert(alertId) + ioc=None + ioc_clear=[] + for i in list(response.json().get("artifacts")): + if 'ip' in str(i): + ioc = i.get("data") + for i in ioc: + if i == "[" or i == "]": + continue + else: + ioc_clear.append(i) + ioc="".join(ioc_clear) + fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW) + panos.objects.AddressObject.refreshall(fw) + if ioc not in str(fw.find(ioc, panos.objects.AddressObject)): + new_ioc_object = panos.objects.AddressObject(ioc, ioc, description="Blocked ip address") + fw.add(new_ioc_object) + new_ioc_object.create() + panos.objects.AddressGroup.refreshall(fw) + block_list = fw.find(self.name_external_Address_Group, panos.objects.AddressGroup) + ioc_list = block_list.about().get('static_value') + if ioc not in ioc_list: + ioc_list.append(ioc) + temp1 = panos.objects.AddressGroup(self.name_external_Address_Group, static_value=ioc_list) + fw.add(temp1) + temp1.apply() + self.report({'message': 'message sent'}) + +if __name__ == '__main__': + Block_ip().run() 
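Review bot: The artifact selection `if 'ip' in str(i)` is a substring test on the artifact's whole repr, so any artifact whose tags or message contain "ip" (or a "zip" filename) is picked, and when several artifacts match, the `for i in ioc` character loop appends them all into `ioc_clear`, producing one concatenated bogus address that is then written to the firewall; test `i.get('dataType') != 'ip': continue` and block each value on its own. Nothing validates the value before it becomes both the name and the value of an AddressObject — parse it with `ipaddress.ip_address()` (needs `import ipaddress`) and call `self.error()` on failure or when no ip artifact exists, instead of letting an empty string reach `ioc_list.append(ioc)`. `apply()`/`create()` edit the candidate configuration only and, as far as I can see, nothing commits, so unless a commit happens elsewhere the block is never enforced — confirm against pan-os-python and either add `fw.commit(sync=True)` or document the external commit; `fw.find(self.name_external_Address_Group, ...)` also returns None for a missing group, which surfaces as an AttributeError rather than a responder error. Separately, the diffstat shows an editor swap file `.Unblock_port.py.swp` being added; drop it from the commit.
```python
    def run(self):
        alertId = self.get_param('data.id')
        response = self.api.get_alert(alertId)
        # Select by observable type, not by substring of the artifact repr,
        # and validate before anything is written to firewall config.
        iocs = []
        for artifact in response.json().get("artifacts") or []:
            if artifact.get("dataType") != "ip":
                continue
            candidate = str(artifact.get("data", "")).replace("[", "").replace("]", "")
            try:
                iocs.append(str(ipaddress.ip_address(candidate)))  # needs `import ipaddress` at file top
            except ValueError:
                self.error("artifact is not a valid IP address: %r" % candidate)
        if not iocs:
            self.error("alert has no ip artifact to block")
        # … unchanged: Firewall login, AddressObject/AddressGroup handling, run once per entry in iocs …
        fw.commit(sync=True)  # apply() edits the candidate config only; confirm against pan-os-python docs
        self.report({'message': 'blocked %d address(es)' % len(iocs)})
```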
diff --git a/responders/PaloAltoNGFW_block_external_IP_address/PaloAltoNGFW_block_external_IP_address.json b/responders/PaloAltoNGFW_block_external_IP_address/PaloAltoNGFW_block_external_IP_address.json new file mode 100644 index 000000000..761727b33 --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_IP_address/PaloAltoNGFW_block_external_IP_address.json @@ -0,0 +1,55 @@ +{ + "name": "PaloAltoNGFW_block_external_IP_address", + "version": "1.0.0", + "author": "Maxim Konakin", + "url": "", + "license": "AGPL-V3", + "description": "Block external IP address", + "dataTypeList": ["thehive:alert"], + "command": "PaloAltoNGFW_block_external_IP_address/Block_ip.py", + "baseConfig": "PaloAltoNGFW_block_external_IP_address", + "configurationItems": [ + { + "name": "Hostname_PaloAltoNGFW", + "description": "Hostname_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "User_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Password_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "name_external_Address_Group", + "description": "name_external_Address_Group", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_instance", + "description": "URL of the Thehive instance to query", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_api_key", + "description": "TheHive API key with read access", + "type": "string", + "multi": false, + "required": true + } + ] +} diff --git a/responders/PaloAltoNGFW_block_external_IP_address/README.md b/responders/PaloAltoNGFW_block_external_IP_address/README.md new file mode 100644 index 000000000..e58e9dd68 --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_IP_address/README.md 
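Review bot: The `Password_PaloAltoNGFW` item carries the copy-pasted description `"User_PaloAltoNGFW"`; change it to `"Password for the PAN-OS account used by this responder"`. Because that password sits in Cortex configuration in clear text and the responder only creates address objects and edits one address group, the description should tell operators to use a dedicated PAN-OS admin role restricted to those objects rather than a superuser account. pan-os-python also accepts an `api_key` in place of username/password, which would be a narrower secret to hold — this schema does not expose it, so that is a suggestion for a follow-up rather than a defect in these lines.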
@@ -0,0 +1,21 @@ +# Block external IP address for Palo Alto NGFW + +Response module for block external IP address for Palo Alto NGFW + +# Installation + +need install: +1. pan-os-python +2. thehive4py + +# ToDo + +to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_external_Address_Group". +https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list + +principle of operation: +1. the value is selected from the alert the hive. +2. ioc compare against already added AddressObject. +3. if ioc not in AddressObject, will add +4. if ioc in AddressObject, next step +5. checks if there is already a blocking list, if not, ioc will add \ No newline at end of file diff --git a/responders/PaloAltoNGFW_block_external_domain/Block_domain.py b/responders/PaloAltoNGFW_block_external_domain/Block_domain.py new file mode 100644 index 000000000..b1557d77f --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_domain/Block_domain.py 
@@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from thehive4py.api import TheHiveApi +from panos import firewall +import panos.objects + +class Block_domain(Responder): + def __init__(self): + Responder.__init__(self) + self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') + self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') + self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') + self.name_external_Address_Group_for_domain = self.get_param('config.name_external_Address_Group') + self.thehive_instance = self.get_param('config.thehive_instance') + self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') + self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key) + + def run(self): + alertId = self.get_param('data.id') + response = self.api.get_alert(alertId) + ioc=None + ioc_clear=[] + for i in list(response.json().get("artifacts")): + if 'hostname' in str(i): + ioc = i.get("data") + for i in ioc: + if i == "[" or i == "]": + continue + else: + ioc_clear.append(i) + ioc="".join(ioc_clear) + fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW) + panos.objects.AddressObject.refreshall(fw) + if ioc not in str(fw.find(ioc, panos.objects.AddressObject)): + new_ioc_object = panos.objects.AddressObject(ioc, ioc, description="Blocked fqdn",type="fqdn") + fw.add(new_ioc_object) + new_ioc_object.create() + panos.objects.AddressGroup.refreshall(fw) + block_list = fw.find(self.name_external_Address_Group_for_domain, panos.objects.AddressGroup) + ioc_list = block_list.about().get('static_value') + if ioc not in ioc_list: + ioc_list.append(ioc) + temp1 = panos.objects.AddressGroup(self.name_external_Address_Group_for_domain, static_value=ioc_list) + fw.add(temp1) + temp1.apply() + self.report({'message': 'message sent'}) + +if __name__ == '__main__': + 
Block_domain().run() diff --git a/responders/PaloAltoNGFW_block_external_domain/PaloAltoNGFW_block_external_domain.json b/responders/PaloAltoNGFW_block_external_domain/PaloAltoNGFW_block_external_domain.json new file mode 100644 index 000000000..28de7ece6 --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_domain/PaloAltoNGFW_block_external_domain.json @@ -0,0 +1,55 @@ +{ + "name": "PaloAltoNGFW_block_external_domain", + "version": "1.0.0", + "author": "Maxim Konakin", + "url": "", + "license": "AGPL-V3", + "description": "Block external domain", + "dataTypeList": ["thehive:alert"], + "command": "PaloAltoNGFW_block_external_domain/Block_domain.py", + "baseConfig": "PaloAltoNGFW_block_external_domain", + "configurationItems": [ + { + "name": "Hostname_PaloAltoNGFW", + "description": "Hostname_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "User_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Password_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "name_external_Address_Group", + "description": "name_external_Address_Group_for_domain", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_instance", + "description": "URL of the Thehive instance to query", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_api_key", + "description": "TheHive API key with read access", + "type": "string", + "multi": false, + "required": true + } + ] +} diff --git a/responders/PaloAltoNGFW_block_external_domain/README.md b/responders/PaloAltoNGFW_block_external_domain/README.md new file mode 100644 index 000000000..dfa67ff6d --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_domain/README.md 
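Review bot: `if 'hostname' in str(i)` matches on the artifact's repr rather than its type, so an artifact of type `domain` is skipped while any artifact whose message or tags mention "hostname" is blocked, and with several matches the `for i in ioc` character loop concatenates them into a single value; test `i.get('dataType') in ('hostname', 'domain')` and handle each value separately. The value goes straight into an FQDN AddressObject with no syntax check — a basic hostname validation before `new_ioc_object.create()` (length, allowed characters, at least one label) keeps malformed data out of firewall configuration. As with the sibling responders, `temp1.apply()` edits the candidate config only and nothing here commits, so confirm whether a commit is expected elsewhere. The `'message sent'` report is returned even when no artifact matched or the group already contained the value, so an operator cannot tell a no-op from a block.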
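Review bot: The config item is named `name_external_Address_Group` but described as `name_external_Address_Group_for_domain`, and `Password_PaloAltoNGFW` is described as `"User_PaloAltoNGFW"`; align the descriptions with the names, e.g. `"Address group referenced by the external-domain deny policy (must already exist)"` and `"Password for the PAN-OS account used by this responder"`. The "must already exist" part matters because the script calls `block_list.about()` without checking for None, so a missing group fails with an AttributeError rather than a clear responder error.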
@@ -0,0 +1,21 @@ +# Block external IP address for Palo Alto NGFW + +Response module for block external IP address for Palo Alto NGFW + +# Installation + +need install: +1. pan-os-python +2. thehive4py + +# ToDo + +to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_external_Address_Group". +https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list + +principle of operation: +1. the value is selected from the alert the hive. +2. ioc compare against already added AddressObject. +3. if ioc not in AddressObject, will add +4. if ioc in AddressObject, next step +5. checks if there is already a blocking list (Address_Group), if not, ioc will add \ No newline at end of file diff --git a/responders/PaloAltoNGFW_block_external_port/Block_port.py b/responders/PaloAltoNGFW_block_external_port/Block_port.py new file mode 100644 index 000000000..6f1a919bc --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_port/Block_port.py 
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from thehive4py.api import TheHiveApi +from panos import firewall +import panos.objects +import re +class Block_port(Responder): + def __init__(self): + Responder.__init__(self) + self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') + self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') + self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') + self.name_external_Service_Group = self.get_param('config.name_external_Service_Group') + self.thehive_instance = self.get_param('config.thehive_instance') + self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') + self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key) + + def run(self): + alertId = self.get_param('data.id') + response = self.api.get_alert(alertId) + data_list=[] + data=None + for i in response.json().get("artifacts"): + if "'port'," in str(i): + ioc = i.get("data") + data_list.append(i.get("data")) + elif "'protocol'," in str(i): + ioc = i.get("data") + data_list.append(i.get("data")) + data=" ".join(data_list) + protocol=re.findall(r'[a-z]+',str(data)); protocol=str("".join(protocol)).lower() + port=re.findall(r'[0-9]+',str(data)); port="".join(port) + fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW) + panos.objects.ServiceObject.refreshall(fw) + if port not in str(fw.find(port, panos.objects.ServiceObject)): + new_port_object = panos.objects.ServiceObject(port, protocol, description="Blocked port",destination_port=port) + fw.add(new_port_object) + new_port_object.create() + + + panos.objects.ServiceGroup.refreshall(fw) + block_list = fw.find(self.name_external_Service_Group, panos.objects.ServiceGroup) + port_list = block_list.about().get('value') + if port not in port_list: + port_list.append(port) + temp1 = 
panos.objects.ServiceGroup(self.name_external_Service_Group, value=port_list) + fw.add(temp1) + temp1.apply() + self.report({'message': 'message sent'}) + +if __name__ == '__main__': + Block_port().run() diff --git a/responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json b/responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json new file mode 100644 index 000000000..540be6dc7 --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json @@ -0,0 +1,55 @@ +{ + "name": "PaloAltoNGFW_block_external_port", + "version": "1.0.0", + "author": "Maxim Konakin", + "url": "", + "license": "AGPL-V3", + "description": "Block external port", + "dataTypeList": ["thehive:alert"], + "command": "PaloAltoNGFW_block_external_port/Block_port.py", + "baseConfig": "PaloAltoNGFW_block_external_port", + "configurationItems": [ + { + "name": "Hostname_PaloAltoNGFW", + "description": "Hostname_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "User_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Password_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "name_external_Service_Group", + "description": "name_external_Service_Group", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_instance", + "description": "URL of the Thehive instance to query", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_api_key", + "description": "TheHive API key with read access", + "type": "string", + "multi": false, + "required": true + } + ] +} diff --git a/responders/PaloAltoNGFW_block_external_port/README.md b/responders/PaloAltoNGFW_block_external_port/README.md new file mode 100644 index 000000000..9b84128e4 --- /dev/null 
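Review bot: `protocol` and `port` are recovered by regex from the joined artifact data (`re.findall(r'[a-z]+', ...)` and `r'[0-9]+'`), so an alert with two port artifacts yields a concatenated port number, a single artifact such as `tcp/443` is silently split, and whatever letters appear in the data become the protocol that is passed unchecked to `ServiceObject(port, protocol, ...)`; read `dataType` and `data` explicitly, check `protocol in ('tcp', 'udp')` and `0 < int(port) <= 65535`, and `self.error()` otherwise. `ioc` is assigned in both branches and never used. The service object and group are only applied to the candidate configuration — nothing commits, so confirm whether enforcement depends on a commit elsewhere — and `fw.find(self.name_external_Service_Group, ...)` returning None for a missing group is not handled before `block_list.about()`.
```python
        port = protocol = None
        for artifact in response.json().get("artifacts") or []:
            if artifact.get("dataType") == "port":
                port = str(artifact.get("data", "")).strip()
            elif artifact.get("dataType") == "protocol":
                protocol = str(artifact.get("data", "")).strip().lower()
        if protocol not in ("tcp", "udp") or not (port or "").isdigit() or not 0 < int(port) <= 65535:
            self.error("alert needs one port (1-65535) and one protocol (tcp/udp) artifact")
        # … unchanged: Firewall login, ServiceObject / ServiceGroup handling …
```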
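Review bot: `Password_PaloAltoNGFW` is described as `"User_PaloAltoNGFW"`, a copy-paste leftover; use `"Password for the PAN-OS account used by this responder"`. The `name_external_Service_Group` description should state that the service group must already exist and be referenced by a deny rule, since the script only appends to it and raises on a missing group.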
+++ b/responders/PaloAltoNGFW_block_external_port/README.md @@ -0,0 +1,23 @@ +# Block external IP address for Palo Alto NGFW + +Response module for block external IP address for Palo Alto NGFW + +# Installation + +need install: +1. pan-os-python +2. thehive4py + +# ToDo + +to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_external_Service_Group". + +First: you need add field "port" and "protocol" to "Observable types management" in the hive. +or you can change script and call your field names + +principle of operation: +1. the value is selected from the alert the hive. +2. ioc compare against already added Service_Group. +3. if ioc not in Service_Group, will add field port and protocol +4. if ioc in Service_Group, next step +5. checks if there is already a blocking list, if not, ioc will add \ No newline at end of file diff --git a/responders/PaloAltoNGFW_block_external_url/Block_url.py b/responders/PaloAltoNGFW_block_external_url/Block_url.py new file mode 100644 index 000000000..33eb834ad --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_url/Block_url.py 
@@ -0,0 +1,46 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from thehive4py.api import TheHiveApi +from panos import firewall +import panos.objects + +class Block_url(Responder): + def __init__(self): + Responder.__init__(self) + self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') + self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') + self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') + self.name_external_URL_category = self.get_param('config.name_external_URL_category') + self.thehive_instance = self.get_param('config.thehive_instance') + self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') + self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key) + + def run(self): + alertId = self.get_param('data.id') + response = self.api.get_alert(alertId) + ioc=None + ioc_clear=[] + for i in list(response.json().get("artifacts")): + if 'url' in str(i): + ioc = i.get("data") + for i in ioc: + if i == "[" or i == "]": + continue + else: + ioc_clear.append(i) + ioc="".join(ioc_clear) + fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW) + panos.objects.CustomUrlCategory.refreshall(fw) + block_list = fw.find(self.name_external_URL_category, panos.objects.CustomUrlCategory) + ioc_list = block_list.about().get('url_value') + if ioc not in ioc_list: + ioc_list.append(ioc) + temp1 = panos.objects.CustomUrlCategory(self.name_external_URL_category, url_value=ioc_list) + fw.add(temp1) + temp1.create() + self.report({'message': 'message sent'}) + +if __name__ == '__main__': + Block_url().run() diff --git a/responders/PaloAltoNGFW_block_external_url/PaloAltoNGFW_block_external_url.json b/responders/PaloAltoNGFW_block_external_url/PaloAltoNGFW_block_external_url.json new file mode 100644 index 000000000..fbeee7697 --- /dev/null 
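Review bot: `if 'url' in str(i)` is a substring test on the artifact repr, so artifacts whose tags or message contain "url" are blocked and several url artifacts are merged character-by-character into one entry before `ioc_list.append(ioc)`; select with `i.get('dataType') == 'url'` and add each value separately. The value is not checked at all before it lands in the custom URL category — at minimum reject an empty string, and decide whether a scheme such as `http://` should be stripped, since category entries are matched on host and path (please confirm against the PAN-OS custom URL category syntax). `block_list` is None when the category is missing, and `temp1.create()` only updates the candidate config — no commit is issued here, so confirm where enforcement happens. The report always says `'message sent'`, even when nothing was added.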
+++ b/responders/PaloAltoNGFW_block_external_url/PaloAltoNGFW_block_external_url.json @@ -0,0 +1,55 @@ +{ + "name": "PaloAltoNGFW_block_external_url", + "version": "1.0.0", + "author": "Maxim Konakin", + "url": "", + "license": "AGPL-V3", + "description": "Block external domain", + "dataTypeList": ["thehive:alert"], + "command": "PaloAltoNGFW_block_external_url/Block_url.py", + "baseConfig": "PaloAltoNGFW_block_external_url", + "configurationItems": [ + { + "name": "Hostname_PaloAltoNGFW", + "description": "Hostname_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "User_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Password_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "name_external_URL_category", + "description": "name_external_URL_category", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_instance", + "description": "URL of the Thehive instance to query", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_api_key", + "description": "TheHive API key with read access", + "type": "string", + "multi": false, + "required": true + } + ] +} diff --git a/responders/PaloAltoNGFW_block_external_url/README.md b/responders/PaloAltoNGFW_block_external_url/README.md new file mode 100644 index 000000000..a97c170ef --- /dev/null +++ b/responders/PaloAltoNGFW_block_external_url/README.md 
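Review bot: The responder's `description` reads `"Block external domain"` although this module blocks URLs, and `Password_PaloAltoNGFW` is described as `"User_PaloAltoNGFW"`; change them to `"Block external URL"` and `"Password for the PAN-OS account used by this responder"`. The `name_external_URL_category` description should note that the custom URL category must already exist and be referenced by a deny rule, because the script dereferences `fw.find(...)` without a None check.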
@@ -0,0 +1,19 @@ +# Block external IP address for Palo Alto NGFW + +Response module for block external IP address for Palo Alto NGFW + +# Installation + +need install: +1. pan-os-python +2. thehive4py + +# ToDo + +to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_external_URL_category". + + +principle of operation: +1. the value is selected from the alert the hive. +2. ioc compare against already added URL_category. +3. checks if there is already a blocking list, if not, ioc will add \ No newline at end of file diff --git a/responders/PaloAltoNGFW_block_internal_IP_address/Block_ip.py b/responders/PaloAltoNGFW_block_internal_IP_address/Block_ip.py new file mode 100644 index 000000000..6a0db4d52 --- /dev/null +++ b/responders/PaloAltoNGFW_block_internal_IP_address/Block_ip.py 
@@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from thehive4py.api import TheHiveApi +from panos import firewall +import panos.objects + +class Block_ip(Responder): + def __init__(self): + Responder.__init__(self) + self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') + self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') + self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') + self.name_internal_Address_Group = self.get_param('config.name_internal_Address_Group') + self.thehive_instance = self.get_param('config.thehive_instance') + self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') + self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key) + + def run(self): + alertId = self.get_param('data.id') + response = self.api.get_alert(alertId) + ioc=None + ioc_clear=[] + for i in list(response.json().get("artifacts")): + if 'ip' in str(i): + ioc = i.get("data") + for i in ioc: + if i == "[" or i == "]": + continue + else: + ioc_clear.append(i) + ioc="".join(ioc_clear) + fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW) + panos.objects.AddressObject.refreshall(fw) + if ioc not in str(fw.find(ioc, panos.objects.AddressObject)): + new_ioc_object = panos.objects.AddressObject(ioc, ioc, description="Blocked ip address") + fw.add(new_ioc_object) + new_ioc_object.create() + panos.objects.AddressGroup.refreshall(fw) + block_list = fw.find(self.name_internal_Address_Group, panos.objects.AddressGroup) + ioc_list = block_list.about().get('static_value') + if ioc not in ioc_list: + ioc_list.append(ioc) + temp1 = panos.objects.AddressGroup(self.name_internal_Address_Group, static_value=ioc_list) + fw.add(temp1) + temp1.apply() + self.report({'message': 'message sent'}) + +if __name__ == '__main__': + Block_ip().run() 
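Review bot: This file is identical to the external responder apart from the config key `name_internal_Address_Group`, so every defect there is duplicated here: `if 'ip' in str(i)` matches on the artifact repr instead of `i.get('dataType') == 'ip'`, multiple matches are concatenated into one address by the `for i in ioc` loop, the value is never validated with `ipaddress.ip_address()`, and `temp1.apply()` leaves the change uncommitted. For a responder that blocks internal hosts, a mis-parsed artifact means an outage rather than a missed block, which makes the validation step the first one to add. Consider a single `Block_ip.py` that takes the target group from config with two JSON definitions pointing at it, so a fix lands once.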
diff --git a/responders/PaloAltoNGFW_block_internal_IP_address/PaloAltoNGFW_block_internal_IP_address.json b/responders/PaloAltoNGFW_block_internal_IP_address/PaloAltoNGFW_block_internal_IP_address.json new file mode 100644 index 000000000..36ef81cd9 --- /dev/null +++ b/responders/PaloAltoNGFW_block_internal_IP_address/PaloAltoNGFW_block_internal_IP_address.json @@ -0,0 +1,55 @@ +{ + "name": "PaloAltoNGFW_block_internal_IP_address", + "version": "1.0.0", + "author": "Maxim Konakin", + "url": "", + "license": "AGPL-V3", + "description": "Block internal IP address", + "dataTypeList": ["thehive:alert"], + "command": "PaloAltoNGFW_block_internal_IP_address/Block_ip.py", + "baseConfig": "PaloAltoNGFW_block_internal_IP_address", + "configurationItems": [ + { + "name": "Hostname_PaloAltoNGFW", + "description": "Hostname_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "User_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Password_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "name_internal_Address_Group", + "description": "name_internal_Address_Group", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_instance", + "description": "URL of the Thehive instance to query", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_api_key", + "description": "TheHive API key with read access", + "type": "string", + "multi": false, + "required": true + } + ] +} diff --git a/responders/PaloAltoNGFW_block_internal_IP_address/README.md b/responders/PaloAltoNGFW_block_internal_IP_address/README.md new file mode 100644 index 000000000..e58e9dd68 --- /dev/null +++ b/responders/PaloAltoNGFW_block_internal_IP_address/README.md 
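Review bot: `Password_PaloAltoNGFW` carries the copied description `"User_PaloAltoNGFW"`; use `"Password for the PAN-OS account used by this responder"`. Since this responder adds internal hosts to a blocking group, the `name_internal_Address_Group` description should spell out the consequence (the host loses connectivity once the change is committed) so operators point it at the right group.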
@@ -0,0 +1,21 @@ +# Block external IP address for Palo Alto NGFW + +Response module for block external IP address for Palo Alto NGFW + +# Installation + +need install: +1. pan-os-python +2. thehive4py + +# ToDo + +to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_external_Address_Group". +https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list + +principle of operation: +1. the value is selected from the alert the hive. +2. ioc compare against already added AddressObject. +3. if ioc not in AddressObject, will add +4. if ioc in AddressObject, next step +5. checks if there is already a blocking list, if not, ioc will add \ No newline at end of file diff --git a/responders/PaloAltoNGFW_block_internal_domain/Block_domain.py b/responders/PaloAltoNGFW_block_internal_domain/Block_domain.py new file mode 100644 index 000000000..cb1d1ce96 --- /dev/null +++ b/responders/PaloAltoNGFW_block_internal_domain/Block_domain.py 
@@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from thehive4py.api import TheHiveApi +from panos import firewall +import panos.objects + +class Block_domain(Responder): + def __init__(self): + Responder.__init__(self) + self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW') + self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW') + self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW') + self.name_internal_Address_Group_for_domain = self.get_param('config.name_internal_Address_Group') + self.thehive_instance = self.get_param('config.thehive_instance') + self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE') + self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key) + + def run(self): + alertId = self.get_param('data.id') + response = self.api.get_alert(alertId) + ioc=None + ioc_clear=[] + for i in list(response.json().get("artifacts")): + if 'hostname' in str(i): + ioc = i.get("data") + for i in ioc: + if i == "[" or i == "]": + continue + else: + ioc_clear.append(i) + ioc="".join(ioc_clear) + fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW) + panos.objects.AddressObject.refreshall(fw) + if ioc not in str(fw.find(ioc, panos.objects.AddressObject)): + new_ioc_object = panos.objects.AddressObject(ioc, ioc, description="Blocked fqdn",type="fqdn") + fw.add(new_ioc_object) + new_ioc_object.create() + panos.objects.AddressGroup.refreshall(fw) + block_list = fw.find(self.name_internal_Address_Group_for_domain, panos.objects.AddressGroup) + ioc_list = block_list.about().get('static_value') + if ioc not in ioc_list: + ioc_list.append(ioc) + temp1 = panos.objects.AddressGroup(self.name_internal_Address_Group_for_domain, static_value=ioc_list) + fw.add(temp1) + temp1.apply() + self.report({'message': 'message sent'}) + +if __name__ == '__main__': + 
Block_domain().run() diff --git a/responders/PaloAltoNGFW_block_internal_domain/PaloAltoNGFW_block_internal_domain.json b/responders/PaloAltoNGFW_block_internal_domain/PaloAltoNGFW_block_internal_domain.json new file mode 100644 index 000000000..e52db2720 --- /dev/null +++ b/responders/PaloAltoNGFW_block_internal_domain/PaloAltoNGFW_block_internal_domain.json @@ -0,0 +1,55 @@ +{ + "name": "PaloAltoNGFW_block_internal_domain", + "version": "1.0.0", + "author": "Maxim Konakin", + "url": "", + "license": "AGPL-V3", + "description": "Block internal domain", + "dataTypeList": ["thehive:alert"], + "command": "PaloAltoNGFW_block_internal_domain/Block_domain.py", + "baseConfig": "PaloAltoNGFW_block_internal_domain", + "configurationItems": [ + { + "name": "Hostname_PaloAltoNGFW", + "description": "Hostname_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "User_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Password_PaloAltoNGFW", + "description": "User_PaloAltoNGFW", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "name_internal_Address_Group", + "description": "name_internal_Address_Group_for_domain", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_instance", + "description": "URL of the Thehive instance to query", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "thehive_api_key", + "description": "TheHive API key with read access", + "type": "string", + "multi": false, + "required": true + } + ] +} diff --git a/responders/PaloAltoNGFW_block_internal_domain/README.md b/responders/PaloAltoNGFW_block_internal_domain/README.md new file mode 100644 index 000000000..bda74a5f2 --- /dev/null +++ b/responders/PaloAltoNGFW_block_internal_domain/README.md 
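Review bot: Same as the external variant: `if 'hostname' in str(i)` is a substring match on the artifact repr, multiple matches are concatenated by the `for i in ioc` loop, no hostname validation precedes `new_ioc_object.create()`, and `temp1.apply()` leaves the change uncommitted; fix by testing `i.get('dataType') in ('hostname', 'domain')` and handling each value separately. The file differs from `PaloAltoNGFW_block_external_domain/Block_domain.py` only in the config key, so one parameterised script would avoid fixing the same bug twice.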
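Review bot: The item `name_internal_Address_Group` is described as `name_internal_Address_Group_for_domain` and `Password_PaloAltoNGFW` as `"User_PaloAltoNGFW"`; align them, e.g. `"Address group referenced by the internal-domain deny policy (must already exist)"` and `"Password for the PAN-OS account used by this responder"`. Stating that the group must pre-exist is needed because the script fails with an AttributeError when `fw.find(...)` returns None.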
@@ -0,0 +1,21 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_internal_Address_Group_for_domain".
+https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added AddressObject.
+3. if ioc not in AddressObject, will add
+4. if ioc in AddressObject, next step
+5. checks if there is already a blocking list, if not, ioc will add
\ No newline at end of file
diff --git a/responders/PaloAltoNGFW_block_internal_port/Block_port.py b/responders/PaloAltoNGFW_block_internal_port/Block_port.py
new file mode 100644
index 000000000..3d2e00fa1
--- /dev/null
+++ b/responders/PaloAltoNGFW_block_internal_port/Block_port.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+import re
+class Block_port(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+ self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+ self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+ self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+ self.name_internal_Service_Group = self.get_param('config.name_internal_Service_Group')
+ self.thehive_instance = self.get_param('config.thehive_instance')
+ self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+ self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+ def run(self):
+ alertId = self.get_param('data.id')
+ response = self.api.get_alert(alertId)
+ data_list=[]
+ data=None
+ for i in response.json().get("artifacts"):
+ if "'port'," in str(i):
+ ioc = i.get("data")
+ data_list.append(i.get("data"))
+ elif "'protocol'," in str(i):
+ ioc = i.get("data")
+ data_list.append(i.get("data"))
+ data=" ".join(data_list)
+ protocol=re.findall(r'[a-z]+',str(data)); protocol=str("".join(protocol)).lower()
+ port=re.findall(r'[0-9]+',str(data)); port="".join(port)
+ fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+ panos.objects.ServiceObject.refreshall(fw)
+ if port not in str(fw.find(port, panos.objects.ServiceObject)):
+ new_port_object = panos.objects.ServiceObject(port, protocol, description="Blocked port",destination_port=port)
+ fw.add(new_port_object)
+ new_port_object.create()
+
+
+ panos.objects.ServiceGroup.refreshall(fw)
+ block_list = fw.find(self.name_internal_Service_Group, panos.objects.ServiceGroup)
+ port_list = block_list.about().get('value')
+ if port not in port_list:
+ port_list.append(port)
+ temp1 = panos.objects.ServiceGroup(self.name_internal_Service_Group, value=port_list)
+ fw.add(temp1)
+ temp1.apply()
+ self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+ Block_port().run()
diff --git a/responders/PaloAltoNGFW_block_internal_port/PaloAltoNGFW_block_internal_port.json b/responders/PaloAltoNGFW_block_internal_port/PaloAltoNGFW_block_internal_port.json
new file mode 100644
index 000000000..e2b3c94dc
--- /dev/null
+++ b/responders/PaloAltoNGFW_block_internal_port/PaloAltoNGFW_block_internal_port.json
@@ -0,0 +1,55 @@
+{
+ "name": "PaloAltoNGFW_block_internal_port",
+ "version": "1.0.0",
+ "author": "Maxim Konakin",
+ "url": "",
+ "license": "AGPL-V3",
+ "description": "Block internal port",
+ "dataTypeList": ["thehive:alert"],
+ "command": "PaloAltoNGFW_block_internal_port/Block_port.py",
+ "baseConfig": "PaloAltoNGFW_block_internal_port",
+ "configurationItems": [
+ {
+ "name": "Hostname_PaloAltoNGFW",
+ "description": "Hostname_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "User_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "Password_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_internal_Service_Group",
+ "description": "name_internal_Service_Group",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_instance",
+ "description": "URL of the Thehive instance to query",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_api_key",
+ "description": "TheHive API key with read access",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/responders/PaloAltoNGFW_block_internal_port/README.md b/responders/PaloAltoNGFW_block_internal_port/README.md
new file mode 100644
index 000000000..ef1df5628
--- /dev/null
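Review bot: `protocol` is extracted with `re.findall(r'[a-z]+', str(data))` before `.lower()` is applied, so an artifact such as `TCP` yields an empty protocol and a ServiceObject with no protocol is pushed; lowercase first, `protocol = "".join(re.findall(r'[a-z]+', str(data).lower()))`. Neither value is validated afterwards: when the alert lacks port/protocol artifacts, `port` is the empty string and `port not in str(fw.find(...))` still passes, so a guard such as `if protocol not in ("tcp", "udp") or not port.isdigit(): self.error("alert has no usable port/protocol artifact")` belongs before the firewall is touched. `ioc` is assigned in both branches of the loop but never read. The same extraction code is repeated in the Unblock_port hunk.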
+++ b/responders/PaloAltoNGFW_block_internal_port/README.md
@@ -0,0 +1,23 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_internal_Service_Group".
+
+First: you need add field "port" and "protocol" to "Observable types management" in the hive.
+or you can change script and call your field names
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added Service_Group.
+3. if ioc not in Service_Group, will add field port and protocol
+4. if ioc in Service_Group, next step
+5. checks if there is already a blocking list, if not, ioc will add
\ No newline at end of file
diff --git a/responders/PaloAltoNGFW_block_internal_url/Block_url.py b/responders/PaloAltoNGFW_block_internal_url/Block_url.py
new file mode 100644
index 000000000..39793efef
--- /dev/null
+++ b/responders/PaloAltoNGFW_block_internal_url/Block_url.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+
+class Block_url(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+ self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+ self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+ self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+ self.name_internal_URL_category = self.get_param('config.name_internal_URL_category')
+ self.thehive_instance = self.get_param('config.thehive_instance')
+ self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+ self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+ def run(self):
+ alertId = self.get_param('data.id')
+ response = self.api.get_alert(alertId)
+ ioc=None
+ ioc_clear=[]
+ for i in list(response.json().get("artifacts")):
+ if 'url' in str(i):
+ ioc = i.get("data")
+ for i in ioc:
+ if i == "[" or i == "]":
+ continue
+ else:
+ ioc_clear.append(i)
+ ioc="".join(ioc_clear)
+ fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+ panos.objects.CustomUrlCategory.refreshall(fw)
+ block_list = fw.find(self.name_internal_URL_category, panos.objects.CustomUrlCategory)
+ ioc_list = block_list.about().get('url_value')
+ if ioc not in ioc_list:
+ ioc_list.append(ioc)
+ temp1 = panos.objects.CustomUrlCategory(self.name_internal_URL_category, url_value=ioc_list)
+ fw.add(temp1)
+ temp1.create()
+ self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+ Block_url().run()
diff --git a/responders/PaloAltoNGFW_block_internal_url/PaloAltoNGFW_block_internal_url.json b/responders/PaloAltoNGFW_block_internal_url/PaloAltoNGFW_block_internal_url.json
new file mode 100644
index 000000000..04258ecd7
--- /dev/null
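Review bot: `'url' in str(i)` matches any artifact whose repr contains that substring (a message or tag with the word in it included) and leaves `ioc` as `None`, so `for i in ioc:` raises TypeError when no url artifact exists; select by artifact type, `if i.get("dataType") == "url":`, and fail with `self.error("no url artifact in alert")` when nothing matched. `temp1.create()` here differs from the `apply()` the address-group responders use; if the intent is to replace the category's member list with `ioc_list`, `apply()` is the matching call, otherwise a comment should say why a set rather than an edit is wanted. `fw.find()` returning `None` for a missing category is also unchecked before `.about()`. As with the other responders, the candidate configuration is left uncommitted.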
+++ b/responders/PaloAltoNGFW_block_internal_url/PaloAltoNGFW_block_internal_url.json
@@ -0,0 +1,55 @@
+{
+ "name": "PaloAltoNGFW_block_internal_url",
+ "version": "1.0.0",
+ "author": "Maxim Konakin",
+ "url": "",
+ "license": "AGPL-V3",
+ "description": "Block internal domain",
+ "dataTypeList": ["thehive:alert"],
+ "command": "PaloAltoNGFW_block_internal_url/Block_url.py",
+ "baseConfig": "PaloAltoNGFW_block_internal_url",
+ "configurationItems": [
+ {
+ "name": "Hostname_PaloAltoNGFW",
+ "description": "Hostname_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "User_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "Password_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_internal_URL_category",
+ "description": "name_internal_URL_category",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_instance",
+ "description": "URL of the Thehive instance to query",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_api_key",
+ "description": "TheHive API key with read access",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/responders/PaloAltoNGFW_block_internal_url/README.md b/responders/PaloAltoNGFW_block_internal_url/README.md
new file mode 100644
index 000000000..bda74a5f2
--- /dev/null
+++ b/responders/PaloAltoNGFW_block_internal_url/README.md
@@ -0,0 +1,21 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_internal_Address_Group_for_domain".
+https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-block-ip-list
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added AddressObject.
+3. if ioc not in AddressObject, will add
+4. if ioc in AddressObject, next step
+5. checks if there is already a blocking list, if not, ioc will add
\ No newline at end of file
diff --git a/responders/PaloAltoNGFW_unblock_domain/PaloAltoNGFW_unblock_domain.json b/responders/PaloAltoNGFW_unblock_domain/PaloAltoNGFW_unblock_domain.json
new file mode 100644
index 000000000..e93782451
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_domain/PaloAltoNGFW_unblock_domain.json
@@ -0,0 +1,62 @@
+{
+ "name": "PaloAltoNGFW_unblock_domain",
+ "version": "1.0.0",
+ "author": "Maxim Konakin",
+ "url": "",
+ "license": "AGPL-V3",
+ "description": "Unblock domain",
+ "dataTypeList": ["thehive:alert"],
+ "command": "PaloAltoNGFW_unblock_domain/Unblock_domain.py",
+ "baseConfig": "PaloAltoNGFW_unblock_domain",
+ "configurationItems": [
+ {
+ "name": "Hostname_PaloAltoNGFW",
+ "description": "Hostname_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "User_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "Password_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_internal_Address_Group",
+ "description": "name_internal_Address_Group_for_domain",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_external_Address_Group",
+ "description": "name_external_Address_Group_for_domain",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_instance",
+ "description": "URL of the Thehive instance to query",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_api_key",
+ "description": "TheHive API key with read access",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/responders/PaloAltoNGFW_unblock_domain/README.md b/responders/PaloAltoNGFW_unblock_domain/README.md
new file mode 100644
index 000000000..cfa6e002f
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_domain/README.md
@@ -0,0 +1,18 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_internal_Address_Group_for_domain" and "name_external_Address_Group_for_domain"
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. if ioc added in Address_Groups, script deleted ioc
+3. if ioc in AddressObject, script deleted ioc
\ No newline at end of file
diff --git a/responders/PaloAltoNGFW_unblock_domain/Unblock_domain.py b/responders/PaloAltoNGFW_unblock_domain/Unblock_domain.py
new file mode 100644
index 000000000..8b4c96e54
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_domain/Unblock_domain.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+
+class Unblock_domain(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+ self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+ self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+ self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+ self.name_internal_Address_Group_for_domain = self.get_param('config.name_internal_Address_Group')
+ self.name_external_Address_Group_for_domain = self.get_param('config.name_external_Address_Group')
+ self.thehive_instance = self.get_param('config.thehive_instance')
+ self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+ self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+ def run(self):
+ alertId = self.get_param('data.id')
+ response = self.api.get_alert(alertId)
+ ioc=None
+ ioc_clear=[]
+ for i in list(response.json().get("artifacts")):
+ if 'hostname' in str(i):
+ ioc = i.get("data")
+ for i in ioc:
+ if i == "[" or i == "]":
+ continue
+ else:
+ ioc_clear.append(i)
+ ioc="".join(ioc_clear)
+ fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+ panos.objects.AddressGroup.refreshall(fw)
+ block_list = fw.find(self.name_internal_Address_Group_for_domain, panos.objects.AddressGroup)
+ ioc_list = block_list.about().get('static_value')
+ if ioc in ioc_list:
+ ioc_list.remove(ioc)
+ temp1 = panos.objects.AddressGroup(self.name_internal_Address_Group_for_domain, static_value=ioc_list)
+ fw.add(temp1)
+ temp1.apply()
+
+ block_list = fw.find(self.name_external_Address_Group_for_domain, panos.objects.AddressGroup)
+ ioc_list = block_list.about().get('static_value')
+ if ioc in ioc_list:
+ ioc_list.remove(ioc)
+ temp1 = panos.objects.AddressGroup(self.name_external_Address_Group_for_domain, static_value=ioc_list)
+ fw.add(temp1)
+ temp1.apply()
+
+ panos.objects.AddressObject.refreshall(fw)
+ if ioc in str(fw.find(ioc, panos.objects.AddressObject)):
+ deleted_ioc = fw.find(ioc, panos.objects.AddressObject)
+ deleted_ioc.delete()
+
+ self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+ Unblock_domain().run()
diff --git a/responders/PaloAltoNGFW_unblock_ip/PaloAltoNGFW_unblock_ip.json b/responders/PaloAltoNGFW_unblock_ip/PaloAltoNGFW_unblock_ip.json
new file mode 100644
index 000000000..b5c2bacb6
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_ip/PaloAltoNGFW_unblock_ip.json
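Review bot: `fw.find(...)` returns `None` when a configured address group does not exist, so `block_list.about()` raises AttributeError for either group; the result needs a check that reports through `self.error(...)` before `.about()` is called. After `ioc_list.remove(ioc)` the group may be left with no members, and a static address group with no members is likely to be rejected by the firewall when `apply()` runs, so that case should be handled explicitly rather than surfacing as an API error. The internal and external passes are the same eight lines twice; a helper that does the lookup, the checks and the edit once keeps both groups in step, and the same refactor fits Unblock_ip and Unblock_port. Like the block responders, the change is left in the candidate configuration without a commit.
```python
    def _remove_from_group(self, fw, group_name, ioc):
        """Drop ioc from the static address group group_name, if present."""
        group = fw.find(group_name, panos.objects.AddressGroup)
        if group is None:
            self.error("address group %s not found on firewall" % group_name)
        members = group.about().get('static_value') or []
        if ioc not in members:
            return
        members.remove(ioc)
        if not members:
            self.error("refusing to leave address group %s empty" % group_name)
        group.static_value = members
        group.apply()

    def run(self):
        # … unchanged: artifact extraction and Firewall construction …
        panos.objects.AddressGroup.refreshall(fw)
        self._remove_from_group(fw, self.name_internal_Address_Group_for_domain, ioc)
        self._remove_from_group(fw, self.name_external_Address_Group_for_domain, ioc)
        # … unchanged: AddressObject deletion and report …
```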
@@ -0,0 +1,62 @@
+{
+ "name": "PaloAltoNGFW_unblock_ip",
+ "version": "1.0.0",
+ "author": "Maxim Konakin",
+ "url": "",
+ "license": "AGPL-V3",
+ "description": "Unblock ip",
+ "dataTypeList": ["thehive:alert"],
+ "command": "PaloAltoNGFW_unblock_ip/Unblock_ip.py",
+ "baseConfig": "PaloAltoNGFW_unblock_ip",
+ "configurationItems": [
+ {
+ "name": "Hostname_PaloAltoNGFW",
+ "description": "Hostname_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "User_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "Password_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_internal_Address_Group",
+ "description": "name_internal_Address_Group_for_ip",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_external_Address_Group",
+ "description": "name_external_Address_Group_for_ip",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_instance",
+ "description": "URL of the Thehive instance to query",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_api_key",
+ "description": "TheHive API key with read access",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/responders/PaloAltoNGFW_unblock_ip/README.md b/responders/PaloAltoNGFW_unblock_ip/README.md
new file mode 100644
index 000000000..0ff66431e
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_ip/README.md
@@ -0,0 +1,18 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_internal_Address_Group_" and "name_external_Address_Group"
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. if ioc added in Address_Groups, script deleted ioc
+3. if ioc in AddressObject, script deleted ioc
\ No newline at end of file
diff --git a/responders/PaloAltoNGFW_unblock_ip/Unblock_ip.py b/responders/PaloAltoNGFW_unblock_ip/Unblock_ip.py
new file mode 100644
index 000000000..2fae0f761
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_ip/Unblock_ip.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+
+class Unblock_ip(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+ self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+ self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+ self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+ self.name_internal_Address_Group = self.get_param('config.name_internal_Address_Group')
+ self.name_external_Address_Group = self.get_param('config.name_external_Address_Group')
+ self.thehive_instance = self.get_param('config.thehive_instance')
+ self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+ self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+ def run(self):
+ alertId = self.get_param('data.id')
+ response = self.api.get_alert(alertId)
+ ioc=None
+ ioc_clear=[]
+ for i in list(response.json().get("artifacts")):
+ if 'ip' in str(i):
+ ioc = i.get("data")
+ for i in ioc:
+ if i == "[" or i == "]":
+ continue
+ else:
+ ioc_clear.append(i)
+ ioc="".join(ioc_clear)
+ fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+ panos.objects.AddressGroup.refreshall(fw)
+ block_list = fw.find(self.name_internal_Address_Group, panos.objects.AddressGroup)
+ ioc_list = block_list.about().get('static_value')
+ if ioc in ioc_list:
+ ioc_list.remove(ioc)
+ temp1 = panos.objects.AddressGroup(self.name_internal_Address_Group, static_value=ioc_list)
+ fw.add(temp1)
+ temp1.apply()
+
+ block_list = fw.find(self.name_external_Address_Group, panos.objects.AddressGroup)
+ ioc_list = block_list.about().get('static_value')
+ if ioc in ioc_list:
+ ioc_list.remove(ioc)
+ temp1 = panos.objects.AddressGroup(self.name_external_Address_Group, static_value=ioc_list)
+ fw.add(temp1)
+ temp1.apply()
+
+ panos.objects.AddressObject.refreshall(fw)
+ if ioc in str(fw.find(ioc, panos.objects.AddressObject)):
+ deleted_ioc = fw.find(ioc, panos.objects.AddressObject)
+ deleted_ioc.delete()
+
+ self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+ Unblock_ip().run()
diff --git a/responders/PaloAltoNGFW_unblock_port/.Unblock_port.py.swp b/responders/PaloAltoNGFW_unblock_port/.Unblock_port.py.swp
new file mode 100644
index 0000000000000000000000000000000000000000..250cf29671ef19c5b0df4056331e4c2003749a86
GIT binary patch literal 12288 zcmeHNO=u)V7_HS^*T2=(1qJcYJ3)HJo%Cdl$Qm7EknC>M-GrDZVOiSBbahfmPgh%A zlVnyz1i^y`FM1LL5icG*i(Wl=5Y~%&6Ff<-i$_^})qm47naS)y#FZ*|GgZ}Jz543) zS6@v?txvtaaLGF7Oc9imgxom(k^A|3kCN%P2$4c4-94@ZqD6yE5i2LDd7@2uIAl;m zM5^(Ukc#b1&V@ASUSl$DNESyT^mKKJ24XHy;_`*_Z@8Us9dz4ngaM7!Qp1V5L&!~+ zQNSoLMu8J#`l++YR-dSxwoW~~I>z2SHVPO8i~>dhqkvJsC}0#Y3K#|cPYS5$2zeI^ zx+7cEZ1#O*;5%!YFQb4_z$jo8FbWt2i~>dhqkvJsC}0#Y3K#`$Lj|Zu$TxQq^3zc` zkN^MYfB)}4NXW0iFThv8`v3=4fR}+Yz$xIy1B84AECV-BpboqM{CPhip8`w3BJezL z68QZ-LVg6k1wH^;z>B~`z#sP#@;&eg5CM+>Ki@;htH5Kx&ASQt0@wyF0Z#%y94F*! z;A7xJU<&x_E<%0-z5~{PS>OraabW)#AzuP-0<*v~z%k$`un!Hi4%f97rWgf`0=Jz4 z7E1ZDP_^dBPFSrG?pv-K(l&EltJ$<{*VVU_T-TlW`XZWrf(co-?rNlh!eU@m!1CY@^}K3g&>LKg!IFp0eL;#&R86E$UJu(-OyYK!n~C5i26bzP1|8Pa>vsbl ztNs~^Zmgj#c37fn&!i+=VOf$S=Y)&toijawL)S$|A$~TPs@loyc8{@VS9+D>7cp9a z9`(N~HxK{Aa_itJs?H7Mn#{`#b7dy#0 zpHDvn6;qux}zMlxT@yfP_w7J3x|KYUYA0>#Wsq zGjx~9frOzQXjZIjX5AXHvk?Ks6PysjNdMh?&&Q>gNe5DJfQgNT+fT)xl)gCr4 zi;xwIEPQTWxmtAQgpekQFGQRsb!otG+9jV0UQf%cBe&L;5tX!EwKcoLy(|}c%(wIb zt2yCRFu4-EAwma#rfs=QV#DU&b=AWoLdeu9dde&COu@(Q2yarZVdnML4*85 zlgVi2q2_~}2eQ~`z5}L%TtidmXugZXGHr=-Ilp)AxClkATsIBkB!qQX_jk{bR)B2V z|KqaYKs!b72lfMD%qTZ?i literal 0 HcmV?d00001
diff --git a/responders/PaloAltoNGFW_unblock_port/PaloAltoNGFW_unblock_port.json b/responders/PaloAltoNGFW_unblock_port/PaloAltoNGFW_unblock_port.json
new file mode 100644
index 000000000..dfb3e6246
--- /dev/null
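Review bot: `'ip' in str(i)` is a substring test on the artifact's repr, so it matches any artifact whose data, message or tags contain "ip" (a "zip" filename, a "recipient" message, …) and the characters of every such match are concatenated into `ioc`; select by type, `if i.get("dataType") == "ip":`, and call `self.error("no ip artifact in alert")` when nothing matched, since `ioc` being `None` otherwise makes `for i in ioc:` raise TypeError. The two group passes mirror Unblock_domain, including the unchecked `fw.find()` result before `.about()` and the group possibly left empty after `remove()`; the same helper proposed there applies. No commit follows the edits.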
+++ b/responders/PaloAltoNGFW_unblock_port/PaloAltoNGFW_unblock_port.json
@@ -0,0 +1,62 @@
+{
+ "name": "PaloAltoNGFW_unblock_port",
+ "version": "1.0.0",
+ "author": "Maxim Konakin",
+ "url": "",
+ "license": "AGPL-V3",
+ "description": "Unblock domain",
+ "dataTypeList": ["thehive:alert"],
+ "command": "PaloAltoNGFW_unblock_port/Unblock_port.py",
+ "baseConfig": "PaloAltoNGFW_unblock_port",
+ "configurationItems": [
+ {
+ "name": "Hostname_PaloAltoNGFW",
+ "description": "Hostname_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "User_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "Password_PaloAltoNGFW",
+ "description": "User_PaloAltoNGFW",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_internal_Service_Group",
+ "description": "name_internal_Service_Group",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "name_external_Service_Group",
+ "description": "name_external_Service_Group",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_instance",
+ "description": "URL of the Thehive instance to query",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "thehive_api_key",
+ "description": "TheHive API key with read access",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/responders/PaloAltoNGFW_unblock_port/README.md b/responders/PaloAltoNGFW_unblock_port/README.md
new file mode 100644
index 000000000..3b0110cf7
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_port/README.md
@@ -0,0 +1,19 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in "name_internal_Service_Group" and "name_external_Service_Group".
+
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. if ioc added in Service_Groups, script deleted ioc
+3. if ioc in AddressObject, script deleted ioc
\ No newline at end of file
diff --git a/responders/PaloAltoNGFW_unblock_port/Unblock_port.py b/responders/PaloAltoNGFW_unblock_port/Unblock_port.py
new file mode 100644
index 000000000..c6c8cc835
--- /dev/null
+++ b/responders/PaloAltoNGFW_unblock_port/Unblock_port.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+import re
+class Unblock_port(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+ self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+ self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+ self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+ self.name_internal_Service_Group = self.get_param('config.name_internal_Service_Group')
+ self.name_external_Service_Group = self.get_param('config.name_external_Service_Group')
+ self.thehive_instance = self.get_param('config.thehive_instance')
+ self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+ self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+ def run(self):
+ alertId = self.get_param('data.id')
+ response = self.api.get_alert(alertId)
+ data_list=[]
+ data=None
+ for i in response.json().get("artifacts"):
+ if "'port'," in str(i):
+ ioc = i.get("data")
+ data_list.append(i.get("data"))
+ elif "'protocol'," in str(i):
+ ioc = i.get("data")
+ data_list.append(i.get("data"))
+ data=" ".join(data_list)
+ protocol=re.findall(r'[a-z]+',str(data)); protocol=str("".join(protocol)).lower()
+ port=re.findall(r'[0-9]+',str(data)); port="".join(port)
+ fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+ panos.objects.ServiceGroup.refreshall(fw)
+ raise IOError("to")
+ block_list = fw.find(self.name_internal_Service_Group, panos.objects.ServiceGroup)
+ port_list = block_list.about().get('value')
+ if port in port_list:
+ port_list.remove(port)
+ temp1 = panos.objects.ServiceGroup(self.name_internal_Service_Group, value=port_list)
+ fw.add(temp1)
+ temp1.apply()
+
+ block_list = fw.find(self.name_external_Service_Group, panos.objects.ServiceGroup)
+ port_list = block_list.about().get('value')
+ if port in port_list:
+ port_list.remove(port)
+ temp1 = panos.objects.ServiceGroup(self.name_external_Service_Group, value=port_list)
+ fw.add(temp1)
+ temp1.apply()
+
+ panos.objects.ServiceObject.refreshall(fw)
+ if port in str(fw.find(port, panos.objects.ServiceObject)):
+ deleted_ioc = fw.find(port, panos.objects.ServiceObject)
+ deleted_ioc.delete()
+
+ self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+ Unblock_port().run()
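Review bot: `raise IOError("to")` right after `panos.objects.ServiceGroup.refreshall(fw)` is a leftover debug statement that aborts every run before any group is touched, so this responder can never unblock anything; delete that line. Once it is gone, the same issues as in Block_port apply: `[a-z]+` is matched before `.lower()`, and an alert without port/protocol artifacts produces an empty `port` that is then looked up with `fw.find()` and compared against the group members. The unchecked `fw.find()` result and the group possibly left empty after `remove()` match the Unblock_domain notes. The editor swap file `.Unblock_port.py.swp` added alongside this script should be dropped from the commit and ignored.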