Merge pull request #171 from thalesgroup-cert/test
v2.1.2
ygalnezri authored Mar 6, 2025
2 parents 5bd1b80 + 2e95f9b commit 92f0b13
Showing 27 changed files with 311 additions and 398 deletions.
101 changes: 78 additions & 23 deletions Watcher/Watcher/common/core.py
Expand Up @@ -17,7 +17,7 @@
from .mail_template.dns_finder_group_template import get_dns_finder_group_template
from .utils.send_thehive_alerts import send_thehive_alert
from .utils.update_thehive import search_thehive_for_ticket_id, update_existing_alert_case, create_new_alert

import tldextract

def generate_ref():
"""
Expand Down Expand Up @@ -247,6 +247,15 @@ def generate_ref():
'tags': settings.THE_HIVE_TAGS
},
'dns_finder': {
'title': "New Twisted DNS found - {dns_domain_name_sanitized}",
'description_template': (
"**Alert:**\n"
"**New Twisted DNS found:**\n"
"*Twisted DNS:* {dns_domain_name_sanitized}\n"
"*Corporate Keyword:* {alert.dns_twisted.keyword_monitored}\n"
"*Corporate DNS:* {alert.dns_twisted.dns_monitored}\n"
"*Fuzzer:* {alert.dns_twisted.fuzzer}\n"
),
'severity': 1,
'tlp': 1,
'pap': 1,
Expand Down Expand Up @@ -469,39 +478,80 @@ def send_notification(channel, content_template, subscribers_filter, send_func,
print(f"{timezone.now()} - No valid alert data found or DNS Twisted information missing.")
return

current_time = timezone.now()
subdomain = alert.dns_twisted.domain_name

extracted = tldextract.extract(subdomain)
subdomain_part = extracted.subdomain
domain_part = extracted.domain
suffix_part = extracted.suffix

if suffix_part:
parent_domain = f"{domain_part}.{suffix_part}"

is_parent_domain = (not subdomain_part)
else:
return

dns_domain_name_sanitized = (
getattr(alert.dns_twisted, 'dns_domain_name_sanitized', None) or
alert.dns_twisted.domain_name.replace('.', '[.]')
)

if subscribers.filter(thehive=True).exists():
source = context_data.get('source')
subdomain = alert.dns_twisted.domain_name
parent_domain = '.'.join(subdomain.split('.')[-2:])

try:
parent_site = Site.objects.get(domain_name=parent_domain)
ticket_id = parent_site.ticket_id
except Site.DoesNotExist:
ticket_id = None

parent_site = Site.objects.filter(domain_name=parent_domain).first()
ticket_id = parent_site.ticket_id if parent_site else None
relevant_ticket_id = ticket_id if ticket_id else parent_ticket_id

dns_domain_name_sanitized = (
getattr(alert.dns_twisted, 'dns_domain_name_sanitized', None) or
alert.dns_twisted.domain_name.replace('.', '[.]')
)

observables = collect_observables(app_name, context_data)

subdomain = alert.dns_twisted.domain_name if alert and alert.dns_twisted else None
parent_domain = '.'.join(subdomain.split('.')[-2:]) if subdomain else None
if is_parent_domain:

if app_config_thehive:
common_data = {
'alert': alert,
'dns_domain_name_sanitized': dns_domain_name_sanitized,
'details_url': settings.WATCHER_URL + app_config_slack['url_suffix'],
'app_name': 'dns_finder'
}

formatted_title = app_config_thehive['title'].format(**common_data)

send_notification(
channel="thehive",
content_template=app_config_thehive['description_template'],
subscribers_filter={'thehive': True},
send_func=lambda content: send_thehive_alert(
title=formatted_title,
description=content,
severity=app_config_thehive['severity'],
tlp=app_config_thehive['tlp'],
pap=app_config_thehive['pap'],
tags=app_config_thehive['tags'] + [
f"Detected fuzzer: {alert.dns_twisted.fuzzer}",
f"Detected keyword: {alert.dns_twisted.keyword_monitored}",
f"Domain name: {dns_domain_name_sanitized}"
],
app_name=app_name,
domain_name=parent_domain,
observables=observables
),
**common_data
)

else:
for observable in observables:
if parent_domain:
observable["tags"].append(f"parent_domain:{parent_domain}")

current_time = datetime.now().strftime("%H:%M:%S")
current_date = datetime.now().strftime("%Y-%m-%d")
current_time_str = current_time.strftime("%H:%M:%S")
current_date_str = current_time.strftime("%Y-%m-%d")

comment = (
f"A change was processed by the {app_name} application at {current_time} on {current_date}.\n\n"
f"A new subdomain has been detected: {subdomain} associated with the parent domain {parent_domain}.\n\n"
f"A change was processed by {app_name} at {current_time_str} on {current_date_str}.\n\n"
f"A new subdomain has been detected: {subdomain}, associated with the parent domain {parent_domain}.\n\n"
"The associated observables have been handled in the dedicated section."
)

Expand Down Expand Up @@ -556,7 +606,7 @@ def send_notification(channel, content_template, subscribers_filter, send_func,
severity=app_config_thehive['severity'],
tlp=app_config_thehive['tlp'],
pap=app_config_thehive['pap'],
tags = app_config_thehive['tags'] + [
tags=app_config_thehive['tags'] + [
f"Detected fuzzer: {alert.dns_twisted.fuzzer}",
f"Detected keyword: {alert.dns_twisted.keyword_monitored}",
f"Domain name: {dns_domain_name_sanitized}"
Expand Down Expand Up @@ -589,7 +639,7 @@ def send_notification(channel, content_template, subscribers_filter, send_func,
severity=app_config_thehive['severity'],
tlp=app_config_thehive['tlp'],
pap=app_config_thehive['pap'],
tags = app_config_thehive['tags'] + [
tags=app_config_thehive['tags'] + [
f"Detected fuzzer: {alert.dns_twisted.fuzzer}",
f"Detected keyword: {alert.dns_twisted.keyword_monitored}",
f"Domain name: {dns_domain_name_sanitized}"
Expand All @@ -611,7 +661,7 @@ def send_notification(channel, content_template, subscribers_filter, send_func,

common_data = {
'alert': alert,
'dns_domain_name_sanitized': alert.dns_twisted.domain_name.replace('.', '[.]'),
'dns_domain_name_sanitized': dns_domain_name_sanitized,
'details_url': settings.WATCHER_URL + app_config_slack['url_suffix'],
'app_name': 'dns_finder'
}
Expand Down Expand Up @@ -865,6 +915,7 @@ def send_notification(channel, content_template, subscribers_filter, send_func,

common_data = {
'alert': alert,
'dns_domain_name_sanitized': alert.dns_twisted.domain_name.replace('.', '[.]'),
'details_url': settings.WATCHER_URL,
'app_name': 'dns_finder'
}
Expand All @@ -890,6 +941,8 @@ def send_notification(channel, content_template, subscribers_filter, send_func,
title=formatted_title,
description=content,
severity=app_config_thehive['severity'],
tlp=app_config_thehive['tlp'],
pap=app_config_thehive['pap'],
tags=app_config_thehive['tags'],
customFields=app_config_thehive.get('customFields'),
app_name=app_name,
Expand All @@ -904,6 +957,8 @@ def send_notification(channel, content_template, subscribers_filter, send_func,
title=formatted_title,
description=app_config_thehive['description_template'].format(**common_data),
severity=app_config_thehive['severity'],
tlp=app_config_thehive['tlp'],
pap=app_config_thehive['pap'],
tags=app_config_thehive['tags'],
app_name=app_name,
domain_name=None,
Expand Down
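Review bot: The `else: return` after the tldextract split (the branch taken when `suffix_part` is empty) drops the alert silently, whereas the guard a few lines above prints a timestamped reason before returning; a bare hostname or an internal TLD that is not on the public suffix list would simply never reach TheHive with nothing in the log, so add a line such as `print(f"{timezone.now()} - No public suffix found for {subdomain}, skipping TheHive notification.")` before that return. Further down the same hunk the TheHive comment text interpolates the raw `{subdomain}` even though `dns_domain_name_sanitized` (defanged with `[.]`) is already computed and used for the title and the tags; using the sanitized value there as well keeps a possibly hostile domain from rendering as a live link in the case. Note also that, unless the extractor is built with `suffix_list_urls=()`, tldextract fetches the public suffix list over the network on first use, which is worth a comment next to the import for deployments without egress. The enclosing function starts before this hunk and continues after it.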
10 changes: 10 additions & 0 deletions Watcher/Watcher/site_monitoring/core.py
Expand Up @@ -364,6 +364,16 @@ def create_alert(alert, site, new_ip, new_ip_second, score):
if site.monitored and alert != 0:
alert_data = alert_types[alert]

now = datetime.now()

one_hour_ago = now - timedelta(hours=3)
last_two_alerts = Alert.objects.filter(site=site, created_at__gte=one_hour_ago).order_by('-created_at')[:2]

for previous_alert in last_two_alerts:
if all(getattr(previous_alert, key) == value for key, value in alert_data.items()):
return


alert_data.update({
'new_ip': new_ip if new_ip else None,
'old_ip': site.ip if site.ip else None,
Expand Down
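Review bot: `one_hour_ago` is assigned `now - timedelta(hours=3)`, so the name contradicts the value and the next reader will misjudge how long repeated alerts are suppressed; rename it, e.g. `dedup_window_start = now - timedelta(hours=3)`. `datetime.now()` is naive while `created_at__gte` compares against a Django datetime field; if the project runs with `USE_TZ=True` (the other file in this commit uses `timezone.now()`), Django warns and interprets the naive value in the default timezone, so `timezone.now()` is the safer choice here, assuming it is importable in this module. The suppression test runs before `new_ip`/`old_ip` are merged into `alert_data`, so it keys on the alert type alone and a second, genuinely different IP change of the same kind within three hours is dropped as well; confirm that is the intended trade-off and record it with a comment such as `# Suppress a repeat of the same alert type within 3h, regardless of the IP values`. `create_alert` continues past this hunk.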
