Paloalto wildfire responder

responders/MSDefenderEndpoints/test.py

@@ -0,0 +1,107 @@
+import requests
+import urllib.request
+import urllib.parse
+import json
+import datetime
+
+msdefenderAppId = "a3a1267e-08f0-4417-9d34-a0ac9636f6ea"
+msdefenderTenantId = "f7bab6a1-af76-41a2-a72e-0a9253b9ed40"
+msdefenderSecret = "n.hv7Tiax_9Z3tFv6rUtb-D.4K7yE2p-ja"
+msdefenderOAuthUr = 'https://login.windows.net/'
+
+msdefenderSession = requests.Session()
+msdefenderSession.headers.update(
+    { 
+	'Content-Type' : 'application/json' 
+    }
+)
+
+def getToken():
+    msdefenderAppId = "a3a1267e-08f0-4417-9d34-a0ac9636f6ea"
+    msdefenderTenantId = "f7bab6a1-af76-41a2-a72e-0a9253b9ed40"
+    msdefenderSecret = "n.hv7Tiax_9Z3tFv6rUtb-D.4K7yE2p-ja"
+    msdefenderOAuthUri = 'https://login.windows.net/'
+    msdefenderGrant = "client_credentials"
+    msdefenderResourceAppIdUri = 'https://api.securitycenter.windows.com'
+    url = "{}/{}/oauth2/token".format(
+	msdefenderOAuthUri,msdefenderTenantId
+	)
+
+    body = {'grant_type':msdefenderGrant, 'resource':msdefenderResourceAppIdUri, 'client_id':msdefenderAppId, 'client_secret':msdefenderSecret}
+
+    data = urllib.parse.urlencode(body).encode("utf-8")
+
+    req = urllib.request.Request(url, data)
+    response = urllib.request.urlopen(req)
+    jsonResponse = json.loads(response.read())
+    token = jsonResponse["access_token"]
+    #print(json.dumps(body))
+    #body = str(json.dumps(body))
+
+    #try:
+    #  req = msdefenderSession.post(url=url, json=body) 
+    #except requests.exceptions.RequestException as e:
+    #  print(e)
+
+    #print(req.json)
+    #jsonResponse = req.json()
+    #token = req.json()
+    #token = jsonResponse["access_token"]
+    #url="https://httpbin.org/post"
+    #token_r = requests.post(url, json={'grant_type':" client_credentials", 'resource': msdefenderResourceAppIdUri, 'client_id': msdefenderAppId, 'client_secret': msdefenderSecret})
+    #print(token_r.content)
+
+    return token
+
+def getMachineId(session,id,observable_type):
+    time = datetime.datetime.now() - datetime.timedelta(minutes=120)
+    time = time.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+    if observable_type == "ip":
+        url = "https://api.securitycenter.windows.com/api/machines/findbyip(ip='{}',timestamp={})".format(id,time)
+    else:
+        url = "https://api.securitycenter.windows.com/api/machines?$filter=computerDnsName+eq+'{}'".format(id)    
+
+    try:
+      response = session.get(url=url)
+      if response.status_code == 200:
+        jsonResponse = response.json()
+        if len(response.content) > 100:
+            return jsonResponse["value"][0]["aadDeviceId"]
+        else:
+            return "ERROR"
+    except requests.exceptions.RequestException as e:
+      print("Exception: {}".format(e))
+
+def runFullVirusScan(machineId,session):
+    url = 'https://api.securitycenter.windows.com/api/machines/{}/runAntiVirusScan'.format(machineId)
+
+    body = {
+        'Comment': 'Full scan to machine due to TheHive case {}'.format("1234"),
+        'ScanType': 'Full'
+       }
+
+    try:
+        response = session.post(url=url, json=body)
+        if response.status_code == 201:
+            print("message: Started full VirusScan on machine: {}".format(machine))
+    except requests.exceptions.RequestException as e:
+        print("Error")
+
+#########
+#########
+token = getToken()
+#print(token)
+
+msdefenderSession.headers.update(
+    {
+	'Accept' : 'application/json',
+	'Content-Type' : 'application/json',
+        'Authorization' : 'Bearer {0}'.format(token)
+    }
+)
+
+print("IP: " + getMachineId(msdefenderSession,"192.168.210.1","ip"))
+print("HOST: " + getMachineId(msdefenderSession,"laptop-6gjkth4p","hostname"))
+
+#runFullVirusScan(machine,msdefenderSession)

responders/Netcraft/.gitignore

@@ -0,0 +1 @@
+test.py

responders/Netcraft/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3
+
+WORKDIR /worker
+COPY . Netcraft
+RUN pip install --no-cache-dir -r Netcraft/requirements.txt
+ENTRYPOINT Netcraft/Netcraft.py

responders/Netcraft/Netcraft.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+
+
+class NetcraftReporter(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.scheme = "https"
+        self.api_key = self.get_param(
+            'config.api_key', None, "API-key Missing")
+        self.takedown_url = self.get_param(
+            'config.takedown_url', None, "Takedown URL Missing")
+        self.observable_type = self.get_param('data.dataType', None, "Data type is empty")
+        self.observable_description = self.get_param('data.message', None, "Description is empty")
+
+    def run(self):
+        Responder.run(self)
+        try:
+            supported_observables = ["domain", "url", "fqdn"]
+            if self.observable_type in supported_observables:
+                if self.observable_type == "domain" or self.observable_type == "fqdn":
+                    domain = self.get_param('data.data', None, 'No artifacts available')
+                    takedown = "{}://{}".format(self.scheme, domain)
+                elif self.observable_type == "url":
+                    takedown = self.get_param('data.data')
+
+                headers = {
+                    "Authorization": "Bearer {0}".format(self.api_key),
+                    'user-agent': 'Netcraft-Cortex-Responder'
+                }
+                payload = {
+                    "attack": takedown,
+                    "comment": "Automated takedown via Cortex"
+                }
+
+                response = requests.post(self.takedown_url, data=payload, headers=headers)
+                if response.status_code == 200:
+                    self.report({'message': 'Takedown sent ot Netcraft. Message: {}'.format(response.text)})
+                elif response.status_code == 401:
+                    self.error({'message': 'Failed authentication. Check API-Key. Message: {}'.format(response.text)})
+                else:
+                    self.error('Failed to submit takedown request. Error code: {}. Error message: {}'
+                               .format(response.status_code, response.text))
+            else:
+                self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.')
+
+        except requests.exceptions.RequestException as e:
+            self.error(str(e))
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Netcraft:takedown')]
+
+
+if __name__ == '__main__':
+    NetcraftReporter().run()

responders/Netcraft/NetcraftTakedown.json

@@ -0,0 +1,28 @@
+{
+  "name": "Netcraft Takedown Phishing URL",
+  "version": "1.0",
+  "author": "Keijo Korte - @korteke",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Submit URL to Netcrafts Takedown API.",
+  "dataTypeList": ["url", "domain", "fqdn"],
+  "command": "Netcraft/Netcraft.py",
+  "baseConfig": "Netcraft",
+  "configurationItems": [
+    {
+      "name": "api_key",
+      "description": "Netcraft Takedown API key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "takedown_url",
+      "description": "Netcraft Takedown URL",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://takedown.netcraft.com/authorise.php"
+    }
+  ]
+}

responders/Netcraft/README.md

@@ -0,0 +1,13 @@
+### Netcraft Takedown
+
+This responder sends observables to [Netcraft Takedown service](https://www.netcraft.com/cybercrime/countermeasures/).
+
+#### Requirements
+One need to request API-key from Netcraft [Contact form](https://www.netcraft.com/contact/).
+
+#### Configuration
+- `api_key` : Netcraft Takedown API-key   
+- `takedown_url`: Netcraft Takedown URL (default: https://takedown.netcraft.com/authorise.php)
+
+#### Official documenation
+Official API documentation: [Netcraft site](https://takedown.netcraft.com/help_api.php).

responders/Netcraft/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

responders/PaloAltoWildfire/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3
+
+WORKDIR /worker
+COPY . PaloAltoWildfire
+RUN pip install --no-cache-dir -r PaloAltoWildfire/requirements.txt
+ENTRYPOINT PaloAltoWildfire/PaloAltoWildfire.py

responders/PaloAltoWildfire/PaloAltoWildfire.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+
+
+class PaloAltoWildfire(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.scheme = "https"
+        self.api_key = self.get_param(
+            'config.api_key', None, "API-key Missing")
+        self.wildfire_url = self.get_param(
+            'config.wildfire_url', None, "Wildfire URL Missing")
+        self.observable_type = self.get_param('data.dataType', None, "Data type is empty")
+        self.observable_description = self.get_param('data.message', None, "Description is empty")
+
+    def run(self):
+        Responder.run(self)
+        try:
+            supported_observables = ["domain", "url", "fqdn"]
+            if self.observable_type in supported_observables:
+                if self.observable_type == "domain" or self.observable_type == "fqdn":
+                    domain = self.get_param('data.data', None, 'No artifacts available')
+                    observable = "{}://{}".format(self.scheme, domain)
+                elif self.observable_type == "url":
+                    observable = self.get_param('data.data')
+
+                headers = {
+                    'User-Agent': 'PaloAltoWildfire-Cortex-Responder'
+                }
+                payload = {
+                    'apikey': (None, self.api_key),
+                    'link': (None, observable),
+                }
+                response = requests.post(self.wildfire_url, files=payload, headers=headers)
+                if response.status_code == 200:
+                    self.report({'message': 'Observable sent to Wildfire. Message: {}'.format(response.text)})
+                elif response.status_code == 401:
+                    self.error({'message': 'Failed authentication. Check API-Key. Message: {}'.format(response.text)})
+                else:
+                    self.error('Failed to submit request. Error code: {}. Error message: {}'
+                               .format(response.status_code, response.text))
+            else:
+                self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.')
+
+        except requests.exceptions.RequestException as e:
+            self.error(str(e))
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Wildfire:submit')]
+
+
+if __name__ == '__main__':
+    PaloAltoWildfire().run()

responders/PaloAltoWildfire/PaloaltoWildfireSubmission.json

@@ -0,0 +1,28 @@
+{
+  "name": "PaloAlto Wildfire URL submission",
+  "version": "1.0",
+  "author": "Keijo Korte - @korteke",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Submit URL to PaloAlto Wildfire service.",
+  "dataTypeList": ["url", "domain", "fqdn"],
+  "command": "PaloAltoWildfire/PaloAltoWildfire.py",
+  "baseConfig": "PaloAltoWildfire",
+  "configurationItems": [
+    {
+      "name": "api_key",
+      "description": "PaloAlto Wildfire API key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "wildfire_url",
+      "description": "PaloAlto Wildfire Takedown URL",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi/submit/link"
+    }
+  ]
+}

responders/PaloAltoWildfire/README.md

@@ -0,0 +1,15 @@
+### PaloAlto Wildfire responder
+
+This responder sends observable to [PaloAlto Wildfire service](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/submit-files-and-links-through-the-wildfire-api.html).
+
+#### Requirements
+One need valid API-key to PaloAlto's Wildfire service.   
+* [Cloud Wildfire](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-started-with-the-wildfire-api/get-your-api-key/get-your-wildfire-public-cloud-api-key.html#id3809ea9e-090f-459b-a382-9689383d1855)
+* [Local Wildfire instance](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-started-with-the-wildfire-api/get-your-api-key/get-your-wildfire-appliance-api-key.html#idd900a1f8-95e3-4739-b02a-7a3269d85bea)
+
+#### Configuration
+- `api_key` : Wildfire API-key   
+- `wildfire_url`: Wildfire URL (default: Cloud version)
+
+#### Official documenation
+Official API documentation: [PaloAlto site](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api.html).

responders/PaloAltoWildfire/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests