Update Synapse to Support Thehive5 API #78

Open
wants to merge 5 commits into
base: master
44 changes: 44 additions & 0 deletions Pipfile
@@ -0,0 +1,44 @@
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
asn1crypto = "==0.24.0"
cached-property = "==1.5.1"
certifi = "==2018.8.24"
cffi = "==1.11.5"
chardet = "==3.0.4"
click = "==7.0"
cryptography = "==2.3.1"
defusedxml = "==0.5.0"
dnspython = "==1.15.0"
exchangelib = "==1.12.0"
flask = "==1.0.2"
future = "==0.16.0"
idna = "==2.7"
isodate = "==0.6.0"
itsdangerous = "==0.24"
jinja2 = "==2.10"
lxml = "==4.2.5"
markupsafe = "==1.0"
ntlm-auth = "==1.2.0"
pycparser = "==2.19"
pygments = "==2.2.0"
python-dateutil = "==2.7.3"
python-magic = "==0.4.15"
pytz = "==2018.5"
requests-ntlm = "==1.1.0"
requests = "==2.20.0"
six = "==1.11.0"
python-slugify = "==1.2.6"
thehive4py = "==1.5.1"
tzlocal = "==1.5.1"
urllib3 = "==1.23"
werkzeug = "==0.14.1"

[dev-packages]

[requires]
python_version = "3.11"
python_full_version = "3.11.4"
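Review bot: The new Pipfile pins the old dependency set (`thehive4py = "==1.5.1"`, `flask = "==1.0.2"`, `cryptography = "==2.3.1"`, `urllib3 = "==1.23"`), while requirements.txt in this same PR moves to thehive4py==2.0.0b4, Flask==2.3.2 and cryptography==41.0.2. Anyone installing with pipenv gets the older thehive4py rather than the one this PR targets, and an environment that differs from the one that was tested. Regenerate the Pipfile from the updated requirements.txt and commit the matching Pipfile.lock, or drop the Pipfile from the PR.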
18 changes: 17 additions & 1 deletion README.md
@@ -1,3 +1,14 @@
## Synpase for TheHive5

<p align="center">
<img src="https://blog.strangebee.com/content/images/size/w2000/2023/07/Blog_5.2_released-1.png"
height="500"/>
</p>

> **_NOTE:_** The work is in progress to update **Ews2Case**. In this wave of updates, we were interested in updating **QRadar2Alert** (pulling offenses and create alerts to Thehive5).

- [x] Project in progress

Synapse is a free, open source meta alert feeder that allows you to feed [TheHive](https://github.com/TheHive-Project/TheHive) from multiple alert sources at once.
It leverages TheHive's API to automate case and alert creation. Thanks to Synapse, you can swiftly create cases or alerts in TheHive out of email notifications or SIEM events.

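Review bot: The new heading misspells the project name: `## Synpase for TheHive5` should read "Synapse". Two smaller points in the same block: the banner image is hot-linked from blog.strangebee.com, so the README depends on a third-party URL staying up (consider committing the image to the repository), and `- [x] Project in progress` renders as a completed checkbox, which reads oddly for work that is still in progress.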
Expand All @@ -7,6 +18,8 @@ Currently, Synapse supports the following alert sources:
- Microsoft O365
- IBM QRadar

> We have updated Synapse to support theHive 5.x REST API

# Overview

Most of the time, transforming a security event or a notification about a suspicious email requires several actions and conditions. Synapse gathers those into workflows.
Expand All @@ -29,7 +42,10 @@ The [user guide](docs/user_guide.md) should contain all the information you need
2. Fill in the config file
3. Execute: ```python3 app.py```

While all operating systems running Python 3 can be used for Synapse, we recommend the use of Ubuntu.
### Test environment
The new update was tested on:
* Python 3.11.4
* Ubuntu/Kali Linux /Redhat

# License
Synapse is an open source and free software released under the
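Review bot: The "Test environment" list names the Python version and the distributions but not the TheHive 5.x or QRadar versions the update was tested against, which is what a user of this PR most needs to know. Please add them. Going by the line counts in the hunk header (7 old, 10 new), the sentence recommending Ubuntu is dropped; if that is intentional, fold the recommendation into the list, and fix the spacing in `* Ubuntu/Kali Linux /Redhat`.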
33 changes: 23 additions & 10 deletions app.py
Expand Up @@ -6,7 +6,7 @@
from flask import Flask, request, jsonify

from workflows.common.common import getConf
from workflows.Ews2Case import connectEws
#from workflows.Ews2Case import connectEws
from workflows.QRadar2Alert import allOffense2Alert
from workflows.ManageWebhooks import manageWebhook

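Review bot: Commenting out `from workflows.Ews2Case import connectEws` leaves the `ews2case()` handler in place (it is still visible as context in the last hunk of this file). If that handler still calls connectEws, any request to it will now fail with a NameError at request time. Disable the route together with the import, for example by having it return a clear "not supported yet" response, and delete the import line rather than leaving it commented out.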
Expand All @@ -33,6 +33,10 @@

app = Flask(__name__)

@app.route('/', methods=['GET'])
def index():
return "Synapse is up and running."

@app.route('/webhook', methods=['POST'])
def listenWebhook():
if request.is_json:
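Review bot: `index()` returns a bare string with an implicit 200, while every other handler in this file returns `jsonify(...)` with an explicit status code. For a liveness check, return JSON in the same shape as the other routes, or rely on the existing `/version` route instead of adding a second unauthenticated endpoint.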
Expand All @@ -57,31 +61,40 @@ def ews2case():
else:
return jsonify(workflowReport), 500


@app.route('/QRadar2alert', methods=['POST'])
def QRadar2alert():
# Get token from config file conf/synpase.conf
Token = getConf().get('Token','auth_token')
if request.is_json:
content = request.get_json()
if 'timerange' in content:
workflowReport = allOffense2Alert(content['timerange'])
if workflowReport['success']:
return jsonify(workflowReport), 200
if content['token'] == Token:
if 'timerange' in content:
workflowReport = allOffense2Alert(content['timerange'])
if workflowReport['success']:
return jsonify(workflowReport), 200
else:
return jsonify(workflowReport), 500
else:
return jsonify(workflowReport), 500
logger.error('Missing <timerange> key/value')
return jsonify({'sucess':False, 'message':"timerange key missing in request"}), 500
else:
logger.error('Missing <timerange> key/value')
return jsonify({'sucess':False, 'message':"timerange key missing in request"}), 500
logger.error('Missing token!')
return jsonify({"message":"Missing a valid token !"}), 403

else:
logger.error('Not json request')
return jsonify({'sucess':False, 'message':"Request didn't contain valid JSON"}), 400


@app.route('/version', methods=['GET'])
def getSynapseVersion():
return jsonify({'version': '1.1.1'}), 200
return jsonify({'version': '1.1.2'}), 200

if __name__ == '__main__':
cfg = getConf()
app.run(debug=cfg.getboolean('api', 'debug'),
host=cfg.get('api', 'host'),
port=cfg.get('api', 'port'),
threaded=cfg.get('api', 'threaded')
)
)
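Review bot: In `QRadar2alert()`, `if content['token'] == Token:` raises KeyError when the request body has no `token` key, so an unauthenticated caller gets an unhandled exception (HTTP 500) instead of the intended 403. Read the value with `content.get('token')`, reject anything that is not a string, and compare the encoded values with `hmac.compare_digest` instead of `==` so the check does not leak timing. Because conf/synapse.conf ships `auth_token=CHANGE_ME`, the handler should also refuse to run while the configured token is empty or still that placeholder; otherwise a default install accepts a publicly known token. Further points: the 403 body lacks the success field the other responses carry (and those spell it `'sucess'`), a missing `timerange` is a client error and should return 400 rather than 500, and 401 fits a missing or wrong credential better than 403. The token check is added only to this route; `/webhook` and `ews2case()` are not touched by the diff. Consider taking the token from an `Authorization` header so it is not part of the JSON payload, and loading it once at startup instead of calling `getConf()` on every request.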
3 changes: 3 additions & 0 deletions conf/synapse.conf
Expand Up @@ -28,3 +28,6 @@ server:qradar.stargazer.org
auth_token:d6e-8f-4e-85-55738fd
cert_filepath:/home/dc/qradar.crt
api_version:8.0

[Token]
auth_token=CHANGE_ME
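Review bot: `auth_token=CHANGE_ME` ships a working default, since app.py compares the request token against whatever string is configured here. Leave the value empty and have the application reject an empty token, so a forgotten edit fails closed. The new section also uses `=` where the lines above use `:` as the separator, and a section named `[Token]` next to QRadar's own `auth_token` key is easy to confuse; a key under the existing `[api]` section would be clearer.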
36 changes: 36 additions & 0 deletions docs/user_guide.md
Expand Up @@ -14,6 +14,7 @@ This guide will go through installation and basic configuration for Synapse.
+ [Stopping the application](#stopping-the-application)
+ [Starting the application](#starting-the-application)
+ [Logs](#logs)
+ [Crontab](#crontab)
+ [Update](#update)

## Installation
Expand All @@ -27,6 +28,16 @@ sudo apt install python3-dev libkrb5-dev gcc
sudo pip3 install -r requirements.txt
```

#### Thehive4py
Install the new thehive4py library
```
git clone https://github.com/TheHive-Project/TheHive4py
cd TheHive4py
python3 setup.py install
## If failed, edit setup.py version=parse_version()
version="5"
```

## Configuration

### Synapse user
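Review bot: This section tells users to install thehive4py from an unpinned `git clone` with `python3 setup.py install`, but requirements.txt in this PR already pins `thehive4py==2.0.0b4`, so the two steps can leave different versions installed depending on the order they are run. Drop the section and rely on `pip3 install -r requirements.txt`, or pin the clone to a tag or commit. The fallback of hand-editing setup.py to `version="5"` should be replaced with a reproducible command, and as written the `## If failed, ...` and `version="5"` lines sit inside the shell block as if they were commands. Please also check the clone URL host (`github.com` as shown here) against the project's official repository.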
Expand Down Expand Up @@ -69,6 +80,18 @@ url:http://127.0.0.1:9000
user:synapse
api_key:r4n0O8SvEll/VZdOD8r0hZneOWfOmth6
```
### [Token] section

Create a new secure token that will be used to invoke QRadar2Alert function
```
tr -dc A-Za-z0-9 </dev/urandom | head -c 32 ; echo ''
```
#### Example

```
[Token]
auth_token=CHANGE_ME
```

Basic configuration for Synapse is done.
To configure workflows, head to the [workflows page](workflows/README.md).
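Review bot: The example under "[Token] section" still shows `auth_token=CHANGE_ME`, and the text never says that the generated string must replace it, so a reader can finish the guide with the placeholder as the live token. State explicitly that the output of the `tr` command goes into `auth_token`, and that conf/synapse.conf should be readable only by the Synapse user now that it holds this secret. Formatting: add a blank line before `### [Token] section` and end the sentence introducing the command with a colon.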
Expand All @@ -80,6 +103,12 @@ To start Synapse, run:
```
python3 app.py
```
Test Synapse
```
curl -H "Content-Type: application/json" -XPOST -d '{"timerange":10,"token":"CHANGE_ME"}' http://127.0.0.1:5000/QRadar2alert
# or
bash Synapse/examples/qradar2alert_post.sh
```

## Deployment to Production

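Review bot: The test command puts the token in the curl arguments (`-d '{"timerange":10,"token":"CHANGE_ME"}'`), where it ends up in shell history and is visible in the process list. Show the body being read from a file with restricted permissions (`-d @file`) instead. The script path is given as the relative `Synapse/examples/qradar2alert_post.sh` here but as `/home/Synpase/...` in the Crontab section; use one location throughout, and introduce "Test Synapse" with a sentence ending in a colon like the text above it.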
Expand Down Expand Up @@ -167,6 +196,13 @@ Regarding Synapse, if the application is located at ```/opt``` then logs are und
/opt/Synapse/logs/
```

### Crontab
You can create Crontab job to automate the alerts pulling
```
# Invoke QradarToAlert function every 10 min
*/10 * * * * /bin/bash /home/Synpase/examples/qradar2alert_post.sh >> /home/Synpase/logs/synapse_curl.log 2>&1
```

# Update

In order to update Synapse (minor version), just pull the new version from Github and run the application:
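Review bot: Both paths in the cron line spell the directory `/home/Synpase/`, which will not exist on an install that follows the rest of this guide (the Logs section just above uses `/opt/Synapse/logs/`). Fix the spelling and use the same base directory as the rest of the document. The redirect appends to synapse_curl.log indefinitely, so mention log rotation, and note that the script invoked here contains the token and should not be world-readable. "You can create Crontab job" also needs an article.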
3 changes: 2 additions & 1 deletion examples/qradar2alert_post.sh
@@ -1 +1,2 @@
curl --header "Content-Type: application/json" --request POST --data '{"timerange":10}' http://127.0.0.1:5000/QRadar2alert
# Trigger <QRadar2alert> FUNC (Change the token with the a valid token in conf/synpase.conf)
curl -H "Content-Type: application/json" -XPOST -d '{"timerange":10,"token":"CHANGE_ME"}' http://127.0.0.1:5000/QRadar2alert
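Review bot: The token is hard-coded in the script (`"token":"CHANGE_ME"`), so every deployment has to edit a tracked file and the secret then lives in the working tree. Read it from an environment variable or from conf/synapse.conf at run time instead. The comment has two typos: "with the a valid token" and `conf/synpase.conf`.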
67 changes: 34 additions & 33 deletions requirements.txt
@@ -1,33 +1,34 @@
-i https://pypi.org/simple
asn1crypto==0.24.0
cached-property==1.5.1
certifi==2018.8.24
cffi==1.11.5
chardet==3.0.4
click==7.0
cryptography==2.3.1
defusedxml==0.5.0
dnspython==1.15.0
exchangelib==1.12.0
flask==1.0.2
future==0.16.0
idna==2.7
isodate==0.6.0
itsdangerous==0.24
jinja2==2.10
lxml==4.2.5
markupsafe==1.0
ntlm-auth==1.2.0
pycparser==2.19
pygments==2.2.0
python-dateutil==2.7.3
python-magic==0.4.15
pytz==2018.5
requests-ntlm==1.1.0
requests==2.20.0
six==1.11.0
python-slugify==1.2.6
thehive4py==1.5.1
tzlocal==1.5.1
urllib3==1.23
werkzeug==0.14.1
anyio==3.7.1
blinker==1.6.2
cached-property==1.5.2
certifi==2023.5.7
cffi==1.15.1
charset-normalizer==3.2.0
click==8.1.6
cryptography==41.0.2
defusedxml==0.7.1
dnspython==2.4.0
exchangelib==5.0.3
Flask==2.3.2
h11==0.14.0
httpcore==0.17.3
idna==3.4
isodate==0.6.1
itsdangerous==2.1.2
Jinja2==3.1.2
lxml==4.9.3
MarkupSafe==2.1.3
oauthlib==3.2.2
pycparser==2.21
Pygments==2.15.1
pyspnego==0.9.1
requests==2.31.0
requests-ntlm==1.2.0
requests-oauthlib==1.3.1
six==1.16.0
sniffio==1.3.0
thehive4py==2.0.0b4
tzdata==2023.3
tzlocal==5.0.1
urllib3==2.0.4
Werkzeug==2.3.6
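Review bot: `thehive4py==2.0.0b4` pins a beta release, and docs/user_guide.md in this PR separately tells users to install thehive4py from a git clone; decide on one source and say in the README that the client is a pre-release. The new list also no longer contains python-magic, python-slugify, python-dateutil, pytz or future, nor the `-i https://pypi.org/simple` line: confirm that no workflow still imports those packages (the Ews2Case import is only commented out in app.py, not removed). Since every version is being re-pinned anyway, this is a good moment to add hashes (`pip install --require-hashes`) and to bring the Pipfile in step with this file.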