Fix TheHive and MISP API export issues
MISP Events are now created with the correct TAGS mentioned in the .env file. MISP Event attributes are now created even if the TAGS do not exist in the MISP instance. TheHive export now resets if the Case no longer exists in the TheHive instance.
Felix83000 committed Jun 22, 2022
1 parent 27b2230 commit df4479d
Showing 2 changed files with 9 additions and 49 deletions.
23 changes: 0 additions & 23 deletions Watcher/Watcher/site_monitoring/misp.py
Expand Up @@ -25,7 +25,6 @@ def create_misp_tags(misp_api):
for tag in required_tags:
t = MISPTag()
t.name = tag
t.org_id = 1
if tag not in tags_names:
print(str(timezone.now()) + " - " + "Create tag: ", tag)
misp_api.add_tag(t)
Expand All @@ -46,18 +45,11 @@ def create_attributes(misp_api, event_id, site):
print(str(timezone.now()) + " - " + 'Create MISP IOCs attributes for: ', event_id)
print('-----------------------------')

tag = None
tags = misp_api.tags(pythonify=True)
for t in tags:
if t.name == 'Watcher':
tag = t

attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "Domain name monitored"
attribute.tags = [tag]
attribute.value = site.domain_name
misp_api.add_attribute(event=event_id, attribute=attribute)

Expand All @@ -67,7 +59,6 @@ def create_attributes(misp_api, event_id, site):
attribute.type = "link"
attribute.distribution = 0
attribute.comment = "Ticketing link"
attribute.tags = [tag]
attribute.value = settings.MISP_TICKETING_URL + "?id=" + str(site.rtir)
misp_api.add_attribute(event=event_id, attribute=attribute)

Expand All @@ -77,7 +68,6 @@ def create_attributes(misp_api, event_id, site):
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "First IP"
attribute.tags = [tag]
attribute.value = site.ip
misp_api.add_attribute(event=event_id, attribute=attribute)

Expand All @@ -87,7 +77,6 @@ def create_attributes(misp_api, event_id, site):
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "Second IP"
attribute.tags = [tag]
attribute.value = site.ip_second
misp_api.add_attribute(event=event_id, attribute=attribute)

Expand All @@ -97,7 +86,6 @@ def create_attributes(misp_api, event_id, site):
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name
attribute.tags = [tag]
attribute.value = site.mail_A_record_ip
misp_api.add_attribute(event=event_id, attribute=attribute)

Expand All @@ -108,7 +96,6 @@ def create_attributes(misp_api, event_id, site):
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "MX record"
attribute.tags = [tag]
attribute.value = str(mx).split()[1][:-1]
misp_api.add_attribute(event=event_id, attribute=attribute)

Expand Down Expand Up @@ -155,19 +142,12 @@ def update_attributes(misp_api, site):
print(str(timezone.now()) + " - " + 'Update MISP IOCs attributes for: ', site.misp_event_id)
print('-----------------------------')

tag = None
tags = misp_api.tags(pythonify=True)
for t in tags:
if t.name == 'Watcher':
tag = t

if site.ip and not search_attributes(misp_api, site.misp_event_id, site.ip, site.pk):
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "First IP"
attribute.tags = [tag]
attribute.value = site.ip
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)

Expand All @@ -177,7 +157,6 @@ def update_attributes(misp_api, site):
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "Second IP"
attribute.tags = [tag]
attribute.value = site.ip_second
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)

Expand All @@ -187,7 +166,6 @@ def update_attributes(misp_api, site):
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name
attribute.tags = [tag]
attribute.value = site.mail_A_record_ip
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)

Expand All @@ -199,6 +177,5 @@ def update_attributes(misp_api, site):
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "MX record"
attribute.tags = [tag]
attribute.value = str(mx).split()[1][:-1]
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)
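Review bot: Dropping the `Watcher` tag from every attribute in create_attributes and update_attributes removes the only per-attribute marker that distinguished Watcher-generated IOCs from the rest of the event, so any downstream filtering or correlation keyed on that tag silently stops matching. The commit message says attributes should be created even when the tag is missing; a narrower fix keeps the lookup and attaches the tag only when it exists, e.g. `tag = next((t for t in misp_api.tags(pythonify=True) if t.name == 'Watcher'), None)` once per function and `if tag is not None: attribute.tags = [tag]` before each `add_attribute`. That preserves the previous labelling on instances where create_misp_tags has run, and still avoids the `[None]` tags list that presumably made the old code fail when the tag was absent. The enclosing functions start before each hunk.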
35 changes: 9 additions & 26 deletions Watcher/Watcher/site_monitoring/thehive.py
@@ -1,4 +1,5 @@
from django.utils import timezone
from rest_framework.exceptions import NotFound
from rest_framework import serializers
from .models import Site
from thehive4py.models import CaseObservable
Expand Down Expand Up @@ -40,7 +41,6 @@ def create_observables(hive_api, case_id, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='Domain name monitored'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
Expand All @@ -55,7 +55,6 @@ def create_observables(hive_api, case_id, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='First IP'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
Expand All @@ -70,7 +69,6 @@ def create_observables(hive_api, case_id, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='Second IP'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
Expand All @@ -85,7 +83,6 @@ def create_observables(hive_api, case_id, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='Mail Server A record IP: mail.' + site.domain_name))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
Expand All @@ -101,7 +98,6 @@ def create_observables(hive_api, case_id, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='MX record'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
Expand Down Expand Up @@ -129,59 +125,49 @@ def update_observables(hive_api, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='First IP'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
else:
print(str(timezone.now()) + " - " + 'ko: {}/{}'.format(response.status_code, response.text))

if response.json()['type'] == "NotFoundError":
if response.json()['type'] == "AuthorizationError":
# Reset the case id in database
Site.objects.filter(pk=site.pk).update(the_hive_case_id=None)

data = {'detail': response.json()['type'] + ": " + response.json()['message']}
raise serializers.ValidationError(data)
raise NotFound("TheHive Case " + str(case_id) + " Not Found: Resetting")

if site.ip_second and not search_observables(hive_api, case_id, site.ip_second):
response = hive_api.create_case_observable(case_id, CaseObservable(dataType='ip',
data=[site.ip_second],
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='Second IP'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
else:
print(str(timezone.now()) + " - " + 'ko: {}/{}'.format(response.status_code, response.text))

if response.json()['type'] == "NotFoundError":
if response.json()['type'] == "AuthorizationError":
# Reset the case id in database
Site.objects.filter(pk=site.pk).update(the_hive_case_id=None)

data = {'detail': response.json()['type'] + ": " + response.json()['message']}
raise serializers.ValidationError(data)
raise NotFound("TheHive Case " + str(case_id) + " Not Found: Resetting")

if site.mail_A_record_ip and not search_observables(hive_api, case_id, site.mail_A_record_ip):
response = hive_api.create_case_observable(case_id, CaseObservable(dataType='ip',
data=[site.mail_A_record_ip],
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='Mail Server A record IP: mail.' + site.domain_name))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
else:
print(str(timezone.now()) + " - " + 'ko: {}/{}'.format(response.status_code, response.text))

if response.json()['type'] == "NotFoundError":
if response.json()['type'] == "AuthorizationError":
# Reset the case id in database
Site.objects.filter(pk=site.pk).update(the_hive_case_id=None)

data = {'detail': response.json()['type'] + ": " + response.json()['message']}
raise serializers.ValidationError(data)
raise NotFound("TheHive Case " + str(case_id) + " Not Found: Resetting")

if site.MX_records:
for mx in site.MX_records:
Expand All @@ -191,16 +177,13 @@ def update_observables(hive_api, site):
tlp=2,
ioc=True,
sighted=True,
tags=['Watcher'],
message='MX record'))
if response.status_code == 201:
print(str(timezone.now()) + " - " + "OK")
else:
print(str(timezone.now()) + " - " + 'ko: {}/{}'.format(response.status_code, response.text))

if response.json()['type'] == "NotFoundError":
if response.json()['type'] == "AuthorizationError":
# Reset the case id in database
Site.objects.filter(pk=site.pk).update(the_hive_case_id=None)

data = {'detail': response.json()['type'] + ": " + response.json()['message']}
raise serializers.ValidationError(data)
raise NotFound("TheHive Case " + str(case_id) + " Not Found: Resetting")
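Review bot: Treating `"AuthorizationError"` as proof that the case is gone (the `response.json()['type']` check after each failed `create_case_observable`, repeated four times across this hunk and the previous one) conflates a revoked or under-privileged API key with a deleted case, so a credential problem would clear `the_hive_case_id` for every site being updated and produce duplicate cases once access is restored. If TheHive really reports an unknown case this way, the reset should be confirmed with a direct case lookup, or at least logged together with the returned message, before the id is wiped. The removed `raise serializers.ValidationError(data)` appears to have sat at the `else:` level, so every other non-201 response is now only printed and the remaining observables are still pushed to a case that may be unusable. Since the block is copy-pasted four times, extracting it into one helper keeps that policy in a single place; a sketch follows. update_observables starts before this hunk.
```python
def _handle_observable_error(response, site, case_id):
    """Report a failed create_case_observable call; drop the case link only when TheHive no longer knows the case."""
    print(str(timezone.now()) + " - " + 'ko: {}/{}'.format(response.status_code, response.text))
    body = response.json()
    if body['type'] == "AuthorizationError":
        # TODO confirm: verify the case is really gone (direct case lookup) before clearing the id,
        # otherwise a revoked or restricted key wipes every site's case link.
        Site.objects.filter(pk=site.pk).update(the_hive_case_id=None)
        raise NotFound("TheHive Case " + str(case_id) + " Not Found: Resetting")
    raise serializers.ValidationError({'detail': body['type'] + ": " + body['message']})

# … unchanged: observable creation …
if response.status_code == 201:
    print(str(timezone.now()) + " - " + "OK")
else:
    _handle_observable_error(response, site, case_id)
```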
