# encoding = utf-8
# Import all needed packages
import os
import json
import requests
import getpass
import requests.packages.urllib3
from requests_ntlm import HttpNtlmAuth
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# The two suppressions below exist only because every HTTP call in this file is
# made with verify=False. They silence the one signal that certificate checking
# is off, so an on-path attacker can read the Splunk session key, the ServiceNow
# password and the bearer token without any warning in the logs. The fix is to
# enable verification (verify=True or a CA-bundle path) and delete these lines.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import warnings
warnings.filterwarnings('ignore', '', requests.packages.urllib3.exceptions.InsecureRequestWarning, '', 0)
# Splunk doesn't respect the no proxy settings so we need to set it here.
# Note this disables the proxy for every request made by this process, not just
# the ServiceNow and splunkd calls below.
os.environ['no_proxy'] = '*'
###############################################################################################################
# Function for updating the notable event
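def updateNotableEvents(sessionKey, baseurl, comment, status=None, urgency=None, owner=None, eventIDs=None, searchID=None, verify=False, timeout=None):
    """Update notable events through the Splunk ES ``notable_update`` REST handler.

    Args:
        sessionKey: Splunk session key, sent as ``Authorization: Splunk <key>``.
        baseurl: splunkd management URL ending in ``/``; ``services/notable_update``
            is appended to it.
        comment: Comment attached to every updated notable event.
        status: Optional notable status code to set.
        urgency: Optional urgency to set.
        owner: Optional new owner (sent to the handler as ``newOwner``).
        eventIDs: Optional list of notable rule IDs (sent as ``ruleUIDs``).
        searchID: Optional search ID whose notable results are updated.
        verify: TLS verification argument for ``requests.post``. The default
            ``False`` preserves the historical behaviour of this function; pass
            ``True`` or a CA-bundle path in production, otherwise the session key
            is exposed to an on-path attacker.
        timeout: Optional ``requests`` timeout in seconds; ``None`` keeps the
            previous unbounded wait.

    Returns:
        The decoded JSON body returned by the handler (it carries ``success``,
        and may carry ``failure_count`` and ``message``; it is returned as-is
        even for an unsuccessful update so callers can inspect it).

    Raises:
        ValueError: if ``sessionKey`` is None, or neither ``eventIDs`` nor
            ``searchID`` is given.
        ValueError: from ``Response.json()`` if the handler does not answer with JSON.
    """
    # Make sure that the session ID was provided
    if sessionKey is None:
        raise ValueError("A session key was not provided")
    # Make sure that rule IDs and/or a search ID is provided
    if eventIDs is None and searchID is None:
        raise ValueError("Either eventIDs or a searchID must be provided (or both)")

    # Arguments for the REST handler; only the optional fields that were actually
    # supplied are sent, so the handler leaves the others untouched.
    args = {'comment': comment, 'output_mode': 'json'}
    optional_fields = (
        ('status', status),
        ('urgency', urgency),
        ('newOwner', owner),
        ('ruleUIDs', eventIDs),    # the list of event IDs to change
        ('searchID', searchID),    # or the notables returned by a search
    )
    args.update((key, value) for key, value in optional_fields if value is not None)

    auth_header = {'Authorization': 'Splunk %s' % sessionKey}
    mod_notables = requests.post(
        baseurl + 'services/notable_update',
        data=args,
        headers=auth_header,
        verify=verify,
        timeout=timeout,
    )
    return mod_notables.json()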
###############################################################################################################
# Primary function that Splunk utilizes for pulling the variables from the notable event.
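# Timeout (seconds) for every HTTP call made by this alert action. requests
# waits forever by default, so a stalled ServiceNow or splunkd endpoint would
# otherwise hang the action.
_HTTP_TIMEOUT = 60

# Notable "subclassification" values and the labels ServiceNow expects for them.
_SN_SUBCLASSIFICATIONS = {
    'malware': 'Malware',
    'aup': 'AUP Violation',
}


def _get_sn_token(auth_url, login_data):
    """Log in to the ServiceNow API front end and return the bearer token.

    Args:
        auth_url: Login URL of the third-party ServiceNow API front end.
        login_data: Dict with ``username`` and ``password``, sent as JSON.

    Returns:
        The token string found in the login response.

    Raises:
        requests.exceptions.HTTPError: if the login request is rejected.
        ValueError: if the response body does not contain a token.
    """
    r = requests.post(auth_url, json=login_data, verify=False, timeout=_HTTP_TIMEOUT)
    # Check the status before parsing: an error page must not be mined for a token.
    r.raise_for_status()
    # The original code took the token as the text between the third and fourth
    # double quote of the body; that parser is kept here — confirm it matches the
    # response format of your own API front end.
    parts = r.text.split('"')
    if len(parts) < 4:
        raise ValueError("ServiceNow login response did not contain a token")
    # Never print or log the token: it is a bearer credential for ServiceNow.
    return parts[3]


def _build_sn_incident(severity, sn_subclassification, rule_name, computer_name, description):
    """Assemble the ServiceNow incident payload.

    Args:
        severity: Severity value taken from the notable event.
        sn_subclassification: ServiceNow label from ``_SN_SUBCLASSIFICATIONS``.
        rule_name: Name of the correlation search that fired.
        computer_name: Host name; the domain suffix is dropped so the CMDB can match it.
        description: Free-text description from the notable event.

    Returns:
        Dict ready to be serialised as the incident body.
    """
    # Take out the domain name so the short host name can be run through the CMDB.
    short_host = computer_name.split('.')[0]
    return {
        # Hardcoded SN fields
        "contact_type": "External System",
        "classification": "Access & Security",
        "reported_by": "InfoSec Automation",
        "assignment_group": "InfoSec.AG",
        # SN fields that pull in notable event variables
        "severity": severity,
        "subclassification": sn_subclassification,
        "short_summary": rule_name + " - " + short_host,
        # The original had an aup/other branch here with identical text in both
        # arms; customise per ticket type if the wording should differ.
        "description": "Description: \n" + description + "\n\nSpecific information regarding what you want to show up in the SN ticket",
    }


def _get_splunk_session_key(baseurl, username, password):
    """Log in to splunkd and return a session key for the notable_update call.

    Args:
        baseurl: splunkd management URL ending in ``/``.
        username: Splunk user used for the REST call.
        password: That user's password.

    Raises:
        requests.exceptions.HTTPError: if the login is rejected.
    """
    auth_req = requests.post(
        baseurl + 'services/auth/login',
        data={'username': username, 'password': password, 'output_mode': 'json'},
        verify=False,
        timeout=_HTTP_TIMEOUT,
    )
    auth_req.raise_for_status()
    return auth_req.json()['sessionKey']


def _print_result_message(response_info):
    """Print the outcome reported by the notable_update handler.

    Args:
        response_info: Decoded JSON from ``updateNotableEvents`` carrying a
            ``success`` flag and, optionally, ``failure_count`` and ``message``.
    """
    if not response_info['success']:
        print("The operation was not successful")
    if response_info.get('failure_count', 0) > 0:
        print("Some failures were noted: " + str(response_info['failure_count']))
    print(response_info.get('message', ''))


def process_event(helper, *args, **kwargs):
    """Splunk alert action entry point.

    Opens a ServiceNow incident for the notable event and writes the ticket
    number and link back to the notable as a comment.

    Args:
        helper: Splunk Add-on Builder alert helper (``get_param``, ``log_info``,
            ``log_error``, ``addevent``, ``writeevents``).

    Returns:
        0 on success. Any failure propagates as an exception so that Splunk
        records it instead of silently marking the action as done.

    Raises:
        ValueError: if the notable's subclassification is not one of the
            mapped values.
    """
    helper.log_info("Alert action host_av started.")

    # Pulls variables in from the notable event. (file_name, file_path and
    # assigned_to are available the same way but were never used.)
    severity = helper.get_param("severity")
    subclassification = helper.get_param("subclassification")
    computer_name = helper.get_param("computer_name")
    description = helper.get_param("description")
    rule_name = helper.get_param("rule_name")
    event_id = helper.get_param("event_id")

    # Translate the subclassification into ServiceNow's label up front. The
    # original only printed a message here and then crashed with a NameError
    # when the unmapped value was used in the payload.
    sn_subclassification = _SN_SUBCLASSIFICATIONS.get(subclassification)
    if sn_subclassification is None:
        helper.log_error("You did not provide a valid subclassification.")
        raise ValueError("Invalid subclassification: %r" % (subclassification,))

    ###############################################################################################################
    # We don't use direct SN API calls but go through a third party. Use your SN API code here. This is just an example.
    # The credentials below are placeholders: load the real ones from Splunk's
    # secure storage (passwords.conf) rather than from this file, and do not
    # commit them. verify=False is kept for the example environment; point
    # verify at the CA bundle in production so the password and bearer token are
    # not exposed to an on-path attacker.
    sn_api_base = "https://service-now.api.domain.com"
    login_data = {'username': 'sn_user', 'password': 'XXXXXXXXXXXX'}
    token = _get_sn_token(sn_api_base, login_data)
    headers = {'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json'}

    # Create the SN ticket
    sn_input = _build_sn_incident(severity, sn_subclassification, rule_name, computer_name, description)
    resp = requests.post(
        sn_api_base + "/incidents",
        headers=headers,
        data=json.dumps(sn_input),
        verify=False,
        timeout=_HTTP_TIMEOUT,
    )
    if resp.text:
        print(resp.text)
        helper.addevent(resp.text, sourcetype="host_av")
    # Fail loudly on an error response instead of raising KeyError on a missing field.
    resp.raise_for_status()
    # Put the response data into json format so the ticket fields can be pulled out
    data = resp.json()
    ticket_number = data['number']
    sys_id = data['sys_id']
    sn_url = "https://service-now.com/nav_to.do?uri=incident.do?sys_id=" + sys_id

    ###############################################################################################################
    # Update the notable event with the ticket number and link
    baseurl = 'https://siem.domain.com:8089/'
    # Placeholder credentials again — see the note above about secure storage.
    sessionKey = _get_splunk_session_key(baseurl, 'splunk_api', 'XXXXXXXXXXXXXX')
    print("Updating some notable events...")
    _print_result_message(updateNotableEvents(sessionKey=sessionKey, baseurl=baseurl, status=5, comment=ticket_number + "\n" + sn_url, eventIDs=[event_id]))
    # Persist the events queued with addevent() above.
    helper.writeevents(index="_internal", host="localhost", source="adaptive_response")
    return 0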