mirror of
https://github.com/valitydev/Cortex-Analyzers.git
synced 2024-11-06 00:55:17 +00:00
Merge branch 'master' of https://github.com/yugoslavskiy/Cortex-Analyzers into yugoslavskiy-master
This commit is contained in:
commit
2d78f1570f
@ -1 +1,2 @@
|
||||
splunk-sdk
|
||||
cortexutils
|
||||
|
BIN
responders/Duo_Security/AddObservableType.jpg
Normal file
BIN
responders/Duo_Security/AddObservableType.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 127 KiB |
BIN
responders/Duo_Security/Demo_Lock-Unlock_DuoUser.gif
Normal file
BIN
responders/Duo_Security/Demo_Lock-Unlock_DuoUser.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 24 MiB |
34
responders/Duo_Security/DuoLockUserAccount.json
Normal file
34
responders/Duo_Security/DuoLockUserAccount.json
Normal file
@ -0,0 +1,34 @@
|
||||
{
|
||||
"name": "DuoLockUserAccount",
|
||||
"version": "1.0",
|
||||
"author": "Sven Kutzer / Gyorgy Acs, @oscd_initiative",
|
||||
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
|
||||
"license": "AGPL-V3",
|
||||
"description": "Lock User Account in Duo Security via AdminAPI (The user will not be able to log in)",
|
||||
"dataTypeList": ["thehive:case_artifact"],
|
||||
"command": "Duo_Security/duoLockUserAccount.py",
|
||||
"baseConfig": "Duo_Security_main",
|
||||
"configurationItems": [
|
||||
{
|
||||
"name": "API_hostname",
|
||||
"description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
|
||||
"type": "string",
|
||||
"multi": false,
|
||||
"required": true
|
||||
},
|
||||
{
|
||||
"name": "Integration_Key",
|
||||
"description": "Integration Key",
|
||||
"type": "string",
|
||||
"multi": false,
|
||||
"required": true
|
||||
},
|
||||
{
|
||||
"name": "Secret_Key",
|
||||
"description": "Secret Key",
|
||||
"type": "string",
|
||||
"multi": false,
|
||||
"required": true
|
||||
}
|
||||
]
|
||||
}
|
34
responders/Duo_Security/DuoUnlockUserAccount.json
Normal file
34
responders/Duo_Security/DuoUnlockUserAccount.json
Normal file
@ -0,0 +1,34 @@
|
||||
{
|
||||
"name": "DuoUnlockUserAccount",
|
||||
"version": "1.0",
|
||||
"author": "Sven Kutzer / Gyorgy Acs, @oscd_initiative",
|
||||
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
|
||||
"license": "AGPL-V3",
|
||||
"description": "Unlock User Account in Duo Security via AdminAPI (The user must complete secondary authentication)",
|
||||
"dataTypeList": ["thehive:case_artifact"],
|
||||
"command": "Duo_Security/duoUnlockUserAccount.py",
|
||||
"baseConfig": "Duo_Security_main",
|
||||
"configurationItems": [
|
||||
{
|
||||
"name": "API_hostname",
|
||||
"description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
|
||||
"type": "string",
|
||||
"multi": false,
|
||||
"required": true
|
||||
},
|
||||
{
|
||||
"name": "Integration_Key",
|
||||
"description": "Integration Key",
|
||||
"type": "string",
|
||||
"multi": false,
|
||||
"required": true
|
||||
},
|
||||
{
|
||||
"name": "Secret_Key",
|
||||
"description": "Secret Key",
|
||||
"type": "string",
|
||||
"multi": false,
|
||||
"required": true
|
||||
}
|
||||
]
|
||||
}
|
31
responders/Duo_Security/README.md
Normal file
31
responders/Duo_Security/README.md
Normal file
@ -0,0 +1,31 @@
|
||||
# CortexResponder_DuoUserAccount
|
||||
Rep. for Cortex Responder (TheHive project - https://github.com/TheHive-Project/CortexDocs)
|
||||
to Lock/Unlock User Accounts in the Duo Admin Portal (Cisco Security)
|
||||
|
||||
|
||||
There are two Responder available in order to change the status of a User in Duo Security via the AdminAPI (https://duo.com/docs/adminapi)
|
||||
|
||||
**DuoLockUserAccount** -> changes the "status" to “disabled” - The user will not be able to log in.
|
||||
|
||||
**DuoUnlockUserAccount** -> changes the "status" to “active” - The user must complete secondary authentication.
|
||||
|
||||
The Responder is looking for a "**username**" as input and queries the Duo Admin API, to receive the associated UserID.
|
||||
The UserID is used to change the "status" of the particular user.
|
||||
|
||||
## How to install:
|
||||
* copy the folders "DuoLockUserAccount" & "DuoUnlockUserAccount" into your Cortex responders path
|
||||
* install necessary python modules from the requirements.txt (**pip install -r requirements.txt**)
|
||||
* restart Cortex to initialize the new Responder "**systemctl restart cortex**"
|
||||
* add the ResponderConfig
|
||||
* ![ResponderConfig](ResponderConfig.jpg)
|
||||
* enable the Responder Actions
|
||||
* ![Responders](Responders.jpg)
|
||||
|
||||
## Add Observable type in TheHive**
|
||||
* per default TheHive has no "username" Observable type, so we have to add this in the Admin settings
|
||||
* ![AddObservableType](AddObservableType.jpg)
|
||||
|
||||
## Run the Responder action in TheHive
|
||||
|
||||
If you have add an observable, you can now take action and lock/unlock the User in Duo Security
|
||||
* ![Demo_Lock-Unlock_DuoUser](Demo_Lock-Unlock_DuoUser.gif)
|
BIN
responders/Duo_Security/ResponderConfig.jpg
Normal file
BIN
responders/Duo_Security/ResponderConfig.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 40 KiB |
BIN
responders/Duo_Security/Responders.jpg
Normal file
BIN
responders/Duo_Security/Responders.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 84 KiB |
48
responders/Duo_Security/duoLockUserAccount.py
Normal file
48
responders/Duo_Security/duoLockUserAccount.py
Normal file
@ -0,0 +1,48 @@
|
||||
#!/usr/bin/env python3
|
||||
# encoding: utf-8
|
||||
|
||||
from cortexutils.responder import Responder
|
||||
import requests
|
||||
import duo_client
|
||||
from datetime import datetime
|
||||
|
||||
class DuoLockUserAccount(Responder):
|
||||
def __init__(self):
|
||||
Responder.__init__(self)
|
||||
self.API_hostname = self.get_param('config.API_hostname', None, "API hostname is missing")
|
||||
self.iKey = self.get_param('config.Integration_Key', None, "Integration Key is missing")
|
||||
self.sKey = self.get_param('config.Secret_Key', None, "Secret Key is missing")
|
||||
|
||||
def run(self):
|
||||
Responder.run(self)
|
||||
|
||||
if self.get_param('data.dataType') == 'username':
|
||||
|
||||
str_username = self.get_param('data.data', None, 'No artifacts available')
|
||||
|
||||
admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
|
||||
|
||||
response = admin_api.get_users_by_name(username=str_username)
|
||||
|
||||
# print(response)
|
||||
|
||||
user_id=response[0]["user_id"]
|
||||
|
||||
# print("user_id:",user_id)
|
||||
|
||||
r = admin_api.update_user(user_id=user_id,status='disabled')
|
||||
|
||||
# print("response:",r)
|
||||
|
||||
if r.get('status') == 'disabled':
|
||||
self.report({'message': 'User is locked in Duo Security.'})
|
||||
else:
|
||||
self.error('Failed to lock User Account in Duo.')
|
||||
else:
|
||||
self.error('Incorrect dataType. "username" expected.')
|
||||
|
||||
def operations(self, raw):
|
||||
return [self.build_operation('AddTagToArtifact', tag='Duo User: locked')]
|
||||
|
||||
if __name__ == '__main__':
|
||||
DuoLockUserAccount().run()
|
48
responders/Duo_Security/duoUnlockUserAccount.py
Normal file
48
responders/Duo_Security/duoUnlockUserAccount.py
Normal file
@ -0,0 +1,48 @@
|
||||
#!/usr/bin/env python3
|
||||
# encoding: utf-8
|
||||
|
||||
from cortexutils.responder import Responder
|
||||
import requests
|
||||
import duo_client
|
||||
from datetime import datetime
|
||||
|
||||
class DuoUnlockUserAccount(Responder):
|
||||
def __init__(self):
|
||||
Responder.__init__(self)
|
||||
self.API_hostname = self.get_param('config.API_hostname', None, "API hostname is missing")
|
||||
self.iKey = self.get_param('config.Integration_Key', None, "Integration Key is missing")
|
||||
self.sKey = self.get_param('config.Secret_Key', None, "Secret Key is missing")
|
||||
|
||||
def run(self):
|
||||
Responder.run(self)
|
||||
|
||||
if self.get_param('data.dataType') == 'username':
|
||||
|
||||
str_username = self.get_param('data.data', None, 'No artifacts available')
|
||||
|
||||
admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
|
||||
|
||||
response = admin_api.get_users_by_name(username=str_username)
|
||||
|
||||
# print(response)
|
||||
|
||||
user_id=response[0]["user_id"]
|
||||
|
||||
# print("user_id:",user_id)
|
||||
|
||||
r = admin_api.update_user(user_id=user_id,status='active')
|
||||
|
||||
# print("response:",r)
|
||||
|
||||
if r.get('status') == 'active':
|
||||
self.report({'message': 'User is unlocked in Duo Security. The user must complete secondary authentication.'})
|
||||
else:
|
||||
self.error('Failed to unlock User Account in Duo.')
|
||||
else:
|
||||
self.error('Incorrect dataType. "username" expected.')
|
||||
|
||||
def operations(self, raw):
|
||||
return [self.build_operation('AddTagToArtifact', tag='Duo User: reactivated')]
|
||||
|
||||
if __name__ == '__main__':
|
||||
DuoUnlockUserAccount().run()
|
4
responders/Duo_Security/requirements.txt
Normal file
4
responders/Duo_Security/requirements.txt
Normal file
@ -0,0 +1,4 @@
|
||||
cortexutils
|
||||
requests
|
||||
datetime
|
||||
duo_client
|
Loading…
Reference in New Issue
Block a user