add new vesion configs and readme

This commit is contained in:
Konakin Maksim 2021-02-26 00:20:56 +03:00
parent cfa10131ec
commit 79e32de646
18 changed files with 54 additions and 68 deletions


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_block_external_IP_address",
"version": "2.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Block external IP address",
@ -35,8 +35,7 @@
"description": "name_external_name_security_rule_for_ip",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block external IP address"
"required": false
},
{
"name": "thehive_instance",
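Review bot: Dropping `"defaultValue": "TheHive Block external IP address"` while keeping `"required": false` (the hunk counts -35,8 +35,7 make that the surviving line) leaves the security-rule name unset unless every organisation fills it in by hand, and the responder script that consumes it is not in this diff, so a blank value may either fail at run time or be passed on to the firewall as an empty rule name. If the rule name is needed for the block to take effect, `"required": true` is the safer declaration; otherwise keep a default that an operator can recognise in the Responders Config page. The same default-removal pattern appears in every other block_* and unblock_* config in this commit, so whichever choice is made should be applied to all of them consistently.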


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_block_external_domain",
"version": "2.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Block external domain",
@ -28,8 +28,7 @@
"description": "User_PaloAltoNGFW",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "TheHive Block external Domain"
"required": true
},
{
"name": "name_security_rule",


@ -35,8 +35,7 @@
"description": "name_external_name_security_rule_for_port",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block external port"
"required": false
},
{
"name": "thehive_instance",


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_block_external_user",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Block external user",
@ -35,8 +35,7 @@
"description": "name_external_name_security_rule_for_users",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block user external communication"
"required": false
},
{
"name": "thehive_instance",


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_block_internal_IP_address",
"version": "2.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Block internal IP address",
@ -35,8 +35,7 @@
"description": "name_internal_name_security_rule_for_ip",
"type": "string",
"multi": false,
"required": false,
"defaultValue": 'TheHive Block internal IP address'
"required": false
},
{
"name": "thehive_instance",


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_block_internal_domain",
"version": "2.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Block internal domain",
@ -35,8 +35,7 @@
"description": "name_internal_security_rule_for_domain",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block internal Domain"
"required": false
},
{
"name": "thehive_instance",


@ -35,8 +35,7 @@
"description": "name_internal_name_security_rule_for_port",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block internal port"
"required": false
},
{
"name": "thehive_instance",


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_block_internal_user",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Block internal user",
@ -35,8 +35,7 @@
"description": "name_internal_name_security_rule_for_users",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block user internal communication"
"required": false
},
{
"name": "thehive_instance",


@ -1,13 +1,13 @@
{
"name": "PaloAltoNGFW_unblock_external_IP_address",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock ip",
"dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
"command": "PaloAltoNGFW/Unblock_external_ip.py",
"baseConfig": "PaloAltoNGFW_unblock_ip",
"baseConfig": "PaloAltoNGFW_main",
"configurationItems": [
{
"name": "Hostname_PaloAltoNGFW",
@ -31,12 +31,11 @@
"required": true
},
{
"name": "name_Address_Group",
"name": "name_external_Address_Group",
"description": "name_external_Address_Group",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Black list external IP"
"required": false
},
{
"name": "thehive_instance",


@ -1,13 +1,13 @@
{
"name": "PaloAltoNGFW_unblock_external_domain",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock domain",
"dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
"command": "PaloAltoNGFW/Unblock_external_domain.py",
"baseConfig": "PaloAltoNGFW_unblock_domain",
"baseConfig": "PaloAltoNGFW_main",
"configurationItems": [
{
"name": "Hostname_PaloAltoNGFW",
@ -31,12 +31,11 @@
"required": true
},
{
"name": "name_Address_Group",
"name": "name_external_Address_Group",
"description": "name_external_Address_Group_for_domain",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Black list external domain"
"required": false
},
{
"name": "thehive_instance",


@ -1,13 +1,13 @@
{
"name": "PaloAltoNGFW_unblock_external_port",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock domain",
"dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
"command": "PaloAltoNGFW/Unblock_external_port.py",
"baseConfig": "PaloAltoNGFW_unblock_port",
"baseConfig": "PaloAltoNGFW_main",
"configurationItems": [
{
"name": "Hostname_PaloAltoNGFW",
@ -31,12 +31,11 @@
"required": true
},
{
"name": "name_Service_Group",
"name": "name_external_Service_Group",
"description": "name_external_Service_Group",
"type": "string",
"multi": false,
"required": false,
"defaultValue": 'TheHive Black list external port'
"required": false
},
{
"name": "thehive_instance",
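Review bot: The responder description in the first hunk of this file still reads `"description": "Unblock domain"` although the responder is `PaloAltoNGFW_unblock_external_port`; this is the label an analyst sees when picking a responder in TheHive, and a wrong label invites running the wrong action against the firewall. Change it to `"description": "Unblock external port"`. The same copy-paste survives in PaloAltoNGFW_unblock_internal_port (also `"Unblock domain"`), and the IP/domain unblock responders say only `"Unblock ip"` / `"Unblock domain"` without the internal/external distinction their names and config items now carry, so a consistent pass over all eight unblock descriptions is worthwhile.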


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_unblock_external_user",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock external user",
@ -32,11 +32,10 @@
},
{
"name": "name_security_rule",
"description": "name_external_security_rule_for_users",
"description": "name_external_name_security_rule_for_users",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block user external communication"
"required": false
},
{
"name": "thehive_instance",
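Review bot: Only the description is renamed here (`name_external_security_rule_for_users` → `name_external_name_security_rule_for_users`) while the item keeps `"name": "name_security_rule"`; the other unblock hunks in this commit rename the item itself (`name_Address_Group` → `name_external_Address_Group`, `name_Service_Group` → `name_external_Service_Group`) when moving onto the shared `PaloAltoNGFW_main` base config. If this responder sits on the shared base config as well (its `baseConfig` line is outside the hunk), `name_security_rule` is also the item name declared by PaloAltoNGFW_block_external_domain, so a single configured value would feed two different firewall rules and an unblock could be applied to the wrong one. Renaming the item to match its description, `"name": "name_external_name_security_rule_for_users"`, keeps it distinct; PaloAltoNGFW_unblock_internal_user should be checked for the same (its item name is outside that hunk).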


@ -1,13 +1,13 @@
{
"name": "PaloAltoNGFW_unblock_internal_IP_address",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock ip",
"dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
"command": "PaloAltoNGFW/Unblock_internal_ip.py",
"baseConfig": "PaloAltoNGFW_unblock_ip",
"baseConfig": "PaloAltoNGFW_main",
"configurationItems": [
{
"name": "Hostname_PaloAltoNGFW",
@ -31,12 +31,11 @@
"required": true
},
{
"name": "name_Address_Group",
"name": "name_internal_Address_Group",
"description": "name_internal_Address_Group",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Black list internal IP"
"required": false
},
{
"name": "thehive_instance",


@ -1,13 +1,13 @@
{
"name": "PaloAltoNGFW_unblock_internal_domain",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock domain",
"dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
"command": "PaloAltoNGFW/Unblock_internal_domain.py",
"baseConfig": "PaloAltoNGFW_unblock_domain",
"baseConfig": "PaloAltoNGFW_main",
"configurationItems": [
{
"name": "Hostname_PaloAltoNGFW",
@ -31,12 +31,11 @@
"required": true
},
{
"name": "name_Address_Group",
"name": "name_internal_Address_Group",
"description": "name_internal_Address_Group_for_domain",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Black list internal domain"
"required": false
},
{
"name": "thehive_instance",


@ -1,13 +1,13 @@
{
"name": "PaloAltoNGFW_unblock_internal_port",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock domain",
"dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
"command": "PaloAltoNGFW/Unblock_internal_port.py",
"baseConfig": "PaloAltoNGFW_unblock_port",
"baseConfig": "PaloAltoNGFW_main",
"configurationItems": [
{
"name": "Hostname_PaloAltoNGFW",
@ -31,12 +31,11 @@
"required": true
},
{
"name": "name_Service_Group",
"name": "name_internal_Service_Group",
"description": "name_internal_Service_Group",
"type": "string",
"multi": false,
"required": false,
"defaultValue": 'TheHive Black list internal port'
"required": false
},
{
"name": "thehive_instance",


@ -1,7 +1,7 @@
{
"name": "PaloAltoNGFW_unblock_internal_user",
"version": "1.0.0",
"author": "Maxim Konakin, OSCD Initiative",
"author": "Maxim Konakin, OSCD Community",
"url": "",
"license": "AGPL-V3",
"description": "Unblock internal user",
@ -35,8 +35,7 @@
"description": "name_internal_name_security_rule_for_users",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "TheHive Block user internal communication"
"required": false
},
{
"name": "thehive_instance",


@ -5,10 +5,10 @@
# Installation
need install:
1. cortexutils
2. requests
3. pan-os-python
4. thehive4py
1. pip install cortexutils
2. pip install requests
3. pip install pan-os-python
4. pip install thehive4py
# ToDo
Для работы responders, необходимо загрузить папку PaloAltoNGFW в директорию, где храняться другие responder. Далее перейти в загруженную папку и сделать запускаемыми скрипты на языке python командой "chmod +x *.py"
@ -16,7 +16,7 @@ need install:
Далее необходимо:
Выполнить перезагрузку системы cortex;
После перезагрузки в веб консоли cortex перейти на вкладку "Organization", выбрать организацию для которой будет выполнена настройка и перейти на вкладку "Responders", выбрать интерисующий Вас responder и настроить поля в соответсвии с их значениями:
После перезагрузки в веб консоли cortex перейти на вкладку "Organization", выбрать организацию для которой будет выполнена настройка и перейти на вкладку "Responders Config" и выполняем настройку полей в соответсвии с их значениями:
![alt text](Responders.jpg)
1. Hostname_PaloAltoNGFW - сетевой адрес системы PaloAltoNGFW
2. User_PaloAltoNGFW - пользователь в системе PaloAltoNGFW
@ -38,7 +38,8 @@ need install:
4.4.1 "TheHive Block internal port"
4.4.2 "TheHive Block external port"
4.5 thehive_instance - url адрес системы TheHive (используется только для типов case и alert)
4.5 thehive_instance - url адрес системы TheHive (используется только для типов case и alert).
Важно для каждой организации должен быть свой пользователь с API!
4.6 thehive_api_key - API ключ для подключения к системе TheHive
Примечание: указанные правила безопасноти должны быть созданы в PaloAltoNGFW, а так же расставлены в порядке их применения.
@ -46,6 +47,7 @@ need install:
1. Сетевой адрес - 'ip'
2. FQDN - 'hostname'
3. порт - 'port'
4. имя пользователя - 'user-agent'
Примечание: данный тип необходимо создать в системе TheHive. По умолчанию TheHive не имеет типа данных "user-agent" в Observable type, поэтому мы должны добавить его в настройках администратора.
4. протокол - 'protocol'
5. имя пользователя - 'user-agent'
Примечание: типы 'port' и 'protocol' необходимо создать в системе TheHive. По умолчанию TheHive не имеет данных типов данных в Observable type, поэтому мы должны добавить его в настройках администратора.
![alt text](AddObservableType.jpg)


@ -1,4 +1,4 @@
cortexutils
requests
panos
pan-os-python
thehive4py
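Review bot: The replacement line `pan-os-python` is unpinned, as is every other entry in this file, so `pip install -r requirements.txt` resolves to whatever the index serves that day and the dependency set these responders were tested against cannot be reproduced or audited. Pin each line to the tested release, e.g. `pan-os-python==<pinned-version>` (placeholder; fill in the version used during testing), and consider adding `--hash=sha256:...` entries so an installation is rejected if a package's contents change. The README in this commit installs the same four packages by bare name, so it should point at this file rather than duplicating the list.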