valitydev/Cortex-Analyzers
14
0
Fork 0
mirror of https://github.com/valitydev/Cortex-Analyzers.git synced 2024-11-06 09:05:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

New Responder KnowBe4 (#549)

Browse Source 
* Create KnowBe4.json

* Create KnowBe4.py

* Create requirements.txt

* Create Dockerfile

* Move KnowBe4 to responders dir

* Add additional payload params

Co-authored-by: Jerome Leonard <jeromeleonard@users.noreply.github.com>
This commit is contained in:
Kyle Parrish 2020-01-08 15:58:40 -05:00 committed by Nabil Adouani
parent 47b7762f4b
commit a155548f20
8 changed files with 282 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
analyzers/KnowBe4/Dockerfile Normal file
View File

@ -0,0 +1,6 @@
FROM python:3
WORKDIR /worker
COPY . KnowBe4
RUN pip install --no-cache-dir -r KnowBe4/requirements.txt
ENTRYPOINT KnowBe4/KnowBe4.py

59
analyzers/KnowBe4/KnowBe4.json Normal file
View File

@ -0,0 +1,59 @@
{
"name": "KnowBe4",
"version": "1.0",
"author": "Kyle Parrish",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Add 'Clicked Event' to User via User Events API.",
"dataTypeList": [
"thehive:case_artifact"
],
"command": "KnowBe4/KnowBe4.py",
"baseConfig": "KnowBe4",
"configurationItems": [
{
"name": "api_url",
"description": "Base API url",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "https://api.events.knowbe4.com/events"
},
{
"name": "hive_url",
"description": "Specify The Hive Instance URL",
"type": "string",
"multi": false,
"required": true
},
{
"name": "api_key",
"description": "Api Key",
"type": "string",
"multi": false,
"required": true
},
{
"name": "required_tag",
"description": "Specify a tag that must be present for responder to run.",
"type": "string",
"multi": false,
"required": false
},
{
"name": "event_type",
"description": "Specify the Event Type for the new event. https://developer.knowbe4.com/events/#tag/Event-Types",
"type": "string",
"multi": false,
"required": true
},
{
"name": "risk_level",
"description": "Specify the desired risk level. https://developer.knowbe4.com/events/#tag/Events/paths/~1events/post",
"type": "integer",
"multi": false,
"required": false,
"defaultValue": 10
}
]
}

76
analyzers/KnowBe4/KnowBe4.py Normal file
View File

@ -0,0 +1,76 @@
#!/usr/bin/python3
# encoding: utf-8
from cortexutils.responder import Responder
import requests
class KnowBe4(Responder):
def __init__(self):
Responder.__init__(self)
self.api_url = self.get_param(
'config.api_url', None, "Base URL Missing")
self.hive_url = self.get_param(
'config.hive_url', None, "Hive URL Missing")
self.api_key = self.get_param(
'config.api_key', None, "API Key Missing")
self.event_type = self.get_param(
'config.event_type', None, "Event Type Missing")
self.required_tag = self.get_param(
'config.required_tag', None, "Required tags missing.")
def run(self):
Responder.run(self)
if self.get_param('data.dataType') == 'mail':
tags = self.get_param('data.tags')
if self.required_tag in tags or self.required_tag is None:
target_user = self.get_param(
'data.data', None, 'No email address found')
headers = {
'Authorization': 'Bearer ' + self.api_key,
'user-agent': 'KnowBe4-Cortex-Responder',
'Content-Type': 'application/json',
'Accept': 'application/json'
}
thehive_case = '{}/index.html#!/case/{}/details'.format(
self.hive_url, self.get_param('data.case._routing'))
description = 'TheHive Case: {}\n Description: {}\n URL: {}'.format(self.get_param(
'data.case.title'), self.get_param('data.case.description'), thehive_case)
payload = {
'target_user': target_user,
'event_type': self.event_type,
'description': description,
'external_id': self.get_param('data.case._routing'),
'source': 'TheHive',
'risk_level': 10
}
r = requests.post(self.api_url,
json=payload, headers=headers)
if r.status_code == 200 | 201:
self.report({'message': 'Added user event.'})
else:
self.error(
'Failed report user to KnowBe4. Status: ' + str(r.status_code))
else:
self.error(
'Email address not tagged with the required tag. ' + self.required_tag)
else:
self.error('Incorrect dataType. "Mail" expected.')
def operations(self, raw):
return [self.build_operation('AddTagToArtifact', tag='kb4:clicker')]
if __name__ == '__main__':
KnowBe4().run()

1
analyzers/KnowBe4/requirements.txt Normal file
View File

@ -0,0 +1 @@
requests

6
responders/KnowBe4/Dockerfile Normal file
View File

@ -0,0 +1,6 @@
FROM python:3
WORKDIR /worker
COPY . KnowBe4
RUN pip install --no-cache-dir -r KnowBe4/requirements.txt
ENTRYPOINT KnowBe4/KnowBe4.py

59
responders/KnowBe4/KnowBe4.json Normal file
View File

@ -0,0 +1,59 @@
{
"name": "KnowBe4",
"version": "1.0",
"author": "Kyle Parrish",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Add 'Clicked Event' to User via User Events API.",
"dataTypeList": [
"thehive:case_artifact"
],
"command": "KnowBe4/KnowBe4.py",
"baseConfig": "KnowBe4",
"configurationItems": [
{
"name": "api_url",
"description": "Base API url",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "https://api.events.knowbe4.com/events"
},
{
"name": "hive_url",
"description": "Specify The Hive Instance URL",
"type": "string",
"multi": false,
"required": true
},
{
"name": "api_key",
"description": "Api Key",
"type": "string",
"multi": false,
"required": true
},
{
"name": "required_tag",
"description": "Specify a tag that must be present for responder to run.",
"type": "string",
"multi": false,
"required": false
},
{
"name": "event_type",
"description": "Specify the Event Type for the new event. https://developer.knowbe4.com/events/#tag/Event-Types",
"type": "string",
"multi": false,
"required": true
},
{
"name": "risk_level",
"description": "Specify the desired risk level. https://developer.knowbe4.com/events/#tag/Events/paths/~1events/post",
"type": "integer",
"multi": false,
"required": false,
"defaultValue": 10
}
]
}

74
responders/KnowBe4/KnowBe4.py Normal file
View File

@ -0,0 +1,74 @@
#!/usr/bin/python3
# encoding: utf-8
from cortexutils.responder import Responder
import requests
class KnowBe4(Responder):
def __init__(self):
Responder.__init__(self)
self.api_url = self.get_param(
'config.api_url', None, "Base URL Missing")
self.hive_url = self.get_param(
'config.hive_url', None, "Hive URL Missing")
self.api_key = self.get_param(
'config.api_key', None, "API Key Missing")
self.event_type = self.get_param(
'config.event_type', None, "Event Type Missing")
self.required_tag = self.get_param(
'config.required_tag', None, "Required tags missing.")
def run(self):
Responder.run(self)
if self.get_param('data.dataType') == 'mail':
tags = self.get_param('data.tags')
if self.required_tag in tags or self.required_tag is None:
target_user = self.get_param(
'data.data', None, 'No email address found')
headers = {
'Authorization': 'Bearer ' + self.api_key,
'user-agent': 'KnowBe4-Cortex-Responder',
'Content-Type': 'application/json',
'Accept': 'application/json'
}
thehive_case = '{}/index.html#!/case/{}/details'.format(
self.hive_url, self.get_param('data.case._routing'))
description = 'TheHive Case: {}\n Description: {}\n URL: {}'.format(self.get_param(
'data.case.title'), self.get_param('data.case.description'), thehive_case)
payload = {
'target_user': target_user,
'event_type': self.event_type,
'description': description,
'risk_level': 10
}
r = requests.post(self.api_url,
json=payload, headers=headers)
if r.status_code == 200 | 201:
self.report({'message': 'Added user event.'})
else:
self.error(
'Failed report user to KnowBe4. Status: ' + str(r.status_code))
else:
self.error(
'Email address not tagged with the required tag. ' + self.required_tag)
else:
self.error('Incorrect dataType. "Mail" expected.')
def operations(self, raw):
return [self.build_operation('AddTagToArtifact', tag='kb4:clicker')]
if __name__ == '__main__':
KnowBe4().run()

1
responders/KnowBe4/requirements.txt Normal file
View File

@ -0,0 +1 @@
requests