New Responder KnowBe4 (#549)

* Create KnowBe4.json

* Create KnowBe4.py

* Create requirements.txt

* Create Dockerfile

* Move KnowBe4 to responders dir

* Add additional payload params

Co-authored-by: Jerome Leonard <jeromeleonard@users.noreply.github.com>

analyzers/KnowBe4/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3
+
+WORKDIR /worker
+COPY . KnowBe4
+RUN pip install --no-cache-dir -r KnowBe4/requirements.txt
+ENTRYPOINT KnowBe4/KnowBe4.py

analyzers/KnowBe4/KnowBe4.json

@@ -0,0 +1,59 @@
+{
+    "name": "KnowBe4",
+    "version": "1.0",
+    "author": "Kyle Parrish",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Add 'Clicked Event' to User via User Events API.",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "KnowBe4/KnowBe4.py",
+    "baseConfig": "KnowBe4",
+    "configurationItems": [
+        {
+            "name": "api_url",
+            "description": "Base API url",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.events.knowbe4.com/events"
+        },
+        {
+            "name": "hive_url",
+            "description": "Specify The Hive Instance URL",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key",
+            "description": "Api Key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "required_tag",
+            "description": "Specify a tag that must be present for responder to run.",
+            "type": "string",
+            "multi": false,
+            "required": false
+        },
+        {
+            "name": "event_type",
+            "description": "Specify the Event Type for the new event. https://developer.knowbe4.com/events/#tag/Event-Types",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "risk_level",
+            "description": "Specify the desired risk level. https://developer.knowbe4.com/events/#tag/Events/paths/~1events/post",
+            "type": "integer",
+            "multi": false,
+            "required": false,
+            "defaultValue": 10
+        }
+    ]
+}

analyzers/KnowBe4/KnowBe4.py

@@ -0,0 +1,76 @@
+#!/usr/bin/python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+
+
+class KnowBe4(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.api_url = self.get_param(
+            'config.api_url', None, "Base URL Missing")
+        self.hive_url = self.get_param(
+            'config.hive_url', None, "Hive URL Missing")
+        self.api_key = self.get_param(
+            'config.api_key', None, "API Key Missing")
+        self.event_type = self.get_param(
+            'config.event_type', None, "Event Type Missing")
+        self.required_tag = self.get_param(
+            'config.required_tag', None, "Required tags missing.")
+
+    def run(self):
+        Responder.run(self)
+
+        if self.get_param('data.dataType') == 'mail':
+
+            tags = self.get_param('data.tags')
+
+            if self.required_tag in tags or self.required_tag is None:
+
+                target_user = self.get_param(
+                    'data.data', None, 'No email address found')
+
+                headers = {
+                    'Authorization': 'Bearer ' + self.api_key,
+                    'user-agent': 'KnowBe4-Cortex-Responder',
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json'
+                }
+
+                thehive_case = '{}/index.html#!/case/{}/details'.format(
+                    self.hive_url, self.get_param('data.case._routing'))
+
+                description = 'TheHive Case: {}\n Description: {}\n URL: {}'.format(self.get_param(
+                    'data.case.title'), self.get_param('data.case.description'), thehive_case)
+
+                payload = {
+                    'target_user': target_user,
+                    'event_type': self.event_type,
+                    'description': description,
+                    'external_id': self.get_param('data.case._routing'),
+                    'source': 'TheHive',
+                    'risk_level': 10
+                }
+
+                r = requests.post(self.api_url,
+                                  json=payload, headers=headers)
+
+                if r.status_code == 200 | 201:
+                    self.report({'message': 'Added user event.'})
+                else:
+                    self.error(
+                        'Failed report user to KnowBe4. Status: ' + str(r.status_code))
+
+            else:
+                self.error(
+                    'Email address not tagged with the required tag. ' + self.required_tag)
+        else:
+            self.error('Incorrect dataType. "Mail" expected.')
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='kb4:clicker')]
+
+
+if __name__ == '__main__':
+    KnowBe4().run()

analyzers/KnowBe4/requirements.txt

@@ -0,0 +1 @@
+requests

responders/KnowBe4/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3
+
+WORKDIR /worker
+COPY . KnowBe4
+RUN pip install --no-cache-dir -r KnowBe4/requirements.txt
+ENTRYPOINT KnowBe4/KnowBe4.py

responders/KnowBe4/KnowBe4.json

@@ -0,0 +1,59 @@
+{
+    "name": "KnowBe4",
+    "version": "1.0",
+    "author": "Kyle Parrish",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Add 'Clicked Event' to User via User Events API.",
+    "dataTypeList": [
+        "thehive:case_artifact"
+    ],
+    "command": "KnowBe4/KnowBe4.py",
+    "baseConfig": "KnowBe4",
+    "configurationItems": [
+        {
+            "name": "api_url",
+            "description": "Base API url",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.events.knowbe4.com/events"
+        },
+        {
+            "name": "hive_url",
+            "description": "Specify The Hive Instance URL",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "api_key",
+            "description": "Api Key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "required_tag",
+            "description": "Specify a tag that must be present for responder to run.",
+            "type": "string",
+            "multi": false,
+            "required": false
+        },
+        {
+            "name": "event_type",
+            "description": "Specify the Event Type for the new event. https://developer.knowbe4.com/events/#tag/Event-Types",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "risk_level",
+            "description": "Specify the desired risk level. https://developer.knowbe4.com/events/#tag/Events/paths/~1events/post",
+            "type": "integer",
+            "multi": false,
+            "required": false,
+            "defaultValue": 10
+        }
+    ]
+}

responders/KnowBe4/KnowBe4.py

@@ -0,0 +1,74 @@
+#!/usr/bin/python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+
+
+class KnowBe4(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.api_url = self.get_param(
+            'config.api_url', None, "Base URL Missing")
+        self.hive_url = self.get_param(
+            'config.hive_url', None, "Hive URL Missing")
+        self.api_key = self.get_param(
+            'config.api_key', None, "API Key Missing")
+        self.event_type = self.get_param(
+            'config.event_type', None, "Event Type Missing")
+        self.required_tag = self.get_param(
+            'config.required_tag', None, "Required tags missing.")
+
+    def run(self):
+        Responder.run(self)
+
+        if self.get_param('data.dataType') == 'mail':
+
+            tags = self.get_param('data.tags')
+
+            if self.required_tag in tags or self.required_tag is None:
+
+                target_user = self.get_param(
+                    'data.data', None, 'No email address found')
+
+                headers = {
+                    'Authorization': 'Bearer ' + self.api_key,
+                    'user-agent': 'KnowBe4-Cortex-Responder',
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json'
+                }
+
+                thehive_case = '{}/index.html#!/case/{}/details'.format(
+                    self.hive_url, self.get_param('data.case._routing'))
+
+                description = 'TheHive Case: {}\n Description: {}\n URL: {}'.format(self.get_param(
+                    'data.case.title'), self.get_param('data.case.description'), thehive_case)
+
+                payload = {
+                    'target_user': target_user,
+                    'event_type': self.event_type,
+                    'description': description,
+                    'risk_level': 10
+                }
+
+                r = requests.post(self.api_url,
+                                  json=payload, headers=headers)
+
+                if r.status_code == 200 | 201:
+                    self.report({'message': 'Added user event.'})
+                else:
+                    self.error(
+                        'Failed report user to KnowBe4. Status: ' + str(r.status_code))
+
+            else:
+                self.error(
+                    'Email address not tagged with the required tag. ' + self.required_tag)
+        else:
+            self.error('Incorrect dataType. "Mail" expected.')
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='kb4:clicker')]
+
+
+if __name__ == '__main__':
+    KnowBe4().run()

responders/KnowBe4/requirements.txt

@@ -0,0 +1 @@
+requests