Add Responder for port with rules

Add Responder for: 1. Block internal port 2. Block external port 3. Unblock internal port 4. Unblock external port
2024-11-06 09:05:19 +00:00 · 2020-10-29 18:37:56 +03:00 · 2020-10-29 18:37:56 +03:00 · c45961fa0a
commit c45961fa0a
parent 456bf91c26
14 changed files with 277 additions and 129 deletions
--- a/responders/PaloAltoNGFW_block_external_port/Block_port.py
+++ b/responders/PaloAltoNGFW_block_external_port/Block_port.py
@ -6,13 +6,15 @@ from thehive4py.api import TheHiveApi
 from panos import firewall
 import panos.objects
 import re
+import panos.policies
+
 class Block_port(Responder):
    def __init__(self):
        Responder.__init__(self)
        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
-        self.name_external_Service_Group = self.get_param('config.name_external_Service_Group')
+        self.name_security_rule = self.get_param('config.name_security_rule','Block external port')
        self.thehive_instance = self.get_param('config.thehive_instance')
        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
@ -34,6 +36,9 @@ class Block_port(Responder):
        port=re.findall(r'[0-9]+',str(data)); port="".join(port)
        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
        panos.objects.ServiceObject.refreshall(fw)
+        rulebase = panos.policies.Rulebase()
+        fw.add(rulebase)
+        current_security_rules =panos.policies.SecurityRule.refreshall(rulebase)
        if port not in str(fw.find(port, panos.objects.ServiceObject)):
            new_port_object = panos.objects.ServiceObject(port, protocol, description="Blocked port",destination_port=port)
            fw.add(new_port_object)
@ -41,13 +46,28 @@ class Block_port(Responder):

            
        panos.objects.ServiceGroup.refreshall(fw)
-        block_list = fw.find(self.name_external_Service_Group, panos.objects.ServiceGroup)
-        port_list = block_list.about().get('value')
-        if port not in port_list:
-            port_list.append(port)
-            temp1 = panos.objects.ServiceGroup(self.name_external_Service_Group, value=port_list)
+        block_list = fw.find("Black list external port", panos.objects.ServiceGroup)
+        if block_list != None:
+            port_list = block_list.about().get('value')
+            if port not in port_list:
+                port_list.append(port)
+                temp1 = panos.objects.ServiceGroup("Black list external port", value=port_list)
+                fw.add(temp1)
+                temp1.apply()
+        elif block_list == None:
+            temp1 = panos.objects.ServiceGroup("Black list external port", value=port)
            fw.add(temp1)
            temp1.apply()
+        desired_rule_params = {
+            "name": self.name_security_rule,
+            "description": "Block external port",
+            "type": "interzone",
+            "action": "deny",
+            'service': "Black list external port"
+            }
+        new_rule = panos.policies.SecurityRule(**desired_rule_params)
+        rulebase.add(new_rule)
+        new_rule.apply()
        self.report({'message': 'message sent'})

 if __name__ == '__main__':
--- a/responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json
+++ b/responders/PaloAltoNGFW_block_external_port/PaloAltoNGFW_block_external_port.json
@ -1,6 +1,6 @@
 {
  "name": "PaloAltoNGFW_block_external_port",
-  "version": "1.0.0",
+  "version": "2.0.0",
  "author": "Maxim Konakin",
  "url": "",
  "license": "AGPL-V3",
@ -31,11 +31,11 @@
      "required": true
    },
    {
-      "name": "name_external_Service_Group",
-      "description": "name_external_Service_Group",
+      "name": "name_security_rule",
+      "description": "name_external_name_security_rule_for_port",
      "type": "string",
      "multi": false,
-      "required": true
+      "required": false
    },
 	{
        "name": "thehive_instance",
--- a/responders/PaloAltoNGFW_block_external_port/README.md
+++ b/responders/PaloAltoNGFW_block_external_port/README.md
@ -10,14 +10,12 @@ need install:

 # ToDo

-to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in  "name_external_Service_Group".
-
-First: you need add field "port" and "protocol" to "Observable types management" in the hive.
-or you can change script and call your field names
+to work, you need set setting PaloAltoNGFW and The Hive. If you want create or add setting for custom rule you need set "name_security_rule"

 principle of operation:
 1. the value is selected from the alert the hive.
-2. ioc compare against already added Service_Group.
-3. if ioc not in Service_Group, will add field port and protocol
-4. if ioc in Service_Group, next step
-5. checks if there is already a blocking list, if not, ioc will add
+2. ioc compare against already added ServiceObject.
+3. if ioc not in ServiceObject, will add
+4. if ioc in ServiceObject, next step
+5. checks if there is already a blocking list, if not, ioc will add
+6. create security rule and add ServiceGroup
--- a/responders/PaloAltoNGFW_block_internal_port/Block_port.py
+++ b/responders/PaloAltoNGFW_block_internal_port/Block_port.py
@ -5,6 +5,7 @@ from cortexutils.responder import Responder
 from thehive4py.api import TheHiveApi
 from panos import firewall
 import panos.objects
+import panos.policies
 import re
 class Block_port(Responder):
    def __init__(self):
@ -12,7 +13,7 @@ class Block_port(Responder):
        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
-        self.name_internal_Service_Group = self.get_param('config.name_internal_Service_Group')
+        self.name_security_rule = self.get_param('config.name_security_rule','Block internal port')
        self.thehive_instance = self.get_param('config.thehive_instance')
        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
@ -34,6 +35,9 @@ class Block_port(Responder):
        port=re.findall(r'[0-9]+',str(data)); port="".join(port)
        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
        panos.objects.ServiceObject.refreshall(fw)
+        rulebase = panos.policies.Rulebase()
+        fw.add(rulebase)
+        current_security_rules =panos.policies.SecurityRule.refreshall(rulebase)
        if port not in str(fw.find(port, panos.objects.ServiceObject)):
            new_port_object = panos.objects.ServiceObject(port, protocol, description="Blocked port",destination_port=port)
            fw.add(new_port_object)
@ -41,13 +45,28 @@ class Block_port(Responder):

            
        panos.objects.ServiceGroup.refreshall(fw)
-        block_list = fw.find(self.name_internal_Service_Group, panos.objects.ServiceGroup)
-        port_list = block_list.about().get('value')
-        if port not in port_list:
-            port_list.append(port)
-            temp1 = panos.objects.ServiceGroup(self.name_internal_Service_Group, value=port_list)
+        block_list = fw.find("Black list internal port", panos.objects.ServiceGroup)
+        if block_list != None:
+            port_list = block_list.about().get('value')
+            if port not in port_list:
+                port_list.append(port)
+                temp1 = panos.objects.ServiceGroup("Black list internal port", value=port_list)
+                fw.add(temp1)
+                temp1.apply()
+        elif block_list == None:
+            temp1 = panos.objects.ServiceGroup("Black list internal port", value=port)
            fw.add(temp1)
            temp1.apply()
+        desired_rule_params = {
+            "name": self.name_security_rule,
+            "description": "Block internal port",
+            "type": "interzone",
+            "action": "deny",
+            'service': "Black list internal port"
+            }
+        new_rule = panos.policies.SecurityRule(**desired_rule_params)
+        rulebase.add(new_rule)
+        new_rule.apply()
        self.report({'message': 'message sent'})

 if __name__ == '__main__':
--- a/responders/PaloAltoNGFW_block_internal_port/PaloAltoNGFW_block_internal_port.json
+++ b/responders/PaloAltoNGFW_block_internal_port/PaloAltoNGFW_block_internal_port.json
@ -1,6 +1,6 @@
 {
  "name": "PaloAltoNGFW_block_internal_port",
-  "version": "1.0.0",
+  "version": "2.0.0",
  "author": "Maxim Konakin",
  "url": "",
  "license": "AGPL-V3",
@ -31,11 +31,11 @@
      "required": true
    },
    {
-      "name": "name_internal_Service_Group",
-      "description": "name_internal_Service_Group",
+      "name": "name_security_rule",
+      "description": "name_internal_name_security_rule_for_port",
      "type": "string",
      "multi": false,
-      "required": true
+      "required": false
    },
 	{
        "name": "thehive_instance",
--- a/responders/PaloAltoNGFW_block_internal_port/README.md
+++ b/responders/PaloAltoNGFW_block_internal_port/README.md
@ -10,14 +10,12 @@ need install:

 # ToDo

-to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in  "name_internal_Service_Group".
-
-First: you need add field "port" and "protocol" to "Observable types management" in the hive.
-or you can change script and call your field names
+to work, you need set setting PaloAltoNGFW and The Hive. If you want create or add setting for custom rule you need set "name_security_rule"

 principle of operation:
 1. the value is selected from the alert the hive.
-2. ioc compare against already added Service_Group.
-3. if ioc not in Service_Group, will add field port and protocol
-4. if ioc in Service_Group, next step
-5. checks if there is already a blocking list, if not, ioc will add
+2. ioc compare against already added ServiceObject.
+3. if ioc not in ServiceObject, will add
+4. if ioc in ServiceObject, next step
+5. checks if there is already a blocking list, if not, ioc will add
+6. create security rule and add ServiceGroup
--- a/responders/PaloAltoNGFW_unblock_external_port/PaloAltoNGFW_unblock_external_port.json
+++ b/responders/PaloAltoNGFW_unblock_external_port/PaloAltoNGFW_unblock_external_port.json
@ -1,13 +1,13 @@
 {
-  "name": "PaloAltoNGFW_unblock_ip",
+  "name": "PaloAltoNGFW_unblock_external_port",
  "version": "1.0.0",
  "author": "Maxim Konakin",
  "url": "",
  "license": "AGPL-V3",
-  "description": "Unblock ip",
+  "description": "Unblock domain",
  "dataTypeList": ["thehive:alert"],
-  "command": "PaloAltoNGFW_unblock_ip/Unblock_ip.py",
-  "baseConfig": "PaloAltoNGFW_unblock_ip",
+  "command": "PaloAltoNGFW_unblock_external_port/Unblock_port.py",
+  "baseConfig": "PaloAltoNGFW_unblock_port",
  "configurationItems": [
    {
      "name": "Hostname_PaloAltoNGFW",
@ -31,18 +31,11 @@
      "required": true
    },
    {
-      "name": "name_internal_Address_Group",
-      "description": "name_internal_Address_Group_for_ip",
+      "name": "name_external_Service_Group",
+      "description": "name_external_Service_Group",
      "type": "string",
      "multi": false,
-      "required": true
-    },
-     {
-      "name": "name_external_Address_Group",
-      "description": "name_external_Address_Group_for_ip",
-      "type": "string",
-      "multi": false,
-      "required": true
+      "required": false
    },
    {
      "name": "thehive_instance",
--- a/responders/PaloAltoNGFW_unblock_external_port/README.md
+++ b/responders/PaloAltoNGFW_unblock_external_port/README.md
@ -0,0 +1,19 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need set setting PaloAltoNGFW and The Hive. If you want delete in custom Address Group you need set "ServiceGroup"
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added AddressObject.
+3. if ioc in ServiceGroup, will delete
+4. if ioc in ServiceObject, will delete
--- a/responders/PaloAltoNGFW_unblock_external_port/Unblock_port.py
+++ b/responders/PaloAltoNGFW_unblock_external_port/Unblock_port.py
@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+import re
+class Unblock_port(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+        self.name_external_Service_Group = self.get_param('config.name_external_Service_Group','Black list external port')
+        self.thehive_instance = self.get_param('config.thehive_instance')
+        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+    def run(self):
+        alertId = self.get_param('data.id')
+        response = self.api.get_alert(alertId)
+        data_list=[]
+        data=None
+        for i in response.json().get("artifacts"):
+            if "'port'," in str(i):
+               ioc = i.get("data")
+               data_list.append(i.get("data"))
+            elif "'protocol'," in str(i):
+               ioc = i.get("data")
+               data_list.append(i.get("data"))
+            data=" ".join(data_list)
+        protocol=re.findall(r'[a-z]+',str(data)); protocol=str("".join(protocol)).lower()
+        port=re.findall(r'[0-9]+',str(data)); port="".join(port)
+        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+        panos.objects.ServiceGroup.refreshall(fw)
+        block_list = fw.find(self.name_external_Service_Group, panos.objects.ServiceGroup)
+        port_list = block_list.about().get('value')    
+        if port in port_list:
+            port_list.remove(port)
+            temp1 = panos.objects.ServiceGroup(self.name_external_Service_Group, value=port_list)
+            fw.add(temp1)
+            temp1.apply()
+        
+        panos.objects.ServiceObject.refreshall(fw)
+        if port in str(fw.find(port, panos.objects.ServiceObject)):
+            deleted_ioc = fw.find(port, panos.objects.ServiceObject)
+            deleted_ioc.delete()
+        
+        self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+    Unblock_port().run()
--- a/responders/PaloAltoNGFW_unblock_internal_port/PaloAltoNGFW_unblock_internal_port.json
+++ b/responders/PaloAltoNGFW_unblock_internal_port/PaloAltoNGFW_unblock_internal_port.json
@ -0,0 +1,55 @@
+{
+  "name": "PaloAltoNGFW_unblock_internal_port",
+  "version": "1.0.0",
+  "author": "Maxim Konakin",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Unblock domain",
+  "dataTypeList": ["thehive:alert"],
+  "command": "PaloAltoNGFW_unblock_internal_port/Unblock_port.py",
+  "baseConfig": "PaloAltoNGFW_unblock_port",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User_PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "name_internal_Service_Group",
+      "description": "name_internal_Service_Group",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "thehive_instance",
+      "description": "URL of the Thehive instance to query",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+	  "name": "thehive_api_key",
+	  "description": "TheHive API key with read access",
+	  "type": "string",
+	  "multi": false,
+	  "required": true
+    }
+  ]
+}
--- a/responders/PaloAltoNGFW_unblock_internal_port/README.md
+++ b/responders/PaloAltoNGFW_unblock_internal_port/README.md
@ -0,0 +1,19 @@
+# Block external IP address for Palo Alto NGFW
+
+Response module for block external IP address for Palo Alto NGFW
+
+# Installation
+
+need install:
+1. pan-os-python
+2. thehive4py
+
+# ToDo
+
+to work, you need set setting PaloAltoNGFW and The Hive. If you want delete in custom Address Group you need set "ServiceGroup"
+
+principle of operation:
+1. the value is selected from the alert the hive.
+2. ioc compare against already added AddressObject.
+3. if ioc in ServiceGroup, will delete
+4. if ioc in ServiceObject, will delete
--- a/responders/PaloAltoNGFW_unblock_internal_port/Unblock_port.py
+++ b/responders/PaloAltoNGFW_unblock_internal_port/Unblock_port.py
@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+from thehive4py.api import TheHiveApi
+from panos import firewall
+import panos.objects
+import re
+class Unblock_port(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
+        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
+        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
+        self.name_internal_Service_Group = self.get_param('config.name_internal_Service_Group','Black list internal port')
+        self.thehive_instance = self.get_param('config.thehive_instance')
+        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
+        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
+
+    def run(self):
+        alertId = self.get_param('data.id')
+        response = self.api.get_alert(alertId)
+        data_list=[]
+        data=None
+        for i in response.json().get("artifacts"):
+            if "'port'," in str(i):
+               ioc = i.get("data")
+               data_list.append(i.get("data"))
+            elif "'protocol'," in str(i):
+               ioc = i.get("data")
+               data_list.append(i.get("data"))
+            data=" ".join(data_list)
+        protocol=re.findall(r'[a-z]+',str(data)); protocol=str("".join(protocol)).lower()
+        port=re.findall(r'[0-9]+',str(data)); port="".join(port)
+        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
+        panos.objects.ServiceGroup.refreshall(fw)
+        block_list = fw.find(self.name_internal_Service_Group, panos.objects.ServiceGroup)
+        port_list = block_list.about().get('value')    
+        if port in port_list:
+            port_list.remove(port)
+            temp1 = panos.objects.ServiceGroup(self.name_internal_Service_Group, value=port_list)
+            fw.add(temp1)
+            temp1.apply()
+        
+        panos.objects.ServiceObject.refreshall(fw)
+        if port in str(fw.find(port, panos.objects.ServiceObject)):
+            deleted_ioc = fw.find(port, panos.objects.ServiceObject)
+            deleted_ioc.delete()
+        
+        self.report({'message': 'message sent'})
+
+if __name__ == '__main__':
+    Unblock_port().run()
--- a/responders/PaloAltoNGFW_unblock_ip/README.md
+++ b/responders/PaloAltoNGFW_unblock_ip/README.md
@ -1,18 +0,0 @@
-# Block external IP address for Palo Alto NGFW
-
-Response module for block external IP address for Palo Alto NGFW
-
-# Installation
-
-need install:
-1. pan-os-python
-2. thehive4py
-
-# ToDo
-
-to work, you need to create Address_Group in PaloAltoNGFW and create security polites and name them in  "name_internal_Address_Group_" and "name_external_Address_Group"
-
-principle of operation:
-1. the value is selected from the alert the hive.
-2. if ioc added in Address_Groups, script deleted ioc
-3. if ioc in AddressObject, script deleted ioc
--- a/responders/PaloAltoNGFW_unblock_ip/Unblock_ip.py
+++ b/responders/PaloAltoNGFW_unblock_ip/Unblock_ip.py
@ -1,61 +0,0 @@
-#!/usr/bin/env python3
-# encoding: utf-8
-
-from cortexutils.responder import Responder
-from thehive4py.api import TheHiveApi
-from panos import firewall
-import panos.objects
-
-class Unblock_ip(Responder):
-    def __init__(self):
-        Responder.__init__(self)
-        self.hostname_PaloAltoNGFW = self.get_param('config.Hostname_PaloAltoNGFW')
-        self.User_PaloAltoNGFW = self.get_param('config.User_PaloAltoNGFW')
-        self.Password_PaloAltoNGFW = self.get_param('config.Password_PaloAltoNGFW')
-        self.name_internal_Address_Group = self.get_param('config.name_internal_Address_Group')
-        self.name_external_Address_Group = self.get_param('config.name_external_Address_Group')
-        self.thehive_instance = self.get_param('config.thehive_instance')
-        self.thehive_api_key = self.get_param('config.thehive_api_key', 'YOUR_KEY_HERE')
-        self.api = TheHiveApi(self.thehive_instance, self.thehive_api_key)
-
-    def run(self):
-        alertId = self.get_param('data.id')
-        response = self.api.get_alert(alertId)
-        ioc=None
-        ioc_clear=[]
-        for i in list(response.json().get("artifacts")):
-            if 'ip' in str(i):
-                ioc = i.get("data")
-                for i in ioc:
-                    if i == "[" or i == "]":
-                        continue
-                    else:
-                        ioc_clear.append(i)
-                ioc="".join(ioc_clear)
-        fw = firewall.Firewall(self.hostname_PaloAltoNGFW, api_username=self.User_PaloAltoNGFW, api_password=self.Password_PaloAltoNGFW)
-        panos.objects.AddressGroup.refreshall(fw)
-        block_list = fw.find(self.name_internal_Address_Group, panos.objects.AddressGroup)
-        ioc_list = block_list.about().get('static_value')
-        if ioc in ioc_list:
-            ioc_list.remove(ioc)
-            temp1 = panos.objects.AddressGroup(self.name_internal_Address_Group, static_value=ioc_list)
-            fw.add(temp1)
-            temp1.apply()
-            
-        block_list = fw.find(self.name_external_Address_Group, panos.objects.AddressGroup)
-        ioc_list = block_list.about().get('static_value')
-        if ioc in ioc_list:
-            ioc_list.remove(ioc)
-            temp1 = panos.objects.AddressGroup(self.name_external_Address_Group, static_value=ioc_list)
-            fw.add(temp1)
-            temp1.apply()
-            
-        panos.objects.AddressObject.refreshall(fw)
-        if ioc in str(fw.find(ioc, panos.objects.AddressObject)):
-            deleted_ioc = fw.find(ioc, panos.objects.AddressObject)
-            deleted_ioc.delete()
-        
-        self.report({'message': 'message sent'})
-
-if __name__ == '__main__':
-    Unblock_ip().run()