modified: tools/sigma/backends/carbonblack.py

2024-11-06 17:35:19 +00:00 · 2020-03-19 09:00:24 +07:00 · 2020-03-19 09:00:24 +07:00 · 1b12a6b261
commit 1b12a6b261
parent e228d42b97
3 changed files with 3 additions and 14 deletions
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -10,7 +10,7 @@
            "request": "launch",
            "program": "/media/lep/Common/FIS/CBR/sigma/tools/sigmac",
            "console": "integratedTerminal",
-            "args": ["-t", "carbonblack",  "/media/lep/Common/FIS/sigmaRules_CBR/sysmon_powershell_network_connection.yml", "-c", "carbonblack"]
+            "args": ["-t", "carbonblack",  "/media/lep/Common/FIS/sigmaRules/Deploy2/sysmon_powershell_network_connection.yml", "-c", "carbonblack"]
            // "args": ["-t", "sumologic", "/home/gsanm/Downloads/demo/sigma/rules/windows/sysmon/sysmon_cactustorch.yml", "-c", "carbonblack"]
        }
    ]
--- a/tools/sigma/backends/carbonblack.py
+++ b/tools/sigma/backends/carbonblack.py
@ -152,12 +152,6 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB
        expression = super().generateNode(node.item)
        if expression:
            return "(%s%s)" % (self.notToken, expression)
-    # def generateNOTNode(self, node):
-    #     generated = self.generateNode(node.item)
-    #     if generated is not None:
-    #         return self.notToken + generated
-    #     else:
-    #         return None

    def postAPI(self,result,title,desc):
        url = os.getenv("cbapi_watchlist")
@ -191,8 +185,6 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB
        """Method is called for each sigma rule and receives the parsed rule (SigmaParser)"""
        title = sigmaparser.parsedyaml["title"]
        desc = sigmaparser.parsedyaml["description"]
-        # print(title)
-        # print("\n")
        try:
            self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
            self.counted = sigmaparser.parsedyaml.get('counted', None)
@ -205,9 +197,6 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB

            if query is not None:
                result += query
-                # val = "vsss admin shadow"
-                # escapeSubst = "\\\\\g<1>" 
-                # print(self.reEscape.sub(escapeSubst, val))
                self.postAPI(result,title,desc)
            return result
        # if self.category == "process_creation":
--- a/tools/sigma/backends/my_carbonblack.py
+++ b/tools/sigma/backends/my_carbonblack.py
@ -180,7 +180,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
        return new_value

    def postAPI(self,result,title,desc):
-        url = 'https://10.14.132.35//api/v1/watchlist'
+        rl = os.getenv("cbapi_watchlist")
        body = {
                "name":title,
                "search_query":"q="+str(result),
@ -188,7 +188,7 @@ class CarbonBlackBackend(SingleTextQueryBackend):
                "index_type":"events"
                }
        header = {
-            "X-Auth-Token": "099c366b1e56c0bca3ae61ce1fb7435af7a5926c"
+            "X-Auth-Token": os.getenv("APIToken")
        }
        print(title)
        x = requests.post(url, data =json.dumps(body), headers = header, verify=False)