############## CONFIGURATION ########################################################################
'''
The purpose of this custom python code is to create PTR / TRAP Alerts from Splunk Alerts
Step 1: Upload this code to Main Menu -> Scripts -> ETL Scripts
Step 2: Create a PTR Scripted Listener Event Source
Step 2a: Select the script uploaded in Step 1 -> SAVE
Step 2b: NOTE the POST URL exposed after SAVE. You will need this URL for the next step. Treat it as a secret: nothing in this script authenticates the sender, so any party that learns the URL can create alerts in the PTR.
Step 3: Configure SPLUNK to send Alerts to the PTR using the POST URL from STEP 2b.
'''
############## jyun@proofpoint.com ##################################################################
import requests
import json
import datetime
import json_sdk
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
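def create_alert(alert_description, alert_severity, search_name, attacker_ip=None, user_account=None):
    """Build a PTR/TRAP ``json_sdk.Alert`` from fields extracted from a Splunk alert.

    Args:
        alert_description: Free-text body of the alert (``parse_alert`` passes
            the search name, results link and the JSON-dumped result row).
        alert_severity: Severity string handed straight to
            ``Alert.set_severity`` (this file uses ``"high"`` and ``"low"``).
        search_name: Splunk saved-search name; becomes the threat name and the
            ``Summary`` custom field.
        attacker_ip: Optional source IP. When given it becomes the alert's
            Attacker and an ``Attacker IP`` custom field.
        user_account: Optional account name. When given it becomes the alert's
            Target and a ``User`` custom field.

    Returns:
        The populated ``json_sdk.Alert``.

    Note:
        Every value passed in originates from the inbound Splunk POST body,
        and nothing in this script authenticates that sender, so these fields
        are untrusted text rather than verified indicators.
    """
    alert = json_sdk.Alert()
    alert.set_description(alert_description)
    alert.set_severity(alert_severity)
    alert.set_threat_info(json_sdk.ThreatInfo(
        name=search_name,
        threat_type="Splunk Alert",
        # utcnow() returns a naive datetime; the appended literal "Z" is what
        # marks the ISO string as UTC for the consumer.
        occurred_at=datetime.datetime.utcnow().isoformat() + "Z",
    ))
    # Identity checks instead of `!= None`: they do not depend on the
    # argument's __eq__ and read as the intended "was this supplied" test.
    if attacker_ip is not None:
        alert.set_attacker(json_sdk.Attacker(ip_address=attacker_ip))
        alert.add_custom_field('Attacker IP', attacker_ip)
    if user_account is not None:
        alert.set_target(json_sdk.Target(user=user_account))
        alert.add_custom_field('User', user_account)
    alert.set_detector(json_sdk.Detector(product='SIEM', vendor='Splunk'))
    alert.add_custom_field('Summary', search_name)
    return alert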
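# Routing table for the Splunk saved searches this listener understands:
# search_name -> (severity, result key holding the attacker IP or None,
#                 result key holding the targeted user account or None).
# Adding a new Splunk alert type is a one-line change here rather than a
# copy of a ten-line elif branch.
_ALERT_ROUTES = {
    "CloudTrail Alert: Unauthorized Actions": ("high", None, None),
    "Geographically Improbable Access": ("high", "src", None),
    "Suspected Network Scanning": ("low", "src_ip", None),
    "Locked Out Accounts": ("low", None, "User Account"),
    "Okta Detected IP Threat": ("low", "src_ip", None),
    "CloudTrail Alert: IAM: Create/Delete/Update Access Keys": ("high", None, None),
    "CloudTrail Alert: Security Groups: Create/Delete Groups": ("high", None, None),
    "CloudTrail Alert: IAM: Create/Delete Roles": ("high", None, None),
    "CloudTrail Alert: Key Pairs: Create/Delete/Import Key Pairs": ("high", None, None),
    "High Number of KTG Requests": ("high", None, None),
}


def parse_alert():
    """Turn the Splunk POST body in ``ptr.DEVICE_ALERT_DATA`` into a PTR alert.

    The body is read as JSON and is expected to carry ``search_name``,
    ``results_link`` and ``result`` keys (assumed from the keys read below;
    confirm against the Splunk webhook alert-action payload). ``search_name``
    selects a row of ``_ALERT_ROUTES``; a name that is not listed still
    produces a low-severity "NO ALERT MATCH" alert rather than being dropped.

    Returns:
        The ``json_sdk.Alert`` built by ``create_alert``, or ``None`` when any
        field lookup or alert construction raises -- the exception is printed
        and swallowed so one bad payload cannot take the listener down.

    Raises:
        Whatever ``json.loads`` raises for a body that is not JSON. That call
        is kept outside the ``try`` so a non-JSON body still surfaces to the
        caller, as before.

    Security:
        Nothing in this script authenticates the sender; whoever can reach the
        listener's POST URL can create alerts with any search name, severity
        routing and description text. ``results_link`` in particular is
        untrusted and is embedded verbatim in the alert description -- if the
        PTR UI renders it as a clickable link, a forged POST could plant one
        (confirm how the UI treats it).
    """
    postdata1 = ptr.DEVICE_ALERT_DATA
    # NOTE(review): this echoes the complete inbound body -- every field of the
    # Splunk result row -- into the listener's log. Kept for parity with the
    # original, but bear it in mind for log hygiene.
    print(postdata1)
    postdata = json.loads(postdata1)
    try:
        typealert = postdata["search_name"]
        print("typealert: ", typealert)
        route = _ALERT_ROUTES.get(typealert)
        if route is None:
            # Unknown search: still raise a low-severity alert so the event is
            # visible, with the original "no match" marker in the description.
            return create_alert(
                alert_description=typealert + "\n" + "NO ALERT MATCH...... ",
                alert_severity="low",
                search_name=typealert,
            )
        alert_severity, ip_key, user_key = route
        # Same lookup order as the original branches, so a missing field
        # fails at the same point and with the same KeyError.
        results_link = postdata["results_link"]
        threat_description = postdata["result"]
        alert_description = (
            typealert + "\n" + results_link + "\n "
            + json.dumps(threat_description, indent=4)
        )
        attacker_ip = threat_description[ip_key] if ip_key is not None else None
        user_account = threat_description[user_key] if user_key is not None else None
        return create_alert(
            alert_description=alert_description,
            alert_severity=alert_severity,
            search_name=typealert,
            attacker_ip=attacker_ip,
            user_account=user_account,
        )
    except Exception as e:
        # Best-effort by design: a malformed or unexpected payload is logged
        # and ignored instead of crashing the scripted listener. The printed
        # message is the only trace of the failure.
        print("Exception:", e)
        print("NO action defined...ignoring")
        return None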