From 824082e8099d979eb820520d31ad8f3741742622 Mon Sep 17 00:00:00 2001
From: ygalnezri
Date: Wed, 18 Dec 2024 17:09:56 +0100
Subject: [PATCH] Fix minor bugs, resolve TheHive observables creation issue, and add group notifications
- Fixed a minor bug .
- Addressed an issue with the creation of observables in TheHive.
- Added support for group notifications.
---
 Watcher/Watcher/common/core.py | 369 +++++++++++++++---
 .../mail_template/data_leak_group_template.py | 2 +-
 .../mail_template/data_leak_template.py | 2 +-
 .../dns_finder_cert_transparency.py | 2 +-
 .../dns_finder_group_template.py | 2 +-
 .../mail_template/dns_finder_template.py | 2 +-
 .../mail_template/site_monitoring_template.py | 4 +-
 .../mail_template/threats_watcher_template.py | 2 +-
 .../common/utils/send_thehive_alerts.py | 16 +-
 .../Watcher/common/utils/update_thehive.py | 7 +-
 Watcher/Watcher/data_leak/core.py | 65 +--
 Watcher/Watcher/dns_finder/core.py | 65 ++-
 Watcher/Watcher/site_monitoring/core.py | 14 +-
 Watcher/Watcher/threats_watcher/core.py | 2 +-
 14 files changed, 403 insertions(+), 151 deletions(-)
diff --git a/Watcher/Watcher/common/core.py b/Watcher/Watcher/common/core.py
index 4aacc5f..61fe71c 100644
--- a/Watcher/Watcher/common/core.py
+++ b/Watcher/Watcher/common/core.py
@@ -10,16 +10,17 @@ from secrets import token_hex
 from .mail_template.threats_watcher_template import get_threats_watcher_template
 from .mail_template.data_leak_template import get_data_leak_template
+from .mail_template.data_leak_group_template import get_data_leak_group_template
 from .mail_template.site_monitoring_template import get_site_monitoring_template
 from .mail_template.dns_finder_template import get_dns_finder_template
 from .mail_template.dns_finder_cert_transparency import get_dns_finder_cert_transparency_template
+from .mail_template.dns_finder_group_template import get_dns_finder_group_template
+from .utils.send_thehive_alerts import send_thehive_alert
 def generate_ref():
 """
- Generates a unique 'sourceRef' identifier for an alert.
-
- :return: Unique identifier as a string.
+ Generate unique 'sourceRef' for an alert.
 """
 ref = datetime.now().strftime("%y%m%d") + "-" + str(token_hex(3))[:5]
 return ref
@@ -50,13 +51,21 @@ def generate_ref():
 'channel': settings.SLACK_CHANNEL,
 'url_suffix': '#data_leak',
 },
+ 'data_leak_group': {
+ 'content_template': (
+ "*[{alerts_number} ALERTS] 🚨 Data Leak 🚨*\n\n"
+ "Dear team,\n\n"
+ "*{alerts_number}* new data leakage alerts have been detected for the keyword *{keyword}*\n\n"
+ "Please, find more details <{details_url}|here>."
+ ),
+ 'channel': settings.SLACK_CHANNEL,
+ 'url_suffix': '#data_leak',
+ },
 'website_monitoring': {
 'content_template': (
- "*[SITE MONITORING - INCIDENT] πŸ”” {alert_type} on {domain_name} πŸ””*\n\n"
+ "*[SITE MONITORING - INCIDENT #{ticket_id}] πŸ”” {alert_type} on {domain_name} πŸ””*\n\n"
 "Dear team,\n\n"
 "Please find the new incident detected below:\n\n"
- "*β€’ Type of alert:* {alert_type}\n"
- "*β€’ Domain name:* {domain_name}\n"
 "*β€’ Difference Score:* {difference_score}\n"
 "*β€’ New Ip:* {new_ip}\n"
 "*β€’ Old Ip:* {old_ip}\n"
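Review bot: The new one-line docstring for generate_ref still calls the result unique, but the reference is the day's date plus only 5 hex characters (`str(token_hex(3))[:5]`, 20 bits of randomness), so two alerts created on the same day can collide with non-negligible probability once volume grows, and the `:return:` line describing the type was dropped rather than rewritten. As far as I recall, TheHive treats sourceRef together with source and type as the alert identity, so a collision would surface as an apparent duplicate alert — worth confirming against the TheHive version in use. I would either state the real contract, `"""Return a sourceRef 'YYMMDD-xxxxx' (5 random hex chars); uniqueness is probabilistic, not guaranteed."""`, or drop the `[:5]` so the full 6 characters produced by token_hex(3) are kept. The added `send_thehive_alert` import is not exercised within this hunk; presumably it is used further down the file.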
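Review bot: The website_monitoring Slack template now requires a `ticket_id` key, and `str.format` raises KeyError when a named field is missing, so every caller that renders this template has to supply it from this commit on; the Citadel website_monitoring template in the hunk at `@@ -102,26 +122,34 @@` carries the same new placeholder. The site_monitoring/core.py change in the diffstat presumably provides it, but that is outside this file, so a check that the Slack, Citadel and e-mail paths all pass `ticket_id` would avoid a notification that fails only at send time. Separately, the rewritten title line copies the existing `πŸ””` and the list items keep `β€¢`, while the lines added in this commit use a correctly encoded `🚨`; this looks like the file was once re-saved under the wrong encoding, and since the line is being rewritten anyway the intended bell and bullet characters could be restored here.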
@@ -85,16 +94,27 @@ def generate_ref():
 'channel': settings.SLACK_CHANNEL,
 'url_suffix': '#/dns_finder/',
 },
+ 'dns_finder_group': {
+ 'content_template': (
+ "*[{alerts_number} ALERTS] 🚨 DNS Finder 🚨*\n\n"
+ "Dear team,\n\n"
+ "*{alerts_number}* New DNS Twisted Alerts for *{dns_monitored.domain_name}* asset.\n\n"
+ "Please, find more details <{details_url}|here>."
+ ),
+ 'channel': settings.SLACK_CHANNEL,
+ 'url_suffix': '#/dns_finder/',
+ },
 }
+ # Configuration for Citadel
 APP_CONFIG_CITADEL = {
 'threats_watcher': {
 'content_template': (
- "

[THREATS WATCHER - WARNING] πŸ”₯ Trendy Threats Detected πŸ”₯

" + "

[THREATS WATCHER - WARNING] πŸ”₯ Trendy Threats Detected πŸ”₯

" "

Dear team,

" - "

Please find the new trendy word(s) detected below:\n

" - "\n" + "

Please find the new trendy word(s) detected below:

" + "" "

Please, find more details here.

" ), 'citadel_room_id': settings.CITADEL_ROOM_ID, @@ -102,26 +122,34 @@ def generate_ref(): }, 'data_leak': { 'content_template': ( - "
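Review bot: The new dns_finder_group Slack template interpolates `{dns_monitored.domain_name}`, while its sibling data_leak_group takes a plain `{keyword}`, so the two group templates expect different kinds of arguments (a model instance versus a string) from whoever renders them. Passing the value instead of the object, `"*{alerts_number}* New DNS Twisted Alerts for *{domain_name}* asset.\n\n"`, keeps the template independent of the model's attribute name and lets the caller build one flat dict of values for Slack, Citadel and e-mail alike. The Citadel threats_watcher lines of this hunk are not legible in this rendering of the patch (the HTML markup has been stripped), so I cannot review them here.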

[DATA LEAK - ALERT #{alert_pk}] πŸ”” Data Leak Detected: {keyword_name} πŸ””

" + "

[DATA LEAK - ALERT #{alert_pk}] πŸ”” Data Leak Detected: {keyword_name} πŸ””

" "

Dear team,

" - "

New Data Leakage Alert for {keyword_name} keyword:

\n" + "

New Data Leakage Alert for {keyword_name} keyword:

" "" "

Please, find more details here.

" ), 'citadel_room_id': settings.CITADEL_ROOM_ID, 'url_suffix': '#data_leak', }, + 'data_leak_group': { + 'content_template': ( + "

[{alerts_number} ALERTS] 🚨 Data Leak 🚨

" + "

Dear team,

" + "

{alerts_number} new data leakage alerts have been detected for the keyword {keyword}.

" + "

Please, find more details here.

" + ), + 'citadel_room_id': settings.CITADEL_ROOM_ID, + 'url_suffix': '#data_leak', + }, 'website_monitoring': { 'content_template': ( - "

[SITE MONITORING - INCIDENT] πŸ”” {alert_type} on {domain_name} πŸ””

" + "

[SITE MONITORING - INCIDENT #{ticket_id}] πŸ”” {alert_type} on {domain_name} πŸ””

" "

Dear team,

" - "

Please find the new incident detected below:

\n" + "

Please find the new incident detected below:

" "" "

Please, find more details here.

" ), @@ -139,9 +167,9 @@ def generate_ref(): }, 'dns_finder': { 'content_template': ( - "
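Review bot: The Citadel data_leak_group and website_monitoring templates in this hunk appear to be HTML (the tags are stripped in this rendering of the patch, leaving the heading and paragraph text) and interpolate `{keyword}`, `{keyword_name}`, `{alert_type}` and `{domain_name}` with plain `str.format`, so any value containing `<`, `>` or `&` is rendered as markup rather than as text. Whether those values can carry such characters depends on callers outside this file, but escaping once where the format arguments are assembled, e.g. `html.escape(str(keyword))`, settles the question for every template; the Slack templates have the analogous concern with Slack's `<...>` link syntax. The same applies to the threats_watcher and dns_finder Citadel templates in the neighbouring hunks.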

[DNS FINDER - ALERT #{alert.pk}] 🚨 Suspicious DNS Detected: {alert.dns_twisted.domain_name} 🚨

" + "

[DNS FINDER - ALERT #{alert.pk}] 🚨 Suspicious DNS Detected: {alert.dns_twisted.domain_name} 🚨

" "

Dear team,

" - "

New Twisted DNS found:

\n" + "

New Twisted DNS found:

" "