From d0c4042c40c0711a62119b6c4d5c7520f98d315c Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Mon, 23 Dec 2024 17:47:07 +0100 Subject: [PATCH 1/7] Implement TheHive custom user-agent --- .../CrowdstrikeFalcon_GetDeviceVulnerabilities.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py index 9c4325a36..bffe8c154 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py @@ -19,8 +19,12 @@ def run(self): Analyzer.run(self) if self.data_type == 'hostname': try: + # Define the custom header + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) - hosts = Hosts(auth_object=auth) + hosts = Hosts(auth_object=auth, ext_headers=extra_headers) hostname = self.get_data() # Search for the device ID using the hostname @@ -35,7 +39,7 @@ def run(self): if device_ids: device_id = device_ids[0] # Get detailed asset information using the device ID - spotlight = SpotlightVulnerabilities(auth_object=auth) + spotlight = SpotlightVulnerabilities(auth_object=auth, ext_headers=extra_headers) host_vulns = spotlight.query_vulnerabilities_combined(parameters={"filter": f"aid:'{device_id}'+status:!'closed'"}) host_vulns = host_vulns["body"]["resources"] #print(host_vulns) From 5aa7a6c89550d6c896934822348a436ad46e2d11 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Tue, 24 Dec 2024 00:21:12 +0100 Subject: [PATCH 2/7] Implement TheHive custom user-agent --- analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
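Review bot: The header literal `extra_headers = {"User-Agent": "strangebee-thehive/1.0"}` added in this hunk is repeated verbatim in every file of the series (CrowdstrikeFalcon_Sandbox.py, CrowdstrikeFalcon_getDeviceAlerts.py, CrowdstrikeFalcon_getDeviceDetails.py, CrowdstrikeFalconSync.py, CrowdstrikeFalconIOC.py twice, CrowdstrikeFalconHosts.py), so the product/version string will drift the first time one copy is bumped; a single module-level constant such as `THEHIVE_HEADERS = {"User-Agent": "strangebee-thehive/1.0"}` (ideally in one shared module) passed as `ext_headers=THEHIVE_HEADERS` keeps it in one place. The `auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)` line is left without the header, so the token request itself still goes out with the library's default User-Agent; if the intent is for all TheHive traffic to be identifiable on the CrowdStrike side, that call needs the same treatment (likewise in the Sandbox, getDeviceAlerts, getDeviceDetails and Hosts patches), assuming the OAuth2 class accepts it. FalconPy's service classes also take a `user_agent=` constructor argument meant for exactly this purpose; worth checking whether that is preferable to overriding the header through `ext_headers`, which may replace rather than extend the default `crowdstrike-falconpy/<version>` value. The `# Define the custom header` comment restates the code, whereas `# Identify TheHive to CrowdStrike's API telemetry` would say why. run() continues outside the hunk.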
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py index a76c8f9b2..54412b012 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py @@ -49,8 +49,12 @@ def run(self): with open(filepath, "rb") as sample: auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) - samples = SampleUploads(auth_object=auth) - sandbox = FalconXSandbox(auth_object=auth) + # Define the custom header + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } + samples = SampleUploads(auth_object=auth, ext_headers=extra_headers) + sandbox = FalconXSandbox(auth_object=auth, ext_headers=extra_headers) response = samples.upload_sample(file_data=sample.read(), file_name=filename, comment=comment, From fa3cac20443484940a542eee19ff676882594fea Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Tue, 24 Dec 2024 00:22:21 +0100 Subject: [PATCH 3/7] Implement TheHive custom user-agent --- .../CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py index cbaf8b7f6..219008f1d 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py @@ -18,7 +18,11 @@ def run(self): if self.data_type == 'hostname': try: auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) - alerts = Alerts(auth_object=auth) + # Define the custom header + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } + alerts = Alerts(auth_object=auth, ext_headers=extra_headers) hostname = self.get_data() message = "No alerts found." filtered_alert_list = [] 
From d8a8b631eb0c9056ce062892f1088d77ab22ab9a Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Tue, 24 Dec 2024 00:23:08 +0100 Subject: [PATCH 4/7] Implement TheHive custom user-agent --- .../CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py index 322dd73de..f18c63875 100755 --- a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py +++ b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py @@ -17,7 +17,11 @@ def run(self): if self.data_type == 'hostname': try: auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) - hosts = Hosts(auth_object=auth) + # Define the custom header + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } + hosts = Hosts(auth_object=auth, ext_headers=extra_headers) hostname = self.get_data() # Search for the device ID using the hostname From d9d0c8026fd20e262983fbe3c409eb1b8657f06c Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Tue, 24 Dec 2024 00:31:11 +0100 Subject: [PATCH 5/7] Implement TheHive custom user-agent --- .../CrowdstrikeFalcon/CrowdstrikeFalconSync.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py index 6dcc2cea2..83e5d111b 100755 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py +++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalconSync.py 
@@ -11,11 +11,13 @@ def __init__(self): self.service = self.get_param("config.service", None) self.custom_field_name_alert_id = self.get_param("config.custom_field_name_alert_id") self.custom_field_name_incident_id = self.get_param("config.custom_field_name_incident_id") - self.alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret) - self.incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret) def run(self): if self.service == "sync": + # Define the custom headers + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } #data = self.get_param("data", None, "Can't get case ID") current_stage = self.get_param("data.stage", None, "Can't get case or alert stage") detection_id = self.get_param(f"data.customFieldValues.{self.custom_field_name_alert_id}", None) @@ -48,6 +50,7 @@ def run(self): # Update the CrowdStrike alert status if detection_id: + alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) # Determine the corresponding CrowdStrike alert status cs_status_alert = status_mapping_alert[current_stage] if isinstance(detection_id,str): @@ -62,11 +65,12 @@ def run(self): } ] } - alert_response = self.alert_client.update_alerts_v3(body=alert_body) + alert_response = alert_client.update_alerts_v3(body=alert_body) alert_status_code = alert_response.get('status_code', None) if incident_id: + incident_client = Incidents(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) # Determine the corresponding CrowdStrike incident status cs_status_incident = status_mapping_incident[current_stage] if isinstance(incident_id,str): @@ -82,7 +86,7 @@ def run(self): ] } - incident_response = self.incident_client.perform_incident_action(body=incident_body) + incident_response = incident_client.perform_incident_action(body=incident_body) incident_status_code = incident_response.get('status_code', None) 
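Review bot: `extra_headers` is now a local created only inside the `if self.service == "sync":` branch, while the `Alerts(...)` and `Incidents(...)` calls that read it sit in the `@@ -48` and `@@ -62` hunks whose enclosing branch is not visible here; if either the `if detection_id:` or the `if incident_id:` block can run when `service` is something else, the new code raises UnboundLocalError where the old `self.alert_client` attribute worked. Building both clients once right after the header dict, e.g. `alert_client = Alerts(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)` with the matching `incident_client = Incidents(...)` next to it, makes the dependency explicit and removes the two scattered constructions. Dropping `self.alert_client` and `self.incident_client` from `__init__` is reasonable in itself — credentials are only exchanged when there is an ID to update — but any other method on the class that still references those attributes will break, and that cannot be confirmed from these hunks. The constant header dict belongs at module level rather than being rebuilt on every run(). Both `__init__` and run() extend beyond the hunks shown.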
@@ -110,4 +114,4 @@ def run(self): self.report({"message": final_message}) if __name__ == '__main__': - CrowdstrikeFalconSync().run() \ No newline at end of file + CrowdstrikeFalconSync().run() From 6b40e15629f4b3232d77a7a61ab15d469b18c134 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Tue, 24 Dec 2024 00:34:52 +0100 Subject: [PATCH 6/7] Implement TheHive custom user-agent --- .../CrowdstrikeFalcon/CrowdstrikeFalconIOC.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py index 0566fbe57..174a978da 100755 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py +++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalconIOC.py @@ -78,8 +78,12 @@ def run(self): case_id = self.get_param("data.case.id", None, "Can't get case ID") description = f"Pushed from TheHive - {case_title} - {case_id}" + # Define the custom headers + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } # Create the IOC service object - ioc = IOC(client_id=self.client_id, client_secret=self.client_secret) + ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) # Determine if the IOC applies globally or to specific host groups ioc_kwargs = { @@ -117,7 +121,13 @@ def run(self): filter = f"_all:~'{ioc_value}'" - ioc = IOC(client_id=self.client_id, client_secret=self.client_secret) + + # Define the custom headers + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } + # Create the IOC service object + ioc = IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers) # Search for the IOC by value response = ioc.indicator_search(filter=filter,offset=0, limit=200) @@ -143,4 +153,4 @@ def run(self): if __name__ == '__main__': - CrowdstrikeFalconIOC().run() \ No newline at end of file + CrowdstrikeFalconIOC().run() 
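Review bot: In CrowdstrikeFalconIOC.py the same `extra_headers` dict is built twice inside run(), once in the `@@ -78` hunk and again in the `@@ -117` hunk, so the two copies can diverge independently; defining it once before the branches split (or as a module-level constant) and passing `ext_headers=extra_headers` to both `IOC(...)` calls is enough. The second `IOC(client_id=self.client_id, client_secret=self.client_secret, ext_headers=extra_headers)` construction is identical to the first, which suggests one client created ahead of the branch would serve both paths, though which branch of run() each hunk belongs to is not visible here. On the context line `filter = f"_all:~'{ioc_value}'"` the observable value is interpolated without escaping into the FQL query that the new client then sends through `indicator_search`; a value containing a single quote would at least malform the query, so validating or escaping `ioc_value` before this point is worth a follow-up even though that line predates this change (it also shadows the builtin `filter`). run() starts and ends outside these hunks.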
From b8f8fe6ec82064b05cba23050d2169825f691020 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Tue, 24 Dec 2024 00:37:00 +0100 Subject: [PATCH 7/7] Implement TheHive custom user-agent --- responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py b/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py index cf0a6b4ae..9e751ca37 100755 --- a/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py +++ b/responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py @@ -14,8 +14,12 @@ def run(self): Responder.run(self) hostname = self.get_param("data.data", None) #self.report({'message': f"Host {device_name}"}) + # Define the custom headers + extra_headers = { + "User-Agent": "strangebee-thehive/1.0" + } auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret) - hosts = Hosts(auth_object=auth) + hosts = Hosts(auth_object=auth, ext_headers=extra_headers) # Search for the device ID using the hostname if self.service == "unhide_host": @@ -44,4 +48,4 @@ def operations(self, raw): return operations_list if __name__ == '__main__': - CrowdstrikeFalconHosts().run() \ No newline at end of file + CrowdstrikeFalconHosts().run()