一个为thehive创建动态剧本的简单脚本

2020-07-18  本文已影响0人  Threathunter

来源:https://www.peerlyst.com/posts/a-simple-script-for-creating-dynamic-playbooks-for-thehive-can-topay,一个为thehive创建动态剧本的简单脚本

https://github.com/CanTopay/thehive-playbook-creator

一、为什么

TheHive 内置了 case 模板功能,可以使用预定义的 case 模板来创建任务。但我发现,在处理来自多个事件源、映射组合几乎无穷无尽的场景时,仅靠静态模板管理起来有点棘手。因此我写了这个简单的剧本(playbook)创建脚本。

使用这种方法,任何能够向 TheHive 发起 POST 请求(调用其 API)的来源——SIEM、工作流引擎、邮件解析器等——都可以根据警报类型或相关联的规则组,动态地创建并分配剧本任务。

实际上,我的用例是利用 IBM QRadar 的规则组来构建定制化/动态的剧本:获取触发该 offense(QRadar 中的攻击事件)的各条规则所属的规则组,然后用这些规则组来生成定制化的事件响应剧本/响应任务。

为了说明得更清楚,我准备了一个示例剧本,其中包含针对 MITRE ATT&CK 第一个战术("Initial Access",初始访问)及其下所有技术的潜在事件响应行动。你可以以此示例为基础,构建警报/事件到剧本的集成方式;在 JSON 文件中加入你自己的事件响应流程;或补充其余 MITRE 战术和技术——这样你就拥有了一个动态的 SOP 库。

二、注意

我使用一个 JSON 文件来定义所有剧本项目/任务及其顺序。顶层分组是战术(如 "Initial Access");每个战术下的第一个 "Default" 任务组负责通用的默认任务,之后是针对更具体的规则/警报类型(即各项技术)的事件响应任务组。这种用法允许你先把事件映射到默认的兜底任务组;当有两条或更多规则(警报)支持该事件、能够对应到某个具体技术时,映射就更精确,你也可以为它们指定更详细的事件响应步骤。

任务会按照条目写入 JSON 文件的顺序出现在 case 中,所以请按你期望的执行顺序保存文件。需要注意的是,JSON 规范本身并不保证对象键的顺序,这里的顺序依赖于脚本所用的 JSON 解析器保留键的插入顺序(例如 Python 3.7+ 的 json 模块);若换用其他解析器,请先确认这一行为。另一个好处是可以采用 DevOps 的方式:把这个基于 JSON 的剧本放进 Git 和开发流水线,你就能监控和管理各代码分支上的变更,并要求任何推送到主分支的改动都先经过审批——而主分支就是你的 SOP/剧本。由于文件中的每一条字符串都会直接变成 TheHive 中的响应任务,对该仓库的写权限应当像对待 SOP 本身一样严格控制。

三、Json文件- Mitre Playbook的Json样本

四、thehive

{

    "Initial Access": {

        "Default": {

            "Identification": [

                "Triage (Initial - Automatic/Manual Assignment)",

                "Inform User/Gather Information and Evidence"

            ],

            "Containment": [

            ],

            "Eradication": [

                "Fix/Update System/Target Software(Or Re-Image and Update) - SM"

            ],

            "Recovery": [

                "Watchlist Target Users/Systems - SIEM/UEBA",

                "Hunt for IOCs - Data Lake",

                "Update Image/Update Policy - SM"

            ],

            "Lessons Learned": [

                "Update CSIRT Wiki(If Applicable)",

                "Create Incident Report - 5W's and 1H",

                "Remarks for Improvement Points"

            ]

        },

        "Drive-by Compromise": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - FWs/Proxy/IDS-IPS/SSL Inspection",

                "Threat Intel Query / Reputation Check - TI",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning"

            ],

            "Containment": [

                "Block Application/Isolate Target System - EP/EDR",

                "Block Attacker URL/IP/IP Segment - Proxy/FWs"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Exploit Public-Facing Application": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - FWs/Proxy/WAF/IDS-IPS",

                "Threat Intel Query / Reputation Check - TI",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning",

                "Deep Packet Inspection - PCAP",

                "Risk Enrichment Account/Service - CMDB/Vuln. Scanning/UEBA"

            ],

            "Containment":[

                "Block Application/Isolate Target System - EP/EDR/Proxy/FWs/WAF",

                "Reset Accounts,Token,Secret - AD/Directory Services/IAM-IDM/PIM/Keyvault"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "External Remote Services": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - AD/Directory Services/UEBA/FWs/IDS-IPS",

                "Threat Intel Query / Reputation Check - TI",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "Risk Enrichment Account/Service - CMDB/Vuln. Scanning/UEBA"

            ],

            "Containment": [

                "Block Attacker URL/IP/IP Segment - Proxy/FWs/WAF",

                "Reset Account/Enforce MFA(If applicable) - AD/Directory Services/IAM-IDM/PIM/MFA",

                "Blacklist/Whitelist Access List / Sources"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Hardware Additions": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - DHCP/FWs/Proxy",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning"

            ],

            "Containment": [

                "Blacklist/Whitelist - Network/Device Access Controls"

            ],

            "Eradication": [

                "Update Service Endpoints/Configure Access Policies"

            ],

            "Recovery": [],

            "Lessons Learned": [

            ]

        },

        "Replication Through Removable Media": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - EP/UEBA/FWs/Proxy/SSL Inspection",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning",

                "Inform User/Gather Information and Evidence"

            ],

            "Containment": [

                "Block Application/Isolate Target System - EP/EDR",

                "Reset Accounts,Token,Secret - AD/Directory Services/IAM-IDM/PIM/Keyvault"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Spearphishing Attachment": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - Email GW/EP/FWs/Proxy/IDS-IPS/SSL Inspection",

                "Threat Intel Query / Investigate IOCs and Campaign",

                "Sandbox Email and/or Attachment",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "Inform User/Gather Information and Evidence",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning"

            ],

            "Containment": [

                "Block Attacker URL/IP/IP Segment - Proxy/FWs",

                "Block Application/Isolate Target System - EP/EDR",

                "Reset Accounts,Token,Secret - AD/Directory Services/IAM-IDM/PIM/Keyvault"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Spearphishing Link": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - Email GW/EP/FWs/Proxy/SSL Inspection",

                "Threat Intel Query / Investigate IOCs and Campaign",

                "Sandbox Email and/or Attachment",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "Inform User/Gather Information and Evidence",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning"

            ],

            "Containment": [

                "Block Attacker URL/IP/IP Segment - Proxy/FWs",

                "Block Application/Isolate Target System - EP/EDR",

                "Reset Accounts,Token,Secret - AD/Directory Services/IAM-IDM/PIM/Keyvault"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Spearphishing via Service": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - FWs/Proxy/IDS-IPS/SSL Inspection",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "Inform User/Gather Information and Evidence",

                "Threat Intel Query / Investigate IOCs and Campaign",

                "System Enrichment - EP/EDR/CMDB/Vuln.Scanning",

                "Sandbox Email and/or Attachment"

            ],

            "Containment": [

                "Block Attacker URL/IP/IP Segment - Proxy/FWs",

                "Block Application/Isolate Target System - EP/EDR",

                "Reset Accounts,Token,Secret - AD/Directory Services/IAM-IDM/PIM/Keyvault"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Supply Chain Compromise": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - FWs/WAF/Proxy/IDS-IPS/SSL Inspection/EP/UEBA",

                "System Enrichment - EP/EDR/FIM/CMDB/Vuln.Scanning",

                "Threat Intel Query / Investigate IOCs and Campaign",

                "Risk Enrichment / Service Enrichment / Approval - CMDB/Vuln. Scanning/UEBA/SM"

            ],

            "Containment": [

                "Block Application/Isolate Target System - EP/EDR/Proxy/FWs",

                "Reset Accounts,Token,Secret - AD/Directory Services/IAM-IDM/PIM/Keyvault"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Trusted Relationship": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - AD/Directory Services/UEBA/FWs/IDS-IPS/VPN",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "Inform User/Gather Information and Evidence",

                "Risk Enrichment / Service Enrichment / Approval - CMDB/Vuln. Scanning/UEBA/SM"

            ],

            "Containment": [

                "Deactivate Account/Remove Access Permissions - AD/Directory Services/IAM-IDM/PIM"

            ],

            "Eradication": [

            ],

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        },

        "Valid Accounts": {

            "Identification": [

                "Investigate Logs,Flows and Alerts - AD/Directory Services/UEBA/FWs/IDS-IPS/VPN",

                "User Enrichment and Analysis - AD/Directory Services/UEBA",

                "Inform User/Gather Information and Evidence",

                "Risk Enrichment / Service Enrichment / Approval - CMDB/Vuln. Scanning/UEBA/SM"

            ],

            "Containment": [

                "Reset Accounts,Token,Secret/Enforce MFA(If applicable) - AD/Directory Services/IAM-IDM/PIM/MFA"

            ],

            "Eradication": [

            ]

            ,

            "Recovery": [

            ],

            "Lessons Learned": [

            ]

        }

    }

}


