Showing
17 changed files
with
218 additions
and
9 deletions.
Empty file.
@@ -0,0 +1,55 @@ | ||
""" | ||
Batch of example publishers usable with Demisto. | ||
""" | ||
from streamalert.shared.publisher import Register | ||
|
||
|
||
@Register | ||
def demisto_classification(alert, publication): | ||
""" | ||
This publisher appropriately sets the demisto incident type and playbook. | ||
It first looks into the alert's context for the "demisto" key, where individual rules can | ||
explcitly specify the desired classification traits of the output alert. | ||
""" | ||
|
||
# If a rule explicitly states Demisto information with the alert context, obey that | ||
# The convention to follow is any key in this dict (example, "incident_type") is mapped | ||
# directly onto the Demisto output magic keys (example, @demisto.incident_type) | ||
if 'demisto' in alert.context: | ||
for key, value in alert.context['demisto'].items(): | ||
output_key = '@demisto.{}'.format(key) | ||
publication[output_key] = value | ||
|
||
return publication | ||
|
||
# If no context was explicitly declared, then we default to our global rules | ||
for code in GLOBAL_CLASSIFIERS: | ||
payload = code(alert) | ||
if payload: | ||
for key, value in payload: | ||
output_key = '@demisto.{}'.format(key) | ||
publication[output_key] = value | ||
|
||
return publication | ||
|
||
# Else, nothing | ||
return publication | ||
|
||
|
||
def _any_rule_with_demisto(alert): | ||
if alert.rule_name.contains('sample'): | ||
return { | ||
'incident_type': 'Sample Alert', | ||
'playbook': 'Sample Playbook', | ||
} | ||
|
||
return False | ||
|
||
|
||
# The GLOBAL_CLASSIFIERS is an array of functions. Any function that returns a truthy value is | ||
# considered to be a "match". This value must be a dict, and the keys on the dict map directly | ||
# onto the Demisto output magic keys (e.g. "incident_type" -> "@demisto.incident_type") | ||
GLOBAL_CLASSIFIERS = [ | ||
_any_rule_with_demisto | ||
] |
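Review bot: The global-classifier fallback cannot run to completion as written: `alert.rule_name.contains('sample')` in `_any_rule_with_demisto` calls a method that str does not have, and `for key, value in payload:` in `demisto_classification` iterates a dict's keys, so a matching classifier raises before anything is published. The sample rule never reaches this path because the explicit-context branch returns early, which is why the included test event does not expose it; any rule that sets no `demisto` context would. Change the two lines to `if 'sample' in alert.rule_name:` and `for key, value in payload.items():`. Since every key under `alert.context['demisto']` is copied verbatim into an `@demisto.<key>` output field, the docstring should also say which keys the Demisto output consumes, so a misspelled context key is noticed rather than silently emitted as an unknown field; while there, "explcitly" in the docstring is a typo.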
Empty file.
@@ -0,0 +1,41 @@ | ||
[ | ||
{ | ||
"data": { | ||
"action": "added", | ||
"calendarTime": "Wed Feb 12 21:38:11 2020 UTC", | ||
"columns": { | ||
"host": "10.0.2.2", | ||
"pid": 12345, | ||
"time": 1581542540, | ||
"tty": "ttys001", | ||
"type": "8", | ||
"username": "runlevel" | ||
}, | ||
"decorations": { | ||
"envIdentifier": "fake-environment", | ||
"roleIdentifier": "fake-role" | ||
}, | ||
"epoch": "0", | ||
"hostIdentifier": "sample_demisto", | ||
"log_type": "result", | ||
"name": "pack_incident-response_last", | ||
"unixTime": "1581543491" | ||
}, | ||
"description": "Just shows how to do Demisto stuff", | ||
"log": "osquery:differential", | ||
"service": "kinesis", | ||
"source": "prefix_cluster1_streamalert", | ||
"trigger_rules": [ | ||
"sample_demisto" | ||
], | ||
"publisher_tests": { | ||
"demisto:sample-integration": [ | ||
{ | ||
"jmespath_expression": "\"@demisto.incident_type\"", | ||
"condition": "is", | ||
"value": "My sample type" | ||
} | ||
] | ||
} | ||
} | ||
] |
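Review bot: The `publisher_tests` entry asserts only `@demisto.incident_type`, while the sample rule's context also sets `playbook` and `severity`, which the publisher forwards in the same loop; a regression in how the remaining context keys are forwarded would not be caught here. Adding a second check such as `{"jmespath_expression": "\"@demisto.playbook\"", "condition": "is", "value": "A Playbook"}` pins the loop's behaviour rather than a single key.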
@@ -0,0 +1,25 @@ | ||
""" | ||
Example for writing a Demisto role | ||
""" | ||
from publishers.sample.sample_demisto import demisto_classification | ||
from streamalert.shared.rule import rule | ||
|
||
|
||
@rule( | ||
logs=['osquery:differential'], | ||
outputs=['demisto:sample-integration'], | ||
publishers=[demisto_classification], | ||
context={ | ||
'demisto': { | ||
'incident_type': 'My sample type', | ||
'playbook': 'A Playbook', | ||
'severity': 'informational' | ||
}, | ||
} | ||
) | ||
def sample_demisto(record, _): | ||
""" | ||
author: Derek Wang | ||
description: An example of how to write a Demisto alert using publishers to classify | ||
""" | ||
return record.get('hostIdentifier', '') == 'sample_demisto' |
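Review bot: The rule docstring does not explain that the `demisto` block under `context` only has an effect because `demisto_classification` copies each of its keys onto an `@demisto.<key>` output field; a reader of this file alone cannot see that contract or that the key names are forwarded unchanged. A sentence in the docstring such as `Keys under context['demisto'] are copied by the demisto_classification publisher onto @demisto.<key> output fields` would make the example self-contained. The `author:`/`description:` lines appear to follow a project docstring convention, so the added sentence should go after them.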
@@ -1,2 +1,2 @@ | ||
"""StreamAlert version.""" | ||
__version__ = '3.2.1' | ||
__version__ = '3.3.0' |
4 changes: 4 additions & 0 deletions
4
streamalert_cli/_infrastructure/modules/tf_scheduled_queries/outputs.tf
@@ -0,0 +1,4 @@ | ||
# Role id of the lambda function that runs scheduled queries | ||
output "lambda_function_role_id" { | ||
value = module.scheduled_queries_lambda.role_id | ||
} |
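Review bot: The purpose of the new output is given in a leading `#` comment rather than in the block's `description` argument, which is what module documentation tooling reads; prefer `description = "Role id of the lambda function that runs scheduled queries"` inside the `output` block. Nothing on this page shows what consumes `lambda_function_role_id`; presumably another module uses it to attach IAM policies to the scheduled-queries function's role, in which case the policies granted there are where least-privilege scoping should be reviewed, not this output.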