import sys
import alert
import json
import logging
import iris_api
from datetime import datetime
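def main() -> None:
    """Push one alert file into IRIS and attach it to the matching case.

    Usage: ``script ALERT_FILE API_KEY HOOK_URL``

    Reads the JSON alert from ``ALERT_FILE``, submits it to IRIS through
    ``iris_api.IrisClient`` and then either opens a new case named after the
    alert's source IP or merges the alert (plus its IOC uuids) into an
    existing case whose name mentions that IP.

    Exits with status 1 when arguments are missing, when the alert file cannot
    be read or parsed, when the alert carries no source IP, or when a merge is
    required but IRIS did not hand back the ids it needs.
    """
    import re  # function-scope import: leaves the file's import block untouched

    logger = logging.getLogger(__name__)

    if len(sys.argv) < 4:
        print("Not enough arguments!", file=sys.stderr)
        print(f"usage: {sys.argv[0]} ALERT_FILE API_KEY HOOK_URL", file=sys.stderr)
        sys.exit(1)

    alert_file = sys.argv[1]
    # NOTE(security): a secret passed on the command line is readable by every
    # local user through `ps` / /proc and lands in shell history. The argv
    # position is kept for backward compatibility; callers should prefer to
    # inject the key through an environment variable or a file.
    api_key = sys.argv[2]
    hook_url = sys.argv[3]

    try:
        with open(alert_file, encoding="utf-8") as f:
            alert_json = json.load(f)
    except (OSError, ValueError) as e:
        # json.JSONDecodeError and UnicodeDecodeError are ValueError subclasses.
        # Say why we are bailing instead of exiting silently.
        logger.error("Cannot read alert file %s: %s", alert_file, e)
        sys.exit(1)

    client = iris_api.IrisClient(hook_url, api_key)
    processor = alert.AlertProcessor()
    formatted_alert = processor.process(alert_json)

    # presumably a dict with "alert_id" and "iocs" keys — confirm against iris_api
    alert_result = client.alert(formatted_alert.to_IRIS())

    src_ip = formatted_alert.srcip
    if not src_ip:
        # With an empty IP the case lookup below would match every case name.
        logger.error("Alert from %s has no source IP; cannot map it to a case", alert_file)
        sys.exit(1)

    # Match the IP as a whole token. Plain substring matching would let
    # 10.0.0.1 match a case for 10.0.0.10 or 110.0.0.1 and merge the alert
    # into somebody else's case.
    ip_pattern = re.compile(r"(?<![\w.:])" + re.escape(src_ip) + r"(?![\w.:])")

    match = None
    for case in client.cases_list():
        if ip_pattern.search(case.get("case_name", "")):
            match = case  # last matching case wins, as before

    if match is None:
        client.case_new(src_ip, formatted_alert.title)
        return

    alert_id = alert_result.get("alert_id")
    case_id = match.get("case_id")
    if alert_id is None or case_id is None:
        # Never call merge with placeholder ids: that is an API error at best
        # and a merge into the wrong object at worst.
        logger.error("Cannot merge alert: alert_id=%r case_id=%r", alert_id, case_id)
        sys.exit(1)

    iocs = [ioc.get("ioc_uuid", "N/A") for ioc in alert_result.get("iocs", [])]
    client.merge_alert_to_case(alert_id, case_id, iocs)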
# Script entry point; importing the module must not trigger the upload.
if __name__ == "__main__":
    main()