Rémi ALLAIN rallain@cyberprotect.fr
Python script for automatically create a case in The Hive and start Cortex analyzers adapted to fit the observables.
Go into TheHiveBeeBot directory
cd TheHiveBeeBot-masterLaunch setup.py
python setup.py installOpen config.json and replace the value of api.uri.thehive and api.credentials.key
Then execute app.py
python app.py -H 0.0.0.0 -p 9898Server is now running on port 9898, you can send a submit query :
curl -X POST \
http://127.0.0.1:9898/submit \
-H 'Content-Type: application/json' \
-d '
{
"case": {
"description": "-- test --",
"tags": [
"test"
],
"title": "-- test --",
"tlp": null
},
"jobs": {
"scopes": [
"local",
"ext"
]
},
"observable": {
"data": "./test.png",
"dataType": "file",
"ioc": true,
"message": "test",
"tags": [
"test"
],
"tlp": 2
}
}
'Go into your The Hive platform and check if a new case has been created. If not, you can refer to the errors in the response.
Python 2.7+
Python libraries (available via PIP) :
- magic (
pip install python-magic) - future (
pip install future) - requests (
pip install requests) - thehive4py (
pip install thehive4py) - flask (
pip install flask) - argparse (
pip install argparse)
cd TheHiveBeeBot-master
python setup.py installOpen config.json and replace the value of api.uri.thehive and api.credentials.key
The Hive Bee Bot extends data types for greater accuracy. For example in The Hive, there is the file data type. In The Hive Bee Bot, you can extend the precision of this type by adding a tree structure. For example, a windows binary file will have the following types :
- file
- file/binary
- file/binary/windows
These subtypes are fully customizable. They are simply dependent on the rules you assign within that configuration file.
In order to assign a file type with its extended type, entries must be created in routing. Each entry must have at least one row in regex and one row in type. The regex field is an array containing regular expressions that will be applied to the file information. If there is a match, the file inherits the types and subtypes specified in the type field.
"routing": [
{
"regex": [
"ELF",
"byte-compiled",
"binary"
],
"type": [
"file/binary"
]
}
]Once you've made your routing, you can fulfill the analyzers fields. In this section you should list all the analyzers present in your Cortex. For each scanner, you must specify with which file types and subtypes it should be executed. Thus, when a data is submitted, the analyzers having the types and/or subtypes corresponding to the data will be selected.
"analyzers": [
{
"id": "VirusTotal_Scan ",
"scope": "ext",
"cortexId": "CORTEX-SERVER-ID",
"type": [
"file/binary",
"file/text",
"url"
]
}
]Execute app.py
python app.py -H 0.0.0.0 -p 9898Server is now running on port 9898, you can send a submit query :
curl -X POST \
http://127.0.0.1:9898/submit \
-H 'Content-Type: application/json' \
-d '
{
"case": {
"description": "-- test --",
"tags": [
"test"
],
"title": "-- test --",
"tlp": null
},
"jobs": {
"scopes": [
"local",
"ext"
]
},
"observable": {
"data": "./test.png",
"dataType": "file",
"ioc": true,
"message": "test",
"tags": [
"test"
],
"tlp": 2
}
}
'First, import the library
from thehivebeebot.core import TheHiveBeeBotThen load your configuration
beebot = TheHiveBeeBot('config.json')Add observable to a new case
beebot.execute({
'case': {
'title': '-- test --',
'description': '-- test --',
'tlp': None,
'tags': ['test']
},
'observable': {
'dataType': 'file',
'data': 'test.png',
'tlp': 2,
'ioc': True,
'message': 'test',
'tags': ['test']
},
'jobs': {
'scopes': [
'local',
'ext'
]
}
})Or add observable to an existing case
beebot.execute({
'case': {
'id': 'SOMECASEID'
},
'observable': {
'dataType': 'file',
'data': 'test.png',
'tlp': 2,
'ioc': True,
'message': 'test',
'tags': ['test']
},
'jobs': {
'scopes': [
'local',
'ext'
]
}
})