TheHive-Project · dadokkio · Feb 3, 2021 · Jan 22, 2021 · Jan 25, 2021 · Jan 27, 2021
diff --git a/responders/CheckPoint/CheckPoint_Gaia_lock.json b/responders/CheckPoint/CheckPoint_Gaia_lock.json
@@ -0,0 +1,65 @@
+{
+  "name": "CheckPoint Lock",
+  "version": "1.0",
+  "author": "@dadokkio LDO-CERT",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Lock ip on CheckPoint Gaia",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "CheckPoint/checkpoint.py",
+  "baseConfig": "CheckPoint", 
+  "config": {
+    "service": "lock"
+  },  
+  "configurationItems": [
+    {
+      "name": "server",
+      "description": "Checkpoint API server",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "username",
+      "description": "CheckPoint username",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "password",
+      "description": "CheckPoint password",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "group_name",
+      "description": "CheckPoint group name ip will be added/removed from",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "exclusions",
+      "description": "ip/subnet that cannot be locked or unlocked",
+      "type": "string",
+      "multi": true,
+      "required": false
+    },
+    {
+      "name": "added_tag",
+      "description": "Tag added to observable when adding to FW",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "removed_tag",
+      "description": "Tag added to observable when removing from FW",
+      "type": "string",
+      "multi": false,
+      "required": false
+    }
+  ]
+}
diff --git a/responders/CheckPoint/CheckPoint_Gaia_unlock.json b/responders/CheckPoint/CheckPoint_Gaia_unlock.json
@@ -0,0 +1,65 @@
+{
+  "name": "CheckPoint Unlock",
+  "version": "1.0",
+  "author": "@dadokkio LDO-CERT",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Unlock ip on CheckPoint Gaia",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "CheckPoint/checkpoint.py",
+  "baseConfig": "CheckPoint", 
+  "config": {
+    "service": "unlock"
+  },  
+  "configurationItems": [
+    {
+      "name": "server",
+      "description": "Checkpoint API server",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "username",
+      "description": "CheckPoint username",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "password",
+      "description": "CheckPoint password",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "group_name",
+      "description": "CheckPoint group name ip will be added/removed from",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "exclusions",
+      "description": "ip/subnet that cannot be locked or unlocked",
+      "type": "string",
+      "multi": true,
+      "required": false
+    },
+    {
+      "name": "added_tag",
+      "description": "Tag added to observable when adding to FW",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "removed_tag",
+      "description": "Tag added to observable when removing from FW",
+      "type": "string",
+      "multi": false,
+      "required": false
+    }
+  ]
+}
diff --git a/responders/CheckPoint/README.md b/responders/CheckPoint/README.md
@@ -0,0 +1,22 @@
+### CkeckPoint
+
+This responder permits you to add/remove selected observable from a specific group. 
+
+Some notes:
+
+    - API must permit access from cortex machine.
+
+    - First login from API must be manual because it needs fingerprint acceptance. This will generate a fingerprints.txt file that must be placed near to the analyzer python file.
+
+    - It doesn't work in dockerized analyzer!
+
+    - If group doesn't exists it'll be created [when blocking]. At the moment without any default rule.
+
+
+#### Requirements
+The following options are required in CheckPoint Responder configuration:
+
+- `server` : URL of CheckPoint instance 
+- `username`: user accessing CheckPoint instance
+- `password`:  password for the user accessing CheckPoint instance
+- `group_name`: name of the group ip will be added to or removed
diff --git a/responders/CheckPoint/checkpoint.py b/responders/CheckPoint/checkpoint.py
@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+import os
+import json
+import ipaddress
+from cortexutils.responder import Responder
+from cpapi import APIClient, APIClientArgs
+
+
+class CheckPoint(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        # Mail settings
+        server = self.get_param("config.server", None, "Missing server in config")
+        self.username = self.get_param(
+            "config.username", None, "Missing username in config"
+        )
+        self.password = self.get_param(
+            "config.password", None, "Missing password in config"
+        )
+        try:
+            fingerprint_path = "{}/fingerprints.txt".format(os.path.dirname(__file__))
+            fingerprint = json.loads(open(fingerprint_path, "r").read())[server]
+            self.client_args = APIClientArgs(server=server, fingerprint=fingerprint)
+        except:
+            self.error(
+                "Fingerprint check failed. It should be locate here {}".format(
+                    fingerprint_path
+                )
+            )
+
+        self.service = self.get_param("config.service", None)
+        self.group_name = self.get_param(
+            "config.group_name", None, "Missing group_name in config"
+        )
+        self.exclusions = self.get_param("config.exclusions", [])
+        self.added_tag = self.get_param("config.added_tag", None)
+        self.removed_tag = self.get_param("config.removed_tag", None)
+
+    def run(self):
+        Responder.run(self)
+
+        data = self.get_param("data.data")
+        try:
+            data = ipaddress.ip_address(data)
+        except ValueError:
+            self.error("{} is not a valid ip".format(data))
+
+        for excl in self.exclusions:
+            try:
+                excl = ipaddress.ip_address(excl)
+                if data == excl:
+                    self.error("{} in exclusions".format(data))
+            except ValueError:
+                try:
+                    excl = ipaddress.ip_network(excl)
+                    if data in excl:
+                        self.error("{} in exclusions".format(data))
+                except ValueError:
+                    continue
+
+        data = str(data)
+
+        return_dict = {}
+
+        with APIClient(self.client_args) as client:
+            login = client.login(self.username, self.password)
+
+            if not login.success:
+                self.error("Login failed!")
+
+            if self.service == "lock":
+
+                # Check if group exists
+                get_group_response = client.api_call(
+                    "show-group", {"name": self.group_name}
+                )
+
+                if not get_group_response.success:
+                    # if no create it
+                    add_group_response = client.api_call(
+                        "add-group", {"name": self.group_name}
+                    )
+
+                    if not add_group_response.success:
+                        self.error(
+                            "Error during group creation: {}".format(
+                                add_group_response.error_message
+                            )
+                        )
+                    else:
+                        client.api_call("publish", {})
+                        return_dict["group_created"] = True
+                else:
+                    return_dict["group_created"] = False
+
+                # Check if host exists
+                get_host_response = client.api_call("show-host", {"name": data})
+
+                if not get_host_response.success:
+                    return_dict["host_created"] = True
+
+                    # Create host from ip
+                    add_host_response = client.api_call(
+                        "add-host",
+                        {
+                            "name": data,
+                            "ip-address": data,
+                            "comments": "From TheHive responder",
+                        },
+                    )
+
+                    if not add_host_response.success:
+                        self.error(
+                            "Error during host creation: {}".format(
+                                add_host_response.error_message
+                            )
+                        )
+                else:
+                    client.api_call("publish", {})
+                    return_dict["host_created"] = False
+
+                # Add observable to group
+                response = client.api_call(
+                    "set-group",
+                    {"name": self.group_name, "members": {"add": data}},
+                )
+
+                if not response.success:
+                    self.error(
+                        "Error adding host to group: {}".format(response.error_message)
+                    )
+                else:
+                    # COMMIT CHANGES
+                    client.api_call("publish", {})
+                    return_dict["Success"] = True
+
+            elif self.service == "unlock":
+                # Check if host exists
+                get_host_response = client.api_call("show-host", {"name": data})
+
+                if not get_host_response.success:
+                    self.error(
+                        "Host doen't exists: {}".format(get_host_response.error_message)
+                    )
+
+                # Remove observable from group
+                response = client.api_call(
+                    "set-group",
+                    {"name": self.group_name, "members": {"remove": data}},
+                )
+
+                if not response.success:
+                    self.error(
+                        "Error removing host from group: {}".format(
+                            response.error_message
+                        )
+                    )
+                else:
+                    # COMMIT CHANGES
+                    client.api_call("publish", {})
+                    return_dict["Success"] = True
+
+            self.report({"message": return_dict})
+
+    def operations(self, raw):
+        if self.service == "lock" and self.added_tag:
+            return [self.build_operation("AddTagToArtifact", tag=self.added_tag)]
+        elif self.service == "unlock" and self.removed_tag:
+            return [self.build_operation("AddTagToArtifact", tag=self.removed_tag)]
+
+
+if __name__ == "__main__":
+    CheckPoint().run()
diff --git a/responders/CheckPoint/requirements.txt b/responders/CheckPoint/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+-e git+https://github.com/CheckPointSW/cp_mgmt_api_python_sdk#egg=cpapi cpapi
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		cortexutils
		-e git+https://github.com/CheckPointSW/cp_mgmt_api_python_sdk#egg=cpapi cpapi