
jordisk / TheHive2Sigma

Licence: MIT License
Python script to automatically create sigma rules from The hive observables


TheHive2Sigma

What is it?

TheHive2Sigma is a Python script that uses TheHive's API to fetch all observables attached to a specific case and builds a Sigma rule from them, so you can search your SIEM and see how many logs match those observables.

At the moment, TheHive2Sigma can create Sigma rules for the following observable types:

  • IP address
  • FQDN
  • Domain
  • Registry key
  • Process (TheHive has no process observable type by default; create one under Admin --> Observables)

How does it work?

Install the Python libraries:

pip install -r requirements.txt

Open the script in your favourite text editor and fill in the three empty variables at the beginning of the script:

# Config
thehive_url = 'https://thehive.bussiness.com:9000' # TheHive URL, including the port
thehive_api = 'oczZpMn44t6bgImffz7Odfred87sEA7u' # API key for TheHive
thehive_case = 'ADAS3pWuOTfe0bZni0kV' # TheHive case id (20 chars)

Run the script and it prints a Sigma rule to stdout:

python thehive2sigma.py

Sample output:

action: global 
title: Case 5 WannaFuck infection
status: experimental
description: Detects Observables based on Case 5 from TheHive
author: jordisk
references:
    - http://thehive.lab.int:9000/index.html#/case/ADAS3pWuOTfe0bZni0kV/details
date: 2018/08/09
---
logsource:
    category: firewall
detection:
    outgoing: 
        dst_ip:
            - '155.151.29.109'
            - '8.8.8.8'
    incoming: 
        src_ip:
            - '155.151.29.109'
            - '8.8.8.8'
    condition: 1 of them
---
logsource:
    category: dns
detection:
    selection: 
        query: 
            - 'google.co.uk'
            - 'github.com'
            - 'hackmd.io'
    condition: selection
---
logsource:
    category: proxy
detection:
    selection1: 
        UserAgent: 
            - '*(hydra)*'
    condition: selection1
---
logsource:
    product: windows
    service: sysmon
detection:
    selection2: 
        EventID: 
            - 13
            - 12
            - 14
        TargetObject: 
            - 'HKLM\REGISTRY\MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run\wannafuck'
            - 'HKLM\REGISTRY\MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run\wanna*'
    condition: selection2
---
logsource:
    product: windows
    service: sysmon
detection:
    selection3: 
        EventID: 1
        TargetImage: 
            - '*\badcmd.exe'
            - '*\wannafuck.exe'
    condition: selection3
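As an added example (not the project's own code), the conversion the script performs, written from scratch: observables in the `dataType`/`data` shape TheHive's API returns for a case are grouped by type into the logsource sections shown in the sample output above, and only sections that actually have observables are emitted. The input is constructed inline instead of being fetched from TheHive; the `thehive_url` default and the `SAMPLE_OBSERVABLES` values are assumptions, and the process section matches Sysmon EventID 1 on the `Image` field.

```python
from collections import defaultdict

# Constructed sample shaped like TheHive's case-observable JSON ("dataType"/"data" only).
SAMPLE_OBSERVABLES = [
    {"dataType": "ip", "data": "155.151.29.109"},
    {"dataType": "ip", "data": "8.8.8.8"},
    {"dataType": "domain", "data": "hackmd.io"},
    {"dataType": "registry", "data": r"HKLM\SOFTWARE\Microsoft\CurrentVersion\Run\wanna*"},
    {"dataType": "process", "data": "wannafuck.exe"},  # custom type, see the README
    {"dataType": "other", "data": "not convertible"},  # unsupported type: dropped
]

def build_sigma(case_id, title, observables, thehive_url="https://thehive.example.com:9000"):
    """Group observables by dataType; return the global header plus one logsource doc per supported type."""
    by_type = defaultdict(list)
    for obs in observables:
        by_type[obs["dataType"]].append(obs["data"])
    ips, names = by_type["ip"], by_type["fqdn"] + by_type["domain"]
    keys, procs = by_type["registry"], ["*\\" + p for p in by_type["process"]]
    sysmon = {"product": "windows", "service": "sysmon"}
    sections = [  # (values, logsource, detection); a section is emitted only if values is non-empty
        (ips, {"category": "firewall"}, {"outgoing": {"dst_ip": ips}, "incoming": {"src_ip": ips}, "condition": "1 of them"}),
        (names, {"category": "dns"}, {"selection": {"query": names}, "condition": "selection"}),
        (keys, sysmon, {"selection": {"EventID": [12, 13, 14], "TargetObject": keys}, "condition": "selection"}),  # registry events
        (procs, sysmon, {"selection": {"EventID": 1, "Image": procs}, "condition": "selection"}),  # process creation
    ]
    docs = [{"action": "global", "title": title, "status": "experimental",
             "description": f"Detects observables from TheHive case {case_id}",
             "references": [f"{thehive_url}/index.html#/case/{case_id}/details"]}]
    return docs + [{"logsource": ls, "detection": det} for vals, ls, det in sections if vals]

def _yaml(node, indent=0):
    """Minimal emitter for the shapes above; strings are single-quoted so backslashes survive."""
    pad = "    " * indent
    q = lambda v: str(v) if isinstance(v, int) else "'%s'" % v.replace("'", "''")
    if isinstance(node, list):
        return [f"{pad}- {q(v)}" for v in node]
    out = []
    for key, value in node.items():
        if isinstance(value, (dict, list)):
            out += [f"{pad}{key}:"] + _yaml(value, indent + 1)
        else:
            out.append(f"{pad}{key}: {q(value)}")
    return out

def render_sigma(docs):
    # Join the YAML documents with '---' separators, as the script's printed output does.
    return "\n---\n".join("\n".join(_yaml(d)) for d in docs) + "\n"
```

Call `print(render_sigma(build_sigma("ADAS3pWuOTfe0bZni0kV", "Case 5 WannaFuck infection", SAMPLE_OBSERVABLES)))` to get a multi-document rule in the same layout as the sample output; the "other" observable produces no section.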