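/// <summary>
/// Fetches the observations of every event in <paramref name="protectWiseReturn"/> from the
/// ProtectWise v1 API and hands each search result to <see cref="ParseProtectWiseObservation"/>.
/// </summary>
/// <param name="protectWiseReturn">Event list returned by the ProtectWise event query; its
/// <c>Events</c> array is reversed in place so events are handled in the opposite order to
/// how the API listed them.</param>
/// <remarks>
/// A failure while fetching or parsing one event is reported by e-mail and processing moves on
/// to the next event. A non-OK status or an empty response body also skips only that event
/// (the previous implementation returned from the whole method when the response stream was
/// null, silently dropping every remaining event).
/// </remarks>
private static void ParseProtectWiseEvent(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events protectWiseReturn)
{
    protectWiseReturn.Events = protectWiseReturn.Events.Reverse().ToArray();

    // Process-wide setting: set once rather than on every iteration, and require TLS 1.2
    // instead of pinning the whole process to the deprecated TLS 1.0.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    // Detector config (server, query path, API key) does not change between events.
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");

    foreach (var pevent in protectWiseReturn.Events)
    {
        Console.WriteLine(@"Gathering ProtectWise observations for event: " + pevent.Message + @".");

        // The event id comes from the remote API response; percent-encode it so it can only
        // ever form a single path segment of the request.
        var eventId = Convert.ToString(pevent.Id, CultureInfo.InvariantCulture) ?? string.Empty;
        var request = parseConfigs.Server + parseConfigs.Query2 + Uri.EscapeDataString(eventId);

        var alertRequest = (HttpWebRequest) WebRequest.Create(request);
        alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
        alertRequest.Method = "GET";

        try
        {
            using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
            {
                if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
                {
                    continue;
                }

                using (var respStream = protectwiseResponse.GetResponseStream())
                {
                    // Skip this event only; returning here would drop every remaining event.
                    if (respStream == null)
                    {
                        continue;
                    }

                    string stringreturn;
                    using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                    {
                        stringreturn = protectwiseReader.ReadToEnd();
                    }

                    var protectwiseReturn = JsonConvert.DeserializeObject<Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event>(stringreturn);
                    if (protectwiseReturn != null)
                    {
                        ParseProtectWiseObservation(protectwiseReturn, pevent.Message);
                    }
                }
            }
        }
        catch (Exception e)
        {
            // Best effort: report and carry on with the next event.
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in ProtectWise v1 Detector when getting json:" + e);
        }
    }
}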
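/// <summary>
/// Turns each observation of a ProtectWise search event into a <see cref="FidoReturnValues"/>,
/// checks it against previously seen alerts and runs the matching reputation formatters on it.
/// </summary>
/// <param name="protectwiseReturn">Deserialized ProtectWise search result (observations plus netflow).</param>
/// <param name="malwareType">Event message of the parent event; used as the malware type label
/// for every observation.</param>
/// <remarks>
/// Observations whose source or destination address is 0.0.0.0 are skipped, and nothing is
/// processed when the search event carries no id. Processing of the event stops at the first
/// observation that was already handled (see <see cref="PreviousAlert"/>) or whose malware
/// type mentions EICAR. Any exception is reported by e-mail; the remaining observations are
/// then not processed.
/// </remarks>
private static void ParseProtectWiseObservation(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event protectwiseReturn, string malwareType)
{
    try
    {
        var observations = protectwiseReturn.Observations;
        var total = observations.Count();

        for (var i = 0; i < total; i++)
        {
            var observation = observations[i];
            var flowIp = observation.Flow.IP;

            // Unresolved endpoints carry nothing worth enriching.
            if (flowIp.SrcIP == "0.0.0.0" || flowIp.DstIP == "0.0.0.0")
            {
                continue;
            }

            Console.WriteLine(@"Processing ProtectWise observation " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + total.ToString(CultureInfo.InvariantCulture) + @".");

            // Without an event id the observation cannot be correlated with earlier alerts.
            if (string.IsNullOrEmpty(protectwiseReturn.Id))
            {
                continue;
            }

            var lFidoReturnValues = new FidoReturnValues();
            if (lFidoReturnValues.PreviousAlerts == null)
            {
                lFidoReturnValues.PreviousAlerts = new EventAlerts();
            }
            if (lFidoReturnValues.ProtectWise == null)
            {
                lFidoReturnValues.ProtectWise = new ProtectWiseReturnValues();
            }

            var pw = lFidoReturnValues.ProtectWise;
            pw.EventDetails = protectwiseReturn;
            pw.IncidentDetails = observation;

            // Generic event details consumed by TheDirector. NOTE(review): the previous code also
            // built a "Category : ThreatSubCategory (KillChainStage)" label here and then
            // overwrote it with malwareType, so only the parameter value ever reached the caller;
            // that behaviour is kept.
            lFidoReturnValues.CurrentDetector = "protectwisev1";
            lFidoReturnValues.MalwareType = malwareType;

            // Netflow is assumed to run parallel to Observations (same index) — TODO confirm.
            // The bounds guard keeps a shorter netflow list from aborting the whole parse.
            var netflow = protectwiseReturn.Netflow;
            if (netflow != null && i < netflow.Count() && netflow[i].GEO != null)
            {
                pw.GEO = netflow[i].GEO;
            }

            // Report the flow from the internal host's point of view: when the destination is
            // in 10/8 the observation is inbound, so source and destination are swapped. Only
            // 10.x is recognised; other RFC 1918 ranges fall through to the outbound branch.
            if (flowIp.DstIP.StartsWith("10.", StringComparison.Ordinal))
            {
                lFidoReturnValues.SrcIP = flowIp.DstIP;
                lFidoReturnValues.DstIP = flowIp.SrcIP;
                pw.DstIP = flowIp.SrcIP;
                pw.URL = flowIp.SrcIP;
            }
            else
            {
                lFidoReturnValues.SrcIP = flowIp.SrcIP;
                lFidoReturnValues.DstIP = flowIp.DstIP;
                pw.DstIP = flowIp.DstIP;
                pw.URL = flowIp.DstIP;
            }

            var eventTime = FromEpochTime(observation.EventTime).ToString();
            pw.EventID = observation.EventID;
            pw.EventTime = eventTime;
            lFidoReturnValues.AlertID = observation.EventID;
            lFidoReturnValues.TimeOccurred = eventTime;

            if (observation.Data.URL_Reputation != null)
            {
                // Defang the host part of the URL ("." -> "(.)") so it is not clickable in reports.
                // Assumes Url has no scheme prefix; with "http://host/..." the first segment
                // would be "http:" — TODO confirm against the API payload.
                var getDomain = observation.Data.URL_Reputation.Url.Split('/');
                lFidoReturnValues.DNSName = getDomain[0].Replace(".", "(.)");
            }

            // Check whether this event id has been processed before.
            var isRunDirector = false;
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
            if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
            {
                isRunDirector = PreviousAlert(lFidoReturnValues, pw.EventID, pw.EventTime);
            }

            // Deliberately returns rather than continues: the remaining observations of this
            // event are not processed once one is known or is an EICAR test.
            var isEicar = lFidoReturnValues.MalwareType != null && lFidoReturnValues.MalwareType.Contains("EICAR");
            if (isRunDirector || isEicar)
            {
                return;
            }

            // The formatters may return a new object, so re-read through lFidoReturnValues.
            if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.Ip_Reputation != null)
            {
                lFidoReturnValues = FormatIPReturnValues(lFidoReturnValues);
            }
            if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
            {
                lFidoReturnValues = FormatURLReturnValues(lFidoReturnValues);
            }
            // File_Reputation and DNS_Reputation are not enriched yet.
            if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.IdsEvent != null)
            {
                lFidoReturnValues = FormatIdsReturnValues(lFidoReturnValues);
            }
        }
    }
    catch (Exception e)
    {
        // Best effort: report the failure; the caller continues with its next event.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in ProtectWise v1 Detector parse:" + e);
    }
}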