private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues) { lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip; lFidoReturnValues.Cyphort.Domain = new List <string>(); lFidoReturnValues.Cyphort.URL = new List <string>(); lFidoReturnValues.Cyphort.MD5Hash = new List <string>(); try { foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray) { lFidoReturnValues.Cyphort.EventID = infection.Infection_id; lFidoReturnValues.AlertID = infection.Infection_id; lFidoReturnValues.Cyphort.URL.Add(string.Empty); lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty); lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers); lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)"); var isRunDirector = false; //Check to see if ID has been processed before lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director."); TheDirector.Direct(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e); } return(lFidoReturnValues); }
private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn) { try { foreach (var entry in panReturn.Result.Log.Logs.Entry) { if (entry.App == "dns") { continue; } Console.WriteLine(@"Processing PAN " + entry.SubType + @" event."); //initialize generic variables for PAN values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.PaloAlto == null) { lFidoReturnValues.PaloAlto = new PaloAltoReturnValues(); } //Convert PAN classifications to more readable values lFidoReturnValues.MalwareType = entry.Type + " " + entry.SubType; lFidoReturnValues.CurrentDetector = "panv1"; lFidoReturnValues.PaloAlto.EventID = entry.EventID; lFidoReturnValues.AlertID = entry.EventID; if (entry.Direction == "client-to-server") { lFidoReturnValues.PaloAlto.isDst = true; } else { lFidoReturnValues.PaloAlto.isDst = false; } if (lFidoReturnValues.PaloAlto.isDst) { lFidoReturnValues.SrcIP = entry.SrcIP; lFidoReturnValues.DstIP = entry.DstIP; lFidoReturnValues.PaloAlto.DstIp = entry.DstIP; } else { lFidoReturnValues.SrcIP = entry.DstIP; lFidoReturnValues.DstIP = entry.SrcIP; lFidoReturnValues.PaloAlto.DstIp = entry.SrcIP; } if (!string.IsNullOrEmpty(entry.DstUser)) { lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty); lFidoReturnValues.Username = entry.DstUser; } lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture); lFidoReturnValues.TimeOccurred = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture); var isRunDirector = false; //Check to see if ID has been processed before lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director."); TheDirector.Direct(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e); } }
//Helper function to assign important values to FidoReturnValues objects and then //handoff to TheDirector for FIDO processing. private static void ParseCyphort(CyphortClass cyphortReturn) { try { if (cyphortReturn.correlations_array != null && cyphortReturn.correlations_array.Any()) { cyphortReturn.correlations_array = cyphortReturn.correlations_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.correlations_array.Count(); i++) { Console.WriteLine(@"Processing correlation alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.correlations_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.correlations_array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = cyphortReturn.correlations_array[i][4]; lFidoReturnValues.MalwareType = cyphortReturn.correlations_array[i][19] + " and download"; lFidoReturnValues.DstIP = cyphortReturn.correlations_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.correlations_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.correlations_array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { cyphortReturn.correlations_array[i][12] }; lFidoReturnValues.Url = new List <string> { cyphortReturn.correlations_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { cyphortReturn.correlations_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { cyphortReturn.correlations_array[i][7] }; lFidoReturnValues.Hash = new List <string> { cyphortReturn.correlations_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; //Using the Hostname/SrcIP, check the FidoDB to see if any previous alerts were generated lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); //If previous alerts were generated then run PreviousAlert to compare the AlertID of the newly generated //alert versus previous alerts. if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues); } //If the type of alert is a test alert then exit, or if the alert is has already been processed if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } if (cyphortReturn.downloads_array != null && cyphortReturn.downloads_array.Any()) { cyphortReturn.downloads_array = cyphortReturn.downloads_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.downloads_array.Count(); i++) { Console.WriteLine(@"Processing download alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.downloads_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.downloads_array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = cyphortReturn.downloads_array[i][4]; lFidoReturnValues.MalwareType = cyphortReturn.downloads_array[i][20] + " download detected"; lFidoReturnValues.DstIP = cyphortReturn.downloads_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.downloads_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.downloads_array[i][0]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { cyphortReturn.downloads_array[i][12] }; lFidoReturnValues.Url = new List <string> { cyphortReturn.downloads_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { cyphortReturn.downloads_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { cyphortReturn.downloads_array[i][7] }; lFidoReturnValues.Hash = new List <string> { cyphortReturn.downloads_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } if (cyphortReturn.infections_array != null && cyphortReturn.infections_array.Any()) { cyphortReturn.infections_array = cyphortReturn.infections_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.infections_array.Count(); i++) { Console.WriteLine(@"Processing infection alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.infections_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.infections_array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = cyphortReturn.infections_array[i][4]; lFidoReturnValues.MalwareType = "C&C external communication detected"; lFidoReturnValues.DstIP = cyphortReturn.infections_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.infections_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.infections_array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { cyphortReturn.infections_array[i][12] }; lFidoReturnValues.Url = new List <string> { cyphortReturn.infections_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { cyphortReturn.infections_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { cyphortReturn.infections_array[i][7] }; lFidoReturnValues.Hash = new List <string> { cyphortReturn.infections_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector parse:" + e); } }
private static void ParseProtectWiseObservation(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event protectwiseReturn, string malwareType) { try { //protectwiseReturn.Observations = protectwiseReturn.Observations.Reverse().ToArray(); for (var i = 0; i < protectwiseReturn.Observations.Count(); i++) { if (protectwiseReturn.Observations[i].Flow.IP.DstIP == "0.0.0.0") { continue; } Console.WriteLine(@"Processing ProtectWise observation " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + protectwiseReturn.Observations.Count().ToString(CultureInfo.InvariantCulture) + @"."); //initialize generic variables for Cyphort values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.ProtectWise == null) { lFidoReturnValues.ProtectWise = new ProtectWiseReturnValues(); } lFidoReturnValues.ProtectWise.EventDetails = protectwiseReturn; lFidoReturnValues.MalwareType = protectwiseReturn.Observations[i].Category + " : " + protectwiseReturn.Observations[i].ThreatSubCategory + " (" + protectwiseReturn.Observations[i].KillChainStage + ")"; //Assign generic event deatils for use in TheDirector lFidoReturnValues.CurrentDetector = "protectwisev1"; lFidoReturnValues.MalwareType = malwareType; if (!string.IsNullOrEmpty(lFidoReturnValues.ProtectWise.EventDetails.Id)) { if (protectwiseReturn.Observations[i].Flow.IP.SrcIP == "0.0.0.0" || protectwiseReturn.Observations[i].Flow.IP.DstIP == "0.0.0.0") { continue; } lFidoReturnValues.ProtectWise.IncidentDetails = new Object_ProtectWise_Threat_ConfigClass.ProtectWise_Observation(); if (protectwiseReturn.Netflow[i].GEO != null) { lFidoReturnValues.ProtectWise.GEO = new Object_ProtectWise_Threat_ConfigClass.ProtectWise_GEO(); lFidoReturnValues.ProtectWise.GEO = protectwiseReturn.Netflow[i].GEO; } lFidoReturnValues.ProtectWise.IncidentDetails = protectwiseReturn.Observations[i]; if (protectwiseReturn.Observations[i].Flow.IP.DstIP.StartsWith("10.")) { lFidoReturnValues.SrcIP = protectwiseReturn.Observations[i].Flow.IP.DstIP; lFidoReturnValues.ProtectWise.DstIP = protectwiseReturn.Observations[i].Flow.IP.SrcIP; lFidoReturnValues.DstIP = protectwiseReturn.Observations[i].Flow.IP.SrcIP; lFidoReturnValues.ProtectWise.URL = protectwiseReturn.Observations[i].Flow.IP.SrcIP; } else { lFidoReturnValues.DstIP = protectwiseReturn.Observations[i].Flow.IP.DstIP; lFidoReturnValues.ProtectWise.DstIP = protectwiseReturn.Observations[i].Flow.IP.DstIP; lFidoReturnValues.SrcIP = protectwiseReturn.Observations[i].Flow.IP.SrcIP; lFidoReturnValues.ProtectWise.URL = protectwiseReturn.Observations[i].Flow.IP.DstIP; } lFidoReturnValues.ProtectWise.EventID = protectwiseReturn.Observations[i].EventID; lFidoReturnValues.AlertID = protectwiseReturn.Observations[i].EventID; lFidoReturnValues.TimeOccurred = FromEpochTime(protectwiseReturn.Observations[i].EventTime).ToString(); lFidoReturnValues.ProtectWise.EventTime = FromEpochTime(protectwiseReturn.Observations[i].EventTime).ToString(); if (protectwiseReturn.Observations[i].Data.URL_Reputation != null) { var getDomain = protectwiseReturn.Observations[i].Data.URL_Reputation.Url.Split('/'); lFidoReturnValues.DNSName = getDomain[0].Replace(".", "(.)"); } //Check to see if ID has been processed before var isRunDirector = false; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.ProtectWise.EventID, lFidoReturnValues.ProtectWise.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) { return; } if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.Ip_Reputation != null) { lFidoReturnValues = FormatIPReturnValues(lFidoReturnValues); } if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null) { lFidoReturnValues = FormatURLReturnValues(lFidoReturnValues); } if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.File_Reputation != null) { } if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.DNS_Reputation != null) { } if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.IdsEvent != null) { lFidoReturnValues = FormatIdsReturnValues(lFidoReturnValues); } } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector parse:" + e); } }
private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn) { var cbHost = string.Empty; var cbHostInt = 0; foreach (var cbEvent in cbReturn.Results) { Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @"."); try { //initialize generic variables for CB values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.CB == null) { lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() }; } lFidoReturnValues.CurrentDetector = "carbonblackv1"; lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName; lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType; if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary")) { lFidoReturnValues.isBinary = true; } var dTable = new SqLiteDB(); var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack"); var cbDict = GetDict(cbData); foreach (var label in cbDict) { if (cbEvent.WatchlistName == label.Key) { lFidoReturnValues.MalwareType = label.Value; break; } } if (lFidoReturnValues.MalwareType == null) { lFidoReturnValues.MalwareType = "Malicious file detected."; } lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID; lFidoReturnValues.AlertID = cbEvent.UniqueID; lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Hostname = cbEvent.Hostname; //todo: this was supposed to limit the total # of alerts sent from a single host, //however, it is poo and needs to be redone. if (lFidoReturnValues.Hostname != cbHost) { cbHost = lFidoReturnValues.Hostname; } else { cbHostInt++; } if (cbHostInt >= 25) { CloseCarbonBlackAlert(lFidoReturnValues); } lFidoReturnValues.Username = cbEvent.Username; lFidoReturnValues.Hash = new List <string> { cbEvent.MD5 }; lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5; lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true); if (string.IsNullOrEmpty(cbEvent.ProcessPath)) { if (string.IsNullOrEmpty(cbEvent.ProcessPath)) { lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0]; } } else { lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath; } if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null)) { lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture); } else { lFidoReturnValues.CB.Alert.HostCount = "0"; } if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null)) { lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture); } else { lFidoReturnValues.CB.Alert.NetConn = "0"; } if (lFidoReturnValues.CB.Inventory != null) { var sFilter = new[] { "|", "," }; var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter, StringSplitOptions.RemoveEmptyEntries); lFidoReturnValues.SrcIP = sIP[0]; } var isRunDirector = false; //Check to see if ID has been processed before lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); //CloseCarbonBlackAlert(lFidoReturnValues); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e); } } }
private static FidoReturnValues FormatDownloadReturnValues(FidoReturnValues lFidoReturnValues) { lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip; lFidoReturnValues.Cyphort.URL = new List <string>(); lFidoReturnValues.Cyphort.MD5Hash = new List <string>(); lFidoReturnValues.Cyphort.Domain = new List <string>(); try { foreach (var download in lFidoReturnValues.Cyphort.IncidentDetails.Incident.DownloadArray) { if (!string.IsNullOrEmpty(download.Event_id)) { lFidoReturnValues.Cyphort.EventID = download.Event_id; } if (!string.IsNullOrEmpty(download.Event_id)) { lFidoReturnValues.AlertID = download.Event_id; } if (!string.IsNullOrEmpty(download.Source_url)) { lFidoReturnValues.Cyphort.URL.Add(download.Source_url); lFidoReturnValues.Url = new List <string> { download.Source_url }; } if (!string.IsNullOrEmpty(download.File_md5_string)) { lFidoReturnValues.Cyphort.MD5Hash.Add(download.File_md5_string); lFidoReturnValues.Hash = new List <string> { download.File_md5_string }; } if (download.Req_headers != null) { lFidoReturnValues.Cyphort.Domain.Add(download.Req_headers.Host); lFidoReturnValues.DNSName = download.Req_headers.Host.Replace(".", "(.)"); } //Check to see if ID has been processed before var isRunDirector = false; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; Console.WriteLine(@"Processing download incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director."); TheDirector.Direct(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 download return:" + e); } return(lFidoReturnValues); }