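/// <summary>
/// Builds the notification replacement table for every detector that fired: each known
/// detector identifier dispatches to its "bad guy" helper, and the VirusTotal replacements
/// are then layered on top of the result.
/// </summary>
/// <param name="lFidoReturnValues">Aggregated detector results. Only the sub-object that
/// belongs to each detector named in <paramref name="detectors"/> is read; counters such as
/// <c>BadHashs</c> are incremented in place.</param>
/// <param name="detectors">Detector identifiers to process. Recognised values are
/// "cyphortv2", "cyphortv3", "protectwisev1-event", "carbonblackv1", "panv1", "mps",
/// "antivirus", "ids" and "bit9"; anything else is ignored.</param>
/// <param name="replaceParameters">Carries the replacement dictionary and the good/bad
/// hash lists. Mutated in place.</param>
/// <returns>
/// <c>replaceParameters.Replacements</c>. If a detector helper throws, the exception is
/// reported by e-mail and the partially filled dictionary is returned (the method is
/// best-effort by design; it never rethrows).
/// </returns>
public static Dictionary<string, string> StartReplacements(FidoReturnValues lFidoReturnValues, string[] detectors, ReplaceParameters replaceParameters)
{
    try
    {
        foreach (var detector in detectors)
        {
            ApplyDetectorReplacements(lFidoReturnValues, detector, replaceParameters);
        }
    }
    catch (Exception e)
    {
        // Best-effort: report the failure and hand back whatever was collected so far.
        // The previous message contained a stray "{0}" that was never formatted.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in Notification Help: " + e);
    }

    return replaceParameters.Replacements;
}

/// <summary>
/// Applies the replacements contributed by one detector (the body of the former switch).
/// A detector whose result object is null contributes nothing.
/// </summary>
/// <param name="lFidoReturnValues">Aggregated detector results.</param>
/// <param name="detector">Detector identifier, see <see cref="StartReplacements"/>.</param>
/// <param name="replaceParameters">Replacement dictionary and hash lists, mutated in place.</param>
private static void ApplyDetectorReplacements(FidoReturnValues lFidoReturnValues, string detector, ReplaceParameters replaceParameters)
{
    switch (detector)
    {
        case "cyphortv2":
        case "cyphortv3":
            // Both Cyphort API versions share the same helper.
            if (lFidoReturnValues.Cyphort != null)
            {
                replaceParameters.Replacements = Notification_Cyphort_Helper.CyphortBadGuyReturn(lFidoReturnValues, replaceParameters);
                replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
            }
            break;

        case "protectwisev1-event":
            if (lFidoReturnValues.ProtectWise != null)
            {
                replaceParameters.Replacements = Notfication_ProtectWise_Helper.ProtectWiseBadGuyReturn(lFidoReturnValues, replaceParameters);
                replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
            }
            break;

        case "carbonblackv1":
            // Guard CB itself as well as CB.Alert; the old check dereferenced CB unconditionally.
            if (lFidoReturnValues.CB != null && lFidoReturnValues.CB.Alert != null)
            {
                replaceParameters.Replacements = Notification_CarbonBlack_Helper.CarbonBlackBadGuyReturn(lFidoReturnValues, replaceParameters);
                replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
            }
            break;

        case "panv1":
            if (lFidoReturnValues.PaloAlto != null)
            {
                replaceParameters.Replacements = Notification_PaloAlto_Helper.PaloAltoBadGuyReturn(lFidoReturnValues, replaceParameters);
                replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
            }
            break;

        case "mps":
            // FireEye MPS: tally the hit, then check VirusTotal for values.
            if (lFidoReturnValues.FireEye != null)
            {
                replaceParameters.Replacements = MPSBadGuyReturn(lFidoReturnValues, replaceParameters);
                replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
            }
            break;

        case "bit9":
            ApplyBit9Replacements(lFidoReturnValues, replaceParameters);
            break;

        case "antivirus":
        case "ids":
            // These detectors currently contribute no replacements.
            break;
    }
}

/// <summary>
/// Records the first Bit9 VirusTotal report as a good or bad hash and fills the
/// "%bit9threat%" / "%bit9trust%" placeholders.
/// </summary>
/// <param name="lFidoReturnValues">Aggregated detector results; <c>Bit9</c> may be null.</param>
/// <param name="replaceParameters">Replacement dictionary and hash lists, mutated in place.</param>
private static void ApplyBit9Replacements(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
{
    var bit9 = lFidoReturnValues.Bit9;
    if (bit9 == null)
    {
        return;
    }

    // No report means no Bit9 placeholders at all (matches the old `continue`). An empty
    // report is treated the same way; the old code indexed [0] without checking.
    if (bit9.VTReport == null || !bit9.VTReport.Any())
    {
        return;
    }

    // Only the first report is consulted, as before.
    var report = bit9.VTReport[0];
    if (report.Positives > 0)
    {
        lFidoReturnValues.BadHashs += 1;
        // NOTE(review): the old code referenced bare lBadMD5Hashes/lGoodMD5Hashes, which are
        // not declared in this method; BadMD5Hashes/GoodMD5Hashes matches the CarbonBlack and
        // PaloAlto helpers — confirm against ReplaceParameters.
        replaceParameters.BadMD5Hashes.Add(report.Permalink);
    }
    else
    {
        replaceParameters.GoodMD5Hashes.Add(report.Permalink);
    }

    // Indexer rather than Add: an earlier detector in the same run (CarbonBlack/PaloAlto)
    // may already have written a "Not Configured" placeholder for these keys, and Add
    // would throw ArgumentException on the duplicate key.
    // NOTE(review): FileThreat/FileTrust originate from the Bit9 response and are substituted
    // into the notification template downstream without encoding here — confirm the renderer
    // escapes them for its output format.
    replaceParameters.Replacements["%bit9threat%"] = bit9.FileThreat;
    replaceParameters.Replacements["%bit9trust%"] = bit9.FileTrust;
}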
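/// <summary>
/// Tallies the VirusTotal verdicts attached to a Carbon Black alert into the counters on
/// <paramref name="lFidoReturnValues"/> and the good/bad hash and URL lists on
/// <paramref name="replaceParameters"/>, fills the AlienVault placeholders, marks Bit9 as
/// "Not Configured", and finally delegates to CarbonBlackBadGuyReplacements.
/// </summary>
/// <param name="lFidoReturnValues">Detector results. <c>CB.Alert</c> must be non-null; the
/// caller checks this before dispatching here.</param>
/// <param name="replaceParameters">Replacement dictionary and hash/URL lists, mutated in place.</param>
/// <returns>The dictionary returned by CarbonBlackBadGuyReplacements.</returns>
public static Dictionary<string, string> CarbonBlackBadGuyReturn(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
{
    var alert = lFidoReturnValues.CB.Alert;
    var vt = alert.VirusTotal;

    if (vt != null)
    {
        if (vt.MD5HashReturn != null)
        {
            foreach (var hash in vt.MD5HashReturn)
            {
                if (hash.Positives > 0)
                {
                    lFidoReturnValues.BadHashs += 1;
                    replaceParameters.BadMD5Hashes.Add(hash.Permalink);
                }
                else
                {
                    replaceParameters.GoodMD5Hashes.Add(hash.Permalink);
                }
            }
        }

        if (vt.URLReturn != null)
        {
            foreach (var url in vt.URLReturn)
            {
                if (url.Positives > 0)
                {
                    lFidoReturnValues.BadUrLs += 1;
                    replaceParameters.BadURLs.Add(url.Permalink);
                }
                else
                {
                    replaceParameters.GoodURLs.Add(url.Permalink);
                }
            }
        }

        // Only the first IP report is inspected (as before); the empty-list case is now guarded
        // instead of throwing on IPReturn[0].
        if (vt.IPReturn != null && vt.IPReturn.Any())
        {
            var ip = vt.IPReturn[0];

            if (ip.DetectedCommunicatingSamples != null)
            {
                foreach (var sample in ip.DetectedCommunicatingSamples)
                {
                    if (sample.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedComms += 1;
                    }
                }
            }

            if (ip.DetectedDownloadedSamples != null)
            {
                foreach (var sample in ip.DetectedDownloadedSamples)
                {
                    if (sample.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedDownloads += 1;
                    }
                }
            }

            if (ip.DetectedUrls != null)
            {
                foreach (var detected in ip.DetectedUrls)
                {
                    if (detected.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedUrls += 1;
                    }
                }
            }
        }
    }

    // The previous version was missing the terminating semicolon on this declaration.
    var replacements = replaceParameters.Replacements;

    // Indexer rather than Add so a repeated call (or another detector writing the same key)
    // overwrites instead of throwing ArgumentException on a duplicate key.
    // NOTE(review): Activity and the Permalinks above come from third-party responses and are
    // substituted into the notification template downstream without encoding here — confirm
    // the renderer escapes them for its output format.
    var alien = alert.AlienVault;
    if (alien != null)
    {
        replacements["%alienrisk%"] = alien.Risk.ToString(CultureInfo.InvariantCulture);
        replacements["%alienreliable%"] = alien.Reliability.ToString(CultureInfo.InvariantCulture);
        replacements["%alienactivity%"] = alien.Activity ?? string.Empty;
    }
    else
    {
        replacements["%alienrisk%"] = "Not Found";
        replacements["%alienreliable%"] = "Not Found";
        replacements["%alienactivity%"] = string.Empty;
    }

    // Bit9 is not consulted on the Carbon Black path.
    replacements["%bit9threat%"] = "Not Configured";
    replacements["%bit9trust%"] = "Not Configured";

    return CarbonBlackBadGuyReplacements(lFidoReturnValues, replacements);
}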
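/// <summary>
/// Tallies the VirusTotal verdicts attached to a Palo Alto result into the counters on
/// <paramref name="lFidoReturnValues"/> and the good/bad hash and URL lists on
/// <paramref name="replaceParameters"/>, marks Bit9 as "Not Configured", and delegates to
/// PaloAltoBadGuyReplacements.
/// </summary>
/// <param name="lFidoReturnValues">Detector results. <c>PaloAlto</c> must be non-null; the
/// caller checks this before dispatching here.</param>
/// <param name="replaceParameters">Replacement dictionary and hash/URL lists, mutated in place.</param>
/// <returns>The dictionary returned by PaloAltoBadGuyReplacements.</returns>
public static Dictionary<string, string> PaloAltoBadGuyReturn(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
{
    var vt = lFidoReturnValues.PaloAlto.VirusTotal;

    if (vt != null)
    {
        if (vt.MD5HashReturn != null)
        {
            foreach (var hash in vt.MD5HashReturn)
            {
                if (hash.Positives > 0)
                {
                    lFidoReturnValues.BadHashs += 1;
                    replaceParameters.BadMD5Hashes.Add(hash.Permalink);
                }
                else
                {
                    replaceParameters.GoodMD5Hashes.Add(hash.Permalink);
                }
            }
        }

        if (vt.URLReturn != null)
        {
            foreach (var url in vt.URLReturn)
            {
                if (url.Positives > 0)
                {
                    lFidoReturnValues.BadUrLs += 1;
                    replaceParameters.BadURLs.Add(url.Permalink);
                }
                else
                {
                    replaceParameters.GoodURLs.Add(url.Permalink);
                }
            }
        }

        // Only the first IP report is inspected (as before); the empty-list case is now guarded
        // instead of throwing on IPReturn[0].
        if (vt.IPReturn != null && vt.IPReturn.Any())
        {
            var ip = vt.IPReturn[0];

            if (ip.DetectedCommunicatingSamples != null)
            {
                foreach (var sample in ip.DetectedCommunicatingSamples)
                {
                    if (sample.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedComms += 1;
                    }
                }
            }

            if (ip.DetectedDownloadedSamples != null)
            {
                foreach (var sample in ip.DetectedDownloadedSamples)
                {
                    if (sample.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedDownloads += 1;
                    }
                }
            }

            if (ip.DetectedUrls != null)
            {
                foreach (var detected in ip.DetectedUrls)
                {
                    if (detected.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedUrls += 1;
                    }
                }
            }
        }
    }

    // The previous version was missing the terminating semicolon on this declaration.
    var replacements = replaceParameters.Replacements;

    // Bit9 is not consulted on the Palo Alto path. Indexer rather than Add so a repeated call
    // (or another detector writing the same key) overwrites instead of throwing on a duplicate.
    // NOTE(review): the Permalinks collected above come from third-party responses and are
    // substituted into the notification template downstream without encoding here — confirm
    // the renderer escapes them for its output format.
    replacements["%bit9threat%"] = "Not Configured";
    replacements["%bit9trust%"] = "Not Configured";

    return PaloAltoBadGuyReplacements(lFidoReturnValues, replacements);
}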
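/// <summary>
/// Tallies the VirusTotal verdicts attached to a Cyphort result into the counters on
/// <paramref name="lFidoReturnValues"/> and the good/bad hash and URL lists on
/// <paramref name="replaceParameters"/>, then delegates to CyphortBadGuyReplacements.
/// </summary>
/// <param name="lFidoReturnValues">Detector results. <c>Cyphort</c> must be non-null; the
/// caller checks this before dispatching here.</param>
/// <param name="replaceParameters">Replacement dictionary and hash/URL lists, mutated in place.</param>
/// <returns>The dictionary returned by CyphortBadGuyReplacements.</returns>
public static Dictionary<string, string> CyphortBadGuyReturn(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
{
    var vt = lFidoReturnValues.Cyphort.VirusTotal;

    if (vt != null)
    {
        // NOTE(review): this helper writes to lBadMD5Hashes/lGoodMD5Hashes/lBadURLs/lGoodURLs,
        // while the CarbonBlack and PaloAlto helpers use BadMD5Hashes/GoodMD5Hashes/BadURLs/GoodURLs.
        // Only one set can exist on ReplaceParameters — confirm and align the names.
        if (vt.MD5HashReturn != null)
        {
            foreach (var hash in vt.MD5HashReturn)
            {
                if (hash.Positives > 0)
                {
                    lFidoReturnValues.BadHashs += 1;
                    replaceParameters.lBadMD5Hashes.Add(hash.Permalink);
                }
                else
                {
                    replaceParameters.lGoodMD5Hashes.Add(hash.Permalink);
                }
            }
        }

        if (vt.URLReturn != null)
        {
            foreach (var url in vt.URLReturn)
            {
                if (url.Positives > 0)
                {
                    lFidoReturnValues.BadUrLs += 1;
                    replaceParameters.lBadURLs.Add(url.Permalink);
                }
                else
                {
                    replaceParameters.lGoodURLs.Add(url.Permalink);
                }
            }
        }

        // Only the first IP report is inspected (as before); the empty-list case is now guarded
        // instead of throwing on IPReturn[0].
        if (vt.IPReturn != null && vt.IPReturn.Any())
        {
            var ip = vt.IPReturn[0];

            if (ip.DetectedCommunicatingSamples != null)
            {
                foreach (var sample in ip.DetectedCommunicatingSamples)
                {
                    if (sample.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedComms += 1;
                    }
                }
            }

            if (ip.DetectedDownloadedSamples != null)
            {
                foreach (var sample in ip.DetectedDownloadedSamples)
                {
                    if (sample.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedDownloads += 1;
                    }
                }
            }

            if (ip.DetectedUrls != null)
            {
                foreach (var detected in ip.DetectedUrls)
                {
                    if (detected.Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedUrls += 1;
                    }
                }
            }
        }
    }

    // NOTE(review): the Permalinks collected above come from third-party responses and are
    // substituted into the notification template downstream without encoding here — confirm
    // the renderer escapes them for its output format.
    return CyphortBadGuyReplacements(lFidoReturnValues, replaceParameters.Replacements);
}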