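        /// <summary>
        /// Writes the identity details attached to an alert into the <c>event_user</c> row
        /// that belongs to that alert.
        /// </summary>
        /// <param name="lFidoReturnValues">Alert being stored; <c>UserInfo</c> must be populated.</param>
        /// <param name="row">Primary key of the <c>event_user</c> row to update, as a decimal string.</param>
        /// <remarks>
        /// Failures are reported through <see cref="Fido_EventHandler.SendEmail"/> and not rethrown,
        /// like the other fidodb update helpers. The column map is built inside the try block so
        /// that a null user attribute (ToLower on it throws) is reported the same way instead of
        /// escaping to the caller and skipping the remaining inserts there.
        /// </remarks>
        private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row)
        {
            var db = new SqLiteDB();

            try
            {
                // "row" is spliced into the WHERE clause as text, so insist on a plain integer
                // before it reaches the SQL. Callers pass the result of a count() query.
                long primKey;
                if (!long.TryParse(row, NumberStyles.Integer, CultureInfo.InvariantCulture, out primKey))
                {
                    throw new ArgumentException("row must be an integer primary key", "row");
                }

                var user = lFidoReturnValues.UserInfo;
                var data = new Dictionary <String, String>
                {
                    { "username", lFidoReturnValues.Username.ToLower() },
                    { "fullname", user.Username.ToLower() },
                    { "email", user.UserEmail.ToLower() },
                    { "title", user.Title.ToLower() },
                    { "dept", user.Department.ToLower() },
                    { "emp_type", user.EmployeeType.ToLower() },
                    { "emp_phone", user.MobileNumber },
                    { "cube", user.CubeLocation.ToLower() },
                    { "city_state", user.City.ToLower() + "\\" + user.State.ToLower() },
                    { "manager", user.ManagerName.ToLower() },
                    { "manager_title", user.ManagerTitle.ToLower() },
                    { "manager_email", user.ManagerMail.ToLower() },
                    // NOTE(review): manager_phone is filled from the employee's MobileNumber, same
                    // as emp_phone; no manager phone property is in view here - confirm intent.
                    { "manager_phone", user.MobileNumber },
                    { "user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) }
                };

                db.Update("event_user", data, "primkey = " + primKey.ToString(CultureInfo.InvariantCulture));
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e);
            }
        }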
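    /// <summary>
    /// Persists a scored alert: inserts the <c>event_alerts</c> row, then fills the threat,
    /// machine and user rows that hang off it and records the historical URL/hash/IP artefacts.
    /// </summary>
    /// <param name="lFidoReturnValues">Alert to store; whichever detector-specific members are
    /// non-null decide which secondary rows get written.</param>
    /// <remarks>
    /// Every failure is reported through <see cref="Fido_EventHandler.SendEmail"/> and swallowed;
    /// the detector that called us never sees an exception from here.
    /// </remarks>
    public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
    {
      var db = new SqLiteDB();

      try
      {
        var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);

        // TimeOccurred is produced with CultureInfo.InvariantCulture (see the Carbon Black
        // parser), so it has to be read back with the same culture; the culture-sensitive
        // overload mis-parses or throws on hosts whose current culture uses another date order.
        var timeOccurred = Convert.ToDateTime(lFidoReturnValues.TimeOccurred, CultureInfo.InvariantCulture);

        var data = new Dictionary<String, String>
        {
          {"timer", iKeepAlive.ToString(CultureInfo.InvariantCulture)},
          {"ip_address", lFidoReturnValues.SrcIP},
          {"hostname", lFidoReturnValues.Hostname.ToLower()},
          {"timestamp", timeOccurred.ToString(CultureInfo.InvariantCulture)},
          {"previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)},
          {"alert_id", lFidoReturnValues.AlertID}
        };

        //insert event to primary alert table
        db.Insert("event_alerts", data);

        // NOTE(review): the new row is located by count(), which only equals its primkey while
        // event_alerts is never purged and not written concurrently; last_insert_rowid() on the
        // inserting connection would be the robust choice - confirm how SqLiteDB scopes connections.
        const string eventAlerts = @"select count() from event_alerts";
        var newRow = db.ExecuteScalar(eventAlerts);

        //if any detector payload is present, store the threat columns
        //todo: figure out a better way to find out if a detector is empty
        // NOTE(review): CB is not in this list although UpdateThreatToDB handles "carbonblackv1",
        // so a Carbon Black alert only reaches it when another detector member is set - confirm.
        if (lFidoReturnValues.Bit9 != null || lFidoReturnValues.Antivirus != null || lFidoReturnValues.FireEye != null ||
            lFidoReturnValues.Cyphort != null || lFidoReturnValues.ProtectWise != null || lFidoReturnValues.PaloAlto != null)
        {
          UpdateThreatToDB(lFidoReturnValues, newRow);
        }

        //if there is machine data then insert
        if (lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null)
        {
          UpdateMachineToDB(lFidoReturnValues, newRow);
        }

        //if there is user data then insert
        if (lFidoReturnValues.UserInfo != null)
        {
          UpdateUserToDB(lFidoReturnValues, newRow);
        }

        //todo: "if there is detailed threat data insert" - placeholder left by the original author, no code follows it

        //historical url/hash/ip data
        UpdateHistoricalURLInfo(lFidoReturnValues);
        UpdateHistoricalHashInfo(lFidoReturnValues);
        UpdateHistoricalIPInfo(lFidoReturnValues);
      }
      catch (Exception e)
      {
        Fido_EventHandler.SendEmail("Fido Error",
          "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
      }
    }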
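        /// <summary>
        /// Persists a scored alert: inserts the <c>event_alerts</c> row, then fills the threat,
        /// machine and user rows that hang off it and records the historical URL/hash/IP artefacts.
        /// </summary>
        /// <param name="lFidoReturnValues">Alert to store; whichever detector-specific members are
        /// non-null decide which secondary rows get written.</param>
        /// <remarks>
        /// Every failure is reported through <see cref="Fido_EventHandler.SendEmail"/> and swallowed;
        /// the detector that called us never sees an exception from here.
        /// </remarks>
        public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
        {
            var db = new SqLiteDB();

            try
            {
                var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);

                // TimeOccurred is produced with CultureInfo.InvariantCulture (see the Carbon Black
                // parser), so it has to be read back with the same culture; the culture-sensitive
                // overload mis-parses or throws on hosts whose current culture uses another date order.
                var timeOccurred = Convert.ToDateTime(lFidoReturnValues.TimeOccurred, CultureInfo.InvariantCulture);

                var data = new Dictionary <String, String>
                {
                    { "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) },
                    { "ip_address", lFidoReturnValues.SrcIP },
                    { "hostname", lFidoReturnValues.Hostname.ToLower() },
                    { "timestamp", timeOccurred.ToString(CultureInfo.InvariantCulture) },
                    { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
                    { "alert_id", lFidoReturnValues.AlertID }
                };

                //insert event to primary alert table
                db.Insert("event_alerts", data);

                // NOTE(review): the new row is located by count(), which only equals its primkey while
                // event_alerts is never purged and not written concurrently; last_insert_rowid() on the
                // inserting connection would be the robust choice - confirm how SqLiteDB scopes connections.
                const string eventAlerts = @"select count() from event_alerts";
                var newRow = db.ExecuteScalar(eventAlerts);

                //if any detector payload is present, store the threat columns
                //todo: figure out a better way to find out if a detector is empty
                // NOTE(review): CB is not in this list although UpdateThreatToDB handles "carbonblackv1",
                // so a Carbon Black alert only reaches it when another detector member is set - confirm.
                if (lFidoReturnValues.Bit9 != null || lFidoReturnValues.Antivirus != null || lFidoReturnValues.FireEye != null ||
                    lFidoReturnValues.Cyphort != null || lFidoReturnValues.ProtectWise != null || lFidoReturnValues.PaloAlto != null)
                {
                    UpdateThreatToDB(lFidoReturnValues, newRow);
                }

                //if there is machine data then insert
                if (lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null)
                {
                    UpdateMachineToDB(lFidoReturnValues, newRow);
                }

                //if there is user data then insert
                if (lFidoReturnValues.UserInfo != null)
                {
                    UpdateUserToDB(lFidoReturnValues, newRow);
                }

                //todo: "if there is detailed threat data insert" - placeholder left by the original author, no code follows it

                //historical url/hash/ip data
                UpdateHistoricalURLInfo(lFidoReturnValues);
                UpdateHistoricalHashInfo(lFidoReturnValues);
                UpdateHistoricalIPInfo(lFidoReturnValues);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error",
                                            "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
            }
        }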
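        /// <summary>
        /// Fills the <c>event_threat</c> row of an alert with the detector-independent threat
        /// columns plus the extra columns the current detector provides.
        /// </summary>
        /// <param name="lFidoReturnValues">Alert whose threat data is stored; <c>CurrentDetector</c>
        /// selects the detector-specific columns.</param>
        /// <param name="row">Primary key of the <c>event_threat</c> row, as a decimal string.</param>
        /// <exception cref="ArgumentException"><paramref name="row"/> is not a plain integer.</exception>
        /// <remarks>
        /// Unlike the user/machine helpers this method has no try/catch of its own; any exception
        /// (including a null <c>MalwareType</c> or <c>CurrentDetector</c>) propagates to the caller.
        /// </remarks>
        private static void UpdateThreatToDB(FidoReturnValues lFidoReturnValues, string row)
        {
            var db       = new SqLiteDB();
            var detector = lFidoReturnValues.CurrentDetector;

            // "row" is spliced into the WHERE clause as text; refuse anything but a plain integer.
            long primKey;
            if (!long.TryParse(row, NumberStyles.Integer, CultureInfo.InvariantCulture, out primKey))
            {
                throw new ArgumentException("row must be an integer primary key", "row");
            }

            var data = new Dictionary <String, String>
            {
                { "threat_dst_ip", lFidoReturnValues.DstIP },
                { "threat_name", lFidoReturnValues.MalwareType.ToLower() },
                { "threat_score", lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) },
                { "detector", detector.ToLower() },
                { "threat_url", lFidoReturnValues.BadUrLs.ToString(CultureInfo.InvariantCulture) },
                { "threat_hash", lFidoReturnValues.BadHashs.ToString(CultureInfo.InvariantCulture) }
            };

            // Detector-specific columns, keyed by the CurrentDetector value each detector sets
            // (e.g. "carbonblackv1" in ParseCarbonBlackAlert). Unknown detectors add nothing.
            switch (detector)
            {
            case "mps":
                data.Add("time_occurred", lFidoReturnValues.FireEye.EventTime);
                break;

            case "bit9":
                //todo: Fido.db does not have a column for filename... legacy? still needed?
                //data.Add("file_name", lFidoReturnValues.Bit9.FileName);
                break;

            case "antivirus":
                data.Add("time_occurred", lFidoReturnValues.Antivirus.EventTime);
                data.Add("action_taken", lFidoReturnValues.Antivirus.ActionTaken);
                data.Add("file_name", lFidoReturnValues.Antivirus.FileName);
                data.Add("threat_status", lFidoReturnValues.Antivirus.Status);
                break;

            case "cyphortv2":
            case "cyphortv3":
                // both Cyphort API versions carry the event time in the same place
                data.Add("time_occurred", lFidoReturnValues.Cyphort.EventTime);
                break;

            case "protectwisev1":
                data.Add("time_occurred", lFidoReturnValues.ProtectWise.EventTime);
                break;

            case "panv1":
                data.Add("time_occurred", lFidoReturnValues.PaloAlto.EventTime);
                break;

            case "carbonblackv1":
                data.Add("time_occurred", lFidoReturnValues.CB.Alert.EventTime);
                break;
            }

            db.Update("event_threat", data, "primkey = " + primKey.ToString(CultureInfo.InvariantCulture));
        }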
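        /// <summary>
        /// Fills the <c>event_machine</c> row of an alert from whichever endpoint inventory is
        /// attached to it: Landesk (full set of columns) or Jamf (OS and Bit9 version only).
        /// </summary>
        /// <param name="lFidoReturnValues">Alert being stored; Landesk wins when both inventories are present.</param>
        /// <param name="row">Primary key of the <c>event_machine</c> row, as a decimal string.</param>
        /// <remarks>
        /// Failures are reported through <see cref="Fido_EventHandler.SendEmail"/> and not rethrown.
        /// A single column map is built with empty defaults and then overwritten per source, so the
        /// two sources can no longer drift apart in the set of columns they write.
        /// </remarks>
        private static void UpdateMachineToDB(FidoReturnValues lFidoReturnValues, string row)
        {
            var db = new SqLiteDB();

            try
            {
                var landesk = lFidoReturnValues.Landesk;
                var jamf    = lFidoReturnValues.Jamf;
                if (landesk == null && jamf == null)
                {
                    return; // nothing to store; the caller only invokes us when one source is present
                }

                // "row" is spliced into the WHERE clause as text; refuse anything but a plain integer.
                long primKey;
                if (!long.TryParse(row, NumberStyles.Integer, CultureInfo.InvariantCulture, out primKey))
                {
                    throw new ArgumentException("row must be an integer primary key", "row");
                }

                // Empty string is the stored value for every column a source does not supply.
                var data = new Dictionary <String, String>
                {
                    { "hostname", lFidoReturnValues.Hostname.ToLower() },
                    { "os", string.Empty },
                    { "domain", string.Empty },
                    { "patches_critical", string.Empty },
                    { "patches_high", string.Empty },
                    { "patches_low", string.Empty },
                    { "av_installed", string.Empty },
                    { "av_running", string.Empty },
                    { "av_def_ver", string.Empty },
                    { "bit9_installed", string.Empty },
                    { "bit9_running", string.Empty },
                    { "machine_score", lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) }
                };

                if (landesk != null)
                {
                    data["os"]     = landesk.OSName.ToLower();
                    data["domain"] = landesk.Domain.ToLower();
                    // NOTE(review): Patches[0] is never stored; whether it is a total or an unused
                    // slot is not visible from here - confirm against the Landesk parser.
                    data["patches_critical"] = landesk.Patches[1].ToString(CultureInfo.InvariantCulture);
                    data["patches_high"]     = landesk.Patches[2].ToString(CultureInfo.InvariantCulture);
                    data["patches_low"]      = landesk.Patches[3].ToString(CultureInfo.InvariantCulture);
                    data["av_installed"]     = landesk.Product.ToLower();
                    data["av_running"]       = landesk.AgentRunning.ToLower();
                    data["av_def_ver"]       = landesk.DefInstallDate.ToLower();
                    data["bit9_installed"]   = landesk.Bit9Version;
                    data["bit9_running"]     = landesk.Bit9Running.ToLower();
                }
                else
                {
                    data["os"]             = jamf.OSName.ToLower();
                    data["bit9_installed"] = jamf.Bit9Version;
                }

                db.Update("event_machine", data, "primkey = " + primKey.ToString(CultureInfo.InvariantCulture));
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error",
                                            "Fido Failed: {0} Exception caught in update machine area of fidodb:" + e);
            }
        }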
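        /// <summary>
        /// Appends one historical artefact to its <c>previous_threat_&lt;kind&gt;</c> table.
        /// </summary>
        /// <param name="threatData">Artefact to store: <c>SDB</c> names the kind (it is both the
        /// table-name suffix and the column the value goes into), <c>InValue</c> is the artefact
        /// and <c>When</c> its timestamp text.</param>
        /// <exception cref="ArgumentException"><c>SDB</c> is empty or not a bare identifier.</exception>
        private static void InsertHistoricalThreatToDB(HistorialThreatData threatData)
        {
            var kind = threatData.SDB;

            // The kind ends up in a table name and a column name, where SQL parameters cannot be
            // used, so only a bare identifier (letters, digits, underscore) is accepted.
            if (string.IsNullOrEmpty(kind))
            {
                throw new ArgumentException("SDB must name the artefact kind", "threatData");
            }
            foreach (var c in kind)
            {
                if (!(char.IsLetterOrDigit(c) || c == '_'))
                {
                    throw new ArgumentException("SDB must be a plain identifier (letters, digits or underscore)", "threatData");
                }
            }

            var db   = new SqLiteDB();
            var data = new Dictionary <String, String>
            {
                { kind, threatData.InValue },
                { "timedate", threatData.When }
            };
            var sdb = @"previous_threat_" + kind;

            db.Insert(sdb, data);
        }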
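        /// <summary>
        /// Appends one historical artefact to its <c>previous_threat_&lt;sdb&gt;</c> table.
        /// </summary>
        /// <param name="sdb">Artefact kind; used as the table-name suffix and as the column the value goes into.</param>
        /// <param name="invalue">The artefact itself (URL, hash, IP, ...).</param>
        /// <param name="timedate">Timestamp text stored in the <c>timedate</c> column.</param>
        /// <exception cref="ArgumentException"><paramref name="sdb"/> is empty or not a bare identifier.</exception>
        private static void InsertHistoricalThreatToDB(string sdb, string invalue, string timedate)
        {
            // sdb ends up in a table name and a column name, where SQL parameters cannot be used,
            // so only a bare identifier (letters, digits, underscore) is accepted.
            if (string.IsNullOrEmpty(sdb))
            {
                throw new ArgumentException("sdb must name the artefact kind", "sdb");
            }
            foreach (var c in sdb)
            {
                if (!(char.IsLetterOrDigit(c) || c == '_'))
                {
                    throw new ArgumentException("sdb must be a plain identifier (letters, digits or underscore)", "sdb");
                }
            }

            var db   = new SqLiteDB();
            var data = new Dictionary <String, String>
            {
                { sdb, invalue },
                { "timedate", timedate }
            };

            db.Insert(@"previous_threat_" + sdb, data);
        }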
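    /// <summary>
    /// Reports whether any artefact of an alert (destination IP, file hashes, domain, URLs)
    /// is present in the <c>event_whitelist</c> table.
    /// </summary>
    /// <param name="sDstIP">Destination IP, or null/empty to skip.</param>
    /// <param name="sHash">File hashes, or null to skip.</param>
    /// <param name="sDomain">Domain, or null/empty to skip.</param>
    /// <param name="sUrl">URLs, or null to skip.</param>
    /// <returns>true as soon as one artefact matches a whitelist row; false otherwise.</returns>
    /// <remarks>
    /// The artefacts come from detector alerts, i.e. from content an attacker can shape (a URL
    /// or domain seen in an alert). They used to be concatenated into the SQL text unescaped;
    /// the literal is now built with single quotes doubled, SQLite's escaping rule for string
    /// literals. If <c>SqLiteDB</c> gains a parameterised query method, prefer that over
    /// building the literal here.
    /// </remarks>
    public bool CheckFidoWhitelist(string sDstIP, List<string> sHash, string sDomain, List<string> sUrl)
    {
      var sqlQuery = new SqLiteDB();

      // Looks up one artefact; the value is escaped before it enters the statement text.
      Func<string, bool> isWhitelisted = artifact =>
      {
        var literal = "'" + (artifact ?? string.Empty).Replace("'", "''") + "'";
        var match = sqlQuery.ExecuteScalar("Select * from event_whitelist where artifact = " + literal);
        return !string.IsNullOrEmpty(match);
      };

      if (!string.IsNullOrEmpty(sDstIP) && isWhitelisted(sDstIP))
      {
        return true;
      }

      if (sHash != null)
      {
        foreach (var hash in sHash)
        {
          if (isWhitelisted(hash))
          {
            return true;
          }
        }
      }

      if (!string.IsNullOrEmpty(sDomain) && isWhitelisted(sDomain))
      {
        return true;
      }

      if (sUrl != null)
      {
        foreach (var url in sUrl)
        {
          if (isWhitelisted(url))
          {
            return true;
          }
        }
      }

      return false;
    }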
    /// <summary>
    /// Runs an already-composed SQL query against the Fido SQLite database and returns the rows.
    /// </summary>
    /// <param name="query">Complete SQL text; it is executed verbatim, so the caller is
    /// responsible for composing it safely.</param>
    /// <returns>The rows returned by <paramref name="query"/>, or an empty <see cref="DataTable"/>
    /// when the query failed (the failure is reported by e-mail, not rethrown).</returns>
    private static DataTable GetPreviousAlerts(string query)
    {
      var db = new SqLiteDB();

      try
      {
        return db.GetDataTable(query);
      }
      catch (Exception e)
      {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
        return new DataTable();
      }
    }
    /// <summary>
    /// Turns every result of a Carbon Black watchlist query into a <see cref="FidoReturnValues"/>
    /// and hands it to <see cref="TheDirector.Direct"/>, unless the alert was already processed
    /// for this machine (<see cref="PreviousAlert"/> says so) or its malware type mentions EICAR.
    /// </summary>
    /// <param name="cbReturn">Deserialised Carbon Black response; <c>Results</c> is iterated.</param>
    /// <remarks>
    /// Each result is handled inside its own try/catch: a failure is e-mailed through
    /// <see cref="Fido_EventHandler.SendEmail"/> and the loop moves on to the next result.
    /// </remarks>
    private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
    {
      // Host of the previous result and how many consecutive results came from it
      // (the per-host throttling the todo further down refers to).
      var cbHost = string.Empty;
      var cbHostInt = 0;

      foreach (var cbEvent in cbReturn.Results)
      {
        Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
        try
        {
          //initialize generic variables for CB values
          // lFidoReturnValues is freshly constructed, so the two null checks below only matter
          // if the FidoReturnValues constructor leaves these members null.
          var lFidoReturnValues = new FidoReturnValues();
          if (lFidoReturnValues.PreviousAlerts == null)
          {
            lFidoReturnValues.PreviousAlerts = new EventAlerts();
          }

          if (lFidoReturnValues.CB == null)
          {
            lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() };
          }
          // "carbonblackv1" is the key the persistence/scoring switches use for this detector.
          lFidoReturnValues.CurrentDetector = "carbonblackv1"; 
          lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
          lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType;
          // A null watchlist name or alert type throws here; the per-result catch below reports it.
          if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
          {
            lFidoReturnValues.isBinary = true;
          }
          
          // Watchlist name -> malware type mapping from configs_dictionary_carbonblack.
          // NOTE(review): it is re-read from the database for every result; hoisting it above
          // the loop would be cheaper if the table does not change during a run.
          var dTable = new SqLiteDB();
          var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
          var cbDict = GetDict(cbData);

          foreach (var label in cbDict)
          {
            if (cbEvent.WatchlistName == label.Key)
            {
              lFidoReturnValues.MalwareType = label.Value;
              break;
            }
          }

          // Fallback label when the watchlist is not in the dictionary.
          if (lFidoReturnValues.MalwareType == null) lFidoReturnValues.MalwareType = "Malicious file detected.";

          lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID;
          lFidoReturnValues.AlertID = cbEvent.UniqueID;
          // Timestamps are normalised to UTC and formatted with the invariant culture; whatever
          // parses TimeOccurred later must use the same culture.
          lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
          lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
          lFidoReturnValues.Hostname = cbEvent.Hostname;

          //todo: this was supposed to limit the total # of alerts sent from a single host,
          //however, it is poo and needs to be redone.
          // Counts consecutive results from the same host. From the 25th repeat on, each further
          // alert is closed at Carbon Black, but it is still processed below (no continue here).
          if (lFidoReturnValues.Hostname != cbHost)
          {
            cbHost = lFidoReturnValues.Hostname;
          }
          else
          {
            cbHostInt++;  
          }
          
          if (cbHostInt >= 25)
          {
            CloseCarbonBlackAlert(lFidoReturnValues);
          }
          lFidoReturnValues.Username = cbEvent.Username;
          lFidoReturnValues.Hash = new List<string> {cbEvent.MD5};
          lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
          lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);
          // With no process path, fall back to the first observed filename. The inner condition
          // repeats the outer one; ObservedFilename[0] throws on an empty list (caught below).
          if (string.IsNullOrEmpty(cbEvent.ProcessPath))
          {
            if (string.IsNullOrEmpty(cbEvent.ProcessPath)) lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
          }
          else
          {
            lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;  
          }

          // NOTE(review): the != 0 test runs before the != null test; harmless for a nullable int
          // but confirm HostCount/NetconnCount really are nullable, otherwise the null test is dead.
          if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
          {
            lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
          }
          else
          {
            lFidoReturnValues.CB.Alert.HostCount = "0";
          }

          if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
          {
            lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
          }
          else
          {
            lFidoReturnValues.CB.Alert.NetConn = "0";
          }

          // The first entry of the adapter list becomes the source IP. Assumes NetworkAdapters is
          // a '|' / ',' delimited string with the address first - confirm against SysMgmt_CarbonBlack.
          if (lFidoReturnValues.CB.Inventory != null)
          {
            var sFilter = new[] {"|", ","};
            var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter,StringSplitOptions.RemoveEmptyEntries);
            lFidoReturnValues.SrcIP = sIP[0];
          }

          var isRunDirector = false;
          //Check to see if ID has been processed before
          lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
          if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
          {
            isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
          }
          // Skip alerts already handled for this machine and EICAR test detections.
          if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;
          //todo: build better filetype versus targetted OS, then remove this.
          lFidoReturnValues.IsTargetOS = true;
          TheDirector.Direct(lFidoReturnValues);
          //CloseCarbonBlackAlert(lFidoReturnValues);
        }
        catch (Exception e)
        {
          Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
        }
      }
    }
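    /// <summary>
    /// Writes the identity details attached to an alert into the <c>event_user</c> row
    /// that belongs to that alert.
    /// </summary>
    /// <param name="lFidoReturnValues">Alert being stored; <c>UserInfo</c> must be populated.</param>
    /// <param name="row">Primary key of the <c>event_user</c> row to update, as a decimal string.</param>
    /// <remarks>
    /// Failures are reported through <see cref="Fido_EventHandler.SendEmail"/> and not rethrown,
    /// like the other fidodb update helpers. The column map is built inside the try block so
    /// that a null user attribute (ToLower on it throws) is reported the same way instead of
    /// escaping to the caller and skipping the remaining inserts there.
    /// </remarks>
    private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row)
    {
      var db = new SqLiteDB();

      try
      {
        // "row" is spliced into the WHERE clause as text, so insist on a plain integer
        // before it reaches the SQL. Callers pass the result of a count() query.
        long primKey;
        if (!long.TryParse(row, NumberStyles.Integer, CultureInfo.InvariantCulture, out primKey))
        {
          throw new ArgumentException("row must be an integer primary key", "row");
        }

        var user = lFidoReturnValues.UserInfo;
        var data = new Dictionary<String, String>
        {
          {"username", lFidoReturnValues.Username.ToLower()},
          {"fullname", user.Username.ToLower()},
          {"email", user.UserEmail.ToLower()},
          {"title", user.Title.ToLower()},
          {"dept", user.Department.ToLower()},
          {"emp_type", user.EmployeeType.ToLower()},
          {"emp_phone", user.MobileNumber},
          {"cube", user.CubeLocation.ToLower()},
          {"city_state", user.City.ToLower() + "\\" + user.State.ToLower()},
          {"manager", user.ManagerName.ToLower()},
          {"manager_title", user.ManagerTitle.ToLower()},
          {"manager_email", user.ManagerMail.ToLower()},
          // NOTE(review): manager_phone is filled from the employee's MobileNumber, same as
          // emp_phone; no manager phone property is in view here - confirm intent.
          {"manager_phone", user.MobileNumber},
          {"user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture)}
        };

        db.Update("event_user", data, "primkey = " + primKey.ToString(CultureInfo.InvariantCulture));
      }
      catch (Exception e)
      {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e);
      }
    }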
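 /// <summary>
 /// Appends one historical artefact to its <c>previous_threat_&lt;sdb&gt;</c> table.
 /// </summary>
 /// <param name="sdb">Artefact kind; used as the table-name suffix and as the column the value goes into.</param>
 /// <param name="invalue">The artefact itself (URL, hash, IP, ...).</param>
 /// <param name="timedate">Timestamp text stored in the <c>timedate</c> column.</param>
 /// <exception cref="ArgumentException"><paramref name="sdb"/> is empty or not a bare identifier.</exception>
 private static void InsertHistoricalThreatToDB(string sdb, string invalue, string timedate)
 {
   // sdb ends up in a table name and a column name, where SQL parameters cannot be used,
   // so only a bare identifier (letters, digits, underscore) is accepted.
   if (string.IsNullOrEmpty(sdb))
   {
     throw new ArgumentException("sdb must name the artefact kind", "sdb");
   }
   foreach (var c in sdb)
   {
     if (!(char.IsLetterOrDigit(c) || c == '_'))
     {
       throw new ArgumentException("sdb must be a plain identifier (letters, digits or underscore)", "sdb");
     }
   }

   var db = new SqLiteDB();
   var data = new Dictionary<String, String>
   {
     { sdb, invalue },
     { "timedate", timedate}
   };

   db.Insert(@"previous_threat_" + sdb, data);
 }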
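    /// <summary>
    /// Fills the <c>event_threat</c> row of an alert with the detector-independent threat
    /// columns plus the extra columns the current detector provides.
    /// </summary>
    /// <param name="lFidoReturnValues">Alert whose threat data is stored; <c>CurrentDetector</c>
    /// selects the detector-specific columns.</param>
    /// <param name="row">Primary key of the <c>event_threat</c> row, as a decimal string.</param>
    /// <exception cref="ArgumentException"><paramref name="row"/> is not a plain integer.</exception>
    /// <remarks>
    /// Unlike the user/machine helpers this method has no try/catch of its own; any exception
    /// (including a null <c>MalwareType</c> or <c>CurrentDetector</c>) propagates to the caller.
    /// </remarks>
    private static void UpdateThreatToDB(FidoReturnValues lFidoReturnValues, string row)
    {
      var db = new SqLiteDB();
      var detector = lFidoReturnValues.CurrentDetector;

      // "row" is spliced into the WHERE clause as text; refuse anything but a plain integer.
      long primKey;
      if (!long.TryParse(row, NumberStyles.Integer, CultureInfo.InvariantCulture, out primKey))
      {
        throw new ArgumentException("row must be an integer primary key", "row");
      }

      var data = new Dictionary<String, String>
      {
        {"threat_dst_ip", lFidoReturnValues.DstIP},
        {"threat_name", lFidoReturnValues.MalwareType.ToLower()},
        {"threat_score", lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture)},
        {"detector", detector.ToLower()},
        {"threat_url", lFidoReturnValues.BadUrLs.ToString(CultureInfo.InvariantCulture)},
        {"threat_hash", lFidoReturnValues.BadHashs.ToString(CultureInfo.InvariantCulture)}
      };

      // Detector-specific columns, keyed by the CurrentDetector value each detector sets
      // (e.g. "carbonblackv1" in ParseCarbonBlackAlert). Unknown detectors add nothing.
      switch (detector)
      {
        case "mps":
          data.Add("time_occurred", lFidoReturnValues.FireEye.EventTime);
          break;
        case "bit9":
          //todo: Fido.db does not have a column for filename... legacy? still needed?
          //data.Add("file_name", lFidoReturnValues.Bit9.FileName);
          break;
        case "antivirus":
          data.Add("time_occurred", lFidoReturnValues.Antivirus.EventTime);
          data.Add("action_taken", lFidoReturnValues.Antivirus.ActionTaken);
          data.Add("file_name", lFidoReturnValues.Antivirus.FileName);
          data.Add("threat_status", lFidoReturnValues.Antivirus.Status);
          break;
        case "cyphortv2":
        case "cyphortv3":
          // both Cyphort API versions carry the event time in the same place
          data.Add("time_occurred", lFidoReturnValues.Cyphort.EventTime);
          break;
        case "protectwisev1":
          data.Add("time_occurred", lFidoReturnValues.ProtectWise.EventTime);
          break;
        case "panv1":
          data.Add("time_occurred", lFidoReturnValues.PaloAlto.EventTime);
          break;
        case "carbonblackv1":
          data.Add("time_occurred", lFidoReturnValues.CB.Alert.EventTime);
          break;
      }

      db.Update("event_threat", data, "primkey = " + primKey.ToString(CultureInfo.InvariantCulture));
    }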
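    /// <summary>
    /// Fills the <c>event_machine</c> row of an alert from whichever endpoint inventory is
    /// attached to it: Landesk (full set of columns) or Jamf (OS and Bit9 version only).
    /// </summary>
    /// <param name="lFidoReturnValues">Alert being stored; Landesk wins when both inventories are present.</param>
    /// <param name="row">Primary key of the <c>event_machine</c> row, as a decimal string.</param>
    /// <remarks>
    /// Failures are reported through <see cref="Fido_EventHandler.SendEmail"/> and not rethrown.
    /// A single column map is built with empty defaults and then overwritten per source, so the
    /// two sources can no longer drift apart in the set of columns they write.
    /// </remarks>
    private static void UpdateMachineToDB(FidoReturnValues lFidoReturnValues, string row)
    {
      var db = new SqLiteDB();
      try
      {
        var landesk = lFidoReturnValues.Landesk;
        var jamf = lFidoReturnValues.Jamf;
        if (landesk == null && jamf == null)
        {
          return; // nothing to store; the caller only invokes us when one source is present
        }

        // "row" is spliced into the WHERE clause as text; refuse anything but a plain integer.
        long primKey;
        if (!long.TryParse(row, NumberStyles.Integer, CultureInfo.InvariantCulture, out primKey))
        {
          throw new ArgumentException("row must be an integer primary key", "row");
        }

        // Empty string is the stored value for every column a source does not supply.
        var data = new Dictionary<String, String>
        {
          {"hostname", lFidoReturnValues.Hostname.ToLower()},
          {"os", string.Empty},
          {"domain", string.Empty},
          {"patches_critical", string.Empty},
          {"patches_high", string.Empty},
          {"patches_low", string.Empty},
          {"av_installed", string.Empty},
          {"av_running", string.Empty},
          {"av_def_ver", string.Empty},
          {"bit9_installed", string.Empty},
          {"bit9_running", string.Empty},
          {"machine_score", lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture)}
        };

        if (landesk != null)
        {
          data["os"] = landesk.OSName.ToLower();
          data["domain"] = landesk.Domain.ToLower();
          // NOTE(review): Patches[0] is never stored; whether it is a total or an unused slot
          // is not visible from here - confirm against the Landesk parser.
          data["patches_critical"] = landesk.Patches[1].ToString(CultureInfo.InvariantCulture);
          data["patches_high"] = landesk.Patches[2].ToString(CultureInfo.InvariantCulture);
          data["patches_low"] = landesk.Patches[3].ToString(CultureInfo.InvariantCulture);
          data["av_installed"] = landesk.Product.ToLower();
          data["av_running"] = landesk.AgentRunning.ToLower();
          data["av_def_ver"] = landesk.DefInstallDate.ToLower();
          data["bit9_installed"] = landesk.Bit9Version;
          data["bit9_running"] = landesk.Bit9Running.ToLower();
        }
        else
        {
          data["os"] = jamf.OSName.ToLower();
          data["bit9_installed"] = jamf.Bit9Version;
        }

        db.Update("event_machine", data, "primkey = " + primKey.ToString(CultureInfo.InvariantCulture));
      }
      catch (Exception e)
      {
        Fido_EventHandler.SendEmail("Fido Error",
          "Fido Failed: {0} Exception caught in update machine area of fidodb:" + e);
      }
    }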
    public static FidoReturnValues GetDetectorsScore(FidoReturnValues lFidoReturnValues)
    {
      //This section will iterate through each detector and then score each threatfeed.
      //todo: refractor each threatfeed so it's not done inside this area.

      var sDetector = lFidoReturnValues.CurrentDetector;

      switch (sDetector)
      {
        case "antivirus":
          if (lFidoReturnValues.CurrentDetector == "antivirus")
          {
            Console.WriteLine(@"Scoring AV detector information.");
            lFidoReturnValues.ThreatScore += AntiVirusScore(lFidoReturnValues);
          }
          break;

        case "bit9":
          if ((lFidoReturnValues.Bit9 != null) && (lFidoReturnValues.Bit9.VTReport != null) &&
              (lFidoReturnValues.CurrentDetector == "bit9"))
          {
            Console.WriteLine(@"Scoring Bit9 detector information.");
            var iBit9PositiveReturns = BitTotalPosReturn(lFidoReturnValues.Bit9.VTReport);
            if ((iBit9PositiveReturns[0] > 0) || (iBit9PositiveReturns[1] > 0))
            {
              lFidoReturnValues.ThreatScore += VirusTotalScore(iBit9PositiveReturns, true);
            }
          }
          break;

        case "ids":
          break;

        case "mas":
          break;

        case "mps":

          //score VirusTotal hash
          lFidoReturnValues.ThreatScore += GetMpsVTHashThreatScore(lFidoReturnValues);

          //score VirusTotal URL
          if ((lFidoReturnValues.FireEye.VirusTotal != null) &&
              (lFidoReturnValues.FireEye.VirusTotal.URLReturn != null) &&
              (lFidoReturnValues.FireEye.VirusTotal.URLReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring FireEye/VirusTotal detector URL information.");
            var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.FireEye.VirusTotal);
            if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0))
            {
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false);
            }
          }

          //score VirusTotal IP
          if ((lFidoReturnValues.FireEye.VirusTotal != null) &&
              (lFidoReturnValues.FireEye.VirusTotal.IPReturn != null) &&
              (lFidoReturnValues.FireEye.VirusTotal.IPReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector IP information.");
            var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.FireEye.VirusTotal);
            if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0))
            {
              lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns);
            }
          }

          //score Alienvault threat feed
          if ((lFidoReturnValues.FireEye.AlienVault != null) &&
              (lFidoReturnValues.FireEye.AlienVault.Activity != null))
          {
            Console.WriteLine(@"Scoring FireEye/AlienVault IP information.");
            lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.FireEye.AlienVault);
          }
          break;

        case "cyphortv2":
          //score VirusTotal hash
          if ((lFidoReturnValues.Cyphort.VirusTotal != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector hash information.");
            var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.Cyphort.VirusTotal);
            if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0))
            {
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true);
            }
          }

          //score VirusTotal URL
          if ((lFidoReturnValues.Cyphort.VirusTotal != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.URLReturn != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.URLReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector URL information.");
            var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.Cyphort.VirusTotal);
            if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0))
            {
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false);
            }
          }

          //score VirusTotal IP
          if ((lFidoReturnValues.Cyphort.VirusTotal != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.IPReturn != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.IPReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector IP information.");
            var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.Cyphort.VirusTotal);
            if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0))
            {
              lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns);
            }
          }

          //score Alienvault threat feed
          if ((lFidoReturnValues.Cyphort.AlienVault != null) &&
              (lFidoReturnValues.Cyphort.AlienVault.Activity != null))
          {
            Console.WriteLine(@"Scoring Cyphort/AlienVault detector IP information.");
            lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.Cyphort.AlienVault);
          }
          break;

        case "cyphortv3":
          //score VirusTotal hash
          if ((lFidoReturnValues.Cyphort.VirusTotal != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector hash information.");
            var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.Cyphort.VirusTotal);
            if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0))
            {
              lFidoReturnValues.Cyphort.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveHashReturns, true))/10;
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true);
            }
          }

          //score VirusTotal URL
          if ((lFidoReturnValues.Cyphort.VirusTotal != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.URLReturn != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.URLReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector URL information.");
            var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.Cyphort.VirusTotal);
            if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0))
            {
              lFidoReturnValues.Cyphort.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveUrlReturns, false))/10;
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false);
            }
          }

          //score VirusTotal IP
          if ((lFidoReturnValues.Cyphort.VirusTotal != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.IPReturn != null) &&
              (lFidoReturnValues.Cyphort.VirusTotal.IPReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Cyphort/VirusTotal detector IP information.");
            var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.Cyphort.VirusTotal);
            if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0))
            {
              lFidoReturnValues.Cyphort.VirusTotal.VirusTotalScore += Math.Round(VirusTotalIPScore(iVTPositiveIPReturns))/10;
              lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns);
            }
          }

          //score ThreatGRID IP
          if ((lFidoReturnValues.Cyphort.ThreatGRID != null) && (lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count > 0))
          {
            Console.WriteLine(@"Artifacts found in ThreatGRID IP data, downloading report.");

            if (lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.Items.Any())
            {
              Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.Items[0].HashID);
            }

            Console.WriteLine(@"Scoring Cyphort/ThreatGRID detector IP information.");

            var aggregateScore = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore = aggregateScore/lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count();

            var aggregateIndicators = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count();

            var aggregateConfidence = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count();
            
            var aggregateSeverity = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count();

            var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring");
            
            lFidoReturnValues.ThreatScore += (lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB);

          }

          if ((lFidoReturnValues.Cyphort.ThreatGRID != null) && (lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo != null) && (lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count > 0))
          {
            Console.WriteLine(@"Artifacts found in ThreatGRID hash data, downloading report.");

            if (lFidoReturnValues.Cyphort.ThreatGRID.HashSearch.Data.Items.Any())
            {
              Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.Cyphort.ThreatGRID.HashSearch.Data.Items[0].HashID);
            }

            Console.WriteLine(@"Scoring Cyphort/ThreatGRID detector IP information.");

            var aggregateScore = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count();

            var aggregateIndicators = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count();

            var aggregateConfidence = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count();

            var aggregateSeverity = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity);
            lFidoReturnValues.Cyphort.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count();

            var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring");

            lFidoReturnValues.ThreatScore += (lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB);

          } 

          //score Alienvault threat feed
          if ((lFidoReturnValues.Cyphort.AlienVault != null) && (lFidoReturnValues.Cyphort.AlienVault.Activity != null))
          {
            Console.WriteLine(@"Scoring Cyphort/AlienVault detector IP information.");
            lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.Cyphort.AlienVault);
          }
          break;
        case "protectwisev1-event":
          //score VirusTotal hash
          if ((lFidoReturnValues.ProtectWise.VirusTotal != null) &&
              (lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn != null) &&
              (lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring ProtectWise/VirusTotal detector hash information.");
            var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.ProtectWise.VirusTotal);
            if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0))
            {
              lFidoReturnValues.ProtectWise.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveHashReturns, true)) / 10;
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true);
            }
          }

          //score VirusTotal URL
          if ((lFidoReturnValues.ProtectWise.VirusTotal != null) &&
              (lFidoReturnValues.ProtectWise.VirusTotal.URLReturn != null) &&
              (lFidoReturnValues.ProtectWise.VirusTotal.URLReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring ProtectWise/VirusTotal detector URL information.");
            var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.ProtectWise.VirusTotal);
            if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0))
            {
              lFidoReturnValues.ProtectWise.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveUrlReturns, false)) / 10;
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false);
            }
          }

          //score VirusTotal IP
          if ((lFidoReturnValues.ProtectWise.VirusTotal != null) &&
              (lFidoReturnValues.ProtectWise.VirusTotal.IPReturn != null) &&
              (lFidoReturnValues.ProtectWise.VirusTotal.IPReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring ProtectWise/VirusTotal detector IP information.");
            var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.ProtectWise.VirusTotal);
            if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0))
            {
              lFidoReturnValues.ProtectWise.VirusTotal.VirusTotalScore += Math.Round(VirusTotalIPScore(iVTPositiveIPReturns)) / 10;
              lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns);
            }
          }

          //score ThreatGRID IP
          if ((lFidoReturnValues.ProtectWise.ThreatGRID != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count > 0))
          {
            Console.WriteLine(@"Artifacts found in ThreatGRID IP data, downloading report.");

            if (lFidoReturnValues.ProtectWise.ThreatGRID.IPSearch.Data.Items.Any())
            {
              Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.ProtectWise.ThreatGRID.IPSearch.Data.Items[0].HashID);
            }

            Console.WriteLine(@"Scoring ProtectWise/ThreatGRID detector IP information.");

            var aggregateScore = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count();

            var aggregateIndicators = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count();

            var aggregateConfidence = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count();

            var aggregateSeverity = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count();

            var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring");

            lFidoReturnValues.ThreatScore += (lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB);

          }

          if ((lFidoReturnValues.ProtectWise.ThreatGRID != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count > 0))
          {
            Console.WriteLine(@"Artifacts found in ThreatGRID hash data, downloading report.");

            if (lFidoReturnValues.ProtectWise.ThreatGRID.HashSearch.Data.Items.Any())
            {
              Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.ProtectWise.ThreatGRID.HashSearch.Data.Items[0].HashID);
            }

            Console.WriteLine(@"Scoring ProtectWise/ThreatGRID detector IP information.");

            var aggregateScore = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count();

            var aggregateIndicators = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count();

            var aggregateConfidence = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count();

            var aggregateSeverity = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity);
            lFidoReturnValues.ProtectWise.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count();

            var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring");

            lFidoReturnValues.ThreatScore += (lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB);

          }

          //score Alienvault threat feed
          if ((lFidoReturnValues.ProtectWise.AlienVault != null) && (lFidoReturnValues.ProtectWise.AlienVault.Activity != null))
          {
            Console.WriteLine(@"Scoring ProtectWise/AlienVault detector IP information.");
            lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.ProtectWise.AlienVault);
          }
          break;

        case "carbonblackv1":
          //score VirusTotal hash
          if ((lFidoReturnValues.CB.Alert.VirusTotal != null) &&
              (lFidoReturnValues.CB.Alert.VirusTotal.MD5HashReturn != null) &&
              (lFidoReturnValues.CB.Alert.VirusTotal.MD5HashReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring Carbon Black/VirusTotal detector hash information.");
            var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.CB.Alert.VirusTotal);
            if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0))
            {
              lFidoReturnValues.CB.Alert.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveHashReturns, true)) / 10;
              lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true);
            }
          }

          if ((lFidoReturnValues.CB.Alert.ThreatGRID != null) && (lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo != null) && (lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count > 0))
          {
            Console.WriteLine(@"Artifacts found in ThreatGRID hash data, downloading report.");

            if (lFidoReturnValues.CB.Alert.ThreatGRID.HashSearch.Data.Items.Any())
            {
              Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.CB.Alert.ThreatGRID.HashSearch.Data.Items[0].HashID);
            }

            Console.WriteLine(@"Scoring Carbon Black/ThreatGRID detector IP information.");

            var aggregateScore = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score);
            lFidoReturnValues.CB.Alert.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count();

            var aggregateIndicators = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count);
            lFidoReturnValues.CB.Alert.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count();

            var aggregateConfidence = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence);
            lFidoReturnValues.CB.Alert.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count();

            var aggregateSeverity = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity);
            lFidoReturnValues.CB.Alert.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count();

            //todo: move this SQL to the DB
            var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring");

            lFidoReturnValues.ThreatScore += (lFidoReturnValues.CB.Alert.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB);

          }

          //score Alienvault threat feed
          if ((lFidoReturnValues.CB.Alert.AlienVault != null) && (lFidoReturnValues.CB.Alert.AlienVault.Activity != null))
          {
            Console.WriteLine(@"Scoring Carbon Black/AlienVault detector IP information.");
            lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.CB.Alert.AlienVault);
          }
          break;

        case "panv1":

          //score VirusTotal URL
          //if ((lFidoReturnValues.PaloAlto.VirusTotal != null) &&
          //    (lFidoReturnValues.PaloAlto.VirusTotal.URLReturn != null) &&
          //    (lFidoReturnValues.PaloAlto.VirusTotal.URLReturn.Count > 0))
          //{
          //  Console.WriteLine(@"Scoring PaloAlto/VirusTotal detector URL information.");
          //  var iVTPositiveUrlReturns = VirusTotalPosReturn(lFidoReturnValues.PaloAlto.VirusTotal, false);
          //  if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0))
          //  {
          //    lFidoReturnValues.PaloAlto.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveUrlReturns, false)) / 10;
          //    lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false);
          //  }
          //}

          //score VirusTotal IP
          if ((lFidoReturnValues.PaloAlto.VirusTotal != null) &&
              (lFidoReturnValues.PaloAlto.VirusTotal.IPReturn != null) &&
              (lFidoReturnValues.PaloAlto.VirusTotal.IPReturn.Count > 0))
          {
            Console.WriteLine(@"Scoring PaloAlto/VirusTotal detector IP information.");
            var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.PaloAlto.VirusTotal);
            if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0))
            {
              lFidoReturnValues.PaloAlto.VirusTotal.VirusTotalScore += Math.Round(VirusTotalIPScore(iVTPositiveIPReturns)) / 10;
              lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns);
            }
          }

          //score ThreatGRID IP
          if ((lFidoReturnValues.PaloAlto.ThreatGRID != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0))
          {
            Console.WriteLine(@"Artifacts found in ThreatGRID IP data, downloading report.");

            if (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any())
            {
              Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items[0].HashID);
            }

            Console.WriteLine(@"Scoring PaloAlto/ThreatGRID detector IP information.");

            var aggregateScore = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score);
            lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count();

            var aggregateIndicators = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count);
            lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count();

            var aggregateConfidence = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence);
            lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count();

            var aggregateSeverity = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity);
            lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count();

            var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring");

            lFidoReturnValues.ThreatScore += (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB);

          }
          break;
      }

      return lFidoReturnValues;
    }
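    /// <summary>
    /// Loads the Carbon Black detector configuration whose <c>api_call</c> column matches
    /// <paramref name="detect"/> from the local SQLite configuration store.
    /// </summary>
    /// <param name="detect">Value compared against the <c>api_call</c> column of
    /// <c>configs_sysmgmt_carbonblack</c>. A null value is treated as an empty string.</param>
    /// <returns>
    /// The parsed configuration, or a default <see cref="ParseCBConfigs"/> when the query or
    /// the parse fails (the failure is reported by e-mail, not rethrown).
    /// </returns>
    private static ParseCBConfigs ParseDetectorConfigs(string detect)
    {
      //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
      // The value is spliced into the SQL text, so single quotes are doubled (the SQL string
      // literal escape) to keep a stray quote from terminating the literal early. A bind
      // parameter would be preferable if SqLiteDB exposes one.
      var literal = (detect ?? string.Empty).Replace("'", "''");
      var query = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + literal + @"'";

      var cbReturn = new ParseCBConfigs();
      try
      {
        var fidoData = new SqLiteDB().GetDataTable(query);
        cbReturn = CBConfigs(fidoData);
      }
      catch (Exception e)
      {
        // Best-effort reporting; the caller receives the empty default configuration.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Unable to format datatable return. " + e);
      }
      return cbReturn;
    }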
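 /// <summary>
 /// Replaces the cached configuration dictionary with the <c>key</c>/<c>value</c> rows of
 /// <paramref name="table"/> read from the local SQLite database.
 /// </summary>
 /// <param name="table">Name of the table to read. Must be a bare identifier made of
 /// letters, digits and underscores.</param>
 /// <exception cref="ArgumentException">
 /// <paramref name="table"/> is null, blank or contains characters other than letters,
 /// digits and underscores; also thrown by the dictionary build when the table holds a
 /// duplicate key.
 /// </exception>
 internal static void LoadConfigFromDb(string table)
 {
     // A table name cannot be passed as a bind parameter, so it is restricted to a bare
     // identifier before being spliced into the statement text. Every table name used in
     // this file is snake_case, so legitimate callers are unaffected.
     if (string.IsNullOrWhiteSpace(table) || !table.All(c => char.IsLetterOrDigit(c) || c == '_'))
     {
         throw new ArgumentException("Table name must be a plain identifier.", "table");
     }

     var fidoSQLite = new SqLiteDB();
     var rows = fidoSQLite.GetDataTable("select key, value from " + table).AsEnumerable();
     // ToDictionary throws on a duplicate key; a null key also throws, so the cache is
     // left untouched on any failure.
     _dict = rows.ToDictionary(row => row.Field<string>(0), row => row.Field<string>(1));
 }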