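/// <summary>
/// Writes the user-context columns of an event into the event_user table, targeting the
/// row whose primkey equals <paramref name="row"/>.
/// </summary>
/// <param name="lFidoReturnValues">Event under processing; the caller only calls this when UserInfo is set.</param>
/// <param name="row">Row key of the alert. It is spliced into the WHERE clause as text, so only an unsigned integer string is accepted.</param>
/// <remarks>Failures are reported by e-mail through Fido_EventHandler rather than thrown.</remarks>
private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row)
{
    // Refuse anything that is not a plain unsigned integer before it can reach the SQL text.
    long rowKey;
    if (!long.TryParse(row, NumberStyles.None, CultureInfo.InvariantCulture, out rowKey))
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: update user area of fidodb refused non-numeric row key '" + row + "'");
        return;
    }

    var db = new SqLiteDB();
    try
    {
        // The dictionary is built inside the try so that a null UserInfo field is reported
        // like any other failure instead of escaping as a NullReferenceException.
        var user = lFidoReturnValues.UserInfo;
        // Values are stored as lookup keys, hence invariant lower-casing rather than the host culture.
        var data = new Dictionary<string, string>
        {
            { "username", lFidoReturnValues.Username.ToLowerInvariant() },
            { "fullname", user.Username.ToLowerInvariant() },
            { "email", user.UserEmail.ToLowerInvariant() },
            { "title", user.Title.ToLowerInvariant() },
            { "dept", user.Department.ToLowerInvariant() },
            { "emp_type", user.EmployeeType.ToLowerInvariant() },
            { "emp_phone", user.MobileNumber },
            { "cube", user.CubeLocation.ToLowerInvariant() },
            { "city_state", user.City.ToLowerInvariant() + "\\" + user.State.ToLowerInvariant() },
            { "manager", user.ManagerName.ToLowerInvariant() },
            { "manager_title", user.ManagerTitle.ToLowerInvariant() },
            { "manager_email", user.ManagerMail.ToLowerInvariant() },
            // NOTE(review): manager_phone stores the employee's own MobileNumber, same as emp_phone —
            // confirm whether UserInfo carries a separate manager phone field.
            { "manager_phone", user.MobileNumber },
            { "user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) }
        };

        db.Update("event_user", data, "primkey = " + rowKey.ToString(CultureInfo.InvariantCulture));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e);
    }
}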
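/// <summary>
/// Inserts a new alert into event_alerts and then fills the detector-specific side tables
/// (threat, machine, user) plus the historical URL / hash / IP tables.
/// </summary>
/// <param name="lFidoReturnValues">Fully populated event to persist.</param>
/// <remarks>
/// The row key handed to the Update*ToDB helpers is the row count of event_alerts after the
/// insert. That only equals the new primkey while rows are never deleted and inserts do not
/// overlap — NOTE(review): SQLite's last_insert_rowid() would be exact if the SqLiteDB wrapper
/// keeps the same connection between Insert and ExecuteScalar; confirm before switching.
/// Any exception is reported by e-mail and swallowed.
/// </remarks>
public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
{
    var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
    var db = new SqLiteDB();
    try
    {
        var data = new Dictionary<string, string>
        {
            { "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) },
            { "ip_address", lFidoReturnValues.SrcIP },
            { "hostname", lFidoReturnValues.Hostname.ToLowerInvariant() },
            // TimeOccurred is written with the invariant culture (see the Carbon Black parser), so it
            // must be parsed the same way; culture-sensitive Convert.ToDateTime(string) fails on hosts
            // whose date format differs from the one that produced the string.
            { "timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred, CultureInfo.InvariantCulture).ToString(CultureInfo.InvariantCulture) },
            { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
            { "alert_id", lFidoReturnValues.AlertID }
        };

        // Insert the event into the primary alert table, then derive the key for the side tables.
        db.Insert("event_alerts", data);
        const string eventAlerts = @"select count() from event_alerts";
        var newRow = db.ExecuteScalar(eventAlerts);

        // todo (original): find a better way to tell whether a detector payload is empty.
        var hasThreatData = lFidoReturnValues.Bit9 != null
            || lFidoReturnValues.Antivirus != null
            || lFidoReturnValues.FireEye != null
            || lFidoReturnValues.Cyphort != null
            || lFidoReturnValues.ProtectWise != null
            || lFidoReturnValues.PaloAlto != null;
        if (hasThreatData)
        {
            UpdateThreatToDB(lFidoReturnValues, newRow);
        }

        var hasMachineData = lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null;
        if (hasMachineData)
        {
            UpdateMachineToDB(lFidoReturnValues, newRow);
        }

        if (lFidoReturnValues.UserInfo != null)
        {
            UpdateUserToDB(lFidoReturnValues, newRow);
        }

        // Historical artifact tables are always refreshed, regardless of which detector fired.
        UpdateHistoricalURLInfo(lFidoReturnValues);
        UpdateHistoricalHashInfo(lFidoReturnValues);
        UpdateHistoricalIPInfo(lFidoReturnValues);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
    }
}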
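/// <summary>
/// Persists one processed alert: a row in event_alerts, then the threat / machine / user
/// side tables and the historical URL, hash and IP tables.
/// </summary>
/// <param name="lFidoReturnValues">Fully populated event to persist.</param>
/// <remarks>
/// The side-table row key is the count of event_alerts after the insert, which only matches the
/// new primkey while no rows are ever deleted and inserts are sequential. NOTE(review): consider
/// SQLite's last_insert_rowid() if the SqLiteDB wrapper reuses one connection across calls.
/// Errors are e-mailed through Fido_EventHandler and not rethrown.
/// </remarks>
public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
{
    var keepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
    var db = new SqLiteDB();
    try
    {
        // Parse TimeOccurred with the invariant culture: it was formatted with the invariant
        // culture upstream, so a host-culture parse is a latent failure on non-US machines.
        var occurred = Convert.ToDateTime(lFidoReturnValues.TimeOccurred, CultureInfo.InvariantCulture);
        var alertRow = new Dictionary<string, string>
        {
            { "timer", keepAlive.ToString(CultureInfo.InvariantCulture) },
            { "ip_address", lFidoReturnValues.SrcIP },
            { "hostname", lFidoReturnValues.Hostname.ToLowerInvariant() },
            { "timestamp", occurred.ToString(CultureInfo.InvariantCulture) },
            { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
            { "alert_id", lFidoReturnValues.AlertID }
        };

        db.Insert("event_alerts", alertRow);
        const string eventAlerts = @"select count() from event_alerts";
        var newRow = db.ExecuteScalar(eventAlerts);

        // todo (original): find a better way to tell whether a detector payload is empty.
        if (lFidoReturnValues.Bit9 != null
            || lFidoReturnValues.Antivirus != null
            || lFidoReturnValues.FireEye != null
            || lFidoReturnValues.Cyphort != null
            || lFidoReturnValues.ProtectWise != null
            || lFidoReturnValues.PaloAlto != null)
        {
            UpdateThreatToDB(lFidoReturnValues, newRow);
        }

        if (lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null)
        {
            UpdateMachineToDB(lFidoReturnValues, newRow);
        }

        if (lFidoReturnValues.UserInfo != null)
        {
            UpdateUserToDB(lFidoReturnValues, newRow);
        }

        UpdateHistoricalURLInfo(lFidoReturnValues);
        UpdateHistoricalHashInfo(lFidoReturnValues);
        UpdateHistoricalIPInfo(lFidoReturnValues);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
    }
}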
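/// <summary>
/// Writes the threat columns of an event into event_threat for the row whose primkey equals
/// <paramref name="row"/>, adding detector-specific columns (time_occurred, antivirus details).
/// </summary>
/// <param name="lFidoReturnValues">Event under processing; CurrentDetector selects which detector payload is read.</param>
/// <param name="row">Row key of the alert. It is spliced into the WHERE clause as text, so only an unsigned integer string is accepted.</param>
/// <remarks>
/// Failures are reported by e-mail through Fido_EventHandler, matching the other Update*ToDB
/// helpers, so the caller can still fill the remaining tables.
/// </remarks>
private static void UpdateThreatToDB(FidoReturnValues lFidoReturnValues, string row)
{
    long rowKey;
    if (!long.TryParse(row, NumberStyles.None, CultureInfo.InvariantCulture, out rowKey))
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: update threat area of fidodb refused non-numeric row key '" + row + "'");
        return;
    }

    var db = new SqLiteDB();
    try
    {
        var detector = lFidoReturnValues.CurrentDetector;
        // Stored as lookup keys, hence invariant lower-casing.
        var data = new Dictionary<string, string>
        {
            { "threat_dst_ip", lFidoReturnValues.DstIP },
            { "threat_name", lFidoReturnValues.MalwareType.ToLowerInvariant() },
            { "threat_score", lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) },
            { "detector", detector.ToLowerInvariant() },
            { "threat_url", lFidoReturnValues.BadUrLs.ToString(CultureInfo.InvariantCulture) },
            { "threat_hash", lFidoReturnValues.BadHashs.ToString(CultureInfo.InvariantCulture) }
        };

        // Each detector keeps its event time in its own payload; unknown detectors get no time_occurred.
        switch (detector)
        {
            case "mps":
                data.Add("time_occurred", lFidoReturnValues.FireEye.EventTime);
                break;
            case "bit9":
                // todo (original): Fido.db has no file_name column for Bit9 — legacy? still needed?
                break;
            case "antivirus":
                data.Add("time_occurred", lFidoReturnValues.Antivirus.EventTime);
                data.Add("action_taken", lFidoReturnValues.Antivirus.ActionTaken);
                data.Add("file_name", lFidoReturnValues.Antivirus.FileName);
                data.Add("threat_status", lFidoReturnValues.Antivirus.Status);
                break;
            case "cyphortv2":
            case "cyphortv3":
                data.Add("time_occurred", lFidoReturnValues.Cyphort.EventTime);
                break;
            case "protectwisev1":
                data.Add("time_occurred", lFidoReturnValues.ProtectWise.EventTime);
                break;
            case "panv1":
                data.Add("time_occurred", lFidoReturnValues.PaloAlto.EventTime);
                break;
            case "carbonblackv1":
                data.Add("time_occurred", lFidoReturnValues.CB.Alert.EventTime);
                break;
        }

        db.Update("event_threat", data, "primkey = " + rowKey.ToString(CultureInfo.InvariantCulture));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in update threat area of fidodb:" + e);
    }
}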
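/// <summary>
/// Writes the machine columns of an event into event_machine for the row whose primkey equals
/// <paramref name="row"/>: from the Landesk inventory when present, otherwise from Jamf.
/// </summary>
/// <param name="lFidoReturnValues">Event under processing; when neither Landesk nor Jamf is set nothing is written.</param>
/// <param name="row">Row key of the alert. It is spliced into the WHERE clause as text, so only an unsigned integer string is accepted.</param>
/// <remarks>
/// Failures are reported by e-mail through Fido_EventHandler rather than thrown. The Jamf
/// branch has no patch / AV data and stores empty strings for those columns.
/// </remarks>
private static void UpdateMachineToDB(FidoReturnValues lFidoReturnValues, string row)
{
    long rowKey;
    if (!long.TryParse(row, NumberStyles.None, CultureInfo.InvariantCulture, out rowKey))
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: update machine area of fidodb refused non-numeric row key '" + row + "'");
        return;
    }

    var db = new SqLiteDB();
    try
    {
        Dictionary<string, string> data = null;
        if (lFidoReturnValues.Landesk != null)
        {
            var landesk = lFidoReturnValues.Landesk;
            data = new Dictionary<string, string>
            {
                { "hostname", lFidoReturnValues.Hostname.ToLowerInvariant() },
                { "os", landesk.OSName.ToLowerInvariant() },
                { "domain", landesk.Domain.ToLowerInvariant() },
                // NOTE(review): Patches[1..3] are read as critical / high / low and index 0 is
                // never used — confirm the layout of Landesk.Patches.
                { "patches_critical", landesk.Patches[1].ToString(CultureInfo.InvariantCulture) },
                { "patches_high", landesk.Patches[2].ToString(CultureInfo.InvariantCulture) },
                { "patches_low", landesk.Patches[3].ToString(CultureInfo.InvariantCulture) },
                { "av_installed", landesk.Product.ToLowerInvariant() },
                { "av_running", landesk.AgentRunning.ToLowerInvariant() },
                { "av_def_ver", landesk.DefInstallDate.ToLowerInvariant() },
                { "bit9_installed", landesk.Bit9Version },
                { "bit9_running", landesk.Bit9Running.ToLowerInvariant() },
                { "machine_score", lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) }
            };
        }
        else if (lFidoReturnValues.Jamf != null)
        {
            var jamf = lFidoReturnValues.Jamf;
            data = new Dictionary<string, string>
            {
                { "hostname", lFidoReturnValues.Hostname.ToLowerInvariant() },
                { "os", jamf.OSName.ToLowerInvariant() },
                { "domain", string.Empty },
                { "patches_critical", string.Empty },
                { "patches_high", string.Empty },
                { "patches_low", string.Empty },
                { "av_installed", string.Empty },
                { "av_running", string.Empty },
                { "av_def_ver", string.Empty },
                { "bit9_installed", jamf.Bit9Version },
                { "bit9_running", string.Empty },
                { "machine_score", lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) }
            };
        }

        if (data != null)
        {
            db.Update("event_machine", data, "primkey = " + rowKey.ToString(CultureInfo.InvariantCulture));
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update machine area of fidodb:" + e);
    }
}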
/// <summary>
/// Records one historical threat artifact in its previous_threat_* table. The artifact type in
/// threatData.SDB serves both as the column name and as the table-name suffix.
/// </summary>
/// <param name="threatData">Artifact type (SDB), value (InValue) and timestamp (When) to store.</param>
/// <remarks>
/// NOTE(review): SDB is spliced straight into the table and column names; it must only ever be one of
/// the fixed artifact types this code base uses — confirm no caller passes externally sourced text.
/// </remarks>
private static void InsertHistoricalThreatToDB(HistorialThreatData threatData)
{
    var artifactType = threatData.SDB;
    var tableName = "previous_threat_" + artifactType;

    var columns = new Dictionary<string, string>();
    columns.Add(artifactType, threatData.InValue);
    columns.Add("timedate", threatData.When);

    new SqLiteDB().Insert(tableName, columns);
}
/// <summary>
/// Records one historical threat artifact in the previous_threat_&lt;sdb&gt; table, using
/// <paramref name="sdb"/> as the value column and "timedate" for the timestamp.
/// </summary>
/// <param name="sdb">Artifact type; becomes the table-name suffix and the column name.</param>
/// <param name="invalue">Artifact value to store.</param>
/// <param name="timedate">Timestamp text to store.</param>
/// <remarks>
/// NOTE(review): sdb is spliced straight into SQL identifiers; it must only ever be one of the fixed
/// artifact types this code base uses — confirm no caller passes externally sourced text.
/// </remarks>
private static void InsertHistoricalThreatToDB(string sdb, string invalue, string timedate)
{
    var columns = new Dictionary<string, string>();
    columns.Add(sdb, invalue);
    columns.Add("timedate", timedate);

    var tableName = "previous_threat_" + sdb;
    var db = new SqLiteDB();
    db.Insert(tableName, columns);
}
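/// <summary>
/// Returns true when any of the supplied artifacts (destination IP, hashes, domain, URLs)
/// appears in the artifact column of the event_whitelist table.
/// </summary>
/// <param name="sDstIP">Destination IP; null or empty is skipped.</param>
/// <param name="sHash">Hashes to check; null is skipped.</param>
/// <param name="sDomain">Domain; null or empty is skipped.</param>
/// <param name="sUrl">URLs to check; null is skipped.</param>
/// <returns>true if at least one artifact is whitelisted, otherwise false.</returns>
/// <remarks>
/// The artifacts originate in detector alerts, i.e. from whatever the remote side put on the wire,
/// so they are not trusted. SqLiteDB only offers a raw-string ExecuteScalar here, therefore every
/// value is quoted as a SQLite string literal (single quotes doubled) before it is spliced into the
/// query; switch to a parameterised query if the wrapper gains one.
/// </remarks>
public bool CheckFidoWhitelist(string sDstIP, List<string> sHash, string sDomain, List<string> sUrl)
{
    var artifacts = new List<string>();
    if (!string.IsNullOrEmpty(sDstIP))
    {
        artifacts.Add(sDstIP);
    }
    if (sHash != null)
    {
        artifacts.AddRange(sHash);
    }
    if (!string.IsNullOrEmpty(sDomain))
    {
        artifacts.Add(sDomain);
    }
    if (sUrl != null)
    {
        artifacts.AddRange(sUrl);
    }

    var sqlQuery = new SqLiteDB();
    foreach (var artifact in artifacts)
    {
        // First hit decides; the original kept querying but returned the same answer.
        if (IsWhitelistedArtifact(sqlQuery, artifact))
        {
            return true;
        }
    }
    return false;
}

/// <summary>Looks one artifact up in event_whitelist; true when the query returned a non-empty scalar.</summary>
private static bool IsWhitelistedArtifact(SqLiteDB sqlQuery, string artifact)
{
    var query = "Select * from event_whitelist where artifact = '" + EscapeSqlLiteral(artifact) + "'";
    return !string.IsNullOrEmpty(sqlQuery.ExecuteScalar(query));
}

/// <summary>Doubles single quotes so the value cannot terminate the SQLite string literal it is placed in; null becomes empty.</summary>
private static string EscapeSqlLiteral(string value)
{
    return value == null ? string.Empty : value.Replace("'", "''");
}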
/// <summary>
/// Runs <paramref name="query"/> against the Fido SQLite database and returns the result set.
/// </summary>
/// <param name="query">Raw SQL text; callers are responsible for building it from trusted values only.</param>
/// <returns>The rows returned by the query, or an empty DataTable when the query failed.</returns>
/// <remarks>On failure an error e-mail is sent through Fido_EventHandler instead of throwing.</remarks>
private static DataTable GetPreviousAlerts(string query)
{
    var result = new DataTable();
    try
    {
        result = new SqLiteDB().GetDataTable(query);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
    }
    return result;
}
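/// <summary>
/// Turns every result of a Carbon Black watchlist alert into a FidoReturnValues event, enriches
/// it with host inventory and alert history, and hands it to TheDirector.
/// </summary>
/// <param name="cbReturn">Deserialised Carbon Black alert response; its Results are iterated.</param>
/// <remarks>
/// Each result is processed inside its own try/catch: a failure is reported by e-mail and the
/// loop moves on. Results already handled for the machine (PreviousAlert) and EICAR test
/// detections are skipped before reaching TheDirector.
/// </remarks>
private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
{
    // todo (original): this counter was meant to cap the alerts sent per host, but it only counts
    // consecutive results from the same host and is never reset; it needs a redesign.
    var cbHost = string.Empty;
    var cbHostInt = 0;

    foreach (var cbEvent in cbReturn.Results)
    {
        Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
        try
        {
            var lFidoReturnValues = new FidoReturnValues();
            if (lFidoReturnValues.PreviousAlerts == null)
            {
                lFidoReturnValues.PreviousAlerts = new EventAlerts();
            }
            if (lFidoReturnValues.CB == null)
            {
                lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() };
            }
            lFidoReturnValues.CurrentDetector = "carbonblackv1";
            lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
            lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType;
            if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
            {
                lFidoReturnValues.isBinary = true;
            }

            // Map the watchlist name to a malware type through configs_dictionary_carbonblack.
            // NOTE(review): the table is re-read for every result; it could be loaded once before the loop.
            var dTable = new SqLiteDB();
            var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
            var cbDict = GetDict(cbData);
            foreach (var label in cbDict)
            {
                if (cbEvent.WatchlistName == label.Key)
                {
                    lFidoReturnValues.MalwareType = label.Value;
                    break;
                }
            }
            if (lFidoReturnValues.MalwareType == null)
            {
                lFidoReturnValues.MalwareType = "Malicious file detected.";
            }

            lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID;
            lFidoReturnValues.AlertID = cbEvent.UniqueID;
            // CreatedTime is a machine-generated timestamp, so parse it culture-independently;
            // the stored text is invariant-culture UTC and is parsed back the same way downstream.
            var eventTimeUtc = Convert.ToDateTime(cbEvent.CreatedTime, CultureInfo.InvariantCulture)
                .ToUniversalTime()
                .ToString(CultureInfo.InvariantCulture);
            lFidoReturnValues.CB.Alert.EventTime = eventTimeUtc;
            lFidoReturnValues.TimeOccurred = eventTimeUtc;
            lFidoReturnValues.Hostname = cbEvent.Hostname;

            if (lFidoReturnValues.Hostname != cbHost)
            {
                cbHost = lFidoReturnValues.Hostname;
            }
            else
            {
                cbHostInt++;
            }
            if (cbHostInt >= 25)
            {
                CloseCarbonBlackAlert(lFidoReturnValues);
            }

            lFidoReturnValues.Username = cbEvent.Username;
            lFidoReturnValues.Hash = new List<string> { cbEvent.MD5 };
            lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
            lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);

            // Fall back to the first observed filename when the alert carries no process path
            // (the original repeated the same IsNullOrEmpty test in a nested if).
            if (string.IsNullOrEmpty(cbEvent.ProcessPath))
            {
                lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
            }
            else
            {
                lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;
            }

            if (cbEvent.ObservedHosts.HostCount != null && cbEvent.ObservedHosts.HostCount != 0)
            {
                lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                lFidoReturnValues.CB.Alert.HostCount = "0";
            }

            if (cbEvent.NetconnCount != null && cbEvent.NetconnCount != 0)
            {
                lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                lFidoReturnValues.CB.Alert.NetConn = "0";
            }

            if (lFidoReturnValues.CB.Inventory != null)
            {
                // NetworkAdapters is a '|' / ',' separated list; the first entry is used as the source IP.
                var sFilter = new[] { "|", "," };
                var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter, StringSplitOptions.RemoveEmptyEntries);
                // An inventory with no adapters used to throw IndexOutOfRange here and drop the whole event.
                if (sIP.Length > 0)
                {
                    lFidoReturnValues.SrcIP = sIP[0];
                }
            }

            // Skip the event if this alert ID has already been processed for the machine.
            var isRunDirector = false;
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
            if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
            {
                isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
            }
            if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
            {
                continue;
            }

            // todo (original): build a proper file-type versus target-OS check, then remove this.
            lFidoReturnValues.IsTargetOS = true;
            TheDirector.Direct(lFidoReturnValues);
        }
        catch (Exception e)
        {
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
        }
    }
}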
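/// <summary>
/// Updates the event_user row whose primkey equals <paramref name="row"/> with the user context
/// of the event.
/// </summary>
/// <param name="lFidoReturnValues">Event under processing; the caller only calls this when UserInfo is set.</param>
/// <param name="row">Row key of the alert; spliced into the WHERE clause as text, so only an unsigned integer string is accepted.</param>
/// <remarks>Failures are e-mailed through Fido_EventHandler and not rethrown.</remarks>
private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row)
{
    long rowKey;
    if (!long.TryParse(row, NumberStyles.None, CultureInfo.InvariantCulture, out rowKey))
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: update user area of fidodb refused non-numeric row key '" + row + "'");
        return;
    }

    try
    {
        // Everything that dereferences UserInfo sits inside the try so a missing field is
        // reported by e-mail instead of escaping as a NullReferenceException.
        var info = lFidoReturnValues.UserInfo;
        var columns = new Dictionary<string, string>();
        // Lookup keys are lower-cased with the invariant culture, not the host culture.
        columns.Add("username", lFidoReturnValues.Username.ToLowerInvariant());
        columns.Add("fullname", info.Username.ToLowerInvariant());
        columns.Add("email", info.UserEmail.ToLowerInvariant());
        columns.Add("title", info.Title.ToLowerInvariant());
        columns.Add("dept", info.Department.ToLowerInvariant());
        columns.Add("emp_type", info.EmployeeType.ToLowerInvariant());
        columns.Add("emp_phone", info.MobileNumber);
        columns.Add("cube", info.CubeLocation.ToLowerInvariant());
        columns.Add("city_state", info.City.ToLowerInvariant() + "\\" + info.State.ToLowerInvariant());
        columns.Add("manager", info.ManagerName.ToLowerInvariant());
        columns.Add("manager_title", info.ManagerTitle.ToLowerInvariant());
        columns.Add("manager_email", info.ManagerMail.ToLowerInvariant());
        // NOTE(review): manager_phone stores the employee's own MobileNumber, the same value as
        // emp_phone — confirm whether UserInfo has a separate manager phone field.
        columns.Add("manager_phone", info.MobileNumber);
        columns.Add("user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture));

        var db = new SqLiteDB();
        db.Update("event_user", columns, "primkey = " + rowKey.ToString(CultureInfo.InvariantCulture));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e);
    }
}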
/// <summary>
/// Inserts one historical threat artifact into the previous_threat_&lt;sdb&gt; table; the artifact
/// type names both the table suffix and the value column, and "timedate" holds the timestamp.
/// </summary>
/// <param name="sdb">Artifact type (table-name suffix and column name).</param>
/// <param name="invalue">Artifact value to store.</param>
/// <param name="timedate">Timestamp text to store.</param>
/// <remarks>
/// NOTE(review): sdb ends up inside SQL identifiers; it must only ever be one of the fixed artifact
/// types this code base uses — confirm no caller passes externally sourced text.
/// </remarks>
private static void InsertHistoricalThreatToDB(string sdb, string invalue, string timedate)
{
    var targetTable = "previous_threat_" + sdb;
    var row = new Dictionary<string, string>
    {
        { sdb, invalue },
        { "timedate", timedate }
    };
    new SqLiteDB().Insert(targetTable, row);
}
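/// <summary>
/// Updates the event_threat row whose primkey equals <paramref name="row"/> with the threat
/// columns of the event plus whatever detector-specific columns the current detector provides.
/// </summary>
/// <param name="lFidoReturnValues">Event under processing; CurrentDetector selects the detector payload that is read.</param>
/// <param name="row">Row key of the alert; spliced into the WHERE clause as text, so only an unsigned integer string is accepted.</param>
/// <remarks>
/// Failures are e-mailed through Fido_EventHandler and not rethrown, the same way the other
/// Update*ToDB helpers behave, so the caller can still fill the remaining tables.
/// </remarks>
private static void UpdateThreatToDB(FidoReturnValues lFidoReturnValues, string row)
{
    long rowKey;
    if (!long.TryParse(row, NumberStyles.None, CultureInfo.InvariantCulture, out rowKey))
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: update threat area of fidodb refused non-numeric row key '" + row + "'");
        return;
    }

    try
    {
        var detector = lFidoReturnValues.CurrentDetector;
        var columns = new Dictionary<string, string>();
        columns.Add("threat_dst_ip", lFidoReturnValues.DstIP);
        // Lookup keys are lower-cased with the invariant culture, not the host culture.
        columns.Add("threat_name", lFidoReturnValues.MalwareType.ToLowerInvariant());
        columns.Add("threat_score", lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
        columns.Add("detector", detector.ToLowerInvariant());
        columns.Add("threat_url", lFidoReturnValues.BadUrLs.ToString(CultureInfo.InvariantCulture));
        columns.Add("threat_hash", lFidoReturnValues.BadHashs.ToString(CultureInfo.InvariantCulture));

        // Detector-specific columns; detectors not listed here add nothing.
        switch (detector)
        {
            case "mps":
                columns.Add("time_occurred", lFidoReturnValues.FireEye.EventTime);
                break;
            case "bit9":
                // todo (original): Fido.db has no file_name column for Bit9 — legacy? still needed?
                break;
            case "antivirus":
                columns.Add("time_occurred", lFidoReturnValues.Antivirus.EventTime);
                columns.Add("action_taken", lFidoReturnValues.Antivirus.ActionTaken);
                columns.Add("file_name", lFidoReturnValues.Antivirus.FileName);
                columns.Add("threat_status", lFidoReturnValues.Antivirus.Status);
                break;
            case "cyphortv2":
            case "cyphortv3":
                columns.Add("time_occurred", lFidoReturnValues.Cyphort.EventTime);
                break;
            case "protectwisev1":
                columns.Add("time_occurred", lFidoReturnValues.ProtectWise.EventTime);
                break;
            case "panv1":
                columns.Add("time_occurred", lFidoReturnValues.PaloAlto.EventTime);
                break;
            case "carbonblackv1":
                columns.Add("time_occurred", lFidoReturnValues.CB.Alert.EventTime);
                break;
        }

        var db = new SqLiteDB();
        db.Update("event_threat", columns, "primkey = " + rowKey.ToString(CultureInfo.InvariantCulture));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in update threat area of fidodb:" + e);
    }
}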
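/// <summary>
/// Updates the event_machine row whose primkey equals <paramref name="row"/> with the machine
/// inventory of the event, preferring Landesk over Jamf when both are present.
/// </summary>
/// <param name="lFidoReturnValues">Event under processing; nothing is written when neither Landesk nor Jamf is set.</param>
/// <param name="row">Row key of the alert; spliced into the WHERE clause as text, so only an unsigned integer string is accepted.</param>
/// <remarks>
/// Failures are e-mailed through Fido_EventHandler and not rethrown. Jamf carries no patch / AV
/// data, so those columns are written as empty strings in that branch.
/// </remarks>
private static void UpdateMachineToDB(FidoReturnValues lFidoReturnValues, string row)
{
    long rowKey;
    if (!long.TryParse(row, NumberStyles.None, CultureInfo.InvariantCulture, out rowKey))
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: update machine area of fidodb refused non-numeric row key '" + row + "'");
        return;
    }

    try
    {
        Dictionary<string, string> columns = null;
        var hostname = lFidoReturnValues.Hostname.ToLowerInvariant();
        var machineScore = lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture);

        if (lFidoReturnValues.Landesk != null)
        {
            var landesk = lFidoReturnValues.Landesk;
            columns = new Dictionary<string, string>();
            columns.Add("hostname", hostname);
            columns.Add("os", landesk.OSName.ToLowerInvariant());
            columns.Add("domain", landesk.Domain.ToLowerInvariant());
            // NOTE(review): Patches[1..3] are read as critical / high / low and index 0 is never
            // used — confirm the layout of Landesk.Patches.
            columns.Add("patches_critical", landesk.Patches[1].ToString(CultureInfo.InvariantCulture));
            columns.Add("patches_high", landesk.Patches[2].ToString(CultureInfo.InvariantCulture));
            columns.Add("patches_low", landesk.Patches[3].ToString(CultureInfo.InvariantCulture));
            columns.Add("av_installed", landesk.Product.ToLowerInvariant());
            columns.Add("av_running", landesk.AgentRunning.ToLowerInvariant());
            columns.Add("av_def_ver", landesk.DefInstallDate.ToLowerInvariant());
            columns.Add("bit9_installed", landesk.Bit9Version);
            columns.Add("bit9_running", landesk.Bit9Running.ToLowerInvariant());
            columns.Add("machine_score", machineScore);
        }
        else if (lFidoReturnValues.Jamf != null)
        {
            var jamf = lFidoReturnValues.Jamf;
            columns = new Dictionary<string, string>();
            columns.Add("hostname", hostname);
            columns.Add("os", jamf.OSName.ToLowerInvariant());
            columns.Add("domain", string.Empty);
            columns.Add("patches_critical", string.Empty);
            columns.Add("patches_high", string.Empty);
            columns.Add("patches_low", string.Empty);
            columns.Add("av_installed", string.Empty);
            columns.Add("av_running", string.Empty);
            columns.Add("av_def_ver", string.Empty);
            columns.Add("bit9_installed", jamf.Bit9Version);
            columns.Add("bit9_running", string.Empty);
            columns.Add("machine_score", machineScore);
        }

        if (columns != null)
        {
            var db = new SqLiteDB();
            db.Update("event_machine", columns, "primkey = " + rowKey.ToString(CultureInfo.InvariantCulture));
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update machine area of fidodb:" + e);
    }
}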
public static FidoReturnValues GetDetectorsScore(FidoReturnValues lFidoReturnValues) { //This section will iterate through each detector and then score each threatfeed. //todo: refractor each threatfeed so it's not done inside this area. var sDetector = lFidoReturnValues.CurrentDetector; switch (sDetector) { case "antivirus": if (lFidoReturnValues.CurrentDetector == "antivirus") { Console.WriteLine(@"Scoring AV detector information."); lFidoReturnValues.ThreatScore += AntiVirusScore(lFidoReturnValues); } break; case "bit9": if ((lFidoReturnValues.Bit9 != null) && (lFidoReturnValues.Bit9.VTReport != null) && (lFidoReturnValues.CurrentDetector == "bit9")) { Console.WriteLine(@"Scoring Bit9 detector information."); var iBit9PositiveReturns = BitTotalPosReturn(lFidoReturnValues.Bit9.VTReport); if ((iBit9PositiveReturns[0] > 0) || (iBit9PositiveReturns[1] > 0)) { lFidoReturnValues.ThreatScore += VirusTotalScore(iBit9PositiveReturns, true); } } break; case "ids": break; case "mas": break; case "mps": //score VirusTotal hash lFidoReturnValues.ThreatScore += GetMpsVTHashThreatScore(lFidoReturnValues); //score VirusTotal URL if ((lFidoReturnValues.FireEye.VirusTotal != null) && (lFidoReturnValues.FireEye.VirusTotal.URLReturn != null) && (lFidoReturnValues.FireEye.VirusTotal.URLReturn.Count > 0)) { Console.WriteLine(@"Scoring FireEye/VirusTotal detector URL information."); var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.FireEye.VirusTotal); if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0)) { lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false); } } //score VirusTotal IP if ((lFidoReturnValues.FireEye.VirusTotal != null) && (lFidoReturnValues.FireEye.VirusTotal.IPReturn != null) && (lFidoReturnValues.FireEye.VirusTotal.IPReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector IP information."); var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.FireEye.VirusTotal); if 
((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0)) { lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns); } } //score Alienvault threat feed if ((lFidoReturnValues.FireEye.AlienVault != null) && (lFidoReturnValues.FireEye.AlienVault.Activity != null)) { Console.WriteLine(@"Scoring FireEye/AlienVault IP information."); lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.FireEye.AlienVault); } break; case "cyphortv2": //score VirusTotal hash if ((lFidoReturnValues.Cyphort.VirusTotal != null) && (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn != null) && (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector hash information."); var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.Cyphort.VirusTotal); if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0)) { lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true); } } //score VirusTotal URL if ((lFidoReturnValues.Cyphort.VirusTotal != null) && (lFidoReturnValues.Cyphort.VirusTotal.URLReturn != null) && (lFidoReturnValues.Cyphort.VirusTotal.URLReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector URL information."); var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.Cyphort.VirusTotal); if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0)) { lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false); } } //score VirusTotal IP if ((lFidoReturnValues.Cyphort.VirusTotal != null) && (lFidoReturnValues.Cyphort.VirusTotal.IPReturn != null) && (lFidoReturnValues.Cyphort.VirusTotal.IPReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector IP information."); var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.Cyphort.VirusTotal); if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || 
(iVTPositiveIPReturns[2] > 0)) { lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns); } } //score Alienvault threat feed if ((lFidoReturnValues.Cyphort.AlienVault != null) && (lFidoReturnValues.Cyphort.AlienVault.Activity != null)) { Console.WriteLine(@"Scoring Cyphort/AlienVault detector IP information."); lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.Cyphort.AlienVault); } break; case "cyphortv3": //score VirusTotal hash if ((lFidoReturnValues.Cyphort.VirusTotal != null) && (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn != null) && (lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector hash information."); var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.Cyphort.VirusTotal); if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0)) { lFidoReturnValues.Cyphort.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveHashReturns, true))/10; lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true); } } //score VirusTotal URL if ((lFidoReturnValues.Cyphort.VirusTotal != null) && (lFidoReturnValues.Cyphort.VirusTotal.URLReturn != null) && (lFidoReturnValues.Cyphort.VirusTotal.URLReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector URL information."); var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.Cyphort.VirusTotal); if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0)) { lFidoReturnValues.Cyphort.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveUrlReturns, false))/10; lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false); } } //score VirusTotal IP if ((lFidoReturnValues.Cyphort.VirusTotal != null) && (lFidoReturnValues.Cyphort.VirusTotal.IPReturn != null) && (lFidoReturnValues.Cyphort.VirusTotal.IPReturn.Count > 0)) { Console.WriteLine(@"Scoring Cyphort/VirusTotal detector IP 
information."); var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.Cyphort.VirusTotal); if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0)) { lFidoReturnValues.Cyphort.VirusTotal.VirusTotalScore += Math.Round(VirusTotalIPScore(iVTPositiveIPReturns))/10; lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns); } } //score ThreatGRID IP if ((lFidoReturnValues.Cyphort.ThreatGRID != null) && (lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count > 0)) { Console.WriteLine(@"Artifacts found in ThreatGRID IP data, downloading report."); if (lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.Items.Any()) { Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.Items[0].HashID); } Console.WriteLine(@"Scoring Cyphort/ThreatGRID detector IP information."); var aggregateScore = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score); lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore = aggregateScore/lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count(); var aggregateIndicators = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count); lFidoReturnValues.Cyphort.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count(); var aggregateConfidence = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence); lFidoReturnValues.Cyphort.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count(); var aggregateSeverity = lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity); 
lFidoReturnValues.Cyphort.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Count(); var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring"); lFidoReturnValues.ThreatScore += (lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB); } if ((lFidoReturnValues.Cyphort.ThreatGRID != null) && (lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo != null) && (lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count > 0)) { Console.WriteLine(@"Artifacts found in ThreatGRID hash data, downloading report."); if (lFidoReturnValues.Cyphort.ThreatGRID.HashSearch.Data.Items.Any()) { Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.Cyphort.ThreatGRID.HashSearch.Data.Items[0].HashID); } Console.WriteLine(@"Scoring Cyphort/ThreatGRID detector IP information."); var aggregateScore = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score); lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count(); var aggregateIndicators = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count); lFidoReturnValues.Cyphort.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count(); var aggregateConfidence = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence); lFidoReturnValues.Cyphort.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count(); var aggregateSeverity = lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity); lFidoReturnValues.Cyphort.ThreatGRID.ThreatSeverity = aggregateSeverity / 
lFidoReturnValues.Cyphort.ThreatGRID.HashThreatInfo.Count(); var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring"); lFidoReturnValues.ThreatScore += (lFidoReturnValues.Cyphort.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB); } //score Alienvault threat feed if ((lFidoReturnValues.Cyphort.AlienVault != null) && (lFidoReturnValues.Cyphort.AlienVault.Activity != null)) { Console.WriteLine(@"Scoring Cyphort/AlienVault detector IP information."); lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.Cyphort.AlienVault); } break; case "protectwisev1-event": //score VirusTotal hash if ((lFidoReturnValues.ProtectWise.VirusTotal != null) && (lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn != null) && (lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn.Count > 0)) { Console.WriteLine(@"Scoring ProtectWise/VirusTotal detector hash information."); var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.ProtectWise.VirusTotal); if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0)) { lFidoReturnValues.ProtectWise.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveHashReturns, true)) / 10; lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true); } } //score VirusTotal URL if ((lFidoReturnValues.ProtectWise.VirusTotal != null) && (lFidoReturnValues.ProtectWise.VirusTotal.URLReturn != null) && (lFidoReturnValues.ProtectWise.VirusTotal.URLReturn.Count > 0)) { Console.WriteLine(@"Scoring ProtectWise/VirusTotal detector URL information."); var iVTPositiveUrlReturns = VirusTotalPosReturnURL(lFidoReturnValues.ProtectWise.VirusTotal); if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0)) { lFidoReturnValues.ProtectWise.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveUrlReturns, false)) / 10; lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false); } } //score VirusTotal IP 
if ((lFidoReturnValues.ProtectWise.VirusTotal != null) && (lFidoReturnValues.ProtectWise.VirusTotal.IPReturn != null) && (lFidoReturnValues.ProtectWise.VirusTotal.IPReturn.Count > 0)) { Console.WriteLine(@"Scoring ProtectWise/VirusTotal detector IP information."); var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.ProtectWise.VirusTotal); if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0)) { lFidoReturnValues.ProtectWise.VirusTotal.VirusTotalScore += Math.Round(VirusTotalIPScore(iVTPositiveIPReturns)) / 10; lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns); } } //score ThreatGRID IP if ((lFidoReturnValues.ProtectWise.ThreatGRID != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count > 0)) { Console.WriteLine(@"Artifacts found in ThreatGRID IP data, downloading report."); if (lFidoReturnValues.ProtectWise.ThreatGRID.IPSearch.Data.Items.Any()) { Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.ProtectWise.ThreatGRID.IPSearch.Data.Items[0].HashID); } Console.WriteLine(@"Scoring ProtectWise/ThreatGRID detector IP information."); var aggregateScore = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score); lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count(); var aggregateIndicators = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count); lFidoReturnValues.ProtectWise.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count(); var aggregateConfidence = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence); 
lFidoReturnValues.ProtectWise.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count(); var aggregateSeverity = lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity); lFidoReturnValues.ProtectWise.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.ProtectWise.ThreatGRID.IPThreatInfo.Count(); var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring"); lFidoReturnValues.ThreatScore += (lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB); } if ((lFidoReturnValues.ProtectWise.ThreatGRID != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo != null) && (lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count > 0)) { Console.WriteLine(@"Artifacts found in ThreatGRID hash data, downloading report."); if (lFidoReturnValues.ProtectWise.ThreatGRID.HashSearch.Data.Items.Any()) { Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.ProtectWise.ThreatGRID.HashSearch.Data.Items[0].HashID); } Console.WriteLine(@"Scoring ProtectWise/ThreatGRID detector IP information."); var aggregateScore = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score); lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count(); var aggregateIndicators = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count); lFidoReturnValues.ProtectWise.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count(); var aggregateConfidence = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence); 
lFidoReturnValues.ProtectWise.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count(); var aggregateSeverity = lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity); lFidoReturnValues.ProtectWise.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.ProtectWise.ThreatGRID.HashThreatInfo.Count(); var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring"); lFidoReturnValues.ThreatScore += (lFidoReturnValues.ProtectWise.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB); } //score Alienvault threat feed if ((lFidoReturnValues.ProtectWise.AlienVault != null) && (lFidoReturnValues.ProtectWise.AlienVault.Activity != null)) { Console.WriteLine(@"Scoring ProtectWise/AlienVault detector IP information."); lFidoReturnValues.ThreatScore += AlienVaultScore(lFidoReturnValues.ProtectWise.AlienVault); } break; case "carbonblackv1": //score VirusTotal hash if ((lFidoReturnValues.CB.Alert.VirusTotal != null) && (lFidoReturnValues.CB.Alert.VirusTotal.MD5HashReturn != null) && (lFidoReturnValues.CB.Alert.VirusTotal.MD5HashReturn.Count > 0)) { Console.WriteLine(@"Scoring Carbon Black/VirusTotal detector hash information."); var iVTPositiveHashReturns = VirusTotalPosReturnHash(lFidoReturnValues.CB.Alert.VirusTotal); if ((iVTPositiveHashReturns[0] > 0) || (iVTPositiveHashReturns[1] > 0)) { lFidoReturnValues.CB.Alert.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveHashReturns, true)) / 10; lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveHashReturns, true); } } if ((lFidoReturnValues.CB.Alert.ThreatGRID != null) && (lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo != null) && (lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count > 0)) { Console.WriteLine(@"Artifacts found in ThreatGRID hash data, downloading report."); if 
(lFidoReturnValues.CB.Alert.ThreatGRID.HashSearch.Data.Items.Any()) { Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.CB.Alert.ThreatGRID.HashSearch.Data.Items[0].HashID); } Console.WriteLine(@"Scoring Carbon Black/ThreatGRID detector IP information."); var aggregateScore = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score); lFidoReturnValues.CB.Alert.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count(); var aggregateIndicators = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count); lFidoReturnValues.CB.Alert.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count(); var aggregateConfidence = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence); lFidoReturnValues.CB.Alert.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count(); var aggregateSeverity = lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity); lFidoReturnValues.CB.Alert.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.CB.Alert.ThreatGRID.HashThreatInfo.Count(); //todo: move this SQL to the DB var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring"); lFidoReturnValues.ThreatScore += (lFidoReturnValues.CB.Alert.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB); } //score Alienvault threat feed if ((lFidoReturnValues.CB.Alert.AlienVault != null) && (lFidoReturnValues.CB.Alert.AlienVault.Activity != null)) { Console.WriteLine(@"Scoring Carbon Black/AlienVault detector IP information."); lFidoReturnValues.ThreatScore += 
AlienVaultScore(lFidoReturnValues.CB.Alert.AlienVault); } break; case "panv1": //score VirusTotal URL //if ((lFidoReturnValues.PaloAlto.VirusTotal != null) && // (lFidoReturnValues.PaloAlto.VirusTotal.URLReturn != null) && // (lFidoReturnValues.PaloAlto.VirusTotal.URLReturn.Count > 0)) //{ // Console.WriteLine(@"Scoring PaloAlto/VirusTotal detector URL information."); // var iVTPositiveUrlReturns = VirusTotalPosReturn(lFidoReturnValues.PaloAlto.VirusTotal, false); // if ((iVTPositiveUrlReturns[0] > 0) || (iVTPositiveUrlReturns[1] > 0)) // { // lFidoReturnValues.PaloAlto.VirusTotal.VirusTotalScore += Math.Round(VirusTotalScore(iVTPositiveUrlReturns, false)) / 10; // lFidoReturnValues.ThreatScore += VirusTotalScore(iVTPositiveUrlReturns, false); // } //} //score VirusTotal IP if ((lFidoReturnValues.PaloAlto.VirusTotal != null) && (lFidoReturnValues.PaloAlto.VirusTotal.IPReturn != null) && (lFidoReturnValues.PaloAlto.VirusTotal.IPReturn.Count > 0)) { Console.WriteLine(@"Scoring PaloAlto/VirusTotal detector IP information."); var iVTPositiveIPReturns = VirusTotalPosIPReturn(lFidoReturnValues.PaloAlto.VirusTotal); if ((iVTPositiveIPReturns[0] > 0) || (iVTPositiveIPReturns[1] > 0) || (iVTPositiveIPReturns[2] > 0)) { lFidoReturnValues.PaloAlto.VirusTotal.VirusTotalScore += Math.Round(VirusTotalIPScore(iVTPositiveIPReturns)) / 10; lFidoReturnValues.ThreatScore += VirusTotalIPScore(iVTPositiveIPReturns); } } //score ThreatGRID IP if ((lFidoReturnValues.PaloAlto.ThreatGRID != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0)) { Console.WriteLine(@"Artifacts found in ThreatGRID IP data, downloading report."); if (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any()) { Feeds_ThreatGRID.ReportHTML(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items[0].HashID); } Console.WriteLine(@"Scoring PaloAlto/ThreatGRID detector IP information."); var aggregateScore = 
lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Score); lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore = aggregateScore / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count(); var aggregateIndicators = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.Count); lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators = aggregateIndicators / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count(); var aggregateConfidence = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxConfidence); lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence = aggregateConfidence / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count(); var aggregateSeverity = lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Aggregate(0, (current, threatinfo) => current + threatinfo.Data_Array.MaxSeverity); lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity = aggregateSeverity / lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count(); var fidoDB = new SqLiteDB().ExecuteScalar(@"select feed_weight from configs_threatfeed_threatgrid_scoring"); lFidoReturnValues.ThreatScore += (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore * 10) / Convert.ToDouble(fidoDB); } break; } return lFidoReturnValues; }
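/// <summary>
/// Loads the Carbon Black detector configuration row whose <c>api_call</c> column matches
/// <paramref name="detect"/> and converts it with <c>CBConfigs</c>.
/// </summary>
/// <param name="detect">Value matched against the <c>api_call</c> column of <c>configs_sysmgmt_carbonblack</c>.
/// A null value is treated as the empty string (the original concatenation behaved the same way).</param>
/// <returns>The parsed configuration, or a default <c>ParseCBConfigs</c> when the query or parsing fails.</returns>
private static ParseCBConfigs ParseDetectorConfigs(string detect)
{
    //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
    // SqLiteDB.GetDataTable only takes a raw statement here, so 'detect' cannot be bound as a
    // query parameter. Doubling any embedded single quote keeps the value inside the string
    // literal instead of letting it terminate the literal and alter the statement; a value
    // without quotes produces exactly the same SQL as before. Replace with a bound parameter
    // once the wrapper exposes one.
    var safeDetect = (detect ?? string.Empty).Replace("'", "''");
    var query = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + safeDetect + @"'";
    var fidoSQlite = new SqLiteDB();
    var cbReturn = new ParseCBConfigs();
    try
    {
        var fidoData = fidoSQlite.GetDataTable(query);
        cbReturn = CBConfigs(fidoData);
    }
    catch (Exception e)
    {
        // Failure is reported by e-mail and the default config is returned, matching the
        // sibling DB helpers in this file. Note that "{0}" is never substituted (plain
        // concatenation, not string.Format) — kept for consistency with those helpers.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
    }
    return cbReturn;
}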
/// <summary>
/// Replaces the static <c>_dict</c> cache with the <c>key</c>/<c>value</c> pairs read from
/// <paramref name="table"/>.
/// </summary>
/// <param name="table">Name of the SQLite table to read. It is spliced into the statement as an
/// identifier, which cannot be bound as a parameter, so only table names that originate from
/// trusted, in-code configuration should be passed here.</param>
internal static void LoadConfigFromDb(string table)
{
    var statement = "select key, value from " + table;
    var configRows = new SqLiteDB().GetDataTable(statement).AsEnumerable();
    // Column 0 is the key, column 1 the value; a duplicate key makes ToDictionary throw,
    // exactly as the original explicit-type-argument call did.
    _dict = configRows.ToDictionary(
        configRow => configRow.Field<string>(0),
        configRow => configRow.Field<string>(1));
}