Update Synapse to Support Thehive5 API

Pipfile

@@ -0,0 +1,44 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+asn1crypto = "==0.24.0"
+cached-property = "==1.5.1"
+certifi = "==2018.8.24"
+cffi = "==1.11.5"
+chardet = "==3.0.4"
+click = "==7.0"
+cryptography = "==2.3.1"
+defusedxml = "==0.5.0"
+dnspython = "==1.15.0"
+exchangelib = "==1.12.0"
+flask = "==1.0.2"
+future = "==0.16.0"
+idna = "==2.7"
+isodate = "==0.6.0"
+itsdangerous = "==0.24"
+jinja2 = "==2.10"
+lxml = "==4.2.5"
+markupsafe = "==1.0"
+ntlm-auth = "==1.2.0"
+pycparser = "==2.19"
+pygments = "==2.2.0"
+python-dateutil = "==2.7.3"
+python-magic = "==0.4.15"
+pytz = "==2018.5"
+requests-ntlm = "==1.1.0"
+requests = "==2.20.0"
+six = "==1.11.0"
+python-slugify = "==1.2.6"
+thehive4py = "==1.5.1"
+tzlocal = "==1.5.1"
+urllib3 = "==1.23"
+werkzeug = "==0.14.1"
+
+[dev-packages]
+
+[requires]
+python_version = "3.11"
+python_full_version = "3.11.4"

README.md

@@ -1,3 +1,14 @@
+## Synpase for TheHive5
+
+<p align="center">
+  <img src="https://blog.strangebee.com/content/images/size/w2000/2023/07/Blog_5.2_released-1.png" 
+     height="500"/>
+</p>
+
+> **_NOTE:_**  The work is in progress to update **Ews2Case**. In this wave of updates, we were interested in updating **QRadar2Alert** (pulling offenses and create alerts to Thehive5).
+
+- [x] Project in progress
+
 Synapse is a free, open source meta alert feeder that allows you to feed [TheHive](https://github.com/TheHive-Project/TheHive) from multiple alert sources at once.   
 It leverages TheHive's API to automate case and alert creation. Thanks to Synapse, you can swiftly create cases or alerts in TheHive out of email notifications or SIEM events.
 
@@ -7,6 +18,8 @@ Currently, Synapse supports the following alert sources:
 - Microsoft O365
 - IBM QRadar  
 
+> We have updated Synapse to support theHive 5.x REST API
+
 # Overview
 
 Most of the time, transforming a security event or a notification about a suspicious email requires several actions and conditions.  Synapse gathers those into workflows.   
@@ -29,7 +42,10 @@ The [user guide](docs/user_guide.md) should contain all the information you need
    2. Fill in the config file
    3. Execute: ```python3 app.py```
 
-While all operating systems running Python 3 can be used for Synapse, we recommend the use of Ubuntu.   
+### Test environment
+The new update was tested on:
+* Python 3.11.4
+* Ubuntu/Kali Linux /Redhat
 
 # License
 Synapse is an open source and free software released under the 

app.py

@@ -6,7 +6,7 @@
 from flask import Flask, request, jsonify
 
 from workflows.common.common import getConf
-from workflows.Ews2Case import connectEws
+#from workflows.Ews2Case import connectEws
 from workflows.QRadar2Alert import allOffense2Alert
 from workflows.ManageWebhooks import manageWebhook
 
@@ -33,6 +33,10 @@
 
 app = Flask(__name__)
 
+@app.route('/', methods=['GET'])
+def index():
+    return "Synapse is up and running."
+
 @app.route('/webhook', methods=['POST'])
 def listenWebhook():
     if request.is_json:
@@ -57,31 +61,40 @@ def ews2case():
     else:
         return jsonify(workflowReport), 500
 
+
 @app.route('/QRadar2alert', methods=['POST'])
 def QRadar2alert():
+    # Get token from config file conf/synpase.conf
+    Token = getConf().get('Token','auth_token')
     if request.is_json:
         content = request.get_json()
-        if 'timerange' in content:
-            workflowReport = allOffense2Alert(content['timerange'])
-            if workflowReport['success']:
-                return jsonify(workflowReport), 200
+        if content['token'] == Token:
+            if 'timerange' in content:
+                workflowReport = allOffense2Alert(content['timerange'])
+                if workflowReport['success']:
+                    return jsonify(workflowReport), 200
+                else:
+                    return jsonify(workflowReport), 500
             else:
-                return jsonify(workflowReport), 500
+                logger.error('Missing <timerange> key/value')
+                return jsonify({'sucess':False, 'message':"timerange key missing in request"}), 500
         else:
-            logger.error('Missing <timerange> key/value')
-            return jsonify({'sucess':False, 'message':"timerange key missing in request"}), 500
+            logger.error('Missing token!')
+            return jsonify({"message":"Missing a valid token !"}), 403
+
     else:
         logger.error('Not json request')
         return jsonify({'sucess':False, 'message':"Request didn't contain valid JSON"}), 400
 
+
 @app.route('/version', methods=['GET'])
 def getSynapseVersion():
-    return jsonify({'version': '1.1.1'}), 200
+    return jsonify({'version': '1.1.2'}), 200
 
 if __name__ == '__main__':
     cfg = getConf()
     app.run(debug=cfg.getboolean('api', 'debug'),
         host=cfg.get('api', 'host'),
         port=cfg.get('api', 'port'),
         threaded=cfg.get('api', 'threaded')
-    )
+    )

conf/synapse.conf

@@ -28,3 +28,6 @@ server:qradar.stargazer.org
 auth_token:d6e-8f-4e-85-55738fd
 cert_filepath:/home/dc/qradar.crt
 api_version:8.0
+
+[Token]
+auth_token=CHANGE_ME

docs/user_guide.md

@@ -14,6 +14,7 @@ This guide will go through installation and basic configuration for Synapse.
     + [Stopping the application](#stopping-the-application)
     + [Starting the application](#starting-the-application)
     + [Logs](#logs)
+    + [Crontab](#crontab)
 + [Update](#update)
 
 ## Installation
@@ -27,6 +28,16 @@ sudo apt install python3-dev libkrb5-dev gcc
 sudo pip3 install -r requirements.txt
 ```
 
+#### Thehive4py
+Install the new thehive4py library
+```
+git clone https://github.com/TheHive-Project/TheHive4py
+cd TheHive4py
+python3 setup.py install
+## If failed, edit setup.py version=parse_version()
+version="5"
+```
+
 ## Configuration
 
 ### Synapse user
@@ -69,6 +80,18 @@ url:http://127.0.0.1:9000
 user:synapse
 api_key:r4n0O8SvEll/VZdOD8r0hZneOWfOmth6
 ```
+### [Token] section
+
+Create a new secure token that will be used to invoke QRadar2Alert function
+```
+tr -dc A-Za-z0-9 </dev/urandom | head -c 32 ; echo ''
+```
+#### Example
+
+```
+[Token]
+auth_token=CHANGE_ME
+```
 
 Basic configuration for Synapse is done.   
 To configure workflows, head to the [workflows page](workflows/README.md).
@@ -80,6 +103,12 @@ To start Synapse, run:
 ```
 python3 app.py
 ```
+Test Synapse
+```
+curl -H "Content-Type: application/json" -XPOST -d '{"timerange":10,"token":"CHANGE_ME"}'  http://127.0.0.1:5000/QRadar2alert
+# or
+bash Synapse/examples/qradar2alert_post.sh
+```
 
 ## Deployment to Production
 
@@ -167,6 +196,13 @@ Regarding Synapse, if the application is located at ```/opt``` then logs are und
 /opt/Synapse/logs/
 ```
 
+### Crontab
+You can create Crontab job to automate the alerts pulling
+```
+# Invoke QradarToAlert function every 10 min
+*/10 * * * * /bin/bash /home/Synpase/examples/qradar2alert_post.sh >> /home/Synpase/logs/synapse_curl.log 2>&1
+```
+
 # Update
 
 In order to update Synapse (minor version), just pull the new version from Github and run the application:

examples/qradar2alert_post.sh

@@ -1 +1,2 @@
-curl --header "Content-Type: application/json" --request POST --data '{"timerange":10}'  http://127.0.0.1:5000/QRadar2alert
+# Trigger <QRadar2alert> FUNC (Change the token with the a valid token in conf/synpase.conf)
+curl -H "Content-Type: application/json" -XPOST -d '{"timerange":10,"token":"CHANGE_ME"}'  http://127.0.0.1:5000/QRadar2alert

requirements.txt

@@ -1,33 +1,34 @@
--i https://pypi.org/simple
-asn1crypto==0.24.0
-cached-property==1.5.1
-certifi==2018.8.24
-cffi==1.11.5
-chardet==3.0.4
-click==7.0
-cryptography==2.3.1
-defusedxml==0.5.0
-dnspython==1.15.0
-exchangelib==1.12.0
-flask==1.0.2
-future==0.16.0
-idna==2.7
-isodate==0.6.0
-itsdangerous==0.24
-jinja2==2.10
-lxml==4.2.5
-markupsafe==1.0
-ntlm-auth==1.2.0
-pycparser==2.19
-pygments==2.2.0
-python-dateutil==2.7.3
-python-magic==0.4.15
-pytz==2018.5
-requests-ntlm==1.1.0
-requests==2.20.0
-six==1.11.0
-python-slugify==1.2.6
-thehive4py==1.5.1
-tzlocal==1.5.1
-urllib3==1.23
-werkzeug==0.14.1
+anyio==3.7.1
+blinker==1.6.2
+cached-property==1.5.2
+certifi==2023.5.7
+cffi==1.15.1
+charset-normalizer==3.2.0
+click==8.1.6
+cryptography==41.0.2
+defusedxml==0.7.1
+dnspython==2.4.0
+exchangelib==5.0.3
+Flask==2.3.2
+h11==0.14.0
+httpcore==0.17.3
+idna==3.4
+isodate==0.6.1
+itsdangerous==2.1.2
+Jinja2==3.1.2
+lxml==4.9.3
+MarkupSafe==2.1.3
+oauthlib==3.2.2
+pycparser==2.21
+Pygments==2.15.1
+pyspnego==0.9.1
+requests==2.31.0
+requests-ntlm==1.2.0
+requests-oauthlib==1.3.1
+six==1.16.0
+sniffio==1.3.0
+thehive4py==2.0.0b4
+tzdata==2023.3
+tzlocal==5.0.1
+urllib3==2.0.4
+Werkzeug==2.3.6