-
Notifications
You must be signed in to change notification settings - Fork 449
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[pan-cortex-xsoar] Create a stream intel connector (#3429)
- Loading branch information
1 parent
b022181
commit b513b96
Showing
10 changed files
with
569 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| src/config.yml | ||
| src/__pycache__ | ||
| src/logs | ||
| src/*.gql |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| config.yml | ||
| __pycache__ | ||
| logs | ||
| *.gql |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| FROM python:3.11-alpine | ||
| ENV CONNECTOR_TYPE=STREAM | ||
|
|
||
| # Copy the worker | ||
| COPY src /opt/opencti-connector-pan-cortex-xsoar-intel | ||
|
|
||
| # Install Python modules | ||
| # hadolint ignore=DL3003 | ||
| RUN apk --no-cache add git build-base libmagic libffi-dev libxml2-dev libxslt-dev | ||
|
|
||
| RUN cd /opt/opencti-connector-pan-cortex-xsoar-intel && \ | ||
| pip3 install --no-cache-dir -r requirements.txt && \ | ||
| apk del git build-base | ||
|
|
||
| # Expose and entrypoint | ||
| COPY entrypoint.sh / | ||
| RUN chmod +x /entrypoint.sh | ||
| ENTRYPOINT ["/entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # OpenCTI PAN Cortex XSOAR intel | ||
|
|
||
| This connector allows organizations to push indicators to PAN Cortex XSOAR. | ||
|
|
||
| ## Installation | ||
|
|
||
| ### Configuration | ||
|
|
||
| | Parameter | Docker envvar | Mandatory | Description | | ||
| |-----------------------------------------|-----------------------------------------| --------- |-----------------------------------------------------------------------------------------------| | ||
| | `opencti_url` | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. | | ||
| | `opencti_token` | `OPENCTI_TOKEN` | Yes | The default admin token configured in the OpenCTI platform parameters file. | | ||
| | `connector_id` | `CONNECTOR_ID` | Yes | A valid arbitrary `UUIDv4` that must be unique for this connector. | | ||
| | `connector_name` | `CONNECTOR_NAME` | Yes | The name of the XSOAR instance, to identify it if you have multiple XSOAR connectors. | | ||
| | `connector_scope` | `CONNECTOR_SCOPE` | Yes | Must be `xsoar`, not used in this connector. | | ||
| | `connector_confidence_level` | `CONNECTOR_CONFIDENCE_LEVEL` | Yes | The default confidence level for created sightings (a number between 1 and 4). | | ||
| | `connector_log_level` | `CONNECTOR_LOG_LEVEL` | Yes | The log level for this connector, could be `debug`, `info`, `warn` or `error` (less verbose). | | ||
| | `connector_live_stream_id` | `CONNECTOR_LIVE_STREAM_ID` | Yes | The Live Stream ID of the stream created in the OpenCTI interface. | | ||
| | `connector_live_stream_start_timestamp` | `CONNECTOR_LIVE_STREAM_START_TIMESTAMP` | No | Start timestamp used on connector first start. | | ||
| | `xsoar_url` | `XSOAR_URL` | Yes | The XSOAR API URL (generally prefixed with "api-" in PAN cloud) | | ||
| | `xsoar_key_id` | `XSOAR_KEY_ID` | Yes | The XSOAR key ID | | ||
| | `xsoar_key` | `XSOAR_KEY` | Yes | The XSOAR key | | ||
| | `metrics_enable` | `METRICS_ENABLE` | No | Whether or not Prometheus metrics should be enabled. | | ||
| | `metrics_addr` | `METRICS_ADDR` | No | Bind IP address to use for metrics endpoint. | | ||
| | `metrics_port` | `METRICS_PORT` | No | Port to use for metrics endpoint. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| version: "3" | ||
| services: | ||
| connector-pan-cortex-xsoar-intel: | ||
| image: opencti/connector-pan-cortex-xsoar-intel:6.5.1 | ||
| environment: | ||
| - OPENCTI_URL=http://localhost | ||
| - OPENCTI_TOKEN=ChangeMe | ||
| - CONNECTOR_ID=ChangeMe | ||
| - CONNECTOR_LIVE_STREAM_ID=live # ID of the live stream created in the OpenCTI UI | ||
| - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true | ||
| - CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true | ||
| - "CONNECTOR_NAME=PAN Cortex XSOAR Intel" | ||
| - CONNECTOR_SCOPE=xsoar | ||
| - CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted) | ||
| - CONNECTOR_LOG_LEVEL=error | ||
| - XSOAR_URL=https://xsoar.changeme.com | ||
| - XSOAR_KEY_ID=ChangeMe | ||
| - XSOAR_KEY=ChangeMe | ||
| restart: always |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/sh | ||
|
|
||
| # Go to the right directory | ||
| cd /opt/opencti-connector-pan-cortex-xsoar-intel | ||
|
|
||
| # Launch the worker | ||
| python3 pan-cortex-xsoar-intel.py |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| opencti: | ||
| url: 'http://localhost:8080' | ||
| token: 'ChangeMe' | ||
|
|
||
| connector: | ||
| id: 'ChangeMe' | ||
| type: 'STREAM' | ||
| live_stream_id: 'live' # ID of the live stream created in the OpenCTI UI | ||
| live_stream_listen_delete: true | ||
| live_stream_no_dependencies: true | ||
| name: 'PAN Cortex XSOAR Intel' | ||
| scope: 'xsoar' # Reserved | ||
| log_level: 'info' | ||
| consumer_count: 5 # number of consumer/worker used to push data to splunk | ||
|
|
||
| xsoar: | ||
| url: 'https://xsoar.changeme.com' | ||
| key_id: 'ChangeMe' | ||
| key: 'ChangeMe' | ||
|
|
||
| metrics: | ||
| enable: true # set to true to expose prometheus metrics | ||
| port: 9113 # port on which metrics should be exposed | ||
| addr: 0.0.0.0 # ip on which metrics should be exposed |
Oops, something went wrong.