Merge branch 'master' of https://github.com/cyberpescadito/Cortex-Ana…

…lyzers into cyberpescadito-master

responders/QRadarAutoClose/QRadarAutoClose.json

@@ -0,0 +1,34 @@
+{
+  "name": "QRadar Auto Closing Offense",
+  "version": "1.0",
+  "author": "Florian Perret",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Closing the QRadar Offense associated to your case in one clic !",
+  "dataTypeList": ["thehive:case"],
+  "command": "QRadarAutoClose/QRadarAutoClose.py",
+  "baseConfig": "QRadarAutoClose",
+  "configurationItems": [
+    {
+      "name": "QRadar_API_Key",
+      "description": "A QRadar API key with sufficent rights to close an offense",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "QRadar_Url",
+      "description": "URL of your QRadar API, must be accessible from Cortex server. eg: myqradar.myorg.com/api/siem/offenses",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Cert_Path",
+      "description": "If you need a certificate to authentificate to your QRadar API, please provide the path here",
+      "type": "string",
+      "multi": false,
+      "required": false
+    }
+  ]
+}

responders/QRadarAutoClose/QRadarAutoClose.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+# QRadarAutoClose
+# Author: Florian Perret (@cyber_pescadito)
+
+from cortexutils.responder import Responder
+import requests
+
+
+class QRadarAutoClose(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.QRadar_URL = self.get_param('config.QRadar_Url', None, "QRadar URL is Missing")
+        self.QRadar_API_Key = self.get_param('config.QRadar_API_Key', None, "QRadar API Key is Missing")
+        self.Offense_Id = self.get_param('data.customFields.externalReferences', None, "QRadar Offense ID is Missing")
+        self.Cert_Path = self.get_param('config.Cert_Path')
+
+    def run(self):
+        h = {
+            'content-type': 'application/json',
+            'Version': '9.1',
+            'SEC': str(self.QRadar_API_Key)
+        }
+        payload = self.Offense_Id['string'] + '?closing_reason_id=3&status=CLOSED'
+
+        if self.Cert_Path == '':
+            r = requests.post(self.QRadar_URL + payload, headers=h)
+        else:
+            r = requests.post(self.QRadar_URL + payload, headers=h, verify=self.Cert_Path)
+
+        if r.status_code == 200 or \
+                r.status_code == 202 or \
+                r.status_code == 409:
+            self.report({'message': 'QRadar Offense succesfully closed !'})
+        else:
+            self.error({'message': r.status_code})
+
+
+if __name__ == '__main__':
+    QRadarAutoClose().run()

responders/QRadarAutoClose/README.md

@@ -0,0 +1,4 @@
+Simple responder to close a QRadar Offense through a simple clic !
+
+If you need to change the customfield which contain the QRadar Offense ID, change the "externalReferences" from QRadarAutoClose.py line 15.
+Be careful this have to be fulfill with the "Internal Reference" of the customfield, not it's name !

responders/QRadarAutoClose/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests