Merge pull request #1054 from korteke/PaloAltoWildfire

Paloalto wildfire responder
TheHive-Project · Feb 21, 2025 · befb41b · befb41b
2 parents ed68517 + 29d3244
commit befb41b
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 0 deletions.
diff --git a/responders/PaloAltoWildfire/PaloAltoWildfire.py b/responders/PaloAltoWildfire/PaloAltoWildfire.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+
+
+class PaloAltoWildfire(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.scheme = "https"
+        self.api_key = self.get_param(
+            'config.api_key', None, "API-key Missing")
+        self.wildfire_url = self.get_param(
+            'config.wildfire_url', None, "Wildfire URL Missing")
+        self.observable_type = self.get_param('data.dataType', None, "Data type is empty")
+        self.observable_description = self.get_param('data.message', None, "Description is empty")
+
+    def run(self):
+        Responder.run(self)
+        try:
+            supported_observables = ["domain", "url", "fqdn"]
+            if self.observable_type in supported_observables:
+                if self.observable_type == "domain" or self.observable_type == "fqdn":
+                    domain = self.get_param('data.data', None, 'No artifacts available')
+                    observable = "{}://{}".format(self.scheme, domain)
+                elif self.observable_type == "url":
+                    observable = self.get_param('data.data')
+
+                headers = {
+                    'User-Agent': 'PaloAltoWildfire-Cortex-Responder'
+                }
+                payload = {
+                    'apikey': (None, self.api_key),
+                    'link': (None, observable),
+                }
+                response = requests.post(self.wildfire_url, files=payload, headers=headers)
+                if response.status_code == 200:
+                    self.report({'message': 'Observable sent to Wildfire. Message: {}'.format(response.text)})
+                elif response.status_code == 401:
+                    self.error({'message': 'Failed authentication. Check API-Key. Message: {}'.format(response.text)})
+                else:
+                    self.error('Failed to submit request. Error code: {}. Error message: {}'
+                               .format(response.status_code, response.text))
+            else:
+                self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.')
+
+        except requests.exceptions.RequestException as e:
+            self.error(str(e))
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Wildfire:submit')]
+
+
+if __name__ == '__main__':
+    PaloAltoWildfire().run()
diff --git a/responders/PaloAltoWildfire/PaloaltoWildfireSubmission.json b/responders/PaloAltoWildfire/PaloaltoWildfireSubmission.json
@@ -0,0 +1,32 @@
+{
+  "name": "PaloAlto Wildfire URL submission",
+  "version": "1.0",
+  "author": "Keijo Korte - @korteke",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Submit URL to PaloAlto Wildfire service.",
+  "dataTypeList": ["url", "domain", "fqdn"],
+  "command": "PaloAltoWildfire/PaloAltoWildfire.py",
+  "baseConfig": "PaloAltoWildfire",
+  "configurationItems": [
+    {
+      "name": "api_key",
+      "description": "PaloAlto Wildfire API key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "wildfire_url",
+      "description": "PaloAlto Wildfire Takedown URL",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi/submit/link"
+    }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://www.paloaltonetworks.com/network-security/wildfire"
+}
diff --git a/responders/PaloAltoWildfire/README.md b/responders/PaloAltoWildfire/README.md
@@ -0,0 +1,15 @@
+### PaloAlto Wildfire responder
+
+This responder sends observable to [PaloAlto Wildfire service](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/submit-files-and-links-through-the-wildfire-api.html).
+
+#### Requirements
+One need valid API-key to PaloAlto's Wildfire service.   
+* [Cloud Wildfire](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-started-with-the-wildfire-api/get-your-api-key/get-your-wildfire-public-cloud-api-key.html#id3809ea9e-090f-459b-a382-9689383d1855)
+* [Local Wildfire instance](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-started-with-the-wildfire-api/get-your-api-key/get-your-wildfire-appliance-api-key.html#idd900a1f8-95e3-4739-b02a-7a3269d85bea)
+
+#### Configuration
+- `api_key` : Wildfire API-key   
+- `wildfire_url`: Wildfire URL (default: Cloud version)
+
+#### Official documenation
+Official API documentation: [PaloAlto site](https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api.html).
diff --git a/responders/PaloAltoWildfire/requirements.txt b/responders/PaloAltoWildfire/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests