All Articles

Interacting with The Hive and Helix alerts in Python

Interacting with The Hive and Helix alerts

It has been awhile since I get to write code. Today, I wanted to start off with something simple:

  • Read alerts from Helix
  • Parse alerts from Helix
  • Read alerts from The Hive
  • Post alerts to The Hive

The reason I chose this is because:

  1. It is a little bit more practical for both my personal project and work
  2. I am able to build this from scratch without struggling too much, where I end up quitting half way through
  3. A project that I can build on

First, create a new project. Create 3 files:

  • config.py
  • helix2hive.py
  • .gitignore

config.py

This will be your entry point for storing your API and config

FireEye = {
    'url':'https://apps.fireeye.com/helix/id/YOURORGIDGOESHERE/api/v3/',
    'api_key': 'YOURAPIKEYGOESHERE',
    'alert': 'alerts/'
}

TheHive = {
  'proxies':{
      'http': '',
      'https': ''
  },
    'url':'http://YOURHIVEINSTANCEGOESHERE/api/',
    'api_key':'HIVE_API_GOES_HERE',
    'template':'ALERTER',
    'alert': 'alert'

}

.gitignore

Since we will be putting sensitive information in config, we definitely don’t want to commit anything from that file on accident.

/venv
config.py

helix2hive.py

Helix is FireEye’s SIEM. A similar product was called TAP (Threat Application Platform).

To start off, we will want to import a few packages

import json
import requests
from config import FireEye, TheHive

The libraries I am importing to use are pretty straight forward. One is for working with JSON type objects, requests is used for making network connection such as GET/POST type of requests, and config is from the config file we created earlier.

Now, let’s try to get our first alerts from Helix

def get_alerts():
    print ("Getting Helix Alert Data.......")
    url = FireEye.get('url', None)
    api_key = FireEye.get('api_key', None)
    alert = FireEye.get('alert', None)

    fe_get_alert_url = url + alert
    accept_header = 'application/json'
    accept_version = 'v3'

    headers = {
        'Accept': accept_header,
        'Accept-Version': accept_version,
        'x-fireeye-api-key': api_key,
    }

    r = requests.get(fe_get_alert_url, headers=headers,
                     params={'limit': 1,
                             'alert_threat': '',
                             'alert_type': '',
                             'alert_type_source': '',
                             'created_at': '',
                             'is_threat': '',
                             'severity': '',
                             'order_by': ''
                             }
                     )
    helix_alerts = r.json()
    parse_data(helix_alerts)

Getting the Hive alerts

This step is pretty straight forward. We can constructing the URL to make our GET request to, and once we make the request, we store the data in hive_alert.

def get_hive_alert():
    print ("Getting The Hive Alert.......")

    url = TheHive.get('url', None)
    alert = TheHive.get('alert', None)
    api_key = TheHive.get('api_key', None)
    template = TheHive.get('template', None)
    accept_header = 'application/json'

    hive_alert_url = url + alert

    headers = {
        'Accept': accept_header,
        'Authorization': 'Bearer ' + api_key,
    }

    r = requests.get(hive_alert_url, headers=headers, verify=False)
    hive_alert = r.json()

Parsing Helix Data

If you only want to see a subset of the information that’s being returned, you can parsed it out here. While I’m just printing out certain field for example, you can do it however you want to!

def parse_data(helix_alerts):
    print ("Parsing Helix Alert Data.......")
    data = helix_alerts

    count = data['meta']['count']
    print('Total items:' + count)

    results = data['results']
    for result in results:
        print(result['alert_type']['name'])
        print(result['alert_type']['category'])
        print(result['description'])
        create_hive_alert(result)

Posting Alerts from Helix, to Hive

In this process, we are transforming the post body of information we got from Helix into a structure that The Hive will be happy to accept.

def create_hive_alert(helix_alert):
    post_body = {
        "title": helix_alert['alert_type']['name'],
        "description": helix_alert['description'],
        "customFields": '',
        "type": "external",
        "source": "helix",
        "sourceRef": "alert-helix",
        "severity": 3,
        "tlp": 3,
        "artifacts" : ''
    }

    url = TheHive.get('url', None)
    alert = TheHive.get('alert', None)
    api_key = TheHive.get('api_key', None)
    template = TheHive.get('template', None)
    accept_header = 'application/json'

    hive_alert_url = url + alert

    headers = {
        'Accept': accept_header,
        'Authorization': 'Bearer ' + api_key,
    }
    r = requests.post(hive_alert_url, data=post_body, headers=headers, verify=False)
    hive_response = r.json()
    # print(hive_response)

Future Work:

  • Refactor codebase
  • Create better variable naming schemes (I have horrible var names here, let’s be honest!)
  • Create a queue intake system
  • Dedup duplicated alerts
  • Set up polling job so alerts are continuously being fed into The Hive from Helix, and other sources

I will write more about my process of refactoring the code base, as well as implementing a queuing system in a future post!

Published 5 Nov 2019

Security engineer. Blue teamer. What about you?TV0 on Twitter