### GENERAL SETUP
# Vectra brain API access.
# One entry per brain. Keep the https:// scheme; whether the client verifies the
# brain's TLS certificate is decided by the code that loads this config, not here
# -- NOTE(review): confirm before trusting block decisions fetched over this link.
COGNITO_URL = ["https://fqdn or ip"]
# Presumably enables writing to LOG_FILE (the logging setup is not in this file).
LOG_TO_FILE = False
# Relative path, resolved against the working directory of whatever imports this
# config. Block/unblock actions are audit-relevant, so place the log where
# unprivileged users cannot truncate or replace it.
LOG_FILE = "var.log"
# Minutes to pause between passes (name only; the polling loop is not visible here).
SLEEP_MINUTES = 5
# All brains must use the same API version. Run a different instance of this script for each API version
# V3 also changes which scoring criteria apply: the BLOCK_*_URGENCY thresholds
# further down are marked "V3 Only".
V3 = False
# Available options: ['bitdefender', 'cisco_amp', 'cisco_fmc', 'cisco_ise',
# 'cisco_nxos', 'cisco_pxgrid', 'clearpass', 'cortex', 'endgame', 'external_call', 'fortinet',
# 'harmony', 'meraki', 'pan', 'pulse_nac', 'sophos', 'test_client', 'trendmicro_apexone',
# 'trendmicro_cloudone', 'trendmicro_visionone', 'vmware', 'windows_shutdown', 'withsecure_elements']
# Enforcement backends that receive the block/unblock actions. The template default
# is 'test_client'; by name it looks like a no-op/test backend, but confirm it performs
# no real enforcement before pointing this instance at production brains.
THIRD_PARTY_CLIENTS = ["test_client"]
### ALLOWED BLOCKING WINDOW
# Days that automated blocking is allowed
# NOTE(review): the expected element format (weekday names? 0-6?) and what an empty
# list means (no blocking at all vs. no day restriction) are decided by the consumer
# of this value, which is not in this file -- confirm before relying on it as a
# safety rail.
BLOCK_DAYS = []
# Time windows that automated blocking is allowed
# 0-23 (hour of day; the timezone used for the comparison is not visible here)
BLOCK_START_TIME = 0
# 0-23
# NOTE(review): the template ships with start == end == 0; whether that reads as
# "always allowed" or "never allowed" depends on the consumer -- confirm.
BLOCK_END_TIME = 0
### INTERNAL IP BLOCKING
# Tag that will cause a host to be blocked; remove the tag to unblock the host
# Anyone who can tag hosts on the brain can therefore trigger (or lift) a block --
# treat tag permissions on the brain as enforcement permissions.
BLOCK_HOST_TAG = "vectra_host_block"
# Host group whose members will NEVER be blocked.
# This is the only exemption list in this section, and its membership is managed on
# the brain, so changes to that group are effectively changes to this control.
NO_BLOCK_HOST_GROUP_NAME = "NoBlock"
# Host group for which all members will be blocked
BLOCK_HOST_GROUP_NAME = "Block"
# Threshold threat/certainty score for automatically blocking host.
# The middle argument can be 'and' or 'or', defining how the threshold conditions are read
# ('and': both scores must reach their threshold; 'or': either one is enough).
BLOCK_HOST_THREAT_CERTAINTY = (100, "and", 100)
# V3 Only - Threshold urgency score for automatically blocking host.
BLOCK_HOST_URGENCY = 100
# BLOCK_HOST_THREAT_CERTAINTY and BLOCK_HOST_URGENCY are mutually exclusive criteria.
# The template sets both: with V3 = True, BLOCK_HOST_URGENCY is used and the
# threat/certainty tuple is ignored.
# To use BLOCK_HOST_THREAT_CERTAINTY under V3, set BLOCK_HOST_URGENCY = None.
# List of detection types that when present will cause host to be blocked.
# The second argument enforces a threat/certainty threshold for hosts with those detection types on.
# (Presumably an empty list disables detection-type-based blocking and the tuple
# below is only consulted for hosts matching one of the listed types.)
BLOCK_HOST_DETECTION_TYPES = []
BLOCK_HOST_DETECTION_TYPES_MIN_TC_SCORE = (100, "or", 100)
### EXTERNAL IP BLOCKING
# Host threat/certainty score when reached will get all detections on the host.
# All external IPs in those detections will then be blocked.
# The middle argument can be 'and' or 'or', defining how the threshold conditions are read
# NOTE(review): this blocks every external IP that appears in the host's detections,
# which may include shared infrastructure (CDN, SaaS, DNS resolvers) -- keep the
# threshold high and review the resulting block list.
EXTERNAL_BLOCK_HOST_TC = (100, "and", 100)
# Tag to block external IPs present in detection; remove the tag to unblock the detection.
# The default "block" is far more generic than the "vectra_host_block" /
# "vectra_account_block" tags used elsewhere in this file; a tag an analyst applies
# for some other reason would trigger enforcement. Consider a namespaced tag
# (e.g. "vectra_external_block") if the brain has other tagging workflows.
EXTERNAL_BLOCK_DETECTION_TAG = "block"
# Detection types for which all external IPs present on those detections will be blocked.
# E.g. "External Remote Access, Data Smuggler"
# (given as list entries; confirm the exact names against the brain's detection types)
EXTERNAL_BLOCK_DETECTION_TYPES = []
# File containing static destination IPs to block
# This file is an enforcement input: restrict write access to it. The path is relative
# and resolved against the working directory of whatever loads this config.
STATIC_BLOCK_DESTINATION_IPS = "static_dst_ips_to_block.txt"
### ACCOUNT BLOCKING
# Tag that will cause an account to be blocked; remove the tag to unblock the account
# As with hosts, anyone able to tag accounts on the brain can trigger or lift a block.
BLOCK_ACCOUNT_TAG = "vectra_account_block"
# Account group whose members will NEVER be blocked.
# This is the only exemption list in this section; keep break-glass and service
# accounts here, and note its membership is managed on the brain, not in this file.
NO_BLOCK_ACCOUNT_GROUP_NAME = "NoBlock"
# Account group for which all members will be blocked
BLOCK_ACCOUNT_GROUP_NAME = "Block"
# Threshold threat/certainty score for automatically blocking account.
# The middle argument can be 'and' or 'or', defining how the threshold conditions are read
# ('and': both scores must reach their threshold; 'or': either one is enough).
BLOCK_ACCOUNT_THREAT_CERTAINTY = (100, "and", 100)
# V3 Only - Threshold urgency score for automatically blocking account.
BLOCK_ACCOUNT_URGENCY = 100
# BLOCK_ACCOUNT_THREAT_CERTAINTY and BLOCK_ACCOUNT_URGENCY are mutually exclusive criteria.
# The template sets both: with V3 = True, BLOCK_ACCOUNT_URGENCY is used and the
# threat/certainty tuple is ignored.
# To use BLOCK_ACCOUNT_THREAT_CERTAINTY under V3, set BLOCK_ACCOUNT_URGENCY = None.
# List of detection types that when present will cause account to be blocked.
# The second argument enforces a threat/certainty threshold for accounts with those detection types on.
# (Presumably an empty list disables detection-type-based blocking and the tuple
# below is only consulted for accounts matching one of the listed types.)
BLOCK_ACCOUNT_DETECTION_TYPES = []
BLOCK_ACCOUNT_DETECTION_TYPES_MIN_TC_SCORE = (100, "or", 100)
### Notification Setup
# SMTP Configuration
SEND_EMAIL = False
# SMTP Server FQDN or IP
SMTP_SERVER = ""
# Port 25 is the plaintext / opportunistic-STARTTLS port. Whether the sender upgrades
# to TLS is not visible from this template -- NOTE(review): confirm, or use a
# submission port (587/465) if the mail code supports it.
SMTP_PORT = 25
SRC_EMAIL = "example@email.com"
# Presumably the recipient of block/unblock notifications.
DST_EMAIL = "example@email.com"
# Presumably enables authentication to the SMTP server as SMTP_USER.
SMTP_AUTH = False
# There is no password constant in this section; where the secret comes from
# (prompt, environment, keyring) is decided elsewhere. Do not add it here in plaintext.
SMTP_USER = "user"
# Syslog Configuration
SEND_SYSLOG = False
# Syslog Server FQDN or IP
SYSLOG_SERVER = ""
SYSLOG_PORT = 514
# Proto: TCP or UDP
# No TLS option is exposed here, so events travel in cleartext either way; UDP
# additionally drops events silently under load. Prefer TCP over a trusted network path.
SYSLOG_PROTO = "TCP"
# Format: Standard or CEF
SYSLOG_FORMAT = "CEF"