Add Thinkst Canary Console integration

This is the first release of the Thinkst Canary Console integration
into the market place.

A connector was implemented to poll the Canary Console API to get
the latests incidents from the Console. This is then translated into
AlertInfo objects, which will generate cases.

A 'Ping' action is added to check that the API credentials has been
entered correctly, and that the API endpoint is reachable.

A 'Acknowledge Console Alert' action is implemented, this can be used
to acknowledge incidents on the Canary Console.

Signed-off-by: Louis Peens <[email protected]>

Author: thinkst-louis

content/response_integrations/third_party/thinkst_canary/.python-version

@@ -0,0 +1 @@
+3.11

content/response_integrations/third_party/thinkst_canary/__init__.py

@@ -0,0 +1,54 @@
+from soar_sdk.ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED
+from soar_sdk.SiemplifyAction import SiemplifyAction
+from soar_sdk.SiemplifyUtils import output_handler
+
+from ..core.constants import (
+    THINKST_DEFAULT_API_KEY,
+    THINKST_DEFAULT_CONSOLE,
+    THINKST_INTEGRATION_NAME,
+)
+from ..core.ThinkstManager import ThinkstActionManager, str_to_bool
+
+
+@output_handler
+def main():
+    status = EXECUTION_STATE_COMPLETED
+    result_value = False
+    output_message = ""
+
+    siemplify = SiemplifyAction()
+
+    console_api_key = siemplify.extract_configuration_param(
+        provider_name=THINKST_INTEGRATION_NAME,
+        param_name="API Key",
+        default_value=THINKST_DEFAULT_API_KEY,
+    )
+    if console_api_key == THINKST_DEFAULT_API_KEY:
+        status = EXECUTION_STATE_FAILED
+        output_message = "Please provide a valid API Key"
+        siemplify.end(output_message, result_value, status)
+        return
+
+    console_hash = siemplify.extract_configuration_param(
+        provider_name=THINKST_INTEGRATION_NAME,
+        param_name="Console Hash",
+        default_value=THINKST_DEFAULT_CONSOLE,
+    )
+    if console_hash == THINKST_DEFAULT_CONSOLE:
+        status = EXECUTION_STATE_FAILED
+        output_message = "Please provide a valid Console Hash"
+        siemplify.end(output_message, result_value, status)
+        return
+
+    ssl_verify = siemplify.extract_configuration_param(
+        provider_name=THINKST_INTEGRATION_NAME, param_name="Verify SSL"
+    )
+
+    ssl = str_to_bool(ssl_verify)
+    manager = ThinkstActionManager(console_api_key, console_hash, siemplify, ssl)
+    status, output_message = manager.ack_alert()
+    siemplify.end(output_message, True, status)
+
+
+if __name__ == "__main__":
+    main()

content/response_integrations/third_party/thinkst_canary/actions/AckAlert.py

@@ -0,0 +1,11 @@
+creator: Thinkst
+default_result_value: ''
+description: Set an alert as acknowledged on the Canary console
+dynamic_results_metadata:
+-   result_example_path: null
+    result_name: JsonResult
+    show_result: true
+integration_identifier: THINKST
+name: Acknowledge Console Alert
+parameters: []
+script_result_name: ScriptResult

content/response_integrations/third_party/thinkst_canary/actions/AckAlert.yaml

@@ -0,0 +1,68 @@
+from soar_sdk.ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED
+from soar_sdk.SiemplifyAction import SiemplifyAction
+from soar_sdk.SiemplifyUtils import output_handler
+
+from ..core.constants import (
+    THINKST_DEFAULT_API_KEY,
+    THINKST_DEFAULT_CONSOLE,
+    THINKST_INTEGRATION_NAME,
+)
+from ..core.ThinkstManager import ThinkstActionManager, str_to_bool
+
+
+@output_handler
+def main():
+    status = EXECUTION_STATE_COMPLETED
+    result_value = False
+    output_message = ""
+
+    siemplify = SiemplifyAction()
+
+    console_api_key = siemplify.extract_configuration_param(
+        provider_name=THINKST_INTEGRATION_NAME,
+        param_name="API Key",
+        default_value=THINKST_DEFAULT_API_KEY,
+    )
+    if console_api_key == THINKST_DEFAULT_API_KEY:
+        status = EXECUTION_STATE_FAILED
+        output_message = "Please provide a valid API Key"
+        siemplify.end(output_message, result_value, status)
+        return
+
+    console_hash = siemplify.extract_configuration_param(
+        provider_name=THINKST_INTEGRATION_NAME,
+        param_name="Console Hash",
+        default_value=THINKST_DEFAULT_CONSOLE,
+    )
+    if console_hash == THINKST_DEFAULT_CONSOLE:
+        status = EXECUTION_STATE_FAILED
+        output_message = "Please provide a valid Console Hash"
+        siemplify.end(output_message, result_value, status)
+        return
+
+    ssl_verify = siemplify.extract_configuration_param(
+        provider_name=THINKST_INTEGRATION_NAME, param_name="Verify SSL"
+    )
+
+    try:
+        ssl = str_to_bool(ssl_verify)
+        manager = ThinkstActionManager(console_api_key, console_hash, siemplify, ssl)
+        ping_res = manager.ping()
+
+        if ping_res:
+            output_message = f"Successfully connected to Canary Console '{console_hash}'."
+            result_value = True
+        else:
+            output_message = f"Failed to connect to Canary Console '{console_hash}'."
+
+    except Exception as e:
+        status = EXECUTION_STATE_FAILED
+        output_message = f"Ping failed: {str(e)}"
+        siemplify.LOGGER.exception(e)
+
+    siemplify.LOGGER.info(f"Action finished: {output_message}")
+    siemplify.end(output_message, result_value, status)
+
+
+if __name__ == "__main__":
+    main()

content/response_integrations/third_party/thinkst_canary/actions/Ping.py

@@ -0,0 +1,11 @@
+creator: Thinkst
+default_result_value: ''
+description: Uses the /ping endpoint to verify that API key and console hash is correct
+dynamic_results_metadata:
+-   result_example_path: null
+    result_name: JsonResult
+    show_result: true
+integration_identifier: THINKST
+name: Ping
+parameters: []
+script_result_name: ScriptResult

content/response_integrations/third_party/thinkst_canary/actions/Ping.yaml

@@ -0,0 +1,52 @@
+# ==============================================================================
+# This connector retrieves Incidents from a Thinkst Canary Console and creates
+# alerts/cases in Google SecOps SOAR. Each Canary Incident generates one alert.
+# ==============================================================================
+import sys
+
+from soar_sdk.SiemplifyConnectors import SiemplifyConnectorExecution
+from soar_sdk.SiemplifyUtils import output_handler
+
+from ..core.constants import (
+    THINKST_CONNECTOR_NAME,
+    THINKST_DEFAULT_API_KEY,
+    THINKST_DEFAULT_CONSOLE,
+)
+from ..core.ThinkstManager import ThinkstConnectorManager, str_to_bool
+
+
+@output_handler
+def main(is_test_run):
+    alerts = []
+    siemplify = SiemplifyConnectorExecution()
+    siemplify.script_name = THINKST_CONNECTOR_NAME
+
+    if is_test_run:
+        siemplify.LOGGER.info(
+            '***** This is an "IDE Play Button"\\"Run Connector once" test run ******'
+        )
+
+    siemplify.LOGGER.info("==================== Main - Param Init ====================")
+
+    console_api_key = siemplify.extract_connector_param("API Key", THINKST_DEFAULT_API_KEY)
+    if console_api_key == THINKST_DEFAULT_API_KEY:
+        siemplify.LOGGER.error("Please provide a valid API Key")
+        return
+
+    console_hash = siemplify.extract_connector_param("Console Hash", THINKST_DEFAULT_CONSOLE)
+    if console_hash == THINKST_DEFAULT_CONSOLE:
+        siemplify.LOGGER.error("Please provide a valid Console Hash")
+        return
+
+    ssl_verify = siemplify.extract_connector_param("Verify SSL")
+    ssl = str_to_bool(ssl_verify)
+
+    manager = ThinkstConnectorManager(console_api_key, console_hash, siemplify, ssl)
+    alerts = manager.fetch_alerts()
+    siemplify.return_package(alerts)
+
+
+if __name__ == "__main__":
+    # Connectors are run in iterations. The interval is configurable from the ConnectorsScreen UI.
+    is_test_run = not (len(sys.argv) < 2 or sys.argv[1] == "True")
+    main(is_test_run)

content/response_integrations/third_party/thinkst_canary/actions/__init__.py

@@ -0,0 +1,78 @@
+name: Thinkst - Alert Connector
+parameters:
+  - name: API Key
+    default_value: <API_KEY>
+    type: password
+    description: The API key for your console. If not specified will try and
+        get it from integration configuration.
+    is_mandatory: true
+    is_advanced: false
+    mode: script
+    integration_identifier: THINKST
+
+  - name: Console Hash
+    default_value: <CONSOLE_HASH>
+    type: string
+    description: The hash for your console (the part before .canary.tools). If
+        not specified will try and get it from integration configuration.
+    is_mandatory: true
+    integration_identifier: THINKST
+    is_advanced: false
+    mode: script
+
+  - name: Last Id
+    default_value: '0'
+    type: integer
+    description: Debug value - grab incidents since this update_id
+    is_mandatory: false
+    mode: script
+    is_advanced: false
+
+  - name: Verify SSL
+    type: boolean
+    description: Whether to verify SSL certificates when connecting to the console
+    is_mandatory: false
+    default_value: true
+    integration_identifier: THINKST
+    is_advanced: false
+    mode: script
+
+  - name: Ignore Informative
+    type: boolean
+    description: Do not create cases for informative incidents
+    is_mandatory: false
+    default_value: false
+    integration_identifier: THINKST
+    is_advanced: false
+    mode: script
+
+  - name: PythonProcessTimeout
+    default_value: '60'
+    type: string
+    description: The timeout limit (in seconds) for the python process running current
+        script
+    is_mandatory: true
+    is_advanced: false
+    mode: regular
+
+  - name: DeviceProductField
+    default_value: device_product
+    type: string
+    description: The field name used to determine the device product
+    is_mandatory: true
+    is_advanced: false
+    mode: regular
+
+  - name: EventClassId
+    default_value: name
+    type: string
+    description: The field name used to determine the event name (sub-type)
+    is_mandatory: true
+    is_advanced: false
+    mode: regular
+
+description: 'Gets security incidents from the Canary Console'
+integration: THINKST
+rules: []
+is_connector_rules_supported: true
+creator: Thinkst