blitz: Incident Response Automation Framework
Blitz is an open source incident response automation framework aimed at accelerating incident triage, tracking and response capabilities. The framework allows:
- Device agnostic alert ingest
- Alert enrichment from internal/external sources
- Automated / one-click response action – from the alert itself!
How Blitz works:
Blitz takes as input an alert data file structured in JSON format. The alert data can be further enriched with different enrichment modules. Blitz parses the input file and picks up information about the source, alert type, alert metadata and so on. The output of the framework is an alert email configured for delivery to the intended recipients; the framework can be extended to alternate delivery methods as long as a Python module can be written for them.
We recommend using Apache NiFi for creating and managing alert data files for the Blitz framework, as it allows ingestion, parsing and structuring of information in a manner suitable for consumption by the framework. However, one can choose any other suitable alternative.
The illustration below depicts the functioning of the blitz framework.
Sample use cases / implementations:
- Endpoint Incident Response & Automation
- Perimeter / Website Incident Response & Automation
- Incident Tracking (via JIRA)
- Alert Enrichment – the framework already contains multiple default enrichment methods (available in modules.py), such as reverse DNS and WhoIs
Structure of Blitz
The Blitz framework essentially comprises the following files:
blitz.py
It is the heart of the framework and is agnostic to alert source and data. This is the file to be executed, providing an alert data file and a source (detector) as input, to generate an incident notification and its respective actions.
Usage example:
Here detector should be replaced by the name of the source configured in mail_conf, and the path to the alert data file is passed as the other argument.
mail_conf
mail_conf stores the configuration for all data sources. For each source one can provide the source_name, the enrichments to execute, the intended recipients and the actions associated with the alert. A sample configuration is shown below:
modules.py
It is a container class for all enrichment methods. It is instantiated in blitz.py with the input alert data so that the data is available to all the enrichment methods. One can write a variety of enrichments to suit their needs. These enrichments can then be mapped to sources in the configuration (mail_conf).
template.html
It is a generic HTML template used to build an email alert. It has placeholders for the title, body and action buttons, which are replaced with actual data according to the configuration. One can also write a custom template with specific layouts, colour schemes and so on. A sample alert template is shown below.
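The pipeline described above (JSON alert file in, configured enrichments run by a container class, placeholders filled in a template, notification out), as an added, self-contained illustration that is not Blitz's own code. The mail_conf entry, the alert file, the template and the reverse DNS lookup table are all constructed stand-ins; a real enrichment would query DNS rather than a dictionary.

```python
import json
from string import Template

# Constructed alert data file in the JSON shape the framework consumes (hypothetical fields).
ALERT_JSON = '{"alert_type": "malware", "host": "ws-17", "src_ip": "10.0.0.5"}'

# Stand-in for mail_conf: one entry per source, keyed by the detector name.
MAIL_CONF = {
    "edr": {
        "source_name": "Endpoint Detector",
        "enrichments": ["reverse_dns"],
        "recipients": ["soc@example.com"],
        "actions": ["isolate_host"],
    }
}

# Stand-in for template.html: placeholders filled from the config and the enriched alert.
TEMPLATE = "<h1>$title</h1><p>$body</p><p>$actions</p>"


class Modules:
    """Container for enrichment methods; holds the alert data the way modules.py does."""

    def __init__(self, data):
        self.data = data

    def reverse_dns(self):
        # Offline stand-in for a PTR lookup so the example runs without network access.
        table = {"10.0.0.5": "ws-17.corp.example"}
        return {"rdns": table.get(self.data.get("src_ip"), "unresolved")}


def build_alert(alert_json, detector, conf=MAIL_CONF, template=TEMPLATE):
    """Parse the alert file, run the enrichments mapped to the detector, render the notification."""
    if detector not in conf:
        raise ValueError(f"no configuration for source {detector!r}")
    cfg = conf[detector]
    data = json.loads(alert_json)
    mods = Modules(data)
    for name in cfg["enrichments"]:
        data.update(getattr(mods, name)())  # each enrichment adds fields to the alert
    body = "; ".join(f"{k}={v}" for k, v in sorted(data.items()))
    html = Template(template).substitute(
        title=f"{cfg['source_name']}: {data['alert_type']}",
        body=body,
        actions=" ".join(f"[{a}]" for a in cfg["actions"]),  # one button per action
    )
    return {"to": cfg["recipients"], "html": html, "data": data}
```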
Download & Tutorial
Author:
- Pradyumn Nand
- Kunal Aggarwal