This is for use by the Security Tapestry Threat Hunting Team and is written for compatibility with InsightIDR as the alerts platform and FreshService as the helpdesk.
-
config.json - Includes configuration data
- 'Clients' - Stores per-client configuration
  - 'enabled' - Whether or not alerts are active for this client.
  - 'api' - Identifier of the API key used for this client.
  - 'idr_organization_id' - Identifier of the client's organization in InsightIDR.
  - 'email' - Email address that alerts for this client are directed to.
  - 'ccs' - Email addresses to CC when an investigation is created for this client.
  - 'time' - Time in UTC of the bot's last check-in for this client.
- 'Other' - Stores non-client configuration
  - 'last_checked_tickets_to_close' - Time in UTC of the bot's last FreshService-to-InsightIDR check-in.
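The following is an added example, not code from this repository: a loader that validates a config.json with the layout described above before the bot uses it, so a client with a missing key or an unparseable timestamp is reported rather than silently polled with bad values. It assumes the 'time' and 'last_checked_tickets_to_close' values are ISO 8601 UTC timestamps and that 'ccs' is a JSON list; the sample config, key names like PLACEHOLDER_API_KEY_NAME, and the 10-minute staleness threshold are constructed placeholders, not values from the project.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the config.json layout described above.
# All values are placeholders, not real API key names or organization IDs.
SAMPLE_CONFIG = """
{
  "Clients": {
    "acme-corp": {
      "enabled": true,
      "api": "PLACEHOLDER_API_KEY_NAME",
      "idr_organization_id": "PLACEHOLDER_ORG_ID",
      "email": "soc@example.com",
      "ccs": ["it@example.com"],
      "time": "2024-01-01T00:00:00Z"
    },
    "globex": {
      "enabled": false,
      "api": "PLACEHOLDER_API_KEY_NAME_2",
      "idr_organization_id": "PLACEHOLDER_ORG_ID_2",
      "email": "security@example.org",
      "ccs": [],
      "time": "2024-01-01T00:00:00Z"
    },
    "initech": {
      "enabled": true,
      "api": "PLACEHOLDER_API_KEY_NAME_3",
      "email": "sec@example.net",
      "ccs": "not-a-list",
      "time": "yesterday"
    }
  },
  "Other": {
    "last_checked_tickets_to_close": "2024-01-01T00:00:00Z"
  }
}
"""

# Keys every client entry must carry, per the config.json description above.
CLIENT_KEYS = ("enabled", "api", "idr_organization_id", "email", "ccs", "time")


def parse_utc(value):
    """Parse an ISO 8601 timestamp (assumed format) into a UTC-aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def validate_config(text):
    """Return (config, problems); problems maps a section or client name to its issues."""
    cfg = json.loads(text)
    problems = {}
    clients = cfg.get("Clients")
    if not isinstance(clients, dict):
        problems["Clients"] = ["section missing or not an object"]
        clients = {}
    for name, client in clients.items():
        issues = [f"missing '{k}'" for k in CLIENT_KEYS if k not in client]
        if not isinstance(client.get("enabled", False), bool):
            issues.append("'enabled' must be true or false")
        if not isinstance(client.get("ccs", []), list):
            issues.append("'ccs' must be a list of addresses")
        if "time" in client:
            try:
                parse_utc(client["time"])
            except (TypeError, ValueError):
                issues.append("'time' is not an ISO 8601 UTC timestamp")
        if issues:
            problems[name] = issues
    other = cfg.get("Other", {})
    if "last_checked_tickets_to_close" not in other:
        problems["Other"] = ["missing 'last_checked_tickets_to_close'"]
    return cfg, problems


def enabled_clients(cfg, problems):
    """Clients the bot should poll: enabled and free of validation problems."""
    return sorted(name for name, client in cfg.get("Clients", {}).items()
                  if client.get("enabled") is True and name not in problems)


def overdue_clients(cfg, problems, now, max_age_minutes=10):
    """Enabled clients whose last check-in is older than the expected cron interval."""
    return [name for name in enabled_clients(cfg, problems)
            if now - parse_utc(cfg["Clients"][name]["time"]) > timedelta(minutes=max_age_minutes)]


if __name__ == "__main__":
    config, found = validate_config(SAMPLE_CONFIG)
    for name, issues in found.items():
        print(f"{name}: {'; '.join(issues)}")
    print("polling:", enabled_clients(config, found))
    print("overdue:", overdue_clients(config, found, datetime.now(timezone.utc)))
```

Run it before each bot cycle: clients listed under problems are skipped for that run, and the overdue check flags a client whose 'time' has not advanced within the expected workflow interval, which is the usual first sign that a run failed for one client's credentials.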
-
insight_functions.py - Contains all functions called by investigations_post.py
-
investigations_post.py - Main script to be run; called by the workflow YAML
-
Investigations.yml - Main workflow file for GitHub Actions; loads all API keys and runs investigations_post.py every 5-10 minutes via a cron schedule.
-
detection_rules.json - Contains the collected detection rules, alert types, and MITRE TTPs