I am using the LimaCharlie Python SDK in order to push rules to my LimaCharlie organization.
I have the following false positive rule, which contains `data` with the rule itself and some `metadata` with, for example, tags.
fp_rule.yml:

```yaml
---
data:
  op: and
  rules:
    - op: is
      path: cat
      value: Command Detected
    - op: or
      rules:
        - op: ends with
          path: detect/event/PARENT/FILE_PATH
          value: "\\A\\B\\C\\D.exe"
          case sensitive: false
metadata:
  author: [email protected]
  tlp: amber
  title: Command Detected
  description: Legitimate Command Detected
  source:
  tags:
  state: production
  version: 1.0.0
```
I can easily add a new false positive rule to LimaCharlie; however, how can I add the metadata?
This is my script, deploy_fp_rule_test.py:
```python
import os
import limacharlie
import yaml


def deploy_fp_rule_test():
    # Log into LimaCharlie
    limacharlie_organization_id = os.environ['limacharlie_organization_id']
    limacharlie_signatures_api_key = os.environ['limacharlie_signatures_api_key']
    manager = limacharlie.Manager(oid=limacharlie_organization_id,
                                  secret_api_key=limacharlie_signatures_api_key)

    # Read rule (re-raise on malformed YAML so we never continue without a rule)
    with open("fp_rule.yml", mode='r', encoding="utf8") as stream:
        try:
            fp_rule = yaml.safe_load(stream)
        except yaml.YAMLError as exc:
            print(exc)
            raise

    # Map rule parts
    fp_rule_data = fp_rule['data']
    fp_rule_metadata = fp_rule['metadata']

    # Add to LimaCharlie (only the rule body is pushed; the metadata is not used here)
    result = manager.add_fp(name="Command Detected", rule=fp_rule_data, isReplace=True)
    print(f"{result}")


# - Main start ----------------------------------------------------------------
if __name__ == "__main__":
    deploy_fp_rule_test()
```
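As an added example (my code, not from the question and not part of the LimaCharlie SDK), here is an offline check of the rule body before it is pushed: it takes the `data` / `metadata` split shown in fp_rule.yml and evaluates the rule's `and`, `or`, `is` and `ends with` operators against a few constructed detections. The operator semantics are assumptions (exact match for `is`, suffix match for `ends with`, case-sensitive unless `case sensitive: false`, slash-separated paths, missing fields never match); confirm them against the LimaCharlie documentation before relying on the result. The rule is embedded as the Python structure `yaml.safe_load` produces for the file above, so the block runs without PyYAML; the author value is a placeholder.

```python
# Offline evaluator for the false-positive rule in fp_rule.yml.
# Added example, not part of the question or of the LimaCharlie SDK.
# Operator semantics are assumed (see lead-in); verify them against the docs.

# Same structure yaml.safe_load() returns for fp_rule.yml. Note that the
# YAML double-quoted "\\A\\B\\C\\D.exe" collapses to a single backslash each.
FP_RULE = {
    "data": {
        "op": "and",
        "rules": [
            {"op": "is", "path": "cat", "value": "Command Detected"},
            {"op": "or", "rules": [
                {"op": "ends with",
                 "path": "detect/event/PARENT/FILE_PATH",
                 "value": "\\A\\B\\C\\D.exe",
                 "case sensitive": False},
            ]},
        ],
    },
    "metadata": {
        "author": "analyst@example.com",  # placeholder, not the real author
        "tlp": "amber",
        "title": "Command Detected",
        "description": "Legitimate Command Detected",
        "source": None,
        "tags": None,
        "state": "production",
        "version": "1.0.0",
    },
}

# Constructed sample detections (not real LimaCharlie output).
SAMPLE_DETECTIONS = [
    # Same category, path matches ignoring case -> should be suppressed
    {"cat": "Command Detected",
     "detect": {"event": {"PARENT": {"FILE_PATH": r"C:\a\b\c\d.exe"}}}},
    # Same category, unrelated parent -> must NOT be suppressed
    {"cat": "Command Detected",
     "detect": {"event": {"PARENT": {"FILE_PATH": r"C:\Windows\System32\cmd.exe"}}}},
    # Matching path but different category -> must NOT be suppressed
    {"cat": "Other Detection",
     "detect": {"event": {"PARENT": {"FILE_PATH": r"C:\A\B\C\D.exe"}}}},
    # Parent field missing entirely -> must NOT be suppressed
    {"cat": "Command Detected", "detect": {"event": {}}},
]


def lookup(detection, path):
    """Resolve a slash-separated path into nested dicts; None if any segment is missing."""
    cur = detection
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(rule, detection):
    """True when the rule matches the detection, i.e. it would be treated as a false positive."""
    op = rule["op"]
    if op == "and":
        return all(evaluate(r, detection) for r in rule["rules"])
    if op == "or":
        return any(evaluate(r, detection) for r in rule["rules"])

    actual = lookup(detection, rule["path"])
    if actual is None:
        return False  # a missing field never matches (assumption)
    actual, expected = str(actual), str(rule["value"])
    if rule.get("case sensitive", True) is False:
        actual, expected = actual.lower(), expected.lower()
    if op == "is":
        return actual == expected
    if op == "ends with":
        return actual.endswith(expected)
    raise ValueError(f"unsupported op: {op}")


def suppressed(detections, rule=FP_RULE):
    """Evaluate the rule body against every detection; booleans in input order."""
    return [evaluate(rule["data"], d) for d in detections]


if __name__ == "__main__":
    print("metadata (kept separate from the rule body):", FP_RULE["metadata"])
    for det, hit in zip(SAMPLE_DETECTIONS, suppressed(SAMPLE_DETECTIONS)):
        print(hit, det["cat"], lookup(det, "detect/event/PARENT/FILE_PATH"))
```

Running it prints one line per sample detection; only the first is suppressed. The useful part is the negative cases: a rule that only ever sees the event it was written for is easy to get wrong, so feed it the unrelated parent, the other category and the missing field before pushing it with `add_fp`.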