def dotransform(request, response, config):
    """Add an Indicator entity enriched with the details of one indicator.

    The indicator is fetched with ``get_indicator`` using the id stored in
    the ``ThreatCentral.resourceId`` request field; when that field is
    missing the response is returned untouched.  Lookup and attribute
    failures are reported as ``PartialError`` UI messages, while a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # Rebuild the entity from the request value, then enrich it.
        entity = Indicator(request.value)
        entity.title = encode_to_utf8(indicator.get('title'))
        entity.resourceId = indicator.get('resourceId')

        for caption, field in (('Severity', 'severity'),
                               ('Confidence', 'confidence'),
                               ('Indicator Type', 'indicatorType')):
            entity += Label(caption,
                            indicator.get(field, dict()).get('displayName'))

        if indicator.get('description'):
            # NOTE(review): the description comes from the remote service and
            # is placed between <br/> tags unescaped; if Label values are
            # rendered as HTML, escape it first -- confirm.
            lines = encode_to_utf8(indicator.get('description')).split('\n')
            entity += Label('Description', '<br/>'.join(lines))

        response += entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response
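def dotransform(request, response, config):
    """Search indicators for a URL and add one Indicator entity per hit.

    The search term is the ``url`` request field when present, otherwise
    ``request.value``.  Each hit's ``tcScore`` becomes the entity weight
    (1 when absent or falsy) and the hit's ``resource`` mapping supplies the
    title, resourceId and the optional severity, confidence, indicator type
    and description.  Hits without a ``resource`` are skipped.

    Search and attribute failures are reported as ``PartialError`` UI
    messages; a ``TypeError`` ends the transform without any message.
    """
    try:
        url = request.fields['url']
    except KeyError:
        url = request.value

    try:
        indicators = search_indicator(url)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for hit in indicators:
            score = hit.get('tcScore')
            weight = int(score) if score else 1

            indicator = hit.get('resource')
            if not indicator:
                # Previously a hit lacking 'resource' raised AttributeError
                # on None and discarded every remaining hit.
                continue

            e = Indicator(encode_to_utf8(indicator.get('title')),
                          weight=weight)
            e.title = encode_to_utf8(indicator.get('title'))
            e.resourceId = indicator.get('resourceId')

            # Each optional detail is shown as a label and mirrored onto the
            # entity attribute of the same name.
            for caption, field in (('Severity', 'severity'),
                                   ('Confidence', 'confidence'),
                                   ('Indicator Type', 'indicatorType')):
                detail = indicator.get(field)
                if detail:
                    display_name = detail.get('displayName')
                    e += Label(caption, display_name)
                    setattr(e, field, display_name)

            if indicator.get('description'):
                # NOTE(review): feed-supplied text is joined with <br/>
                # unescaped; escape it if Label values render as HTML --
                # confirm.
                e += Label(
                    'Description', '<br/>'.join(
                        encode_to_utf8(
                            indicator.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response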
def dotransform(request, response, config):
    """Search TTPs matching ``request.value`` and add one TTP entity each.

    A result's ``tcScore`` is used as the entity weight (1 when absent or
    falsy); the title and the result's ``id`` are copied onto the entity.
    Search and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    try:
        ttps = search_ttp(request.value)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for ttp in ttps:
            score = ttp.get('tcScore')
            weight = int(score) if score else 1

            entity = TTP(encode_to_utf8(ttp.get('title')), weight=weight)
            entity.title = encode_to_utf8(ttp.get('title'))
            # Search results expose the identifier under 'id'.
            entity.resourceId = ttp.get('id')
            response += entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response
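def dotransform(request, response, config):
    """Add one CoursesOfAction entity per course of action linked to a case.

    The case is fetched with ``get_case`` using the id in the
    ``ThreatCentral.resourceId`` request field; without that field the
    response is returned unchanged.  Each entity is weighted by the course's
    ``tcScore`` (1 when absent or falsy) and carries its text as a label.

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        case = get_case(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for coa in case.get('coursesOfAction') or []:
            score = coa.get('tcScore')
            weight = int(score) if score else 1

            e = CoursesOfAction(encode_to_utf8(coa.get('title')),
                                weight=weight)
            e.title = encode_to_utf8(coa.get('title'))
            e.resourceId = coa.get('resourceId')
            if coa.get('text'):
                # NOTE(review): feed-supplied text is joined with <br/>
                # unescaped; escape it if Label values render as HTML --
                # confirm.
                e += Label('Text', '<br/>'.join(
                    encode_to_utf8(coa.get('text')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response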
def dotransform(request, response, config):
    """Turn every TTP found for ``request.value`` into a TTP entity.

    ``search_ttp`` supplies the results.  The entity weight is the result's
    ``tcScore`` converted to int, or 1 when the score is absent or falsy.
    Errors from the search or from malformed results are surfaced as
    ``PartialError`` UI messages, except ``TypeError``, which returns the
    response collected so far without a message.
    """
    try:
        results = search_ttp(request.value)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for result in results:
            if result.get('tcScore'):
                weight = int(result.get('tcScore'))
            else:
                weight = 1

            ttp_entity = TTP(encode_to_utf8(result.get('title')),
                             weight=weight)
            ttp_entity.title = encode_to_utf8(result.get('title'))
            # The identifier of a search result lives under 'id'.
            ttp_entity.resourceId = result.get('id')
            response += ttp_entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Silent exit: nothing tells the user the results were malformed.
        return response

    return response
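def dotransform(request, response, config):
    """Add the indicator entity and its REGISTRY_KEY observables.

    The indicator is fetched with ``get_indicator`` using the id in the
    ``ThreatCentral.resourceId`` request field.  The Indicator entity is
    rebuilt from ``request.value`` and enriched; every observable whose type
    value upper-cases to ``REGISTRY_KEY`` then becomes a RegistryKey entity
    weighted by its ``sighting`` count (1 when absent or falsy).

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    if not indicator:
        return response

    try:
        entity = Indicator(request.value)
        entity.title = encode_to_utf8(indicator.get('title'))
        entity.resourceId = indicator.get('resourceId')
        entity.severity = indicator.get('severity', dict()).get('displayName')
        entity.confidence = indicator.get('confidence', dict()).get('displayName')
        entity.indicatorType = indicator.get('indicatorType', dict()).get('displayName')

        entity += Label('Severity', indicator.get('severity', dict()).get('displayName'))
        entity += Label('Confidence', indicator.get('confidence', dict()).get('displayName'))
        entity += Label('Indicator Type', indicator.get('indicatorType', dict()).get('displayName'))

        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with <br/>
            # unescaped; escape it if Label values render as HTML -- confirm.
            entity += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))

        response += entity

        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for observable in indicator.get('observables') or []:
            # NOTE(review): presumably `upper` raises AttributeError when the
            # observable has no type value, which stops the loop -- confirm.
            if upper(observable.get('type', dict()).get('value')) != 'REGISTRY_KEY':
                continue

            sighting = observable.get('sighting')
            weight = int(sighting) if sighting else 1

            key = RegistryKey(observable.get('value'), weight=weight)
            key.value = observable.get('value')
            key.hive = observable.get('hive')
            key.key = observable.get('key')
            key.resourceId = observable.get('resourceId')
            # TODO: name, action, data and rtype are not populated yet;
            # verify which observable fields they should come from.

            response += key

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response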
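def dotransform(request, response, config):
    """Add one TTP entity per TTP linked to an incident.

    The incident is fetched with ``get_incident`` using the id in the
    ``ThreatCentral.resourceId`` request field; without that field the
    response is returned unchanged.  Each entity is weighted by the TTP's
    ``tcScore`` (1 when absent or falsy).

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        incident = get_incident(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for ttp in incident.get('tacticsTechniquesAndProcedures') or []:
            score = ttp.get('tcScore')
            weight = int(score) if score else 1

            e = TTP(encode_to_utf8(ttp.get('title')), weight=weight)
            e.title = encode_to_utf8(ttp.get('title'))
            e.resourceId = ttp.get('resourceId')
            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err),
                              type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response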
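def dotransform(request, response, config):
    """Add one TTP entity per TTP linked to a case.

    The case is fetched with ``get_case`` using the id in the
    ``ThreatCentral.resourceId`` request field; without that field the
    response is returned unchanged.  Each entity is weighted by the TTP's
    ``tcScore`` (1 when absent or falsy).

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        case = get_case(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # Truthiness replaces `len(...) is not 0`, an identity comparison
        # with an int literal; `or []` also tolerates an explicit null.
        linked_ttps = case.get('tacticsTechniquesAndProcedures') or []
        for ttp in linked_ttps:
            if ttp.get('tcScore'):
                weight = int(ttp.get('tcScore'))
            else:
                weight = 1

            e = TTP(encode_to_utf8(ttp.get('title')), weight=weight)
            e.title = encode_to_utf8(ttp.get('title'))
            e.resourceId = ttp.get('resourceId')
            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response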
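def dotransform(request, response, config):
    """Add the indicator entity and the file hashes of its observables.

    The indicator is fetched with ``get_indicator`` using the id in the
    ``ThreatCentral.resourceId`` request field.  The Indicator entity is
    rebuilt from ``request.value`` and enriched; every observable whose type
    value upper-cases to ``FILE_HASH`` then yields one FileHash entity per
    entry of its ``fileHashes`` list, weighted by the observable's
    ``sighting`` count (1 when absent or falsy).

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        entity = Indicator(request.value)
        entity.title = encode_to_utf8(indicator.get('title'))
        entity.resourceId = indicator.get('resourceId')
        entity.severity = indicator.get('severity', dict()).get('displayName')
        entity.confidence = indicator.get('confidence', dict()).get('displayName')
        entity.indicatorType = indicator.get('indicatorType', dict()).get('displayName')

        entity += Label('Severity', indicator.get('severity', dict()).get('displayName'))
        entity += Label('Confidence', indicator.get('confidence', dict()).get('displayName'))
        entity += Label('Indicator Type', indicator.get('indicatorType', dict()).get('displayName'))

        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with <br/>
            # unescaped; escape it if Label values render as HTML -- confirm.
            entity += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))

        response += entity

        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for observable in indicator.get('observables') or []:
            # NOTE(review): presumably `upper` raises AttributeError when the
            # observable has no type value, which stops the loop -- confirm.
            if upper(observable.get('type', dict()).get('value')) != 'FILE_HASH':
                continue

            sighting = observable.get('sighting')
            weight = int(sighting) if sighting else 1

            for filehash in observable.get('fileHashes', list()):
                hash_entity = FileHash(filehash.get('value'), weight=weight)
                hash_entity.name = observable.get('name')
                hash_entity.value = filehash.get('value')
                hash_entity.htype = filehash.get('type')
                hash_entity.resourceId = observable.get('resourceId')

                response += hash_entity

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response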
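def dotransform(request, response, config):
    """Add the indicator entity and the IP addresses of its observables.

    The indicator is fetched with ``get_indicator`` using the id in the
    ``ThreatCentral.resourceId`` request field.  The Indicator entity is
    rebuilt from ``request.value`` and enriched; every observable whose type
    value upper-cases to ``IP`` then becomes an IPv4Address entity labelled
    with its address, optional port and location key/value pairs.

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        entity = Indicator(request.value)
        entity.title = encode_to_utf8(indicator.get('title'))
        entity.resourceId = indicator.get('resourceId')
        entity.severity = indicator.get('severity', dict()).get('displayName')
        entity.confidence = indicator.get('confidence', dict()).get('displayName')
        entity.indicatorType = indicator.get('indicatorType', dict()).get('displayName')

        entity += Label('Severity', indicator.get('severity', dict()).get('displayName'))
        entity += Label('Confidence', indicator.get('confidence', dict()).get('displayName'))
        entity += Label('Indicator Type', indicator.get('indicatorType', dict()).get('displayName'))

        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with <br/>
            # unescaped; escape it if Label values render as HTML -- confirm.
            entity += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))

        response += entity

        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for observable in indicator.get('observables') or []:
            if upper(observable.get('type', dict()).get('value')) != 'IP':
                continue

            address = IPv4Address(observable.get('value'))
            address += Label('IP Address', observable.get('value'))
            if observable.get('port'):
                address += Label('Port', observable.get('port'))

            location = observable.get('location', dict())
            # NOTE(review): presumably `upper` raises AttributeError when the
            # observable has no location city, which drops this address and
            # every later observable -- confirm.
            if upper(location.get('city')) != 'UNDEFINED_GEO_LOCATION_STRING':
                # items() iterates the same pairs as iteritems() and also
                # exists on Python 3 dicts.
                address += Label('Location', '<br/>'.join(
                    ['{}:{}'.format(encode_to_utf8(k), encode_to_utf8(v))
                     for k, v in location.items()]))
            response += address

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response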
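def dotransform(request, response, config):
    """Add one Case entity per case linked to the requested resource.

    ``get_linked_cases`` is called with the id in the
    ``ThreatCentral.resourceId`` request field; a missing field is reported
    as the ``No resourceId!`` UI message.  Each case is weighted by its
    ``tcScore`` (1 when absent or falsy) and labelled with its importance
    score and level, comments and description when present.

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    try:
        cases = get_linked_cases(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response
    except KeyError:
        response += UIMessage("No resourceId!", type='PartialError')
        return response

    try:
        for case in cases:
            score = case.get('tcScore')
            weight = int(score) if score else 1

            e = Case(encode_to_utf8(case.get('title')), weight=weight)
            e.title = encode_to_utf8(case.get('title'))
            e.resourceId = case.get('resourceId')

            if case.get('importanceScore'):
                e.importanceScore = case.get('importanceScore')
                e += Label('Importance Score', case.get('importanceScore'))
            if case.get('importanceLevel'):
                e.importanceLevel = case.get('importanceLevel')
                e += Label('Importance Level', case.get('importanceLevel'))

            # Truthiness replaces `len(...) is not 0`, an identity comparison
            # with an int literal, and no longer aborts the loop on a null.
            comments = case.get('comments')
            if comments:
                # NOTE(review): encode_to_utf8 is applied to the whole list
                # rather than to each comment text -- confirm that is
                # intended.  The texts are also joined with <br/> unescaped;
                # escape them if Label values render as HTML.
                e += Label('Comments', '<br/>'.join(
                    ['{}<br/>'.format(_.get('text'))
                     for _ in encode_to_utf8(comments)]))
            if case.get('description'):
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(case.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response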
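def dotransform(request, response, config):
    """Search indicators for a URL and add one Indicator entity per hit.

    The search term is the ``url`` request field when present, otherwise
    ``request.value``.  Each hit's ``tcScore`` becomes the entity weight
    (1 when absent or falsy) and the hit's ``resource`` mapping supplies the
    title, resourceId and the optional severity, confidence, indicator type
    and description.  Hits without a ``resource`` are skipped.

    Search and attribute failures are reported as ``PartialError`` UI
    messages; a ``TypeError`` ends the transform without any message.
    """
    try:
        url = request.fields['url']
    except KeyError:
        url = request.value

    try:
        indicators = search_indicator(url)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for hit in indicators:
            if hit.get('tcScore'):
                weight = int(hit.get('tcScore'))
            else:
                weight = 1

            resource = hit.get('resource')
            if not resource:
                # Previously a hit lacking 'resource' raised AttributeError
                # on None and discarded every remaining hit.
                continue

            e = Indicator(encode_to_utf8(resource.get('title')), weight=weight)
            e.title = encode_to_utf8(resource.get('title'))
            e.resourceId = resource.get('resourceId')

            severity = resource.get('severity')
            if severity:
                e += Label('Severity', severity.get('displayName'))
                e.severity = severity.get('displayName')
            confidence = resource.get('confidence')
            if confidence:
                e += Label('Confidence', confidence.get('displayName'))
                e.confidence = confidence.get('displayName')
            indicator_type = resource.get('indicatorType')
            if indicator_type:
                e += Label('Indicator Type', indicator_type.get('displayName'))
                e.indicatorType = indicator_type.get('displayName')
            if resource.get('description'):
                # NOTE(review): feed-supplied text is joined with <br/>
                # unescaped; escape it if Label values render as HTML --
                # confirm.
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(resource.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response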
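def dotransform(request, response, config):
    """Add the indicator entity and the URIs of its observables.

    The indicator is fetched with ``get_indicator`` using the id in the
    ``ThreatCentral.resourceId`` request field.  The Indicator entity is
    rebuilt from ``request.value`` and enriched; every observable whose type
    value upper-cases to ``URI`` then becomes a URL entity.

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    if not indicator:
        return response

    try:
        entity = Indicator(request.value)
        entity.title = encode_to_utf8(indicator.get('title'))
        entity.resourceId = indicator.get('resourceId')
        entity.severity = indicator.get('severity', dict()).get('displayName')
        entity.confidence = indicator.get('confidence', dict()).get('displayName')
        entity.indicatorType = indicator.get('indicatorType', dict()).get('displayName')

        entity += Label('Severity', indicator.get('severity', dict()).get('displayName'))
        entity += Label('Confidence', indicator.get('confidence', dict()).get('displayName'))
        entity += Label('Indicator Type', indicator.get('indicatorType', dict()).get('displayName'))

        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with <br/>
            # unescaped; escape it if Label values render as HTML -- confirm.
            entity += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))

        response += entity

        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for observable in indicator.get('observables') or []:
            # NOTE(review): presumably `upper` raises AttributeError when the
            # observable has no type value, which stops the loop -- confirm.
            if upper(observable.get('type', dict()).get('value')) != 'URI':
                continue

            # The URI is feed-reported data and is passed through verbatim.
            link = URL(observable.get('value'))
            link.url = observable.get('value')
            link += Label('URI', observable.get('value'))

            response += link

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response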
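def dotransform(request, response, config):
    """Add one Incident entity per incident linked to the requested resource.

    ``get_linked_incidents`` is called with the id in the
    ``ThreatCentral.resourceId`` request field; a missing field is reported
    as the ``No resourceId!`` UI message.  Each incident is weighted by its
    ``tcScore`` (1 when absent or falsy) and labelled with its report date,
    category, affected asset, effect, discovery method and description.

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    try:
        incidents = get_linked_incidents(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response
    except KeyError:
        response += UIMessage("No resourceId!", type='PartialError')
        return response

    try:
        for incident in incidents:
            score = incident.get('tcScore')
            weight = int(score) if score else 1

            e = Incident(encode_to_utf8(incident.get('title')), weight=weight)
            e.title = encode_to_utf8(incident.get('title'))
            e.resourceId = incident.get('resourceId')
            e.reportedOn = incident.get('reportedOn')
            e += Label('Reported On', incident.get('reportedOn'))

            # Multi-valued fields: one line per displayName.  Truthiness
            # replaces `len(...) is not 0`, an identity comparison with an
            # int literal, and no longer aborts the loop on a null value.
            for caption, field in (('Incident Category', 'incidentCategory'),
                                   ('Affected Asset', 'affectedAsset'),
                                   ('Incident Effect', 'incidentEffect'),
                                   ('Discovery Method', 'discoveryMethod')):
                values = incident.get(field)
                if values:
                    e += Label(caption, '<br/>'.join(
                        [encode_to_utf8(_.get('displayName')) for _ in values]))

            if incident.get('description'):
                # NOTE(review): feed-supplied text is joined with <br/>
                # unescaped; escape it if Label values render as HTML --
                # confirm.
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(incident.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response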
def dotransform(request, response, config):
    """Refresh the Indicator entity with details fetched for its resource id.

    Nothing is added unless the request carries a
    ``ThreatCentral.resourceId`` field.  The fetched indicator supplies the
    title, resourceId and the severity, confidence, indicator type and
    description labels.  Lookup and attribute failures are reported as
    ``PartialError`` UI messages; a ``TypeError`` returns without a message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    resource_id = request.fields['ThreatCentral.resourceId']
    try:
        indicator = get_indicator(resource_id)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        updated = Indicator(request.value)
        updated.title = encode_to_utf8(indicator.get('title'))
        updated.resourceId = indicator.get('resourceId')

        severity = indicator.get('severity', dict()).get('displayName')
        updated += Label('Severity', severity)
        confidence = indicator.get('confidence', dict()).get('displayName')
        updated += Label('Confidence', confidence)
        kind = indicator.get('indicatorType', dict()).get('displayName')
        updated += Label('Indicator Type', kind)

        if indicator.get('description'):
            # Source newlines become <br/> separators.
            # NOTE(review): the text is feed-supplied and not escaped; escape
            # it if Label values render as HTML -- confirm.
            description = encode_to_utf8(indicator.get('description'))
            updated += Label('Description',
                             '<br/>'.join(description.split('\n')))

        response += updated
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err),
                              type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Silent exit: nothing tells the user the data was malformed.
        return response

    return response
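def dotransform(request, response, config):
    """Add one CoursesOfAction entity per course linked to an incident.

    The incident is fetched with ``get_incident`` using the id in the
    ``ThreatCentral.resourceId`` request field; without that field the
    response is returned unchanged.  Each entity is weighted by the course's
    ``tcScore`` (1 when absent or falsy) and labelled with its title and
    description.

    Lookup and attribute failures become ``PartialError`` UI messages; a
    ``TypeError`` ends the transform without any message.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        # Named for what get_incident returns; the original bound it to
        # `coa` and then reused that name as the loop variable.
        incident = get_incident(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # `or []` covers a missing key and an explicit null alike; the former
        # `len(...) is not 0` compared object identity with an int literal.
        for coa in incident.get('coursesOfAction') or []:
            score = coa.get('tcScore')
            weight = int(score) if score else 1

            e = CoursesOfAction(encode_to_utf8(coa.get('title')),
                                weight=weight)
            e.title = encode_to_utf8(coa.get('title'))
            e += Label('Title', encode_to_utf8(coa.get('title')))
            e.resourceId = coa.get('resourceId')

            if coa.get('description'):
                # NOTE(review): feed-supplied text is joined with <br/>
                # unescaped; escape it if Label values render as HTML --
                # confirm.
                e += Label(
                    'Description', '<br/>'.join(
                        encode_to_utf8(
                            coa.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err),
                              type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Malformed data is swallowed here: no message reaches the user.
        return response

    return response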
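def dotransform(request, response, config):
    """Search Threat Central incidents for ``request.value``.

    Every search hit that carries a non-empty ``resource`` becomes one
    ``Incident`` entity, weighted by the hit's ``tcScore`` (1 when absent),
    with labels for the category, asset, effect, discovery-method and
    description fields that are present. Errors are reported as
    ``PartialError`` UI messages.

    :param request: transform request (``value`` is the search term).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    try:
        incidents = search_incident(request.value)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    # (label caption, key in the incident resource), in display order.
    list_labels = (
        ('Incident Category', 'incidentCategory'),
        ('Affected Asset', 'affectedAsset'),
        ('Incident Effect', 'incidentEffect'),
        ('Discovery Method', 'discoveryMethod'),
    )

    try:
        for hit in incidents:
            weight = int(hit.get('tcScore')) if hit.get('tcScore') else 1
            incident = hit.get('resource')
            if not incident:
                continue

            title = encode_to_utf8(incident.get('title'))
            e = Incident(title, weight=weight)
            e.title = title
            e.resourceId = incident.get('resourceId')
            e.reportedOn = incident.get('reportedOn')
            e += Label('Reported On', incident.get('reportedOn'))

            # Truthiness replaces the former ``len(...) is not 0`` identity
            # comparison; a null list no longer aborts the whole transform
            # through the TypeError handler below.
            for caption, key in list_labels:
                entries = incident.get(key)
                if entries:
                    e += Label(caption, '<br/>'.join(
                        [encode_to_utf8(entry.get('displayName'))
                         for entry in entries]))

            if incident.get('description'):
                # NOTE(review): feed text is placed in '<br/>'-joined labels
                # without HTML escaping -- confirm that the label renderer or
                # the upstream API neutralises markup.
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(incident.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Unexpected value type in the feed: return what was collected so far.
        return response

    return response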
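def dotransform(request, response, config):
    """Add the Indicators linked to a Threat Central case.

    The case is fetched with ``get_case`` using the
    ``ThreatCentral.resourceId`` field of the request; when that field is
    absent the response is returned untouched. Each entry of the case's
    ``indicators`` list becomes one ``Indicator`` entity with severity,
    confidence, type and (when present) description labels.

    :param request: transform request (``fields`` is read).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        case = get_case(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # Show linked Indicators. Truthiness replaces the former
        # ``len(...) is not 0`` identity comparison with an int literal, so
        # a missing, empty or null list is simply skipped.
        for indicator in case.get('indicators') or []:
            weight = int(indicator.get('tcScore')) if indicator.get('tcScore') else 1
            title = encode_to_utf8(indicator.get('title'))

            e = Indicator(title, weight=weight)
            e.title = title
            e.resourceId = indicator.get('resourceId')

            e += Label('Severity', indicator.get('severity', dict()).get('displayName'))
            e += Label('Confidence', indicator.get('confidence', dict()).get('displayName'))
            e += Label('Indicator Type', indicator.get('indicatorType', dict()).get('displayName'))

            if indicator.get('description'):
                # NOTE(review): feed text is placed in a '<br/>'-joined label
                # without HTML escaping -- confirm that the label renderer or
                # the upstream API neutralises markup.
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(indicator.get('description')).split('\n')))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Unexpected value type in the feed: return what was collected so far.
        return response

    return response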
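def dotransform(request, response, config):
    """Refresh an Indicator entity and add its file-hash observables.

    The indicator is fetched with ``get_indicator`` using the
    ``ThreatCentral.resourceId`` field of the request; when that field is
    absent the response is returned untouched. The indicator itself is
    re-emitted with severity, confidence and type filled in, followed by one
    ``FileHash`` entity per hash of every observable whose type value is
    ``FILE_HASH``.

    :param request: transform request (``fields`` and ``value`` are read).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # Update the Indicator entity the transform was run on.
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')

        severity = indicator.get('severity', dict()).get('displayName')
        confidence = indicator.get('confidence', dict()).get('displayName')
        indicator_type = indicator.get('indicatorType', dict()).get('displayName')

        e.severity = severity
        e.confidence = confidence
        e.indicatorType = indicator_type

        e += Label('Severity', severity)
        e += Label('Confidence', confidence)
        e += Label('Indicator Type', indicator_type)

        if indicator.get('description'):
            # NOTE(review): feed text is placed in a '<br/>'-joined label
            # without HTML escaping -- confirm that the label renderer or
            # the upstream API neutralises markup.
            e += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))
        response += e

        # Truthiness replaces the former ``len(...) is not 0`` identity
        # comparison with an int literal, so a missing, empty or null
        # observables list is simply skipped.
        for observable in indicator.get('observables') or []:
            if upper(observable.get('type', dict()).get('value')) != 'FILE_HASH':
                continue

            # The 'sighting' value, when present, is used as the weight.
            if observable.get('sighting'):
                weight = int(observable.get('sighting'))
            else:
                weight = 1

            for filehash in observable.get('fileHashes', list()):
                fh = FileHash(filehash.get('value'), weight=weight)
                fh.value = filehash.get('value')
                fh.htype = filehash.get('type')
                fh.resourceId = observable.get('resourceId')

                response += fh

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Unexpected value type in the feed: return what was collected so far.
        return response

    return response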
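def dotransform(request, response, config):
    """Add the Actors linked to a Threat Central incident.

    The incident is fetched with ``get_incident`` using the
    ``ThreatCentral.resourceId`` field of the request; when that field is
    absent the response is returned untouched. Each entry of the incident's
    ``actors`` list that has a name or a title becomes one ``Actor`` entity
    carrying the fields that are present as properties and labels.

    :param request: transform request (``fields`` is read).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    try:
        from html import escape  # Python 3
    except ImportError:
        from cgi import escape  # Python 2

    def _esc(value):
        # Same text str.format would have inserted, with &, <, > and "
        # replaced so a feed value cannot close the href attribute or add tags.
        return escape('{}'.format(value), True)

    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        incident = get_incident(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # Show linked actors. Truthiness replaces the former
        # ``len(...) is not 0`` identity comparison with an int literal.
        for actor in incident.get('actors') or []:
            weight = int(actor.get('tcScore')) if actor.get('tcScore') else 1

            if actor.get('name'):
                e = Actor(encode_to_utf8(actor.get('name')), weight=weight)
                e.name = encode_to_utf8(actor.get('name'))
                e.actor = encode_to_utf8(actor.get('name'))
            elif actor.get('title'):
                e = Actor(encode_to_utf8(actor.get('title')), weight=weight)
            else:
                # Neither name nor title: previously ``e`` was unbound here
                # (or still pointed at the previous actor's entity).
                continue

            e.title = encode_to_utf8(actor.get('title'))
            e.resourceId = actor.get('resourceId')
            if actor.get('organization'):
                e.organization = encode_to_utf8(actor.get('organization'))
            if actor.get('aliases'):
                e.aliases = actor.get('aliases')
            if actor.get('country'):
                e.country = encode_to_utf8(actor.get('country', dict()).get('displayName'))
            if actor.get('score'):
                e.score = actor.get('score')

            # href/url/title come from the remote feed and are interpolated
            # into markup, so they are escaped first.
            # NOTE(review): the URL scheme is not validated here.
            if actor.get('links'):
                e += Label('Links', '<br/>'.join(
                    ['<a href="{}">{}</a>'.format(_esc(link.get('href')),
                                                  _esc(link.get('href')))
                     for link in actor.get('links')]))
            if actor.get('hyperlinks'):
                e += Label('Hyperlinks', '<br/>'.join(
                    ['<a href="{}">{}</a>'.format(_esc(link.get('url')),
                                                  _esc(link.get('title')))
                     for link in actor.get('hyperlinks')]))

            if actor.get('title'):
                e += Label('Title', encode_to_utf8(actor.get('title')))
            if actor.get('resourceId'):
                e += Label('ResourceID', actor.get('resourceId'))

            # NOTE(review): the remaining labels pass feed text through
            # without HTML escaping -- confirm that the label renderer or the
            # upstream API neutralises markup.
            if actor.get('aliases'):
                e += Label('Aliases', '<br/>'.join(
                    [encode_to_utf8(alias) for alias in actor.get('aliases', '')]))
            if actor.get('description'):
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(actor.get('description', '')).split('\n')))

            if actor.get('country'):
                e += Label('Country', encode_to_utf8(actor.get('country', dict()).get('displayName')))
            if actor.get('organization'):
                e += Label('Organization', encode_to_utf8(actor.get('organization')))

            for caption, key in (('Types', 'types'),
                                 ('Motivations', 'motivations'),
                                 ('Intended Effects', 'intendedEffects')):
                if actor.get(key):
                    e += Label(caption, '<br/>'.join(
                        [encode_to_utf8(item.get('displayName'))
                         for item in actor.get(key)]))

            if actor.get('sophistication'):
                e += Label('Sophistication', actor.get('sophistication', dict()).get('displayName'))

            for caption, key in (('Social Media', 'socialMediaText'),
                                 ('More Info', 'moreInfo')):
                if actor.get(key):
                    e += Label(caption, '<br/>'.join(
                        encode_to_utf8(actor.get(key, '')).split('\n')))

            if actor.get('score'):
                e += Label('Score', actor.get('score'))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Unexpected value type in the feed: return what was collected so far.
        return response

    return response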
def dotransform(request, response, config):
    """Run a Threat Central search for ``request.value``.

    Each hit is turned into the entity class matching its lower-cased
    ``type`` (``Phrase`` for anything unrecognised), weighted by ``tcScore``
    (1 when absent), and added to ``response`` with its title, id and an
    optional description label. Errors are reported as ``PartialError`` UI
    messages.

    :param request: transform request (``value`` is the search term).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    try:
        hits = search(request.value)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for hit in hits:
            kind = lower(hit.get('type'))
            weight = int(hit.get('tcScore')) if hit.get('tcScore') else 1

            # Title ID Description
            if kind == 'actor':
                # An Actor hit can have an empty title; in that case the
                # name stored on the nested resource is used instead.
                if hit.get('title'):
                    entity = Actor(encode_to_utf8(hit.get('title')), weight=weight)
                else:
                    entity = Actor(
                        encode_to_utf8(hit.get('resource', dict()).get('name')),
                        weight=weight)
                    entity.name = encode_to_utf8(
                        hit.get('resource', dict()).get('name'))
                    entity.actor = encode_to_utf8(
                        hit.get('resource', dict()).get('name'))
            elif kind == 'case':
                entity = Case(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'coursesofactions':
                entity = CoursesOfAction(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'indicator':
                entity = Indicator(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'incident':
                entity = Incident(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'ttp':
                entity = TTP(encode_to_utf8(hit.get('title')), weight=weight)
            else:
                # Unknown type: fall back to a generic entity and log the type.
                entity = Phrase(encode_to_utf8(hit.get('title')), weight=weight)
                debug(kind)

            entity.title = encode_to_utf8(hit.get('title'))
            entity.resourceId = hit.get('id')

            if hit.get('description'):
                description = encode_to_utf8(hit.get('description', ''))
                entity += Label('Description', '<br/>'.join(description.split('\n')))

            response += entity

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        return response

    return response
def dotransform(request, response, config):
    if 'ThreatCentral.resourceId' in request.fields:
        try:
            case = get_case(request.fields['ThreatCentral.resourceId'])
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        else:
            try:
                # Show linked Indicators
                if len(case.get('indicators', list())) is not 0:
                    for indicator in case.get('indicators'):
                        if indicator.get('tcScore'):
                            weight = int(indicator.get('tcScore'))
                        else:
                            weight = 1
                        e = Indicator(encode_to_utf8(indicator.get('title')),
                                      weight=weight)
                        e.title = encode_to_utf8(indicator.get('title'))
                        e.resourceId = indicator.get('resourceId')

                        e += Label(
                            'Severity',
                            indicator.get('severity',
                                          dict()).get('displayName'))
                        e += Label(
                            'Confidence',
                            indicator.get('confidence',
                                          dict()).get('displayName'))
                        e += Label(
                            'Indicator Type',
                            indicator.get('indicatorType',
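def dotransform(request, response, config):
    """Search Threat Central actors for ``request.value``.

    Every hit of type ``actor`` with a non-empty ``resource`` that has a name
    or a title becomes one ``Actor`` entity carrying the fields that are
    present as properties and labels. The first entity added gets a distinct
    link colour.

    :param request: transform request (``value`` is the search term).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    try:
        from html import escape  # Python 3
    except ImportError:
        from cgi import escape  # Python 2

    def _esc(value):
        # Same text str.format would have inserted, with &, <, > and "
        # replaced so a feed value cannot close the href attribute or add tags.
        return escape('{}'.format(value), True)

    first_marked = False
    # NOTE(review): search_actor() is called outside the try block, so an
    # error it raises is not converted into a UI message here.
    for actor in search_actor(request.value):
        try:
            rtype = lower(actor.get('type'))
            weight = int(actor.get('tcScore')) if actor.get('tcScore') else 1
            actor = actor.get('resource')

            # Truthiness replaces the former ``len(actor) is not 0`` identity
            # comparison; a hit without a resource is skipped instead of
            # ending the whole transform through the TypeError handler.
            if not actor or rtype != 'actor':
                continue

            if actor.get('name'):
                e = Actor(encode_to_utf8(actor.get('name')), weight=weight)
                e.name = encode_to_utf8(actor.get('name'))
                e.actor = encode_to_utf8(actor.get('name'))
            elif actor.get('title'):
                # Weight is passed here too, as in the name branch.
                e = Actor(encode_to_utf8(actor.get('title')), weight=weight)
            else:
                # Neither name nor title: previously ``e`` was unbound here
                # (or still pointed at the previous actor's entity).
                continue

            e.title = encode_to_utf8(actor.get('title'))
            e.resourceId = actor.get('resourceId')
            if actor.get('organization'):
                e.organization = encode_to_utf8(actor.get('organization'))
            if actor.get('aliases'):
                e.aliases = actor.get('aliases')
            if actor.get('country'):
                e.country = encode_to_utf8(actor.get('country', dict()).get('displayName'))
            if actor.get('score'):
                e.score = actor.get('score')

            # href/url/title come from the remote feed and are interpolated
            # into markup, so they are escaped first.
            # NOTE(review): the URL scheme is not validated here.
            if actor.get('links'):
                e += Label('Links', '<br/>'.join(
                    ['<a href="{}">{}</a>'.format(_esc(link.get('href')),
                                                  _esc(link.get('href')))
                     for link in actor.get('links')]))
            if actor.get('hyperlinks'):
                e += Label('Hyperlinks', '<br/>'.join(
                    ['<a href="{}">{}</a>'.format(_esc(link.get('url')),
                                                  _esc(link.get('title')))
                     for link in actor.get('hyperlinks')]))

            if actor.get('title'):
                e += Label('Title', encode_to_utf8(actor.get('title')))
            if actor.get('resourceId'):
                e += Label('ResourceID', actor.get('resourceId'))

            # NOTE(review): the remaining labels pass feed text through
            # without HTML escaping -- confirm that the label renderer or the
            # upstream API neutralises markup.
            if actor.get('aliases'):
                e += Label('Aliases', '<br/>'.join(
                    [encode_to_utf8(alias) for alias in actor.get('aliases', '')]))
            if actor.get('description'):
                e += Label('Description', '<br/>'.join(
                    encode_to_utf8(actor.get('description', '')).split('\n')))

            if actor.get('country'):
                e += Label('Country', encode_to_utf8(actor.get('country', dict()).get('displayName')))
            if actor.get('organization'):
                e += Label('Organization', encode_to_utf8(actor.get('organization')))

            for caption, key in (('Types', 'types'),
                                 ('Motivations', 'motivations'),
                                 ('Intended Effects', 'intendedEffects')):
                if actor.get(key):
                    e += Label(caption, '<br/>'.join(
                        [encode_to_utf8(item.get('displayName'))
                         for item in actor.get(key)]))

            if actor.get('sophistication'):
                e += Label('Sophistication', actor.get('sophistication', dict()).get('displayName'))

            for caption, key in (('Social Media', 'socialMediaText'),
                                 ('More Info', 'moreInfo')):
                if actor.get(key):
                    e += Label(caption, '<br/>'.join(
                        encode_to_utf8(actor.get(key, '')).split('\n')))

            if actor.get('score'):
                e += Label('Score', actor.get('score'))

            # Only the first entity added gets the highlight colour.
            if not first_marked:
                first_marked = True
                e.linkcolor = "0xf90000"

            response += e

        except AttributeError as err:
            # Formatted like the sibling transforms instead of passing the
            # exception object itself as the message.
            response += UIMessage('Error: {}'.format(err), type='PartialError')
            continue
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        except TypeError:
            # Unexpected value type in the feed: return what was collected.
            return response

    return response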
def dotransform(request, response, config):
    """Run a one-page, ten-result Threat Central search for ``request.value``.

    Each hit is turned into the entity class matching its lower-cased
    ``type`` (``Phrase`` for anything unrecognised), weighted by ``tcScore``
    (1 when absent), and added to ``response`` with its title, id and an
    optional description label. Errors are reported as ``PartialError`` UI
    messages.

    :param request: transform request (``value`` is the search term).
    :param response: response object that entities and messages are added to.
    :param config: not used by this transform.
    :returns: ``response``.
    """
    try:
        hits = search(request.value, size=10, pages=1)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for hit in hits:
            kind = lower(hit.get('type'))
            weight = int(hit.get('tcScore')) if hit.get('tcScore') else 1

            # Title ID Description
            if kind == 'actor':
                # An Actor hit can have an empty title; in that case the
                # name stored on the nested resource is used instead.
                if hit.get('title'):
                    entity = Actor(encode_to_utf8(hit.get('title')), weight=weight)
                else:
                    entity = Actor(
                        encode_to_utf8(hit.get('resource', dict()).get('name')),
                        weight=weight)
                    entity.name = encode_to_utf8(
                        hit.get('resource', dict()).get('name'))
                    entity.actor = encode_to_utf8(
                        hit.get('resource', dict()).get('name'))
            elif kind == 'case':
                entity = Case(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'coursesofactions':
                entity = CoursesOfAction(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'indicator':
                entity = Indicator(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'incident':
                entity = Incident(encode_to_utf8(hit.get('title')), weight=weight)
            elif kind == 'ttp':
                entity = TTP(encode_to_utf8(hit.get('title')), weight=weight)
            else:
                # Unknown type: fall back to a generic entity and log the type.
                entity = Phrase(encode_to_utf8(hit.get('title')), weight=weight)
                debug(kind)

            entity.title = encode_to_utf8(hit.get('title'))
            entity.resourceId = hit.get('id')

            if hit.get('description'):
                description = encode_to_utf8(hit.get('description', ''))
                entity += Label('Description', '<br/>'.join(description.split('\n')))

            response += entity

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        return response

    return response
        try:
            case = get_case(request.fields['ThreatCentral.resourceId'])
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        else:
            try:
                # Show linked TTP's
                if len(case.get('tacticsTechniquesAndProcedures',
                                list())) is not 0:
                    for ttp in case.get('tacticsTechniquesAndProcedures'):
                        if ttp.get('tcScore'):
                            weight = int(ttp.get('tcScore'))
                        else:
                            weight = 1

                        e = TTP(encode_to_utf8(ttp.get('title')),
                                weight=weight)
                        e.title = encode_to_utf8(ttp.get('title'))
                        e.resourceId = ttp.get('resourceId')
                        response += e

            except AttributeError as err:
                response += UIMessage('Error: {}'.format(err),
                                      type='PartialError')
            except ThreatCentralError as err:
                response += UIMessage(err.value, type='PartialError')
            except TypeError:
                return response

    return response
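def dotransform(request, response, config):
    """Resolve an Actor entity against Threat Central.

    When the entity carries a 'ThreatCentral.resourceId' field the actor is
    fetched directly: the Actor entity is refreshed, a Location is added for
    its country, and Twitter / Facebook / URL / EmailAddress entities are
    added for whatever search_for_usable_info() returns for its free-text
    fields. Without that field, request.value is used as a search term and
    each hit of type 'actor' becomes an Actor entity; the first one added
    gets linkcolor 0xf90000.

    Threat Central errors are reported as 'PartialError' UI messages. The
    response is returned in every case, possibly only partly filled.
    """
    # Imported locally because the file-level import block is not part of
    # this block.
    from xml.sax.saxutils import escape

    def html_text(value):
        # Render the value the way '{}'.format() does, then escape &, <, >
        # and " so a field returned by the API cannot add markup or close
        # the href attribute it is placed in.
        return escape('{}'.format(value), {'"': '&quot;'})

    def anchor(href, text):
        return '<a href="{}">{}</a>'.format(html_text(href), html_text(text))

    def br_lines(text):
        # NOTE(review): free text goes into the label markup unescaped;
        # confirm whether the API returns plain text here and escape it if so.
        return '<br/>'.join(encode_to_utf8(text).split('\n'))

    def display_name(record, key):
        return encode_to_utf8(record.get(key, dict()).get('displayName'))

    def br_names(items):
        return '<br/>'.join(
            [encode_to_utf8(item.get('displayName')) for item in items])

    def weight_of(record):
        return int(record.get('tcScore')) if record.get('tcScore') else 1

    def fill_fields(entity, record):
        # Entity properties shared by the search path and the direct path.
        entity.title = encode_to_utf8(record.get('title'))
        entity.resourceId = record.get('resourceId')
        if record.get('organization'):
            entity.organization = encode_to_utf8(record.get('organization'))
        if record.get('aliases'):
            entity.aliases = ', '.join(
                [encode_to_utf8(alias) for alias in record.get('aliases')])
        if record.get('country'):
            entity.country = display_name(record, 'country')
        if record.get('score'):
            entity.score = record.get('score')

    def add_labels(entity, record):
        # Display labels shared by both paths. The entity is returned because
        # += may rebind the name it is applied to.
        if record.get('links'):
            entity += Label('Links', '<br/>'.join(
                [anchor(link.get('href'), link.get('href'))
                 for link in record.get('links')]))
        if record.get('hyperlinks'):
            entity += Label('Hyperlinks', '<br/>'.join(
                [anchor(link.get('url'), link.get('title'))
                 for link in record.get('hyperlinks')]))
        if record.get('title'):
            entity += Label('Title', encode_to_utf8(record.get('title')))
        if record.get('resourceId'):
            entity += Label('ResourceID', record.get('resourceId'))
        if record.get('aliases'):
            entity += Label('Aliases', '<br/>'.join(
                [encode_to_utf8(alias) for alias in record.get('aliases')]))
        if record.get('description'):
            entity += Label('Description',
                            br_lines(record.get('description')))
        if record.get('country'):
            entity += Label('Country', display_name(record, 'country'))
        if record.get('organization'):
            entity += Label('Organization',
                            encode_to_utf8(record.get('organization')))
        if record.get('types'):
            entity += Label('Types', br_names(record.get('types')))
        if record.get('motivations'):
            entity += Label('Motivations',
                            br_names(record.get('motivations')))
        if record.get('intendedEffects'):
            entity += Label('Intended Effects',
                            br_names(record.get('intendedEffects')))
        if record.get('sophistication'):
            entity += Label('Sophistication',
                            display_name(record, 'sophistication'))
        if record.get('socialMediaText'):
            entity += Label('Social Media',
                            br_lines(record.get('socialMediaText')))
        if record.get('moreInfo'):
            entity += Label('More Info', br_lines(record.get('moreInfo')))
        if record.get('score'):
            entity += Label('Score', record.get('score'))
        return entity

    try:
        actor = get_actor(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response
    except KeyError:
        # No resource id on the entity: fall back to a text search.
        try:
            actors = search_actor(request.value)
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
            return response

        first_marked = False
        for hit in actors:
            try:
                rtype = lower(hit.get('type'))
                actor = hit.get('resource')
                # NOTE(review): tcScore is read from the unwrapped resource,
                # not from the search hit; confirm which level carries it.
                weight = weight_of(actor)

                if not actor or rtype != 'actor':
                    continue

                if actor.get('name'):
                    name = encode_to_utf8(actor.get('name'))
                    e = Actor(name, weight=weight)
                    e.name = name
                    e.actor = name
                elif actor.get('title'):
                    e = Actor(encode_to_utf8(actor.get('title')),
                              weight=weight)
                else:
                    # Nothing to name the entity with. Without this guard the
                    # code below would use an unbound name, or the entity
                    # left over from the previous hit.
                    continue

                fill_fields(e, actor)
                e = add_labels(e, actor)

                if not first_marked:
                    first_marked = True
                    e.linkcolor = "0xf90000"

                response += e

            except AttributeError as err:
                response += UIMessage('Error: {}'.format(err),
                                      type='PartialError')
            except ThreatCentralError as err:
                response += UIMessage(err.value, type='PartialError')
            except TypeError:
                # Malformed record: return what has been collected so far.
                return response
    else:
        if actor:
            try:
                # Update entity?
                e = Actor(request.value, weight=weight_of(actor))
                if actor.get('name'):
                    name = encode_to_utf8(actor.get('name'))
                    e.name = name
                    e.actor = name

                fill_fields(e, actor)
                if actor.get('country'):
                    # Add Location entity
                    response += Location(display_name(actor, 'country'))

                e = add_labels(e, actor)
                response += e

                # Extract e-mail addresses and profile URLs. These values are
                # taken from free text on the record and are added to the
                # graph as-is, so they are leads, not verified attributes.
                usable_info = search_for_usable_info('{} {} {}'.format(
                    encode_to_utf8(actor.get('description')),
                    encode_to_utf8(actor.get('socialMediaText')),
                    encode_to_utf8(actor.get('moreInfo'))))
                if usable_info:
                    debug(usable_info)
                    try:
                        urls = usable_info.get('url', dict())
                        for twitter in urls.get('twitter', list()):
                            t = Twitter(twitter.get('name'))
                            t.uid = twitter.get('name')
                            t.set_field('affiliation.profile-url',
                                        twitter.get('url'))
                            response += t

                        for facebook in urls.get('facebook', list()):
                            f = Facebook(facebook.get('name'))
                            f.uid = facebook.get('name')
                            f.set_field('affiliation.profile-url',
                                        facebook.get('url'))
                            response += f

                        for other in urls.get('other', list()):
                            u = URL(other)
                            u.url = other
                            response += u

                        for email in usable_info.get('email', list()):
                            response += EmailAddress(email)

                    except AttributeError as err:
                        response += UIMessage('Error: {}'.format(err))

            except AttributeError as err:
                response += UIMessage('Error: {}'.format(err),
                                      type='PartialError')
            except ThreatCentralError as err:
                response += UIMessage(err.value, type='PartialError')
            except TypeError:
                # Malformed record: return what has been collected so far.
                return response

    return response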
Beispiel #27
        try:
            case = get_case(request.fields['ThreatCentral.resourceId'])
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')

        else:
            try:
                # Show coursesOfAction
                if len(case.get('coursesOfAction', list())) is not 0:
                    for coa in case.get('coursesOfAction'):
                        if coa.get('tcScore'):
                            weight = int(coa.get('tcScore'))
                        else:
                            weight = 1

                        e = CoursesOfAction(encode_to_utf8(coa.get('title')),
                                            weight=weight)
                        e.title = encode_to_utf8(coa.get('title'))
                        e.resourceId = coa.get('resourceId')
                        if coa.get('text'):
                            e += Label(
                                'Text', '<br/>'.join(
                                    encode_to_utf8(
                                        coa.get('text')).split('\n')))

                        response += e

            except AttributeError as err:
                response += UIMessage('Error: {}'.format(err),
                                      type='PartialError')
            except ThreatCentralError as err:
                    e += Label('Importance Score', case.get('importanceScore'))
                if case.get('importanceLevel'):
                    e.importanceLevel = case.get('importanceLevel')
                    e += Label('Importance Level', case.get('importanceLevel'))

                # Show comments
                if len(case.get('comments', list())) is not 0:
                    e += Label('Comments', '<br/>'.join(['{}<br/>'.format(_.get('text'))
                                                         for _ in encode_to_utf8(case.get('comments'))]))

                response += e

                # Show Hyperlinks
                if len(case.get('hyperlinks', list())) is not 0:
                    for hyperlink in case.get('hyperlinks'):
                        e = Hyperlinks(encode_to_utf8(hyperlink.get('title')))
                        e.title = encode_to_utf8(hyperlink.get('title'))
                        e.resourceId = hyperlink.get('resourceId')
                        e.url = hyperlink.get('url')
                        e += Label('Title', encode_to_utf8(hyperlink.get('title')))
                        e += Label('Resource ID', hyperlink.get('resourceId'))
                        e += Label('url', hyperlink.get('url'))

                        response += e

                # Show Attachments
                if len(case.get('attachments', list())) is not 0:
                    for attachment in case.get('attachments'):
                        e = Attachments(encode_to_utf8(attachment.get('name')))
                        e.name = encode_to_utf8(attachment.get('name'))
                        e.resourceId = attachment.get('resourceId')
Beispiel #29
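def dotransform(request, response, config):
    """Refresh an Actor entity from Threat Central and add its linked TTPs.

    Does nothing unless the incoming entity carries a
    'ThreatCentral.resourceId' field. A failed lookup is reported as a
    'PartialError' UI message. The response is returned in every case,
    possibly only partly filled.
    """
    # Imported locally because the file-level import block is not part of
    # this block.
    from xml.sax.saxutils import escape

    def html_text(value):
        # Render the value the way '{}'.format() does, then escape &, <, >
        # and " so a field returned by the API cannot add markup or close
        # the href attribute it is placed in.
        return escape('{}'.format(value), {'"': '&quot;'})

    def anchor(href, text):
        return '<a href="{}">{}</a>'.format(html_text(href), html_text(text))

    def br_lines(text):
        # NOTE(review): free text goes into the label markup unescaped;
        # confirm whether the API returns plain text here and escape it if so.
        return '<br/>'.join(encode_to_utf8(text).split('\n'))

    def display_name(record, key):
        return encode_to_utf8(record.get(key, dict()).get('displayName'))

    def br_names(items):
        return '<br/>'.join(
            [encode_to_utf8(item.get('displayName')) for item in items])

    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        actor = get_actor(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        # Update entity?
        e = Actor(request.value)
        if actor.get('name'):
            name = encode_to_utf8(actor.get('name'))
            e.name = name
            e.actor = name

        e.title = encode_to_utf8(actor.get('title'))
        e.resourceId = actor.get('resourceId')
        if actor.get('organization'):
            e.organization = encode_to_utf8(actor.get('organization'))
        if actor.get('aliases'):
            e.aliases = actor.get('aliases')
        if actor.get('country'):
            e.country = display_name(actor, 'country')
        if actor.get('score'):
            e.score = actor.get('score')

        if actor.get('links'):
            e += Label('Links', '<br/>'.join(
                [anchor(link.get('href'), link.get('href'))
                 for link in actor.get('links')]))
        if actor.get('hyperlinks'):
            e += Label('Hyperlinks', '<br/>'.join(
                [anchor(link.get('url'), link.get('title'))
                 for link in actor.get('hyperlinks')]))

        if actor.get('title'):
            e += Label('Title', encode_to_utf8(actor.get('title')))
        if actor.get('resourceId'):
            e += Label('ResourceID', actor.get('resourceId'))
        if actor.get('aliases'):
            e += Label('Aliases', '<br/>'.join(
                [encode_to_utf8(alias) for alias in actor.get('aliases')]))
        if actor.get('description'):
            e += Label('Description', br_lines(actor.get('description')))
        if actor.get('country'):
            e += Label('Country', display_name(actor, 'country'))
        if actor.get('organization'):
            e += Label('Organization',
                       encode_to_utf8(actor.get('organization')))
        if actor.get('types'):
            e += Label('Types', br_names(actor.get('types')))
        if actor.get('motivations'):
            e += Label('Motivations', br_names(actor.get('motivations')))
        if actor.get('intendedEffects'):
            e += Label('Intended Effects',
                       br_names(actor.get('intendedEffects')))
        if actor.get('sophistication'):
            e += Label('Sophistication',
                       display_name(actor, 'sophistication'))
        if actor.get('socialMediaText'):
            e += Label('Social Media',
                       br_lines(actor.get('socialMediaText')))
        if actor.get('moreInfo'):
            e += Label('More Info', br_lines(actor.get('moreInfo')))
        if actor.get('score'):
            e += Label('Score', actor.get('score'))

        response += e

        # Add entities: linked TTPs become entities of their own.
        for ttp in actor.get('tacticsTechniquesAndProcedures') or []:
            # The weight belongs to the TTP being added. Reading it from the
            # parent actor made int(None) raise TypeError, which ends the
            # transform early, whenever the actor itself had no tcScore.
            weight = int(ttp.get('tcScore')) if ttp.get('tcScore') else 1

            t = TTP(encode_to_utf8(ttp.get('title')), weight=weight)
            t.title = encode_to_utf8(ttp.get('title'))
            t.resourceId = ttp.get('resourceId')
            response += t

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err))
    except TypeError:
        # Malformed record: return what has been collected so far.
        return response

    return response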
Beispiel #30
    if 'ThreatCentral.resourceId' in request.fields:
        try:
            case = get_case(request.fields['ThreatCentral.resourceId'])
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')

        else:
            try:
                # Show incidents
                if len(case.get('incidents', list())) is not 0:
                    for incident in case.get('incidents'):
                        if incident.get('tcScore'):
                            weight = int(incident.get('tcScore'))
                        else:
                            weight = 1
                        e = Incident(encode_to_utf8(incident.get('title')),
                                     weight=weight)
                        e.title = encode_to_utf8(incident.get('title'))
                        e.resourceId = incident.get('resourceId')
                        e.reportedOn = incident.get('reportedOn')
                        e += Label('Reported On', incident.get('reportedOn'))

                        if len(incident.get('incidentCategory',
                                            list())) is not 0:
                            e += Label(
                                'Incident Category', '<br/>'.join([
                                    encode_to_utf8(_.get('displayName'))
                                    for _ in incident.get(
                                        'incidentCategory', list())
                                ]))
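def dotransform(request, response, config):
    """Resolve a Case entity against Threat Central.

    When the entity carries a 'ThreatCentral.resourceId' field the case is
    fetched directly: the Case entity is refreshed and its hyperlinks and
    attachments are added as Hyperlinks / Attachments entities. Without that
    field, request.value is used as a search term and one Case entity is
    added per hit.

    Threat Central errors are reported as 'PartialError' UI messages. The
    response is returned in every case, possibly only partly filled.
    """
    # Imported locally because the file-level import block is not part of
    # this block.
    from xml.sax.saxutils import escape

    def html_text(value):
        # Render the value the way '{}'.format() does, then escape &, <, >
        # and " so a field returned by the API cannot add markup or close
        # the href attribute it is placed in.
        return escape('{}'.format(value), {'"': '&quot;'})

    def anchor(href, text):
        return '<a href="{}">{}</a>'.format(html_text(href), html_text(text))

    def br_lines(text):
        # NOTE(review): free text goes into the label markup unescaped;
        # confirm whether the API returns plain text here and escape it if so.
        return '<br/>'.join(encode_to_utf8(text).split('\n'))

    def comments_label(record):
        # NOTE(review): encode_to_utf8() is handed the whole comment list and
        # its result is iterated as dicts; confirm it accepts a list. Comment
        # text is written into the markup unescaped.
        return Label('Comments', '<br/>'.join(
            ['{}<br/>'.format(comment.get('text'))
             for comment in encode_to_utf8(record.get('comments'))]))

    def add_importance(entity, record):
        # The entity is returned because += may rebind the name.
        if record.get('importanceScore'):
            entity.importanceScore = record.get('importanceScore')
            entity += Label('Importance Score',
                            record.get('importanceScore'))
        if record.get('importanceLevel'):
            entity.importanceLevel = record.get('importanceLevel')
            entity += Label('Importance Level',
                            record.get('importanceLevel'))
        return entity

    try:
        case = get_case(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response
    except KeyError:
        # No resource id on the entity: fall back to a text search.
        try:
            cases = search_case(request.value)
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
            return response

        try:
            for hit in cases:
                weight = int(hit.get('tcScore')) if hit.get('tcScore') else 1

                case = hit.get('resource')
                e = Case(encode_to_utf8(case.get('title')), weight=weight)
                e.title = encode_to_utf8(case.get('title'))
                e.resourceId = case.get('resourceId')

                e = add_importance(e, case)

                # Show comments
                if case.get('comments'):
                    e += comments_label(case)
                if case.get('description'):
                    e += Label('Description',
                               br_lines(case.get('description')))

                response += e

        except AttributeError as err:
            response += UIMessage('Error: {}'.format(err),
                                  type='PartialError')
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        except TypeError:
            # Malformed record: return what has been collected so far.
            return response

    else:
        if case:
            try:
                # Update entity?
                e = Case(request.value)
                if case.get('title'):
                    title = encode_to_utf8(case.get('title'))
                    e.case = title
                    e.title = title
                    e += Label('Title', title)
                if case.get('resourceId'):
                    e += Label('ResourceID', case.get('resourceId'))
                if case.get('description'):
                    e += Label('Description',
                               br_lines(case.get('description')))
                e = add_importance(e, case)

                # Show comments
                if case.get('comments'):
                    e += comments_label(case)

                response += e

                # Show Hyperlinks
                for hyperlink in case.get('hyperlinks') or []:
                    h = Hyperlinks(encode_to_utf8(hyperlink.get('title')))
                    h.title = encode_to_utf8(hyperlink.get('title'))
                    h.resourceId = hyperlink.get('resourceId')
                    h.url = hyperlink.get('url')
                    h += Label('Title',
                               encode_to_utf8(hyperlink.get('title')))
                    h += Label('Resource ID', hyperlink.get('resourceId'))
                    h += Label('url', hyperlink.get('url'))

                    response += h

                # Show Attachments
                for attachment in case.get('attachments') or []:
                    a = Attachments(encode_to_utf8(attachment.get('name')))
                    a.name = encode_to_utf8(attachment.get('name'))
                    a.resourceId = attachment.get('resourceId')
                    a.atype = attachment.get('type')
                    a.size = attachment.get('size')
                    # The checksum is copied from the API record; nothing
                    # here checks a downloaded file against it.
                    a.checksum = attachment.get('checksum')
                    a.createDate = attachment.get('createDate')
                    if attachment.get('description'):
                        a += Label('Description',
                                   br_lines(attachment.get('description')))
                    for link in attachment.get('links') or []:
                        a += Label('Links',
                                   anchor(link.get('href'),
                                          link.get('href')) + '<br/>')

                    response += a

            except AttributeError as err:
                response += UIMessage('Error: {}'.format(err),
                                      type='PartialError')
            except ThreatCentralError as err:
                response += UIMessage(err.value, type='PartialError')
            except TypeError:
                # Malformed record: return what has been collected so far.
                return response

    return response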
Beispiel #32
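def dotransform(request, response, config):
    """Expand a Threat Central indicator into its registry-key observables.

    Looks up the indicator named by the ``ThreatCentral.resourceId`` field,
    re-emits the Indicator entity with its title, severity, confidence and
    indicator type, then adds one RegistryKey entity for every observable
    whose type value is ``REGISTRY_KEY``.

    Args:
        request: transform request; ``request.fields`` and ``request.value``
            are read.
        response: transform response; entities and UI messages are appended
            to it with ``+=``.
        config: not used by this transform.

    Returns:
        ``response``, whether or not anything was added to it.
    """
    # Imported locally so the function does not depend on the file's import
    # header; xml.sax.saxutils exists on both Python 2 and Python 3.
    from xml.sax.saxutils import escape

    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    if not indicator:
        return response

    try:
        severity = indicator.get('severity', dict()).get('displayName')
        confidence = indicator.get('confidence', dict()).get('displayName')
        indicator_type = indicator.get('indicatorType',
                                       dict()).get('displayName')

        # Update Indicator entity ?
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')
        e.severity = severity
        e.confidence = confidence
        e.indicatorType = indicator_type

        # NOTE(review): these label values come straight from the API and
        # are presumably rendered as HTML like the description below;
        # confirm whether they need escaping as well.
        e += Label('Severity', severity)
        e += Label('Confidence', confidence)
        e += Label('Indicator Type', indicator_type)

        description = indicator.get('description')
        if description:
            # The value is markup assembled here ('<br/>' between lines), so
            # the API-supplied text is escaped before it is embedded.
            e += Label(
                'Description', '<br/>'.join(
                    escape(line)
                    for line in encode_to_utf8(description).split('\n')))

        response += e

        # `or []` covers both a missing key and an explicit null; the
        # original compared len() to 0 with `is not`, an identity test.
        for observable in indicator.get('observables') or []:
            kind = observable.get('type', dict()).get('value')
            if upper(kind) != 'REGISTRY_KEY':
                continue

            # The sighting count is used as the entity weight.
            sighting = observable.get('sighting')
            try:
                weight = int(sighting) if sighting else 1
            except ValueError:
                # A non-numeric sighting should not abort the transform.
                weight = 1

            e = RegistryKey(observable.get('value'), weight=weight)
            e.value = observable.get('value')
            e.hive = observable.get('hive')
            e.key = observable.get('key')
            e.resourceId = observable.get('resourceId')
            # TODO: name, action, data and rtype are not populated; the
            # mapping from the API fields still has to be verified.

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Best effort: keep whatever was collected before the bad record.
        return response

    return response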
Beispiel #33
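def dotransform(request, response, config):
    """Expand a Threat Central indicator into its IP-address observables.

    Looks up the indicator named by the ``ThreatCentral.resourceId`` field,
    re-emits the Indicator entity with its title, severity, confidence and
    indicator type, then adds one IPv4Address entity for every observable
    whose type value is ``IP``.

    Args:
        request: transform request; ``request.fields`` and ``request.value``
            are read.
        response: transform response; entities and UI messages are appended
            to it with ``+=``.
        config: not used by this transform.

    Returns:
        ``response``, whether or not anything was added to it.
    """
    # Imported locally so the function does not depend on the file's import
    # header; xml.sax.saxutils exists on both Python 2 and Python 3.
    from xml.sax.saxutils import escape

    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        severity = indicator.get('severity', dict()).get('displayName')
        confidence = indicator.get('confidence', dict()).get('displayName')
        indicator_type = indicator.get('indicatorType',
                                       dict()).get('displayName')

        # Update Indicator entity ?
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')
        e.severity = severity
        e.confidence = confidence
        e.indicatorType = indicator_type

        # NOTE(review): these label values come straight from the API and
        # are presumably rendered as HTML like the description below;
        # confirm whether they need escaping as well.
        e += Label('Severity', severity)
        e += Label('Confidence', confidence)
        e += Label('Indicator Type', indicator_type)

        description = indicator.get('description')
        if description:
            # The value is markup assembled here ('<br/>' between lines), so
            # the API-supplied text is escaped before it is embedded.
            e += Label(
                'Description', '<br/>'.join(
                    escape(line)
                    for line in encode_to_utf8(description).split('\n')))

        response += e

        # `or []` covers both a missing key and an explicit null; the
        # original compared len() to 0 with `is not`, an identity test.
        for observable in indicator.get('observables') or []:
            kind = observable.get('type', dict()).get('value')
            if upper(kind) != 'IP':
                continue

            e = IPv4Address(observable.get('value'))
            e += Label('IP Address', observable.get('value'))
            if observable.get('port'):
                e += Label('Port', observable.get('port'))

            # Guarded so that an observable without a location (or without
            # a city) no longer passes None to upper() and still gets its
            # entity added.
            location = observable.get('location') or {}
            city = location.get('city')
            if location and (
                    city is None
                    or upper(city) != 'UNDEFINED_GEO_LOCATION_STRING'):
                # .items() instead of the Python-2-only .iteritems(); each
                # "key:value" line is escaped before being joined as markup.
                e += Label(
                    'Location', '<br/>'.join(
                        escape('{}:{}'.format(encode_to_utf8(k),
                                              encode_to_utf8(v)))
                        for k, v in location.items()))

            response += e

    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Best effort: keep whatever was collected before the bad record.
        return response

    return response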
Beispiel #34
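def dotransform(request, response, config):
    """Search Threat Central for actors and emit one Actor entity per hit.

    Every search result whose type is ``actor`` becomes an Actor entity
    named after the actor's name (or its title when there is no name), with
    labels for links, aliases, description, country, organization, types,
    motivations, intended effects, sophistication, social media, extra
    information and score. The first entity emitted gets a distinct link
    colour.

    Args:
        request: transform request; ``request.value`` is the search term.
        response: transform response; entities and UI messages are appended
            to it with ``+=``.
        config: not used by this transform.

    Returns:
        ``response``, whether or not anything was added to it.
    """
    # Imported locally so the function does not depend on the file's import
    # header; xml.sax.saxutils exists on both Python 2 and Python 3.
    from xml.sax.saxutils import escape

    def esc(value):
        # Escape text for use in element content and in a double-quoted
        # attribute. Non-string values pass through untouched so that the
        # surrounding format()/join() behaves as it did before.
        if hasattr(value, 'replace'):
            return escape(value, {'"': '&quot;'})
        return value

    def as_lines(text):
        # Multi-line text -> escaped lines separated by <br/>.
        return '<br/>'.join(
            esc(line) for line in encode_to_utf8(text).split('\n'))

    def display_names(items):
        # List of {'displayName': ...} records -> escaped names, one a line.
        return '<br/>'.join(
            esc(encode_to_utf8(item.get('displayName'))) for item in items)

    try:
        actors = search_actor(request.value)
    except ThreatCentralError as err:
        # Report a failed search as a UI message, like the per-record errors.
        response += UIMessage(err.value, type='PartialError')
        return response

    highlighted = False
    for actor in actors:
        try:
            rtype = lower(actor.get('type'))
            score = actor.get('tcScore')
            try:
                weight = int(score) if score else 1
            except ValueError:
                # A non-numeric score should not abort the transform.
                weight = 1
            actor = actor.get('resource')

            # A result without a resource, or of another type, is skipped.
            if not actor or rtype != 'actor':
                continue

            name = actor.get('name')
            title = actor.get('title')
            if name:
                e = Actor(encode_to_utf8(name), weight=weight)
                e.name = encode_to_utf8(name)
                e.actor = encode_to_utf8(name)
            elif title:
                e = Actor(encode_to_utf8(title), weight=weight)
            else:
                # Without this branch `e` would be unbound on the first
                # record, or still point at the previous record's entity,
                # which would then be modified and emitted a second time.
                continue

            e.title = encode_to_utf8(title)
            e.resourceId = actor.get('resourceId')
            if actor.get('organization'):
                e.organization = encode_to_utf8(actor.get('organization'))
            if actor.get('aliases'):
                e.aliases = actor.get('aliases')
            if actor.get('country'):
                e.country = encode_to_utf8(
                    actor.get('country', dict()).get('displayName'))
            if actor.get('score'):
                e.score = actor.get('score')

            # The labels below assemble markup from API-supplied text, so
            # every embedded value is escaped first.
            # NOTE(review): escaping does not constrain the URL scheme of
            # href values; consider rendering only http/https as links.
            if actor.get('links'):
                e += Label(
                    'Links', '<br/>'.join(
                        '<a href="{}">{}</a>'.format(
                            esc(link.get('href')), esc(link.get('href')))
                        for link in actor.get('links')))
            if actor.get('hyperlinks'):
                e += Label(
                    'Hyperlinks', '<br/>'.join(
                        '<a href="{}">{}</a>'.format(
                            esc(link.get('url')), esc(link.get('title')))
                        for link in actor.get('hyperlinks')))

            # NOTE(review): the single-valued labels are passed through
            # unchanged; if the client renders them as HTML too, they need
            # the same escaping.
            if title:
                e += Label('Title', encode_to_utf8(title))
            if actor.get('resourceId'):
                e += Label('ResourceID', actor.get('resourceId'))

            if actor.get('aliases'):
                e += Label(
                    'Aliases', '<br/>'.join(
                        esc(encode_to_utf8(alias))
                        for alias in actor.get('aliases', '')))
            if actor.get('description'):
                e += Label('Description',
                           as_lines(actor.get('description', '')))

            if actor.get('country'):
                e += Label(
                    'Country',
                    encode_to_utf8(
                        actor.get('country', dict()).get('displayName')))
            if actor.get('organization'):
                e += Label('Organization',
                           encode_to_utf8(actor.get('organization')))
            if actor.get('types'):
                e += Label('Types', display_names(actor.get('types')))
            if actor.get('motivations'):
                e += Label('Motivations',
                           display_names(actor.get('motivations')))
            if actor.get('intendedEffects'):
                e += Label('Intended Effects',
                           display_names(actor.get('intendedEffects')))

            if actor.get('sophistication'):
                e += Label(
                    'Sophistication',
                    actor.get('sophistication', dict()).get('displayName'))

            if actor.get('socialMediaText'):
                e += Label('Social Media',
                           as_lines(actor.get('socialMediaText', '')))
            if actor.get('moreInfo'):
                e += Label('More Info', as_lines(actor.get('moreInfo', '')))

            if actor.get('score'):
                e += Label('Score', actor.get('score'))

            # Only the first emitted actor gets the highlight colour.
            if not highlighted:
                highlighted = True
                e.linkcolor = "0xf90000"

            response += e

        except AttributeError as err:
            # Formatted as text, matching the other transforms' messages.
            response += UIMessage('Error: {}'.format(err),
                                  type='PartialError')
            continue
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        except TypeError:
            # Best effort: keep whatever was collected before the bad record.
            return response

    return response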
Beispiel #35
            case = get_case(request.fields['ThreatCentral.resourceId'])
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')

        else:
            try:
                # Show Actors
                if len(case.get('actors', list())) is not 0:
                    for actor in case.get('actors'):
                        notes = list()
                        if actor.get('tcScore'):
                            weight = int(actor.get('tcScore'))
                        else:
                            weight = 1
                        if actor.get('name'):
                            e = Actor(encode_to_utf8(actor.get('name')),
                                      weight=weight)
                            e.name = encode_to_utf8(actor.get('name'))
                            e.actor = encode_to_utf8(actor.get('name'))
                        elif actor.get('title'):
                            e = Actor(encode_to_utf8(actor.get('title')),
                                      weight=weight)

                        e.title = encode_to_utf8(actor.get('title'))
                        e.resourceId = actor.get('resourceId')
                        if actor.get('organization'):
                            e.organization = encode_to_utf8(
                                actor.get('organization'))
                        if actor.get('aliases'):
                            e.aliases = actor.get('aliases')
                        if actor.get('country'):