def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.cve_import_history = get_config_variable(
"CVE_IMPORT_HISTORY", ["cve", "import_history"], config, False
)
self.cve_nvd_data_feed = get_config_variable(
"CVE_NVD_DATA_FEED", ["cve", "nvd_data_feed"], config
)
self.cve_history_data_feed = get_config_variable(
"CVE_HISTORY_DATA_FEED", ["cve", "history_data_feed"], config
)
self.cve_interval = get_config_variable(
"CVE_INTERVAL", ["cve", "interval"], config, True
)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
def __init__(self):
# get config variable
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path, Loader=yaml.FullLoader))
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.update_existing_data = get_config_variable(
"UPDATE_EXISTING_DATA", ["connector", "update_existing_data"],
config)
self.interval_scan = get_config_variable(
"INTERVAL_SCAN", ["internal_import", "interval_scan"], config)
self._data_path = os.path.dirname(os.path.abspath(__file__)) + "/data"
self.identity = self.helper.api.identity.create(
name="Internal Collector",
type="Organization",
description="Importing internal data from CSV file",
)
self.markingDefinitions = self.helper.api.marking_definition.create(
definition_type="tlp", definition="TLP:WHITE")
self.tag = self.helper.api.tag.create(tag_type="Internal-Import",
value="internal-importer",
color="#2e99db")
self.tagFE = self.helper.api.tag.create(tag_type="Internal-Import",
value="FireEye",
color="#fb4d28")
self.filename = ""
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.urlhaus_csv_url = get_config_variable("URLHAUS_CSV_URL",
["urlhaus", "csv_url"],
config)
self.urlhaus_import_offline = get_config_variable(
"URLHAUS_IMPORT_OFFLINE", ["urlhaus", "import_offline"], config,
False, True)
self.urlhaus_interval = get_config_variable("URLHAUS_INTERVAL",
["urlhaus", "interval"],
config, True)
self.create_indicators = get_config_variable(
"URLHAUS_CREATE_INDICATORS",
["urlhaus", "create_indicators"],
config,
False,
True,
)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
self.identity = self.helper.api.identity.create(
type="Organization",
name="Abuse.ch",
description=
"abuse.ch is operated by a random swiss guy fighting malware for non-profit, running a couple of projects helping internet service providers and network operators protecting their infrastructure from malware.",
)
def __init__(self):
# Get configuration
config_file_path = os.path.dirname(os.path.abspath(__file__)) + '/config.yml'
self.config = dict()
if os.path.isfile(config_file_path):
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
self.config_rabbitmq = config['rabbitmq']
self.config['name'] = config['cve']['name']
self.config['confidence_level'] = config['cve']['confidence_level']
self.config['nvd_data_feed'] = config['cve']['nvd_data_feed']
self.config['entities'] = config['cve']['entities'].split(',')
self.config['interval'] = config['cve']['interval']
self.config['log_level'] = config['cve']['log_level']
else:
self.config_rabbitmq = dict()
self.config_rabbitmq['hostname'] = os.getenv('RABBITMQ_HOSTNAME', 'localhost')
self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
self.config_rabbitmq['username'] = os.getenv('RABBITMQ_USERNAME', 'guest')
self.config_rabbitmq['password'] = os.getenv('RABBITMQ_PASSWORD', 'guest')
self.config['name'] = os.getenv('CVE_NAME', 'Common Vulnerabilities and Exposures')
self.config['confidence_level'] = int(os.getenv('CVE_CONFIDENCE_LEVEL', 3))
self.config['nvd_data_feed'] = os.getenv('CVE_DATA_FEED', 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-recent.json.gz')
self.config['entities'] = os.getenv('CVE_ENTITIES', 'vulnerability').split(',')
self.config['interval'] = os.getenv('CVE_INTERVAL', 5)
self.config['log_level'] = os.getenv('CVE_LOG_LEVEL', 'info')
# Initialize OpenCTI Connector
connector_identifier = ''.join(e for e in self.config['name'] if e.isalnum())
self.opencti_connector_helper = OpenCTIConnectorHelper(
connector_identifier.lower(),
self.config,
self.config_rabbitmq,
self.config['log_level']
)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
self.create_indicator = get_config_variable(
"PDF_OBSERVABLES_CREATE_INDICATOR",
["pdf_observables", "create_indicator"],
config,
)
self.types = {
"MD5": "File.hashes.MD5",
"SHA1": "File.hashes.SHA-1",
"SHA256": "File.hashes.SHA-256",
"Filename": "File.name",
"IP": "IPv4-Addr.value",
"DomainName": "Domain-Name.value",
# Directory is not yet fully functional
# "Directory": "Directory.path",
"URL": "Url.value",
"Email": "Email-Addr.value",
"CVE": "Vulnerability.name",
"Registry": "Windows-Registry-Key.key",
}
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.amitt_file_url = get_config_variable("AMITT_FILE_URL",
["amitt", "amitt_file_url"],
config)
self.pre_amitt_file_url = get_config_variable(
"PRE_AMITT_FILE_URL", ["amitt", "pre_amitt_file_url"], config)
self.amitt_interval = get_config_variable("AMITT_INTERVAL",
["amitt", "interval"],
config, True)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
# Create the corresponding identity
self.helper.api.identity.create(
stix_id="identity--c9c1a598-7d0e-42fa-b8ec-e42c3de95ae4",
type="Organization",
name="CogSec",
description=
"A nonprofit that helps specialists form teams to combat disinformation.",
)
self.helper.api.marking_definition.create(
stix_id="marking-definition--8c9e2257-1c62-4ff0-9de0-1deed93cf282",
definition_type="statement",
definition="Copyright 2021, CogSec.",
)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
<<<<<<< HEAD
yaml.load(open(config_file_path))
if os.path.isfile(config_file_path)
else {}
)
self.interval = 1 #1 Day interval between each scraping
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.confidence_level = get_config_variable(
"CONNECTOR_CONFIDENCE_LEVEL",
["connector", "confidence_level"],
config,
=======
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.interval = 1 # 1 Day interval between each scraping
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.confidence_level = get_config_variable(
"CONNECTOR_CONFIDENCE_LEVEL", ["connector", "confidence_level"], config,
>>>>>>> 67675da1148528e484339cc30b2795d4cc0f5ce3
)
self.data = {}
class ImportFileStix:
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
def _process_message(self, data):
old_token = self.helper.api.get_token()
token = None
if "token" in data:
token = data["token"]
file_path = data["file_path"]
update = data["update"]
file_uri = self.helper.opencti_url + file_path
self.helper.log_info("Importing the file " + file_uri)
file_content = self.helper.api.fetch_opencti_file(file_uri)
if token:
self.helper.api.set_token(token)
bundles_sent = self.helper.send_stix2_bundle(file_content, None,
update)
self.helper.api.set_token(old_token)
return [
"Sent " + str(len(bundles_sent)) +
" stix bundle(s) for worker import"
]
# Start the main loop
def start(self):
self.helper.listen(self._process_message)
def __init__(self):
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.logger_config = self.helper.api.get_logs_worker_config()
if (self.logger_config["elasticsearch_username"] is not None
and self.logger_config["elasticsearch_password"] is not None):
self.elasticsearch = Elasticsearch(
[self.logger_config["elasticsearch_url"]],
verify_certs=self.
logger_config["elasticsearch_ssl_reject_unauthorized"],
http_auth=(
self.logger_config["elasticsearch_username"],
self.logger_config["elasticsearch_password"],
),
)
elif self.logger_config["elasticsearch_api_key"] is not None:
self.elasticsearch = Elasticsearch(
[self.logger_config["elasticsearch_url"]],
verify_certs=self.
logger_config["elasticsearch_ssl_reject_unauthorized"],
api_key=self.logger_config["elasticsearch_api_key"],
)
else:
self.elasticsearch = Elasticsearch(
[self.logger_config["elasticsearch_url"]],
verify_certs=self.
logger_config["elasticsearch_ssl_reject_unauthorized"],
)
self.elasticsearch_index = self.logger_config["elasticsearch_index"]
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader
) if os.path.isfile(config_file_path) else {}
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.misp_url = os.getenv('MISP_URL') or config['misp']['url']
self.misp_key = os.getenv('MISP_KEY') or config['misp']['key']
self.misp_tag = os.getenv('MISP_TAG') or config['misp'][
'tag'] if 'tag' in config['misp'] else None
self.misp_untag_event = os.getenv('MISP_UNTAG_EVENT') or config['misp']['untag_event'] \
if 'untag_event' in config['misp'] else None
self.misp_imported_tag = os.getenv(
'MISP_IMPORTED_TAG') or config['misp']['imported_tag']
self.misp_filter_on_imported_tag = os.getenv(
'MISP_FILTER_ON_IMPORTED_TAG'
) or config['misp']['filter_on_imported_tag']
self.misp_interval = os.getenv(
'MISP_INTERVAL') or config['misp']['interval']
# Initialize MISP
self.misp = ExpandedPyMISP(url=self.misp_url,
key=self.misp_key,
ssl=False,
debug=False)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.SafeLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
self.confidence_level = get_config_variable(
"CONNECTOR_CONFIDENCE_LEVEL", ["connector", "confidence_level"], config
)
self.api_key = get_config_variable(
"MALBEACON_API_KEY", ["malbeacon", "api_key"], config
)
self.author = self.helper.api.identity.create(
name="Malbeacon",
type="Organization",
description="""The first system of its kind, MalBeacon implants \
beacons via malware bot check-in traffic. Adversaries conducting \
campaigns in the wild who are logging in to these malware C2 \
panels can now be tracked. MalBeacon is a tool for the good guys \
that provides additional intelligence on attack attribution.""",
update=True,
)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.cyber_threat_coalition_interval = get_config_variable(
"CYBER_THREAT_COALITION_INTERVAL",
["cyber-threat-coalition", "interval_sec"],
config,
True,
)
self.cyber_threat_coalition_base_url = get_config_variable(
"CYBER_THREAT_COALITION_BASE_URL",
["cyber-threat-coalition", "base_url"],
config,
False,
)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
def __init__(self) -> None:
# Instantiate the connector helper from config
base_path = os.path.dirname(os.path.abspath(__file__))
config_file_path = base_path + "/../config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.create_indicator = get_config_variable(
"IMPORT_REPORT_CREATE_INDICATOR",
["import_report", "create_indicator"],
config,
)
# Load Entity and Observable configs
observable_config_file = base_path + "/config/observable_config.ini"
entity_config_file = base_path + "/config/entity_config.ini"
if os.path.isfile(observable_config_file) and os.path.isfile(
entity_config_file):
self.observable_config = self._parse_config(
observable_config_file, Observable)
else:
raise FileNotFoundError(f"{observable_config_file} was not found")
if os.path.isfile(entity_config_file):
self.entity_config = self._parse_config(entity_config_file,
EntityConfig)
else:
raise FileNotFoundError(f"{entity_config_file} was not found")
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/../config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
# Extra config
self.confidence_level = get_config_variable(
"CONNECTOR_CONFIDENCE_LEVEL",
["connector", "confidence_level"],
config,
isNumber=True,
)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
self.AUTH_KEY = get_config_variable("MALPEDIA_AUTH_KEY",
["malpedia", "auth_key"], config)
self.INTERVAL_SEC = get_config_variable("MALPEDIA_INTERVAL_SEC",
["malpedia", "interval_sec"],
config)
self.import_intrusion_sets = get_config_variable(
"MALPEDIA_IMPORT_INTRUSION_SETS",
["malpedia", "import_intrusion_sets"],
config,
)
self.import_yara = get_config_variable("MALPEDIA_IMPORT_YARA",
["malpedia", "import_yara"],
config)
self.helper = OpenCTIConnectorHelper(config)
self.helper.log_info(f"loaded malpedia config: {config}")
# Create Malpedia client and importers
self.client = MalpediaClient(self.AUTH_KEY)
# If we run without API key we can assume all data is TLP:WHITE else we
# default to TLP:AMBER to be safe.
if self.client.unauthenticated:
self.default_marking = self.helper.api.marking_definition.read(
id=TLP_WHITE["id"])
else:
self.default_marking = self.helper.api.marking_definition.read(
id=TLP_AMBER["id"])
self.knowledge_importer = KnowledgeImporter(
self.helper,
self.client,
self.confidence_level,
self.update_existing_data,
self.import_intrusion_sets,
self.import_yara,
self.default_marking,
)
self.malpedia_interval = get_config_variable("MALPEDIA_INTERVAL_SEC",
["amitt", "interval"],
config, True)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.vxvault_url = get_config_variable("VXVAULT_URL",
["vxvault", "url"], config)
self.vxvault_interval = get_config_variable("VXVAULT_INTERVAL",
["vxvault", "interval"],
config, True)
self.create_indicators = get_config_variable(
"VXVAULT_CREATE_INDICATORS", ["vxvault", "create_indicators"],
config, True)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
self.identity = self.helper.api.identity.create(
type="Organization",
name="VX Vault",
description=
"VX Vault is providing URLs of potential malicious payload.",
)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
self.api_key = get_config_variable(
"HYBRID_ANALYSIS_TOKEN", ["hybrid_analysis", "api_key"], config
)
self.environment_id = get_config_variable(
"HYBRID_ANALYSIS_ENVIRONMENT_ID",
["hybrid_analysis", "environment_id"],
config,
True,
110,
)
self.max_tlp = get_config_variable(
"HYBRID_ANALYSIS_MAX_TLP", ["hybrid_analysis", "max_tlp"], config
)
self.api_url = "https://www.hybrid-analysis.com/api/v2"
self.headers = {
"api-key": self.api_key,
"user-agent": "OpenCTI Hybrid Analysis Connector - Version 5.1.4",
"accept": "application/json",
}
self.identity = self.helper.api.identity.create(
type="Organization",
name="Hybrid Analysis",
description="Hybrid Analysis Sandbox.",
)["standard_id"]
self._CONNECTOR_RUN_INTERVAL_SEC = 60 * 60
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
self._cache = {}
# Extra config
self.base_url = self.get_config("base_url", config, "https://api.sekoia.io")
self.start_date: str = self.get_config("start_date", config, None)
self.collection = self.get_config(
"collection", config, "d6092c37-d8d7-45c3-8aff-c4dc26030608"
)
self.helper.log_info("Setting up api key")
self.api_key = self.get_config("api_key", config)
if not self.api_key:
self.helper.log_error("API key is Missing")
raise ValueError("API key is Missing")
self._load_data_sets()
self.helper.log_info("All datasets has been loaded")
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.mitre_enterprise_file_url = get_config_variable(
"MITRE_ENTERPRISE_FILE_URL", ["mitre", "enterprise_file_url"],
config)
self.mitre_pre_attack_file_url = get_config_variable(
"MITRE_PRE_ATTACK_FILE_URL", ["mitre", "pre_attack_file_url"],
config)
self.mitre_mobile_attack_file_url = get_config_variable(
"MITRE_MOBILE_ATTACK_FILE_URL",
["mitre", "mobile_attack_file_url"], config)
self.mitre_interval = get_config_variable("MITRE_INTERVAL",
["mitre", "interval"],
config, True)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
def __init__(self):
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.greynoise_key = get_config_variable("GREYNOISE_KEY",
["greynoise", "key"], config)
self.max_tlp = get_config_variable("GREYNOISE_MAX_TLP",
["greynoise", "max_tlp"], config)
self.spoofable_confidence_level = get_config_variable(
"GREYNOISE_SPOOFABLE_CONFIDENCE_LEVEL",
["greynoise", "spoofable_confidence_level"],
config,
)
self.sighting_not_seen = get_config_variable(
"GREYNOISE_SIGHTING_NOT_SEEN", ["greynoise", "sighting_not_seen"],
config)
self.greynoise_ent_name = get_config_variable("GREYNOISE_NAME",
["greynoise", "name"],
config)
self.greynoise_ent_desc = get_config_variable(
"GREYNOISE_DESCRIPTION", ["greynoise", "description"], config)
self.api_url = "https://api.greynoise.io/v2/noise/"
self.headers = {
"key": self.greynoise_key,
"Accept": "application/json"
}
self._CONNECTOR_RUN_INTERVAL_SEC = 60 * 60
self.greynoise_id = None
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.identity = self.helper.api.identity.create(
type="Organization",
name="MalwareBazaar",
description="For more info, see https://bazaar.abuse.ch/about/",
)
self.api_url = get_config_variable(
"MALWAREBAZAAR_RECENT_ADDITIONS_API_URL",
["malwarebazaar_recent_additions", "api_url"],
config,
)
self.cooldown_seconds = get_config_variable(
"MALWAREBAZAAR_RECENT_ADDITIONS_COOLDOWN_SECONDS",
["malwarebazaar_recent_additions", "cooldown_seconds"],
config,
)
self.labels_color = get_config_variable(
"MALWAREBAZAAR_RECENT_ADDITIONS_LABELS_COLOR",
["malwarebazaar_recent_additions", "labels_color"],
config,
)
self.include_tags = get_config_variable(
"MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_TAGS",
["malwarebazaar_recent_additions", "include_tags"],
config,
)
if self.include_tags:
self.include_tags = self.include_tags.split(",")
self.include_reporters = get_config_variable(
"MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_REPORTERS",
["malwarebazaar_recent_additions", "include_reporters"],
config,
)
if self.include_reporters:
self.include_reporters = self.include_reporters.split(",")
labels = get_config_variable(
"MALWAREBAZAAR_RECENT_ADDITIONS_LABELS",
["malwarebazaar_recent_additions", "labels"],
config,
).split(",")
# Create default labels
self.label_ids = []
for label in labels:
created_label = self.helper.api.label.create(
value=label, color=self.labels_color)
self.label_ids.append(created_label["id"])
class Mitre:
def __init__(self):
# Get configuration
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
self.config = dict()
if os.path.isfile(config_file_path):
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
self.config_rabbitmq = config['rabbitmq']
self.config['name'] = config['mitre']['name']
self.config['confidence_level'] = config['mitre'][
'confidence_level']
self.config['enterprise_file_url'] = config['mitre'][
'enterprise_file_url']
self.config['entities'] = config['mitre']['entities'].split(',')
self.config['interval'] = config['mitre']['interval']
self.config['log_level'] = config['mitre']['log_level']
else:
self.config_rabbitmq = dict()
self.config_rabbitmq['hostname'] = os.getenv(
'RABBITMQ_HOSTNAME', 'localhost')
self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
self.config_rabbitmq['username'] = os.getenv(
'RABBITMQ_USERNAME', 'guest')
self.config_rabbitmq['password'] = os.getenv(
'RABBITMQ_PASSWORD', 'guest')
self.config['name'] = os.getenv('MITRE_NAME', 'MITRE ATT&CK')
self.config['confidence_level'] = int(
os.getenv('MITRE_CONFIDENCE_LEVEL', 3))
self.config['enterprise_file_url'] = os.getenv(
'MITRE_ENTERPRISE_FILE_URL',
'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json'
)
self.config['entities'] = os.getenv(
'MITRE_ENTITIES',
'attack-pattern,course-of-action,intrusion-set,malware,tool'
).split(',')
self.config['interval'] = os.getenv('MITRE_INTERVAL', 5)
self.config['log_level'] = os.getenv('MITRE_LOG_LEVEL', 'info')
# Initialize OpenCTI Connector
connector_identifier = ''.join(e for e in self.config['name']
if e.isalnum())
self.opencti_connector_helper = OpenCTIConnectorHelper(
connector_identifier.lower(), self.config, self.config_rabbitmq,
self.config['log_level'])
def get_log_level(self):
return self.config['log_level']
def get_interval(self):
return int(self.config['interval']) * 60 * 60 * 24
def run(self):
enterprise_data = urllib.request.urlopen(
self.config['enterprise_file_url']).read()
self.opencti_connector_helper.send_stix2_bundle(
enterprise_data.decode('utf-8'), self.config['entities'])
def __init__(self):
# Get configuration
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
self.config = dict()
if os.path.isfile(config_file_path):
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
self.config_rabbitmq = config['rabbitmq']
self.config['name'] = config['misp']['name']
self.config['confidence_level'] = config['misp'][
'confidence_level']
self.config['url'] = config['misp']['url']
self.config['key'] = config['misp']['key']
self.config['tag'] = config['misp']['tag'] if 'tag' in config[
'misp'] else None
self.config['untag_event'] = config['misp'][
'untag_event'] if 'untag_event' in config['misp'] else None
self.config['imported_tag'] = config['misp']['imported_tag']
self.config['filter_on_imported_tag'] = config['misp'][
'filter_on_imported_tag']
self.config['interval'] = config['misp']['interval']
self.config['log_level'] = config['misp']['log_level']
else:
self.config_rabbitmq = dict()
self.config_rabbitmq['hostname'] = os.getenv(
'RABBITMQ_HOSTNAME', 'localhost')
self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
self.config_rabbitmq['username'] = os.getenv(
'RABBITMQ_USERNAME', 'guest')
self.config_rabbitmq['password'] = os.getenv(
'RABBITMQ_PASSWORD', 'guest')
self.config['name'] = os.getenv('MISP_NAME', 'MISP')
self.config['confidence_level'] = int(
os.getenv('MISP_CONFIDENCE_LEVEL', 3))
self.config['url'] = os.getenv('MISP_URL', 'http://localhost')
self.config['key'] = os.getenv('MISP_KEY', 'ChangeMe')
self.config['tag'] = os.getenv('MISP_TAG', None)
self.config['untag_event'] = os.getenv('MISP_UNTAG_EVENT',
None) == "true"
self.config['imported_tag'] = os.getenv('MISP_IMPORTED_TAG',
'OpenCTI: Imported')
self.config['filter_on_imported_tag'] = os.getenv(
'MISP_FILTER_ON_IMPORTED_TAG', "true") == "true"
self.config['interval'] = os.getenv('MISP_INTERVAL', 5)
self.config['log_level'] = os.getenv('MISP_LOG_LEVEL', 'info')
# Initialize OpenCTI Connector
connector_identifier = ''.join(e for e in self.config['name']
if e.isalnum())
self.opencti_connector_helper = OpenCTIConnectorHelper(
connector_identifier.lower(), self.config, self.config_rabbitmq,
self.config['log_level'])
# Initialize MISP
self.misp = ExpandedPyMISP(url=self.config['url'],
key=self.config['key'],
ssl=False,
debug=False)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.identity = self.helper.api.identity.create(
type="Organization",
name="UnpacMe",
description="UnpacMe",
)["standard_id"]
self.octi_api_url = get_config_variable("OPENCTI_URL",
["opencti", "url"], config)
# Get URL and private from config, use to instantiate the client
user_agent = get_config_variable(
"UNPAC_ME_USER_AGENT",
["unpac_me", "user_agent"],
config,
)
api_key = get_config_variable(
"UNPAC_ME_API_KEY",
["unpac_me", "api_key"],
config,
)
self.private = get_config_variable(
"UNPAC_ME_PRIVATE",
["unpac_me", "private"],
config,
)
self.unpacme_client = UnpacMeApi(api_key=api_key,
user_agent=user_agent)
# Other config settings
self.family_color = get_config_variable(
"UNPAC_ME_FAMILY_COLOR",
["unpac_me", "family_color"],
config,
)
self.default_tag_color = get_config_variable(
"UNPAC_ME_FAMILY_COLOR",
["unpac_me", "tag_color"],
config,
)
self.less_noise = get_config_variable(
"UNPAC_ME_LESS_NOISE",
["unpac_me", "less_noise"],
config,
)
self.max_tlp = get_config_variable(
"UNPAC_ME_MAX_TLP",
["unpac_me", "max_tlp"],
config,
)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader
) if os.path.isfile(config_file_path) else {}
self.helper = OpenCTIConnectorHelper(config)
self.token = get_config_variable('IPINFO_TOKEN', ['ipinfo', 'token'],
config)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.identity = self.helper.api.identity.create(
type="Organization",
name="CAPEv2 Sandbox",
description="CAPEv2 Sandbox.",
)["standard_id"]
self.octi_api_url = get_config_variable("OPENCTI_URL",
["opencti", "url"], config)
self.cape_url = get_config_variable("CAPE_SANDBOX_URL",
["cape_sandbox", "url"], config)
self.cape_api_url = f"{self.cape_url}/apiv2"
self.token = get_config_variable("CAPE_SANDBOX_TOKEN",
["cape_sandbox", "token"], config)
self.max_tlp = get_config_variable("CAPE_SANDBOX_MAX_TLP",
["cape_sandbox", "max_tlp"], config)
self.less_noise = get_config_variable("CAPE_SANDBOX_LESS_NOISE",
["cape_sandbox", "less_noise"],
config)
self._cooldown_time = get_config_variable(
"CAPE_SANDBOX_COOLDOWN_TIME", ["cape_sandbox", "cooldown_time"],
config)
self._max_retries = get_config_variable(
"CAPE_SANDBOX_MAX_RETRIES", ["cape_sandbox", "max_retries"],
config)
self.headers = {"Authorization": f"Token {self.token}"}
# Analysis options
self.route = get_config_variable("CAPE_SANDBOX_ROUTE",
["cape_sandbox", "route"], config)
self.try_extract = get_config_variable("CAPE_SANDBOX_TRY_EXTRACT",
["cape_sandbox", "try_extract"],
config)
self.options = get_config_variable("CAPE_SANDBOX_OPTIONS",
["cape_sandbox", "options"], config)
self.timeout = get_config_variable("CAPE_SANDBOX_TIMEOUT",
["cape_sandbox", "timeout"], config)
self.enforce_timeout = get_config_variable(
"CAPE_SANDBOX_ENFORCE_TIMEOUT",
["cape_sandbox", "enforce_timeout"], config)
self.priority = get_config_variable("CAPE_SANDBOX_PRIORITY",
["cape_sandbox", "priority"],
config)
def __init__(self):
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.tanium_url = get_config_variable("TANIUM_URL", ["tanium", "url"],
config)
self.tanium_login = get_config_variable("TANIUM_LOGIN",
["tanium", "login"], config)
self.tanium_password = get_config_variable("TANIUM_PASSWORD",
["tanium", "password"],
config)
self.tanium_indicator_types = get_config_variable(
"TANIUM_INDICATOR_TYPES", ["tanium", "indicator_types"],
config).split(",")
self.tanium_observable_types = get_config_variable(
"TANIUM_OBSERVABLE_TYPES", ["tanium", "observable_types"],
config).split(",")
self.tanium_import_label = get_config_variable(
"TANIUM_IMPORT_LABEL",
["tanium", "import_label"],
config,
)
self.tanium_auto_quickscan = get_config_variable(
"TANIUM_AUTO_QUICKSCAN", ["tanium", "auto_quickscan"], config,
False, False)
self.tanium_computer_groups = get_config_variable(
"TANIUM_COMPUTER_GROUPS", ["tanium", "computer_groups"], config,
False, "").split(",")
# Variables
self.session = None
# Open a session
self._get_session()
# Create the source if not exist
self.source_id = None
sources = self._query("get", "/plugin/products/detect3/api/v1/sources")
for source in sources:
if source["name"] == "OpenCTI":
self.source_id = source["id"]
if self.source_id is None:
source = self._query(
"post",
"/plugin/products/detect3/api/v1/sources",
{
"type": "api-client",
"name": "OpenCTI",
"description":
"Cyber Threat Intelligence knowledge imported from OpenCTI.",
"canAutoQuickScan": True,
},
)
self.source_id = source["id"]
def __init__(self):
"""Read in config variables"""
config_file_path = os.path.dirname(os.path.abspath(__file__))
config_file_path += "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.cape_api_url = get_config_variable("CAPE_API_URL",
["cape", "api_url"], config)
self.cape_url = get_config_variable("CAPE_BASE_URL",
["cape", "base_url"], config)
self.EnableNetTraffic = get_config_variable(
"CAPE_ENABLE_NETWORK_TRAFFIC",
["cape", "enable_network_traffic"],
config,
default=False,
)
self.EnableRegKeys = get_config_variable(
"CAPE_ENABLE_REGISTRY_KEYS",
["cape", "enable_registry_keys"],
config,
default=False,
)
self.verify_ssl = get_config_variable("VERIFY_SSL",
["cape", "verify_ssl"],
config,
default=True)
self.interval = get_config_variable("CAPE_INTERVAL",
["cape", "interval"], config, True,
30)
self.start_id = get_config_variable("CAPE_START_TASK_ID",
["cape", "start_task_id"], config,
True, 0)
self.report_score = get_config_variable("CAPE_REPORT_SCORE",
["cape", "report_score"],
config, True, 0)
self.create_indicators = get_config_variable(
"CAPE_CREATE_INDICATORS", ["cape", "create_indicators"], config)
self.update_existing_data = get_config_variable(
"CONNECTOR_UPDATE_EXISTING_DATA",
["connector", "update_existing_data"],
config,
)
self.cape_api: cuckoo = cuckoo(self.helper, self.cape_api_url,
self.verify_ssl)
class OpenCTI:
def __init__(self):
# Get configuration
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
self.config = dict()
if os.path.isfile(config_file_path):
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
self.config_rabbitmq = config['rabbitmq']
self.config['name'] = config['opencti']['name']
self.config['confidence_level'] = config['opencti'][
'confidence_level']
self.config['sectors_file_url'] = config['opencti'][
'sectors_file_url']
self.config['entities'] = config['opencti']['entities'].split(',')
self.config['interval'] = config['opencti']['interval']
self.config['log_level'] = config['opencti']['log_level']
else:
self.config_rabbitmq = dict()
self.config_rabbitmq['hostname'] = os.getenv(
'RABBITMQ_HOSTNAME', 'localhost')
self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
self.config_rabbitmq['username'] = os.getenv(
'RABBITMQ_USERNAME', 'guest')
self.config_rabbitmq['password'] = os.getenv(
'RABBITMQ_PASSWORD', 'guest')
self.config['name'] = os.getenv('OPENCTI_NAME', 'OpenCTI')
self.config['confidence_level'] = int(
os.getenv('OPENCTI_CONFIDENCE_LEVEL', 5))
self.config['sectors_file_url'] = os.getenv(
'OPENCTI_SECTORS_FILE_URL',
'https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/sectors.json'
)
self.config['entities'] = os.getenv(
'OPENCTI_ENTITIES', 'sector,region,country,city').split(',')
self.config['interval'] = os.getenv('OPENCTI_INTERVAL', 1)
self.config['log_level'] = os.getenv('OPENCTI_LOG_LEVEL', 'info')
# Initialize OpenCTI Connector
connector_identifier = ''.join(e for e in self.config['name']
if e.isalnum())
self.opencti_connector_helper = OpenCTIConnectorHelper(
connector_identifier.lower(), self.config, self.config_rabbitmq,
self.config['log_level'])
def get_log_level(self):
return self.config['log_level']
def get_interval(self):
return int(self.config['interval']) * 60 * 60 * 24
def run(self):
sectors_data = urllib.request.urlopen(
self.config['sectors_file_url']).read()
self.opencti_connector_helper.send_stix2_bundle(
sectors_data.decode('utf-8'), self.config['entities'])
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + "/config.yml"
config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path) else {})
self.helper = OpenCTIConnectorHelper(config)
self.identity = self.helper.api.identity.create(
type="Organization",
name="Intezer Sandbox",
description="Intezer Sandbox",
)["standard_id"]
self.octi_api_url = get_config_variable("OPENCTI_URL",
["opencti", "url"], config)
# Get api key from config, use to instantiate the client
api_key = get_config_variable(
"INTEZER_SANDBOX_API_KEY",
["intezer_sandbox", "api_key"],
config,
)
self.intezer_client = IntezerApi(api_key=api_key)
# Other config settings
self.family_color = get_config_variable(
"INTEZER_SANDBOX_FAMILY_COLOR",
["intezer_sandbox", "family_color"],
config,
)
self.malicious_color = get_config_variable(
"INTEZER_SANDBOX_MALICIOUS_COLOR",
["intezer_sandbox", "malicious_color"],
config,
)
self.trusted_color = get_config_variable(
"INTEZER_SANDBOX_TRUSTED_COLOR",
["intezer_sandbox", "trusted_color"],
config,
)
self.unknown_color = get_config_variable(
"INTEZER_SANDBOX_UNKNOWN_COLOR",
["intezer_sandbox", "unknown_color"],
config,
)
self.suspicious_color = get_config_variable(
"INTEZER_SANDBOX_SUSPICIOUS_COLOR",
["intezer_sandbox", "suspicious_color"],
config,
)
self.max_tlp = get_config_variable(
"INTEZER_SANDBOX_MAX_TLP",
["intezer_sandbox", "max_tlp"],
config,
)
