def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
# Extract IP from entity data
observable_value = observable["value"]
# Get Shodan API Response
try:
response = self.shodanAPI.host(observable_value)
except Exception as e:
return str(e)
# Process and send Shodan Data to OpenCTI
self._convert_shodan_to_stix(response, observable)
return "[SUCCESS] Shodan IP Found, data sent in"
def _process_message(self, data):
entity_id = data['entity_id']
observable = self.helper.api.stix_observable.read(id=entity_id)
# Extract TLP
tlp = 'TLP:WHITE'
for marking_definition in observable['markingDefinitions']:
if marking_definition['definition_type'] == 'TLP':
tlp = marking_definition['definition']
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
return [
'Do not send any data, TLP of the observable is greater than MAX TLP'
]
# Extract IP from entity data
observable_id = observable['stix_id_key']
observable_value = observable['observable_value']
# Get the geo loc from the API
api_url = 'https://ipinfo.io/' + observable_value + '?token=' + self.token
response = requests.request("GET",
api_url,
headers={
'accept': "application/json",
'content-type': "application/json",
})
json_data = json.loads(response.text)
country = pycountry.countries.get(alpha_2=json_data['country'])
bundle = self._generate_stix_bundle(country, json_data['city'],
observable_id)
bundles_sent = self.helper.send_stix2_bundle(bundle)
return [
'Sent ' + str(len(bundles_sent)) +
' stix bundle(s) for worker import'
]
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
if observable is None:
raise ValueError(
"Observable not found (or the connector does not has access to this observable, check the group of the connector user)"
)
TLPs = ["TLP:WHITE"]
if "objectMarking" in observable:
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
TLPs.append(marking_definition["definition"])
for TLPx in TLPs:
if not OpenCTIConnectorHelper.check_max_tlp(TLPx, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
# Extract IP from entity data
observable_value = observable["value"]
# Get Shodan API Response
try:
response = self.shodanAPI.host(observable_value)
except Exception as e:
return str(e)
# Process and send Shodan Data to OpenCTI
self._convert_shodan_to_stix(response, observable)
return "[SUCCESS] Shodan IP Found, data sent in"
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
return self._process_file(observable)
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
if observable is None:
raise ValueError(
"Observable not found (or the connector does not has access to this observable, check the group of the connector user)"
)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable.get("objectMarking", []):
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
return self._process_file(observable)
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
if observable is None:
raise ValueError(
"Observable not found "
"(may be linked to data seggregation, check your group and permissions)"
)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
return self._process_observable(observable)
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
if observable is None:
raise ValueError(
"Observable not found (or the connector does not has access to this observable, check the group of the connector user)"
)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
# Extract IP from entity data
observable_id = observable["standard_id"]
observable_value = observable["value"]
# Get the geo loc from the API
api_url = "https://ipinfo.io/" + observable_value + "/json/?token=" + self.token
response = requests.request(
"GET",
api_url,
headers={
"accept": "application/json",
"content-type": "application/json"
},
)
json_data = response.json()
if "status" in json_data and json_data["status"] == 429:
raise ValueError("IpInfo Rate limit exceeded")
country = pycountry.countries.get(alpha_2=json_data["country"])
if country is None:
raise ValueError(
"IpInfo was not able to find a country for this IP address")
bundle = self._generate_stix_bundle(country, json_data["city"],
json_data["loc"], observable_id)
bundles_sent = self.helper.send_stix2_bundle(bundle)
return "Sent " + str(
len(bundles_sent)) + " stix bundle(s) for worker import"
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_observable.read(id=entity_id)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["markingDefinitions"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
# Extract IP from entity data
observable_id = observable["stix_id_key"]
observable_value = observable["observable_value"]
# Get the geo loc from the API
api_url = "https://ipinfo.io/" + observable_value + "?token=" + self.token
response = requests.request(
"GET",
api_url,
headers={
"accept": "application/json",
"content-type": "application/json",
},
)
json_data = json.loads(response.text)
country = pycountry.countries.get(alpha_2=json_data["country"])
if country is None:
raise ValueError(
"IpInfo was not able to find a country for this IP address")
bundle = self._generate_stix_bundle(country, json_data["city"],
observable_id)
bundles_sent = self.helper.send_stix2_bundle(bundle)
return [
"Sent " + str(len(bundles_sent)) +
" stix bundle(s) for worker import"
]
def _process_message(self, data):
"""Process a message, depending on its type."""
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
if observable is None:
return
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
break
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
if self.use_data:
self.process_data_observable(observable)
if self.use_passive:
self.process_passive_observable(observable)
if self.use_scans:
self.process_scans_observable(observable)
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable["objectMarking"]:
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
# Extract IP from entity data
observable_id = observable["standard_id"]
observable_value = observable["value"]
url = "https://api.abuseipdb.com/api/v2/check"
headers = {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded",
"Key": "%s" % self.api_key,
}
params = {
"maxAgeInDays": 365,
"verbose": "True",
"ipAddress": observable_value
}
response = requests.get(url, headers=headers, params=params)
data = response.json()
data = data["data"]
self.helper.api.stix_cyber_observable.update_field(
id=observable_id,
key="x_opencti_score",
value=str(data["abuseConfidenceScore"]),
)
if data["isWhitelisted"]:
external_reference = self.helper.api.external_reference.create(
source_name="AbuseIPDB (whitelist)",
url="https://www.abuseipdb.com/check/" + observable_value,
description="This IP address is from within our whitelist.",
)
self.helper.api.stix_cyber_observable.add_external_reference(
id=observable_id,
external_reference_id=external_reference["id"])
self.helper.api.stix_cyber_observable.add_label(
id=observable_id, label_id=self.whitelist_label["id"])
return "IP found in AbuseIPDB WHITELIST."
if len(data["reports"]) > 0:
for report in data["reports"]:
country = self.helper.api.stix_domain_object.get_by_stix_id_or_name(
name=report["reporterCountryName"])
self.helper.api.stix_sighting_relationship.create(
fromId=observable_id,
toId=country["id"],
count=1,
first_seen=report["reportedAt"],
last_seen=report["reportedAt"],
)
for category in report["categories"]:
category_text = self.extract_abuse_ipdb_category(category)
label = self.helper.api.label.create(value=category_text)
self.helper.api.stix_cyber_observable.add_label(
id=observable_id, label_id=label["id"])
return "IP found in AbuseIPDB with reports, knowledge attached."
def _process_message(self, data):
entity_id = data["entity_id"]
observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
# Extract TLP
tlp = "TLP:WHITE"
for marking_definition in observable.get("objectMarking", []):
if marking_definition["definition_type"] == "TLP":
tlp = marking_definition["definition"]
if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
raise ValueError(
"Do not send any data, TLP of the observable is greater than MAX TLP"
)
# Extract IP from entity data
observable_id = observable["standard_id"]
observable_value = observable["value"]
url = "https://api.abuseipdb.com/api/v2/check"
headers = {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded",
"Key": "%s" % self.api_key,
}
params = {
"maxAgeInDays": 365,
"verbose": "True",
"ipAddress": observable_value
}
r = requests.get(url, headers=headers, params=params)
r.raise_for_status()
data = r.json()
data = data["data"]
self.helper.api.stix_cyber_observable.update_field(
id=observable_id,
input={
"key": "x_opencti_score",
"value": str(data["abuseConfidenceScore"]),
},
)
if data["isWhitelisted"]:
external_reference = self.helper.api.external_reference.create(
source_name="AbuseIPDB (whitelist)",
url="https://www.abuseipdb.com/check/" + observable_value,
description="This IP address is from within our whitelist.",
)
self.helper.api.stix_cyber_observable.add_external_reference(
id=observable_id,
external_reference_id=external_reference["id"])
self.helper.api.stix_cyber_observable.add_label(
id=observable_id, label_id=self.whitelist_label["id"])
return "IP found in AbuseIPDB WHITELIST."
if len(data["reports"]) > 0:
found = []
cl = defaultdict(dict)
for report in data["reports"]:
countryN = report["reporterCountryCode"]
if countryN in cl:
cl[countryN]["count"] += 1
cl[countryN]["firstseen"] = report["reportedAt"]
else:
cl[countryN]["count"] = 1
cl[countryN]["firstseen"] = report["reportedAt"]
cl[countryN]["lastseen"] = report["reportedAt"]
for category in report["categories"]:
if category not in found:
found.append(category)
category_text = self.extract_abuse_ipdb_category(
category)
label = self.helper.api.label.create(
value=category_text)
self.helper.api.stix_cyber_observable.add_label(
id=observable_id, label_id=label["id"])
for ckey in list(cl.keys()):
country = self.helper.api.location.read(
filters=[{
"key": "x_opencti_aliases",
"values": [ckey],
}],
getAll=True,
)
if country is None:
self.helper.log_info(
"No country found with Alpha 2 code " + ckey)
else:
self.helper.api.stix_sighting_relationship.create(
fromId=observable_id,
toId=country["id"],
count=cl[ckey]["count"],
first_seen=cl[ckey]["firstseen"],
last_seen=cl[ckey]["lastseen"],
)
return "IP found in AbuseIPDB with reports, knowledge attached."
