Ejemplo n.º 1
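def _print_threat_results(results):
    """Print the request summary and, on success, every data view of ``results``.

    Always prints the request status, request URIs, response count and the
    raw API response. When the status is "Success" it also prints each
    ``<name>_list()`` view named in the data object's ``data_structure``,
    then the count, json, csv and keyval renderings.

    NOTE(review): this dumps the raw API response and all result data through
    easy_print (defined elsewhere in the file; presumably stdout). Confirm
    where that output ends up before enabling a sample in a shared
    environment.
    """
    # Request Status (string)
    easy_print('Request Status', results.status())

    # Request URIs (list)
    easy_print('Request URIs', results.uris())

    # Response Count (int)
    easy_print('Response Count', results.count())

    # API Response (dict)
    easy_print('API Response', results.api_response())

    # Nothing more to show unless the request succeeded.
    if results.status() != "Success":
        return

    # get data object
    results_data = results.data()

    # One "<name>_list" accessor is looked up per data_structure entry; an
    # entry without a matching method raises AttributeError here.
    for item in results_data.data_structure:
        meth = "%s_list" % item
        easy_print(meth, getattr(results_data, meth)())

    # count (int)
    easy_print('count', results_data.count())

    # json (string)
    easy_print('json', results_data.json())

    # csv (string)
    easy_print('csv', results_data.csv())

    # keyval (string)
    easy_print('keyval', results_data.keyval())


def main():
    """Working With Threats.

    Sample calls for the threat query methods on ``tc``. Every sample is
    wrapped in ``if False:``; to run one, change its "False" value to "True".
    With all samples disabled, the only call made is ``tc.set_max_results``.
    """

    # optionally set max results
    tc.set_max_results("500")

    # ------------------------------------------------------------------
    # Get Threat by ID
    #
    # Method:
    # get_threat_by_id(id)
    #   id -> threat id #
    #
    # Use this method to return a single threat result by passing
    # a threat id.
    # ------------------------------------------------------------------

    if False:
        # get threat by id
        threat_id = 85526
        results = tc.get_threat_by_id(threat_id)
        _print_threat_results(results)

    # ------------------------------------------------------------------
    # Get Threats
    #
    # Method:
    # get_threats(owners=<list of owners>)
    #   owners -> (optional) list of owners
    #
    # Use this method to return threat results.  A list of owners can be
    # optionally provided.  If no owners are provided the default owner
    # organization is automatically used.
    #
    # The "tc.get_owners()" function can be used to get a list of owners.
    # ------------------------------------------------------------------

    if False:
        # get all threats for default owner
        tc.set_max_results("50")  # optionally override default max results
        results = tc.get_threats()
        _print_threat_results(results)

    if False:
        # get all threats for all owners
        tc.set_max_results("100")  # optionally override default max results
        # NOTE(review): the get_owners() result is used without checking its
        # status; confirm how a failed owner lookup surfaces here.
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_threats(requested_owners)
        _print_threat_results(results)

    # ------------------------------------------------------------------
    # Get Threats by Indicator
    #
    # Method:
    # get_threats_by_indicator(indicator, indicator_type=None, owners=[]):
    #   indicator -> any indicator
    #   indicator_type -> (optional) indicator type
    #   owners -> (optional) list of owners
    #
    # Use this method to return threats by a user provided indicator.
    # Optionally provide the indicator type.  If no indicator type is
    # provided the indicator type will be automatically determined.  A list
    # of owners can be optionally provided. If no owners are provided the
    # default owner organization is used.
    #
    # The "tc.get_owners()" function can be used to get a list of owners.
    # ------------------------------------------------------------------

    if False:
        # get threats by indicator for default owner
        indicator = "218.65.4.171"
        results = tc.get_threats_by_indicator(indicator)
        _print_threat_results(results)

    if False:
        # get threats by indicator for all owners
        indicator = "218.65.4.171"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_threats_by_indicator(indicator, owners=requested_owners)
        _print_threat_results(results)

    # ------------------------------------------------------------------
    # Get Threats by Tag
    #
    # Method:
    # get_threats_by_tag(tag_name, owners=[]):
    #   tag_name -> a tag name
    #   owners -> (optional) list of owners
    #
    # Use this method to return threats by a user provided tag name. A
    # list of owners can be optionally provided. If no owners are provided
    # the default owner organization is used.
    #
    # The "tc.get_owners()" function can be used to get a list of owners.
    # ------------------------------------------------------------------

    if False:
        # get threats by tag for default owner
        tag = "adam"
        results = tc.get_threats_by_tag(tag)
        _print_threat_results(results)

    if False:
        # get threats by tag for all owners
        tag = "Advanced Persistent Threat"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_threats_by_tag(tag, requested_owners)
        _print_threat_results(results)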
Ejemplo n.º 2
def printout(results):
    """Print a request summary for ``results`` and, on success, its data.

    Always prints the request status, request URIs, response count and raw
    API response. When the status is "Success", additionally prints each
    ``<name>_list()`` view named by the data object's ``data_structure``,
    followed by its count, json, csv and keyval renderings.
    """
    # Request summary: status (string), URIs (list), count (int), response (dict)
    summary_fields = (
        ('Request Status', 'status'),
        ('Request URIs', 'uris'),
        ('Response Count', 'count'),
        ('API Response', 'api_response'),
    )
    for label, accessor in summary_fields:
        easy_print(label, getattr(results, accessor)())

    # Nothing further is printed unless the request succeeded.
    if results.status() != "Success":
        return

    # Accessor names are derived from the data type's structure keys.
    list_accessors = ["%s_list" % key for key in results.data().data_structure]

    # Data object whose views are printed below.
    payload = results.data()

    # A structure key without a matching "<key>_list" method raises
    # AttributeError here.
    for accessor in list_accessors:
        easy_print(accessor, getattr(payload, accessor)())

    # count (int), then the json / csv / keyval string renderings
    for view in ('count', 'json', 'csv', 'keyval'):
        easy_print(view, getattr(payload, view)())
Ejemplo n.º 3
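def _print_request_summary(results):
    """Print the request status, request URIs, response count and API response."""
    # Request Status (string)
    easy_print('Request Status', results.status())

    # Request URIs (list)
    easy_print('Request URIs', results.uris())

    # Response Count (int)
    easy_print('Response Count', results.count())

    # API Response (dict)
    easy_print('API Response', results.api_response())


def _print_owner_results(results):
    """Print the request summary and, on success, every data view of ``results``.

    On a "Success" status this prints each ``<name>_list()`` view named in
    the data object's ``data_structure``, then the count, json, csv and
    keyval renderings. Any other status prints the summary only.

    NOTE(review): this dumps the raw API response and all result data through
    easy_print (defined elsewhere in the file; presumably stdout). Confirm
    where that output ends up before enabling a sample in a shared
    environment.
    """
    _print_request_summary(results)

    if results.status() != "Success":
        return

    # get data object
    results_data = results.data()

    # One "<name>_list" accessor is looked up per data_structure entry; an
    # entry without a matching method raises AttributeError here.
    for item in results_data.data_structure:
        meth = "%s_list" % item
        easy_print(meth, getattr(results_data, meth)())

    # count (int)
    easy_print('count', results_data.count())

    # json (string)
    easy_print('json', results_data.json())

    # csv (string)
    easy_print('csv', results_data.csv())

    # keyval (string)
    easy_print('keyval', results_data.keyval())


def main():
    """Working With Owners.

    Sample calls for the owner query methods on ``tc``. Each sample is
    guarded by an ``if`` toggle; to run a disabled one, change its "False"
    value to "True". Only the "Get Owners" sample is enabled as written.
    """

    # optionally set max results
    tc.set_max_results("500")

    # ------------------------------------------------------------------
    # Get Owners
    #
    # Method:
    # get_owners()
    #
    # Use this method to return all owners.
    #
    # The "tc.get_owners()" function can be used to get a list of owners.
    # ------------------------------------------------------------------
    if True:
        # get all owners
        results = tc.get_owners()
        _print_owner_results(results)

    # ------------------------------------------------------------------
    # Get Owners by Indicator
    #
    # Method:
    # get_owners_by_indicator(indicator, indicator_type=None, owners=[]):
    #   indicator -> any indicator
    #   indicator_type -> (optional) indicator type
    #   owners -> (optional) list of owners
    #
    # Use this method to return owners by a user provided indicator.
    # Optionally provide the indicator type.  If no indicator type is
    # provided the indicator type will be automatically determined.  A list
    # of owners can be optionally provided. If no owners are provided the
    # default owner organization is used.
    #
    # The "tc.get_owners()" function can be used to get a list of owners.
    # ------------------------------------------------------------------

    if False:
        # find owner for indicator
        indicator = '218.65.4.171'
        results = tc.get_owners_by_indicator(indicator)
        _print_owner_results(results)

    if False:
        # find owner for indicator
        indicator = '1.2.3.4'
        results = tc.get_owners_by_indicator(indicator)
        _print_owner_results(results)

    if False:
        # find indicator with wrong indicator type
        # result data should be empty
        indicator = '1.2.3.4'
        indicator_type = 'files'
        results = tc.get_owners_by_indicator(indicator, indicator_type)
        _print_owner_results(results)

    if False:
        # failure test
        # good indicator with bad type
        indicator = '1.2.3.4'
        indicator_type = 'addressX'
        results = tc.get_owners_by_indicator(indicator, indicator_type)
        _print_request_summary(results)

        # the request is expected to fail; show why
        if results.status() == "Failure":
            easy_print('Error Message', results.error_message_list())

    if False:
        # bad indicator with bad type
        indicator = 'X.2.3.4'
        indicator_type = 'addressX'
        results = tc.get_owners_by_indicator(indicator, indicator_type)
        _print_request_summary(results)

        # the request is expected to fail; show why
        if results.status() == "Failure":
            easy_print('Error Message', results.error_message_list())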
Ejemplo n.º 4
def main():
    # optionally set max results
    tc.set_max_results("500")

    """
    To run sample code change the "False" value to "True"

    """

    # Create IP address indicator
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))

        results = tc.create_address(ip, rating="5.0", confidence=50)
        printout(results)

    # Create Email Address indicator
    if False:
        email = "*****@*****.**" % (randint(1,1000), randint(1,1000))

        results = tc.create_emailAddress(email, rating="3.0", confidence=85)
        printout(results)

    # Create Host indicator
    if False:
        host = "testhost-%d-%d.net" % (randint(1,1000), randint(1,1000))
        results = tc.create_host(host, rating="1.0", confidence=25)
        printout(results)

    # Create URL indicator
    if False:
        url = "https://badguy.net/%d/ok.php?id=%d" % (randint(1,1000), randint(1,1000))
        results = tc.create_url(url, rating="4.0", confidence=44)
        printout(results)

    # Create File indicator
    # NOTE: you cannot resolve associations as you can in the GUI (no linking/unlinking
    #       hashes, no adding a hash if it's already linked to other hashes)
    if False:
        randval = str(randint(1,10000000000))
        md5 = hashlib.md5()
        md5.update(randval)
        md5_hash = md5.hexdigest()

        sha1 = hashlib.sha1()
        sha1.update(randval)
        sha1_hash = sha1.hexdigest()

        sha256 = hashlib.sha256()
        sha256.update(randval)
        sha256_hash = sha256.hexdigest()

        hashes = {'md5' : md5_hash, 'sha1':sha1_hash, 'sha256':sha256_hash}
        results = tc.create_file(hashes, rating="2.0", confidence=22)
        printout(results)

    # Create adversary group
    if False:
        adversary_name = "Test Adversary %d" % randint(1,1000000)
        results = tc.create_adversary(adversary_name)
        printout(results)

    # Create email
    if False:
        name = "Test email %d" % randint(1,1000000)
        to = "*****@*****.**"
        fromField = "*****@*****.**"
        subject = "Phishing attempt message"
        header = """Delivered-To: [email protected]
Received: by 10.36.81.3 with SMTP id e3cs239nzb; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Return-Path: 
Received: from mail.emailprovider.com (mail.emailprovider.com [111.111.11.111]) by mx.gmail.com with SMTP id h19si826631rnb.2005.03.29.15.11.46; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Message-ID: <*****@*****.**>
Received: from [11.11.111.111] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:45 PST
Date: Tue, 29 Mar 2005 15:11:45 -0800 (PST)
From: Mr Jones 
Subject: Hello
To: Mr Smith """
        body = "Hello mr victim, open my link buddy"

        results = tc.create_email(name, fromField, subject, header, body, toField=to)
        if results.status() == "Success":
            print "Email created successfully"
        else:
            print results.error_message_list()

        # Note that the results contain the newly-created email!
        new_email = results.single_result()
        results = tc.update_email(new_email['id'], "Updated email", "*****@*****.**", "newsubject", header=None, emailBody="new body")
        if results.status() == "Success":
            print "Email updated successfully"
        else:
            print results.error_message_list()

    # Create test incident
    if False:
        incident_name = "Test Incident %d" % randint(1,1000000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        printout(results)

    # Create signature
    if False:
        signame = "Test signature %d" % randint(1,1000000)
        sigtype = "YARA"
        sigtext = """rule silent_banker : banker
                    {
                        meta:
                        description = "This is just an example"

                        strings:
                            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
                            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
                            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

                        condition:
                            $a or $b or $c
                    }"""

        results = tc.create_signature(signame, signame + ".txt", sigtype, sigtext)
        if results.status() == "Success":
            print "Signature created successfully"
        else:
            print results.error_message_list()

    # Create threat and associate
    if False:
        threat_name = "Test Threat %d" % randint(1,1000000)
        results = tc.create_threat(threat_name)
        data = results.data()
        new_threat = json.loads(data.json())[0]
        print "created threat '{0}', id# {1}".format(new_threat['name'], new_threat['id'])
        
        email_address = "*****@*****.**" % randint(1,1000000)
        print "creating email address {}".format(email_address)
        tc.create_emailAddress(email_address)


        # Create association between threat+indicator
        # NOTE: Group-to-group not supported via V2 at this time
        # NOTE: You can go group-to-indicator or indicator-to-group
        # NOTE: You must specify the branch as it exists in the API for group/indicator types
        #       (e.g. 'emailAddresses' or 'threats')
        #res = tc.associate_group_to_indicator("threats", new_threat['id'], "emailAddresses", email_address)
        res = tc.associate_indicator_to_group("emailAddresses", email_address, "threats", new_threat['id'])
        if res.status() == "Success":
            print "...associated!"
        else:
            easy_print('err', res.error_message_list())

    # Add tag to indicator
    if False:
        host = "testhost-%d-%d.net" % (randint(1,1000), randint(1,1000))
        results = tc.create_host(host)
        tag_name = "CSIT-14123|IntelNews/NEWS-081520141425"
        results = tc.add_tag_to_indicator("hosts", host, tag_name)
        print results.status()
        print results.error_message_list()

    # Add tag to group
    if False:
        incident_name = "Test Tag Incident %d" % randint(1,1000000)
        date = "2014-06-08T00:00:00-04:00"

        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc.add_tag_to_group("incidents", new_incident['id'], "api test tag")
   
    # Delete tags from groups/indicators
    if False:
        host = "testhost-%d-%d.net" % (randint(1,1000), randint(1,1000))
        results = tc.create_host(host)
        tag_name = "deletable indicator tag"
        results = tc.add_tag_to_indicator("hosts", host, tag_name)

        incident_name = "Test Tag Incident %d" % randint(1,1000000)
        date = "2014-06-08T00:00:00-04:00"

        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc.add_tag_to_group("incidents", new_incident['id'], "deletable api test tag")

        tc.delete_tag_from_indicator("hosts", host, tag_name)
        tc.delete_tag_from_group("incidents", new_incident['id'], "deletable api test tag")
 
    # Delete indicator
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        results = tc.create_address(ip, rating="5.0", confidence=50)

        print "IP {0} created? {1}".format(ip, results.status())
        
        res = tc._delete_indicator("addresses", ip)
        print "IP {0} deleted? {1}".format(ip, results.status())

    # Delete group
    if False:
        incident_name = "Test Attribute Incident %d" % randint(1,100000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc._delete_group("incidents", new_incident['id'])
        if results.status() == "Success":
            print "Deleted successfully"
        else:
            print results.error_message_list()        

    # Get indicator attributes
    if False:
        results = tc.get_indicator_attributes("addresses", "142.112.222.37")
        printout(results)

    # Create an indicator + attributes
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        results = tc.create_address(ip, rating="5.0", confidence=50)
        print "Working with IP {}".format(ip)

        results = tc.create_indicator_attribute("addresses", ip, "source", "API V2-created source", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

        results = tc.create_indicator_attribute("addresses", ip, "description", "API V2-created desc", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

    # Create a group + attributes
    if False:
        incident_name = "Test Attribute Incident %d" % randint(1,100000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc.create_group_attribute("incidents", new_incident['id'], "source", "API V2-created source", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

        results = tc.create_group_attribute("incidents", new_incident['id'], "description", "API V2-created desc", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

    # Delete indicator attribute
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        results = tc.create_address(ip, rating="5.0", confidence=50)
        print "Working with IP {}".format(ip)

        results = tc.create_indicator_attribute("addresses", ip, "source", "deletable API v2 source", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

        results = tc.delete_indicator_attribute("addresses", ip, new_att['id'])
        if results.status() == "Success":
            print "Attribute deleted!"
        else:
            print results.error_message_list()

    # Delete group attribute
    if False:
        incident_name = "Test Attribute Incident %d" % randint(1,100000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc.create_group_attribute("incidents", new_incident['id'], "source", "Deletable v2 source", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

        results = tc.delete_group_attribute("incidents", new_incident['id'], new_att['id'])
        if results.status() == "Success":
            print "Attribute deleted!"
        else:
            print results.error_message_list()

    # Dissociate group from indicator
    if False:
        incident_name = "Test Attribute Incident %d" % randint(1,100000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        results = tc.create_address(ip, rating="5.0", confidence=50)
        print "Working with IP {}".format(ip)

        results = tc.associate_group_to_indicator("incidents", new_incident['id'], "addresses", ip)
        if results.status() == "Success":
            print "Association created!"
        else:
            print results.error_message_list() 

        results = tc.dissociate_group_from_indicator("incidents", new_incident['id'], "addresses", ip)                
        if results.status() == "Success":
            print "Association deleted!"
        else:
            print results.error_message_list()

    # Update indicators
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        results = tc.create_address(ip, rating="1.0", confidence=11)

        email = "*****@*****.**" % (randint(1,1000), randint(1,1000))
        results = tc.create_emailAddress(email, rating="1.0", confidence=11)

        host = "editablehost-%d-%d.net" % (randint(1,1000), randint(1,1000))
        results = tc.create_host(host, rating="1.0", confidence=11)

        url = "https://editable-badguy.net/%d/ok.php?id=%d" % (randint(1,1000), randint(1,1000))
        results = tc.create_url(url, rating="1.0", confidence=11)
        
        sha256 = hashlib.sha256()
        sha256.update(str(randint(1,100000)))
        sha256_hash = sha256.hexdigest()

        hashes = {'sha256':sha256_hash}
        results = tc.create_file(hashes, rating="1.0", confidence=11)

        results = tc.update_address(ip, rating="5.0", confidence=55)
        if results.status() == "Success":
            print "%s rating and confidence updated!" % ip
        else:
            print results.error_message_list()

        results = tc.update_emailAddress(email, rating="5.0", confidence=55)
        if results.status() == "Success":
            print "%s rating and confidence updated!" % email
        else:
            print results.error_message_list()

        results = tc.update_host(host, rating="5.0", confidence=55)
        if results.status() == "Success":
            print "%s rating and confidence updated!" % host
        else:
            print results.error_message_list()

        results = tc.update_url(url, rating="5.0", confidence=55)
        if results.status() == "Success":
            print "%s rating and confidence updated!" % url
        else:
            print results.error_message_list()
            
        results = tc.update_file(sha256_hash, rating="5.0", confidence=56, size=12345)
        if results.status() == "Success":
            print "%s rating and confidence updated!" % sha256_hash
        else:
            print results.error_message_list()

    # Update groups
    if False:
        incident_name = "Test Editable Incident %d" % randint(1,100000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        new_incident = json.loads(results.data().json())[0]
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc.update_incident(new_incident['id'], name="Renamed Editable Incident", eventDate="2014-10-08T00:00:00-04:00")
        if results.status() == "Success":
            print "Incident edited!"
        else:
            print results.error_message_list()

        threat_name = "Test Editable Threat %d" % randint(1,100000000)
        results = tc.create_threat(threat_name)
        new_threat = json.loads(results.data().json())[0]
        print "Created threat '{0}', ID# {1}".format(threat_name, new_threat['id'])

        results = tc.update_threat(new_threat['id'], name="Edited threat")
        if results.status() == "Success":
            print "Threat edited!"
        else:
            print results.error_message_list() 

    # Update attributes
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        results = tc.create_address(ip, rating="5.0", confidence=50)
        print "Working with IP {}".format(ip)

        results = tc.create_indicator_attribute("addresses", ip, "source", "API V2-created source", displayed=True)
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

        results = tc.update_indicator_attribute("addresses", ip, new_att['id'], "Edited API v2 source")
        if results.status() == "Success":
            print "Attribute edited!"
        else:
            print results.error_message_list()

        incident_name = "Test Attribute Incident %d" % randint(1,100000000)
        date = "2014-06-08T00:00:00-04:00"
        results = tc.create_incident(incident_name, date)
        new_incident = results.single_result()
        print "Created incident '{0}', ID# {1}".format(incident_name, new_incident['id'])

        results = tc.create_group_attribute("incidents", new_incident['id'], "description", "Pre-edit v2 source", displayed="true")
        if results.status() == "Success":
            new_att = json.loads(results.data().json())[0]
            print "Attribute created with ID {}".format(new_att['id'])
        else:
            print results.error_message_list()

        results = tc.update_group_attribute("incidents", new_incident['id'], new_att['id'], "Edited API v2 source")
        if results.status() == "Success":
            print "Attribute updated!"
        else:
            print results.error_message_list()

    # Security labels for groups
    if False:
        threat_name = "Security Label Threat %d" % randint(1,100000000)
        results = tc.create_threat(threat_name)
        new_threat = results.single_result()

        results = tc.add_securityLabel_to_group("threats", new_threat['id'], "API use only")
        results = tc.add_securityLabel_to_group("threats", new_threat['id'], "Super Secret")
        results = tc.get_securityLabels_for_group("threats", new_threat['id'])
        labels = json.loads(results.data().json())
        print "before: %s" % labels

        results = tc.delete_securityLabel_from_group("threats", new_threat['id'], "Super Secret")
        results = tc.get_securityLabels_for_group("threats", new_threat['id'])
        labels = json.loads(results.data().json())
        print "after: %s" % labels

    # Security labels for indicators
    if False:
        ip = "%d.%d.%d.%d" % (randint(1,255), randint(1,255), randint(1,255), randint(1,255))
        
        tc.create_address(ip)
        tc.add_securityLabel_to_indicator("addresses", ip, "API use only")
        tc.add_securityLabel_to_indicator("addresses", ip, "Super Secret")
        results = tc.get_securityLabels_for_indicator("addresses", ip)
        labels = json.loads(results.data().json())
        print "before: %s" % labels

        tc.delete_securityLabel_from_indicator("addresses", ip, "Super Secret")
        results = tc.get_securityLabels_for_indicator("addresses", ip)
        labels = json.loads(results.data().json())
        print "before: %s" % labels

    # Security labels for indicator attributes
    if False:
        randval = str(randint(1,10000000000))
        md5 = hashlib.md5()
        md5.update(randval)
        md5_hash = md5.hexdigest()

        tc.create_file({'md5':md5_hash})
        results = tc.create_indicator_attribute('files', md5_hash, 'source', 'api v2 created source')
        new_att = results.single_result()
        print "Created attribute {0} on file {1}".format(new_att['id'], md5_hash)

        tc.add_securityLabel_to_attribute('files', md5_hash, new_att['id'], "Super Secret")
        tc.add_securityLabel_to_attribute('files', md5_hash, new_att['id'], "API use only")
        results = tc.get_securityLabels_for_attribute('files', md5_hash, new_att['id'])
        labels = json.loads(results.data().json())
        print "before: %s" % labels

        tc.delete_securityLabel_from_attribute('files', md5_hash, new_att['id'], "Super Secret")
        results = tc.get_securityLabels_for_attribute('files', md5_hash, new_att['id'])
        labels = json.loads(results.data().json())
        print "after: %s" % labels 

    # Security labels for group attributes
    if False:
        threat_name = "Security Label Threat %d" % randint(1,100000000)
        results = tc.create_threat(threat_name)
        new_threat = results.single_result()

        results = tc.create_group_attribute('threats', new_threat['id'], 'source', 'api v2 created source')
        new_att = results.single_result()
        print "Created attribute {0} on threat {1}".format(new_att['id'], new_threat['id'])

        tc.add_securityLabel_to_attribute('threats', new_threat['id'], new_att['id'], "Super Secret")
        tc.add_securityLabel_to_attribute('threats', new_threat['id'], new_att['id'], "API use only")
        results = tc.get_securityLabels_for_attribute('threats', new_threat['id'], new_att['id'])
        labels = json.loads(results.data().json())
        print "before: %s" % labels

        tc.delete_securityLabel_from_attribute('threats', new_threat['id'], new_att['id'], "Super Secret")
        results = tc.get_securityLabels_for_attribute('threats', new_threat['id'], new_att['id'])
        labels = json.loads(results.data().json())
        print "after: %s" % labels     
    
    # file occurrences
    if False:
        randval = str(randint(1,10000000000))
        md5 = hashlib.md5()
        md5.update(randval)
        md5_hash = md5.hexdigest()

        tc.create_file({'md5':md5_hash})
        print "Created file {}".format(md5_hash)

        # Create file occurrence (filename, path, date)
        results = tc.create_fileOccurrence(md5_hash, fileName="API file.exe", path="C:\\Runpath 23", date="2014-11-10T13:09:14-05:00")
        new_occ = results.single_result()
        print "Created occurrence with id {0}, path={1}".format(new_occ['id'], new_occ['path'])
        
        # Update file occurrence 
        results = tc.update_fileOccurrence(md5_hash, new_occ['id'], fileName="Renamed API.exe", path='C:\\Win\\', date="2014-01-10T13:09:14-05:00")
        if results.status() == "Success":
            new_occ = results.single_result()
            print "Occurrence updated successfully with path {}!".format(new_occ['path'])
        else:
            print results.error_message_list()
        
        results = tc.create_fileOccurrence(md5_hash, fileName="deletable_file.exe", path="C:\\deleteme23", date="2014-11-10T13:09:14-05:00")
        new_occ = results.single_result()
        print "Created occurrence with id {0}, path={1}".format(new_occ['id'], new_occ['path'])
        
        # Delete file occurrence
        results = tc.delete_fileOccurrence(md5_hash, new_occ['id'])
        if results.status() == "Success":
            print "Occurrence deleted successfully!"
        else:
            print results.error_message_list()
        
    # retrieve file occurrences
    if False:
        md5 = '84FA976D9ED693668B3F97D991DA0E97'
        results = tc.get_fileOccurrences(md5)
        
        print len(results.data().data())
        for p in results.data().data():
            print p['fileName']
            
    # retrieve group:group
    if False:
        sig_id = '132117'
        results = tc.get_groups_by_group(sig_id, 'signatures')
        
        for p in results.data().data():
            print p
            
    # Read victims
    if False:
        results = tc.get_victims()
        for p in results.data().data():
            
            print p
        
        # replace with relevant ones from your org        
        indicator = "www.googleserver.biz"
        results = tc.get_victims_by_indicator(indicator)
        for p in results.data().data():
            
            print p
            
        # replace with relevant ones from your org
        results = tc.get_victims_by_group('incidents', '132112')
        for p in results.data().data():
            
            print p
            
        results = tc.get_victim_by_id('543')
        for p in results.data().data():
            print p
            
    # Read victimAssets
    if False:
        # replace with relevant ones from your org
        vic_id = '543'
        results = tc.get_victimAssets(vic_id)
        for p in results.data().data():
            print p
        
        results = tc.get_victimEmailAddresses(vic_id)
        for p in results.data().data():
            print p
            
    # Create victim + assets
    if True:
        results = tc.create_victim("Autovictim", org="My Company", suborg="HR", workLocation="Seattle", createIfExists=False)
        newVic = results.single_result()
        
        results = tc.create_victimEmailAddress(newVic['id'], '*****@*****.**', addressType='personal')
        print results.status()
Ejemplo n.º 5
def main():
    """
    Working With Indicators

    """

    # optionally set max results
    tc.set_max_results("500")

    """
    Get Indicator

    Method:
    get_indicator(indicator, indicator_type=None, owners=[]):
      indicator -> any indicator
      indicator_type -> (optional) indicator type
      owners -> (optional) list of owners

    Use this method to return a indicator by a user provided indicator value.
    Optionally provide the indicator type.  If no indicator type is provided
    the indicator type will be automatically determined.  A list of owners can
    be optionally provided. If no owners are provided the default owner
    organization is used.

    To run sample code change the "False" value to "True"

    """

    if False:
        # add filter
        tc.add_filter('rating', '>=', '0', False)
        tc.add_filter('confidence', '>=', '0')

        # get indicator from default owner
        # indicator = '1.2.3.4'
        indicator = 'E801256DC033FF009EEA85C527FBCE10876C7708'
        results = tc.get_indicator(indicator)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get user defined indicator from default owners
        # indicator = '1.2.3.4'
        indicator = "*****@*****.**"
        #indicator = "ABC87739E816DCB2D8D33AABFAADC6A7"
        #indicator = "mail.gxdet.com"
        #indicator = "http://mirefocus.com/kb2484033.exe"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicator(indicator, owners=requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # testing incorrect indicator type
        indicator = "1.2.3.4"
        results = tc.get_indicator(indicator, "files")

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if True:
        # testing bad indicator
        indicator = "X.2.3.4"
        results = tc.get_indicator(indicator)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Failure":
            easy_print('Error Message', results.error_message_list())

    if False:
        # get user defined indicator and indicator type for default owner
        indicator = "ABC87739E816DCB2D8D33AABFAADC6A7"
        results = tc.get_indicator(indicator, "files")

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get user defined indicator for user defined owner
        indicator = "*****@*****.**"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicator(indicator, owners=requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get user defined indicator and indicator type for user defined owner
        indicator = "*****@*****.**"
        indicator_type = "emailAddresses"
        requested_owners = ["Test Community"]
        results = tc.get_indicator(indicator, indicator_type, requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get user defined indicator and indicator type for user defined owners
        indicator = "mail.gxdet.com"
        indicator_type = "hosts"
        requested_owners = ["Acme corp", "Test Community"]
        results = tc.get_indicator(indicator, indicator_type, requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    """
    Get Indicators

    Method:
    get_indicators(indicator_type=<indicator type>, owners=<list of owners>):
      indicator_type -> (optional) indicator type
      owners -> (optional) list of owners

    Use this method to return indicator results. Optionally provide the
    indicator type.  If no indicator type is provided the indicator type will
    be automatically determined.  A list of owners can be optionally provided.
    If no owners are provided the default owner organization is automatically
    used.

    The "tc.get_owners()" function can be used to get a list of owners.

    To run sample code change the "False" value to "True"

    """

    if False:
        # get all indicators for default owner
        tc.set_max_results("500")  # optionally override default max results
        results = tc.get_indicators()

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # add filter
        tc.add_filter('rating', '>=', '0', False)
        tc.add_filter('confidence', '>=', '0')

        # get all indicators by user defined indicator type for default owner
        tc.set_max_results("350")  # optionally override default max results
        # indicator_type = 'addresses'
        #indicator_type = 'emailAddresses'
        indicator_type = 'files'
        #indicator_type = 'hosts'
        #indicator_type = 'urls'
        results = tc.get_indicators(indicator_type=indicator_type)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

            # count (int)
            easy_print('count', results_data.count())

    if False:
        # get all indicators for user provided owner
        tc.set_max_results("500")  # optionally override default max results
        requested_owners = ['Common Community']
        results = tc.get_indicators(owners=requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get indicators by user defined indicator type for all owners
        tc.set_max_results("500")  # optionally override default max results
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicators('emailAddresses', requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get all indicators for all owners
        tc.set_max_results("500")  # optionally override default max results
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicators(owners=requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    """
    Get Indicators by Group

    Method:
    get_indicators_by_group(group_type, group_id, indicator_type=None, owners=[]):
      group_type -> predefined group type
      group_id -> group id
      indicator_type -> (optional) indicator type
      owners (optional)

    Use this method to return indicators by a user provided group type and
    group id.  Optionally provide the indicator type.  If no indicator type is
    provided the indicator type will be automatically determined.  A list of
    owners can be optionally provided. If no owners are provided the default
    owner organization is used.

    The "tc.get_owners()" function can be used to get a list of owners.

    To run sample code change the "False" value to "True"

    """

    if False:
        # get all indicators by user defined group type/id for default owner
        group_type = "signatures"
        group_id = "47259"
        results = tc.get_indicators_by_group(group_type, group_id)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get all indicators by user defined group type/id for all owners
        group_type = "threats"
        group_id = "85526"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicators_by_group(group_type, group_id, owners=requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get all indicators by user defined group type/id and indicator type
        # for all owners
        group_type = "threats"
        group_id = "85526"
        indicator_type = "addresses"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicators_by_group(group_type, group_id, indicator_type, requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    """
    Get Indicators by Tag

    Method:
    get_indicators_by_tag(tag_name, indicator_type=None, owners=[])
      tag_name -> a tag name
      indicator_type -> (optional) indicator type
      owners -> (optional) list of owners

    Use this method to return indicators for a user-provided tag name.
    Optionally provide the indicator type.  If no indicator type is provided,
    the indicator type will be determined automatically.  A list of owners can
    optionally be provided.  If no owners are provided, the default owner
    organization is used.

    The "tc.get_owners()" function can be used to get a list of owners.

    To run the sample code, change the "False" value of the corresponding
    "if False:" block below to "True".

    """

    if False:
        # get all indicators by user defined tag for default owner
        tag = "adam"
        results = tc.get_indicators_by_tag(tag)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get all indicators by user defined tag for all owners
        tag = "Advanced Persistent Threat"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicators_by_tag(tag, owners=requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())

    if False:
        # get all indicators by user defined tag and indicator type for all owners
        tag = "Advanced Persistent Threat"
        indicator_type = "files"
        requested_owners = tc.get_owners().data().name_list()
        results = tc.get_indicators_by_tag(tag, indicator_type, requested_owners)

        # Request Status (string)
        easy_print('Request Status', results.status())

        # Request URIs (list)
        easy_print('Request URIs', results.uris())

        # Response Count (int)
        easy_print('Response Count', results.count())

        # API Response (dict)
        easy_print('API Response', results.api_response())

        if results.status() == "Success":

            # get indicator keys for data type
            data_methods = ["%s_list" % item for item in results.data().data_structure]

            # get data object
            results_data = results.data()

            # loop through all data methods
            for meth in data_methods:
                easy_print(meth, getattr(results_data, meth)())

            # count (int)
            easy_print('count', results_data.count())

            # json (string)
            easy_print('json', results_data.json())

            # csv (string)
            easy_print('csv', results_data.csv())

            # keyval (string)
            easy_print('keyval', results_data.keyval())