def _create_report(
self, objects: List[Union[_DomainObject, _RelationshipObject]]
) -> Optional[Report]:
name = self.yara_rule_group
if name is None or not name:
return None
published = datetime_utc_now()
created_by = self.author
object_markings = self.object_markings
confidence_level = self.confidence_level
report_type = self.report_type
report_status = self.report_status
return create_report(
name,
published,
objects,
created_by=created_by,
report_types=[report_type],
confidence=confidence_level,
object_markings=object_markings,
x_opencti_report_status=report_status,
)
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky Master YARA importer (update data: {0})...",
self.update_existing_data,
)
latest_master_yara_timestamp = state.get(
self._LATEST_MASTER_YARA_TIMESTAMP)
if latest_master_yara_timestamp is None:
latest_master_yara_datetime = None
else:
latest_master_yara_datetime = timestamp_to_datetime(
latest_master_yara_timestamp)
master_yara_fetch_weekday = self.master_yara_fetch_weekday
if master_yara_fetch_weekday is not None:
if not is_current_weekday_before_datetime(
master_yara_fetch_weekday, latest_master_yara_datetime):
self._info("It is not time to fetch the Master YARA yet.")
return state
yara = self._fetch_master_yara()
yara_rules = yara.rules
yara_rule_count = len(yara_rules)
self._info(
"Master YARA with {0} rules...",
yara_rule_count,
)
new_yara_rules = self.yara_rule_updater.update_existing(yara.rules)
new_yara_rule_count = len(new_yara_rules)
self._info(
"{0} new YARA rules...",
new_yara_rule_count,
)
failed_count = 0
for yara_rule in new_yara_rules:
result = self._process_yara_rule(yara_rule)
if not result:
failed_count += 1
success_count = new_yara_rule_count - failed_count
self._info(
"Kaspersky Master YARA importer completed (imported: {0}, total: {1})",
success_count,
new_yara_rule_count,
)
return {
self._LATEST_MASTER_YARA_TIMESTAMP:
datetime_to_timestamp(datetime_utc_now())
}
def _create_yara_indicator(self, yara_rule: YaraRule) -> Optional[Indicator]:
created_by = self.author
modified = datetime_utc_now()
object_markings = self.object_markings
confidence_level = self.confidence_level
return create_yara_indicator(
yara_rule,
created_by=created_by,
modified=modified,
confidence=confidence_level,
object_markings=object_markings,
)
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky Master YARA importer (update data: {0}, include report: {1})...", # noqa: E501
self.update_existing_data,
self.master_yara_include_report,
)
latest_master_yara_timestamp = state.get(
self._LATEST_MASTER_YARA_TIMESTAMP)
if latest_master_yara_timestamp is None:
latest_master_yara_datetime = None
else:
latest_master_yara_datetime = timestamp_to_datetime(
latest_master_yara_timestamp)
master_yara_fetch_weekday = self.master_yara_fetch_weekday
if master_yara_fetch_weekday is not None:
if not is_current_weekday_before_datetime(
master_yara_fetch_weekday, latest_master_yara_datetime):
self._info("It is not time to fetch the Master YARA yet.")
return self._create_state(latest_master_yara_datetime)
yara = self._fetch_master_yara()
yara_rules = yara.rules
yara_rule_count = len(yara_rules)
self._info(
"Master YARA with {0} rules...",
yara_rule_count,
)
new_yara_rules = self.yara_rule_updater.update_existing(yara.rules)
new_yara_rule_count = len(new_yara_rules)
self._info(
"{0} new YARA rules...",
new_yara_rule_count,
)
grouped_yara_rules = self._group_yara_rules_by_report(new_yara_rules)
group_count = len(grouped_yara_rules)
self._info(
"{0} YARA rule groups...",
group_count,
)
for group, rules in grouped_yara_rules:
self._info("YARA rule group: ({0}) {1}", len(rules), group)
failed_count = 0
for yara_rule_group in grouped_yara_rules:
result = self._process_yara_rule_group(yara_rule_group)
if not result:
failed_count += 1
success_count = group_count - failed_count
self._info(
"Kaspersky Master YARA importer completed (imported: {0}, total: {1})",
success_count,
group_count,
)
return self._create_state(datetime_utc_now())
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky Master IOC importer (update data: {0})...",
self.update_existing_data,
)
latest_master_ioc_timestamp = state.get(
self._LATEST_MASTER_IOC_TIMESTAMP)
if latest_master_ioc_timestamp is None:
latest_master_ioc_datetime = None
else:
latest_master_ioc_datetime = timestamp_to_datetime(
latest_master_ioc_timestamp)
master_ioc_fetch_weekday = self.master_ioc_fetch_weekday
if master_ioc_fetch_weekday is not None:
if not is_current_weekday_before_datetime(
master_ioc_fetch_weekday, latest_master_ioc_datetime):
self._info("It is not time to fetch the Master IOC yet.")
return state
openioc_csv = self._fetch_master_ioc()
indicators = openioc_csv.indicators
indicator_count = len(indicators)
self._info(
"Master IOC with {0} indicators...",
indicator_count,
)
indicators = self._filter_indicators(indicators,
latest_master_ioc_datetime)
indicator_count = len(indicators)
self._info(
"{0} indicators after filtering...",
indicator_count,
)
grouped_indicators = self._group_indicators_by_publication(indicators)
group_count = len(grouped_indicators)
self._info(
"{0} indicator groups...",
group_count,
)
failed_count = 0
for indicator_group in grouped_indicators:
result = self._process_indicator_group(indicator_group)
if not result:
failed_count += 1
success_count = group_count - failed_count
self._info(
"Kaspersky Master IOC importer completed (imported: {0}, total: {1})",
success_count,
group_count,
)
return {
self._LATEST_MASTER_IOC_TIMESTAMP:
datetime_to_timestamp(datetime_utc_now())
}