def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]: """Run importer.""" self._info( "Running Kaspersky Master YARA importer (update data: {0})...", self.update_existing_data, ) latest_master_yara_timestamp = state.get( self._LATEST_MASTER_YARA_TIMESTAMP) if latest_master_yara_timestamp is None: latest_master_yara_datetime = None else: latest_master_yara_datetime = timestamp_to_datetime( latest_master_yara_timestamp) master_yara_fetch_weekday = self.master_yara_fetch_weekday if master_yara_fetch_weekday is not None: if not is_current_weekday_before_datetime( master_yara_fetch_weekday, latest_master_yara_datetime): self._info("It is not time to fetch the Master YARA yet.") return state yara = self._fetch_master_yara() yara_rules = yara.rules yara_rule_count = len(yara_rules) self._info( "Master YARA with {0} rules...", yara_rule_count, ) new_yara_rules = self.yara_rule_updater.update_existing(yara.rules) new_yara_rule_count = len(new_yara_rules) self._info( "{0} new YARA rules...", new_yara_rule_count, ) failed_count = 0 for yara_rule in new_yara_rules: result = self._process_yara_rule(yara_rule) if not result: failed_count += 1 success_count = new_yara_rule_count - failed_count self._info( "Kaspersky Master YARA importer completed (imported: {0}, total: {1})", success_count, new_yara_rule_count, ) return { self._LATEST_MASTER_YARA_TIMESTAMP: datetime_to_timestamp(datetime_utc_now()) }
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]: """Run importer.""" self._info( "Running Kaspersky publication importer (update data: {0})...", self.update_existing_data, ) self._load_opencti_regions() latest_publication_timestamp = state.get( self._LATEST_PUBLICATION_TIMESTAMP) if latest_publication_timestamp is None: latest_publication_timestamp = self.publication_start_timestamp latest_publication_datetime = timestamp_to_datetime( latest_publication_timestamp) publications = self._fetch_publications(latest_publication_datetime) publication_count = len(publications) self._info( "Fetched {0} publications...", publication_count, ) publications = self._filter_publications(publications, latest_publication_datetime) publication_count = len(publications) self._info( "{0} publications after filtering...", publication_count, ) failed_count = 0 for publication in publications: result = self._process_publication(publication) if not result: failed_count += 1 publication_updated = publication.updated if publication_updated > latest_publication_datetime: latest_publication_datetime = publication_updated success_count = publication_count - failed_count self._info( "Kaspersky publication importer completed (imported: {0}, failed: {1}, total: {2})", # noqa: E501 success_count, failed_count, publication_count, ) return { self._LATEST_PUBLICATION_TIMESTAMP: datetime_to_timestamp(latest_publication_datetime) }
def _initiate_work(self, timestamp: int) -> str: datetime_str = timestamp_to_datetime(timestamp) friendly_name = f"{self.helper.connect_name} @ {datetime_str}" work_id = self.helper.api.work.initiate_work(self.helper.connect_id, friendly_name) self._info("New work '{0}' initiated", work_id) return work_id
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]: """Run importer.""" self._info( "Running Kaspersky Master YARA importer (update data: {0}, include report: {1})...", # noqa: E501 self.update_existing_data, self.master_yara_include_report, ) latest_master_yara_timestamp = state.get( self._LATEST_MASTER_YARA_TIMESTAMP) if latest_master_yara_timestamp is None: latest_master_yara_datetime = None else: latest_master_yara_datetime = timestamp_to_datetime( latest_master_yara_timestamp) master_yara_fetch_weekday = self.master_yara_fetch_weekday if master_yara_fetch_weekday is not None: if not is_current_weekday_before_datetime( master_yara_fetch_weekday, latest_master_yara_datetime): self._info("It is not time to fetch the Master YARA yet.") return self._create_state(latest_master_yara_datetime) yara = self._fetch_master_yara() yara_rules = yara.rules yara_rule_count = len(yara_rules) self._info( "Master YARA with {0} rules...", yara_rule_count, ) new_yara_rules = self.yara_rule_updater.update_existing(yara.rules) new_yara_rule_count = len(new_yara_rules) self._info( "{0} new YARA rules...", new_yara_rule_count, ) grouped_yara_rules = self._group_yara_rules_by_report(new_yara_rules) group_count = len(grouped_yara_rules) self._info( "{0} YARA rule groups...", group_count, ) for group, rules in grouped_yara_rules: self._info("YARA rule group: ({0}) {1}", len(rules), group) failed_count = 0 for yara_rule_group in grouped_yara_rules: result = self._process_yara_rule_group(yara_rule_group) if not result: failed_count += 1 success_count = group_count - failed_count self._info( "Kaspersky Master YARA importer completed (imported: {0}, total: {1})", success_count, group_count, ) return self._create_state(datetime_utc_now())
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]: """Run importer.""" self._info( "Running Kaspersky Master IOC importer (update data: {0})...", self.update_existing_data, ) latest_master_ioc_timestamp = state.get( self._LATEST_MASTER_IOC_TIMESTAMP) if latest_master_ioc_timestamp is None: latest_master_ioc_datetime = None else: latest_master_ioc_datetime = timestamp_to_datetime( latest_master_ioc_timestamp) master_ioc_fetch_weekday = self.master_ioc_fetch_weekday if master_ioc_fetch_weekday is not None: if not is_current_weekday_before_datetime( master_ioc_fetch_weekday, latest_master_ioc_datetime): self._info("It is not time to fetch the Master IOC yet.") return state openioc_csv = self._fetch_master_ioc() indicators = openioc_csv.indicators indicator_count = len(indicators) self._info( "Master IOC with {0} indicators...", indicator_count, ) indicators = self._filter_indicators(indicators, latest_master_ioc_datetime) indicator_count = len(indicators) self._info( "{0} indicators after filtering...", indicator_count, ) grouped_indicators = self._group_indicators_by_publication(indicators) group_count = len(grouped_indicators) self._info( "{0} indicator groups...", group_count, ) failed_count = 0 for indicator_group in grouped_indicators: result = self._process_indicator_group(indicator_group) if not result: failed_count += 1 success_count = group_count - failed_count self._info( "Kaspersky Master IOC importer completed (imported: {0}, total: {1})", success_count, group_count, ) return { self._LATEST_MASTER_IOC_TIMESTAMP: datetime_to_timestamp(datetime_utc_now()) }