def _process_intel(self, entity_type, data, original_intel_document=None):
    """Build (or rebuild) the Tanium intel document for one OpenCTI entity.

    Args:
        entity_type: OpenCTI type of the event payload (``"indicator"`` or a
            STIX cyber observable type).
        data: decoded stream event; ``data["data"]["x_opencti_id"]`` is the
            id of the entity read back from OpenCTI.
        original_intel_document: existing Tanium document to update instead
            of creating a new one; handed through to the ``_create_*`` helpers.

    Returns:
        ``{"entity": ..., "intel_document": ...}``. ``entity`` is the object
        read from OpenCTI (``None`` when unknown); ``intel_document`` stays
        ``None`` when nothing is sent to Tanium: unsupported type, entity not
        found, indicator revoked, or pattern type not in
        ``self.tanium_indicator_types``. Indicators are expected to carry the
        ``revoked`` and ``pattern_type`` keys.
    """
    result = {"entity": None, "intel_document": None}

    if entity_type == "indicator":
        indicator = self.helper.api.indicator.read(id=data["data"]["x_opencti_id"])
        result["entity"] = indicator
        # Missing, revoked or unsupported-pattern indicators are reported
        # back to the caller but never pushed to Tanium.
        if (
            indicator is None
            or indicator["revoked"]
            or indicator["pattern_type"] not in self.tanium_indicator_types
        ):
            return result
        builders = {
            "stix": self._create_indicator_stix,
            "yara": self._create_indicator_yara,
            "tanium-signal": self._create_tanium_signal,
        }
        builder = builders.get(indicator["pattern_type"])
        if builder is not None:
            result["intel_document"] = builder(indicator, original_intel_document)
        return result

    is_supported_observable = (
        StixCyberObservableTypes.has_value(entity_type)
        and entity_type.lower() in self.tanium_observable_types
    )
    if is_supported_observable:
        observable = self.helper.api.stix_cyber_observable.read(
            id=data["data"]["x_opencti_id"]
        )
        result["entity"] = observable
        if observable is not None:
            result["intel_document"] = self._create_observable(
                observable, original_intel_document
            )
    return result
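def _process_message(self, msg):
    """Replicate one OpenCTI stream event into the remote OpenCTI instance.

    Create and update events are forwarded as a one-object STIX 2 bundle;
    delete events remove the matching object through the API. Only the event
    kinds listed in ``self.remote_opencti_events`` are acted on.

    Args:
        msg: stream event with ``.event`` (``"create"``, ``"update"`` or
            ``"delete"``) and ``.data`` holding the JSON text of the event.

    Returns:
        None. A failure while forwarding or deleting is logged through the
        connector helper instead of aborting the stream consumer (the previous
        bare ``except: pass`` hid those failures entirely). Malformed JSON in
        ``msg.data`` still raises, as before.
    """
    data = json.loads(msg.data)
    event = msg.event
    # Same gate as the original per-branch checks: the event kind must be
    # enabled in the connector configuration.
    if event not in self.remote_opencti_events:
        return
    try:
        if event in ("create", "update"):
            # One-object bundle; the event version lets the remote side
            # apply the change in order.
            bundle = json.dumps(
                {
                    "objects": [data["data"]],
                    "x_opencti_event_version": data["version"],
                }
            )
            self.helper.send_stix2_bundle(bundle)
        elif event == "delete":
            object_type = data["data"]["type"]
            object_id = data["data"]["id"]
            if object_type == "relationship":
                self.helper.api.stix_core_relationship.delete(id=object_id)
            elif StixCyberObservableTypes.has_value(object_type):
                self.helper.api.stix_cyber_observable.delete(id=object_id)
            else:
                self.helper.api.stix_domain_object.delete(id=object_id)
    except Exception as err:
        # Keep the consumer alive, but leave a trace of what was lost.
        self.helper.log_error(f"Unable to replicate {event} event: {err}")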
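def _process_message(self, msg):
    """Dispatch one OpenCTI stream event to the Tanium import logic.

    Args:
        msg: stream event; ``msg.event`` is ``"create"``, ``"update"`` or
            ``"delete"`` and ``msg.data`` is the JSON text of the OpenCTI event.

    Returns:
        None. Side effects only: Tanium intel documents, intel labels and
        reputation-list entries are created or removed through ``self._query``,
        and the matching OpenCTI external references are maintained.

    Raises:
        KeyError when the event lacks ``data`` or ``data.type``; errors from
        the Tanium/OpenCTI calls propagate unchanged.
    """
    data = json.loads(msg.data)
    payload = data["data"]
    entity_type = payload["type"]
    blacklist_label = self.tanium_reputation_blacklist_label

    # Entities Tanium cannot ingest are ignored unless they carry the
    # reputation blacklist label (or that label is the wildcard "*").
    if (
        entity_type != "indicator"
        and entity_type not in self.tanium_observable_types
        and ("labels" in payload and blacklist_label not in payload["labels"])
        and blacklist_label != "*"
    ):
        self.helper.log_info(
            "Not an indicator and not an observable to import, doing nothing"
        )
        return

    if msg.event == "create":
        self._handle_create_event(entity_type, data)
    elif msg.event == "update":
        self._handle_update_event(entity_type, data)
    elif msg.event == "delete":
        self._handle_delete_event(data)


def _handle_create_event(self, entity_type, data):
    """Import a newly created entity and/or push its hashes to the blacklist.

    Args:
        entity_type: value of ``data["data"]["type"]``.
        data: decoded stream event.
    """
    payload = data["data"]
    import_label = self.tanium_import_label
    blacklist_label = self.tanium_reputation_blacklist_label
    has_labels = "labels" in payload
    labels = payload["labels"] if has_labels else []

    # Without labels nothing can be selected unless a wildcard is configured.
    if not has_labels and import_label != "*" and blacklist_label != "*":
        self.helper.log_info("No label marked as import, doing nothing")
        return
    # Labels present, but neither the import nor the blacklist label is set
    # and no wildcard applies.
    if (
        has_labels
        and import_label not in labels
        and import_label != "*"
        and blacklist_label not in labels
        and blacklist_label != "*"
    ):
        self.helper.log_info(
            "No label marked as import or no global label, doing nothing"
        )
        return
    if payload.get("revoked"):
        return

    if (has_labels and import_label in labels) or import_label == "*":
        processed_intel = self._process_intel(entity_type, data)
        # Create external reference and add object labels
        self._post_operations(
            processed_intel["entity"], processed_intel["intel_document"]
        )

    if (has_labels and blacklist_label in labels) or blacklist_label == "*":
        if "hashes" in payload:
            # ``labels`` is [] when the entity has none (wildcard case); the
            # previous code indexed payload["labels"] here and raised KeyError.
            entry = self._build_reputation_entry(payload["hashes"], labels)
            self._query(
                "post",
                "/plugin/products/reputation/v3/reputations/custom/upload?append=true",
                [entry],
            )


def _handle_update_event(self, entity_type, data):
    """Mirror an OpenCTI update (label add/remove or field replace) in Tanium.

    Args:
        entity_type: value of ``data["data"]["type"]``.
        data: decoded stream event; the change itself is described by
            ``data["data"]["x_data_update"]`` (``add``/``remove``/``replace``).
    """
    payload = data["data"]
    update = payload.get("x_data_update") or {}
    import_label = self.tanium_import_label
    blacklist_label = self.tanium_reputation_blacklist_label

    if "add" in update and "labels" in update["add"]:
        added_labels = update["add"]["labels"]
        if blacklist_label in added_labels and StixCyberObservableTypes.has_value(
            payload["type"]
        ):
            observable = self.helper.api.stix_cyber_observable.read(id=payload["id"])
            observable = self.helper.api.stix2.generate_export(observable)
            if "hashes" in observable:
                # NOTE(review): the export is assumed to carry "labels" when
                # the observable has any; [] keeps the upload working otherwise.
                entry = self._build_reputation_entry(
                    observable["hashes"], observable.get("labels", [])
                )
                self._query(
                    "post",
                    "/plugin/products/reputation/v3/reputations/custom/upload?append=true",
                    [entry],
                )
        if import_label in added_labels:
            # Import label added: create the intel document now.
            processed_intel = self._process_intel(entity_type, data)
            # Create external reference and add object labels
            self._post_operations(
                processed_intel["entity"], processed_intel["intel_document"]
            )
        else:
            # Other labels added: copy them onto the existing intel document.
            indicator = self.helper.api.indicator.read(
                id=payload["x_opencti_id"],
                customAttributes="""
                    pattern_type
                """,
            )
            intel_document = self._get_by_id(
                payload["x_opencti_id"],
                yara=indicator is not None and indicator["pattern_type"] == "yara",
            )
            if intel_document:
                tanium_labels = self._get_labels(
                    [{"value": label} for label in added_labels]
                )
                for label in tanium_labels:
                    self._query(
                        "put",
                        "/plugin/products/detect3/api/v1/intels/"
                        + str(intel_document["id"])
                        + "/labels",
                        {"id": label["id"]},
                    )

    elif "remove" in update and "labels" in update["remove"]:
        removed_labels = update["remove"]["labels"]
        if blacklist_label in removed_labels and "hashes" in payload:
            self._delete_reputation_hashes(payload["hashes"])
        if import_label in removed_labels:
            # Import label removed: the intel document must go too.
            self._delete_intel_and_references(entity_type, payload["x_opencti_id"])
        else:
            intel_document = self._get_by_id(payload["x_opencti_id"])
            if intel_document:
                tanium_labels = self._get_labels(
                    [{"value": label} for label in removed_labels]
                )
                for label in tanium_labels:
                    self._query(
                        "delete",
                        "/plugin/products/detect3/api/v1/intels/"
                        + str(intel_document["id"])
                        + "/labels/"
                        + str(label["id"]),
                    )

    elif "replace" in update:
        replaced = update["replace"]
        if entity_type == "indicator":
            # A new pattern means the Tanium document must be regenerated.
            if "pattern" in replaced:
                intel_document = self._get_by_id(payload["x_opencti_id"])
                if intel_document is not None:
                    self._process_intel(entity_type, data, intel_document)
        elif "value" in replaced or "hashes" in replaced:
            intel_document = self._get_by_id(payload["x_opencti_id"])
            if intel_document is not None:
                self._process_intel(entity_type, data, intel_document)
        elif replaced.get("revoked") is True:
            # msg.data is JSON, so "revoked" decodes to a real bool.
            self._delete_intel_and_references(entity_type, payload["x_opencti_id"])


def _handle_delete_event(self, data):
    """Remove the Tanium intel document (and file hashes) of a deleted entity.

    Args:
        data: decoded stream event.
    """
    payload = data["data"]
    intel_document = self._get_by_id(payload["x_opencti_id"])
    if intel_document is not None:
        self._query(
            "delete",
            "/plugin/products/detect3/api/v1/intels/" + str(intel_document["id"]),
        )
    # Hashes of a deleted file are withdrawn from the reputation blacklist.
    if payload["type"] == "file" and "hashes" in payload:
        self._delete_reputation_hashes(payload["hashes"])


def _build_reputation_entry(self, hashes, labels):
    """Build one Tanium reputation blacklist entry from a STIX hashes dict.

    Args:
        hashes: STIX ``hashes`` mapping (keys ``MD5``, ``SHA-1``, ``SHA-256``).
        labels: label values joined into the entry's ``notes`` field.

    Returns:
        dict with ``list``, ``md5``, ``sha1``, ``sha256`` (empty string when
        absent), ``uploadedHash`` (strongest available hash, SHA-256 first;
        not set when no hash is present) and ``notes``.
    """
    entry = {"list": "blacklist"}
    # Iteration order matters: the last present hash wins "uploadedHash".
    for stix_key, tanium_key in (("MD5", "md5"), ("SHA-1", "sha1"), ("SHA-256", "sha256")):
        if stix_key in hashes:
            entry[tanium_key] = hashes[stix_key]
            entry["uploadedHash"] = hashes[stix_key]
        else:
            entry[tanium_key] = ""
    entry["notes"] = ",".join(labels)
    return entry


def _delete_reputation_hashes(self, hashes):
    """Remove every known hash of a STIX ``hashes`` dict from the blacklist.

    Args:
        hashes: STIX ``hashes`` mapping; one delete call per present hash,
            SHA-256 first.
    """
    for stix_key in ("SHA-256", "SHA-1", "MD5"):
        if stix_key in hashes:
            self._query(
                "post",
                "/plugin/products/reputation/v3/reputations/custom/delete",
                [hashes[stix_key]],
            )


def _delete_intel_and_references(self, entity_type, opencti_id):
    """Delete an entity's Tanium intel document and its Tanium external references.

    Args:
        entity_type: ``"indicator"`` selects the indicator API for the
            read-back; anything else is read as a cyber observable.
        opencti_id: OpenCTI id of the entity.

    Returns:
        None. Nothing happens when no intel document is known for the id.
    """
    intel_document = self._get_by_id(opencti_id)
    if intel_document is None:
        return
    self._query(
        "delete",
        "/plugin/products/detect3/api/v1/intels/" + str(intel_document["id"]),
    )
    # Remove external references that pointed at the deleted document
    if entity_type == "indicator":
        entity = self.helper.api.indicator.read(id=opencti_id)
    else:
        entity = self.helper.api.stix_cyber_observable.read(id=opencti_id)
    if entity and entity.get("externalReferences"):
        for external_reference in entity["externalReferences"]:
            if external_reference["source_name"] == "Tanium":
                self.helper.api.external_reference.delete(external_reference["id"])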