 def _process_intel(self, entity_type, data, original_intel_document=None):
     """Build (or rebuild) the Tanium intel document for one OpenCTI object.

     Indicators are read back through the indicator API and handed to the
     builder matching their ``pattern_type`` (stix / yara / tanium-signal);
     observables whose type is in ``self.tanium_observable_types`` go through
     ``_create_observable``. Revoked indicators, indicators whose pattern type
     is not in ``self.tanium_indicator_types``, pattern types with no builder,
     and objects that cannot be read back from OpenCTI yield no intel document.

     Args:
         entity_type: STIX type of the object ("indicator" or an observable type).
         data: stream payload; ``data["data"]["x_opencti_id"]`` is the OpenCTI id
             used for the lookup.
         original_intel_document: existing Tanium document to update, or None
             to create a new one (passed straight through to the builder).

     Returns:
         ``{"entity": <object read from OpenCTI or None>,
           "intel_document": <builder result or None>}``.
     """
     result = {"entity": None, "intel_document": None}

     if entity_type == "indicator":
         indicator = self.helper.api.indicator.read(id=data["data"]["x_opencti_id"])
         result["entity"] = indicator
         # Nothing to push for unknown or revoked indicators.
         if indicator is None or indicator["revoked"]:
             return result
         pattern_type = indicator["pattern_type"]
         if pattern_type not in self.tanium_indicator_types:
             return result
         # Pattern types without a dedicated builder leave intel_document as None.
         builders = {
             "stix": self._create_indicator_stix,
             "yara": self._create_indicator_yara,
             "tanium-signal": self._create_tanium_signal,
         }
         builder = builders.get(pattern_type)
         if builder is not None:
             result["intel_document"] = builder(indicator, original_intel_document)
         return result

     is_observable = StixCyberObservableTypes.has_value(entity_type)
     if is_observable and entity_type.lower() in self.tanium_observable_types:
         observable = self.helper.api.stix_cyber_observable.read(
             id=data["data"]["x_opencti_id"]
         )
         result["entity"] = observable
         if observable is not None:
             result["intel_document"] = self._create_observable(
                 observable, original_intel_document
             )
     return result
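 def _process_message(self, msg):
     """Replay one event from the remote OpenCTI stream into the local platform.

     Only event kinds listed in ``self.remote_opencti_events`` are replayed:
     - "create" / "update": the STIX object is wrapped in a one-object bundle
       (tagged with the remote event version) and imported through
       ``self.helper.send_stix2_bundle``.
     - "delete": the object is deleted locally by id, routed to the relationship,
       observable or domain-object API according to its STIX type.

     Any failure (malformed payload, missing key, API error) is logged and
     swallowed so that one bad event cannot stop the stream consumer.

     NOTE(review): "delete" gives the remote stream authority to delete local
     objects by id. That is the intended sync semantics, but it means the remote
     platform is fully trusted; confirm the stream credentials are scoped
     accordingly.

     Args:
         msg: stream message with ``.event`` ("create"/"update"/"delete") and
             ``.data`` (JSON text carrying the STIX object under "data" and the
             event schema version under "version").

     Returns:
         None.
     """
     # Local import: the file's import block is outside this listing.
     import logging

     try:
         # Parsing is inside the try so a malformed message is logged, not fatal.
         data = json.loads(msg.data)
         event = msg.event
         if event in ("create", "update") and event in self.remote_opencti_events:
             # create and update are replayed identically: the whole object is
             # sent as a single-object bundle and the platform upserts it.
             bundle = json.dumps(
                 {
                     "objects": [data["data"]],
                     "x_opencti_event_version": data["version"],
                 }
             )
             self.helper.send_stix2_bundle(bundle)
         elif event == "delete" and "delete" in self.remote_opencti_events:
             object_id = data["data"]["id"]
             object_type = data["data"]["type"]
             if object_type == "relationship":
                 self.helper.api.stix_core_relationship.delete(id=object_id)
             elif StixCyberObservableTypes.has_value(object_type):
                 self.helper.api.stix_cyber_observable.delete(id=object_id)
             else:
                 # Anything that is neither a relationship nor an observable is
                 # treated as a STIX domain object.
                 self.helper.api.stix_domain_object.delete(id=object_id)
     except Exception:
         # Narrowed from a bare `except: pass`, which silently dropped failed
         # syncs and also swallowed KeyboardInterrupt/SystemExit. Best-effort
         # semantics are kept: log with traceback and move on to the next event.
         logging.getLogger(__name__).exception(
             "Failed to process remote OpenCTI %s event", getattr(msg, "event", None)
         )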
 def _process_message(self, msg):
     """Dispatch one OpenCTI stream event to Tanium (intel documents and reputation).

     Two sinks are driven purely by OpenCTI labels:
     - ``self.tanium_import_label``: create / refresh / delete the object as a
       Tanium intel document (``_process_intel``, detect3 ``/intels`` API).
     - ``self.tanium_reputation_blacklist_label``: push / remove the object's
       MD5, SHA-1 and SHA-256 hashes on the Tanium custom reputation blacklist.
     A label value of ``"*"`` acts as a wildcard (every eligible object).

     NOTE(review): because both sinks are label-driven, anyone who can add or
     remove these labels in OpenCTI can create or remove Tanium intel and
     reputation-blacklist entries. Label-edit rights on the source platform are
     effectively write access to Tanium; scope them accordingly.

     Args:
         msg: stream message with ``.event`` ("create"/"update"/"delete") and
             ``.data`` (JSON text carrying the STIX object under "data"; update
             events carry the delta under "data"["x_data_update"]).

     Returns:
         None. Work is done through ``self._query`` and ``self.helper.api``.
     """
     data = json.loads(msg.data)
     entity_type = data["data"]["type"]
     # Skip objects that are neither an indicator, an observable type we import,
     # nor a candidate for the reputation blacklist.
     # NOTE(review): an object with no "labels" key never takes this early return
     # (the `"labels" in data["data"]` guard makes the whole clause False), so the
     # per-event branches below must cope with unlabelled objects. Confirm intended.
     if (
         entity_type != "indicator"
         and entity_type not in self.tanium_observable_types
         and (
             "labels" in data["data"]
             and self.tanium_reputation_blacklist_label not in data["data"]["labels"]
         )
         and self.tanium_reputation_blacklist_label != "*"
     ):
         self.helper.log_info(
             "Not an indicator and not an observable to import, doing nothing"
         )
         return
     # Handle creation
     if msg.event == "create":
         # No label at all and neither label is the "*" wildcard: nothing to do.
         if (
             "labels" not in data["data"]
             and self.tanium_import_label != "*"
             and self.tanium_reputation_blacklist_label != "*"
         ):
             self.helper.log_info("No label marked as import, doing nothing")
             return
         # Import or blacklist labels are not in the given labels
         elif (
             (
                 "labels" in data["data"]
                 and self.tanium_import_label not in data["data"]["labels"]
             )
             and self.tanium_import_label != "*"
             and self.tanium_reputation_blacklist_label not in data["data"]["labels"]
             and self.tanium_reputation_blacklist_label != "*"
         ):
             self.helper.log_info(
                 "No label marked as import or no global label, doing nothing"
             )
             return
         # Revoked is true
         elif "revoked" in data["data"] and data["data"]["revoked"]:
             return
         # Import label present (or wildcard): create the Tanium intel document
         # and attach the external reference / labels back in OpenCTI.
         if (
             "labels" in data["data"]
             and self.tanium_import_label in data["data"]["labels"]
         ) or self.tanium_import_label == "*":
             # Process intel
             processed_intel = self._process_intel(entity_type, data)
             intel_document = processed_intel["intel_document"]
             entity = processed_intel["entity"]
             # Create external reference and add object labels
             self._post_operations(entity, intel_document)
         # Blacklist label present (or wildcard): push the object's hashes to the
         # Tanium custom reputation blacklist. Any object carrying a "hashes" key
         # qualifies here, whereas the delete branch below only cleans up "file".
         if (
             "labels" in data["data"]
             and self.tanium_reputation_blacklist_label in data["data"]["labels"]
         ) or self.tanium_reputation_blacklist_label == "*":
             if "hashes" in data["data"]:
                 entry = {"list": "blacklist"}
                 # "uploadedHash" is overwritten by each hash present, in MD5,
                 # SHA-1, SHA-256 order, so it ends up as SHA-256 when available.
                 if "MD5" in data["data"]["hashes"]:
                     entry["md5"] = data["data"]["hashes"]["MD5"]
                     entry["uploadedHash"] = data["data"]["hashes"]["MD5"]
                 else:
                     entry["md5"] = ""
                 if "SHA-1" in data["data"]["hashes"]:
                     entry["sha1"] = data["data"]["hashes"]["SHA-1"]
                     entry["uploadedHash"] = data["data"]["hashes"]["SHA-1"]
                 else:
                     entry["sha1"] = ""
                 if "SHA-256" in data["data"]["hashes"]:
                     entry["sha256"] = data["data"]["hashes"]["SHA-256"]
                     entry["uploadedHash"] = data["data"]["hashes"]["SHA-256"]
                 else:
                     entry["sha256"] = ""
                 # NOTE(review): with the "*" wildcard and an object that has no
                 # "labels" key, this line raises KeyError (nothing above
                 # guarantees the key is present on this path).
                 entry["notes"] = ",".join(data["data"]["labels"])
                 self._query(
                     "post",
                     "/plugin/products/reputation/v3/reputations/custom/upload?append=true",
                     [entry],
                 )
     elif msg.event == "update":
         # Labels were added: react to the blacklist / import labels appearing.
         if (
             "x_data_update" in data["data"]
             and "add" in data["data"]["x_data_update"]
             and "labels" in data["data"]["x_data_update"]["add"]
         ):
             if self.tanium_reputation_blacklist_label in data["data"][
                 "x_data_update"
             ]["add"]["labels"] and StixCyberObservableTypes.has_value(
                 data["data"]["type"]
             ):
                 # The update event only carries the delta, so the observable is
                 # re-read and exported to STIX to obtain its current hashes.
                 # NOTE(review): this lookup uses data["data"]["id"]; every other
                 # branch uses data["data"]["x_opencti_id"]. Confirm both resolve.
                 observable = self.helper.api.stix_cyber_observable.read(
                     id=data["data"]["id"]
                 )
                 observable = self.helper.api.stix2.generate_export(observable)
                 if "hashes" in observable:
                     entry = {"list": "blacklist"}
                     # Same MD5 / SHA-1 / SHA-256 fill as the create branch;
                     # "uploadedHash" ends up as the last hash present.
                     if "MD5" in observable["hashes"]:
                         entry["md5"] = observable["hashes"]["MD5"]
                         entry["uploadedHash"] = observable["hashes"]["MD5"]
                     else:
                         entry["md5"] = ""
                     if "SHA-1" in observable["hashes"]:
                         entry["sha1"] = observable["hashes"]["SHA-1"]
                         entry["uploadedHash"] = observable["hashes"]["SHA-1"]
                     else:
                         entry["sha1"] = ""
                     if "SHA-256" in observable["hashes"]:
                         entry["sha256"] = observable["hashes"]["SHA-256"]
                         entry["uploadedHash"] = observable["hashes"]["SHA-256"]
                     else:
                         entry["sha256"] = ""
                     # NOTE(review): assumes the STIX export always carries
                     # "labels"; if it can be absent this is a KeyError.
                     entry["notes"] = ",".join(observable["labels"])
                     self._query(
                         "post",
                         "/plugin/products/reputation/v3/reputations/custom/upload?append=true",
                         [entry],
                     )
             if (
                 self.tanium_import_label
                 in data["data"]["x_data_update"]["add"]["labels"]
             ):
                 # Process intel
                 processed_intel = self._process_intel(entity_type, data)
                 intel_document = processed_intel["intel_document"]
                 entity = processed_intel["entity"]
                 # Create external reference and add object labels
                 self._post_operations(entity, intel_document)
             else:
                 # Some other label was added: mirror it onto the existing Tanium
                 # intel document, if one exists for this object.
                 # NOTE(review): the read below goes through the indicator API
                 # regardless of entity_type; for observables it presumably
                 # returns None, which only selects yara=False. Confirm.
                 entity = self.helper.api.indicator.read(
                     id=data["data"]["x_opencti_id"],
                     customAttributes="""
                     pattern_type
                 """,
                 )
                 intel_document = self._get_by_id(
                     data["data"]["x_opencti_id"],
                     yara=True
                     if entity is not None and entity["pattern_type"] == "yara"
                     else False,
                 )
                 if intel_document:
                     new_labels = []
                     for label in data["data"]["x_data_update"]["add"]["labels"]:
                         new_labels.append({"value": label})
                     # _get_by_id / _get_labels resolve the Tanium-side ids used
                     # in the URL path below.
                     labels = self._get_labels(new_labels)
                     for label in labels:
                         self._query(
                             "put",
                             "/plugin/products/detect3/api/v1/intels/"
                             + str(intel_document["id"])
                             + "/labels",
                             {"id": label["id"]},
                         )
         # Labels were removed: undo the blacklist / import side effects.
         elif (
             "x_data_update" in data["data"]
             and "remove" in data["data"]["x_data_update"]
             and "labels" in data["data"]["x_data_update"]["remove"]
         ):
             if (
                 self.tanium_reputation_blacklist_label
                 in data["data"]["x_data_update"]["remove"]["labels"]
             ):
                 # Blacklist label removed: delete each hash from the reputation
                 # list, one request per hash type.
                 if "hashes" in data["data"]:
                     if "SHA-256" in data["data"]["hashes"]:
                         self._query(
                             "post",
                             "/plugin/products/reputation/v3/reputations/custom/delete",
                             [data["data"]["hashes"]["SHA-256"]],
                         )
                     if "SHA-1" in data["data"]["hashes"]:
                         self._query(
                             "post",
                             "/plugin/products/reputation/v3/reputations/custom/delete",
                             [data["data"]["hashes"]["SHA-1"]],
                         )
                     if "MD5" in data["data"]["hashes"]:
                         self._query(
                             "post",
                             "/plugin/products/reputation/v3/reputations/custom/delete",
                             [data["data"]["hashes"]["MD5"]],
                         )
             if (
                 self.tanium_import_label
                 in data["data"]["x_data_update"]["remove"]["labels"]
             ):
                 # Import label has been removed
                 intel_document = self._get_by_id(data["data"]["x_opencti_id"])
                 if intel_document is not None:
                     self._query(
                         "delete",
                         "/plugin/products/detect3/api/v1/intels/"
                         + str(intel_document["id"]),
                     )
                 # Remove external references
                 if entity_type == "indicator":
                     entity = self.helper.api.indicator.read(
                         id=data["data"]["x_opencti_id"]
                     )
                 else:
                     entity = self.helper.api.stix_cyber_observable.read(
                         id=data["data"]["x_opencti_id"]
                     )
                 # Only references this connector created (source_name "Tanium")
                 # are removed.
                 if (
                     entity
                     and "externalReferences" in entity
                     and len(entity["externalReferences"]) > 0
                 ):
                     for external_reference in entity["externalReferences"]:
                         if external_reference["source_name"] == "Tanium":
                             self.helper.api.external_reference.delete(
                                 external_reference["id"]
                             )
             else:
                 # Some other label removed: detach it from the Tanium intel
                 # document, if one exists.
                 intel_document = self._get_by_id(data["data"]["x_opencti_id"])
                 if intel_document:
                     new_labels = []
                     for label in data["data"]["x_data_update"]["remove"]["labels"]:
                         new_labels.append({"value": label})
                     labels = self._get_labels(new_labels)
                     for label in labels:
                         self._query(
                             "delete",
                             "/plugin/products/detect3/api/v1/intels/"
                             + str(intel_document["id"])
                             + "/labels/"
                             + str(label["id"]),
                         )
         # A field was replaced: rebuild the intel document when the pattern /
         # value / hashes change, delete it when the indicator gets revoked.
         # NOTE(review): the whole block is gated on entity_type == "indicator",
         # so value/hashes changes on observables are never propagated, and the
         # `else: stix_cyber_observable.read(...)` arm further down is unreachable.
         elif (
             "x_data_update" in data["data"]
             and "replace" in data["data"]["x_data_update"]
         ):
             if entity_type == "indicator":
                 if "pattern" in data["data"]["x_data_update"]["replace"]:
                     intel_document = self._get_by_id(data["data"]["x_opencti_id"])
                     if intel_document is not None:
                         self._process_intel(entity_type, data, intel_document)
                 elif (
                     "value" in data["data"]["x_data_update"]["replace"]
                     or "hashes" in data["data"]["x_data_update"]["replace"]
                 ):
                     intel_document = self._get_by_id(data["data"]["x_opencti_id"])
                     if intel_document is not None:
                         self._process_intel(entity_type, data, intel_document)
                 # NOTE(review): `== True` is a strict equality check on the
                 # replaced value; `is True` is the usual idiom for a flag.
                 elif (
                     "revoked" in data["data"]["x_data_update"]["replace"]
                     and data["data"]["x_data_update"]["replace"]["revoked"] == True
                 ):
                     intel_document = self._get_by_id(data["data"]["x_opencti_id"])
                     if intel_document is not None:
                         self._query(
                             "delete",
                             "/plugin/products/detect3/api/v1/intels/"
                             + str(intel_document["id"]),
                         )
                         # Remove external references
                         if entity_type == "indicator":
                             entity = self.helper.api.indicator.read(
                                 id=data["data"]["x_opencti_id"]
                             )
                         else:
                             entity = self.helper.api.stix_cyber_observable.read(
                                 id=data["data"]["x_opencti_id"]
                             )
                         if (
                             entity
                             and "externalReferences" in entity
                             and len(entity["externalReferences"]) > 0
                         ):
                             for external_reference in entity["externalReferences"]:
                                 if external_reference["source_name"] == "Tanium":
                                     self.helper.api.external_reference.delete(
                                         external_reference["id"]
                                     )
     elif msg.event == "delete":
         # Object deleted in OpenCTI: drop its Tanium intel document and, for
         # files, its reputation-blacklist entries.
         intel_document = self._get_by_id(data["data"]["x_opencti_id"])
         if intel_document is not None:
             self._query(
                 "delete",
                 "/plugin/products/detect3/api/v1/intels/"
                 + str(intel_document["id"]),
             )
         # NOTE(review): only type "file" is cleaned up here, while the create
         # branch blacklists any object carrying a "hashes" key, so entries made
         # for other types would linger after deletion. The removal is also
         # unconditional (no label check), unlike the create-side upload.
         if data["data"]["type"] == "file":
             if "hashes" in data["data"]:
                 if "SHA-256" in data["data"]["hashes"]:
                     self._query(
                         "post",
                         "/plugin/products/reputation/v3/reputations/custom/delete",
                         [data["data"]["hashes"]["SHA-256"]],
                     )
                 if "SHA-1" in data["data"]["hashes"]:
                     self._query(
                         "post",
                         "/plugin/products/reputation/v3/reputations/custom/delete",
                         [data["data"]["hashes"]["SHA-1"]],
                     )
                 if "MD5" in data["data"]["hashes"]:
                     self._query(
                         "post",
                         "/plugin/products/reputation/v3/reputations/custom/delete",
                         [data["data"]["hashes"]["MD5"]],
                     )