def test_ip_get_indicators_multiple_owners(mocker):
mocker.patch('ThreatConnect_v2.get_xindapi',
side_effect=[GET_XINDAPI_OWNER1, GET_XINDAPI_OWNER2])
mocker.patch('ThreatConnect_v2.get_client', return_value=ThreatConnect())
indicators = get_indicators('127.0.0.1', 'Address',
'Demisto Inc.,PhishTank', -1, -1)
assert indicators == EXPECTED_INDOCATORS_OUTPUT
def test_associate_indicator_request(indicator_type, indicator, expected_url, mocker):
mocker.patch.object(Response, 'json', return_value={})
api_request = mocker.patch.object(ThreatConnect, 'api_request', return_value=Response())
mocker.patch('ThreatConnect_v2.get_client', return_value=ThreatConnect())
associate_indicator_request(indicator_type, indicator, 'test', '0')
url = f'/v2/indicators/{expected_url}/groups/test/0'
assert api_request.call_args[0][0].request_uri == url
def activate(self):
logger.debug('Activating %s' % self.__class__.__name__)
self.service = ThreatConnect(settings.THREATCONNECT_ACCESS_ID,
settings.THREATCONNECT_SECRET_KEY,
settings.THREATCONNECT_DEFAULT_ORG,
settings.THREATCONNECT_BASE_URL)
self.service.set_api_result_limit(100)
def get_client():
params = demisto.params()
access = params['accessId']
secret = params['secretKey']
default_org = params.get('defaultOrg')
url = params['baseUrl']
proxy_ip = params['proxyIp']
proxy_port = params['proxyPort']
tc = ThreatConnect(access, secret, default_org, url)
if proxy_ip and proxy_port and len(proxy_ip) > 0 and len(proxy_port) > 0:
tc.set_proxies(proxy_ip, int(proxy_port))
return tc
# retrieve configuration file
config = ConfigParser.RawConfigParser()
config.read(config_file)
try:
api_access_id = config.get('threatconnect', 'api_access_id')
api_secret_key = config.get('threatconnect', 'api_secret_key')
api_default_org = config.get('threatconnect', 'api_default_org')
api_base_url = config.get('threatconnect', 'api_base_url')
api_result_limit = int(config.get('threatconnect', 'api_result_limit'))
except ConfigParser.NoOptionError:
print('Could not retrieve configuration file.')
sys.exit(1)
tc = ThreatConnect(api_access_id, api_secret_key, api_default_org,
api_base_url)
tc.set_api_result_limit(api_result_limit)
tc.report_enable()
#
# CHANGE FOR YOUR TESTING ENVIRONMENT
# - These adversaries must be created before running this script
#
lu_id = 22 # task id for loop update
mu_id = 23 # task id for manual update
# dl_id = 999999 # adversary id to delete
email_id = 27 # email resource id to associate with adversary
victim_id = 2 # victim resource id to associate with adversary
ip_address = '10.121.82.247' # ip address to associate to adversary
rn = randint(1, 1000) # random number generator for testing
def __init__(self,
access_id="",
secret_key="",
default_org="",
base_url="",
out_file="tc.json",
sources="",
ioc_types="",
custom_ioc_key="",
feed_url="",
cb_server_token="",
cb_server_url="https://127.0.0.1",
cb_server_ssl_verify=False,
ioc_min=None,
niceness=None,
debug=False,
log_file=None,
max_iocs=5000):
logger.info("ThreatConnect Base URL: {0}".format(base_url))
self.tcapi = ThreatConnect(api_aid=access_id,
api_sec=secret_key,
api_url=base_url,
api_org=default_org)
self.sources = sources
self.ioc_min = ioc_min
self.ioc_types = ioc_types
logger.info("Configured IOC Types are : {0}".format(self.ioc_types))
logger.info("Configured IOC Min is : {0}".format(self.ioc_min))
self.custom_ioc_key = custom_ioc_key
self.max_iocs = max_iocs
if self.sources[0] == "*":
owners = self.tcapi.owners()
try:
# retrieve the Owners
owners.retrieve()
except RuntimeError as e:
logger.error(traceback.format_exc())
sys.exit(1)
# iterate through the Owners
self.sources = [owner.name for owner in owners]
logger.info("Sources = {0}".format(self.sources))
self.niceness = niceness
if self.niceness is not None:
os.nice(self.niceness)
self.debug = debug
if self.debug:
logger.setLevel(logging.DEBUG)
self.log_file = log_file
self.out_file = out_file
self.feed = None
self.cb = CbResponseAPI(url=cb_server_url,
token=cb_server_token,
ssl_verify=cb_server_ssl_verify)
self.feed_url = feed_url