# retrieve configuration file
config = ConfigParser.RawConfigParser()
config.read(config_file)

try:
    api_access_id = config.get('threatconnect', 'api_access_id')
    api_secret_key = config.get('threatconnect', 'api_secret_key')
    api_default_org = config.get('threatconnect', 'api_default_org')
    api_base_url = config.get('threatconnect', 'api_base_url')
    api_result_limit = int(config.get('threatconnect', 'api_result_limit'))
except ConfigParser.NoOptionError:
    print('Could not retrieve configuration file.')
    sys.exit(1)

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)
tc.set_api_result_limit(api_result_limit)
tc.report_enable()

#
# CHANGE FOR YOUR TESTING ENVIRONMENT
# - These victims must be created before running this script
#
owner = 'Example Community'  # org or community
lu_id = 1  # adversary id for loop update
mu_id = 4  # adversary id for manual update
# dl_id = 999999  # adversary id to delete
email_id = 17  # email resource id to associate with adversary
email_address = '*****@*****.**'  # email address to associate to adversary
rn = randint(1, 1000)  # random number generator for testing

config = ConfigParser.RawConfigParser()
config.read(config_file)

try:
    api_access_id = config.get('threatconnect', 'api_access_id')
    api_secret_key = config.get('threatconnect', 'api_secret_key')
    api_default_org = config.get('threatconnect', 'api_default_org')
    api_base_url = config.get('threatconnect', 'api_base_url')
    api_result_limit = int(config.get('threatconnect', 'api_result_limit'))
except ConfigParser.NoOptionError:
    print('Could not retrieve configuration file.')
    sys.exit(1)

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org,
                   api_base_url)
tc.set_api_result_limit(api_result_limit)
tc.report_enable()

#
# CHANGE FOR YOUR TESTING ENVIRONMENT
# - These adversaries must be created before running this script
#
lu_id = 22  # task id for loop update
mu_id = 23  # task id for manual update
# dl_id = 999999  # adversary id to delete
email_id = 27  # email resource id to associate with adversary
victim_id = 2  # victim resource id to associate with adversary
ip_address = '10.121.82.247'  # ip address to associate to adversary
rn = randint(1, 1000)  # random number generator for testing

Example #3
0
class ThreatConnectPlugin(Plugin):
    @property
    def enabled(self):
        return settings.THREATCONNECT_ACCESS_ID is not None and \
            settings.THREATCONNECT_SECRET_KEY is not None

    def activate(self):
        logger.debug('Activating %s' % self.__class__.__name__)
        self.service = ThreatConnect(
            settings.THREATCONNECT_ACCESS_ID,
            settings.THREATCONNECT_SECRET_KEY,
            settings.THREATCONNECT_DEFAULT_ORG,
            settings.THREATCONNECT_BASE_URL)
        self.service.set_api_result_limit(100)

    def retrieve_indicator(self, indicator, indicator_type=None):
        indicators = self.service.indicators()
        if indicator_type:
            f = indicators.add_filter(indicator_type)
        else:
            f = indicators.add_filter()
        f.add_owner(['Common Community'])
        f.add_indicator(indicator)
        results = sorted(indicators.retrieve(), key=lambda x: x.rating)
        return results[-1] if results else None

    def threshold_met(self, report):
        return hasattr(report, 'rating') and report.rating >= 1 and \
            hasattr(report, 'confidence') and report.confidence >= 50

    def react(self):
        if not any(self.reports.values()):
            return
        rating = max([0] + [r.rating for r in self.reports.values()
                     if r and hasattr(r, 'rating') and r.rating])
        return self.reaction(rating)

    def reaction(self, score):
        if score == 0:
            return 'sunny'
        elif 0 <= score < 0.5:
            return 'mostly_sunny'
        elif 0.5 <= score < 1:
            return 'partly_sunny'
        elif 1 <= score < 2:
            return 'barely_sunny'
        elif 2 <= score < 2.5:
            return 'cloud'
        elif 2.5 <= score < 3:
            return 'rain_cloud'
        elif 3 <= score < 3.5:
            return 'thunder_cloud_and_rain'
        elif 3.5 <= score < 4:
            return 'lightning'
        elif score >= 4:
            return 'tornado'

    def risk_level(self, score):
        try:
            score = float(score)
        except TypeError:
            return 'UNKNOWN'

        if score == 0:
            return 'UNKNOWN'
        elif 0 < score < 1:
            return 'VERY LOW'
        elif 1 <= score < 2:
            return 'LOW'
        elif 2 <= score < 3:
            return 'MODERATE'
        elif 3 <= score < 4:
            return 'HIGH'
        elif score >= 4:
            return 'VERY HIGH'
Example #4
0
class ThreatConnectPlugin(Plugin):
    @property
    def enabled(self):
        return settings.THREATCONNECT_ACCESS_ID is not None and \
            settings.THREATCONNECT_SECRET_KEY is not None

    def activate(self):
        logger.debug('Activating %s' % self.__class__.__name__)
        self.service = ThreatConnect(settings.THREATCONNECT_ACCESS_ID,
                                     settings.THREATCONNECT_SECRET_KEY,
                                     settings.THREATCONNECT_DEFAULT_ORG,
                                     settings.THREATCONNECT_BASE_URL)
        self.service.set_api_result_limit(100)

    def retrieve_indicator(self, indicator, indicator_type=None):
        indicators = self.service.indicators()
        if indicator_type:
            f = indicators.add_filter(indicator_type)
        else:
            f = indicators.add_filter()
        f.add_owner(['Common Community'])
        f.add_indicator(indicator)
        results = sorted(indicators.retrieve(), key=lambda x: x.rating)
        return results[-1] if results else None

    def threshold_met(self, report):
        return hasattr(report, 'rating') and report.rating >= 1 and \
            hasattr(report, 'confidence') and report.confidence >= 50

    def react(self):
        if not any(self.reports.values()):
            return
        rating = max([0] + [
            r.rating for r in self.reports.values()
            if r and hasattr(r, 'rating') and r.rating
        ])
        return self.reaction(rating)

    def reaction(self, score):
        if score == 0:
            return 'sunny'
        elif 0 <= score < 0.5:
            return 'mostly_sunny'
        elif 0.5 <= score < 1:
            return 'partly_sunny'
        elif 1 <= score < 2:
            return 'barely_sunny'
        elif 2 <= score < 2.5:
            return 'cloud'
        elif 2.5 <= score < 3:
            return 'rain_cloud'
        elif 3 <= score < 3.5:
            return 'thunder_cloud_and_rain'
        elif 3.5 <= score < 4:
            return 'lightning'
        elif score >= 4:
            return 'tornado'

    def risk_level(self, score):
        try:
            score = float(score)
        except TypeError:
            return 'UNKNOWN'

        if score == 0:
            return 'UNKNOWN'
        elif 0 < score < 1:
            return 'VERY LOW'
        elif 1 <= score < 2:
            return 'LOW'
        elif 2 <= score < 3:
            return 'MODERATE'
        elif 3 <= score < 4:
            return 'HIGH'
        elif score >= 4:
            return 'VERY HIGH'
Example #5
0
config.read('./tc.conf')

try:
    api_access_id = config.get('threatconnect', 'api_access_id')
    api_secret_key = config.get('threatconnect', 'api_secret_key')
    api_default_org = config.get('threatconnect', 'api_default_org')
    api_base_url = config.get('threatconnect', 'api_base_url')

    api_result_limit = config.get('threatconnect', 'api_result_limit')
except ConfigParser.NoOptionError:
    print('Could not read configuration file.')
    sys.exit(1)

tc = ThreatConnect(api_access_id, api_secret_key, api_default_org,
                   api_base_url)
tc.set_api_result_limit(1000)

# instantiate Owners object
#owners = tc.owners()
owners = ['ThreatConnect Intelligence', 'Common Community']

groups = tc.groups()

filter1 = groups.add_filter()
# only retrieve Groups from the given owner(s)
filter1.add_owner(owners)

try:
    groups.retrieve()
except RuntimeError as e:
    print('Error: {0}'.format(e))