def refer_observables():
observables = filter_observables(get_observables())
data = []
if not observables:
return jsonify_data(data)
for observable in observables:
type_ = current_app.config['AUTOFOCUS_OBSERVABLE_TYPES'][
observable['type']]
data.append({
'id':
'ref-palo-alto-autofocus-search-{type}-{value}'.format(
**observable),
'title':
f'Search for this {type_}',
'description':
f'Look up this {type_} on {SOURCE_NAME}',
'url':
Entity.get_source_uri(observable['type'], observable['value']),
'categories': ['Search', SOURCE_NAME]
})
return jsonify_data(data)
def respond_observables():
relay_input = get_observables()
observables = filter_observables(relay_input)
api_client = ReferenceDataClient(get_credentials(), current_app.config)
params = {
'filter': 'element_type = "IP"',
'fields': 'number_of_elements, name'
}
result = api_client.get_reference_sets(params)
actions = []
securex_set_absent = True
for observable in observables:
for set_ in result:
if set_['name'] == current_app.config['SECUREX_SET_NAME']:
securex_set_absent = False
if set_['number_of_elements'] > 0:
data = api_client.get_reference_set_data(set_['name'])
if observable in str(data):
actions.append(remove_from(observable, set_['name']))
continue
else:
actions.append(add_to(observable, set_['name']))
if securex_set_absent:
actions.append(add_and_create(observable))
securex_set_absent = True
actions.sort(key=lambda item: item['title'])
return jsonify_data(actions)
def observe_observables():
misp = create_misp_instance()
observables = filter_observables(get_observables())
g.verdicts = []
g.judgements = []
g.sightings = []
g.indicators = []
g.relationships = []
for observable in observables:
mapping = Mapping(observable)
# This check was added due to the fact that MISP
# returns all data in case of searching for spaces.
if not observable['value'].strip():
continue
events = misp.search(value=observable['value'],
metadata=False,
limit=current_app.config['CTR_ENTITIES_LIMIT'])
events.sort(key=lambda elem: elem['Event']['threat_level_id'])
judgements_for_observable = []
for event in events:
judgement = mapping.extract_judgement(event['Event'])
judgements_for_observable.append(judgement)
sighting = mapping.extract_sighting(event['Event'])
g.sightings.append(sighting)
indicator = mapping.extract_indicator(event['Event'])
g.indicators.append(indicator)
g.relationships.append(
mapping.extract_relationship(
sighting['id'], indicator['id'],
current_app.config['MEMBER_OF_RELATION']))
g.relationships.append(
mapping.extract_relationship(
judgement['id'], indicator['id'],
current_app.config['ELEMENT_OF_RELATION']))
if judgements_for_observable:
g.judgements.extend(judgements_for_observable)
verdict = mapping.extract_verdict(events[0]['Event'])
verdict['judgement_id'] = judgements_for_observable[0]['id']
g.verdicts.append(verdict)
return jsonify_result()
def refer_observables():
relay_input = get_observables()
observables = filter_observables(relay_input)
if not observables:
return jsonify_data([])
_ = get_credentials()
relay_output = []
for observable in observables:
relay_output.append(get_search_pivots(observable))
return jsonify_data(relay_output)
def observe_observables():
def query_qradar(obs):
query_with_observables = arial_query.build(
observable=obs,
names=names,
time=get_time_intervals(),
limit=current_app.config['CTR_ENTITIES_LIMIT'])
if not query_with_observables:
return jsonify_data({})
search_id, status = api_client.create_search(query_with_observables)
start_time = time()
while status != 'COMPLETED':
if (time() - start_time <
current_app.config['SEARCH_TIMOUT_IN_SEC']):
status = api_client.get_search(search_id)['status']
else:
raise QRadarTimeoutError
return api_client.get_search_results(search_id)['events']
relay_input = get_observables()
observables = filter_observables(relay_input)
if not observables:
return jsonify_data({})
api_client = ArielSearchClient(get_credentials(), current_app.config)
arial_query = ArielQuery()
params = {
'fields': 'columns (name)',
'filter': 'object_value_type = "Host"'
}
names = api_client.get_metadata(params)
g.sightings = []
for observable in observables:
response = query_qradar(observable)
for event in response:
mapping = Mapping()
g.sightings.append(mapping.sighting(observable, event))
return jsonify_result()
def deliberate_observables():
misp = create_misp_instance()
observables = filter_observables(get_observables())
g.verdicts = []
for observable in observables:
mapping = Mapping(observable)
events = misp.search(value=observable['value'], metadata=False)
events.sort(key=lambda elem: elem['Event']['threat_level_id'])
# We sort events in order to create a single Verdict for a set
# of events based on the fact that High threat level has
# priority over all others, then Medium threat level,
# and so on down to Undefined.
if events:
g.verdicts.append(mapping.extract_verdict(events[0]['Event']))
return jsonify_result()
def get_entities():
api_key = get_api_key()
observables = filter_observables(get_observables())
if not observables:
return {}
ApiClient.health_test_observable = current_app.config['HEALTH_OBSERVABLE']
client = ApiClient(api_key=api_key,
base_url=current_app.config['AUTOFOCUS_API_URL'],
user_agent=current_app.config['USER_AGENT'])
with ThreadPoolExecutor(
max_workers=get_workers(len(observables))) as executor:
entities = executor.map(
lambda observable: create_entity(
response=client.get_tic_indicator_data(observable),
observable=observable,
), observables)
return entities
def refer_observables():
_ = create_misp_instance()
observables = filter_observables(get_observables())
url = current_app.config['MISP_REFER_URL']
relay_output = [{
'id': (f'ref-misp-search-{observable["type"]}-' + observable["value"]),
'title':
('Search events with this '
f'{current_app.config["SUPPORTED_TYPES"][observable["type"]]}'),
'description':
('Lookup events with this '
f'{current_app.config["SUPPORTED_TYPES"][observable["type"]]} '
'on MISP'),
'url':
url.format(host=current_app.config['HOST'],
observable=observable['value']),
'categories': ['Search', 'MISP'],
} for observable in observables]
return jsonify_data(relay_output)
