def file_references(hash): config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash references = tie_client.get_file_first_references(hash_param) table = references_to_table(references) # creaet context context_file = {} hash_type_uppercase = hash_type.upper() context_file[hash_type_uppercase] = hash context_file['References'] = table ec = {} ec[outputPaths['file']] = context_file return { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': references, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('References for hash %s' % (hash,), table), 'EntryContext': ec }
class FunctionComponent(ResilientComponent): """Component that implements Resilient function 'mcafee_tie_search_hash""" config_file = "dxlclient_config" def __init__(self, opts): """constructor provides access to the configuration options""" super(FunctionComponent, self).__init__(opts) try: config = opts.get("fn_mcafee_tie").get(self.config_file) if config is None: LOG.error(self.config_file + " is not set. You must set this path to run this function") raise ValueError(self.config_file + " is not set. You must set this path to run this function") LOG.info("Using %s to create configuration for DxlClient", config) # Create configuration from file for DxlClient self.config = DxlClientConfig.create_dxl_config_from_file(config) except AttributeError: LOG.error("There is no [fn_mcafee_tie] section in the config file, " "please set that by running resilient-circuits config -u") raise AttributeError("[fn_mcafee_tie] section is not set in the config file") self.client = DxlClient(self.config) self._connect_client() def _connect_client(self): # Connect client if not self.client.connected: self.client.connect() self.tie_client = TieClient(self.client) @handler("reload") def _reload(self, event, opts): """Configuration options have changed, save new values""" self.options = opts.get("fn_mcafee_tie", {}) @function("mcafee_tie_search_hash") def _mcafee_tie_search_hash_function(self, event, *args, **kwargs): """Function: """ yield StatusMessage("Searching Hash...") try: response_dict = {} # Get the function parameters: mcafee_tie_hash_type = kwargs.get("mcafee_tie_hash_type") # text if not mcafee_tie_hash_type: yield FunctionError("mcafee_tie_hash_type is required") mcafee_tie_hash = kwargs.get("mcafee_tie_hash") # text if not mcafee_tie_hash: yield FunctionError("mcafee_tie_hash is required") LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format( mcafee_tie_hash_type, mcafee_tie_hash)) if mcafee_tie_hash_type == "md5": resilient_hash = {HashType.MD5: mcafee_tie_hash} elif mcafee_tie_hash_type == "sha1": resilient_hash = {HashType.SHA1: mcafee_tie_hash} elif mcafee_tie_hash_type == "sha256": resilient_hash = {HashType.SHA256: mcafee_tie_hash} else: yield FunctionError("Something went wrong setting the hash value") # Make sure client is connected self._connect_client() reputations_dict = \ self.tie_client.get_file_reputation( resilient_hash ) system_list = self.tie_client.get_file_first_references( resilient_hash ) response_dict["Enterprise"] = self._get_enterprise_info(reputations_dict) response_dict["GTI"] = self._get_gti_info(reputations_dict) response_dict["ATD"] = self._get_atd_info(reputations_dict) response_dict["MWG"] = self._get_mwg_info(reputations_dict) response_dict["system_list"] = system_list yield StatusMessage("Done...") # Produce a FunctionResult with the return value yield FunctionResult(response_dict) except Exception as err: yield FunctionError(err) def _get_enterprise_info(self, reputations_dict): ent_dict = {} # Information for Enterprise file provider if FileProvider.ENTERPRISE in reputations_dict: ent_rep = reputations_dict[FileProvider.ENTERPRISE] ent_dict["File Provider"] = "Enterprise" ent_dict["Create Date"] = EpochMixin.to_localtime_string(ent_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(ent_rep[ReputationProp.TRUST_LEVEL]) if trust_level: ent_dict["Trust Level"] = trust_level # Retrieve the enterprise reputation attributes if ReputationProp.ATTRIBUTES in ent_rep: ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES] attribs_dict = {} if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs: attribs_dict["Prevalence"] = ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE] if FileEnterpriseAttrib.ENTERPRISE_SIZE in ent_rep_attribs: attribs_dict["Enterprise Size"] = ent_rep_attribs[FileEnterpriseAttrib.ENTERPRISE_SIZE] if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs: attribs_dict["First Contact"] = FileEnterpriseAttrib.to_localtime_string( ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT]) if FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP in ent_rep_attribs: attribs_dict["Parent Avg Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP])) if FileEnterpriseAttrib.PARENT_FILE_REPS in ent_rep_attribs: attribs_dict["Parent File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_FILE_REPS]) if FileEnterpriseAttrib.CHILD_FILE_REPS in ent_rep_attribs: attribs_dict["Child File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[ FileEnterpriseAttrib.CHILD_FILE_REPS]) if FileEnterpriseAttrib.AVG_LOCAL_REP in ent_rep_attribs: attribs_dict["Average Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.AVG_LOCAL_REP])) if FileEnterpriseAttrib.MAX_LOCAL_REP in ent_rep_attribs: attribs_dict["Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.MAX_LOCAL_REP])) if FileEnterpriseAttrib.MIN_LOCAL_REP in ent_rep_attribs: attribs_dict["Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.MIN_LOCAL_REP])) if FileEnterpriseAttrib.DETECTION_COUNT in ent_rep_attribs: attribs_dict["Detection Count"] = ent_rep_attribs[FileEnterpriseAttrib.DETECTION_COUNT] if FileEnterpriseAttrib.FILE_NAME_COUNT in ent_rep_attribs: attribs_dict["File Name Count"] = ent_rep_attribs[FileEnterpriseAttrib.FILE_NAME_COUNT] if FileEnterpriseAttrib.LAST_DETECTION_TIME in ent_rep_attribs: attribs_dict["Last Detection Time"] = FileEnterpriseAttrib.to_localtime_string( ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT]) if FileEnterpriseAttrib.IS_PREVALENT in ent_rep_attribs: attribs_dict["Is Prevalent"] = ent_rep_attribs[FileEnterpriseAttrib.IS_PREVALENT] if FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP in ent_rep_attribs: attribs_dict["Parent Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP])) if FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP in ent_rep_attribs: attribs_dict["Parent Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP])) ent_dict["Attributes"] = attribs_dict return ent_dict def _get_gti_info(self, reputations_dict): gti_dict = {} # Information for GTI file provider if FileProvider.GTI in reputations_dict: gti_rep = reputations_dict[FileProvider.GTI] gti_dict["File Provider"] = "GTI" gti_dict["Create Date"] = EpochMixin.to_localtime_string(gti_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(gti_rep[ReputationProp.TRUST_LEVEL]) if trust_level: gti_dict["Trust Level"] = trust_level # Retrieve the GTI reputation attributes if ReputationProp.ATTRIBUTES in gti_rep: gti_rep_attribs = gti_rep[ReputationProp.ATTRIBUTES] attribs_dict = {} # Get prevalence (if it exists) if FileGtiAttrib.PREVALENCE in gti_rep_attribs: attribs_dict["Prevalence"] = gti_rep_attribs[FileGtiAttrib.PREVALENCE] # Get First Contact Date (if it exists) if FileGtiAttrib.FIRST_CONTACT in gti_rep_attribs: attribs_dict["First Contact"] = EpochMixin.to_localtime_string(gti_rep_attribs[ FileGtiAttrib.FIRST_CONTACT]) gti_dict["Attributes"] = attribs_dict return gti_dict def _get_atd_info(self, reputations_dict): atd_dict = {} # Information for Advanced Threat Defense file provider if FileProvider.ATD in reputations_dict: atd_rep = reputations_dict[FileProvider.ATD] atd_dict["File Provider"] = "ATD" atd_dict["Create Date"] = EpochMixin.to_localtime_string(atd_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(atd_rep[ReputationProp.TRUST_LEVEL]) if trust_level: atd_dict["Trust Level"] = trust_level # Retrieve the ATD reputation attributes if ReputationProp.ATTRIBUTES in atd_rep: atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES] attribs_dict = {} # Get Trust scores if AtdAttrib.GAM_SCORE in atd_rep_attribs: attribs_dict["GAM Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.GAM_SCORE) if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs: attribs_dict["AV Engine Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.AV_ENGINE_SCORE) if AtdAttrib.GAM_SCORE in atd_rep_attribs: attribs_dict["Sandbox Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.SANDBOX_SCORE) if AtdAttrib.GAM_SCORE in atd_rep_attribs: attribs_dict["Verdict"] = self._get_atd_trust_level(atd_rep, AtdAttrib.VERDICT) if AtdAttrib.BEHAVIORS in atd_rep_attribs: attribs_dict["Behaviors"] = atd_rep_attribs[AtdAttrib.BEHAVIORS] atd_dict["Attributes"] = attribs_dict return atd_dict def _get_mwg_info(self, reputations_dict): mwg_dict = {} # Information for file provider if FileProvider.MWG in reputations_dict: mwg_rep = reputations_dict[FileProvider.MWG] mwg_dict["File Provider"] = "MWG" mwg_dict["Create Date"] = EpochMixin.to_localtime_string(mwg_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(mwg_rep[ReputationProp.TRUST_LEVEL]) if trust_level: mwg_dict["Trust Level"] = trust_level return mwg_dict @staticmethod def _get_trust_level(trust_level_number): trust_level = "" if TrustLevel.KNOWN_TRUSTED_INSTALLER is trust_level_number: trust_level = "Known Trusted Installer" elif TrustLevel.KNOWN_TRUSTED is trust_level_number: trust_level = "Known Trusted" elif TrustLevel.MOST_LIKELY_TRUSTED is trust_level_number: trust_level = "Most Likely Trusted" elif TrustLevel.MIGHT_BE_TRUSTED is trust_level_number: trust_level = "Might Be Trusted" elif TrustLevel.UNKNOWN is trust_level_number: trust_level = "Unknown" elif TrustLevel.MIGHT_BE_MALICIOUS is trust_level_number: trust_level = "Might be Malicious" elif TrustLevel.MOST_LIKELY_MALICIOUS is trust_level_number: trust_level = "Most Likely Malicious" elif TrustLevel.KNOWN_MALICIOUS is trust_level_number: trust_level = "Known Malicious" elif TrustLevel.NOT_SET is trust_level_number: trust_level = "Not Set" return trust_level @staticmethod def _get_atd_trust_level(atd_rep, rep_provider): trust_level = "" if AtdTrustLevel.KNOWN_TRUSTED is atd_rep[rep_provider]: trust_level = "Known Trusted" elif AtdTrustLevel.MOST_LIKELY_TRUSTED is atd_rep[rep_provider]: trust_level = "Most Likely Trusted" elif AtdTrustLevel.MIGHT_BE_TRUSTED is atd_rep[rep_provider]: trust_level = "Might Be Trusted" elif AtdTrustLevel.UNKNOWN is atd_rep[rep_provider]: trust_level = "Unknown" elif AtdTrustLevel.MIGHT_BE_MALICIOUS is atd_rep[rep_provider]: trust_level = "Might be Malicious" elif AtdTrustLevel.MOST_LIKELY_MALICIOUS is atd_rep[rep_provider]: trust_level = "Most Likely Malicious" elif AtdTrustLevel.KNOWN_MALICIOUS is atd_rep[rep_provider]: trust_level = "Known Malicious" elif AtdTrustLevel.NOT_SET is atd_rep[rep_provider]: trust_level = "Not Set" return trust_level
logger = logging.getLogger(__name__) # Create DXL configuration from file config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE) FILE_MD5 = "<specify the MD5 for the file>" FILE_SHA1 = "<specify the SHA-1 for the file>" FILE_SHA256 = "<specify the SHA-256 for the file>" # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) # Get the list of systems that have referenced the file system_list = \ tie_client.get_file_first_references({ HashType.MD5: FILE_MD5, HashType.SHA1: FILE_SHA1, HashType.SHA256: FILE_SHA256 }) print "\nSystems that have referenced the file:\n" for system in system_list: print "\t" + system[FirstRefProp.SYSTEM_GUID] + ": " + \ FirstRefProp.to_localtime_string(system[FirstRefProp.DATE])