def main(): role = "trustar" if len(sys.argv) > 1: role = sys.argv[1] ts = TruStar(config_file="trustar.conf", config_role=role) # generate random id to use as external_id external_id = str(randint(1, 100000)) # or use a specific external_id # external_id = "321" report_guid = None current_time = int(time.time()) * 1000 yesterday_time = current_time - to_milliseconds(days=1) if do_latest_reports: logger.info("Getting Latest Accessible Incident Reports Since 24 hours ago ...") try: # get each successive page of reports report_generator = ts.get_reports(from_time=yesterday_time, to_time=current_time, is_enclave=True, enclave_ids=ts.enclave_ids) for report in report_generator: logger.info(report) except Exception as e: logger.error('Could not get latest reports, error: %s' % e) print('') if do_reports_by_community: two_days_ago = current_time - to_milliseconds(days=2) logger.info("Getting community only reports for the previous day ...") try: reports = ts.get_reports(from_time=two_days_ago, to_time=yesterday_time, is_enclave=False) for report in reports: logger.info(report) except Exception as e: logger.error('Could not get community reports, error: %s' % e) print('') if do_reports_by_enclave: a_week_ago = current_time - to_milliseconds(days=7) logger.info("Getting enclave only reports for the previous week ...") try: reports = ts.get_reports(from_time=a_week_ago, to_time=current_time, is_enclave=True, enclave_ids=ts.enclave_ids) for report in reports: logger.info(report) except Exception as e: logger.error('Could not get community reports, error: %s' % e) print('') if do_correlated: logger.info("Querying Accessible Correlated Reports...") try: report_ids = ts.get_correlated_report_ids(search_string) logger.info(report_ids) logger.info("%d report(s) correlated with indicators '%s':\n" % (len(report_ids), search_string)) logger.info("\n".join(report_ids)) except Exception as e: logger.error('Could not get correlated reports, error: %s' % e) print('') if do_community_trends: logger.info("Get community trends...") try: indicators = ts.get_community_trends(indicator_type=None, days_back=1) for indicator in indicators: logger.info(indicator) except Exception as e: logger.error('Could not get community trends, error: %s' % e) print('') if do_query_indicators: try: logger.info("Getting related indicators...") indicators = ts.get_related_indicators(indicators=search_string) for indicator in indicators: logger.info(indicator) except Exception as e: logger.error('Could not get related indicators, error: %s' % e) # Submit simple test report to community if do_comm_submissions: logger.info("Submit New Community Incident Report") try: report = Report(title="COMMUNITY API SUBMISSION TEST", body=submit_indicators, time_began="2017-02-01T01:23:45", is_enclave=False) report = ts.submit_report(report) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not submit community report, error: %s' % e) print('') # Submit simple test report to your enclave if do_enclave_submissions: logger.info("Submit New Enclave Incident Report") try: report = Report(title="ENCLAVE API SUBMISSION TEST ", body=submit_indicators, time_began="2017-02-01T01:23:45", enclave_ids=ts.enclave_ids) report = ts.submit_report(report) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) logger.info(report) except Exception as e: logger.error('Could not submit enclave report, error: %s' % e) print('') # Submit a test report and retrieve it if do_submit_report: logger.info("Submit New Enclave Incident Report with External ID") try: report = Report(title="Sample SDK Test Report", body=submit_indicators, time_began="2017-02-01T01:23:45", is_enclave=True, enclave_ids=ts.enclave_ids, external_id=external_id) report = ts.submit_report(report) logger.info("Report Submitted") logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not submit report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_ext_id: logger.info("Get Incident Report By External ID") try: report = ts.get_report_details(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) report_guid = report.id except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Update a test report and test with get report if do_update_report_by_ext_id: logger.info("Update Incident Report By External ID") try: report = Report(title="Updated Sample Title", body="updated report body: 21.22.23.24", external_id=external_id, enclave_ids=ts.enclave_ids) report = ts.update_report(report) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not update report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_guid: logger.info("Get Incident Report Details by GUID (TruSTAR internal ID)") try: report = ts.get_report_details(report_guid) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Update a test report and test with get report if do_update_report_by_guid: logger.info("Update Incident Report by GUID (TruSTAR internal ID)") try: report = Report(id=report_guid, title="New Sample Title", body="new sample body - 7.8.9.10", enclave_ids=ts.enclave_ids) report = ts.update_report(report) logger.info("Updated Report using GUID") logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not update report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_guid: logger.info("Get Report by GUID (TruSTAR internal ID)") try: report = ts.get_report_details(report_guid) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Release report to community if do_release_report_by_ext_id: logger.info("Release Incident Report by External ID") try: report = Report(external_id=external_id, is_enclave=False) report = ts.update_report(report) logger.info("Report Released using External ID:") logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not release report, error: %s' % e) print('') # Get test report previously submitted if do_report_details_by_ext_id_2: logger.info("Get Incident Report Details by External ID") try: report = ts.get_report_details(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL) logger.info("\ttitle: %s" % report.title) logger.info("\texternalTrackingId: %s" % report.external_id) logger.info("\tURL: %s\n" % ts.get_report_url(report.id)) except Exception as e: logger.error('Could not get report, error: %s' % e) print('') # Delete test report previously submitted if do_delete_report_by_ext_id: logger.info("Delete Incident Report by External ID") try: ts.delete_report(report_id=external_id, id_type=Report.ID_TYPE_EXTERNAL) logger.info("Report Deleted using External ID\n") except Exception as e: logger.error('Could not delete report, error: %s' % e) print('') # Add an enclave tag to a newly created report if do_add_enclave_tag: logger.info("Add enclave tag to incident report") try: # submit report report = Report(title="Enclave report with tag", body=submit_indicators, is_enclave=True, enclave_ids=ts.enclave_ids) report = ts.submit_report(report) logger.info("\tId of new report %s\n" % report.id) # get back report details, including the enclave it's in report = ts.get_report_details(report_id=report.id) enclave_id = report.enclave_ids[0] # add an enclave tag tag_id = ts.add_enclave_tag(report_id=report.id, name="triage", enclave_id=enclave_id) # logger.info the added enclave tag logger.info("\tId of new enclave tag %s\n" % tag_id) # add another enclave tag tag_id = ts.add_enclave_tag(report_id=report.id, name="resolved", enclave_id=enclave_id) # logger.info the added enclave tag logger.info("\tId of new enclave tag %s\n" % tag_id) # Get enclave tag info if do_get_enclave_tags: logger.info("Get enclave tags for report") tags = ts.get_enclave_tags(report.id) logger.info("\tEnclave tags for report %s\n" % report.id) logger.info(tags) # delete enclave tag by name if do_delete_enclave_tag: logger.info("Delete enclave tag from report") response = ts.delete_enclave_tag(report.id, tag_id) logger.info("\tDeleted enclave tag for report %s\n" % report.id) logger.info(response) # add it back ts.add_enclave_tag(report_id=report.id, name="triage", enclave_id=enclave_id) # List all enclave tags tags = ts.get_all_enclave_tags(enclave_ids=ts.enclave_ids) logger.info("List of enclave tags for enclave %s\n" % enclave_id) logger.info(tags) # Search report by tag logger.info("Getting reports tagged 'triage'.") reports = ts.get_reports(from_time=yesterday_time, to_time=current_time, enclave_ids=ts.enclave_ids, tag="triage") for report in reports: logger.info(report) except Exception as e: logger.error('Could not handle enclave tag operation, error: %s' % e) print('') # search for reports containing term "abc" if do_search_reports: try: logger.info("Searching reports:") reports = ts.search_reports("abc") for report in reports: logger.info(report) except Exception as e: logger.error("Could not search reports, error: %s" % e) print('') # search for indicators matching pattern "abc" if do_search_indicators: try: logger.info("Searching indicators:") indicators = ts.search_indicators("abc") for indicator in indicators: logger.info(indicator) except Exception as e: logger.error("Could not search indicators, error: %s" % e) print('') if do_redact_report: try: logger.info("Redacting report:") redacted_report = ts.redact_report(title="amazon phishing scam", report_body="apple, microsoft, and amazon suffered " "from a phishing scam via [email protected]") logger.info(redacted_report) except Exception as e: logger.error("Could not redact report, error: %s" % e) print('')
# keep count of reports (for logging) report_count = 0 # get all reports from the specified enclaves and in the given time interval reports = ts.get_reports(from_time=from_time, to_time=to_time, is_enclave=True, enclave_ids=ts.enclave_ids) # iterate over the reports, finding the tags and indicators for each for report in reports: logger.info("Found report %s." % report.id) # get all tags for the report and convert list to string tags = [tag.name for tag in ts.get_enclave_tags(report.id)] # join tags into a semicolon-separated list tags = ';'.join(tags) logger.info("Tags: %s" % tags) logger.info("Writing indicators for report...") # keep count of indicators for this report (for logging) indicator_count = 0 # get indicators for report and write CSV row for each for indicator in ts.get_indicators_for_report(report.id): # create CSV row row = {
for report in reports: # initialize and set MISPOrganisation() orgc = MISPOrganisation() orgc.name = 'RH-ISAC' orgc.id = '#{ORGC_ID}' # organisation id orgc.uuid = '#{ORGC_UUID}' # organisation uuid # initialize and set MISPEvent() event = MISPEvent() event.Orgc = orgc event.info = report.title event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config event.analysis = 0 # Optional, defaults to 0 (initial analysis) # get tags for report for tag in tru.get_enclave_tags(report.id): event.add_tag(tag.name) # get indicators for report for indicator in tru.get_indicators_for_report(report.id): # map trustar indicator type to MISP format indicator_type = { "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SOFTWARE": "filename", "URL": "link", "EMAIL_ADDRESS": "email-src", "IP": "ip-dst", "MALWARE": "malware-type",