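def dotransform(request, response, config):
    """Search Threat Central for the request value and add one entity per hit.

    Each hit is a dict; its ``type`` selects the entity class (Actor, Case,
    CoursesOfAction, Indicator, Incident, TTP) and its ``tcScore`` the entity
    weight. Unknown types become a ``Phrase`` so no hit is dropped silently.

    Args:
        request: transform request; ``request.value`` is the search term.
        response: transform response that entities and UI messages are added to.
        config: transform configuration (not used by this transform).

    Returns:
        ``response``. Failures are reported as ``PartialError`` UI messages
        rather than raised, so the caller always gets the response object back.
    """
    # Entity class per Threat Central result type, for every type that needs
    # no special handling (actors are built separately below).
    entity_types = {
        'case': Case,
        'coursesofactions': CoursesOfAction,
        'indicator': Indicator,
        'incident': Incident,
        # the API's 'tacticstechniquesandprocedures' type is reported as 'ttp'
        'ttp': TTP,
    }

    def score_weight(result):
        """Entity weight from ``tcScore``: 1 when absent, empty or non-numeric."""
        score = result.get('tcScore')
        if not score:
            return 1
        try:
            return int(score)
        except (TypeError, ValueError):
            # A malformed score must not abort the whole result set.
            return 1

    def build_entity(result):
        """Map one search hit to a Maltego entity carrying title, id and description."""
        title = encode_to_utf8(result.get('title'))
        # A missing/None type falls through to the Phrase fallback instead of
        # raising AttributeError and aborting the remaining results.
        rtype = (result.get('type') or '').lower()
        weight = score_weight(result)
        if rtype == 'actor':
            # Actor entities can have an empty title; resource > name is the
            # fallback display value and is always set as name/actor.
            name = encode_to_utf8(result.get('resource', dict()).get('name'))
            e = Actor(title if result.get('title') else name, weight=weight)
            e.name = name
            e.actor = name
        elif rtype in entity_types:
            e = entity_types[rtype](title, weight=weight)
        else:
            # To be safe: unknown types still produce an entity.
            e = Phrase(title, weight=weight)
            debug(rtype)
        e.title = title
        e.resourceId = result.get('id')
        description = result.get('description')
        if description:
            # NOTE(review): description is free text from the remote service;
            # only newlines are rewritten to <br/>. If Label values are rendered
            # as HTML by the client, any other markup in it passes through
            # unescaped -- confirm whether escaping is required here.
            e += Label('Description', encode_to_utf8(description).replace('\n', '<br/>'))
        return e

    try:
        results = search(request.value)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for result in results:
            response += build_entity(result)
    except (AttributeError, TypeError) as err:
        # A malformed result aborts the remaining hits; report it instead of
        # returning silently as the former bare TypeError branch did.
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    return response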
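def dotransform(request, response, config):
    """Search Threat Central (first page, 10 hits) and add one entity per hit.

    Each hit is a dict; its ``type`` selects the entity class (Actor, Case,
    CoursesOfAction, Indicator, Incident, TTP) and its ``tcScore`` the entity
    weight. Unknown types become a ``Phrase`` so no hit is dropped silently.

    Args:
        request: transform request; ``request.value`` is the search term.
        response: transform response that entities and UI messages are added to.
        config: transform configuration (not used by this transform).

    Returns:
        ``response``. Failures are reported as ``PartialError`` UI messages
        rather than raised, so the caller always gets the response object back.
    """
    # Entity class per Threat Central result type, for every type that needs
    # no special handling (actors are built separately below).
    entity_types = {
        'case': Case,
        'coursesofactions': CoursesOfAction,
        'indicator': Indicator,
        'incident': Incident,
        # the API's 'tacticstechniquesandprocedures' type is reported as 'ttp'
        'ttp': TTP,
    }

    def score_weight(result):
        """Entity weight from ``tcScore``: 1 when absent, empty or non-numeric."""
        score = result.get('tcScore')
        if not score:
            return 1
        try:
            return int(score)
        except (TypeError, ValueError):
            # A malformed score must not abort the whole result set.
            return 1

    def build_entity(result):
        """Map one search hit to a Maltego entity carrying title, id and description."""
        title = encode_to_utf8(result.get('title'))
        # A missing/None type falls through to the Phrase fallback instead of
        # raising AttributeError and aborting the remaining results.
        rtype = (result.get('type') or '').lower()
        weight = score_weight(result)
        if rtype == 'actor':
            # Actor entities can have an empty title; resource > name is the
            # fallback display value and is always set as name/actor.
            name = encode_to_utf8(result.get('resource', dict()).get('name'))
            e = Actor(title if result.get('title') else name, weight=weight)
            e.name = name
            e.actor = name
        elif rtype in entity_types:
            e = entity_types[rtype](title, weight=weight)
        else:
            # To be safe: unknown types still produce an entity.
            e = Phrase(title, weight=weight)
            debug(rtype)
        e.title = title
        e.resourceId = result.get('id')
        description = result.get('description')
        if description:
            # NOTE(review): description is free text from the remote service;
            # only newlines are rewritten to <br/>. If Label values are rendered
            # as HTML by the client, any other markup in it passes through
            # unescaped -- confirm whether escaping is required here.
            e += Label('Description', encode_to_utf8(description).replace('\n', '<br/>'))
        return e

    try:
        # Single page of at most 10 hits, as before.
        results = search(request.value, size=10, pages=1)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        for result in results:
            response += build_entity(result)
    except (AttributeError, TypeError) as err:
        # A malformed result aborts the remaining hits; report it instead of
        # returning silently as the former bare TypeError branch did.
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    return response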
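def dotransform(request, response, config):
    """Look up the request value in Threat Recon and add the matches to the response.

    ``search`` is called with ``cache=False`` so live Threat Recon data is
    returned. When the result is a ``defaultdict`` keyed by root node, the
    records under the empty root node are expanded into typed entities (with
    the record's comment as notes and its other fields as labels); every other
    root node is added as a ``ThreatRecon`` entity. Any other result shape is
    ignored.

    Args:
        request: transform request; ``request.value`` is the lookup key.
        response: transform response entities are added to.
        config: transform configuration (not used by this transform).

    Returns:
        ``response``.
    """
    # Record fields shown as labels on the entity.
    tr_details = [
        'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
        'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
        'Comment', 'RootNode', 'Confidence',
    ]
    # Entity class per Threat Recon indicator type (compared lower-cased and
    # stripped); records of any other type are skipped.
    entity_types = {
        'whois email': EmailAddress,
        'name server': NSRecord,
        'domain': Domain,
        'ip': IPv4Address,
        'phone or fax no.': PhoneNumber,
        'whois address component': Phrase,
        'email': EmailAddress,
        'netname': NetNameThreatRecon,
        'cidr': IPv4Address,
        'netrange': Netblock,
    }
    # Default link colour (black).
    linkcolor = "0x000000"

    # Disable the cache to get actual data from Threat Recon; the returned
    # cache handle is not needed here.
    _cache, found = search(request.value, cache=False)
    if not found or not isinstance(found, defaultdict):
        return response

    # .items() rather than .iteritems() so the transform also runs on Python 3.
    for rootnode, records in found.items():
        if rootnode:
            # Non-empty root nodes are displayed as ThreatRecon entities.
            response += ThreatRecon(rootnode)
            continue
        # The empty root node holds the attribute records themselves.
        for indicator in records:
            indtype = (indicator.get('Type') or '').lower().strip()
            value = indicator.get('Indicator')
            entity_cls = entity_types.get(indtype)
            if entity_cls is None or value is None:
                # Unknown type or missing value: nothing sensible to display
                # (the former code raised KeyError on a missing key).
                continue
            # NOTE(review): the indicator value goes into the entity as-is;
            # only notes and labels pass through string_filter -- confirm that
            # is intended for feed-supplied values.
            e = entity_cls(value)
            if indtype == 'domain':
                e.fqdn = value
            e.linkcolor = linkcolor
            comment = indicator.get('Comment')
            if comment:
                e.notes = string_filter(comment)
            # Every non-empty detail field becomes a label ('Comment' included,
            # so it appears both as notes and as a label, as before).
            for detail in tr_details:
                if indicator.get(detail):
                    e += Label(name=detail, value=string_filter(indicator[detail]))
            response += e
    return response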
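def dotransform(request, response, config):
    """Look up the request value in Threat Recon and add the matching records.

    ``found`` is expected to be a list of record dicts. Each record becomes an
    entity chosen by its ``Type`` (with the record's comment as notes, its
    other fields as labels and a red link when ``Confidence`` is 70 or more).
    A record whose ``Rrname`` / ``Rdata`` / ``Country`` fields are set
    additionally yields a Domain / IPv4Address / Location entity. Any other
    result shape is ignored.

    Args:
        request: transform request; ``request.value`` is the lookup key.
        response: transform response entities are added to.
        config: transform configuration (not used by this transform).

    Returns:
        ``response``.
    """
    # Record fields shown as labels on the entity.
    tr_details = [
        'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
        'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
        'Comment', 'RootNode', 'Confidence',
    ]
    # Entity class per Threat Recon indicator type (compared lower-cased and
    # stripped); records of any other type are skipped.
    entity_types = {
        'whois email': EmailAddress,
        'name server': NSRecord,
        'domain': Domain,
        'ip': IPv4Address,
        'phone or fax no.': PhoneNumber,
        'whois address component': Phrase,
        'email': EmailAddress,
        'netname': NetNameThreatRecon,
        'cidr': IPv4Address,
        'netrange': Netblock,
    }
    # Default link colour is black; high-confidence records get red.
    linkcolor = "0x000000"
    high_confidence_color = "0xff0000"

    _cache, found = search(request.value)
    if not found or not isinstance(found, list):
        return response

    for indicator in found:
        debug(indicator)
        indtype = (indicator.get('Type') or '').lower().strip()

        # Related entities derived from other fields; added only when the
        # record itself is not already a domain / IP indicator.
        rrname = indicator.get('Rrname')
        if indtype != 'domain' and rrname and rrname != 'NA':
            d = Domain(rrname)
            d.fqdn = rrname
            response += d
        rdata = indicator.get('Rdata')
        if indtype != 'ip' and rdata:
            response += IPv4Address(rdata)
        country = indicator.get('Country')
        if country:
            response += Location(country)

        entity_cls = entity_types.get(indtype)
        value = indicator.get('Indicator')
        if entity_cls is None or value is None:
            # Unknown type: the former code went on to set attributes on the
            # empty-string placeholder and raised AttributeError; skip instead.
            continue
        # NOTE(review): the indicator value goes into the entity as-is; only
        # notes and labels pass through string_filter -- confirm that is
        # intended for feed-supplied values.
        entity = entity_cls(value)
        if indtype == 'domain':
            entity.fqdn = value
        comment = indicator.get('Comment')
        if comment:
            entity.notes = string_filter(comment)
        # Every non-empty detail field becomes a label ('Comment' included,
        # so it appears both as notes and as a label, as before).
        for detail in tr_details:
            if indicator.get(detail):
                entity += Label(name=detail, value=string_filter(indicator[detail]))
        # Link colour is decided per record; the former code kept the red
        # colour for every record after the first high-confidence one.
        # NOTE(review): assumes Confidence is numeric -- confirm against the feed.
        confidence = indicator.get('Confidence')
        if confidence is not None and confidence >= 70:
            entity.linkcolor = high_confidence_color
        else:
            entity.linkcolor = linkcolor
        response += entity
    return response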
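def dotransform(request, response, config):
    """Look up the request value in Threat Recon and add the matches to the response.

    ``search`` is called with ``cache=False`` so live Threat Recon data is
    returned. When the result is a ``defaultdict`` keyed by root node, the
    records under the empty root node are expanded into typed entities (with
    the record's comment as notes and its other fields as labels); every other
    root node is added as a ``ThreatRecon`` entity. Any other result shape is
    ignored.

    Args:
        request: transform request; ``request.value`` is the lookup key.
        response: transform response entities are added to.
        config: transform configuration (not used by this transform).

    Returns:
        ``response``.
    """
    # Record fields shown as labels on the entity.
    tr_details = [
        'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
        'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
        'Comment', 'RootNode', 'Confidence',
    ]
    # Entity class per Threat Recon indicator type (compared lower-cased and
    # stripped); records of any other type are skipped.
    entity_types = {
        'whois email': EmailAddress,
        'name server': NSRecord,
        'domain': Domain,
        'ip': IPv4Address,
        'phone or fax no.': PhoneNumber,
        'whois address component': Phrase,
        'email': EmailAddress,
        'netname': NetNameThreatRecon,
        'cidr': IPv4Address,
        'netrange': Netblock,
    }
    # Default link colour (black).
    linkcolor = "0x000000"

    # Disable the cache to get actual data from Threat Recon; the returned
    # cache handle is not needed here.
    _cache, found = search(request.value, cache=False)
    if not found or not isinstance(found, defaultdict):
        return response

    # .items() rather than .iteritems() so the transform also runs on Python 3.
    for rootnode, records in found.items():
        if rootnode:
            # Non-empty root nodes are displayed as ThreatRecon entities.
            response += ThreatRecon(rootnode)
            continue
        # The empty root node holds the attribute records themselves.
        for indicator in records:
            indtype = (indicator.get('Type') or '').lower().strip()
            value = indicator.get('Indicator')
            entity_cls = entity_types.get(indtype)
            if entity_cls is None or value is None:
                # Unknown type or missing value: nothing sensible to display
                # (the former code raised KeyError on a missing key).
                continue
            # NOTE(review): the indicator value goes into the entity as-is;
            # only notes and labels pass through string_filter -- confirm that
            # is intended for feed-supplied values.
            e = entity_cls(value)
            if indtype == 'domain':
                e.fqdn = value
            e.linkcolor = linkcolor
            comment = indicator.get('Comment')
            if comment:
                e.notes = string_filter(comment)
            # Every non-empty detail field becomes a label ('Comment' included,
            # so it appears both as notes and as a label, as before).
            for detail in tr_details:
                if indicator.get(detail):
                    e += Label(name=detail, value=string_filter(indicator[detail]))
            response += e
    return response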