def dotransform(request, response, config):

    try:
        results = search(request.value)
    except ThreatCentralError as err:
        results = None
        response += UIMessage(err.value, type='PartialError')

    else:
        try:
            for result in results:
                rtype = lower(result.get('type'))
                if result.get('tcScore'):
                    weight = int(result.get('tcScore'))
                else:
                    weight = 1
                # Title ID Description
                if rtype == 'actor':
                    # Check Title, if no title get resource > name
                    # Actor entity can have an empty title field
                    if result.get('title'):
                        e = Actor(encode_to_utf8(result.get('title')), weight=weight)
                    else:
                        e = Actor(encode_to_utf8(result.get('resource', dict()).get('name')), weight=weight)
                        e.name = encode_to_utf8(result.get('resource', dict()).get('name'))
                        e.actor = encode_to_utf8(result.get('resource', dict()).get('name'))
                elif rtype == 'case':
                    e = Case(encode_to_utf8(result.get('title')), weight=weight)
                elif rtype == 'coursesofactions':
                    e = CoursesOfAction(encode_to_utf8(result.get('title')), weight=weight)
                elif rtype == 'indicator':
                    e = Indicator(encode_to_utf8(result.get('title')), weight=weight)
                elif rtype == 'incident':
                    e = Incident(encode_to_utf8(result.get('title')), weight=weight)
                # elif rtype == 'tacticstechniquesandprocedures':
                elif rtype == 'ttp':
                    e = TTP(encode_to_utf8(result.get('title')), weight=weight)
                else:
                    # To be safe
                    e = Phrase(encode_to_utf8(result.get('title')), weight=weight)
                    debug(rtype)

                e.title = encode_to_utf8(result.get('title'))
                e.resourceId = result.get('id')

                if result.get('description'):
                    e += Label('Description', '<br/>'.join(encode_to_utf8(result.get('description',
                                                                                     '')).split('\n')))

                response += e

        except AttributeError as err:
            response += UIMessage('Error: {}'.format(err), type='PartialError')
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        except TypeError:
            return response

    return response
예제 #2
0
def dotransform(request, response, config):

    try:
        results = search(request.value, size=10, pages=1)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')

    else:
        try:
            for result in results:
                rtype = lower(result.get('type'))
                if result.get('tcScore'):
                    weight = int(result.get('tcScore'))
                else:
                    weight = 1
                # Title ID Description
                if rtype == 'actor':
                    # Check Title, if no title get resource > name
                    # Actor entity can have an empty title field
                    if result.get('title'):
                        e = Actor(encode_to_utf8(result.get('title')), weight=weight)
                    else:
                        e = Actor(encode_to_utf8(result.get('resource', dict()).get('name')), weight=weight)
                        e.name = encode_to_utf8(result.get('resource', dict()).get('name'))
                        e.actor = encode_to_utf8(result.get('resource', dict()).get('name'))
                elif rtype == 'case':
                    e = Case(encode_to_utf8(result.get('title')), weight=weight)
                elif rtype == 'coursesofactions':
                    e = CoursesOfAction(encode_to_utf8(result.get('title')), weight=weight)
                elif rtype == 'indicator':
                    e = Indicator(encode_to_utf8(result.get('title')), weight=weight)
                elif rtype == 'incident':
                    e = Incident(encode_to_utf8(result.get('title')), weight=weight)
                # elif rtype == 'tacticstechniquesandprocedures':
                elif rtype == 'ttp':
                    e = TTP(encode_to_utf8(result.get('title')), weight=weight)
                else:
                    # To be safe
                    e = Phrase(encode_to_utf8(result.get('title')), weight=weight)
                    debug(rtype)

                e.title = encode_to_utf8(result.get('title'))
                e.resourceId = result.get('id')

                if result.get('description'):
                    e += Label('Description', '<br/>'.join(encode_to_utf8(result.get('description',
                                                                                     '')).split('\n')))

                response += e

        except AttributeError as err:
            response += UIMessage('Error: {}'.format(err), type='PartialError')
        except ThreatCentralError as err:
            response += UIMessage(err.value, type='PartialError')
        except TypeError:
            return response

    return response
예제 #3
0
def dotransform(request, response, config):

    tr_details = ['Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen', 'Attribution',
                  'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags', 'Comment',
                  'RootNode', 'Confidence']

    #Disable cache to get actual data from Threat Recon
    cache, found = search(request.value, cache=False)

    #Default linkcolor
    linkcolor = "0x000000"

    if found:
        if defaultdict == type(found):
            for rootnode, value in found.iteritems():
                #If the RootNode is empty, display attributes
                if len(rootnode) == 0:
                    for indicator in value:
                        #debug(indicator)
                        e = ''
                        indtype = indicator['Type'].lower().strip()

                        if "whois email" == indtype:
                            e = EmailAddress(indicator['Indicator'])

                        if "name server" == indtype:
                            e = NSRecord(indicator['Indicator'])

                        if "domain" == indtype:
                            e = Domain(indicator['Indicator'])
                            e.fqdn = indicator['Indicator']

                        if "ip" == indtype:
                            e = IPv4Address(indicator['Indicator'])

                        if "phone or fax no." == indtype:
                            e = PhoneNumber(indicator['Indicator'])

                        if "whois address component" == indtype:
                            e = Phrase(indicator['Indicator'])

                        if "email" == indtype:
                            e = EmailAddress(indicator['Indicator'])

                        if "netname" == indtype:
                            e = NetNameThreatRecon(indicator['Indicator'])

                        if "cidr" == indtype:
                            e = IPv4Address(indicator['Indicator'])

                        if "netrange" == indtype:
                            e = Netblock(indicator['Indicator'])

                        if e:
                            #Set linkcolor
                            e.linkcolor = linkcolor

                            #Set comments
                            if indicator['Comment']:
                                e.notes = string_filter(indicator['Comment'])

                            #Set Details
                            for detail in tr_details:
                                if detail in indicator:
                                    if indicator[detail]:
                                        e += Label(name=detail, value=string_filter(indicator[detail]))

                            response += e
                else:
                    #Display the RootNodes
                    e = ThreatRecon(rootnode)
                    response += e
    return response
예제 #4
0
def dotransform(request, response, config):

    tr_details = [
        'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
        'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
        'Comment', 'RootNode', 'Confidence'
    ]

    #Default link color is black
    linkcolor = "0x000000"

    cache, found = search(request.value)

    if found:
        if list == type(found):
            for indicator in found:
                debug(indicator)
                e = ''
                indtype = indicator['Type'].lower().strip()

                if "whois email" == indtype:
                    e = EmailAddress(indicator['Indicator'])
                    #response += e

                if "name server" == indtype:
                    e = NSRecord(indicator['Indicator'])
                    #response += e

                if "domain" == indtype:
                    e = Domain(indicator['Indicator'])
                    e.fqdn = indicator['Indicator']
                    #response += e
                #IF Type is not domain, check if Rrname is not empty
                elif indicator['Rrname'] and indicator['Rrname'] != 'NA':
                    d = Domain(indicator['Rrname'])
                    d.fqdn = indicator['Rrname']
                    response += d

                if "ip" == indtype:
                    e = IPv4Address(indicator['Indicator'])
                    #response += e
                #IF Type is not IP, check if Rdata is not empty
                elif indicator['Rdata']:
                    i = IPv4Address(indicator['Rdata'])
                    response += i

                if "phone or fax no." == indtype:
                    e = PhoneNumber(indicator['Indicator'])
                    #response += e

                if "whois address component" == indtype:
                    e = Phrase(indicator['Indicator'])
                    #response += e

                if "email" == indtype:
                    e = EmailAddress(indicator['Indicator'])
                    #response += e

                if "netname" == indtype:
                    e = NetNameThreatRecon(indicator['Indicator'])
                    #response += e

                if "cidr" == indtype:
                    e = IPv4Address(indicator['Indicator'])
                    #response += e

                if "netrange" == indtype:
                    e = Netblock(indicator['Indicator'])
                    #response += e

                if indicator['Country']:
                    l = Location(indicator['Country'])
                    response += l

                #Add Comments and details to own Entity
                entity = e  #request.entity

                #Set comments
                if indicator['Comment']:
                    entity.notes = string_filter(indicator['Comment'])

                    #Set Details
                for detail in tr_details:
                    if detail in indicator:
                        if indicator[detail]:
                            entity += Label(name=detail,
                                            value=string_filter(
                                                indicator[detail]))

                #Set link color
                if "Confidence" in indicator:
                    if indicator['Confidence'] >= 70:
                        linkcolor = "0xff0000"

                entity.linkcolor = linkcolor

                response += entity

    return response
예제 #5
0
def dotransform(request, response, config):

    tr_details = [
        'Reference', 'Source', 'KillChain', 'Firstseen', 'Lastseen',
        'Attribution', 'ProcessType', 'Rrname', 'Rdata', 'Country', 'Tags',
        'Comment', 'RootNode', 'Confidence'
    ]

    #Disable cache to get actual data from Threat Recon
    cache, found = search(request.value, cache=False)

    #Default linkcolor
    linkcolor = "0x000000"

    if found:
        if defaultdict == type(found):
            for rootnode, value in found.iteritems():
                #If the RootNode is empty, display attributes
                if len(rootnode) == 0:
                    for indicator in value:
                        #debug(indicator)
                        e = ''
                        indtype = indicator['Type'].lower().strip()

                        if "whois email" == indtype:
                            e = EmailAddress(indicator['Indicator'])

                        if "name server" == indtype:
                            e = NSRecord(indicator['Indicator'])

                        if "domain" == indtype:
                            e = Domain(indicator['Indicator'])
                            e.fqdn = indicator['Indicator']

                        if "ip" == indtype:
                            e = IPv4Address(indicator['Indicator'])

                        if "phone or fax no." == indtype:
                            e = PhoneNumber(indicator['Indicator'])

                        if "whois address component" == indtype:
                            e = Phrase(indicator['Indicator'])

                        if "email" == indtype:
                            e = EmailAddress(indicator['Indicator'])

                        if "netname" == indtype:
                            e = NetNameThreatRecon(indicator['Indicator'])

                        if "cidr" == indtype:
                            e = IPv4Address(indicator['Indicator'])

                        if "netrange" == indtype:
                            e = Netblock(indicator['Indicator'])

                        if e:
                            #Set linkcolor
                            e.linkcolor = linkcolor

                            #Set comments
                            if indicator['Comment']:
                                e.notes = string_filter(indicator['Comment'])

                            #Set Details
                            for detail in tr_details:
                                if detail in indicator:
                                    if indicator[detail]:
                                        e += Label(name=detail,
                                                   value=string_filter(
                                                       indicator[detail]))

                            response += e
                else:
                    #Display the RootNodes
                    e = ThreatRecon(rootnode)
                    response += e
    return response