def is_ioc(rec, lowercase_ioc=True):
    """Check whether any normalized value in a record matches a known IOC.

    Args:
        rec (dict): The parsed payload of any log.
        lowercase_ioc (bool): Indicates whether the IOCs loaded from the IOC
            files are lowercase (True) or uppercase (False). String values
            pulled from the record are case-folded the same way before the
            lookup, so the comparison is case-insensitive regardless of how
            the log source cased the value. Non-string values are compared
            as-is.

    Returns:
        bool: True if at least one value matched an IOC (match details are
        written onto ``rec`` by ``insert_ioc_info``), otherwise False.
    """
    intel = StreamThreatIntel.get_intelligence()
    mapping = StreamThreatIntel.get_config()
    normalized_types = rec.get(NORMALIZATION_KEY)

    # Nothing to match against: either no datatype->IOC mapping is configured
    # or the record carries no normalized fields.
    if not mapping or not normalized_types:
        return False

    for datatype in normalized_types:
        if datatype not in mapping:
            continue
        ioc_type = mapping[datatype]

        for value in fetch_values_by_datatype(rec, datatype):
            if isinstance(value, str):
                value = value.lower() if lowercase_ioc else value.upper()
            known_iocs = intel.get(ioc_type)
            if known_iocs and value in known_iocs:
                insert_ioc_info(rec, ioc_type, value)

    # insert_ioc_info is what places IOC_KEY on the record, so its presence
    # is the signal that at least one indicator fired.
    return StreamThreatIntel.IOC_KEY in rec
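def is_ioc(rec):
    """Check whether any normalized value in a record matches a known IOC.

    Every match is appended to ``rec[StreamThreatIntel.IOC_KEY]`` as a
    ``{'type': <ioc type>, 'value': <matched value>}`` entry, so the stored
    value is always a list (possibly with several hits for one record).

    Args:
        rec (dict): The parsed payload of any log.

    Returns:
        bool: True if at least one value matched an IOC, otherwise False.
    """
    intel = StreamThreatIntel.get_intelligence()
    datatypes_ioc_mapping = StreamThreatIntel.get_config()

    # Nothing to match against: either no datatype->IOC mapping is configured
    # or the record carries no normalized fields.
    if not (datatypes_ioc_mapping and rec.get('normalized_types')):
        return False

    for datatype in rec['normalized_types']:
        if datatype not in datatypes_ioc_mapping:
            continue
        ioc_type = datatypes_ioc_mapping[datatype]

        for result in fetch_values_by_datatype(rec, datatype):
            known_iocs = intel.get(ioc_type)
            if not (known_iocs and result in known_iocs):
                continue
            # Always keep a list under IOC_KEY. The previous code stored the
            # first hit as a bare dict and then called .append() on it for the
            # next hit in the same record, which raised AttributeError and
            # dropped the second indicator.
            rec.setdefault(StreamThreatIntel.IOC_KEY, []).append({
                'type': ioc_type,
                'value': result,
            })

    return StreamThreatIntel.IOC_KEY in rec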
def test_get_intelligence(self):
    """Threat Intel - get intelligence dictionary"""
    config = {
        'threat_intel': {
            'enabled': True,
            'mapping': {
                'sourceAddress': 'ip',
                'destinationDomain': 'domain',
                'fileHash': 'md5',
            },
        },
    }

    # Populate the class-level intelligence store from the unit fixtures,
    # then read it back through the public accessor.
    StreamThreatIntel.load_intelligence(config, 'tests/unit/fixtures')
    loaded = StreamThreatIntel.get_intelligence()

    # One IOC set per mapped type (order-insensitive), and the test expects
    # exactly 10 indicators of each type from the fixtures.
    assert_items_equal(loaded.keys(), ['domain', 'md5', 'ip'])
    for ioc_type in ('domain', 'md5', 'ip'):
        assert_equal(len(loaded[ioc_type]), 10)
def teardown():
    """Reset the shared intelligence store after each test method.

    The dictionary returned by ``get_intelligence`` is the class-level store,
    so clearing it in place discards whatever the previous test loaded and
    keeps IOC sets from leaking between tests.
    """
    shared_intel = StreamThreatIntel.get_intelligence()
    shared_intel.clear()