class SignatureFilterObject(FilterObject):
""" """
def __init__(self, base_uri, tcl):
""" """
super(SignatureFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# define properties for resource type
self._properties = SignaturesProperties(base_uri=self.base_uri)
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('signatures', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
# special case for download
if method_name == 'add_id':
method = getattr(FilterMethods, 'add_id_signature')
setattr(self, method_name, types.MethodType(method, self))
else:
method = getattr(FilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
def __init__(self, base_uri, tcl):
""" """
super(BulkFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# define properties for resource type
# self._properties = BulkProperties(base_uri=self.base_uri)
self._properties = None
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('groups', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(
self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(
self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
method = getattr(IndicatorFilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
class VictimAssetFilterObject(FilterObject):
""" """
def __init__(self, base_uri, tcl, victim_asset_type_enum=None):
""" """
super(VictimAssetFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# get resource type from indicator type
if isinstance(victim_asset_type_enum, VictimAssetType):
# get resource type from indicator type number
resource_type = ResourceType(victim_asset_type_enum.value)
# get resource properties from resource type name
self._properties = ResourceProperties[resource_type.name].value(base_uri=self.base_uri)
else:
self._properties = ResourceProperties['VICTIM_ASSETS'].value(base_uri=self.base_uri)
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('victimAssets', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
method = getattr(FilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
class BulkFilterObject(FilterObject):
""" """
def __init__(self, base_uri, tcl):
""" """
super(BulkFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# define properties for resource type
# self._properties = BulkProperties(base_uri=self.base_uri)
self._properties = None
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('groups', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
method = getattr(IndicatorFilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
class BulkIndicatorFilterObject(FilterObject):
""" """
def __init__(self, base_uri, tcl):
""" """
super(BulkIndicatorFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# pd('IndicatorFilterObject', header=True)
# pd('indicator_type_enum', indicator_type_enum)
self._properties = BulkIndicatorsProperties(base_uri=self.base_uri)
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('indicators', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
# pd('method_name', method_name)
method = getattr(FilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
def add_id(self, data_int, asset_id=None):
""" """
resource_type = ResourceType(self._resource_type.value - 5)
properties = ResourceProperties[resource_type.name].value()
if asset_id is not None:
# resource_type = ResourceType(self._resource_type.value - 5)
# properties = ResourceProperties[resource_type.name].value()
uri_data = [data_int, asset_id]
else:
# properties = self._properties
uri_data = [data_int]
# validation of data input
if not isinstance(data_int, int):
self.add_error(ErrorCodes.e4020.value.format(data_int))
self._error = True
else:
filter_type = 'id'
if asset_id is not None:
filter_values = '{0}-{1}'.format(data_int, asset_id)
else:
filter_values = data_int
ro = RequestObject(filter_type, filter_values)
ro.set_owner_allowed(properties.id_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.id_path, uri_data)
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
class VictimFilterObject(FilterObject):
""" """
def __init__(self, base_uri, tcl):
""" """
super(VictimFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# define properties for resource type
self._properties = VictimsProperties(base_uri=self.base_uri)
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('victims', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
method = getattr(FilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
# special case for indicator associations
def filter_associations(self, base_resource_type, identifier):
"""Get victims associated with base resource object
GET /v2/groups/adversaries/747266/victims
GET /v2/indicators/addresses/4.3.2.1/victims
"""
base_properties = ResourceProperties[base_resource_type.name].value()
request_uri = base_properties.base_path + '/'
request_uri += str(identifier)
request_uri += '/victims'
description = 'Get victim associations for {0} resource ({1}).'.format(
base_resource_type.name.lower(), str(identifier))
filter_type = 'victim association'
ro = RequestObject(
filter_type, '{0}|{1}'.format(base_resource_type.name.lower(), identifier))
ro.set_description(description)
ro.set_owner_allowed(False)
ro.set_resource_pagination(True)
ro.set_request_uri(request_uri)
ro.set_resource_type(ResourceType.VICTIMS)
self._add_request_objects(ro)
def add_indicator(self, data, data_type_enum=None):
""" """
if data_type_enum is None:
# use indicator value to get the resource type
data_type_enum = _get_resource_type(data)
else:
# indicator type provided
if isinstance(data_type_enum, IndicatorType):
data_type_enum = ResourceType(data_type_enum.value)
error = False
# validation indicator
if not validate_indicator(data):
self.add_error(ErrorCodes.e5010.value.format(data))
self._error = True
error = True
# validation resource type
if not isinstance(data_type_enum, ResourceType):
self.add_error(ErrorCodes.e5011.value.format(data_type_enum))
self._error = True
error = True
if not error:
# get properties for indicator
# (e.g ADDRESSES is 515 and ADDRESS is 510.
indicator_resource_type = ResourceType(data_type_enum.value - 5)
indicator_properties = ResourceProperties[indicator_resource_type.name].value()
indicator_type = indicator_properties.resource_uri_attribute
# determine properties
indicator_resources = [
'INDICATORS', 'ADDRESSES', 'EMAIL_ADDRESSES', 'FILES', 'HOSTS', 'URLS']
if self._properties.resource_type.name in indicator_resources:
# if the resource type is one of the above use the properties of that indicator
properties = indicator_properties
else:
# otherwise use the properties of the resource
properties = self._properties
# url
if data_type_enum == ResourceType.URLS:
data = urllib.quote(data, safe='~')
filter_type = data_type_enum.name.lower()
ro = RequestObject(filter_type, data)
ro.set_owner_allowed(properties.indicator_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(
properties.indicator_path, [indicator_type, data])
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
def tc_indicators(owners, limit):
tc = get_client()
tc.set_api_result_limit(limit)
ro = RequestObject()
ro.set_http_method('GET')
ro.set_request_uri('/v2/indicators?resultLimit={}'.format(limit))
if owners is not None:
ro.set_owner(owners)
ro.set_owner_allowed(True)
response = tc.api_request(ro).json()
indicators = response['data']['indicator']
ec, indicators = create_context(indicators, include_dbot_score=True)
return ec, indicators, response
class BulkIndicators(Resource):
""" """
def __init__(self, tc_obj):
""" """
super(BulkIndicators, self).__init__(tc_obj)
self._filter_class = BulkIndicatorFilterObject
self._modified_since = None
# set properties
properties = BulkIndicatorsProperties(base_uri=self.base_uri)
self._resource_type = properties.resource_type
# create default request object for non-filtered requests
self._request_object = RequestObject('bulk_indicators', 'default')
self._request_object.set_http_method(properties.http_method)
self._request_object.set_owner_allowed(properties.base_owner_allowed)
self._request_object.set_request_uri(properties.base_path)
self._request_object.set_resource_pagination(properties.resource_pagination)
self._request_object.set_resource_type(properties.resource_type)
@property
def csv(self):
""" """
headers = [
'confidence', 'dateAdded', 'id', 'indicator', 'lastModified', 'ownerName', 'rating', 'type', 'webLink']
csv_output = io.BytesIO()
csv_data = csv.writer(csv_output, delimiter=',', quotechar='"', quoting=csv.QUOTE_NONNUMERIC)
csv_data.writerow(headers)
for obj in self._objects:
csv_row = [
obj.get_confidence(),
obj.get_date_added(),
obj.get_id(),
obj.get_indicator(),
obj.get_last_modified(),
obj.get_owner_name(),
obj.get_rating(),
obj.get_type(),
obj.get_web_link(),
]
csv_data.writerow(csv_row)
for row in csv_output.getvalue().split('\r\n'):
yield row
def add_tag(self, data):
""" """
properties = self._properties
if not isinstance(data, str):
self.add_error(ErrorCodes.e4080.value.format(data))
self._error = True
else:
filter_type = 'tag'
ro = RequestObject(filter_type, data)
ro.set_owner_allowed(properties.tag_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.tag_path, [data])
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
class Victims(Resource):
""" """
def __init__(self, tc_obj):
""" """
super(Victims, self).__init__(tc_obj)
self._filter_class = VictimFilterObject
# set properties
properties = VictimsProperties(base_uri=self.base_uri)
self._resource_type = properties.resource_type
# create default request object for non-filtered requests
self._request_object = RequestObject('victims', 'default')
self._request_object.set_http_method(properties.http_method)
self._request_object.set_owner_allowed(properties.base_owner_allowed)
self._request_object.set_request_uri(properties.base_path)
self._request_object.set_resource_pagination(properties.resource_pagination)
self._request_object.set_resource_type(properties.resource_type)
def add_victim_id(self, data_int):
""" """
properties = self._properties
# validation of data input
if not isinstance(data_int, int):
self.add_error(ErrorCodes.e4060.value.format(data_int))
self._error = True
else:
filter_type = 'victim_id'
ro = RequestObject(filter_type, data_int)
ro.set_owner_allowed(properties.victim_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.victim_path, [data_int])
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
def add_name(self, data):
""" """
resource_type = ResourceType(self._resource_type.value - 5)
properties = ResourceProperties[resource_type.name].value()
# validation of data input
if not isinstance(data, str):
self.add_error(ErrorCodes.e4080.value.format(data))
self._error = True
else:
filter_type = 'name'
ro = RequestObject(filter_type, data)
ro.set_owner_allowed(properties.name_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.name_path, [data])
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
def set_format(self, data):
""" """
properties = self._properties
# if invalid format specified return json
if data in ['json', 'csv']:
d_format = data
else:
d_format = 'json'
ro = RequestObject('bulk download', d_format)
ro.set_owner_allowed(properties.base_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.base_path, [d_format])
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
def __init__(self, tc_obj):
""" """
super(Bulk, self).__init__(tc_obj)
self._filter_class = BulkFilterObject
# set properties
# properties = BulkProperties(base_uri=self.base_uri)
# self._resource_type = properties.resource_type
# create default request object for non-filtered requests
self._request_object = RequestObject('bulk', 'default')
def get_groups_request(group_type):
tc = get_client()
ro = RequestObject()
ro.set_http_method('GET')
ro.set_request_uri('/v2/groups/{}'.format(group_type))
return tc.api_request(ro).json()
def tc_get_tags():
tc = get_client()
ro = RequestObject()
ro.set_http_method('GET')
ro.set_request_uri('/v2/tags')
return tc.api_request(ro).json()
def tc_get_indicator_types_request():
tc = get_client()
ro = RequestObject()
ro.set_http_method('GET')
ro.set_request_uri('/v2/types/indicatorTypes')
return tc.api_request(ro).json()
def get_events_request():
tc = get_client()
ro = RequestObject()
ro.set_http_method('GET')
ro.set_request_uri('/v2/groups/events')
return tc.api_request(ro).json()
def tc_owners():
tc = get_client()
ro = RequestObject()
ro.set_http_method('GET')
ro.set_request_uri('/v2/owners')
results = tc.api_request(ro)
return results.json()
def tc_delete_group(group_id, group_type):
tc = get_client()
ro = RequestObject()
ro.set_http_method('DELETE')
ro.set_request_uri('/v2/groups/{}/{}'.format(group_type, group_id))
response = tc.api_request(ro).json()
return response['status'] == 'Success'
def tc_add_group_attribute_request(group_type, group_id, attribute_type,
attribute_value):
tc = get_client()
ro = RequestObject()
ro.set_http_method('POST')
ro.set_request_uri('/v2/groups/{}/{}/attributes'.format(
group_type, group_id))
body = {
'type': attribute_type,
'value': attribute_value,
'displayed': 'true'
}
ro.set_body(json.dumps(body))
response = tc.api_request(ro).json()
return response
class Owners(Resource):
""" """
def __init__(self, tc_obj):
""" """
super(Owners, self).__init__(tc_obj)
self._filter_class = OwnerFilterObject
# set properties
properties = OwnersProperties(base_uri=self.base_uri)
self._resource_type = properties.resource_type
# create default request object for non-filtered requests
self._request_object = RequestObject('owners', 'default')
self._request_object.set_http_method(properties.http_method)
self._request_object.set_owner_allowed(properties.base_owner_allowed)
self._request_object.set_request_uri(properties.base_path)
self._request_object.set_resource_pagination(properties.resource_pagination)
self._request_object.set_resource_type(properties.resource_type)
def get_owner_by_id(self, data):
for obj in self._objects:
if obj.get_id() == data:
return obj
return None
def get_owner_by_name(self, data):
for obj in self._objects:
if obj.get_name() == data:
return obj
return None
def get_owner_names(self):
owner_names = []
for obj in self._objects:
owner_names.append(obj.get_name())
return owner_names
def add_group_tags_request(group_type, group_id, tag_name):
tc = get_client()
ro = RequestObject()
ro.set_http_method('POST')
ro.set_request_uri('/v2/groups/{}/{}/tags/{}'.format(
group_type, group_id, tag_name))
response = tc.api_request(ro).json()
return response.get('status') == 'Success'
def add_group_security_label_request(group_type, group_id, security_label):
tc = get_client()
ro = RequestObject()
ro.set_http_method('POST')
ro.set_request_uri('/v2/groups/{}/{}/securityLabels/{}'.format(
group_type, group_id, security_label))
response = tc.api_request(ro).json()
return response.get('status') == 'Success'
def associate_indicator_request(indicator_type, indicator, group_type,
group_id):
tc = get_client()
ro = RequestObject()
ro.set_http_method('POST')
ro.set_request_uri('/v2/indicators/{}/{}/groups/{}/{}'.format(
indicator_type, indicator, group_type, group_id))
response = tc.api_request(ro).json()
return response
def __init__(self, base_uri, tcl, indicator_type_enum=None):
""" """
super(IndicatorFilterObject, self).__init__(base_uri, tcl)
self._owners = []
# pd('IndicatorFilterObject', header=True)
# pd('indicator_type_enum', indicator_type_enum)
# get resource type from indicator type
if isinstance(indicator_type_enum, IndicatorType):
# get resource type from indicator type number
resource_type = ResourceType(indicator_type_enum.value)
# get resource properties from resource type name
self._properties = ResourceProperties[resource_type.name].value(base_uri=self.base_uri)
else:
self._properties = ResourceProperties['INDICATORS'].value(base_uri=self.base_uri)
self._resource_type = self._properties.resource_type
# create default request object for filtered request with only owners
self._request_object = RequestObject('adversaries', 'default')
self._request_object.set_http_method(self._properties.http_method)
self._request_object.set_owner_allowed(self._properties.base_owner_allowed)
self._request_object.set_request_uri(self._properties.base_path)
self._request_object.set_resource_pagination(self._properties.resource_pagination)
self._request_object.set_resource_type(self._properties.resource_type)
# add_obj properties for filter objects with no request object
# happens when a indicator type is specified, but no other
# filters are provided
# self._owner_allowed = self._properties.base_owner_allowed
# self._request_uri = self._properties.base_path
# self._resource_pagination = self._properties.resource_pagination
# self._resource_type = self._properties.resource_type
# pd('owner_allowed', self._owner_allowed)
# pd('resource_pagination', self._resource_pagination)
# pd('resource_type', self._resource_type)
#
# add_obj filter methods
#
for method_name in self._properties.filters:
# pd('method_name', method_name)
method = getattr(FilterMethods, method_name)
setattr(self, method_name, types.MethodType(method, self))
def tc_get_indicators_by_tag(tag, owner):
tc = get_client()
ro = RequestObject()
ro.set_http_method('GET')
cmd = '/v2/tags/{}/indicators'.format(tag)
if owner is not None:
cmd += '?owner={}'.format(owner)
ro.set_request_uri(cmd)
return tc.api_request(ro).json()
def add_adversary_id(self, data_int, asset_id=None):
""" """
if asset_id is not None:
resource_type = ResourceType(self._resource_type.value - 5)
properties = ResourceProperties[resource_type.name].value()
uri_data = [data_int, asset_id]
else:
properties = self._properties
uri_data = [data_int]
# validation of data input
if not isinstance(data_int, int):
self.add_error(ErrorCodes.e4000.value.format(data_int))
self._error = True
else:
filter_type = 'adversary_id'
ro = RequestObject(filter_type, data_int)
ro.set_owner_allowed(properties.adversary_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.adversary_path, uri_data)
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
def __init__(self, tc_obj):
""" """
super(Attributes, self).__init__(tc_obj)
self._filter_class = AttributeFilterObject
# self._object_class = AttributeObject
# set properties for non filtered request
properties = AttributesProperties(base_uri=self.base_uri)
self._resource_type = properties.resource_type
# create default request object for non-filtered requests
self._request_object = RequestObject('attribute', 'default')
self._request_object.set_http_method(properties.http_method)
self._request_object.set_owner_allowed(properties.base_owner_allowed)
self._request_object.set_request_uri(properties.base_path)
self._request_object.set_resource_pagination(properties.resource_pagination)
self._request_object.set_resource_type(properties.resource_type)
def __init__(self, tc_obj):
""" """
super(BulkIndicators, self).__init__(tc_obj)
self._filter_class = BulkIndicatorFilterObject
self._modified_since = None
# set properties
properties = BulkIndicatorsProperties(base_uri=self.base_uri)
self._resource_type = properties.resource_type
# create default request object for non-filtered requests
self._request_object = RequestObject('bulk_indicators', 'default')
self._request_object.set_http_method(properties.http_method)
self._request_object.set_owner_allowed(properties.base_owner_allowed)
self._request_object.set_request_uri(properties.base_path)
self._request_object.set_resource_pagination(properties.resource_pagination)
self._request_object.set_resource_type(properties.resource_type)
def default_request_object(self):
""" default request when only a owner filter is provided """
request_object = RequestObject()
request_object.set_description('filter by owner')
request_object.set_http_method(self._resource_properties['base']['http_method'])
request_object.set_owner_allowed(self._resource_properties['base']['owner_allowed'])
request_object.set_request_uri(self._resource_properties['base']['uri'])
request_object.set_resource_pagination(self._resource_properties['base']['pagination'])
request_object.set_resource_type(self._resource_type)
return request_object
def default_request_object(self):
""" default request when no filters are provided """
resource_properties = ApiProperties.api_properties[self._resource_type.name]['properties']
# create default request object for non-filtered requests
request_object = RequestObject()
request_object.set_http_method(resource_properties['base']['http_method'])
request_object.set_owner_allowed(resource_properties['base']['owner_allowed'])
request_object.set_request_uri(resource_properties['base']['uri'])
request_object.set_resource_pagination(resource_properties['base']['pagination'])
request_object.set_resource_type(self._resource_type)
return request_object
def main():
""" """
# set threat connect log (tcl) level
tc.set_tcl_file('log/tc.log', 'debug')
tc.set_tcl_console_level('critical')
if enable_example1:
""" get community/source status using basic retrieve """
# build INDICATORS request object
#
ro = RequestObject()
ro.set_http_method('GET')
ro.set_owner(owners)
ro.set_owner_allowed(True)
ro.set_resource_pagination(True)
ro.set_request_uri('/v2/indicators/bulk')
#
# retrieve and display the results
#
try:
results = tc.api_request(ro)
except RuntimeError as e:
print(e)
sys.exit(1)
if results.headers['content-type'] == 'application/json':
data = results.json()
print(json.dumps(data, indent=4))
if enable_example2:
""" get bulk indicators """
# optionally set max results
tc.set_api_result_limit(500)
# indicator object
indicators = tc.bulk_indicators()
# filter results
try:
filter1 = indicators.add_filter()
filter1.add_owner(owners)
# filter1.add_pf_confidence(90, FilterOperator.GE)
# filter1.add_pf_date_added('2014-04-10T00:00:00Z', FilterOperator.GE)
# filter1.add_pf_rating('4.0', FilterOperator.GE)
# filter1.add_pf_type('Host')
# filter1.add_pf_type('Address')
# filter1.add_pf_last_modified('2015-01-21T00:31:44Z', FilterOperator.GE)
# filter1.add_pf_threat_assess_confidence('50', FilterOperator.GE)
# filter1.add_pf_threat_assess_rating('4.0', FilterOperator.GE)
# filter1.add_pf_tag('EXAMPLE', FilterOperator.EQ)
# filter1.add_pf_attribute('Description', FilterOperator.EQ)
except AttributeError as e:
print('Error: {0!s}'.format(e))
sys.exit(1)
# retrieve indicators
try:
indicators.retrieve()
except RuntimeError as e:
print('Error: {0!s}'.format(e))
sys.exit(1)
# show indicator data
show_data(indicators)
if enable_example3:
""" get bulk indicators """
# optionally set max results
tc.set_api_result_limit(500)
# indicator object
indicators = tc.bulk_indicators()
# filter results
try:
filter1 = indicators.add_filter()
filter1.add_owner(owners)
# filter1.add_pf_confidence(50, FilterOperator.GE)
# filter1.add_pf_rating('2.5', FilterOperator.GE)
filter1.add_pf_tag('CnC', FilterOperator.EQ)
except AttributeError as e:
print('Error: {0!s}'.format(e))
sys.exit(1)
# retrieve indicators
try:
indicators.retrieve()
except RuntimeError as e:
print('Error: {0!s}'.format(e))
sys.exit(1)
# show indicator data
show_data(indicators)
if enable_example4:
""" get bulk indicator in csv format """
# build INDICATORS request object
#
ro = RequestObject()
ro.set_http_method('GET')
ro.set_owner(owners)
ro.set_owner_allowed(True)
ro.set_resource_pagination(True)
ro.set_request_uri('/v2/indicators/bulk/csv')
#
# retrieve and display the results
#
results = tc.api_request(ro)
if results.headers['content-type'] == 'text/csv':
data = results.content
print(data)
def default_request_object(self):
""" default request when no filters are provided """
resource_properties = ApiProperties.api_properties[self._resource_type.name]['properties']
# create default request object for non-filtered requests
request_object = RequestObject()
request_object.set_http_method(resource_properties['base']['http_method'])
request_object.set_owner_allowed(resource_properties['base']['owner_allowed'])
request_object.set_request_uri(resource_properties['base']['uri'])
request_object.set_resource_pagination(resource_properties['base']['pagination'])
request_object.set_resource_type(self._resource_type)
# modified since is only support on base (/v2/indicator) api call
if self._modified_since is not None:
request_object.set_modified_since(self._modified_since)
request_object.set_description('Owner Filter modified since {0}'.format(self._modified_since))
return request_object
def filter_associations(self, base_resource_type, identifier):
"""Get victims associated with base resource object
GET /v2/groups/adversaries/747266/victims
GET /v2/indicators/addresses/4.3.2.1/victims
"""
base_properties = ResourceProperties[base_resource_type.name].value()
request_uri = base_properties.base_path + '/'
request_uri += str(identifier)
request_uri += '/victims'
description = 'Get victim associations for {0} resource ({1}).'.format(
base_resource_type.name.lower(), str(identifier))
filter_type = 'victim association'
ro = RequestObject(
filter_type, '{0}|{1}'.format(base_resource_type.name.lower(), identifier))
ro.set_description(description)
ro.set_owner_allowed(False)
ro.set_resource_pagination(True)
ro.set_request_uri(request_uri)
ro.set_resource_type(ResourceType.VICTIMS)
self._add_request_objects(ro)
def associate_victim(self, resource_id):
""" associate victim from group """
prop = self._resource_properties['association_victim_add']
ro = RequestObject()
ro.set_description('associate victim id {0} from "{1}"'.format(
resource_id, self._name))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'].format(
self._id, resource_id))
ro.set_resource_pagination(prop['pagination'])
ro.set_resource_type(self._resource_type)
self._resource_container.add_commit_queue(self.id, ro)
def add_indicator(self, data):
""" """
# validation indicator
if not SharedMethods.validate_indicator(data):
raise AttributeError(ErrorCodes.e5010.value.format(data))
# get indicator uri attribute
indicator_type = SharedMethods.get_resource_type(data)
indicator_uri_attribute = ApiProperties.api_properties[indicator_type.name]['uri_attribute']
prop = self._resource_properties['indicators']
ro = RequestObject()
ro.set_description('api filter by indicator id {0}'.format(data))
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'], [indicator_uri_attribute, SharedMethods.urlsafe(data)])
ro.set_resource_pagination(prop['pagination'])
ro.set_resource_type(self._resource_type)
self._add_request_objects(ro)
print('Could not retrieve configuration file.')
sys.exit(1)
tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)
tc.set_api_result_limit(api_result_limit)
tc.report_enable()
""" Toggle the Boolean to enable specific examples """
enable_example1 = False
enable_example2 = False
if enable_example1:
#
# build DOCUMENT request object
#
ro = RequestObject()
ro.set_http_method('POST')
body = {'name': 'Raw Upload Example', 'fileName': 'raw_example.txt'}
ro.set_body(json.dumps(body))
ro.set_content_type('application/json')
ro.set_owner('Example Community')
ro.set_owner_allowed(True)
ro.set_resource_pagination(False)
ro.set_request_uri('/v2/groups/documents')
# display request object parameters
print(ro)
#
# retrieve and display the results
#
def download_request(self):
""" """
# build request object
request_object = RequestObject(self._drd['name1'], self._drd['name2_method']())
request_object.set_content_type(self._drd['content_type'])
request_object.set_description(
self._drd['description'].format(self._drd['identifier_method']()))
request_object.set_http_method(self._drd['http_method'])
request_object.set_request_uri(
self._drd['request_uri_path'].format(self._drd['identifier_method']()))
request_object.set_owner_allowed(self._drd['owner_allowed'])
request_object.set_resource_pagination(self._drd['resource_pagination'])
request_object.set_resource_type(self._drd['resource_type'])
return request_object
def add_tag(self, data):
""" filter api results by tag """
# validation of data input
if not isinstance(data, str):
raise AttributeError(ErrorCodes.e4070.value.format(data))
prop = self._resource_properties['tags']
ro = RequestObject()
ro.set_description('api filter by tag "{0}"'.format(data))
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_resource_pagination(prop['pagination'])
ro.set_request_uri(prop['uri'], [SharedMethods.urlsafe(data)])
ro.set_resource_type(self._resource_type)
self._add_request_objects(ro)
def log_to_api(self):
if len(self.entries) > 0:
# make api call
ro = RequestObject()
ro.set_http_method('POST')
ro.set_owner_allowed(True)
ro.set_resource_pagination(False)
ro.set_request_uri('/v2/logs/app')
ro.set_body(dumps(self.entries))
# retrieve and display the results; don't log during api request so we don't end up with duplicate info
try:
self.tc.api_request(ro, log=False)
except RuntimeError as re:
# can't really do anything if it fails
error_data = {
'levelname':
'ERROR',
'created':
time.time(),
'msg':
'API LOGGING FAILURE -- Unable to send log entries to api: {}'
.format(self.entries)
}
lr = makeLogRecord(error_data)
self.entries = []
self.emit(lr)
self.entries = []
def associate_indicator(self, indicator_type, indicator):
""" associate a group to group by id """
prop = self._resource_properties['association_indicator_add']
ro = RequestObject()
ro.set_description('associate indicator {0} to "{1}"'.format(
indicator, self._name))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_resource_pagination(prop['pagination'])
indicator_uri_attribute = ApiProperties.api_properties[indicator_type.name]['uri_attribute']
ro.set_request_uri(prop['uri'].format(indicator_uri_attribute, self._urlsafe(indicator), self.id))
ro.set_resource_type(self._resource_type)
self._resource_container.add_commit_queue(self.id, ro)
def default_request_object(self):
""" default request when only a owner filter is provided """
request_object = RequestObject()
request_object.set_description('filter by owner')
request_object.set_http_method(self._resource_properties['base']['http_method'])
request_object.set_owner_allowed(self._resource_properties['base']['owner_allowed'])
request_object.set_request_uri(self._resource_properties['base']['uri'])
request_object.set_resource_pagination(self._resource_properties['base']['pagination'])
request_object.set_resource_type(self._resource_type)
# modified since is only support on base (/v2/indicator) api call
if self._modified_since is not None:
request_object.set_modified_since(self._modified_since)
request_object.set_description('Indicator Owner Filter modified since {0}'.format(self._modified_since))
return request_object
def default_request_object(self):
""" default request when no filters are provided """
resource_properties = ApiProperties.api_properties[
self._resource_type.name]['properties']
# create default request object for non-filtered requests
request_object = RequestObject()
request_object.set_http_method(
resource_properties['base']['http_method'])
request_object.set_owner_allowed(
resource_properties['base']['owner_allowed'])
request_object.set_request_uri(resource_properties['base']['uri'])
request_object.set_resource_pagination(
resource_properties['base']['pagination'])
request_object.set_resource_type(self._resource_type)
return request_object
def add_indicator(self, data, indicator_type=None):
""" filter api results by indicator """
# validation indicator
if not SharedMethods.validate_indicator(self.tc._indicators_regex, data):
raise AttributeError(ErrorCodes.e5010.value.format(data))
# get indicator uri attribute
if indicator_type is None:
indicator_type = SharedMethods.get_resource_type(
self.tc._indicators_regex, data)
indicator_uri_attribute = ApiProperties.api_properties[
indicator_type.name]['uri_attribute']
prop = self._resource_properties['indicator']
ro = RequestObject()
ro.set_description('api filter by indicator id {0}'.format(data))
ro.set_owner_allowed(prop['owner_allowed'])
# TODO: Check this logic
if self._resource_type == ResourceType.INDICATORS:
ro.set_request_uri(
prop['uri'],
[indicator_uri_attribute,
SharedMethods.urlsafe(data)])
else:
ro.set_request_uri(prop['uri'], [SharedMethods.urlsafe(data)])
ro.set_resource_pagination(prop['pagination'])
ro.set_resource_type(indicator_type)
self._add_request_objects(ro)
def default_request_object(self):
""" default request when only a owner filter is provided """
request_object = RequestObject()
request_object.set_description('filter by owner')
request_object.set_http_method(
self._resource_properties['base']['http_method'])
request_object.set_owner_allowed(
self._resource_properties['base']['owner_allowed'])
request_object.set_request_uri(
self._resource_properties['base']['uri'])
request_object.set_resource_pagination(
self._resource_properties['base']['pagination'])
request_object.set_resource_type(self._resource_type)
return request_object
def commit(self):
# phase 0 (no action) -> don't validate and don't POST group, only POST items in commit queue.
# phase 1 (add) -> validate before POST group, only POST items in commit queue if group POST succeeded.
# phase 2 (update) -> don't validate before PUT group, POST/PUT items in commit queue.
""" commit group and related associations, attributes, security labels and tags """
r_id = self.id
ro = RequestObject()
ro.set_body(self.gen_body)
if self.owner_name is not None:
ro.set_owner(self.owner_name)
ro.set_resource_type(self.resource_type)
if self.phase == 1:
prop = self._resource_properties['add']
ro.set_description('adding group "{0}".'.format(self._name))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'].format(self._id))
ro.set_resource_pagination(prop['pagination'])
if self.validate:
api_response = self._tc.api_request(ro)
if api_response.headers['content-type'] == 'application/json':
api_response_dict = api_response.json()
if api_response_dict['status'] == 'Success':
resource_key = ApiProperties.api_properties[self.resource_type.name]['resource_key']
r_id = api_response_dict['data'][resource_key]['id']
else:
self._tc.tcl.debug('Resource Object'.format(self))
raise AttributeError(ErrorCodes.e10040.value)
elif self.phase == 2:
prop = self._resource_properties['update']
ro.set_description('update group "{0}".'.format(self._name))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'].format(self._id))
ro.set_resource_pagination(prop['pagination'])
api_response = self._tc.api_request(ro)
if api_response.headers['content-type'] == 'application/json':
api_response_dict = api_response.json()
if api_response_dict['status'] != 'Success':
self._tc.tcl.error('API Request Failure: [{0}]'.format(ro.description))
# validate all required fields are present
if r_id is not None:
#
# commit all associations, attributes, tags, etc
#
for ro in self._resource_container.commit_queue(self.id):
if self.owner_name is not None:
ro.set_owner(self.owner_name)
# replace the id
if self.phase == 1 and self.id != r_id:
request_uri = str(ro.request_uri.replace(str(self.id), str(r_id)))
ro.set_request_uri(request_uri)
self._tc.tcl.debug('Replacing {0} with {1}'.format(self.id, str(r_id)))
api_response2 = self._tc.api_request(ro)
if 'content-type' in api_response2.headers:
if api_response2.headers['content-type'] == 'application/json':
api_response_dict2 = api_response2.json()
if api_response_dict2['status'] != 'Success':
self._tc.tcl.error('API Request Failure: [{0}]'.format(ro.description))
else:
if ro.success_callback is not None:
ro.success_callback(ro, api_response2)
elif api_response2.headers['content-type'] == 'application/octet-stream':
if api_response2.status_code in [200, 201, 202]:
self.set_contents(ro.body)
if ro.success_callback is not None:
ro.success_callback(ro, api_response2)
else:
# upload PUT response
if api_response2.status_code in [200, 201, 202]:
self.set_contents(ro.body)
if ro.success_callback is not None:
ro.success_callback(ro, api_response2)
# clear the commit queue
self._resource_container.clear_commit_queue_id(self.id)
self.set_id(r_id)
# clear phase
self.set_phase(0)
if self._reload_attributes:
self.load_attributes(automatically_reload=True)
# return object
return self
def add_incident_id(self, data_int):
""" filter api results by incident id """
# validation of data input
if not isinstance(data_int, int):
raise AttributeError(ErrorCodes.e4040.value.format(data_int))
prop = self._resource_properties['groups']
ro = RequestObject()
ro.set_description('api filter by incident id {0}'.format(data_int))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'], ['incidents', data_int])
ro.set_resource_pagination(prop['pagination'])
ro.set_resource_type(self._resource_type)
self._add_request_objects(ro)
def load_security_labels(self):
""" retrieve attributes for this indicator """
prop = self._resource_properties['load_security_labels']
ro = RequestObject()
ro.set_description(
'load security labels for attribute {0} of object {1}'.format(
self.id, self._container.id))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
resource_uri = self._container._resource_properties['id']['uri']
try:
resource_uri = resource_uri.format(self._container.indicator)
except AttributeError:
resource_uri = resource_uri.format(self._container.id)
ro.set_request_uri(prop['uri'].format(resource_uri, self.id))
ro.set_resource_pagination(prop['pagination'])
api_response = self._container._tc.api_request(ro)
if api_response.headers['content-type'] == 'application/json':
api_response_dict = api_response.json()
if api_response_dict['status'] == 'Success':
self._security_labels = []
data = api_response_dict['data']['securityLabel']
for item in data:
self.__add_security_label(parse_security_label(
item)) # add to main resource object
def add_id_signature(self, data_int, download=False):
""" """
resource_type = ResourceType(self._resource_type.value - 5)
properties = ResourceProperties[resource_type.name].value()
uri_data = [data_int]
# validation of data input
if not isinstance(data_int, int):
self.add_error(ErrorCodes.e4020.value.format(data_int))
self._error = True
else:
filter_type = 'id'
ro = RequestObject(filter_type, data_int)
ro.set_owner_allowed(properties.id_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
ro.set_request_uri(properties.id_path, uri_data)
ro.set_resource_type(properties.resource_type)
# add_obj download
if download:
ro.set_download(True)
self._add_request_objects(ro)
def add_security_label(self, security_label_name):
""" retrieve attributes for this indicator """
prop = self._resource_properties['add_security_label']
ro = RequestObject()
ro.set_description(
'deleting security label {0} for attribute {1} of object {2}'.
format(security_label_name, self.id, self._container.id))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
resource_uri = self._container._resource_properties['id']['uri']
try:
resource_uri = resource_uri.format(self._container.indicator)
except AttributeError:
resource_uri = resource_uri.format(self._container.id)
ro.set_request_uri(prop['uri'].format(resource_uri, self.id,
security_label_name))
ro.set_resource_pagination(prop['pagination'])
callback = lambda status: self.__failed_add_security_label(
security_label_name)
ro.set_failure_callback(callback)
self._container._resource_container.add_commit_queue(
self._container.id, ro)
security_label = SecurityLabelObject()
security_label.set_name(security_label_name)
self.__add_security_label(security_label)
def add_tag(self, data):
""" filter api results by tag """
# validation of data input
if not isinstance(data, str):
raise AttributeError(ErrorCodes.e4070.value.format(data))
prop = self._resource_properties['tags']
ro = RequestObject()
ro.set_description('api filter by tag "{0}"'.format(data))
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_resource_pagination(prop['pagination'])
ro.set_request_uri(prop['uri'], [SharedMethods.urlsafe(data)])
ro.set_resource_type(self._resource_type)
self._add_request_objects(ro)
def add_hash(self, data, data_int=None):
""" """
if data_int is not None:
resource_type = ResourceType(self._resource_type.value - 5)
properties = ResourceProperties[resource_type.name].value()
else:
properties = self._properties
# validation of data input
if not isinstance(data, str):
self.add_error(ErrorCodes.e4020.value.format(data))
self._error = True
else:
filter_type = 'hash'
ro = RequestObject(filter_type, data)
ro.set_owner_allowed(properties.hash_owner_allowed)
ro.set_resource_pagination(properties.resource_pagination)
if data_int is not None:
ro.set_request_uri(properties.hash_path, [data, data_int])
else:
ro.set_request_uri(properties.hash_path, [data])
ro.set_resource_type(properties.resource_type)
self._add_request_objects(ro)
def add_incident_id(self, data_int):
""" filter api results by incident id """
# validation of data input
if not isinstance(data_int, int):
raise AttributeError(ErrorCodes.e4040.value.format(data_int))
prop = self._resource_properties['groups']
ro = RequestObject()
ro.set_description('api filter by incident id {0}'.format(data_int))
ro.set_http_method(prop['http_method'])
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'], ['incidents', data_int])
ro.set_resource_pagination(prop['pagination'])
ro.set_resource_type(self._resource_type)
self._add_request_objects(ro)
def add_indicator(self, data):
""" """
# validation indicator
if not SharedMethods.validate_indicator(self.tc._indicators_regex, data):
raise AttributeError(ErrorCodes.e5010.value.format(data))
# get indicator uri attribute
indicator_type = SharedMethods.get_resource_type(self.tc._indicators_regex, data)
indicator_uri_attribute = ApiProperties.api_properties[indicator_type.name]['uri_attribute']
prop = self._resource_properties['indicators']
ro = RequestObject()
ro.set_description('api filter by indicator id {0}'.format(data))
ro.set_owner_allowed(prop['owner_allowed'])
ro.set_request_uri(prop['uri'], [indicator_uri_attribute, SharedMethods.urlsafe(data)])
ro.set_resource_pagination(prop['pagination'])
ro.set_resource_type(self._resource_type)
self._add_request_objects(ro)
