# retrieve configuration file
config = ConfigParser.RawConfigParser()
config.read(config_file)
try:
api_access_id = config.get('threatconnect', 'api_access_id')
api_secret_key = config.get('threatconnect', 'api_secret_key')
api_default_org = config.get('threatconnect', 'api_default_org')
api_base_url = config.get('threatconnect', 'api_base_url')
api_result_limit = int(config.get('threatconnect', 'api_result_limit'))
except ConfigParser.NoOptionError:
print('Could not retrieve configuration file.')
sys.exit(1)
tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url)
tc.set_api_result_limit(api_result_limit)
tc.report_enable()
#
# CHANGE FOR YOUR TESTING ENVIRONMENT
# - These victims must be created before running this script
#
owner = 'Example Community' # org or community
lu_id = 1 # adversary id for loop update
mu_id = 4 # adversary id for manual update
# dl_id = 999999 # adversary id to delete
email_id = 17 # email resource id to associate with adversary
email_address = '*****@*****.**' # email address to associate to adversary
rn = randint(1, 1000) # random number generator for testing
config = ConfigParser.RawConfigParser()
config.read(config_file)
try:
api_access_id = config.get('threatconnect', 'api_access_id')
api_secret_key = config.get('threatconnect', 'api_secret_key')
api_default_org = config.get('threatconnect', 'api_default_org')
api_base_url = config.get('threatconnect', 'api_base_url')
api_result_limit = int(config.get('threatconnect', 'api_result_limit'))
except ConfigParser.NoOptionError:
print('Could not retrieve configuration file.')
sys.exit(1)
tc = ThreatConnect(api_access_id, api_secret_key, api_default_org,
api_base_url)
tc.set_api_result_limit(api_result_limit)
tc.report_enable()
#
# CHANGE FOR YOUR TESTING ENVIRONMENT
# - These adversaries must be created before running this script
#
lu_id = 22 # task id for loop update
mu_id = 23 # task id for manual update
# dl_id = 999999 # adversary id to delete
email_id = 27 # email resource id to associate with adversary
victim_id = 2 # victim resource id to associate with adversary
ip_address = '10.121.82.247' # ip address to associate to adversary
rn = randint(1, 1000) # random number generator for testing
class ThreatConnectPlugin(Plugin):
@property
def enabled(self):
return settings.THREATCONNECT_ACCESS_ID is not None and \
settings.THREATCONNECT_SECRET_KEY is not None
def activate(self):
logger.debug('Activating %s' % self.__class__.__name__)
self.service = ThreatConnect(
settings.THREATCONNECT_ACCESS_ID,
settings.THREATCONNECT_SECRET_KEY,
settings.THREATCONNECT_DEFAULT_ORG,
settings.THREATCONNECT_BASE_URL)
self.service.set_api_result_limit(100)
def retrieve_indicator(self, indicator, indicator_type=None):
indicators = self.service.indicators()
if indicator_type:
f = indicators.add_filter(indicator_type)
else:
f = indicators.add_filter()
f.add_owner(['Common Community'])
f.add_indicator(indicator)
results = sorted(indicators.retrieve(), key=lambda x: x.rating)
return results[-1] if results else None
def threshold_met(self, report):
return hasattr(report, 'rating') and report.rating >= 1 and \
hasattr(report, 'confidence') and report.confidence >= 50
def react(self):
if not any(self.reports.values()):
return
rating = max([0] + [r.rating for r in self.reports.values()
if r and hasattr(r, 'rating') and r.rating])
return self.reaction(rating)
def reaction(self, score):
if score == 0:
return 'sunny'
elif 0 <= score < 0.5:
return 'mostly_sunny'
elif 0.5 <= score < 1:
return 'partly_sunny'
elif 1 <= score < 2:
return 'barely_sunny'
elif 2 <= score < 2.5:
return 'cloud'
elif 2.5 <= score < 3:
return 'rain_cloud'
elif 3 <= score < 3.5:
return 'thunder_cloud_and_rain'
elif 3.5 <= score < 4:
return 'lightning'
elif score >= 4:
return 'tornado'
def risk_level(self, score):
try:
score = float(score)
except TypeError:
return 'UNKNOWN'
if score == 0:
return 'UNKNOWN'
elif 0 < score < 1:
return 'VERY LOW'
elif 1 <= score < 2:
return 'LOW'
elif 2 <= score < 3:
return 'MODERATE'
elif 3 <= score < 4:
return 'HIGH'
elif score >= 4:
return 'VERY HIGH'
class ThreatConnectPlugin(Plugin):
@property
def enabled(self):
return settings.THREATCONNECT_ACCESS_ID is not None and \
settings.THREATCONNECT_SECRET_KEY is not None
def activate(self):
logger.debug('Activating %s' % self.__class__.__name__)
self.service = ThreatConnect(settings.THREATCONNECT_ACCESS_ID,
settings.THREATCONNECT_SECRET_KEY,
settings.THREATCONNECT_DEFAULT_ORG,
settings.THREATCONNECT_BASE_URL)
self.service.set_api_result_limit(100)
def retrieve_indicator(self, indicator, indicator_type=None):
indicators = self.service.indicators()
if indicator_type:
f = indicators.add_filter(indicator_type)
else:
f = indicators.add_filter()
f.add_owner(['Common Community'])
f.add_indicator(indicator)
results = sorted(indicators.retrieve(), key=lambda x: x.rating)
return results[-1] if results else None
def threshold_met(self, report):
return hasattr(report, 'rating') and report.rating >= 1 and \
hasattr(report, 'confidence') and report.confidence >= 50
def react(self):
if not any(self.reports.values()):
return
rating = max([0] + [
r.rating for r in self.reports.values()
if r and hasattr(r, 'rating') and r.rating
])
return self.reaction(rating)
def reaction(self, score):
if score == 0:
return 'sunny'
elif 0 <= score < 0.5:
return 'mostly_sunny'
elif 0.5 <= score < 1:
return 'partly_sunny'
elif 1 <= score < 2:
return 'barely_sunny'
elif 2 <= score < 2.5:
return 'cloud'
elif 2.5 <= score < 3:
return 'rain_cloud'
elif 3 <= score < 3.5:
return 'thunder_cloud_and_rain'
elif 3.5 <= score < 4:
return 'lightning'
elif score >= 4:
return 'tornado'
def risk_level(self, score):
try:
score = float(score)
except TypeError:
return 'UNKNOWN'
if score == 0:
return 'UNKNOWN'
elif 0 < score < 1:
return 'VERY LOW'
elif 1 <= score < 2:
return 'LOW'
elif 2 <= score < 3:
return 'MODERATE'
elif 3 <= score < 4:
return 'HIGH'
elif score >= 4:
return 'VERY HIGH'
config.read('./tc.conf')
try:
api_access_id = config.get('threatconnect', 'api_access_id')
api_secret_key = config.get('threatconnect', 'api_secret_key')
api_default_org = config.get('threatconnect', 'api_default_org')
api_base_url = config.get('threatconnect', 'api_base_url')
api_result_limit = config.get('threatconnect', 'api_result_limit')
except ConfigParser.NoOptionError:
print('Could not read configuration file.')
sys.exit(1)
tc = ThreatConnect(api_access_id, api_secret_key, api_default_org,
api_base_url)
tc.set_api_result_limit(1000)
# instantiate Owners object
#owners = tc.owners()
owners = ['ThreatConnect Intelligence', 'Common Community']
groups = tc.groups()
filter1 = groups.add_filter()
# only retrieve Groups from the given owner(s)
filter1.add_owner(owners)
try:
groups.retrieve()
except RuntimeError as e:
print('Error: {0}'.format(e))