def is_ioc(rec, lowercase_ioc=True):
    """Check whether a parsed log record contains any known IOC.

    For every normalized datatype listed under ``rec[NORMALIZATION_KEY]`` that
    has an entry in the threat-intel mapping, the record's values for that
    datatype are fetched, case-folded (``str`` values only), and tested for
    membership in the matching intelligence bucket. Each hit is written back
    into the record through ``insert_ioc_info``.

    Args:
        rec (dict): The parsed payload of any log. It is mutated in place when
            a match is found (IOC details end up under
            ``StreamThreatIntel.IOC_KEY``).
        lowercase_ioc (bool): Whether the IOC files store indicators in
            lowercase. When True, string values taken from the record are
            lowered before the lookup; when False they are uppercased. This is
            what makes the comparison case-insensitive, so the IOC files must
            be cased consistently with this flag. Non-string values are
            compared as-is.

    Returns:
        bool: True if at least one value matched an IOC, i.e.
        ``StreamThreatIntel.IOC_KEY`` is present in the record afterwards;
        otherwise False.
    """
    intel = StreamThreatIntel.get_intelligence()
    mapping = StreamThreatIntel.get_config()

    normalized_types = rec.get(NORMALIZATION_KEY)
    if not mapping or not normalized_types:
        return False

    for datatype in normalized_types:
        if datatype not in mapping:
            continue
        ioc_type = mapping[datatype]
        values = fetch_values_by_datatype(rec, datatype)

        # No intelligence loaded for this IOC type: nothing can match.
        bucket = intel.get(ioc_type)
        if not bucket:
            continue

        for value in values:
            if isinstance(value, str):
                # Normalise case so the lookup does not miss indicators that
                # differ from the record only in capitalisation.
                value = value.lower() if lowercase_ioc else value.upper()
            if value in bucket:
                insert_ioc_info(rec, ioc_type, value)

    return StreamThreatIntel.IOC_KEY in rec
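def is_ioc(rec):
    """Detect whether any data in a record matches a known IOC.

    Every datatype listed under ``rec['normalized_types']`` that has an entry
    in the threat-intel mapping is looked up: the record's values for that
    datatype are fetched and tested for membership in the corresponding
    intelligence bucket. The comparison is exact (no case-folding is applied
    here), so IOC files and record values must already agree in case.

    Args:
        rec (dict): The parsed payload of any log. Mutated in place: each match
            is appended to the list stored under ``StreamThreatIntel.IOC_KEY``
            as ``{'type': <ioc type>, 'value': <matched value>}``.

    Returns:
        bool: True if at least one value matched an IOC (the IOC key is then
        present in the record), otherwise False.
    """
    intel = StreamThreatIntel.get_intelligence()
    datatypes_ioc_mapping = StreamThreatIntel.get_config()

    if not (datatypes_ioc_mapping and rec.get('normalized_types')):
        return False

    for datatype in rec['normalized_types']:
        if datatype not in datatypes_ioc_mapping:
            continue
        ioc_type = datatypes_ioc_mapping[datatype]
        results = fetch_values_by_datatype(rec, datatype)
        for result in results:
            if intel.get(ioc_type) and result in intel[ioc_type]:
                # Always store a list of matches. The previous version stored a
                # bare dict on the first hit and then called ``.append`` on it
                # for the second hit, which raised AttributeError whenever a
                # record matched more than one IOC.
                rec.setdefault(StreamThreatIntel.IOC_KEY, []).append({
                    'type': ioc_type,
                    'value': result
                })

    return StreamThreatIntel.IOC_KEY in rec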
 def test_get_intelligence(self):
     """Threat Intel - get intelligence dictionary

     Loads the fixture IOC files through ``load_intelligence`` and checks that
     the resulting intelligence dict exposes exactly the configured IOC types,
     each with ten entries.
     """
     mapping = {
         'sourceAddress': 'ip',
         'destinationDomain': 'domain',
         'fileHash': 'md5'
     }
     test_config = {
         'threat_intel': {
             'enabled': True,
             'mapping': mapping
         }
     }
     StreamThreatIntel.load_intelligence(test_config, 'tests/unit/fixtures')
     intelligence = StreamThreatIntel.get_intelligence()

     expected_keys = ['domain', 'md5', 'ip']
     assert_items_equal(intelligence.keys(), expected_keys)
     # Each fixture file is expected to contribute exactly ten indicators.
     for ioc_type in expected_keys:
         assert_equal(len(intelligence[ioc_type]), 10)
def teardown():
    """Reset the shared intelligence store after each test method.

    ``StreamThreatIntel.get_intelligence()`` hands back the class-level
    mapping of loaded IOCs; it is cleared in place so indicators loaded by one
    test cannot leak into the next.
    """
    intelligence = StreamThreatIntel.get_intelligence()
    intelligence.clear()