def main():
parser = build_cli_parser("Create a CbTH feed and report from a stream of IOCs")
# Feed metadata arguments.
parser.add_argument("--name", type=str, help="Feed name", required=True)
parser.add_argument("--owner", type=str, help="Feed owner", required=True)
parser.add_argument("--url", type=str, help="Feed provider url", required=True)
parser.add_argument("--summary", type=str, help="Feed summary", required=True)
parser.add_argument("--category", type=str, help="Feed category", required=True)
parser.add_argument("--access", type=str, help="Feed access scope", default="private")
# Report metadata arguments.
parser.add_argument("--rep_timestamp", type=int, help="Report timestamp", default=int(time.time()))
parser.add_argument("--rep_title", type=str, help="Report title", required=True)
parser.add_argument("--rep_desc", type=str, help="Report description", required=True)
parser.add_argument("--rep_severity", type=int, help="Report severity", default=1)
parser.add_argument("--rep_link", type=str, help="Report link")
parser.add_argument("--rep_tags", type=str, help="Report tags, comma separated")
parser.add_argument("--rep_visibility", type=str, help="Report visibility")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
feed_info = {
"name": args.name,
"owner": args.owner,
"provider_url": args.url,
"summary": args.summary,
"category": args.category,
"access": args.access,
}
rep_tags = []
if args.rep_tags:
rep_tags = args.rep_tags.split(",")
report = {
"timestamp": args.rep_timestamp,
"title": args.rep_title,
"description": args.rep_desc,
"severity": args.rep_severity,
"link": args.rep_link,
"tags": rep_tags,
"iocs_v2": [], # NOTE(ww): The feed server will convert IOCs to v2s for us.
}
report_id, iocs = read_iocs(cb)
report["id"] = report_id
report["iocs"] = iocs
feed = {
"feedinfo": feed_info,
"reports": [report]
}
feed = cb.create(Feed, feed)
feed.save()
print(feed)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-f", type=str, help="output file name", default=None)
parser.add_argument("-of",
type=str,
help="output file format: csv or json",
default="json")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to query the process tree with")
sys.exit(1)
tree = cb.select(Process).where(process_guid=args.p)[0].tree()
for idx, child in enumerate(tree.children):
print("Child #{}".format(idx))
print("\tName: {}".format(child.process_name))
print("\tNumber of children: {}".format(len(child.children)))
if args.f is not None:
if args.of == "json":
with open(args.f, 'w') as outfile:
for idx, child in enumerate(tree.children):
json.dump(child.original_document, outfile)
else:
with open(args.f, 'w') as outfile:
csvwriter = csv.writer(outfile)
for idx, child in enumerate(tree.children):
csvwriter.writerow(child.original_document)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-f", type=str, help="output file name", default=None)
parser.add_argument("-of", type=str, help="output file format: csv or json", default="json")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to query the process tree with")
sys.exit(1)
tree = cb.select(Process).where(process_guid=args.p)[0].tree()
for idx, child in enumerate(tree.children):
print("Child #{}".format(idx))
print("\tName: {}".format(child.process_name))
print("\tNumber of children: {}".format(len(child.children)))
if args.f is not None:
if args.of == "json":
with open(args.f, 'w') as outfile:
for idx, child in enumerate(tree.children):
json.dump(child.original_document, outfile)
else:
with open(args.f, 'w') as outfile:
csvwriter = csv.writer(outfile)
for idx,child in enumerate(tree.children):
csvwriter.writerow(child.original_document)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-q", type=str, help="query string", default=None)
parser.add_argument("-s", type=bool, help="silent mode", default=False)
parser.add_argument("-n",
type=int,
help="only output N events",
default=None)
parser.add_argument("-f", type=str, help="output file name", default=None)
parser.add_argument("-of",
type=str,
help="output file format: csv or json",
default="json")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p and not args.q:
print("Error: Missing Process GUID to search for events with")
sys.exit(1)
if args.q:
processes = cb.select(Process).where(args.q)
else:
processes = cb.select(Process).where(process_guid=args.p)
if args.n:
processes = [p for p in processes[0:args.n]]
if not args.s:
for process in processes:
print("Process: {}".format(process.process_name))
print("\tPIDs: {}".format(process.process_pids))
print("\tSHA256: {}".format(process.process_sha256))
print("\tGUID: {}".format(process.process_guid))
if args.f is not None:
if args.of == "json":
with open(args.f, 'w') as outfile:
for p in processes:
json.dump(p.original_document, outfile)
print(p.original_document)
else:
headers = set()
headers.update(*(d.original_document.keys() for d in processes))
with open(args.f, 'w') as outfile:
csvwriter = csv.DictWriter(outfile, fieldnames=headers)
csvwriter.writeheader()
for p in processes:
csvwriter.writerow(p.original_document)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to query the process tree with")
sys.exit(1)
tree = cb.select(Process).where(process_guid=args.p)[0].tree()
for idx, child in enumerate(tree.children):
print("Child #{}".format(idx))
print("\tName: {}".format(child.process_name))
print("\tGUID: {}".format(child.process_guid))
print("\tNumber of children: {}".format(len(child.children)))
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-q", type=str, help="process query", default="process_name:notepad.exe")
parser.add_argument("-n", type=int, help="only output N processes", default=None)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
processes = cb.select(Process).where(args.q)
if args.n:
processes = processes[0:args.n]
for process in processes:
print("Process: {}".format(process.process_name))
print("\tPIDs: {}".format(process.process_pids))
print("\tSHA256: {}".format(process.process_sha256))
print("\tGUID: {}".format(process.process_guid))
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-s", type=bool, help="silent mode", default=False)
parser.add_argument("-n",
type=int,
help="only output N events",
default=None)
parser.add_argument("-f", type=str, help="output file name", default=None)
parser.add_argument("-of",
type=str,
help="output file format: csv or json",
default="json")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to search for events with")
sys.exit(1)
events = cb.select(Event).where(process_guid=args.p)
if args.n:
events = events[0:args.n]
if not args.s:
for event in events:
print("Event type: {}".format(event.event_type))
print("\tEvent GUID: {}".format(event.event_guid))
print("\tEvent Timestamp: {}".format(event.event_timestamp))
if args.f is not None:
if args.of == "json":
with open(args.f, 'w') as outfile:
for event in events:
json.dump(event.original_document, outfile)
else:
with open(args.f, 'w') as outfile:
csvwriter = csv.writer(outfile)
for event in events:
csvwriter.writerows(event)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-q",type=str,help="query string",default=None)
parser.add_argument("-s",type=bool, help="silent mode",default=False)
parser.add_argument("-n", type=int, help="only output N events", default=None)
parser.add_argument("-f", type=str, help="output file name",default=None)
parser.add_argument("-of", type=str,help="output file format: csv or json",default="json")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p and not args.q:
print("Error: Missing Process GUID to search for events with")
sys.exit(1)
if args.q:
processes = cb.select(Process).where(args.q)
else:
processes = cb.select(Process).where(process_guid=args.p)
if args.n:
processes = [ p for p in processes[0:args.n]]
if not args.s:
for process in processes:
print("Process: {}".format(process.process_name))
print("\tPIDs: {}".format(process.process_pids))
print("\tSHA256: {}".format(process.process_sha256))
print("\tGUID: {}".format(process.process_guid))
if args.f is not None:
if args.of == "json":
with open(args.f, 'w') as outfile:
for p in processes:
json.dump(p.original_document, outfile)
else:
with open(args.f, 'w') as outfile:
csvwriter = csv.writer(outfile)
for p in processes:
csvwriter.writerow(p.original_document)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-n", type=int, help="only output N events", default=None)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to search for events with")
sys.exit(1)
events = cb.select(Event).where(process_guid=args.p)
if args.n:
events = events[0:args.n]
for event in events:
print("Event type: {}".format(event.event_type))
print("\tEvent GUID: {}".format(event.event_guid))
print("\tEvent Timestamp: {}".format(event.event_timestamp))
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-n", type=int, help="only output N events", default=None)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to search for events with")
sys.exit(1)
events = cb.select(Event).where(process_guid=args.p)
if args.n:
events = events[0:args.n]
for event in events:
print("Event type: {}".format(event.event_type))
print("\tEvent GUID: {}".format(event.event_guid))
print("\tEvent Timestamp: {}".format(event.event_timestamp))
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-q",
type=str,
help="process query",
default="process_name:notepad.exe")
parser.add_argument("-n",
type=int,
help="only output N processes",
default=None)
parser.add_argument("-b",
action="store_true",
help="show binary information",
default=False)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
processes = cb.select(Process).where(args.q)
if args.n:
processes = processes[0:args.n]
for process in processes:
print("Process: {}".format(process.process_name))
print("\tPIDs: {}".format(process.process_pids))
print("\tSHA256: {}".format(process.process_sha256))
print("\tGUID: {}".format(process.process_guid))
if args.b:
try:
binary = cb.select(Binary, process.process_sha256)
print(binary)
print(binary.summary)
except ObjectNotFoundError:
print("No binary found for process with hash: {}".format(
process.process_sha256))
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-p", type=str, help="process guid", default=None)
parser.add_argument("-s",type=bool, help="silent mode",default=False)
parser.add_argument("-n", type=int, help="only output N events", default=None)
parser.add_argument("-f", type=str, help="output file name",default=None)
parser.add_argument("-of", type=str,help="output file format: csv or json",default="json")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if not args.p:
print("Error: Missing Process GUID to search for events with")
sys.exit(1)
events = cb.select(Event).where(process_guid=args.p)
if args.n:
events = events[0:args.n]
if not args.s:
for event in events:
print("Event type: {}".format(event.event_type))
print("\tEvent GUID: {}".format(event.event_guid))
print("\tEvent Timestamp: {}".format(event.event_timestamp))
if args.f is not None:
if args.of == "json":
with open(args.f, 'w') as outfile:
for event in events:
json.dump(event.original_document, outfile)
else:
with open(args.f, 'w') as outfile:
csvwriter = csv.writer(outfile)
for event in events:
csvwriter.writerows(event)
def main():
parser = build_cli_parser("Query processes")
parser.add_argument("-q",
type=str,
help="process query",
default="process_name:notepad.exe")
parser.add_argument("-n",
type=int,
help="only output N processes",
default=None)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
processes = cb.select(Process).where(args.q)
if args.n:
processes = processes[0:args.n]
for process in processes:
print("Process: {}".format(process.process_name))
print("\tPIDs: {}".format(process.process_pids))
print("\tSHA256: {}".format(process.process_sha256))
print("\tGUID: {}".format(process.process_guid))
def main():
parser = build_cli_parser()
commands = parser.add_subparsers(help="Feed commands", dest="command_name")
list_command = commands.add_parser("list", help="List all configured watchlists")
list_command.add_argument("-r", "--reports", action="store_true", help="List reports for each watchlist", default=False)
subscribe_command = commands.add_parser("subscribe", help="Create a watchlist with a feed")
subscribe_command.add_argument("-i", "--feed_id", type=str, help="The Feed ID", required=True)
subscribe_command.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name", required=True)
subscribe_command.add_argument("-d", "--description", type=str, help="Watchlist description", required=True)
subscribe_command.add_argument("-t", "--tags", action="store_true", help="Enable tags", default=False)
subscribe_command.add_argument("-a", "--alerts", action="store_true", help="Enable alerts", default=False)
subscribe_command.add_argument("-T", "--timestamp", type=int, help="Creation timestamp", default=int(time.time()))
subscribe_command.add_argument("-U", "--last_update", type=int, help="Last update timestamp", default=int(time.time()))
create_command = commands.add_parser("create", help="Create a watchlist with a report")
create_command.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name", required=True)
create_command.add_argument("-d", "--description", type=str, help="Watchlist description", required=True)
create_command.add_argument("-t", "--tags", action="store_true", help="Enable tags", default=False)
create_command.add_argument("-a", "--alerts", action="store_true", help="Enable alerts", default=False)
create_command.add_argument("-T", "--timestamp", type=int, help="Creation timestamp", default=int(time.time()))
create_command.add_argument("-U", "--last_update", type=int, help="Last update timestamp", default=int(time.time()))
# Report metadata arguments.
create_command.add_argument("--rep_timestamp", type=int, help="Report timestamp", default=int(time.time()))
create_command.add_argument("--rep_title", type=str, help="Report title", required=True)
create_command.add_argument("--rep_desc", type=str, help="Report description", required=True)
create_command.add_argument("--rep_severity", type=int, help="Report severity", default=1)
create_command.add_argument("--rep_link", type=str, help="Report link")
create_command.add_argument("--rep_tags", type=str, help="Report tags, comma separated")
create_command.add_argument("--rep_visibility", type=str, help="Report visibility")
delete_command = commands.add_parser("delete", help="Delete a watchlist")
delete_command.add_argument("-R", "--reports", action="store_true", help="Delete all associated reports too", default=False)
specifier = delete_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--watchlist_id", type=str, help="The watchlist ID")
specifier.add_argument("-w", "--watchlist_name", type=str, help="The watchlist name")
alter_report_command = commands.add_parser("alter-report", help="Change the properties of a watchlist's report")
alter_report_command.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID", required=True)
alter_report_command.add_argument("-r", "--report_id", type=str, help="Report ID", required=True)
alter_report_command.add_argument("-s", "--severity", type=int, help="The report's severity", required=False)
specifier = alter_report_command.add_mutually_exclusive_group(required=False)
specifier.add_argument("-d", "--deactivate", action="store_true", help="Deactive alerts for this report")
specifier.add_argument("-a", "--activate", action="store_true", help="Activate alerts for this report")
alter_ioc_command = commands.add_parser("alter-ioc", help="Change the properties of a watchlist's IOC")
alter_ioc_command.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID", required=True)
alter_ioc_command.add_argument("-r", "--report_id", type=str, help="Report ID", required=True)
alter_ioc_command.add_argument("-I", "--ioc_id", type=str, help="IOC ID", required=True)
specifier = alter_ioc_command.add_mutually_exclusive_group(required=False)
specifier.add_argument("-d", "--deactivate", action="store_true", help="Deactive alerts for this IOC")
specifier.add_argument("-a", "--activate", action="store_true", help="Activate alerts for this IOC")
export_command = commands.add_parser("export", help="Export a watchlist into an importable format")
specifier = export_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID")
specifier.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name")
commands.add_parser("import", help="Import a previously exported watchlist")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if args.command_name == "list":
return list_watchlists(cb, parser, args)
elif args.command_name == "subscribe":
return subscribe_watchlist(cb, parser, args)
elif args.command_name == "create":
return create_watchlist(cb, parser, args)
elif args.command_name == "delete":
return delete_watchlist(cb, parser, args)
elif args.command_name == "alter-report":
return alter_report(cb, parser, args)
elif args.command_name == "alter-ioc":
return alter_ioc(cb, parser, args)
elif args.command_name == "export":
return export_watchlist(cb, parser, args)
elif args.command_name == "import":
return import_watchlist(cb, parser, args)
def main():
parser = build_cli_parser(
"Create a CbTH feed and report from a stream of IOCs")
# Feed metadata arguments.
parser.add_argument("--name", type=str, help="Feed name", required=True)
parser.add_argument("--owner", type=str, help="Feed owner", required=True)
parser.add_argument("--url",
type=str,
help="Feed provider url",
required=True)
parser.add_argument("--summary",
type=str,
help="Feed summary",
required=True)
parser.add_argument("--category",
type=str,
help="Feed category",
required=True)
parser.add_argument("--access",
type=str,
help="Feed access scope",
default="private")
# Report metadata arguments.
parser.add_argument("--rep_timestamp",
type=int,
help="Report timestamp",
default=int(time.time()))
parser.add_argument("--rep_title",
type=str,
help="Report title",
required=True)
parser.add_argument("--rep_desc",
type=str,
help="Report description",
required=True)
parser.add_argument("--rep_severity",
type=int,
help="Report severity",
default=1)
parser.add_argument("--rep_link", type=str, help="Report link")
parser.add_argument("--rep_tags",
type=str,
help="Report tags, comma separated")
parser.add_argument("--rep_visibility", type=str, help="Report visibility")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
feed_info = {
"name": args.name,
"owner": args.owner,
"provider_url": args.url,
"summary": args.summary,
"category": args.category,
"access": args.access,
}
rep_tags = []
if args.rep_tags:
rep_tags = args.rep_tags.split(",")
report = {
"timestamp": args.rep_timestamp,
"title": args.rep_title,
"description": args.rep_desc,
"severity": args.rep_severity,
"link": args.rep_link,
"tags": rep_tags,
"iocs_v2":
[], # NOTE(ww): The feed server will convert IOCs to v2s for us.
}
report_id, iocs = read_iocs(cb)
report["id"] = report_id
report["iocs"] = iocs
feed = {"feedinfo": feed_info, "reports": [report]}
feed = cb.create(Feed, feed)
feed.save()
print(feed)
def main():
parser = build_cli_parser()
commands = parser.add_subparsers(help="Feed commands", dest="command_name")
list_command = commands.add_parser("list", help="List all configured feeds")
list_command.add_argument("-P", "--public", help="Include public feeds", action="store_true", default=False)
list_command.add_argument("-r", "--reports", help="Include reports for each feed", action="store_true", default=False)
list_command.add_argument("-i", "--iocs", help="Include IOCs for each feed's reports", action="store_true", default=False)
list_iocs_command = commands.add_parser("list-iocs", help="List all IOCs for a feed")
specifier = list_iocs_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
export_command = commands.add_parser("export", help="Export a feed into an importable format")
specifier = export_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
import_command = commands.add_parser("import", help="Import a previously exported feed")
import_command.add_argument("-f", "--feedname", type=str, help="Renames the imported feed")
del_command = commands.add_parser("delete", help="Delete feed")
specifier = del_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
export_report_command = commands.add_parser("export-report", help="Export a feed's report into an importable format")
specifier = export_report_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
specifier = export_report_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-I", "--reportid", type=str, help="Report ID")
specifier.add_argument("-r", "--reportname", type=str, help="Report Name")
import_report_command = commands.add_parser("import-report", help="Import a previously exported report")
specifier = import_report_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
delete_report_command = commands.add_parser("delete-report", help="Delete a report from a feed")
specifier = delete_report_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
specifier = delete_report_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-I", "--reportid", type=str, help="Report ID")
specifier.add_argument("-r", "--reportname", type=str, help="Report Name")
replace_report_command = commands.add_parser("replace-report", help="Replace a feed's report")
specifier = replace_report_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if args.command_name == "list":
return list_feeds(cb, parser, args)
elif args.command_name == "list-iocs":
return list_iocs(cb, parser, args)
elif args.command_name == "export":
return export_feed(cb, parser, args)
elif args.command_name == "import":
return import_feed(cb, parser, args)
elif args.command_name == "delete":
return delete_feed(cb, parser, args)
elif args.command_name == "export-report":
return export_report(cb, parser, args)
elif args.command_name == "import-report":
return import_report(cb, parser, args)
elif args.command_name == "delete-report":
return delete_report(cb, parser, args)
elif args.command_name == "replace-report":
return replace_report(cb, parser, args)
def main():
parser = build_cli_parser("Search processes")
parser.add_argument("-q",
type=str,
help="process query",
default="process_name:notepad.exe")
parser.add_argument("-f",
help="show full objects",
action="store_true",
default=False)
parser.add_argument("-n",
type=int,
help="only output N processes",
default=None)
parser.add_argument("-e",
help="show events for query results",
action="store_true",
default=False)
parser.add_argument("-c",
help="show children for query results",
action="store_true",
default=False)
parser.add_argument("-p",
help="show parents for query results",
action="store_true",
default=False)
parser.add_argument("-t",
help="show tree for query results",
action="store_true",
default=False)
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
processes = cb.select(Process).where(args.q)
print("Number of processes: {}".format(len(processes)))
if args.n:
processes = processes[0:args.n]
for process in processes:
if args.f:
print(process)
else:
print("{}: {}".format(process.process_guid,
process.process_sha256))
if args.e:
print("=========== events ===========")
for event in process.events():
if args.f:
print(event)
else:
print("\t{}".format(event.event_type))
if args.c:
print("========== children ==========")
for child in process.children:
if args.f:
print(child)
else:
print("\t{}: {}".format(child.process_name,
child.process_sha256))
if args.p:
print("========== parents ==========")
for parent in process.parents:
if args.f:
print(parent)
else:
print("\t{}: {}".format(parent.process_name,
parent.process_sha256))
if args.t:
print("=========== tree =============")
tree = process.tree()
print(tree)
print(tree.nodes)
print("===========================")
def main():
parser = build_cli_parser()
commands = parser.add_subparsers(help="Feed commands", dest="command_name")
list_command = commands.add_parser("list",
help="List all configured watchlists")
list_command.add_argument("-r",
"--reports",
action="store_true",
help="List reports for each watchlist",
default=False)
subscribe_command = commands.add_parser(
"subscribe", help="Create a watchlist with a feed")
subscribe_command.add_argument("-i",
"--feed_id",
type=str,
help="The Feed ID",
required=True)
subscribe_command.add_argument("-w",
"--watchlist_name",
type=str,
help="Watchlist name",
required=True)
subscribe_command.add_argument("-d",
"--description",
type=str,
help="Watchlist description",
required=True)
subscribe_command.add_argument("-t",
"--tags",
action="store_true",
help="Enable tags",
default=False)
subscribe_command.add_argument("-a",
"--alerts",
action="store_true",
help="Enable alerts",
default=False)
subscribe_command.add_argument("-T",
"--timestamp",
type=int,
help="Creation timestamp",
default=int(time.time()))
subscribe_command.add_argument("-U",
"--last_update",
type=int,
help="Last update timestamp",
default=int(time.time()))
create_command = commands.add_parser(
"create", help="Create a watchlist with a report")
create_command.add_argument("-w",
"--watchlist_name",
type=str,
help="Watchlist name",
required=True)
create_command.add_argument("-d",
"--description",
type=str,
help="Watchlist description",
required=True)
create_command.add_argument("-t",
"--tags",
action="store_true",
help="Enable tags",
default=False)
create_command.add_argument("-a",
"--alerts",
action="store_true",
help="Enable alerts",
default=False)
create_command.add_argument("-T",
"--timestamp",
type=int,
help="Creation timestamp",
default=int(time.time()))
create_command.add_argument("-U",
"--last_update",
type=int,
help="Last update timestamp",
default=int(time.time()))
# Report metadata arguments.
create_command.add_argument("--rep_timestamp",
type=int,
help="Report timestamp",
default=int(time.time()))
create_command.add_argument("--rep_title",
type=str,
help="Report title",
required=True)
create_command.add_argument("--rep_desc",
type=str,
help="Report description",
required=True)
create_command.add_argument("--rep_severity",
type=int,
help="Report severity",
default=1)
create_command.add_argument("--rep_link", type=str, help="Report link")
create_command.add_argument("--rep_tags",
type=str,
help="Report tags, comma separated")
create_command.add_argument("--rep_visibility",
type=str,
help="Report visibility")
delete_command = commands.add_parser("delete", help="Delete a watchlist")
delete_command.add_argument("-R",
"--reports",
action="store_true",
help="Delete all associated reports too",
default=False)
specifier = delete_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i",
"--watchlist_id",
type=str,
help="The watchlist ID")
specifier.add_argument("-w",
"--watchlist_name",
type=str,
help="The watchlist name")
alter_report_command = commands.add_parser(
"alter-report", help="Change the properties of a watchlist's report")
alter_report_command.add_argument("-i",
"--watchlist_id",
type=str,
help="Watchlist ID",
required=True)
alter_report_command.add_argument("-r",
"--report_id",
type=str,
help="Report ID",
required=True)
alter_report_command.add_argument("-s",
"--severity",
type=int,
help="The report's severity",
required=False)
specifier = alter_report_command.add_mutually_exclusive_group(
required=False)
specifier.add_argument("-d",
"--deactivate",
action="store_true",
help="Deactive alerts for this report")
specifier.add_argument("-a",
"--activate",
action="store_true",
help="Activate alerts for this report")
alter_ioc_command = commands.add_parser(
"alter-ioc", help="Change the properties of a watchlist's IOC")
alter_ioc_command.add_argument("-i",
"--watchlist_id",
type=str,
help="Watchlist ID",
required=True)
alter_ioc_command.add_argument("-r",
"--report_id",
type=str,
help="Report ID",
required=True)
alter_ioc_command.add_argument("-I",
"--ioc_id",
type=str,
help="IOC ID",
required=True)
specifier = alter_ioc_command.add_mutually_exclusive_group(required=False)
specifier.add_argument("-d",
"--deactivate",
action="store_true",
help="Deactive alerts for this IOC")
specifier.add_argument("-a",
"--activate",
action="store_true",
help="Activate alerts for this IOC")
export_command = commands.add_parser(
"export", help="Export a watchlist into an importable format")
specifier = export_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i",
"--watchlist_id",
type=str,
help="Watchlist ID")
specifier.add_argument("-w",
"--watchlist_name",
type=str,
help="Watchlist name")
import_command = commands.add_parser(
"import", help="Import a previously exported watchlist")
specifier = import_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-f",
"--watchlistfile",
help="Filename containing the JSON watchlist")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if args.command_name == "list":
return list_watchlists(cb, parser, args)
elif args.command_name == "subscribe":
return subscribe_watchlist(cb, parser, args)
elif args.command_name == "create":
return create_watchlist(cb, parser, args)
elif args.command_name == "delete":
return delete_watchlist(cb, parser, args)
elif args.command_name == "alter-report":
return alter_report(cb, parser, args)
elif args.command_name == "alter-ioc":
return alter_ioc(cb, parser, args)
elif args.command_name == "export":
return export_watchlist(cb, parser, args)
elif args.command_name == "import":
return import_watchlist(cb, parser, args)
def main():
parser = build_cli_parser()
commands = parser.add_subparsers(help="Feed commands", dest="command_name")
list_command = commands.add_parser("list",
help="List all configured feeds")
list_command.add_argument("-P",
"--public",
help="Include public feeds",
action="store_true",
default=False)
list_command.add_argument("-r",
"--reports",
help="Include reports for each feed",
action="store_true",
default=False)
list_command.add_argument("-i",
"--iocs",
help="Include IOCs for each feed's reports",
action="store_true",
default=False)
list_iocs_command = commands.add_parser("list-iocs",
help="List all IOCs for a feed")
specifier = list_iocs_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
export_command = commands.add_parser(
"export", help="Export a feed into an importable format")
specifier = export_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
import_command = commands.add_parser(
"import", help="Import a previously exported feed")
import_command.add_argument("-f",
"--feedname",
type=str,
help="Renames the imported feed")
del_command = commands.add_parser("delete", help="Delete feed")
specifier = del_command.add_mutually_exclusive_group(required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
export_report_command = commands.add_parser(
"export-report",
help="Export a feed's report into an importable format")
specifier = export_report_command.add_mutually_exclusive_group(
required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
specifier = export_report_command.add_mutually_exclusive_group(
required=True)
specifier.add_argument("-I", "--reportid", type=str, help="Report ID")
specifier.add_argument("-r", "--reportname", type=str, help="Report Name")
import_report_command = commands.add_parser(
"import-report", help="Import a previously exported report")
specifier = import_report_command.add_mutually_exclusive_group(
required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
delete_report_command = commands.add_parser(
"delete-report", help="Delete a report from a feed")
specifier = delete_report_command.add_mutually_exclusive_group(
required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
specifier = delete_report_command.add_mutually_exclusive_group(
required=True)
specifier.add_argument("-I", "--reportid", type=str, help="Report ID")
specifier.add_argument("-r", "--reportname", type=str, help="Report Name")
replace_report_command = commands.add_parser(
"replace-report", help="Replace a feed's report")
specifier = replace_report_command.add_mutually_exclusive_group(
required=True)
specifier.add_argument("-i", "--id", type=str, help="Feed ID")
specifier.add_argument("-f", "--feedname", type=str, help="Feed Name")
args = parser.parse_args()
cb = get_cb_threathunter_object(args)
if args.command_name == "list":
return list_feeds(cb, parser, args)
elif args.command_name == "list-iocs":
return list_iocs(cb, parser, args)
elif args.command_name == "export":
return export_feed(cb, parser, args)
elif args.command_name == "import":
return import_feed(cb, parser, args)
elif args.command_name == "delete":
return delete_feed(cb, parser, args)
elif args.command_name == "export-report":
return export_report(cb, parser, args)
elif args.command_name == "import-report":
return import_report(cb, parser, args)
elif args.command_name == "delete-report":
return delete_report(cb, parser, args)
elif args.command_name == "replace-report":
return replace_report(cb, parser, args)