def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky Master YARA importer (update data: {0})...",
self.update_existing_data,
)
latest_master_yara_timestamp = state.get(
self._LATEST_MASTER_YARA_TIMESTAMP)
if latest_master_yara_timestamp is None:
latest_master_yara_datetime = None
else:
latest_master_yara_datetime = timestamp_to_datetime(
latest_master_yara_timestamp)
master_yara_fetch_weekday = self.master_yara_fetch_weekday
if master_yara_fetch_weekday is not None:
if not is_current_weekday_before_datetime(
master_yara_fetch_weekday, latest_master_yara_datetime):
self._info("It is not time to fetch the Master YARA yet.")
return state
yara = self._fetch_master_yara()
yara_rules = yara.rules
yara_rule_count = len(yara_rules)
self._info(
"Master YARA with {0} rules...",
yara_rule_count,
)
new_yara_rules = self.yara_rule_updater.update_existing(yara.rules)
new_yara_rule_count = len(new_yara_rules)
self._info(
"{0} new YARA rules...",
new_yara_rule_count,
)
failed_count = 0
for yara_rule in new_yara_rules:
result = self._process_yara_rule(yara_rule)
if not result:
failed_count += 1
success_count = new_yara_rule_count - failed_count
self._info(
"Kaspersky Master YARA importer completed (imported: {0}, total: {1})",
success_count,
new_yara_rule_count,
)
return {
self._LATEST_MASTER_YARA_TIMESTAMP:
datetime_to_timestamp(datetime_utc_now())
}
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky publication importer (update data: {0})...",
self.update_existing_data,
)
self._load_opencti_regions()
latest_publication_timestamp = state.get(
self._LATEST_PUBLICATION_TIMESTAMP)
if latest_publication_timestamp is None:
latest_publication_timestamp = self.publication_start_timestamp
latest_publication_datetime = timestamp_to_datetime(
latest_publication_timestamp)
publications = self._fetch_publications(latest_publication_datetime)
publication_count = len(publications)
self._info(
"Fetched {0} publications...",
publication_count,
)
publications = self._filter_publications(publications,
latest_publication_datetime)
publication_count = len(publications)
self._info(
"{0} publications after filtering...",
publication_count,
)
failed_count = 0
for publication in publications:
result = self._process_publication(publication)
if not result:
failed_count += 1
publication_updated = publication.updated
if publication_updated > latest_publication_datetime:
latest_publication_datetime = publication_updated
success_count = publication_count - failed_count
self._info(
"Kaspersky publication importer completed (imported: {0}, failed: {1}, total: {2})", # noqa: E501
success_count,
failed_count,
publication_count,
)
return {
self._LATEST_PUBLICATION_TIMESTAMP:
datetime_to_timestamp(latest_publication_datetime)
}
def _initiate_work(self, timestamp: int) -> str:
datetime_str = timestamp_to_datetime(timestamp)
friendly_name = f"{self.helper.connect_name} @ {datetime_str}"
work_id = self.helper.api.work.initiate_work(self.helper.connect_id,
friendly_name)
self._info("New work '{0}' initiated", work_id)
return work_id
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky Master YARA importer (update data: {0}, include report: {1})...", # noqa: E501
self.update_existing_data,
self.master_yara_include_report,
)
latest_master_yara_timestamp = state.get(
self._LATEST_MASTER_YARA_TIMESTAMP)
if latest_master_yara_timestamp is None:
latest_master_yara_datetime = None
else:
latest_master_yara_datetime = timestamp_to_datetime(
latest_master_yara_timestamp)
master_yara_fetch_weekday = self.master_yara_fetch_weekday
if master_yara_fetch_weekday is not None:
if not is_current_weekday_before_datetime(
master_yara_fetch_weekday, latest_master_yara_datetime):
self._info("It is not time to fetch the Master YARA yet.")
return self._create_state(latest_master_yara_datetime)
yara = self._fetch_master_yara()
yara_rules = yara.rules
yara_rule_count = len(yara_rules)
self._info(
"Master YARA with {0} rules...",
yara_rule_count,
)
new_yara_rules = self.yara_rule_updater.update_existing(yara.rules)
new_yara_rule_count = len(new_yara_rules)
self._info(
"{0} new YARA rules...",
new_yara_rule_count,
)
grouped_yara_rules = self._group_yara_rules_by_report(new_yara_rules)
group_count = len(grouped_yara_rules)
self._info(
"{0} YARA rule groups...",
group_count,
)
for group, rules in grouped_yara_rules:
self._info("YARA rule group: ({0}) {1}", len(rules), group)
failed_count = 0
for yara_rule_group in grouped_yara_rules:
result = self._process_yara_rule_group(yara_rule_group)
if not result:
failed_count += 1
success_count = group_count - failed_count
self._info(
"Kaspersky Master YARA importer completed (imported: {0}, total: {1})",
success_count,
group_count,
)
return self._create_state(datetime_utc_now())
def run(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
"""Run importer."""
self._info(
"Running Kaspersky Master IOC importer (update data: {0})...",
self.update_existing_data,
)
latest_master_ioc_timestamp = state.get(
self._LATEST_MASTER_IOC_TIMESTAMP)
if latest_master_ioc_timestamp is None:
latest_master_ioc_datetime = None
else:
latest_master_ioc_datetime = timestamp_to_datetime(
latest_master_ioc_timestamp)
master_ioc_fetch_weekday = self.master_ioc_fetch_weekday
if master_ioc_fetch_weekday is not None:
if not is_current_weekday_before_datetime(
master_ioc_fetch_weekday, latest_master_ioc_datetime):
self._info("It is not time to fetch the Master IOC yet.")
return state
openioc_csv = self._fetch_master_ioc()
indicators = openioc_csv.indicators
indicator_count = len(indicators)
self._info(
"Master IOC with {0} indicators...",
indicator_count,
)
indicators = self._filter_indicators(indicators,
latest_master_ioc_datetime)
indicator_count = len(indicators)
self._info(
"{0} indicators after filtering...",
indicator_count,
)
grouped_indicators = self._group_indicators_by_publication(indicators)
group_count = len(grouped_indicators)
self._info(
"{0} indicator groups...",
group_count,
)
failed_count = 0
for indicator_group in grouped_indicators:
result = self._process_indicator_group(indicator_group)
if not result:
failed_count += 1
success_count = group_count - failed_count
self._info(
"Kaspersky Master IOC importer completed (imported: {0}, total: {1})",
success_count,
group_count,
)
return {
self._LATEST_MASTER_IOC_TIMESTAMP:
datetime_to_timestamp(datetime_utc_now())
}