def main(): parser = build_cli_parser("Create a CbTH feed and report from a stream of IOCs") # Feed metadata arguments. parser.add_argument("--name", type=str, help="Feed name", required=True) parser.add_argument("--owner", type=str, help="Feed owner", required=True) parser.add_argument("--url", type=str, help="Feed provider url", required=True) parser.add_argument("--summary", type=str, help="Feed summary", required=True) parser.add_argument("--category", type=str, help="Feed category", required=True) parser.add_argument("--access", type=str, help="Feed access scope", default="private") # Report metadata arguments. parser.add_argument("--rep_timestamp", type=int, help="Report timestamp", default=int(time.time())) parser.add_argument("--rep_title", type=str, help="Report title", required=True) parser.add_argument("--rep_desc", type=str, help="Report description", required=True) parser.add_argument("--rep_severity", type=int, help="Report severity", default=1) parser.add_argument("--rep_link", type=str, help="Report link") parser.add_argument("--rep_tags", type=str, help="Report tags, comma separated") parser.add_argument("--rep_visibility", type=str, help="Report visibility") args = parser.parse_args() cb = get_cb_threathunter_object(args) feed_info = { "name": args.name, "owner": args.owner, "provider_url": args.url, "summary": args.summary, "category": args.category, "access": args.access, } rep_tags = [] if args.rep_tags: rep_tags = args.rep_tags.split(",") report = { "timestamp": args.rep_timestamp, "title": args.rep_title, "description": args.rep_desc, "severity": args.rep_severity, "link": args.rep_link, "tags": rep_tags, "iocs_v2": [], # NOTE(ww): The feed server will convert IOCs to v2s for us. } report_id, iocs = read_iocs(cb) report["id"] = report_id report["iocs"] = iocs feed = { "feedinfo": feed_info, "reports": [report] } feed = cb.create(Feed, feed) feed.save() print(feed)
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-f", type=str, help="output file name", default=None) parser.add_argument("-of", type=str, help="output file format: csv or json", default="json") args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p: print("Error: Missing Process GUID to query the process tree with") sys.exit(1) tree = cb.select(Process).where(process_guid=args.p)[0].tree() for idx, child in enumerate(tree.children): print("Child #{}".format(idx)) print("\tName: {}".format(child.process_name)) print("\tNumber of children: {}".format(len(child.children))) if args.f is not None: if args.of == "json": with open(args.f, 'w') as outfile: for idx, child in enumerate(tree.children): json.dump(child.original_document, outfile) else: with open(args.f, 'w') as outfile: csvwriter = csv.writer(outfile) for idx, child in enumerate(tree.children): csvwriter.writerow(child.original_document)
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-f", type=str, help="output file name", default=None) parser.add_argument("-of", type=str, help="output file format: csv or json", default="json") args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p: print("Error: Missing Process GUID to query the process tree with") sys.exit(1) tree = cb.select(Process).where(process_guid=args.p)[0].tree() for idx, child in enumerate(tree.children): print("Child #{}".format(idx)) print("\tName: {}".format(child.process_name)) print("\tNumber of children: {}".format(len(child.children))) if args.f is not None: if args.of == "json": with open(args.f, 'w') as outfile: for idx, child in enumerate(tree.children): json.dump(child.original_document, outfile) else: with open(args.f, 'w') as outfile: csvwriter = csv.writer(outfile) for idx,child in enumerate(tree.children): csvwriter.writerow(child.original_document)
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-q", type=str, help="query string", default=None) parser.add_argument("-s", type=bool, help="silent mode", default=False) parser.add_argument("-n", type=int, help="only output N events", default=None) parser.add_argument("-f", type=str, help="output file name", default=None) parser.add_argument("-of", type=str, help="output file format: csv or json", default="json") args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p and not args.q: print("Error: Missing Process GUID to search for events with") sys.exit(1) if args.q: processes = cb.select(Process).where(args.q) else: processes = cb.select(Process).where(process_guid=args.p) if args.n: processes = [p for p in processes[0:args.n]] if not args.s: for process in processes: print("Process: {}".format(process.process_name)) print("\tPIDs: {}".format(process.process_pids)) print("\tSHA256: {}".format(process.process_sha256)) print("\tGUID: {}".format(process.process_guid)) if args.f is not None: if args.of == "json": with open(args.f, 'w') as outfile: for p in processes: json.dump(p.original_document, outfile) print(p.original_document) else: headers = set() headers.update(*(d.original_document.keys() for d in processes)) with open(args.f, 'w') as outfile: csvwriter = csv.DictWriter(outfile, fieldnames=headers) csvwriter.writeheader() for p in processes: csvwriter.writerow(p.original_document)
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p: print("Error: Missing Process GUID to query the process tree with") sys.exit(1) tree = cb.select(Process).where(process_guid=args.p)[0].tree() for idx, child in enumerate(tree.children): print("Child #{}".format(idx)) print("\tName: {}".format(child.process_name)) print("\tGUID: {}".format(child.process_guid)) print("\tNumber of children: {}".format(len(child.children)))
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-q", type=str, help="process query", default="process_name:notepad.exe") parser.add_argument("-n", type=int, help="only output N processes", default=None) args = parser.parse_args() cb = get_cb_threathunter_object(args) processes = cb.select(Process).where(args.q) if args.n: processes = processes[0:args.n] for process in processes: print("Process: {}".format(process.process_name)) print("\tPIDs: {}".format(process.process_pids)) print("\tSHA256: {}".format(process.process_sha256)) print("\tGUID: {}".format(process.process_guid))
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-s", type=bool, help="silent mode", default=False) parser.add_argument("-n", type=int, help="only output N events", default=None) parser.add_argument("-f", type=str, help="output file name", default=None) parser.add_argument("-of", type=str, help="output file format: csv or json", default="json") args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p: print("Error: Missing Process GUID to search for events with") sys.exit(1) events = cb.select(Event).where(process_guid=args.p) if args.n: events = events[0:args.n] if not args.s: for event in events: print("Event type: {}".format(event.event_type)) print("\tEvent GUID: {}".format(event.event_guid)) print("\tEvent Timestamp: {}".format(event.event_timestamp)) if args.f is not None: if args.of == "json": with open(args.f, 'w') as outfile: for event in events: json.dump(event.original_document, outfile) else: with open(args.f, 'w') as outfile: csvwriter = csv.writer(outfile) for event in events: csvwriter.writerows(event)
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-q",type=str,help="query string",default=None) parser.add_argument("-s",type=bool, help="silent mode",default=False) parser.add_argument("-n", type=int, help="only output N events", default=None) parser.add_argument("-f", type=str, help="output file name",default=None) parser.add_argument("-of", type=str,help="output file format: csv or json",default="json") args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p and not args.q: print("Error: Missing Process GUID to search for events with") sys.exit(1) if args.q: processes = cb.select(Process).where(args.q) else: processes = cb.select(Process).where(process_guid=args.p) if args.n: processes = [ p for p in processes[0:args.n]] if not args.s: for process in processes: print("Process: {}".format(process.process_name)) print("\tPIDs: {}".format(process.process_pids)) print("\tSHA256: {}".format(process.process_sha256)) print("\tGUID: {}".format(process.process_guid)) if args.f is not None: if args.of == "json": with open(args.f, 'w') as outfile: for p in processes: json.dump(p.original_document, outfile) else: with open(args.f, 'w') as outfile: csvwriter = csv.writer(outfile) for p in processes: csvwriter.writerow(p.original_document)
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-n", type=int, help="only output N events", default=None) args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p: print("Error: Missing Process GUID to search for events with") sys.exit(1) events = cb.select(Event).where(process_guid=args.p) if args.n: events = events[0:args.n] for event in events: print("Event type: {}".format(event.event_type)) print("\tEvent GUID: {}".format(event.event_guid)) print("\tEvent Timestamp: {}".format(event.event_timestamp))
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-q", type=str, help="process query", default="process_name:notepad.exe") parser.add_argument("-n", type=int, help="only output N processes", default=None) parser.add_argument("-b", action="store_true", help="show binary information", default=False) args = parser.parse_args() cb = get_cb_threathunter_object(args) processes = cb.select(Process).where(args.q) if args.n: processes = processes[0:args.n] for process in processes: print("Process: {}".format(process.process_name)) print("\tPIDs: {}".format(process.process_pids)) print("\tSHA256: {}".format(process.process_sha256)) print("\tGUID: {}".format(process.process_guid)) if args.b: try: binary = cb.select(Binary, process.process_sha256) print(binary) print(binary.summary) except ObjectNotFoundError: print("No binary found for process with hash: {}".format( process.process_sha256))
def main(): parser = build_cli_parser("Query processes") parser.add_argument("-p", type=str, help="process guid", default=None) parser.add_argument("-s",type=bool, help="silent mode",default=False) parser.add_argument("-n", type=int, help="only output N events", default=None) parser.add_argument("-f", type=str, help="output file name",default=None) parser.add_argument("-of", type=str,help="output file format: csv or json",default="json") args = parser.parse_args() cb = get_cb_threathunter_object(args) if not args.p: print("Error: Missing Process GUID to search for events with") sys.exit(1) events = cb.select(Event).where(process_guid=args.p) if args.n: events = events[0:args.n] if not args.s: for event in events: print("Event type: {}".format(event.event_type)) print("\tEvent GUID: {}".format(event.event_guid)) print("\tEvent Timestamp: {}".format(event.event_timestamp)) if args.f is not None: if args.of == "json": with open(args.f, 'w') as outfile: for event in events: json.dump(event.original_document, outfile) else: with open(args.f, 'w') as outfile: csvwriter = csv.writer(outfile) for event in events: csvwriter.writerows(event)
def main(): parser = build_cli_parser() commands = parser.add_subparsers(help="Feed commands", dest="command_name") list_command = commands.add_parser("list", help="List all configured watchlists") list_command.add_argument("-r", "--reports", action="store_true", help="List reports for each watchlist", default=False) subscribe_command = commands.add_parser("subscribe", help="Create a watchlist with a feed") subscribe_command.add_argument("-i", "--feed_id", type=str, help="The Feed ID", required=True) subscribe_command.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name", required=True) subscribe_command.add_argument("-d", "--description", type=str, help="Watchlist description", required=True) subscribe_command.add_argument("-t", "--tags", action="store_true", help="Enable tags", default=False) subscribe_command.add_argument("-a", "--alerts", action="store_true", help="Enable alerts", default=False) subscribe_command.add_argument("-T", "--timestamp", type=int, help="Creation timestamp", default=int(time.time())) subscribe_command.add_argument("-U", "--last_update", type=int, help="Last update timestamp", default=int(time.time())) create_command = commands.add_parser("create", help="Create a watchlist with a report") create_command.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name", required=True) create_command.add_argument("-d", "--description", type=str, help="Watchlist description", required=True) create_command.add_argument("-t", "--tags", action="store_true", help="Enable tags", default=False) create_command.add_argument("-a", "--alerts", action="store_true", help="Enable alerts", default=False) create_command.add_argument("-T", "--timestamp", type=int, help="Creation timestamp", default=int(time.time())) create_command.add_argument("-U", "--last_update", type=int, help="Last update timestamp", default=int(time.time())) # Report metadata arguments. create_command.add_argument("--rep_timestamp", type=int, help="Report timestamp", default=int(time.time())) create_command.add_argument("--rep_title", type=str, help="Report title", required=True) create_command.add_argument("--rep_desc", type=str, help="Report description", required=True) create_command.add_argument("--rep_severity", type=int, help="Report severity", default=1) create_command.add_argument("--rep_link", type=str, help="Report link") create_command.add_argument("--rep_tags", type=str, help="Report tags, comma separated") create_command.add_argument("--rep_visibility", type=str, help="Report visibility") delete_command = commands.add_parser("delete", help="Delete a watchlist") delete_command.add_argument("-R", "--reports", action="store_true", help="Delete all associated reports too", default=False) specifier = delete_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--watchlist_id", type=str, help="The watchlist ID") specifier.add_argument("-w", "--watchlist_name", type=str, help="The watchlist name") alter_report_command = commands.add_parser("alter-report", help="Change the properties of a watchlist's report") alter_report_command.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID", required=True) alter_report_command.add_argument("-r", "--report_id", type=str, help="Report ID", required=True) alter_report_command.add_argument("-s", "--severity", type=int, help="The report's severity", required=False) specifier = alter_report_command.add_mutually_exclusive_group(required=False) specifier.add_argument("-d", "--deactivate", action="store_true", help="Deactive alerts for this report") specifier.add_argument("-a", "--activate", action="store_true", help="Activate alerts for this report") alter_ioc_command = commands.add_parser("alter-ioc", help="Change the properties of a watchlist's IOC") alter_ioc_command.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID", required=True) alter_ioc_command.add_argument("-r", "--report_id", type=str, help="Report ID", required=True) alter_ioc_command.add_argument("-I", "--ioc_id", type=str, help="IOC ID", required=True) specifier = alter_ioc_command.add_mutually_exclusive_group(required=False) specifier.add_argument("-d", "--deactivate", action="store_true", help="Deactive alerts for this IOC") specifier.add_argument("-a", "--activate", action="store_true", help="Activate alerts for this IOC") export_command = commands.add_parser("export", help="Export a watchlist into an importable format") specifier = export_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID") specifier.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name") commands.add_parser("import", help="Import a previously exported watchlist") args = parser.parse_args() cb = get_cb_threathunter_object(args) if args.command_name == "list": return list_watchlists(cb, parser, args) elif args.command_name == "subscribe": return subscribe_watchlist(cb, parser, args) elif args.command_name == "create": return create_watchlist(cb, parser, args) elif args.command_name == "delete": return delete_watchlist(cb, parser, args) elif args.command_name == "alter-report": return alter_report(cb, parser, args) elif args.command_name == "alter-ioc": return alter_ioc(cb, parser, args) elif args.command_name == "export": return export_watchlist(cb, parser, args) elif args.command_name == "import": return import_watchlist(cb, parser, args)
def main(): parser = build_cli_parser( "Create a CbTH feed and report from a stream of IOCs") # Feed metadata arguments. parser.add_argument("--name", type=str, help="Feed name", required=True) parser.add_argument("--owner", type=str, help="Feed owner", required=True) parser.add_argument("--url", type=str, help="Feed provider url", required=True) parser.add_argument("--summary", type=str, help="Feed summary", required=True) parser.add_argument("--category", type=str, help="Feed category", required=True) parser.add_argument("--access", type=str, help="Feed access scope", default="private") # Report metadata arguments. parser.add_argument("--rep_timestamp", type=int, help="Report timestamp", default=int(time.time())) parser.add_argument("--rep_title", type=str, help="Report title", required=True) parser.add_argument("--rep_desc", type=str, help="Report description", required=True) parser.add_argument("--rep_severity", type=int, help="Report severity", default=1) parser.add_argument("--rep_link", type=str, help="Report link") parser.add_argument("--rep_tags", type=str, help="Report tags, comma separated") parser.add_argument("--rep_visibility", type=str, help="Report visibility") args = parser.parse_args() cb = get_cb_threathunter_object(args) feed_info = { "name": args.name, "owner": args.owner, "provider_url": args.url, "summary": args.summary, "category": args.category, "access": args.access, } rep_tags = [] if args.rep_tags: rep_tags = args.rep_tags.split(",") report = { "timestamp": args.rep_timestamp, "title": args.rep_title, "description": args.rep_desc, "severity": args.rep_severity, "link": args.rep_link, "tags": rep_tags, "iocs_v2": [], # NOTE(ww): The feed server will convert IOCs to v2s for us. } report_id, iocs = read_iocs(cb) report["id"] = report_id report["iocs"] = iocs feed = {"feedinfo": feed_info, "reports": [report]} feed = cb.create(Feed, feed) feed.save() print(feed)
def main(): parser = build_cli_parser() commands = parser.add_subparsers(help="Feed commands", dest="command_name") list_command = commands.add_parser("list", help="List all configured feeds") list_command.add_argument("-P", "--public", help="Include public feeds", action="store_true", default=False) list_command.add_argument("-r", "--reports", help="Include reports for each feed", action="store_true", default=False) list_command.add_argument("-i", "--iocs", help="Include IOCs for each feed's reports", action="store_true", default=False) list_iocs_command = commands.add_parser("list-iocs", help="List all IOCs for a feed") specifier = list_iocs_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") export_command = commands.add_parser("export", help="Export a feed into an importable format") specifier = export_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") import_command = commands.add_parser("import", help="Import a previously exported feed") import_command.add_argument("-f", "--feedname", type=str, help="Renames the imported feed") del_command = commands.add_parser("delete", help="Delete feed") specifier = del_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") export_report_command = commands.add_parser("export-report", help="Export a feed's report into an importable format") specifier = export_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") specifier = export_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-I", "--reportid", type=str, help="Report ID") specifier.add_argument("-r", "--reportname", type=str, help="Report Name") import_report_command = commands.add_parser("import-report", help="Import a previously exported report") specifier = import_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") delete_report_command = commands.add_parser("delete-report", help="Delete a report from a feed") specifier = delete_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") specifier = delete_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-I", "--reportid", type=str, help="Report ID") specifier.add_argument("-r", "--reportname", type=str, help="Report Name") replace_report_command = commands.add_parser("replace-report", help="Replace a feed's report") specifier = replace_report_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") args = parser.parse_args() cb = get_cb_threathunter_object(args) if args.command_name == "list": return list_feeds(cb, parser, args) elif args.command_name == "list-iocs": return list_iocs(cb, parser, args) elif args.command_name == "export": return export_feed(cb, parser, args) elif args.command_name == "import": return import_feed(cb, parser, args) elif args.command_name == "delete": return delete_feed(cb, parser, args) elif args.command_name == "export-report": return export_report(cb, parser, args) elif args.command_name == "import-report": return import_report(cb, parser, args) elif args.command_name == "delete-report": return delete_report(cb, parser, args) elif args.command_name == "replace-report": return replace_report(cb, parser, args)
def main(): parser = build_cli_parser("Search processes") parser.add_argument("-q", type=str, help="process query", default="process_name:notepad.exe") parser.add_argument("-f", help="show full objects", action="store_true", default=False) parser.add_argument("-n", type=int, help="only output N processes", default=None) parser.add_argument("-e", help="show events for query results", action="store_true", default=False) parser.add_argument("-c", help="show children for query results", action="store_true", default=False) parser.add_argument("-p", help="show parents for query results", action="store_true", default=False) parser.add_argument("-t", help="show tree for query results", action="store_true", default=False) args = parser.parse_args() cb = get_cb_threathunter_object(args) processes = cb.select(Process).where(args.q) print("Number of processes: {}".format(len(processes))) if args.n: processes = processes[0:args.n] for process in processes: if args.f: print(process) else: print("{}: {}".format(process.process_guid, process.process_sha256)) if args.e: print("=========== events ===========") for event in process.events(): if args.f: print(event) else: print("\t{}".format(event.event_type)) if args.c: print("========== children ==========") for child in process.children: if args.f: print(child) else: print("\t{}: {}".format(child.process_name, child.process_sha256)) if args.p: print("========== parents ==========") for parent in process.parents: if args.f: print(parent) else: print("\t{}: {}".format(parent.process_name, parent.process_sha256)) if args.t: print("=========== tree =============") tree = process.tree() print(tree) print(tree.nodes) print("===========================")
def main(): parser = build_cli_parser() commands = parser.add_subparsers(help="Feed commands", dest="command_name") list_command = commands.add_parser("list", help="List all configured watchlists") list_command.add_argument("-r", "--reports", action="store_true", help="List reports for each watchlist", default=False) subscribe_command = commands.add_parser( "subscribe", help="Create a watchlist with a feed") subscribe_command.add_argument("-i", "--feed_id", type=str, help="The Feed ID", required=True) subscribe_command.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name", required=True) subscribe_command.add_argument("-d", "--description", type=str, help="Watchlist description", required=True) subscribe_command.add_argument("-t", "--tags", action="store_true", help="Enable tags", default=False) subscribe_command.add_argument("-a", "--alerts", action="store_true", help="Enable alerts", default=False) subscribe_command.add_argument("-T", "--timestamp", type=int, help="Creation timestamp", default=int(time.time())) subscribe_command.add_argument("-U", "--last_update", type=int, help="Last update timestamp", default=int(time.time())) create_command = commands.add_parser( "create", help="Create a watchlist with a report") create_command.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name", required=True) create_command.add_argument("-d", "--description", type=str, help="Watchlist description", required=True) create_command.add_argument("-t", "--tags", action="store_true", help="Enable tags", default=False) create_command.add_argument("-a", "--alerts", action="store_true", help="Enable alerts", default=False) create_command.add_argument("-T", "--timestamp", type=int, help="Creation timestamp", default=int(time.time())) create_command.add_argument("-U", "--last_update", type=int, help="Last update timestamp", default=int(time.time())) # Report metadata arguments. create_command.add_argument("--rep_timestamp", type=int, help="Report timestamp", default=int(time.time())) create_command.add_argument("--rep_title", type=str, help="Report title", required=True) create_command.add_argument("--rep_desc", type=str, help="Report description", required=True) create_command.add_argument("--rep_severity", type=int, help="Report severity", default=1) create_command.add_argument("--rep_link", type=str, help="Report link") create_command.add_argument("--rep_tags", type=str, help="Report tags, comma separated") create_command.add_argument("--rep_visibility", type=str, help="Report visibility") delete_command = commands.add_parser("delete", help="Delete a watchlist") delete_command.add_argument("-R", "--reports", action="store_true", help="Delete all associated reports too", default=False) specifier = delete_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--watchlist_id", type=str, help="The watchlist ID") specifier.add_argument("-w", "--watchlist_name", type=str, help="The watchlist name") alter_report_command = commands.add_parser( "alter-report", help="Change the properties of a watchlist's report") alter_report_command.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID", required=True) alter_report_command.add_argument("-r", "--report_id", type=str, help="Report ID", required=True) alter_report_command.add_argument("-s", "--severity", type=int, help="The report's severity", required=False) specifier = alter_report_command.add_mutually_exclusive_group( required=False) specifier.add_argument("-d", "--deactivate", action="store_true", help="Deactive alerts for this report") specifier.add_argument("-a", "--activate", action="store_true", help="Activate alerts for this report") alter_ioc_command = commands.add_parser( "alter-ioc", help="Change the properties of a watchlist's IOC") alter_ioc_command.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID", required=True) alter_ioc_command.add_argument("-r", "--report_id", type=str, help="Report ID", required=True) alter_ioc_command.add_argument("-I", "--ioc_id", type=str, help="IOC ID", required=True) specifier = alter_ioc_command.add_mutually_exclusive_group(required=False) specifier.add_argument("-d", "--deactivate", action="store_true", help="Deactive alerts for this IOC") specifier.add_argument("-a", "--activate", action="store_true", help="Activate alerts for this IOC") export_command = commands.add_parser( "export", help="Export a watchlist into an importable format") specifier = export_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--watchlist_id", type=str, help="Watchlist ID") specifier.add_argument("-w", "--watchlist_name", type=str, help="Watchlist name") import_command = commands.add_parser( "import", help="Import a previously exported watchlist") specifier = import_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-f", "--watchlistfile", help="Filename containing the JSON watchlist") args = parser.parse_args() cb = get_cb_threathunter_object(args) if args.command_name == "list": return list_watchlists(cb, parser, args) elif args.command_name == "subscribe": return subscribe_watchlist(cb, parser, args) elif args.command_name == "create": return create_watchlist(cb, parser, args) elif args.command_name == "delete": return delete_watchlist(cb, parser, args) elif args.command_name == "alter-report": return alter_report(cb, parser, args) elif args.command_name == "alter-ioc": return alter_ioc(cb, parser, args) elif args.command_name == "export": return export_watchlist(cb, parser, args) elif args.command_name == "import": return import_watchlist(cb, parser, args)
def main(): parser = build_cli_parser() commands = parser.add_subparsers(help="Feed commands", dest="command_name") list_command = commands.add_parser("list", help="List all configured feeds") list_command.add_argument("-P", "--public", help="Include public feeds", action="store_true", default=False) list_command.add_argument("-r", "--reports", help="Include reports for each feed", action="store_true", default=False) list_command.add_argument("-i", "--iocs", help="Include IOCs for each feed's reports", action="store_true", default=False) list_iocs_command = commands.add_parser("list-iocs", help="List all IOCs for a feed") specifier = list_iocs_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") export_command = commands.add_parser( "export", help="Export a feed into an importable format") specifier = export_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") import_command = commands.add_parser( "import", help="Import a previously exported feed") import_command.add_argument("-f", "--feedname", type=str, help="Renames the imported feed") del_command = commands.add_parser("delete", help="Delete feed") specifier = del_command.add_mutually_exclusive_group(required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") export_report_command = commands.add_parser( "export-report", help="Export a feed's report into an importable format") specifier = export_report_command.add_mutually_exclusive_group( required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") specifier = export_report_command.add_mutually_exclusive_group( required=True) specifier.add_argument("-I", "--reportid", type=str, help="Report ID") specifier.add_argument("-r", "--reportname", type=str, help="Report Name") import_report_command = commands.add_parser( "import-report", help="Import a previously exported report") specifier = import_report_command.add_mutually_exclusive_group( required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") delete_report_command = commands.add_parser( "delete-report", help="Delete a report from a feed") specifier = delete_report_command.add_mutually_exclusive_group( required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") specifier = delete_report_command.add_mutually_exclusive_group( required=True) specifier.add_argument("-I", "--reportid", type=str, help="Report ID") specifier.add_argument("-r", "--reportname", type=str, help="Report Name") replace_report_command = commands.add_parser( "replace-report", help="Replace a feed's report") specifier = replace_report_command.add_mutually_exclusive_group( required=True) specifier.add_argument("-i", "--id", type=str, help="Feed ID") specifier.add_argument("-f", "--feedname", type=str, help="Feed Name") args = parser.parse_args() cb = get_cb_threathunter_object(args) if args.command_name == "list": return list_feeds(cb, parser, args) elif args.command_name == "list-iocs": return list_iocs(cb, parser, args) elif args.command_name == "export": return export_feed(cb, parser, args) elif args.command_name == "import": return import_feed(cb, parser, args) elif args.command_name == "delete": return delete_feed(cb, parser, args) elif args.command_name == "export-report": return export_report(cb, parser, args) elif args.command_name == "import-report": return import_report(cb, parser, args) elif args.command_name == "delete-report": return delete_report(cb, parser, args) elif args.command_name == "replace-report": return replace_report(cb, parser, args)