def dotransform(request, response, config):
    """Look up ThreatCentral indicators matching a URL and emit them as Indicator entities.

    The URL is read from the entity's ``url`` field when present, otherwise
    from ``request.value``. Each hit's ``resource`` record supplies the
    entity title/resourceId and, when present, Severity, Confidence,
    Indicator Type and Description labels. ``ThreatCentralError`` and
    malformed records (``AttributeError``) are reported to Maltego as
    ``PartialError`` messages rather than raised; a ``TypeError`` ends the
    transform quietly with whatever was built so far.

    :param request: Maltego transform request; ``fields`` and ``value`` are read.
    :param response: Maltego transform response that entities/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    try:
        url = request.fields['url']
    except KeyError:
        url = request.value

    try:
        hits = search_indicator(url)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    # (key in the resource record, label caption, entity attribute to set)
    labelled_attrs = (
        ('severity', 'Severity', 'severity'),
        ('confidence', 'Confidence', 'confidence'),
        ('indicatorType', 'Indicator Type', 'indicatorType'),
    )

    try:
        for hit in hits:
            score = hit.get('tcScore')
            weight = int(score) if score else 1
            resource = hit.get('resource')
            title = encode_to_utf8(resource.get('title'))
            entity = Indicator(title, weight=weight)
            entity.title = title
            entity.resourceId = resource.get('resourceId')
            for key, caption, attr in labelled_attrs:
                if not resource.get(key):
                    continue
                display = resource[key].get('displayName')
                entity += Label(caption, display)
                setattr(entity, attr, display)
            description = resource.get('description')
            if description:
                # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
                # whether the label is rendered as HTML is not visible here --
                # confirm the entity layer escapes label values.
                lines = encode_to_utf8(description).split('\n')
                entity += Label('Description', '<br/>'.join(lines))
            response += entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a non-iterable (e.g. None) result set -- treated as "no hits".
        pass
    return response
def dotransform(request, response, config):
    """Free-text search ThreatCentral for the entity value and emit one entity per hit.

    The lower-cased ``type`` of each hit selects the Maltego entity class;
    unknown types fall back to ``Phrase`` and the type is logged via
    ``debug``. Actor hits may carry an empty ``title``, in which case the
    resource ``name`` is used as the entity value. ``tcScore`` becomes the
    entity weight (default 1). Errors are surfaced as ``PartialError``
    messages; a ``TypeError`` ends the transform quietly.

    :param request: Maltego transform request; ``request.value`` is the search term.
    :param response: Maltego transform response that entities/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    try:
        hits = search(request.value, size=10, pages=1)
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    # ThreatCentral result type -> Maltego entity class (actor is handled apart)
    entity_for_type = {
        'case': Case,
        'coursesofactions': CoursesOfAction,
        'indicator': Indicator,
        'incident': Incident,
        'ttp': TTP,
    }

    try:
        for hit in hits:
            kind = lower(hit.get('type'))
            score = hit.get('tcScore')
            weight = int(score) if score else 1
            title = encode_to_utf8(hit.get('title'))

            if kind == 'actor':
                actor_name = encode_to_utf8(hit.get('resource', dict()).get('name'))
                # Actor records may have an empty title; fall back to the resource name.
                entity = Actor(title if hit.get('title') else actor_name, weight=weight)
                entity.name = actor_name
                entity.actor = actor_name
            elif kind in entity_for_type:
                entity = entity_for_type[kind](title, weight=weight)
            else:
                # Unknown type: keep the hit visible as a plain phrase and log the type.
                entity = Phrase(title, weight=weight)
                debug(kind)

            entity.title = title
            entity.resourceId = hit.get('id')
            description = hit.get('description')
            if description:
                # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
                # confirm the entity layer escapes label values if rendered as HTML.
                entity += Label('Description',
                                '<br/>'.join(encode_to_utf8(description).split('\n')))
            response += entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a non-iterable (e.g. None) result set -- treated as "no hits".
        pass
    return response
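def dotransform(request, response, config):
    """Refresh an Indicator from ThreatCentral and emit its URI observables as URL entities.

    Requires the incoming entity to carry a ``ThreatCentral.resourceId``
    field; otherwise ``response`` is returned untouched. The refreshed
    ``Indicator`` (same value as the input, with title/resourceId/severity/
    confidence/indicatorType and matching labels) is added first, followed
    by one ``URL`` entity per observable whose ``type.value`` is ``URI``.
    ThreatCentral and record-shape errors are reported as ``PartialError``
    messages rather than raised; a ``TypeError`` ends the transform quietly.

    :param request: Maltego transform request; ``fields`` and ``value`` are read.
    :param response: Maltego transform response that entities/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response
    if not indicator:
        return response

    try:
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')
        # Mirror each classification both as an entity attribute and as a label.
        for caption, key in (('Severity', 'severity'),
                             ('Confidence', 'confidence'),
                             ('Indicator Type', 'indicatorType')):
            display = indicator.get(key, dict()).get('displayName')
            setattr(e, key, display)
            e += Label(caption, display)
        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
            # confirm the entity layer escapes label values if rendered as HTML.
            e += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))
        response += e

        # `observables` may be absent or None. (The original tested
        # `len(...) is not 0`, an identity comparison on an int that only
        # works because CPython caches small integers.)
        for observable in indicator.get('observables') or []:
            # `or ''` keeps a missing type from raising inside upper() and
            # aborting the remaining observables.
            otype = observable.get('type', dict()).get('value') or ''
            if upper(otype) != 'URI':
                continue
            value = observable.get('value')
            if not value:
                continue  # nothing to build a URL entity from
            # NOTE(review): the value is an attacker-controlled IOC straight from
            # the feed and is not validated here; it is only placed on the graph,
            # never dereferenced -- keep it that way.
            url_entity = URL(value)
            url_entity.url = value
            url_entity += Label('URI', value)
            response += url_entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a malformed record (a non-dict where one is expected);
        # the partial result built so far is returned quietly.
        pass
    return response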
def dotransform(request, response, config):
    """Refresh an Indicator entity from ThreatCentral using its stored resourceId.

    Does nothing unless the incoming entity carries a
    ``ThreatCentral.resourceId`` field. On success an ``Indicator`` with the
    same value as the input is returned, carrying the title and resourceId
    plus Severity, Confidence, Indicator Type and (when present) Description
    labels. Lookup and record-shape errors are reported as ``PartialError``
    messages; a ``TypeError`` ends the transform quietly.

    :param request: Maltego transform request; ``fields`` and ``value`` are read.
    :param response: Maltego transform response that the entity/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        record = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    # (label caption, key of the nested record whose displayName is shown)
    captions = (
        ('Severity', 'severity'),
        ('Confidence', 'confidence'),
        ('Indicator Type', 'indicatorType'),
    )
    try:
        entity = Indicator(request.value)
        entity.title = encode_to_utf8(record.get('title'))
        entity.resourceId = record.get('resourceId')
        for caption, key in captions:
            entity += Label(caption, record.get(key, dict()).get('displayName'))
        description = record.get('description')
        if description:
            # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
            # confirm the entity layer escapes label values if rendered as HTML.
            entity += Label('Description',
                            '<br/>'.join(encode_to_utf8(description).split('\n')))
        response += entity
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a malformed record; whatever was built so far is returned.
        pass
    return response
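def dotransform(request, response, config):
    """Refresh an Indicator from ThreatCentral and emit its IP observables as IPv4Address entities.

    Requires the incoming entity to carry a ``ThreatCentral.resourceId``
    field; otherwise ``response`` is returned untouched. The refreshed
    ``Indicator`` (same value as the input, with title/resourceId/severity/
    confidence/indicatorType and matching labels) is added first, then one
    ``IPv4Address`` per observable whose ``type.value`` is ``IP``, labelled
    with the address, the port (when present) and the location fields
    (unless the feed marks the city as ``UNDEFINED_GEO_LOCATION_STRING``).
    ThreatCentral and record-shape errors are reported as ``PartialError``
    messages rather than raised; a ``TypeError`` ends the transform quietly.

    :param request: Maltego transform request; ``fields`` and ``value`` are read.
    :param response: Maltego transform response that entities/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')
        # Mirror each classification both as an entity attribute and as a label.
        for caption, key in (('Severity', 'severity'),
                             ('Confidence', 'confidence'),
                             ('Indicator Type', 'indicatorType')):
            display = indicator.get(key, dict()).get('displayName')
            setattr(e, key, display)
            e += Label(caption, display)
        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
            # confirm the entity layer escapes label values if rendered as HTML.
            e += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))
        response += e

        # `observables` may be absent or None. (The original tested
        # `len(...) is not 0`, an identity comparison on an int that only
        # works because CPython caches small integers.)
        for observable in indicator.get('observables') or []:
            # `or ''` keeps a missing type from raising inside upper() and
            # aborting the remaining observables.
            otype = observable.get('type', dict()).get('value') or ''
            if upper(otype) != 'IP':
                continue
            address = observable.get('value')
            if not address:
                continue  # nothing to build an entity from
            # NOTE(review): the address is feed-supplied and not validated as an
            # IPv4 literal here; an IPv6 address or hostname would still be
            # emitted as IPv4Address.
            ip = IPv4Address(address)
            ip += Label('IP Address', address)
            if observable.get('port'):
                ip += Label('Port', observable.get('port'))
            location = observable.get('location') or dict()
            # UNDEFINED_GEO_LOCATION_STRING is presumably the feed's marker for a
            # failed geo lookup; `or ''` guards a missing city.
            if upper(location.get('city') or '') != 'UNDEFINED_GEO_LOCATION_STRING':
                # .items() rather than .iteritems() so this also runs on Python 3.
                ip += Label('Location', '<br/>'.join(
                    '{}:{}'.format(encode_to_utf8(k), encode_to_utf8(v))
                    for k, v in location.items()))
            response += ip
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a malformed record (a non-dict where one is expected);
        # the partial result built so far is returned quietly.
        pass
    return response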
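def dotransform(request, response, config):
    """Refresh an Indicator from ThreatCentral and emit its file-hash observables as FileHash entities.

    Requires the incoming entity to carry a ``ThreatCentral.resourceId``
    field; otherwise ``response`` is returned untouched. The refreshed
    ``Indicator`` (same value as the input, with title/resourceId/severity/
    confidence/indicatorType and matching labels) is added first, then one
    ``FileHash`` per entry of ``fileHashes`` on every observable whose
    ``type.value`` is ``FILE_HASH``. The observable's ``sighting`` count,
    when present, becomes the entity weight (default 1). ThreatCentral and
    record-shape errors are reported as ``PartialError`` messages rather
    than raised; a ``TypeError`` ends the transform quietly.

    :param request: Maltego transform request; ``fields`` and ``value`` are read.
    :param response: Maltego transform response that entities/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response

    try:
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')
        # Mirror each classification both as an entity attribute and as a label.
        for caption, key in (('Severity', 'severity'),
                             ('Confidence', 'confidence'),
                             ('Indicator Type', 'indicatorType')):
            display = indicator.get(key, dict()).get('displayName')
            setattr(e, key, display)
            e += Label(caption, display)
        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
            # confirm the entity layer escapes label values if rendered as HTML.
            e += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))
        response += e

        # `observables` may be absent or None. (The original tested
        # `len(...) is not 0`, an identity comparison on an int that only
        # works because CPython caches small integers.)
        for observable in indicator.get('observables') or []:
            # `or ''` keeps a missing type from raising inside upper() and
            # aborting the remaining observables.
            otype = observable.get('type', dict()).get('value') or ''
            if upper(otype) != 'FILE_HASH':
                continue
            sighting = observable.get('sighting')
            weight = int(sighting) if sighting else 1
            for filehash in observable.get('fileHashes') or []:
                digest = filehash.get('value')
                if not digest:
                    continue  # nothing to build an entity from
                fh = FileHash(digest, weight=weight)
                fh.value = digest
                # `type` is the hash algorithm name as the feed reports it.
                fh.htype = filehash.get('type')
                fh.resourceId = observable.get('resourceId')
                response += fh
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a malformed record (a non-dict where one is expected);
        # the partial result built so far is returned quietly.
        pass
    return response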
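def dotransform(request, response, config):
    """Refresh an Indicator from ThreatCentral and emit its registry-key observables as RegistryKey entities.

    Requires the incoming entity to carry a ``ThreatCentral.resourceId``
    field; otherwise ``response`` is returned untouched. The refreshed
    ``Indicator`` (same value as the input, with title/resourceId/severity/
    confidence/indicatorType and matching labels) is added first, then one
    ``RegistryKey`` per observable whose ``type.value`` is ``REGISTRY_KEY``,
    carrying the observable's value, hive, key and resourceId. The
    observable's ``sighting`` count, when present, becomes the entity
    weight (default 1). ThreatCentral and record-shape errors are reported
    as ``PartialError`` messages rather than raised; a ``TypeError`` ends
    the transform quietly.

    :param request: Maltego transform request; ``fields`` and ``value`` are read.
    :param response: Maltego transform response that entities/messages are added to.
    :param config: transform configuration (unused here).
    :return: ``response``.
    """
    if 'ThreatCentral.resourceId' not in request.fields:
        return response

    try:
        indicator = get_indicator(request.fields['ThreatCentral.resourceId'])
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
        return response
    if not indicator:
        return response

    try:
        e = Indicator(request.value)
        e.title = encode_to_utf8(indicator.get('title'))
        e.resourceId = indicator.get('resourceId')
        # Mirror each classification both as an entity attribute and as a label.
        for caption, key in (('Severity', 'severity'),
                             ('Confidence', 'confidence'),
                             ('Indicator Type', 'indicatorType')):
            display = indicator.get(key, dict()).get('displayName')
            setattr(e, key, display)
            e += Label(caption, display)
        if indicator.get('description'):
            # NOTE(review): feed-supplied text is joined with raw '<br/>' tags;
            # confirm the entity layer escapes label values if rendered as HTML.
            e += Label('Description', '<br/>'.join(
                encode_to_utf8(indicator.get('description')).split('\n')))
        response += e

        # `observables` may be absent or None. (The original tested
        # `len(...) is not 0`, an identity comparison on an int that only
        # works because CPython caches small integers.)
        for observable in indicator.get('observables') or []:
            # `or ''` keeps a missing type from raising inside upper() and
            # aborting the remaining observables.
            otype = observable.get('type', dict()).get('value') or ''
            if upper(otype) != 'REGISTRY_KEY':
                continue
            sighting = observable.get('sighting')
            weight = int(sighting) if sighting else 1
            value = observable.get('value')
            rk = RegistryKey(value, weight=weight)
            rk.value = value
            rk.hive = observable.get('hive')
            rk.key = observable.get('key')
            rk.resourceId = observable.get('resourceId')
            # TODO(review): the feed's name / action / registryKeyValues / type
            # fields are not mapped onto the entity; confirm the RegistryKey
            # entity's attribute names before wiring them up.
            response += rk
    except AttributeError as err:
        response += UIMessage('Error: {}'.format(err), type='PartialError')
    except ThreatCentralError as err:
        response += UIMessage(err.value, type='PartialError')
    except TypeError:
        # Presumably a malformed record (a non-dict where one is expected);
        # the partial result built so far is returned quietly.
        pass
    return response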
def dotransform(request, response, config): if 'ThreatCentral.resourceId' in request.fields: try: case = get_case(request.fields['ThreatCentral.resourceId']) except ThreatCentralError as err: response += UIMessage(err.value, type='PartialError') else: try: # Show linked Indicators if len(case.get('indicators', list())) is not 0: for indicator in case.get('indicators'): if indicator.get('tcScore'): weight = int(indicator.get('tcScore')) else: weight = 1 e = Indicator(encode_to_utf8(indicator.get('title')), weight=weight) e.title = encode_to_utf8(indicator.get('title')) e.resourceId = indicator.get('resourceId') e += Label( 'Severity', indicator.get('severity', dict()).get('displayName')) e += Label( 'Confidence', indicator.get('confidence', dict()).get('displayName')) e += Label( 'Indicator Type', indicator.get('indicatorType', dict()).get('displayName'))