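def process_iocs(results):
    """Return data formatted for Splunk from Malshare.

    Args:
        results: Splunk search results (an iterable of dicts) whose values
            are the IOCs to look up, or ``None`` to read the IOCs from
            ``sys.argv[1:]`` instead.

    Returns:
        A list of dicts for Splunk: one ``{"invalid": ioc}`` row for every
        value that is not an IPv4 address, a domain, an MD5 or a SHA-256,
        plus whatever ``query_malshare`` returns for each remaining value.
    """
    if results is not None:
        provided_iocs = [value for row in results for value in row.values()]
    else:
        provided_iocs = sys.argv[1:]

    # Raw patterns: "\d" inside a plain string literal is an invalid escape
    # (a SyntaxWarning on recent Pythons). fullmatch replaces "^...$" with
    # re.match, which would also accept a trailing newline. [0-9] instead of
    # \d keeps non-ASCII digits out of what is sent to the API as a hash.
    md5_re = re.compile(r"[a-f0-9]{32}")
    sha256_re = re.compile(r"[a-f0-9]{64}")

    session = commons.create_session()
    api_key = commons.get_apikey("malshare")
    splunk_table = []

    try:
        for provided_ioc in set(provided_iocs):
            # Input is deobfuscated (e.g. defanged indicators) and lowercased
            # before validation so the hash patterns only need lowercase hex.
            provided_ioc = commons.deobfuscate_string(provided_ioc).lower()
            is_valid = (
                validators.ipv4(provided_ioc)
                or validators.domain(provided_ioc)
                or md5_re.fullmatch(provided_ioc)
                or sha256_re.fullmatch(provided_ioc)
            )
            if not is_valid:
                splunk_table.append({"invalid": provided_ioc})
                continue
            splunk_table.extend(query_malshare(provided_ioc, api_key, session))
    finally:
        # Release the session even when a lookup raises.
        session.close()
    return splunk_table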
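def get_feed():
    """Return the latest report summaries from the feed.

    Fetches the tag list with a fresh session, then attaches the "greynoise"
    API key (when one is configured) as the ``key`` query parameter before
    fetching the tags themselves.

    Returns:
        Whatever ``query_tags`` returns, or ``None`` when the tag list could
        not be retrieved.
    """
    session = commons.create_session()
    api_key = commons.get_apikey("greynoise")

    tags = query_list(session)
    if tags is None:
        # Nothing else uses the session on this path, so release it here.
        session.close()
        return None

    if api_key is not None:
        # Attach the key to every request made with this session.
        session.params = {"key": api_key}
    # NOTE(review): the session is intentionally left open here in case
    # query_tags returns something that still reads from it -- confirm, and
    # close it if the result is fully materialized.
    return query_tags(tags, session)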
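def create_session():
    """Return Twitter session.

    Builds a tweepy API object from the "twitter" credentials returned by
    ``commons.get_apikey`` and issues one ``rate_limit_status`` call to
    confirm the credentials are accepted.

    Returns:
        The authenticated ``tweepy.API`` instance, or a dict
        ``{"error": "..."}`` describing the failed probe request.
    """
    keys = commons.get_apikey("twitter")
    auth = tweepy.OAuthHandler(keys["consumer_key"], keys["consumer_secret"])
    auth.set_access_token(keys["access_token"], keys["access_token_secret"])
    session = tweepy.API(auth)

    try:
        session.rate_limit_status()
    except Exception as exc:  # was a bare except, which also caught KeyboardInterrupt
        # last_response is only populated once a response came back; a
        # connection-level failure leaves it unset, which previously turned
        # into an AttributeError inside the handler.
        response = getattr(session, "last_response", None)
        if response is None:
            return {"error": f"Request failed with no HTTP response: {exc}"}
        return {
            "error": f"HTTP Status Code {response.status_code}: {response.content}"
        }
    return session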
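def process_iocs(results):
    """Return data formatted for Splunk from Hybrid-Analysis.

    Args:
        results: Splunk search results (an iterable of dicts) whose values
            are the IOCs to look up, or ``None`` to take the endpoint,
            parameter and IOCs from the command line, either as
            ``terms <param> IOC...`` or ``hash hash IOC...``.

    Returns:
        A list of the dicts returned by ``query_hybridanalysis`` for every
        distinct IOC; empty when no IOCs could be determined.
    """
    # Search parameters accepted by the "terms" endpoint.
    term_params = frozenset({
        "authentihash", "av_detect", "context", "country", "domain", "env_id",
        "filename", "filetype_desc", "filetype", "hash", "host", "imp_hash",
        "port", "similar_to", "ssdeep", "tag", "url", "verdict", "vx_family",
    })

    endpoint = None
    param = None
    provided_iocs = []
    if results is not None:
        # NOTE(review): this path never sets endpoint/param, so the query
        # below receives None for both (the original raised UnboundLocalError
        # here) -- confirm what the results path is meant to query.
        provided_iocs = [value for row in results for value in row.values()]
    elif len(sys.argv) > 2:
        # Length is checked before indexing; the original read sys.argv[2]
        # first and only then tested len(sys.argv).
        endpoint_arg, param_arg = sys.argv[1], sys.argv[2]
        is_terms = endpoint_arg == "terms" and param_arg in term_params
        is_hash = endpoint_arg == "hash" and param_arg == "hash"
        if is_terms or is_hash:
            endpoint, param = endpoint_arg, param_arg
            provided_iocs = sys.argv[3:]

    session = commons.create_session()
    api_domain = commons.get_apidomain("hybrid-analysis")
    api_key = commons.get_apikey("hybrid-analysis")
    splunk_table = []

    try:
        for provided_ioc in set(provided_iocs):
            # NOTE(review): unlike the Malshare counterpart, no format
            # validation is applied to the IOC before it is sent upstream.
            provided_ioc = commons.deobfuscate_string(provided_ioc).lower()
            splunk_table.extend(
                query_hybridanalysis(
                    endpoint, param, provided_ioc, api_domain, api_key, session
                )
            )
    finally:
        # Release the session even when a lookup raises.
        session.close()
    return splunk_table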