def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) # Extra config self.cve_import_history = get_config_variable( "CVE_IMPORT_HISTORY", ["cve", "import_history"], config, False ) self.cve_nvd_data_feed = get_config_variable( "CVE_NVD_DATA_FEED", ["cve", "nvd_data_feed"], config ) self.cve_history_data_feed = get_config_variable( "CVE_HISTORY_DATA_FEED", ["cve", "history_data_feed"], config ) self.cve_interval = get_config_variable( "CVE_INTERVAL", ["cve", "interval"], config, True ) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, )
def __init__(self): # get config variable config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path, Loader=yaml.FullLoader)) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.update_existing_data = get_config_variable( "UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config) self.interval_scan = get_config_variable( "INTERVAL_SCAN", ["internal_import", "interval_scan"], config) self._data_path = os.path.dirname(os.path.abspath(__file__)) + "/data" self.identity = self.helper.api.identity.create( name="Internal Collector", type="Organization", description="Importing internal data from CSV file", ) self.markingDefinitions = self.helper.api.marking_definition.create( definition_type="tlp", definition="TLP:WHITE") self.tag = self.helper.api.tag.create(tag_type="Internal-Import", value="internal-importer", color="#2e99db") self.tagFE = self.helper.api.tag.create(tag_type="Internal-Import", value="FireEye", color="#fb4d28") self.filename = ""
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) # Extra config self.urlhaus_csv_url = get_config_variable("URLHAUS_CSV_URL", ["urlhaus", "csv_url"], config) self.urlhaus_import_offline = get_config_variable( "URLHAUS_IMPORT_OFFLINE", ["urlhaus", "import_offline"], config, False, True) self.urlhaus_interval = get_config_variable("URLHAUS_INTERVAL", ["urlhaus", "interval"], config, True) self.create_indicators = get_config_variable( "URLHAUS_CREATE_INDICATORS", ["urlhaus", "create_indicators"], config, False, True, ) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, ) self.identity = self.helper.api.identity.create( type="Organization", name="Abuse.ch", description= "abuse.ch is operated by a random swiss guy fighting malware for non-profit, running a couple of projects helping internet service providers and network operators protecting their infrastructure from malware.", )
def __init__(self): # Get configuration config_file_path = os.path.dirname(os.path.abspath(__file__)) + '/config.yml' self.config = dict() if os.path.isfile(config_file_path): config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) self.config_rabbitmq = config['rabbitmq'] self.config['name'] = config['cve']['name'] self.config['confidence_level'] = config['cve']['confidence_level'] self.config['nvd_data_feed'] = config['cve']['nvd_data_feed'] self.config['entities'] = config['cve']['entities'].split(',') self.config['interval'] = config['cve']['interval'] self.config['log_level'] = config['cve']['log_level'] else: self.config_rabbitmq = dict() self.config_rabbitmq['hostname'] = os.getenv('RABBITMQ_HOSTNAME', 'localhost') self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672) self.config_rabbitmq['username'] = os.getenv('RABBITMQ_USERNAME', 'guest') self.config_rabbitmq['password'] = os.getenv('RABBITMQ_PASSWORD', 'guest') self.config['name'] = os.getenv('CVE_NAME', 'Common Vulnerabilities and Exposures') self.config['confidence_level'] = int(os.getenv('CVE_CONFIDENCE_LEVEL', 3)) self.config['nvd_data_feed'] = os.getenv('CVE_DATA_FEED', 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-recent.json.gz') self.config['entities'] = os.getenv('CVE_ENTITIES', 'vulnerability').split(',') self.config['interval'] = os.getenv('CVE_INTERVAL', 5) self.config['log_level'] = os.getenv('CVE_LOG_LEVEL', 'info') # Initialize OpenCTI Connector connector_identifier = ''.join(e for e in self.config['name'] if e.isalnum()) self.opencti_connector_helper = OpenCTIConnectorHelper( connector_identifier.lower(), self.config, self.config_rabbitmq, self.config['log_level'] )
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) self.create_indicator = get_config_variable( "PDF_OBSERVABLES_CREATE_INDICATOR", ["pdf_observables", "create_indicator"], config, ) self.types = { "MD5": "File.hashes.MD5", "SHA1": "File.hashes.SHA-1", "SHA256": "File.hashes.SHA-256", "Filename": "File.name", "IP": "IPv4-Addr.value", "DomainName": "Domain-Name.value", # Directory is not yet fully functional # "Directory": "Directory.path", "URL": "Url.value", "Email": "Email-Addr.value", "CVE": "Vulnerability.name", "Registry": "Windows-Registry-Key.key", }
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) # Extra config self.amitt_file_url = get_config_variable("AMITT_FILE_URL", ["amitt", "amitt_file_url"], config) self.pre_amitt_file_url = get_config_variable( "PRE_AMITT_FILE_URL", ["amitt", "pre_amitt_file_url"], config) self.amitt_interval = get_config_variable("AMITT_INTERVAL", ["amitt", "interval"], config, True) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, ) # Create the corresponding identity self.helper.api.identity.create( stix_id="identity--c9c1a598-7d0e-42fa-b8ec-e42c3de95ae4", type="Organization", name="CogSec", description= "A nonprofit that helps specialists form teams to combat disinformation.", ) self.helper.api.marking_definition.create( stix_id="marking-definition--8c9e2257-1c62-4ff0-9de0-1deed93cf282", definition_type="statement", definition="Copyright 2021, CogSec.", )
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( <<<<<<< HEAD yaml.load(open(config_file_path)) if os.path.isfile(config_file_path) else {} ) self.interval = 1 #1 Day interval between each scraping self.helper = OpenCTIConnectorHelper(config) # Extra config self.confidence_level = get_config_variable( "CONNECTOR_CONFIDENCE_LEVEL", ["connector", "confidence_level"], config, ======= yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.interval = 1 # 1 Day interval between each scraping self.helper = OpenCTIConnectorHelper(config) # Extra config self.confidence_level = get_config_variable( "CONNECTOR_CONFIDENCE_LEVEL", ["connector", "confidence_level"], config, >>>>>>> 67675da1148528e484339cc30b2795d4cc0f5ce3 ) self.data = {}
class ImportFileStix: def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) def _process_message(self, data): old_token = self.helper.api.get_token() token = None if "token" in data: token = data["token"] file_path = data["file_path"] update = data["update"] file_uri = self.helper.opencti_url + file_path self.helper.log_info("Importing the file " + file_uri) file_content = self.helper.api.fetch_opencti_file(file_uri) if token: self.helper.api.set_token(token) bundles_sent = self.helper.send_stix2_bundle(file_content, None, update) self.helper.api.set_token(old_token) return [ "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import" ] # Start the main loop def start(self): self.helper.listen(self._process_message)
def __init__(self): config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.logger_config = self.helper.api.get_logs_worker_config() if (self.logger_config["elasticsearch_username"] is not None and self.logger_config["elasticsearch_password"] is not None): self.elasticsearch = Elasticsearch( [self.logger_config["elasticsearch_url"]], verify_certs=self. logger_config["elasticsearch_ssl_reject_unauthorized"], http_auth=( self.logger_config["elasticsearch_username"], self.logger_config["elasticsearch_password"], ), ) elif self.logger_config["elasticsearch_api_key"] is not None: self.elasticsearch = Elasticsearch( [self.logger_config["elasticsearch_url"]], verify_certs=self. logger_config["elasticsearch_ssl_reject_unauthorized"], api_key=self.logger_config["elasticsearch_api_key"], ) else: self.elasticsearch = Elasticsearch( [self.logger_config["elasticsearch_url"]], verify_certs=self. logger_config["elasticsearch_ssl_reject_unauthorized"], ) self.elasticsearch_index = self.logger_config["elasticsearch_index"]
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' config = yaml.load(open(config_file_path), Loader=yaml.FullLoader ) if os.path.isfile(config_file_path) else {} self.helper = OpenCTIConnectorHelper(config) # Extra config self.misp_url = os.getenv('MISP_URL') or config['misp']['url'] self.misp_key = os.getenv('MISP_KEY') or config['misp']['key'] self.misp_tag = os.getenv('MISP_TAG') or config['misp'][ 'tag'] if 'tag' in config['misp'] else None self.misp_untag_event = os.getenv('MISP_UNTAG_EVENT') or config['misp']['untag_event'] \ if 'untag_event' in config['misp'] else None self.misp_imported_tag = os.getenv( 'MISP_IMPORTED_TAG') or config['misp']['imported_tag'] self.misp_filter_on_imported_tag = os.getenv( 'MISP_FILTER_ON_IMPORTED_TAG' ) or config['misp']['filter_on_imported_tag'] self.misp_interval = os.getenv( 'MISP_INTERVAL') or config['misp']['interval'] # Initialize MISP self.misp = ExpandedPyMISP(url=self.misp_url, key=self.misp_key, ssl=False, debug=False)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.SafeLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) self.confidence_level = get_config_variable( "CONNECTOR_CONFIDENCE_LEVEL", ["connector", "confidence_level"], config ) self.api_key = get_config_variable( "MALBEACON_API_KEY", ["malbeacon", "api_key"], config ) self.author = self.helper.api.identity.create( name="Malbeacon", type="Organization", description="""The first system of its kind, MalBeacon implants \ beacons via malware bot check-in traffic. Adversaries conducting \ campaigns in the wild who are logging in to these malware C2 \ panels can now be tracked. MalBeacon is a tool for the good guys \ that provides additional intelligence on attack attribution.""", update=True, )
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) # Extra config self.cyber_threat_coalition_interval = get_config_variable( "CYBER_THREAT_COALITION_INTERVAL", ["cyber-threat-coalition", "interval_sec"], config, True, ) self.cyber_threat_coalition_base_url = get_config_variable( "CYBER_THREAT_COALITION_BASE_URL", ["cyber-threat-coalition", "base_url"], config, False, ) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, )
def __init__(self) -> None: # Instantiate the connector helper from config base_path = os.path.dirname(os.path.abspath(__file__)) config_file_path = base_path + "/../config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.create_indicator = get_config_variable( "IMPORT_REPORT_CREATE_INDICATOR", ["import_report", "create_indicator"], config, ) # Load Entity and Observable configs observable_config_file = base_path + "/config/observable_config.ini" entity_config_file = base_path + "/config/entity_config.ini" if os.path.isfile(observable_config_file) and os.path.isfile( entity_config_file): self.observable_config = self._parse_config( observable_config_file, Observable) else: raise FileNotFoundError(f"{observable_config_file} was not found") if os.path.isfile(entity_config_file): self.entity_config = self._parse_config(entity_config_file, EntityConfig) else: raise FileNotFoundError(f"{entity_config_file} was not found")
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/../config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) # Extra config self.confidence_level = get_config_variable( "CONNECTOR_CONFIDENCE_LEVEL", ["connector", "confidence_level"], config, isNumber=True, ) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, ) self.AUTH_KEY = get_config_variable("MALPEDIA_AUTH_KEY", ["malpedia", "auth_key"], config) self.INTERVAL_SEC = get_config_variable("MALPEDIA_INTERVAL_SEC", ["malpedia", "interval_sec"], config) self.import_intrusion_sets = get_config_variable( "MALPEDIA_IMPORT_INTRUSION_SETS", ["malpedia", "import_intrusion_sets"], config, ) self.import_yara = get_config_variable("MALPEDIA_IMPORT_YARA", ["malpedia", "import_yara"], config) self.helper = OpenCTIConnectorHelper(config) self.helper.log_info(f"loaded malpedia config: {config}") # Create Malpedia client and importers self.client = MalpediaClient(self.AUTH_KEY) # If we run without API key we can assume all data is TLP:WHITE else we # default to TLP:AMBER to be safe. if self.client.unauthenticated: self.default_marking = self.helper.api.marking_definition.read( id=TLP_WHITE["id"]) else: self.default_marking = self.helper.api.marking_definition.read( id=TLP_AMBER["id"]) self.knowledge_importer = KnowledgeImporter( self.helper, self.client, self.confidence_level, self.update_existing_data, self.import_intrusion_sets, self.import_yara, self.default_marking, ) self.malpedia_interval = get_config_variable("MALPEDIA_INTERVAL_SEC", ["amitt", "interval"], config, True)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) # Extra config self.vxvault_url = get_config_variable("VXVAULT_URL", ["vxvault", "url"], config) self.vxvault_interval = get_config_variable("VXVAULT_INTERVAL", ["vxvault", "interval"], config, True) self.create_indicators = get_config_variable( "VXVAULT_CREATE_INDICATORS", ["vxvault", "create_indicators"], config, True) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, ) self.identity = self.helper.api.identity.create( type="Organization", name="VX Vault", description= "VX Vault is providing URLs of potential malicious payload.", )
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) self.api_key = get_config_variable( "HYBRID_ANALYSIS_TOKEN", ["hybrid_analysis", "api_key"], config ) self.environment_id = get_config_variable( "HYBRID_ANALYSIS_ENVIRONMENT_ID", ["hybrid_analysis", "environment_id"], config, True, 110, ) self.max_tlp = get_config_variable( "HYBRID_ANALYSIS_MAX_TLP", ["hybrid_analysis", "max_tlp"], config ) self.api_url = "https://www.hybrid-analysis.com/api/v2" self.headers = { "api-key": self.api_key, "user-agent": "OpenCTI Hybrid Analysis Connector - Version 5.1.4", "accept": "application/json", } self.identity = self.helper.api.identity.create( type="Organization", name="Hybrid Analysis", description="Hybrid Analysis Sandbox.", )["standard_id"] self._CONNECTOR_RUN_INTERVAL_SEC = 60 * 60
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml" config = ( yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} ) self.helper = OpenCTIConnectorHelper(config) self._cache = {} # Extra config self.base_url = self.get_config("base_url", config, "https://api.sekoia.io") self.start_date: str = self.get_config("start_date", config, None) self.collection = self.get_config( "collection", config, "d6092c37-d8d7-45c3-8aff-c4dc26030608" ) self.helper.log_info("Setting up api key") self.api_key = self.get_config("api_key", config) if not self.api_key: self.helper.log_error("API key is Missing") raise ValueError("API key is Missing") self._load_data_sets() self.helper.log_info("All datasets has been loaded")
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) # Extra config self.mitre_enterprise_file_url = get_config_variable( "MITRE_ENTERPRISE_FILE_URL", ["mitre", "enterprise_file_url"], config) self.mitre_pre_attack_file_url = get_config_variable( "MITRE_PRE_ATTACK_FILE_URL", ["mitre", "pre_attack_file_url"], config) self.mitre_mobile_attack_file_url = get_config_variable( "MITRE_MOBILE_ATTACK_FILE_URL", ["mitre", "mobile_attack_file_url"], config) self.mitre_interval = get_config_variable("MITRE_INTERVAL", ["mitre", "interval"], config, True) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, )
def __init__(self): config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.greynoise_key = get_config_variable("GREYNOISE_KEY", ["greynoise", "key"], config) self.max_tlp = get_config_variable("GREYNOISE_MAX_TLP", ["greynoise", "max_tlp"], config) self.spoofable_confidence_level = get_config_variable( "GREYNOISE_SPOOFABLE_CONFIDENCE_LEVEL", ["greynoise", "spoofable_confidence_level"], config, ) self.sighting_not_seen = get_config_variable( "GREYNOISE_SIGHTING_NOT_SEEN", ["greynoise", "sighting_not_seen"], config) self.greynoise_ent_name = get_config_variable("GREYNOISE_NAME", ["greynoise", "name"], config) self.greynoise_ent_desc = get_config_variable( "GREYNOISE_DESCRIPTION", ["greynoise", "description"], config) self.api_url = "https://api.greynoise.io/v2/noise/" self.headers = { "key": self.greynoise_key, "Accept": "application/json" } self._CONNECTOR_RUN_INTERVAL_SEC = 60 * 60 self.greynoise_id = None
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.identity = self.helper.api.identity.create( type="Organization", name="MalwareBazaar", description="For more info, see https://bazaar.abuse.ch/about/", ) self.api_url = get_config_variable( "MALWAREBAZAAR_RECENT_ADDITIONS_API_URL", ["malwarebazaar_recent_additions", "api_url"], config, ) self.cooldown_seconds = get_config_variable( "MALWAREBAZAAR_RECENT_ADDITIONS_COOLDOWN_SECONDS", ["malwarebazaar_recent_additions", "cooldown_seconds"], config, ) self.labels_color = get_config_variable( "MALWAREBAZAAR_RECENT_ADDITIONS_LABELS_COLOR", ["malwarebazaar_recent_additions", "labels_color"], config, ) self.include_tags = get_config_variable( "MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_TAGS", ["malwarebazaar_recent_additions", "include_tags"], config, ) if self.include_tags: self.include_tags = self.include_tags.split(",") self.include_reporters = get_config_variable( "MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_REPORTERS", ["malwarebazaar_recent_additions", "include_reporters"], config, ) if self.include_reporters: self.include_reporters = self.include_reporters.split(",") labels = get_config_variable( "MALWAREBAZAAR_RECENT_ADDITIONS_LABELS", ["malwarebazaar_recent_additions", "labels"], config, ).split(",") # Create default labels self.label_ids = [] for label in labels: created_label = self.helper.api.label.create( value=label, color=self.labels_color) self.label_ids.append(created_label["id"])
class Mitre: def __init__(self): # Get configuration config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' self.config = dict() if os.path.isfile(config_file_path): config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) self.config_rabbitmq = config['rabbitmq'] self.config['name'] = config['mitre']['name'] self.config['confidence_level'] = config['mitre'][ 'confidence_level'] self.config['enterprise_file_url'] = config['mitre'][ 'enterprise_file_url'] self.config['entities'] = config['mitre']['entities'].split(',') self.config['interval'] = config['mitre']['interval'] self.config['log_level'] = config['mitre']['log_level'] else: self.config_rabbitmq = dict() self.config_rabbitmq['hostname'] = os.getenv( 'RABBITMQ_HOSTNAME', 'localhost') self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672) self.config_rabbitmq['username'] = os.getenv( 'RABBITMQ_USERNAME', 'guest') self.config_rabbitmq['password'] = os.getenv( 'RABBITMQ_PASSWORD', 'guest') self.config['name'] = os.getenv('MITRE_NAME', 'MITRE ATT&CK') self.config['confidence_level'] = int( os.getenv('MITRE_CONFIDENCE_LEVEL', 3)) self.config['enterprise_file_url'] = os.getenv( 'MITRE_ENTERPRISE_FILE_URL', 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json' ) self.config['entities'] = os.getenv( 'MITRE_ENTITIES', 'attack-pattern,course-of-action,intrusion-set,malware,tool' ).split(',') self.config['interval'] = os.getenv('MITRE_INTERVAL', 5) self.config['log_level'] = os.getenv('MITRE_LOG_LEVEL', 'info') # Initialize OpenCTI Connector connector_identifier = ''.join(e for e in self.config['name'] if e.isalnum()) self.opencti_connector_helper = OpenCTIConnectorHelper( connector_identifier.lower(), self.config, self.config_rabbitmq, self.config['log_level']) def get_log_level(self): return self.config['log_level'] def get_interval(self): return int(self.config['interval']) * 60 * 60 * 24 def run(self): enterprise_data = urllib.request.urlopen( self.config['enterprise_file_url']).read() self.opencti_connector_helper.send_stix2_bundle( enterprise_data.decode('utf-8'), self.config['entities'])
def __init__(self): # Get configuration config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' self.config = dict() if os.path.isfile(config_file_path): config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) self.config_rabbitmq = config['rabbitmq'] self.config['name'] = config['misp']['name'] self.config['confidence_level'] = config['misp'][ 'confidence_level'] self.config['url'] = config['misp']['url'] self.config['key'] = config['misp']['key'] self.config['tag'] = config['misp']['tag'] if 'tag' in config[ 'misp'] else None self.config['untag_event'] = config['misp'][ 'untag_event'] if 'untag_event' in config['misp'] else None self.config['imported_tag'] = config['misp']['imported_tag'] self.config['filter_on_imported_tag'] = config['misp'][ 'filter_on_imported_tag'] self.config['interval'] = config['misp']['interval'] self.config['log_level'] = config['misp']['log_level'] else: self.config_rabbitmq = dict() self.config_rabbitmq['hostname'] = os.getenv( 'RABBITMQ_HOSTNAME', 'localhost') self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672) self.config_rabbitmq['username'] = os.getenv( 'RABBITMQ_USERNAME', 'guest') self.config_rabbitmq['password'] = os.getenv( 'RABBITMQ_PASSWORD', 'guest') self.config['name'] = os.getenv('MISP_NAME', 'MISP') self.config['confidence_level'] = int( os.getenv('MISP_CONFIDENCE_LEVEL', 3)) self.config['url'] = os.getenv('MISP_URL', 'http://localhost') self.config['key'] = os.getenv('MISP_KEY', 'ChangeMe') self.config['tag'] = os.getenv('MISP_TAG', None) self.config['untag_event'] = os.getenv('MISP_UNTAG_EVENT', None) == "true" self.config['imported_tag'] = os.getenv('MISP_IMPORTED_TAG', 'OpenCTI: Imported') self.config['filter_on_imported_tag'] = os.getenv( 'MISP_FILTER_ON_IMPORTED_TAG', "true") == "true" self.config['interval'] = os.getenv('MISP_INTERVAL', 5) self.config['log_level'] = os.getenv('MISP_LOG_LEVEL', 'info') # Initialize OpenCTI Connector connector_identifier = ''.join(e for e in self.config['name'] if e.isalnum()) self.opencti_connector_helper = OpenCTIConnectorHelper( connector_identifier.lower(), self.config, self.config_rabbitmq, self.config['log_level']) # Initialize MISP self.misp = ExpandedPyMISP(url=self.config['url'], key=self.config['key'], ssl=False, debug=False)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.identity = self.helper.api.identity.create( type="Organization", name="UnpacMe", description="UnpacMe", )["standard_id"] self.octi_api_url = get_config_variable("OPENCTI_URL", ["opencti", "url"], config) # Get URL and private from config, use to instantiate the client user_agent = get_config_variable( "UNPAC_ME_USER_AGENT", ["unpac_me", "user_agent"], config, ) api_key = get_config_variable( "UNPAC_ME_API_KEY", ["unpac_me", "api_key"], config, ) self.private = get_config_variable( "UNPAC_ME_PRIVATE", ["unpac_me", "private"], config, ) self.unpacme_client = UnpacMeApi(api_key=api_key, user_agent=user_agent) # Other config settings self.family_color = get_config_variable( "UNPAC_ME_FAMILY_COLOR", ["unpac_me", "family_color"], config, ) self.default_tag_color = get_config_variable( "UNPAC_ME_FAMILY_COLOR", ["unpac_me", "tag_color"], config, ) self.less_noise = get_config_variable( "UNPAC_ME_LESS_NOISE", ["unpac_me", "less_noise"], config, ) self.max_tlp = get_config_variable( "UNPAC_ME_MAX_TLP", ["unpac_me", "max_tlp"], config, )
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' config = yaml.load(open(config_file_path), Loader=yaml.FullLoader ) if os.path.isfile(config_file_path) else {} self.helper = OpenCTIConnectorHelper(config) self.token = get_config_variable('IPINFO_TOKEN', ['ipinfo', 'token'], config)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.identity = self.helper.api.identity.create( type="Organization", name="CAPEv2 Sandbox", description="CAPEv2 Sandbox.", )["standard_id"] self.octi_api_url = get_config_variable("OPENCTI_URL", ["opencti", "url"], config) self.cape_url = get_config_variable("CAPE_SANDBOX_URL", ["cape_sandbox", "url"], config) self.cape_api_url = f"{self.cape_url}/apiv2" self.token = get_config_variable("CAPE_SANDBOX_TOKEN", ["cape_sandbox", "token"], config) self.max_tlp = get_config_variable("CAPE_SANDBOX_MAX_TLP", ["cape_sandbox", "max_tlp"], config) self.less_noise = get_config_variable("CAPE_SANDBOX_LESS_NOISE", ["cape_sandbox", "less_noise"], config) self._cooldown_time = get_config_variable( "CAPE_SANDBOX_COOLDOWN_TIME", ["cape_sandbox", "cooldown_time"], config) self._max_retries = get_config_variable( "CAPE_SANDBOX_MAX_RETRIES", ["cape_sandbox", "max_retries"], config) self.headers = {"Authorization": f"Token {self.token}"} # Analysis options self.route = get_config_variable("CAPE_SANDBOX_ROUTE", ["cape_sandbox", "route"], config) self.try_extract = get_config_variable("CAPE_SANDBOX_TRY_EXTRACT", ["cape_sandbox", "try_extract"], config) self.options = get_config_variable("CAPE_SANDBOX_OPTIONS", ["cape_sandbox", "options"], config) self.timeout = get_config_variable("CAPE_SANDBOX_TIMEOUT", ["cape_sandbox", "timeout"], config) self.enforce_timeout = get_config_variable( "CAPE_SANDBOX_ENFORCE_TIMEOUT", ["cape_sandbox", "enforce_timeout"], config) self.priority = get_config_variable("CAPE_SANDBOX_PRIORITY", ["cape_sandbox", "priority"], config)
def __init__(self): config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) # Extra config self.tanium_url = get_config_variable("TANIUM_URL", ["tanium", "url"], config) self.tanium_login = get_config_variable("TANIUM_LOGIN", ["tanium", "login"], config) self.tanium_password = get_config_variable("TANIUM_PASSWORD", ["tanium", "password"], config) self.tanium_indicator_types = get_config_variable( "TANIUM_INDICATOR_TYPES", ["tanium", "indicator_types"], config).split(",") self.tanium_observable_types = get_config_variable( "TANIUM_OBSERVABLE_TYPES", ["tanium", "observable_types"], config).split(",") self.tanium_import_label = get_config_variable( "TANIUM_IMPORT_LABEL", ["tanium", "import_label"], config, ) self.tanium_auto_quickscan = get_config_variable( "TANIUM_AUTO_QUICKSCAN", ["tanium", "auto_quickscan"], config, False, False) self.tanium_computer_groups = get_config_variable( "TANIUM_COMPUTER_GROUPS", ["tanium", "computer_groups"], config, False, "").split(",") # Variables self.session = None # Open a session self._get_session() # Create the source if not exist self.source_id = None sources = self._query("get", "/plugin/products/detect3/api/v1/sources") for source in sources: if source["name"] == "OpenCTI": self.source_id = source["id"] if self.source_id is None: source = self._query( "post", "/plugin/products/detect3/api/v1/sources", { "type": "api-client", "name": "OpenCTI", "description": "Cyber Threat Intelligence knowledge imported from OpenCTI.", "canAutoQuickScan": True, }, ) self.source_id = source["id"]
def __init__(self): """Read in config variables""" config_file_path = os.path.dirname(os.path.abspath(__file__)) config_file_path += "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.cape_api_url = get_config_variable("CAPE_API_URL", ["cape", "api_url"], config) self.cape_url = get_config_variable("CAPE_BASE_URL", ["cape", "base_url"], config) self.EnableNetTraffic = get_config_variable( "CAPE_ENABLE_NETWORK_TRAFFIC", ["cape", "enable_network_traffic"], config, default=False, ) self.EnableRegKeys = get_config_variable( "CAPE_ENABLE_REGISTRY_KEYS", ["cape", "enable_registry_keys"], config, default=False, ) self.verify_ssl = get_config_variable("VERIFY_SSL", ["cape", "verify_ssl"], config, default=True) self.interval = get_config_variable("CAPE_INTERVAL", ["cape", "interval"], config, True, 30) self.start_id = get_config_variable("CAPE_START_TASK_ID", ["cape", "start_task_id"], config, True, 0) self.report_score = get_config_variable("CAPE_REPORT_SCORE", ["cape", "report_score"], config, True, 0) self.create_indicators = get_config_variable( "CAPE_CREATE_INDICATORS", ["cape", "create_indicators"], config) self.update_existing_data = get_config_variable( "CONNECTOR_UPDATE_EXISTING_DATA", ["connector", "update_existing_data"], config, ) self.cape_api: cuckoo = cuckoo(self.helper, self.cape_api_url, self.verify_ssl)
class OpenCTI: def __init__(self): # Get configuration config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' self.config = dict() if os.path.isfile(config_file_path): config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) self.config_rabbitmq = config['rabbitmq'] self.config['name'] = config['opencti']['name'] self.config['confidence_level'] = config['opencti'][ 'confidence_level'] self.config['sectors_file_url'] = config['opencti'][ 'sectors_file_url'] self.config['entities'] = config['opencti']['entities'].split(',') self.config['interval'] = config['opencti']['interval'] self.config['log_level'] = config['opencti']['log_level'] else: self.config_rabbitmq = dict() self.config_rabbitmq['hostname'] = os.getenv( 'RABBITMQ_HOSTNAME', 'localhost') self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672) self.config_rabbitmq['username'] = os.getenv( 'RABBITMQ_USERNAME', 'guest') self.config_rabbitmq['password'] = os.getenv( 'RABBITMQ_PASSWORD', 'guest') self.config['name'] = os.getenv('OPENCTI_NAME', 'OpenCTI') self.config['confidence_level'] = int( os.getenv('OPENCTI_CONFIDENCE_LEVEL', 5)) self.config['sectors_file_url'] = os.getenv( 'OPENCTI_SECTORS_FILE_URL', 'https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/sectors.json' ) self.config['entities'] = os.getenv( 'OPENCTI_ENTITIES', 'sector,region,country,city').split(',') self.config['interval'] = os.getenv('OPENCTI_INTERVAL', 1) self.config['log_level'] = os.getenv('OPENCTI_LOG_LEVEL', 'info') # Initialize OpenCTI Connector connector_identifier = ''.join(e for e in self.config['name'] if e.isalnum()) self.opencti_connector_helper = OpenCTIConnectorHelper( connector_identifier.lower(), self.config, self.config_rabbitmq, self.config['log_level']) def get_log_level(self): return self.config['log_level'] def get_interval(self): return int(self.config['interval']) * 60 * 60 * 24 def run(self): sectors_data = urllib.request.urlopen( self.config['sectors_file_url']).read() self.opencti_connector_helper.send_stix2_bundle( sectors_data.decode('utf-8'), self.config['entities'])
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + "/config.yml" config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}) self.helper = OpenCTIConnectorHelper(config) self.identity = self.helper.api.identity.create( type="Organization", name="Intezer Sandbox", description="Intezer Sandbox", )["standard_id"] self.octi_api_url = get_config_variable("OPENCTI_URL", ["opencti", "url"], config) # Get api key from config, use to instantiate the client api_key = get_config_variable( "INTEZER_SANDBOX_API_KEY", ["intezer_sandbox", "api_key"], config, ) self.intezer_client = IntezerApi(api_key=api_key) # Other config settings self.family_color = get_config_variable( "INTEZER_SANDBOX_FAMILY_COLOR", ["intezer_sandbox", "family_color"], config, ) self.malicious_color = get_config_variable( "INTEZER_SANDBOX_MALICIOUS_COLOR", ["intezer_sandbox", "malicious_color"], config, ) self.trusted_color = get_config_variable( "INTEZER_SANDBOX_TRUSTED_COLOR", ["intezer_sandbox", "trusted_color"], config, ) self.unknown_color = get_config_variable( "INTEZER_SANDBOX_UNKNOWN_COLOR", ["intezer_sandbox", "unknown_color"], config, ) self.suspicious_color = get_config_variable( "INTEZER_SANDBOX_SUSPICIOUS_COLOR", ["intezer_sandbox", "suspicious_color"], config, ) self.max_tlp = get_config_variable( "INTEZER_SANDBOX_MAX_TLP", ["intezer_sandbox", "max_tlp"], config, )