def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) # Extract IP from entity data observable_value = observable["value"] # Get Shodan API Response try: response = self.shodanAPI.host(observable_value) except Exception as e: return str(e) # Process and send Shodan Data to OpenCTI self._convert_shodan_to_stix(response, observable) return "[SUCCESS] Shodan IP Found, data sent in"
def _process_message(self, data): entity_id = data['entity_id'] observable = self.helper.api.stix_observable.read(id=entity_id) # Extract TLP tlp = 'TLP:WHITE' for marking_definition in observable['markingDefinitions']: if marking_definition['definition_type'] == 'TLP': tlp = marking_definition['definition'] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): return [ 'Do not send any data, TLP of the observable is greater than MAX TLP' ] # Extract IP from entity data observable_id = observable['stix_id_key'] observable_value = observable['observable_value'] # Get the geo loc from the API api_url = 'https://ipinfo.io/' + observable_value + '?token=' + self.token response = requests.request("GET", api_url, headers={ 'accept': "application/json", 'content-type': "application/json", }) json_data = json.loads(response.text) country = pycountry.countries.get(alpha_2=json_data['country']) bundle = self._generate_stix_bundle(country, json_data['city'], observable_id) bundles_sent = self.helper.send_stix2_bundle(bundle) return [ 'Sent ' + str(len(bundles_sent)) + ' stix bundle(s) for worker import' ]
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) if observable is None: raise ValueError( "Observable not found (or the connector does not has access to this observable, check the group of the connector user)" ) TLPs = ["TLP:WHITE"] if "objectMarking" in observable: for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": TLPs.append(marking_definition["definition"]) for TLPx in TLPs: if not OpenCTIConnectorHelper.check_max_tlp(TLPx, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) # Extract IP from entity data observable_value = observable["value"] # Get Shodan API Response try: response = self.shodanAPI.host(observable_value) except Exception as e: return str(e) # Process and send Shodan Data to OpenCTI self._convert_shodan_to_stix(response, observable) return "[SUCCESS] Shodan IP Found, data sent in"
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) return self._process_file(observable)
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) if observable is None: raise ValueError( "Observable not found (or the connector does not has access to this observable, check the group of the connector user)" ) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable.get("objectMarking", []): if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) return self._process_file(observable)
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) if observable is None: raise ValueError( "Observable not found " "(may be linked to data seggregation, check your group and permissions)" ) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) return self._process_observable(observable)
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) if observable is None: raise ValueError( "Observable not found (or the connector does not has access to this observable, check the group of the connector user)" ) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) # Extract IP from entity data observable_id = observable["standard_id"] observable_value = observable["value"] # Get the geo loc from the API api_url = "https://ipinfo.io/" + observable_value + "/json/?token=" + self.token response = requests.request( "GET", api_url, headers={ "accept": "application/json", "content-type": "application/json" }, ) json_data = response.json() if "status" in json_data and json_data["status"] == 429: raise ValueError("IpInfo Rate limit exceeded") country = pycountry.countries.get(alpha_2=json_data["country"]) if country is None: raise ValueError( "IpInfo was not able to find a country for this IP address") bundle = self._generate_stix_bundle(country, json_data["city"], json_data["loc"], observable_id) bundles_sent = self.helper.send_stix2_bundle(bundle) return "Sent " + str( len(bundles_sent)) + " stix bundle(s) for worker import"
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_observable.read(id=entity_id) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["markingDefinitions"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) # Extract IP from entity data observable_id = observable["stix_id_key"] observable_value = observable["observable_value"] # Get the geo loc from the API api_url = "https://ipinfo.io/" + observable_value + "?token=" + self.token response = requests.request( "GET", api_url, headers={ "accept": "application/json", "content-type": "application/json", }, ) json_data = json.loads(response.text) country = pycountry.countries.get(alpha_2=json_data["country"]) if country is None: raise ValueError( "IpInfo was not able to find a country for this IP address") bundle = self._generate_stix_bundle(country, json_data["city"], observable_id) bundles_sent = self.helper.send_stix2_bundle(bundle) return [ "Sent " + str(len(bundles_sent)) + " stix bundle(s) for worker import" ]
def _process_message(self, data): """Process a message, depending on its type.""" entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) if observable is None: return # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] break if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) if self.use_data: self.process_data_observable(observable) if self.use_passive: self.process_passive_observable(observable) if self.use_scans: self.process_scans_observable(observable)
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable["objectMarking"]: if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) # Extract IP from entity data observable_id = observable["standard_id"] observable_value = observable["value"] url = "https://api.abuseipdb.com/api/v2/check" headers = { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded", "Key": "%s" % self.api_key, } params = { "maxAgeInDays": 365, "verbose": "True", "ipAddress": observable_value } response = requests.get(url, headers=headers, params=params) data = response.json() data = data["data"] self.helper.api.stix_cyber_observable.update_field( id=observable_id, key="x_opencti_score", value=str(data["abuseConfidenceScore"]), ) if data["isWhitelisted"]: external_reference = self.helper.api.external_reference.create( source_name="AbuseIPDB (whitelist)", url="https://www.abuseipdb.com/check/" + observable_value, description="This IP address is from within our whitelist.", ) self.helper.api.stix_cyber_observable.add_external_reference( id=observable_id, external_reference_id=external_reference["id"]) self.helper.api.stix_cyber_observable.add_label( id=observable_id, label_id=self.whitelist_label["id"]) return "IP found in AbuseIPDB WHITELIST." if len(data["reports"]) > 0: for report in data["reports"]: country = self.helper.api.stix_domain_object.get_by_stix_id_or_name( name=report["reporterCountryName"]) self.helper.api.stix_sighting_relationship.create( fromId=observable_id, toId=country["id"], count=1, first_seen=report["reportedAt"], last_seen=report["reportedAt"], ) for category in report["categories"]: category_text = self.extract_abuse_ipdb_category(category) label = self.helper.api.label.create(value=category_text) self.helper.api.stix_cyber_observable.add_label( id=observable_id, label_id=label["id"]) return "IP found in AbuseIPDB with reports, knowledge attached."
def _process_message(self, data): entity_id = data["entity_id"] observable = self.helper.api.stix_cyber_observable.read(id=entity_id) # Extract TLP tlp = "TLP:WHITE" for marking_definition in observable.get("objectMarking", []): if marking_definition["definition_type"] == "TLP": tlp = marking_definition["definition"] if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp): raise ValueError( "Do not send any data, TLP of the observable is greater than MAX TLP" ) # Extract IP from entity data observable_id = observable["standard_id"] observable_value = observable["value"] url = "https://api.abuseipdb.com/api/v2/check" headers = { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded", "Key": "%s" % self.api_key, } params = { "maxAgeInDays": 365, "verbose": "True", "ipAddress": observable_value } r = requests.get(url, headers=headers, params=params) r.raise_for_status() data = r.json() data = data["data"] self.helper.api.stix_cyber_observable.update_field( id=observable_id, input={ "key": "x_opencti_score", "value": str(data["abuseConfidenceScore"]), }, ) if data["isWhitelisted"]: external_reference = self.helper.api.external_reference.create( source_name="AbuseIPDB (whitelist)", url="https://www.abuseipdb.com/check/" + observable_value, description="This IP address is from within our whitelist.", ) self.helper.api.stix_cyber_observable.add_external_reference( id=observable_id, external_reference_id=external_reference["id"]) self.helper.api.stix_cyber_observable.add_label( id=observable_id, label_id=self.whitelist_label["id"]) return "IP found in AbuseIPDB WHITELIST." if len(data["reports"]) > 0: found = [] cl = defaultdict(dict) for report in data["reports"]: countryN = report["reporterCountryCode"] if countryN in cl: cl[countryN]["count"] += 1 cl[countryN]["firstseen"] = report["reportedAt"] else: cl[countryN]["count"] = 1 cl[countryN]["firstseen"] = report["reportedAt"] cl[countryN]["lastseen"] = report["reportedAt"] for category in report["categories"]: if category not in found: found.append(category) category_text = self.extract_abuse_ipdb_category( category) label = self.helper.api.label.create( value=category_text) self.helper.api.stix_cyber_observable.add_label( id=observable_id, label_id=label["id"]) for ckey in list(cl.keys()): country = self.helper.api.location.read( filters=[{ "key": "x_opencti_aliases", "values": [ckey], }], getAll=True, ) if country is None: self.helper.log_info( "No country found with Alpha 2 code " + ckey) else: self.helper.api.stix_sighting_relationship.create( fromId=observable_id, toId=country["id"], count=cl[ckey]["count"], first_seen=cl[ckey]["firstseen"], last_seen=cl[ckey]["lastseen"], ) return "IP found in AbuseIPDB with reports, knowledge attached."