class SignatureFilterObject(FilterObject): """ """ def __init__(self, base_uri, tcl): """ """ super(SignatureFilterObject, self).__init__(base_uri, tcl) self._owners = [] # define properties for resource type self._properties = SignaturesProperties(base_uri=self.base_uri) self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('signatures', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed(self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination(self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # # add_obj filter methods # for method_name in self._properties.filters: # special case for download if method_name == 'add_id': method = getattr(FilterMethods, 'add_id_signature') setattr(self, method_name, types.MethodType(method, self)) else: method = getattr(FilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self))
def __init__(self, base_uri, tcl): """ """ super(BulkFilterObject, self).__init__(base_uri, tcl) self._owners = [] # define properties for resource type # self._properties = BulkProperties(base_uri=self.base_uri) self._properties = None self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('groups', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed( self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination( self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # # add_obj filter methods # for method_name in self._properties.filters: method = getattr(IndicatorFilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self))
class VictimAssetFilterObject(FilterObject): """ """ def __init__(self, base_uri, tcl, victim_asset_type_enum=None): """ """ super(VictimAssetFilterObject, self).__init__(base_uri, tcl) self._owners = [] # get resource type from indicator type if isinstance(victim_asset_type_enum, VictimAssetType): # get resource type from indicator type number resource_type = ResourceType(victim_asset_type_enum.value) # get resource properties from resource type name self._properties = ResourceProperties[resource_type.name].value(base_uri=self.base_uri) else: self._properties = ResourceProperties['VICTIM_ASSETS'].value(base_uri=self.base_uri) self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('victimAssets', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed(self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination(self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # # add_obj filter methods # for method_name in self._properties.filters: method = getattr(FilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self))
class BulkFilterObject(FilterObject): """ """ def __init__(self, base_uri, tcl): """ """ super(BulkFilterObject, self).__init__(base_uri, tcl) self._owners = [] # define properties for resource type # self._properties = BulkProperties(base_uri=self.base_uri) self._properties = None self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('groups', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed(self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination(self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # # add_obj filter methods # for method_name in self._properties.filters: method = getattr(IndicatorFilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self))
class BulkIndicatorFilterObject(FilterObject): """ """ def __init__(self, base_uri, tcl): """ """ super(BulkIndicatorFilterObject, self).__init__(base_uri, tcl) self._owners = [] # pd('IndicatorFilterObject', header=True) # pd('indicator_type_enum', indicator_type_enum) self._properties = BulkIndicatorsProperties(base_uri=self.base_uri) self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('indicators', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed(self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination(self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # # add_obj filter methods # for method_name in self._properties.filters: # pd('method_name', method_name) method = getattr(FilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self))
def add_id(self, data_int, asset_id=None): """ """ resource_type = ResourceType(self._resource_type.value - 5) properties = ResourceProperties[resource_type.name].value() if asset_id is not None: # resource_type = ResourceType(self._resource_type.value - 5) # properties = ResourceProperties[resource_type.name].value() uri_data = [data_int, asset_id] else: # properties = self._properties uri_data = [data_int] # validation of data input if not isinstance(data_int, int): self.add_error(ErrorCodes.e4020.value.format(data_int)) self._error = True else: filter_type = 'id' if asset_id is not None: filter_values = '{0}-{1}'.format(data_int, asset_id) else: filter_values = data_int ro = RequestObject(filter_type, filter_values) ro.set_owner_allowed(properties.id_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.id_path, uri_data) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
class VictimFilterObject(FilterObject): """ """ def __init__(self, base_uri, tcl): """ """ super(VictimFilterObject, self).__init__(base_uri, tcl) self._owners = [] # define properties for resource type self._properties = VictimsProperties(base_uri=self.base_uri) self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('victims', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed(self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination(self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # # add_obj filter methods # for method_name in self._properties.filters: method = getattr(FilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self)) # special case for indicator associations def filter_associations(self, base_resource_type, identifier): """Get victims associated with base resource object GET /v2/groups/adversaries/747266/victims GET /v2/indicators/addresses/4.3.2.1/victims """ base_properties = ResourceProperties[base_resource_type.name].value() request_uri = base_properties.base_path + '/' request_uri += str(identifier) request_uri += '/victims' description = 'Get victim associations for {0} resource ({1}).'.format( base_resource_type.name.lower(), str(identifier)) filter_type = 'victim association' ro = RequestObject( filter_type, '{0}|{1}'.format(base_resource_type.name.lower(), identifier)) ro.set_description(description) ro.set_owner_allowed(False) ro.set_resource_pagination(True) ro.set_request_uri(request_uri) ro.set_resource_type(ResourceType.VICTIMS) self._add_request_objects(ro)
def add_indicator(self, data, data_type_enum=None): """ """ if data_type_enum is None: # use indicator value to get the resource type data_type_enum = _get_resource_type(data) else: # indicator type provided if isinstance(data_type_enum, IndicatorType): data_type_enum = ResourceType(data_type_enum.value) error = False # validation indicator if not validate_indicator(data): self.add_error(ErrorCodes.e5010.value.format(data)) self._error = True error = True # validation resource type if not isinstance(data_type_enum, ResourceType): self.add_error(ErrorCodes.e5011.value.format(data_type_enum)) self._error = True error = True if not error: # get properties for indicator # (e.g ADDRESSES is 515 and ADDRESS is 510. indicator_resource_type = ResourceType(data_type_enum.value - 5) indicator_properties = ResourceProperties[indicator_resource_type.name].value() indicator_type = indicator_properties.resource_uri_attribute # determine properties indicator_resources = [ 'INDICATORS', 'ADDRESSES', 'EMAIL_ADDRESSES', 'FILES', 'HOSTS', 'URLS'] if self._properties.resource_type.name in indicator_resources: # if the resource type is one of the above use the properties of that indicator properties = indicator_properties else: # otherwise use the properties of the resource properties = self._properties # url if data_type_enum == ResourceType.URLS: data = urllib.quote(data, safe='~') filter_type = data_type_enum.name.lower() ro = RequestObject(filter_type, data) ro.set_owner_allowed(properties.indicator_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri( properties.indicator_path, [indicator_type, data]) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
def tc_indicators(owners, limit): tc = get_client() tc.set_api_result_limit(limit) ro = RequestObject() ro.set_http_method('GET') ro.set_request_uri('/v2/indicators?resultLimit={}'.format(limit)) if owners is not None: ro.set_owner(owners) ro.set_owner_allowed(True) response = tc.api_request(ro).json() indicators = response['data']['indicator'] ec, indicators = create_context(indicators, include_dbot_score=True) return ec, indicators, response
class BulkIndicators(Resource): """ """ def __init__(self, tc_obj): """ """ super(BulkIndicators, self).__init__(tc_obj) self._filter_class = BulkIndicatorFilterObject self._modified_since = None # set properties properties = BulkIndicatorsProperties(base_uri=self.base_uri) self._resource_type = properties.resource_type # create default request object for non-filtered requests self._request_object = RequestObject('bulk_indicators', 'default') self._request_object.set_http_method(properties.http_method) self._request_object.set_owner_allowed(properties.base_owner_allowed) self._request_object.set_request_uri(properties.base_path) self._request_object.set_resource_pagination(properties.resource_pagination) self._request_object.set_resource_type(properties.resource_type) @property def csv(self): """ """ headers = [ 'confidence', 'dateAdded', 'id', 'indicator', 'lastModified', 'ownerName', 'rating', 'type', 'webLink'] csv_output = io.BytesIO() csv_data = csv.writer(csv_output, delimiter=',', quotechar='"', quoting=csv.QUOTE_NONNUMERIC) csv_data.writerow(headers) for obj in self._objects: csv_row = [ obj.get_confidence(), obj.get_date_added(), obj.get_id(), obj.get_indicator(), obj.get_last_modified(), obj.get_owner_name(), obj.get_rating(), obj.get_type(), obj.get_web_link(), ] csv_data.writerow(csv_row) for row in csv_output.getvalue().split('\r\n'): yield row
def add_tag(self, data): """ """ properties = self._properties if not isinstance(data, str): self.add_error(ErrorCodes.e4080.value.format(data)) self._error = True else: filter_type = 'tag' ro = RequestObject(filter_type, data) ro.set_owner_allowed(properties.tag_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.tag_path, [data]) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
class Victims(Resource): """ """ def __init__(self, tc_obj): """ """ super(Victims, self).__init__(tc_obj) self._filter_class = VictimFilterObject # set properties properties = VictimsProperties(base_uri=self.base_uri) self._resource_type = properties.resource_type # create default request object for non-filtered requests self._request_object = RequestObject('victims', 'default') self._request_object.set_http_method(properties.http_method) self._request_object.set_owner_allowed(properties.base_owner_allowed) self._request_object.set_request_uri(properties.base_path) self._request_object.set_resource_pagination(properties.resource_pagination) self._request_object.set_resource_type(properties.resource_type)
def add_victim_id(self, data_int): """ """ properties = self._properties # validation of data input if not isinstance(data_int, int): self.add_error(ErrorCodes.e4060.value.format(data_int)) self._error = True else: filter_type = 'victim_id' ro = RequestObject(filter_type, data_int) ro.set_owner_allowed(properties.victim_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.victim_path, [data_int]) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
def add_name(self, data): """ """ resource_type = ResourceType(self._resource_type.value - 5) properties = ResourceProperties[resource_type.name].value() # validation of data input if not isinstance(data, str): self.add_error(ErrorCodes.e4080.value.format(data)) self._error = True else: filter_type = 'name' ro = RequestObject(filter_type, data) ro.set_owner_allowed(properties.name_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.name_path, [data]) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
def set_format(self, data): """ """ properties = self._properties # if invalid format specified return json if data in ['json', 'csv']: d_format = data else: d_format = 'json' ro = RequestObject('bulk download', d_format) ro.set_owner_allowed(properties.base_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.base_path, [d_format]) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
def __init__(self, tc_obj): """ """ super(Bulk, self).__init__(tc_obj) self._filter_class = BulkFilterObject # set properties # properties = BulkProperties(base_uri=self.base_uri) # self._resource_type = properties.resource_type # create default request object for non-filtered requests self._request_object = RequestObject('bulk', 'default')
def get_groups_request(group_type): tc = get_client() ro = RequestObject() ro.set_http_method('GET') ro.set_request_uri('/v2/groups/{}'.format(group_type)) return tc.api_request(ro).json()
def tc_get_tags(): tc = get_client() ro = RequestObject() ro.set_http_method('GET') ro.set_request_uri('/v2/tags') return tc.api_request(ro).json()
def tc_get_indicator_types_request(): tc = get_client() ro = RequestObject() ro.set_http_method('GET') ro.set_request_uri('/v2/types/indicatorTypes') return tc.api_request(ro).json()
def get_events_request(): tc = get_client() ro = RequestObject() ro.set_http_method('GET') ro.set_request_uri('/v2/groups/events') return tc.api_request(ro).json()
def tc_owners(): tc = get_client() ro = RequestObject() ro.set_http_method('GET') ro.set_request_uri('/v2/owners') results = tc.api_request(ro) return results.json()
def tc_delete_group(group_id, group_type): tc = get_client() ro = RequestObject() ro.set_http_method('DELETE') ro.set_request_uri('/v2/groups/{}/{}'.format(group_type, group_id)) response = tc.api_request(ro).json() return response['status'] == 'Success'
def tc_add_group_attribute_request(group_type, group_id, attribute_type, attribute_value): tc = get_client() ro = RequestObject() ro.set_http_method('POST') ro.set_request_uri('/v2/groups/{}/{}/attributes'.format( group_type, group_id)) body = { 'type': attribute_type, 'value': attribute_value, 'displayed': 'true' } ro.set_body(json.dumps(body)) response = tc.api_request(ro).json() return response
class Owners(Resource): """ """ def __init__(self, tc_obj): """ """ super(Owners, self).__init__(tc_obj) self._filter_class = OwnerFilterObject # set properties properties = OwnersProperties(base_uri=self.base_uri) self._resource_type = properties.resource_type # create default request object for non-filtered requests self._request_object = RequestObject('owners', 'default') self._request_object.set_http_method(properties.http_method) self._request_object.set_owner_allowed(properties.base_owner_allowed) self._request_object.set_request_uri(properties.base_path) self._request_object.set_resource_pagination(properties.resource_pagination) self._request_object.set_resource_type(properties.resource_type) def get_owner_by_id(self, data): for obj in self._objects: if obj.get_id() == data: return obj return None def get_owner_by_name(self, data): for obj in self._objects: if obj.get_name() == data: return obj return None def get_owner_names(self): owner_names = [] for obj in self._objects: owner_names.append(obj.get_name()) return owner_names
def add_group_tags_request(group_type, group_id, tag_name): tc = get_client() ro = RequestObject() ro.set_http_method('POST') ro.set_request_uri('/v2/groups/{}/{}/tags/{}'.format( group_type, group_id, tag_name)) response = tc.api_request(ro).json() return response.get('status') == 'Success'
def add_group_security_label_request(group_type, group_id, security_label): tc = get_client() ro = RequestObject() ro.set_http_method('POST') ro.set_request_uri('/v2/groups/{}/{}/securityLabels/{}'.format( group_type, group_id, security_label)) response = tc.api_request(ro).json() return response.get('status') == 'Success'
def associate_indicator_request(indicator_type, indicator, group_type, group_id): tc = get_client() ro = RequestObject() ro.set_http_method('POST') ro.set_request_uri('/v2/indicators/{}/{}/groups/{}/{}'.format( indicator_type, indicator, group_type, group_id)) response = tc.api_request(ro).json() return response
def __init__(self, base_uri, tcl, indicator_type_enum=None): """ """ super(IndicatorFilterObject, self).__init__(base_uri, tcl) self._owners = [] # pd('IndicatorFilterObject', header=True) # pd('indicator_type_enum', indicator_type_enum) # get resource type from indicator type if isinstance(indicator_type_enum, IndicatorType): # get resource type from indicator type number resource_type = ResourceType(indicator_type_enum.value) # get resource properties from resource type name self._properties = ResourceProperties[resource_type.name].value(base_uri=self.base_uri) else: self._properties = ResourceProperties['INDICATORS'].value(base_uri=self.base_uri) self._resource_type = self._properties.resource_type # create default request object for filtered request with only owners self._request_object = RequestObject('adversaries', 'default') self._request_object.set_http_method(self._properties.http_method) self._request_object.set_owner_allowed(self._properties.base_owner_allowed) self._request_object.set_request_uri(self._properties.base_path) self._request_object.set_resource_pagination(self._properties.resource_pagination) self._request_object.set_resource_type(self._properties.resource_type) # add_obj properties for filter objects with no request object # happens when a indicator type is specified, but no other # filters are provided # self._owner_allowed = self._properties.base_owner_allowed # self._request_uri = self._properties.base_path # self._resource_pagination = self._properties.resource_pagination # self._resource_type = self._properties.resource_type # pd('owner_allowed', self._owner_allowed) # pd('resource_pagination', self._resource_pagination) # pd('resource_type', self._resource_type) # # add_obj filter methods # for method_name in self._properties.filters: # pd('method_name', method_name) method = getattr(FilterMethods, method_name) setattr(self, method_name, types.MethodType(method, self))
def tc_get_indicators_by_tag(tag, owner): tc = get_client() ro = RequestObject() ro.set_http_method('GET') cmd = '/v2/tags/{}/indicators'.format(tag) if owner is not None: cmd += '?owner={}'.format(owner) ro.set_request_uri(cmd) return tc.api_request(ro).json()
def add_adversary_id(self, data_int, asset_id=None): """ """ if asset_id is not None: resource_type = ResourceType(self._resource_type.value - 5) properties = ResourceProperties[resource_type.name].value() uri_data = [data_int, asset_id] else: properties = self._properties uri_data = [data_int] # validation of data input if not isinstance(data_int, int): self.add_error(ErrorCodes.e4000.value.format(data_int)) self._error = True else: filter_type = 'adversary_id' ro = RequestObject(filter_type, data_int) ro.set_owner_allowed(properties.adversary_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.adversary_path, uri_data) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
def __init__(self, tc_obj): """ """ super(Attributes, self).__init__(tc_obj) self._filter_class = AttributeFilterObject # self._object_class = AttributeObject # set properties for non filtered request properties = AttributesProperties(base_uri=self.base_uri) self._resource_type = properties.resource_type # create default request object for non-filtered requests self._request_object = RequestObject('attribute', 'default') self._request_object.set_http_method(properties.http_method) self._request_object.set_owner_allowed(properties.base_owner_allowed) self._request_object.set_request_uri(properties.base_path) self._request_object.set_resource_pagination(properties.resource_pagination) self._request_object.set_resource_type(properties.resource_type)
def __init__(self, tc_obj): """ """ super(BulkIndicators, self).__init__(tc_obj) self._filter_class = BulkIndicatorFilterObject self._modified_since = None # set properties properties = BulkIndicatorsProperties(base_uri=self.base_uri) self._resource_type = properties.resource_type # create default request object for non-filtered requests self._request_object = RequestObject('bulk_indicators', 'default') self._request_object.set_http_method(properties.http_method) self._request_object.set_owner_allowed(properties.base_owner_allowed) self._request_object.set_request_uri(properties.base_path) self._request_object.set_resource_pagination(properties.resource_pagination) self._request_object.set_resource_type(properties.resource_type)
def default_request_object(self): """ default request when only a owner filter is provided """ request_object = RequestObject() request_object.set_description('filter by owner') request_object.set_http_method(self._resource_properties['base']['http_method']) request_object.set_owner_allowed(self._resource_properties['base']['owner_allowed']) request_object.set_request_uri(self._resource_properties['base']['uri']) request_object.set_resource_pagination(self._resource_properties['base']['pagination']) request_object.set_resource_type(self._resource_type) return request_object
def default_request_object(self): """ default request when no filters are provided """ resource_properties = ApiProperties.api_properties[self._resource_type.name]['properties'] # create default request object for non-filtered requests request_object = RequestObject() request_object.set_http_method(resource_properties['base']['http_method']) request_object.set_owner_allowed(resource_properties['base']['owner_allowed']) request_object.set_request_uri(resource_properties['base']['uri']) request_object.set_resource_pagination(resource_properties['base']['pagination']) request_object.set_resource_type(self._resource_type) return request_object
def main(): """ """ # set threat connect log (tcl) level tc.set_tcl_file('log/tc.log', 'debug') tc.set_tcl_console_level('critical') if enable_example1: """ get community/source status using basic retrieve """ # build INDICATORS request object # ro = RequestObject() ro.set_http_method('GET') ro.set_owner(owners) ro.set_owner_allowed(True) ro.set_resource_pagination(True) ro.set_request_uri('/v2/indicators/bulk') # # retrieve and display the results # try: results = tc.api_request(ro) except RuntimeError as e: print(e) sys.exit(1) if results.headers['content-type'] == 'application/json': data = results.json() print(json.dumps(data, indent=4)) if enable_example2: """ get bulk indicators """ # optionally set max results tc.set_api_result_limit(500) # indicator object indicators = tc.bulk_indicators() # filter results try: filter1 = indicators.add_filter() filter1.add_owner(owners) # filter1.add_pf_confidence(90, FilterOperator.GE) # filter1.add_pf_date_added('2014-04-10T00:00:00Z', FilterOperator.GE) # filter1.add_pf_rating('4.0', FilterOperator.GE) # filter1.add_pf_type('Host') # filter1.add_pf_type('Address') # filter1.add_pf_last_modified('2015-01-21T00:31:44Z', FilterOperator.GE) # filter1.add_pf_threat_assess_confidence('50', FilterOperator.GE) # filter1.add_pf_threat_assess_rating('4.0', FilterOperator.GE) # filter1.add_pf_tag('EXAMPLE', FilterOperator.EQ) # filter1.add_pf_attribute('Description', FilterOperator.EQ) except AttributeError as e: print('Error: {0!s}'.format(e)) sys.exit(1) # retrieve indicators try: indicators.retrieve() except RuntimeError as e: print('Error: {0!s}'.format(e)) sys.exit(1) # show indicator data show_data(indicators) if enable_example3: """ get bulk indicators """ # optionally set max results tc.set_api_result_limit(500) # indicator object indicators = tc.bulk_indicators() # filter results try: filter1 = indicators.add_filter() filter1.add_owner(owners) # filter1.add_pf_confidence(50, FilterOperator.GE) # filter1.add_pf_rating('2.5', FilterOperator.GE) filter1.add_pf_tag('CnC', FilterOperator.EQ) except AttributeError as e: print('Error: {0!s}'.format(e)) sys.exit(1) # retrieve indicators try: indicators.retrieve() except RuntimeError as e: print('Error: {0!s}'.format(e)) sys.exit(1) # show indicator data show_data(indicators) if enable_example4: """ get bulk indicator in csv format """ # build INDICATORS request object # ro = RequestObject() ro.set_http_method('GET') ro.set_owner(owners) ro.set_owner_allowed(True) ro.set_resource_pagination(True) ro.set_request_uri('/v2/indicators/bulk/csv') # # retrieve and display the results # results = tc.api_request(ro) if results.headers['content-type'] == 'text/csv': data = results.content print(data)
def default_request_object(self): """ default request when no filters are provided """ resource_properties = ApiProperties.api_properties[self._resource_type.name]['properties'] # create default request object for non-filtered requests request_object = RequestObject() request_object.set_http_method(resource_properties['base']['http_method']) request_object.set_owner_allowed(resource_properties['base']['owner_allowed']) request_object.set_request_uri(resource_properties['base']['uri']) request_object.set_resource_pagination(resource_properties['base']['pagination']) request_object.set_resource_type(self._resource_type) # modified since is only support on base (/v2/indicator) api call if self._modified_since is not None: request_object.set_modified_since(self._modified_since) request_object.set_description('Owner Filter modified since {0}'.format(self._modified_since)) return request_object
def filter_associations(self, base_resource_type, identifier): """Get victims associated with base resource object GET /v2/groups/adversaries/747266/victims GET /v2/indicators/addresses/4.3.2.1/victims """ base_properties = ResourceProperties[base_resource_type.name].value() request_uri = base_properties.base_path + '/' request_uri += str(identifier) request_uri += '/victims' description = 'Get victim associations for {0} resource ({1}).'.format( base_resource_type.name.lower(), str(identifier)) filter_type = 'victim association' ro = RequestObject( filter_type, '{0}|{1}'.format(base_resource_type.name.lower(), identifier)) ro.set_description(description) ro.set_owner_allowed(False) ro.set_resource_pagination(True) ro.set_request_uri(request_uri) ro.set_resource_type(ResourceType.VICTIMS) self._add_request_objects(ro)
def associate_victim(self, resource_id): """ associate victim from group """ prop = self._resource_properties['association_victim_add'] ro = RequestObject() ro.set_description('associate victim id {0} from "{1}"'.format( resource_id, self._name)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) ro.set_request_uri(prop['uri'].format( self._id, resource_id)) ro.set_resource_pagination(prop['pagination']) ro.set_resource_type(self._resource_type) self._resource_container.add_commit_queue(self.id, ro)
def add_indicator(self, data): """ """ # validation indicator if not SharedMethods.validate_indicator(data): raise AttributeError(ErrorCodes.e5010.value.format(data)) # get indicator uri attribute indicator_type = SharedMethods.get_resource_type(data) indicator_uri_attribute = ApiProperties.api_properties[indicator_type.name]['uri_attribute'] prop = self._resource_properties['indicators'] ro = RequestObject() ro.set_description('api filter by indicator id {0}'.format(data)) ro.set_owner_allowed(prop['owner_allowed']) ro.set_request_uri(prop['uri'], [indicator_uri_attribute, SharedMethods.urlsafe(data)]) ro.set_resource_pagination(prop['pagination']) ro.set_resource_type(self._resource_type) self._add_request_objects(ro)
print('Could not retrieve configuration file.') sys.exit(1) tc = ThreatConnect(api_access_id, api_secret_key, api_default_org, api_base_url) tc.set_api_result_limit(api_result_limit) tc.report_enable() """ Toggle the Boolean to enable specific examples """ enable_example1 = False enable_example2 = False if enable_example1: # # build DOCUMENT request object # ro = RequestObject() ro.set_http_method('POST') body = {'name': 'Raw Upload Example', 'fileName': 'raw_example.txt'} ro.set_body(json.dumps(body)) ro.set_content_type('application/json') ro.set_owner('Example Community') ro.set_owner_allowed(True) ro.set_resource_pagination(False) ro.set_request_uri('/v2/groups/documents') # display request object parameters print(ro) # # retrieve and display the results #
def download_request(self): """ """ # build request object request_object = RequestObject(self._drd['name1'], self._drd['name2_method']()) request_object.set_content_type(self._drd['content_type']) request_object.set_description( self._drd['description'].format(self._drd['identifier_method']())) request_object.set_http_method(self._drd['http_method']) request_object.set_request_uri( self._drd['request_uri_path'].format(self._drd['identifier_method']())) request_object.set_owner_allowed(self._drd['owner_allowed']) request_object.set_resource_pagination(self._drd['resource_pagination']) request_object.set_resource_type(self._drd['resource_type']) return request_object
def add_tag(self, data): """ filter api results by tag """ # validation of data input if not isinstance(data, str): raise AttributeError(ErrorCodes.e4070.value.format(data)) prop = self._resource_properties['tags'] ro = RequestObject() ro.set_description('api filter by tag "{0}"'.format(data)) ro.set_owner_allowed(prop['owner_allowed']) ro.set_resource_pagination(prop['pagination']) ro.set_request_uri(prop['uri'], [SharedMethods.urlsafe(data)]) ro.set_resource_type(self._resource_type) self._add_request_objects(ro)
def log_to_api(self): if len(self.entries) > 0: # make api call ro = RequestObject() ro.set_http_method('POST') ro.set_owner_allowed(True) ro.set_resource_pagination(False) ro.set_request_uri('/v2/logs/app') ro.set_body(dumps(self.entries)) # retrieve and display the results; don't log during api request so we don't end up with duplicate info try: self.tc.api_request(ro, log=False) except RuntimeError as re: # can't really do anything if it fails error_data = { 'levelname': 'ERROR', 'created': time.time(), 'msg': 'API LOGGING FAILURE -- Unable to send log entries to api: {}' .format(self.entries) } lr = makeLogRecord(error_data) self.entries = [] self.emit(lr) self.entries = []
def associate_indicator(self, indicator_type, indicator): """ associate a group to group by id """ prop = self._resource_properties['association_indicator_add'] ro = RequestObject() ro.set_description('associate indicator {0} to "{1}"'.format( indicator, self._name)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) ro.set_resource_pagination(prop['pagination']) indicator_uri_attribute = ApiProperties.api_properties[indicator_type.name]['uri_attribute'] ro.set_request_uri(prop['uri'].format(indicator_uri_attribute, self._urlsafe(indicator), self.id)) ro.set_resource_type(self._resource_type) self._resource_container.add_commit_queue(self.id, ro)
def default_request_object(self): """ default request when only a owner filter is provided """ request_object = RequestObject() request_object.set_description('filter by owner') request_object.set_http_method(self._resource_properties['base']['http_method']) request_object.set_owner_allowed(self._resource_properties['base']['owner_allowed']) request_object.set_request_uri(self._resource_properties['base']['uri']) request_object.set_resource_pagination(self._resource_properties['base']['pagination']) request_object.set_resource_type(self._resource_type) # modified since is only support on base (/v2/indicator) api call if self._modified_since is not None: request_object.set_modified_since(self._modified_since) request_object.set_description('Indicator Owner Filter modified since {0}'.format(self._modified_since)) return request_object
def default_request_object(self): """ default request when no filters are provided """ resource_properties = ApiProperties.api_properties[ self._resource_type.name]['properties'] # create default request object for non-filtered requests request_object = RequestObject() request_object.set_http_method( resource_properties['base']['http_method']) request_object.set_owner_allowed( resource_properties['base']['owner_allowed']) request_object.set_request_uri(resource_properties['base']['uri']) request_object.set_resource_pagination( resource_properties['base']['pagination']) request_object.set_resource_type(self._resource_type) return request_object
def add_indicator(self, data, indicator_type=None): """ filter api results by indicator """ # validation indicator if not SharedMethods.validate_indicator(self.tc._indicators_regex, data): raise AttributeError(ErrorCodes.e5010.value.format(data)) # get indicator uri attribute if indicator_type is None: indicator_type = SharedMethods.get_resource_type( self.tc._indicators_regex, data) indicator_uri_attribute = ApiProperties.api_properties[ indicator_type.name]['uri_attribute'] prop = self._resource_properties['indicator'] ro = RequestObject() ro.set_description('api filter by indicator id {0}'.format(data)) ro.set_owner_allowed(prop['owner_allowed']) # TODO: Check this logic if self._resource_type == ResourceType.INDICATORS: ro.set_request_uri( prop['uri'], [indicator_uri_attribute, SharedMethods.urlsafe(data)]) else: ro.set_request_uri(prop['uri'], [SharedMethods.urlsafe(data)]) ro.set_resource_pagination(prop['pagination']) ro.set_resource_type(indicator_type) self._add_request_objects(ro)
def default_request_object(self): """ default request when only a owner filter is provided """ request_object = RequestObject() request_object.set_description('filter by owner') request_object.set_http_method( self._resource_properties['base']['http_method']) request_object.set_owner_allowed( self._resource_properties['base']['owner_allowed']) request_object.set_request_uri( self._resource_properties['base']['uri']) request_object.set_resource_pagination( self._resource_properties['base']['pagination']) request_object.set_resource_type(self._resource_type) return request_object
def commit(self): # phase 0 (no action) -> don't validate and don't POST group, only POST items in commit queue. # phase 1 (add) -> validate before POST group, only POST items in commit queue if group POST succeeded. # phase 2 (update) -> don't validate before PUT group, POST/PUT items in commit queue. """ commit group and related associations, attributes, security labels and tags """ r_id = self.id ro = RequestObject() ro.set_body(self.gen_body) if self.owner_name is not None: ro.set_owner(self.owner_name) ro.set_resource_type(self.resource_type) if self.phase == 1: prop = self._resource_properties['add'] ro.set_description('adding group "{0}".'.format(self._name)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) ro.set_request_uri(prop['uri'].format(self._id)) ro.set_resource_pagination(prop['pagination']) if self.validate: api_response = self._tc.api_request(ro) if api_response.headers['content-type'] == 'application/json': api_response_dict = api_response.json() if api_response_dict['status'] == 'Success': resource_key = ApiProperties.api_properties[self.resource_type.name]['resource_key'] r_id = api_response_dict['data'][resource_key]['id'] else: self._tc.tcl.debug('Resource Object'.format(self)) raise AttributeError(ErrorCodes.e10040.value) elif self.phase == 2: prop = self._resource_properties['update'] ro.set_description('update group "{0}".'.format(self._name)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) ro.set_request_uri(prop['uri'].format(self._id)) ro.set_resource_pagination(prop['pagination']) api_response = self._tc.api_request(ro) if api_response.headers['content-type'] == 'application/json': api_response_dict = api_response.json() if api_response_dict['status'] != 'Success': self._tc.tcl.error('API Request Failure: [{0}]'.format(ro.description)) # validate all required fields are present if r_id is not None: # # commit all associations, attributes, tags, etc # for ro in self._resource_container.commit_queue(self.id): if self.owner_name is not None: ro.set_owner(self.owner_name) # replace the id if self.phase == 1 and self.id != r_id: request_uri = str(ro.request_uri.replace(str(self.id), str(r_id))) ro.set_request_uri(request_uri) self._tc.tcl.debug('Replacing {0} with {1}'.format(self.id, str(r_id))) api_response2 = self._tc.api_request(ro) if 'content-type' in api_response2.headers: if api_response2.headers['content-type'] == 'application/json': api_response_dict2 = api_response2.json() if api_response_dict2['status'] != 'Success': self._tc.tcl.error('API Request Failure: [{0}]'.format(ro.description)) else: if ro.success_callback is not None: ro.success_callback(ro, api_response2) elif api_response2.headers['content-type'] == 'application/octet-stream': if api_response2.status_code in [200, 201, 202]: self.set_contents(ro.body) if ro.success_callback is not None: ro.success_callback(ro, api_response2) else: # upload PUT response if api_response2.status_code in [200, 201, 202]: self.set_contents(ro.body) if ro.success_callback is not None: ro.success_callback(ro, api_response2) # clear the commit queue self._resource_container.clear_commit_queue_id(self.id) self.set_id(r_id) # clear phase self.set_phase(0) if self._reload_attributes: self.load_attributes(automatically_reload=True) # return object return self
def add_incident_id(self, data_int): """ filter api results by incident id """ # validation of data input if not isinstance(data_int, int): raise AttributeError(ErrorCodes.e4040.value.format(data_int)) prop = self._resource_properties['groups'] ro = RequestObject() ro.set_description('api filter by incident id {0}'.format(data_int)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) ro.set_request_uri(prop['uri'], ['incidents', data_int]) ro.set_resource_pagination(prop['pagination']) ro.set_resource_type(self._resource_type) self._add_request_objects(ro)
def load_security_labels(self): """ retrieve attributes for this indicator """ prop = self._resource_properties['load_security_labels'] ro = RequestObject() ro.set_description( 'load security labels for attribute {0} of object {1}'.format( self.id, self._container.id)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) resource_uri = self._container._resource_properties['id']['uri'] try: resource_uri = resource_uri.format(self._container.indicator) except AttributeError: resource_uri = resource_uri.format(self._container.id) ro.set_request_uri(prop['uri'].format(resource_uri, self.id)) ro.set_resource_pagination(prop['pagination']) api_response = self._container._tc.api_request(ro) if api_response.headers['content-type'] == 'application/json': api_response_dict = api_response.json() if api_response_dict['status'] == 'Success': self._security_labels = [] data = api_response_dict['data']['securityLabel'] for item in data: self.__add_security_label(parse_security_label( item)) # add to main resource object
def add_id_signature(self, data_int, download=False): """ """ resource_type = ResourceType(self._resource_type.value - 5) properties = ResourceProperties[resource_type.name].value() uri_data = [data_int] # validation of data input if not isinstance(data_int, int): self.add_error(ErrorCodes.e4020.value.format(data_int)) self._error = True else: filter_type = 'id' ro = RequestObject(filter_type, data_int) ro.set_owner_allowed(properties.id_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) ro.set_request_uri(properties.id_path, uri_data) ro.set_resource_type(properties.resource_type) # add_obj download if download: ro.set_download(True) self._add_request_objects(ro)
def add_security_label(self, security_label_name): """ retrieve attributes for this indicator """ prop = self._resource_properties['add_security_label'] ro = RequestObject() ro.set_description( 'deleting security label {0} for attribute {1} of object {2}'. format(security_label_name, self.id, self._container.id)) ro.set_http_method(prop['http_method']) ro.set_owner_allowed(prop['owner_allowed']) resource_uri = self._container._resource_properties['id']['uri'] try: resource_uri = resource_uri.format(self._container.indicator) except AttributeError: resource_uri = resource_uri.format(self._container.id) ro.set_request_uri(prop['uri'].format(resource_uri, self.id, security_label_name)) ro.set_resource_pagination(prop['pagination']) callback = lambda status: self.__failed_add_security_label( security_label_name) ro.set_failure_callback(callback) self._container._resource_container.add_commit_queue( self._container.id, ro) security_label = SecurityLabelObject() security_label.set_name(security_label_name) self.__add_security_label(security_label)
def add_hash(self, data, data_int=None): """ """ if data_int is not None: resource_type = ResourceType(self._resource_type.value - 5) properties = ResourceProperties[resource_type.name].value() else: properties = self._properties # validation of data input if not isinstance(data, str): self.add_error(ErrorCodes.e4020.value.format(data)) self._error = True else: filter_type = 'hash' ro = RequestObject(filter_type, data) ro.set_owner_allowed(properties.hash_owner_allowed) ro.set_resource_pagination(properties.resource_pagination) if data_int is not None: ro.set_request_uri(properties.hash_path, [data, data_int]) else: ro.set_request_uri(properties.hash_path, [data]) ro.set_resource_type(properties.resource_type) self._add_request_objects(ro)
def add_indicator(self, data): """ """ # validation indicator if not SharedMethods.validate_indicator(self.tc._indicators_regex, data): raise AttributeError(ErrorCodes.e5010.value.format(data)) # get indicator uri attribute indicator_type = SharedMethods.get_resource_type(self.tc._indicators_regex, data) indicator_uri_attribute = ApiProperties.api_properties[indicator_type.name]['uri_attribute'] prop = self._resource_properties['indicators'] ro = RequestObject() ro.set_description('api filter by indicator id {0}'.format(data)) ro.set_owner_allowed(prop['owner_allowed']) ro.set_request_uri(prop['uri'], [indicator_uri_attribute, SharedMethods.urlsafe(data)]) ro.set_resource_pagination(prop['pagination']) ro.set_resource_type(self._resource_type) self._add_request_objects(ro)