Skip to content

Commit

Permalink
Intsights api update (#710)
Browse files Browse the repository at this point in the history
* Updating to v3

* Update parsing logic

* Update tests

---------

Co-authored-by: Ian Hellen <[email protected]>
  • Loading branch information
FlorianBracq and ianhelle authored Sep 29, 2023
1 parent 0d1b18e commit 900cefe
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 40 deletions.
41 changes: 21 additions & 20 deletions msticpy/context/tiproviders/intsights.py
Original file line number Diff line number Diff line change
Expand Up @@ -46,42 +46,42 @@ class IntSights(HttpTIProvider):

_QUERIES = {
"ipv4": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"ipv6": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"dns": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"url": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"md5_hash": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"sha1_hash": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"sha256_hash": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
"email": _IntSightsParams(
path="/public/v2/iocs/ioc-by-value",
path="/public/v3/iocs/ioc-by-value",
params={"iocValue": "{observable}"},
headers=_DEF_HEADERS,
),
Expand Down Expand Up @@ -111,27 +111,28 @@ def parse_results(self, response: Dict) -> Tuple[bool, ResultSeverity, Any]:
):
return False, ResultSeverity.information, "Not found."

if response["RawResult"]["Whitelist"] == "True":
if response["RawResult"].get("whitelisted", False):
return False, ResultSeverity.information, "Whitelisted."

sev = response["RawResult"]["Severity"]
sev = response["RawResult"].get("severity", "Low")
result_dict = {
"threat_actors": response["RawResult"]["RelatedThreatActors"],
"geolocation": response["RawResult"].get("Geolocation", ""),
"threat_actors": response["RawResult"].get("relatedThreatActors", ""),
"geolocation": response["RawResult"].get("geolocation", None),
"response_code": response["Status"],
"tags": response["RawResult"]["Tags"] + response["RawResult"]["SystemTags"],
"malware": response["RawResult"]["RelatedMalware"],
"campaigns": response["RawResult"]["RelatedCampaigns"],
"sources": response["RawResult"]["Sources"],
"score": response["RawResult"]["Score"],
"tags": response["RawResult"].get("tags", [])
+ response["RawResult"].get("SystemTags", []),
"malware": response["RawResult"].get("relatedMalware", []),
"campaigns": response["RawResult"].get("relatedCampaigns", []),
"score": response["RawResult"].get("score", 0),
"first_seen": dt.datetime.strptime(
response["RawResult"]["FirstSeen"], "%Y-%m-%dT%H:%M:%S.%fZ"
response["RawResult"].get("firstSeen", None), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"last_seen": dt.datetime.strptime(
response["RawResult"]["LastSeen"], "%Y-%m-%dT%H:%M:%S.%fZ"
response["RawResult"].get("lastSeen", None), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"last_update": dt.datetime.strptime(
response["RawResult"]["LastUpdate"], "%Y-%m-%dT%H:%M:%S.%fZ"
response["RawResult"].get("lastUpdateDate", None),
"%Y-%m-%dT%H:%M:%S.%fZ",
),
}

Expand Down
35 changes: 15 additions & 20 deletions tests/context/test_tiproviders.py
Original file line number Diff line number Diff line change
Expand Up @@ -885,32 +885,27 @@ def _get_riskiq_classification():
"https://api.ti.insight.rapid7.com": {
"ioc_param": "params",
"response": {
"Value": "124.5.6.7",
"Type": "IpAddresses",
"Score": 42,
"Severity": "Medium",
"Whitelist": False,
"FirstSeen": dt.datetime.strftime(
"value": "124.5.6.7",
"type": "IpAddresses",
"score": 42,
"severity": "Medium",
"whitelist": False,
"firstSeen": dt.datetime.strftime(
dt.datetime.now(), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"LastSeen": dt.datetime.strftime(
"lastSeen": dt.datetime.strftime(
dt.datetime.now(), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"LastUpdate": dt.datetime.strftime(
"lastUpdateDate": dt.datetime.strftime(
dt.datetime.now(), "%Y-%m-%dT%H:%M:%S.%fZ"
),
"Sources": [
{"ConfidenceLevel": 2, "Name": "Source A"},
{"ConfidenceLevel": 1, "Name": "Source B"},
{"ConfidenceLevel": 1, "Name": "Source C"},
{"ConfidenceLevel": 3, "Name": "Source D"},
],
"SystemTags": ["bot", "malware related"],
"Geolocation": "FR",
"RelatedMalware": ["malware1"],
"RelatedCampaigns": ["Campaign A"],
"RelatedThreatActors": ["Threat Actor 00"],
"Tags": ["tag"],
"systemTags": ["bot", "malware related"],
"geolocation": "FR",
"relatedMalware": ["malware1"],
"relatedCampaigns": ["Campaign A"],
"relatedThreatActors": ["Threat Actor 00"],
"tags": ["tag"],
"whitelisted": False,
},
},
"https://cti.api.crowdsec.net": {
Expand Down

0 comments on commit 900cefe

Please sign in to comment.