diff --git a/msticpy/context/tiproviders/intsights.py b/msticpy/context/tiproviders/intsights.py
index b1c094e7c..b5bc1f620 100644
--- a/msticpy/context/tiproviders/intsights.py
+++ b/msticpy/context/tiproviders/intsights.py
@@ -46,42 +46,42 @@ class IntSights(HttpTIProvider):
 _QUERIES = {
 "ipv4": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "ipv6": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "dns": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "url": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "md5_hash": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "sha1_hash": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "sha256_hash": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
 "email": _IntSightsParams(
- path="/public/v2/iocs/ioc-by-value",
+ path="/public/v3/iocs/ioc-by-value",
 params={"iocValue": "{observable}"},
 headers=_DEF_HEADERS,
 ),
@@ -111,27 +111,28 @@ def parse_results(self, response: Dict) -> Tuple[bool, ResultSeverity, Any]:
 ):
 return False, ResultSeverity.information, "Not found."
- if response["RawResult"]["Whitelist"] == "True":
+ if response["RawResult"].get("whitelisted", False):
 return False, ResultSeverity.information, "Whitelisted."
- sev = response["RawResult"]["Severity"]
+ sev = response["RawResult"].get("severity", "Low")
 result_dict = {
- "threat_actors": response["RawResult"]["RelatedThreatActors"],
- "geolocation": response["RawResult"].get("Geolocation", ""),
+ "threat_actors": response["RawResult"].get("relatedThreatActors", ""),
+ "geolocation": response["RawResult"].get("geolocation", None),
 "response_code": response["Status"],
- "tags": response["RawResult"]["Tags"] + response["RawResult"]["SystemTags"],
- "malware": response["RawResult"]["RelatedMalware"],
- "campaigns": response["RawResult"]["RelatedCampaigns"],
- "sources": response["RawResult"]["Sources"],
- "score": response["RawResult"]["Score"],
+ "tags": response["RawResult"].get("tags", []) + + response["RawResult"].get("SystemTags", []),
+ "malware": response["RawResult"].get("relatedMalware", []),
+ "campaigns": response["RawResult"].get("relatedCampaigns", []),
+ "score": response["RawResult"].get("score", 0),
 "first_seen": dt.datetime.strptime(
- response["RawResult"]["FirstSeen"], "%Y-%m-%dT%H:%M:%S.%fZ"
+ response["RawResult"].get("firstSeen", None), "%Y-%m-%dT%H:%M:%S.%fZ"
 ),
 "last_seen": dt.datetime.strptime(
- response["RawResult"]["LastSeen"], "%Y-%m-%dT%H:%M:%S.%fZ"
+ response["RawResult"].get("lastSeen", None), "%Y-%m-%dT%H:%M:%S.%fZ"
 ),
 "last_update": dt.datetime.strptime(
- response["RawResult"]["LastUpdate"], "%Y-%m-%dT%H:%M:%S.%fZ"
+ response["RawResult"].get("lastUpdateDate", None),
+ "%Y-%m-%dT%H:%M:%S.%fZ",
 ),
 }
diff --git a/tests/context/test_tiproviders.py b/tests/context/test_tiproviders.py
index 2b9d722b8..f2166cd4a 100644
--- a/tests/context/test_tiproviders.py
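Review bot: The three timestamp entries at the end of the hunk feed `.get("firstSeen", None)`, `.get("lastSeen", None)` and `.get("lastUpdateDate", None)` straight into `dt.datetime.strptime`, which raises `TypeError` on `None`, so the new defaults merely swap the old `KeyError` for a different crash whenever a v3 payload omits a date. The `tags` entry still reads `SystemTags` while every other v3 key in this hunk (and the `systemTags` key in the updated test fixture) is camelCase, so system tags will silently come back empty with the default `[]`. Defaulting a missing `severity` to `"Low"` also under-reports an indicator whose severity the provider did not state; I would leave it unset and let the severity mapping further down choose its neutral value, though that mapping lies outside this hunk. `parse_results` starts and ends outside the hunk. I would route the dates through a small helper that tolerates an absent field and fix the key casing:
```python
def _parse_ts(value):
    """Parse an IntSights ISO-8601 timestamp; return None when the field is absent."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ") if value else None

# … unchanged: parse_results up to the result_dict literal …
        raw = response["RawResult"]
        # … unchanged: threat_actors, geolocation, response_code …
        "tags": raw.get("tags", []) + raw.get("systemTags", []),
        # … unchanged: malware, campaigns, score …
        "first_seen": _parse_ts(raw.get("firstSeen")),
        "last_seen": _parse_ts(raw.get("lastSeen")),
        "last_update": _parse_ts(raw.get("lastUpdateDate")),
```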
+++ b/tests/context/test_tiproviders.py
@@ -885,32 +885,27 @@ def _get_riskiq_classification():
 "https://api.ti.insight.rapid7.com": {
 "ioc_param": "params",
 "response": {
- "Value": "124.5.6.7",
- "Type": "IpAddresses",
- "Score": 42,
- "Severity": "Medium",
- "Whitelist": False,
- "FirstSeen": dt.datetime.strftime(
+ "value": "124.5.6.7",
+ "type": "IpAddresses",
+ "score": 42,
+ "severity": "Medium",
+ "whitelist": False,
+ "firstSeen": dt.datetime.strftime(
 dt.datetime.now(), "%Y-%m-%dT%H:%M:%S.%fZ"
 ),
- "LastSeen": dt.datetime.strftime(
+ "lastSeen": dt.datetime.strftime(
 dt.datetime.now(), "%Y-%m-%dT%H:%M:%S.%fZ"
 ),
- "LastUpdate": dt.datetime.strftime(
+ "lastUpdateDate": dt.datetime.strftime(
 dt.datetime.now(), "%Y-%m-%dT%H:%M:%S.%fZ"
 ),
- "Sources": [
- {"ConfidenceLevel": 2, "Name": "Source A"},
- {"ConfidenceLevel": 1, "Name": "Source B"},
- {"ConfidenceLevel": 1, "Name": "Source C"},
- {"ConfidenceLevel": 3, "Name": "Source D"},
- ],
- "SystemTags": ["bot", "malware related"],
- "Geolocation": "FR",
- "RelatedMalware": ["malware1"],
- "RelatedCampaigns": ["Campaign A"],
- "RelatedThreatActors": ["Threat Actor 00"],
- "Tags": ["tag"],
+ "systemTags": ["bot", "malware related"],
+ "geolocation": "FR",
+ "relatedMalware": ["malware1"],
+ "relatedCampaigns": ["Campaign A"],
+ "relatedThreatActors": ["Threat Actor 00"],
+ "tags": ["tag"],
+ "whitelisted": False,
 },
 },
 "https://cti.api.crowdsec.net": {
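Review bot: The rewritten fixture carries both `"whitelist": False` and `"whitelisted": False`, while the provider change only reads `whitelisted`, so the older key is dead weight that hides which key the parser actually consults; drop `"whitelist": False,`. Because both are `False`, the fixture never exercises the `"Whitelisted."` early return either, and a second response with `"whitelisted": True` would pin that path. The fixture also spells `systemTags` in camelCase whereas the provider reads `SystemTags`, so an assertion that the parsed `tags` contains `"bot"` would expose that mismatch here rather than in production. The enclosing fixture dict starts and ends outside this hunk.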