2018-11-12 14:13:05 +01:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
import requests
|
|
|
|
import logging
|
|
|
|
import base64
|
2018-11-12 15:21:47 +01:00
|
|
|
from datetime import datetime
|
2018-11-12 14:13:05 +01:00
|
|
|
|
|
|
|
|
|
|
|
logger = logging.getLogger('pyintel471')
|
|
|
|
logger.setLevel(logging.DEBUG)
|
|
|
|
|
|
|
|
|
|
|
|
class PyIntel471:
|
|
|
|
|
|
|
|
def __init__(self, email: str, authkey: str):
|
|
|
|
self.auth = base64.b64encode(f'{email}:{authkey}'.encode()).decode()
|
|
|
|
|
|
|
|
def _prepare_request(self, request_type: str, url: str, data=None):
|
|
|
|
if logger.isEnabledFor(logging.DEBUG):
|
|
|
|
logger.debug('{} - {}'.format(request_type, url))
|
|
|
|
if data is not None:
|
|
|
|
logger.debug(data)
|
|
|
|
if data is None:
|
|
|
|
req = requests.Request(request_type, url)
|
|
|
|
else:
|
|
|
|
req = requests.Request(request_type, url, data=data)
|
|
|
|
with requests.Session() as s:
|
|
|
|
prepped = s.prepare_request(req)
|
|
|
|
prepped.headers.update({'Authorization': f'Basic {self.auth}'})
|
|
|
|
if logger.isEnabledFor(logging.DEBUG):
|
|
|
|
logger.debug(prepped.headers)
|
|
|
|
# TODO? handle the status codes
|
|
|
|
return s.send(prepped)
|
|
|
|
|
2018-11-12 15:21:47 +01:00
|
|
|
def url_parameters(self, createdFrom: datetime=None, createdUntil: datetime=None, lastUpdatedFrom: datetime=None, lastUpdatedUntil: datetime=None,
|
|
|
|
sort: str='relevance', offset: int=0, count: int=10, prettyPrint: bool=True, responseFormat: str=None):
|
|
|
|
'''Create a string with the parameters to append to the URL.
|
|
|
|
|
|
|
|
:param createdFrom:Search reports starting from given creation time (including). Object field: created. Empty indicates unbounded.
|
|
|
|
:param createdUntil:Search reports starting from given creation time (including). Object field: created. Empty indicates unbounded.
|
|
|
|
:param lastUpdatedFrom: Search results starting from given last updated time (including). Empty indicates unbounded.
|
|
|
|
:param lastUpdatedUntil: Search results ending before given last updated time (excluding). Empty indicates unbounded.
|
|
|
|
:param sort: Sort results by relevance or an object native time. Allowed values: "relevance" (default), "earliest" or "latest"
|
|
|
|
:param offset: Skip leading number of records. Default: 0
|
|
|
|
:param count: Returns given number of records starting from offset position. Default value: 10. Size range: 0-100
|
|
|
|
:param prettyPrint: Formats output json in human-readable form if present. Empty indicates Json. Allowed values: "csv".
|
|
|
|
'''
|
|
|
|
f = locals()
|
|
|
|
f.pop('self')
|
|
|
|
# Some parameters have to be renamed due to reserved words in Python.
|
|
|
|
if createdFrom:
|
|
|
|
f['from'] = f.pop('createdFrom')
|
|
|
|
if createdUntil:
|
|
|
|
f['until'] = f.pop('createdUntil')
|
|
|
|
f['format'] = f.pop('responseFormat')
|
|
|
|
return self.__prepare_url_path(f)
|
|
|
|
|
|
|
|
def search_filters(self, text: str=None, ipAddress: str=None, url: str=None, contactInfoEmail: str=None,
|
|
|
|
post: str=None, privateMessage: str=None, actor: str=None, entity: str=None, forum: str=None,
|
|
|
|
ioc: str=None, report: str=None, reportTag: str=None, reportLocation: str=None, reportAdmiraltyCode: str=None,
|
|
|
|
event: str=None, indicator: str=None, yara: str=None, nids: str=None, malwareReport: str=None, eventType: str=None,
|
|
|
|
indicatorType: str=None, nidsType: str=None, threatType: str=None, threatUid: str=None, malwareFamily: str=None,
|
|
|
|
malwareFamilyProfileUid: str=None, confidence: str=None, intelRequirement: str=None):
|
|
|
|
|
|
|
|
'''Returns selection of results matching filter criteria.
|
|
|
|
|
|
|
|
:param text: Search text everywhere
|
|
|
|
:param ipAddress: IP address search
|
|
|
|
:param url: URL search
|
|
|
|
:param contactInfoEmail: E-mail address search
|
|
|
|
:param post: Forum post search
|
|
|
|
:param privateMessage: Forum private message search
|
|
|
|
:param actor: Actor search
|
|
|
|
:param entity: Entity search
|
|
|
|
:param forum: Search posts in specific forum
|
|
|
|
:param ioc: Indicators of compromise search
|
|
|
|
:param report: Report search
|
|
|
|
:param reportTag: Search reports by tag
|
|
|
|
:param reportLocation: Search reports by location
|
|
|
|
:param reportAdmiraltyCode: Search reports by admiralty code
|
|
|
|
:param event: Free text event search
|
|
|
|
:param indicator: Free text indicator search
|
|
|
|
:param yara: Free text YARAs search
|
|
|
|
:param nids: Free text NIDS search
|
|
|
|
:param malwareReport: Free text malware reports search
|
|
|
|
:param eventType: Search events by type
|
|
|
|
:param indicatorType: Search indicators by type
|
|
|
|
:param nidsType: Search NIDS by type
|
|
|
|
:param threatType: Search events, indicators, YARAs, NIDS and malware reports by threat type.
|
|
|
|
:param threatUid: Search events, indicators, YARAs, NIDS and malware reports by threat uid.
|
|
|
|
:param malwareFamily: Search events, indicators, YARAs, NIDS and malware reports by malware family
|
|
|
|
:param malwareFamilyProfileUid: Search events, indicators, YARAs, NIDS and malware reports by malware family profile UID
|
|
|
|
'''
|
2018-11-12 14:13:05 +01:00
|
|
|
f = locals()
|
|
|
|
f.pop('self')
|
2018-11-12 15:21:47 +01:00
|
|
|
return self.__prepare_url_path(f)
|
2018-11-12 14:13:05 +01:00
|
|
|
|
2018-11-12 15:21:47 +01:00
|
|
|
def __prepare_url_path(self, params: dict):
|
|
|
|
to_return = []
|
|
|
|
for key, value in params.items():
|
|
|
|
if value is None:
|
|
|
|
continue
|
|
|
|
if isinstance(value, datetime):
|
|
|
|
# Date and time entries are UNIX timestamp multiplied by 1000
|
|
|
|
value = int(value.timestamp() * 1000)
|
|
|
|
to_return.append(f'{key}={value}')
|
|
|
|
return '&'.join(to_return)
|
2018-11-12 14:13:05 +01:00
|
|
|
|
2018-11-12 15:21:47 +01:00
|
|
|
def search(self, filters: str, parameters: str=None):
|
|
|
|
if parameters is None:
|
|
|
|
full_url = f'https://api.intel471.com/v1/search?{filters}'
|
|
|
|
else:
|
|
|
|
full_url = f'https://api.intel471.com/v1/search?{filters}&{parameters}'
|
2018-11-12 14:13:05 +01:00
|
|
|
return self._prepare_request('GET', full_url)
|