Examples

Threat Intelligence

Create Indicator to Group Association 1

 1# Creating a Indicator and Group to insure that a association can be made.
 2indicator_kwargs = {'ip': '1.1.1.1', 'rating': 0, 'confidence': 0 }
 3group_kwargs = { 'fileName': 'rand_filename', 'name': 'rand_name' }
 4indicator = self.ti.indicator('address', self.owner, **indicator_kwargs)
 5group = self.ti.group('document', self.owner, **group_kwargs)
 6# Can be done this way as well:
 7# indicator = self.ti.address(self.owner, **indicator_kwargs)
 8# group = self.ti.document(self.owner, **group_kwargs)
 9indicator.create()
10group.create()
11
12# indicator to associate
13indicator.add_association(group)

Create Indicator to Group Association 2

 1# Creating a Indicator and Group to insure that a association can be made.
 2indicator_kwargs = {'ip': '1.1.1.1', 'rating': 0, 'confidence': 0 }
 3group_kwargs = { 'fileName': 'rand_filename', 'name': 'rand_name' }
 4indicator = self.ti.indicator('address', self.owner, **indicator_kwargs)
 5group = self.ti.group('document', self.owner, **group_kwargs)
 6indicator.create()
 7group.create()
 8
 9# Create indicators/groups representing the indicators/groups in TC
10indicator = self.ti.indicator('address', self.owner, ip='1.1.1.1')
11group = self.ti.group('document', self.owner, id=group.unique_id)
12# Can be done this way as well:
13# indicator = self.ti.address(self.owner, '1.1.1.1')
14# group = self.ti.document(self.owner, id=group.unique_id)
15
16# indicator to associate
17indicator.add_association(group)

Retrieve Indicator to Group Associations

1# Creating a Indicator to make sure group associations can be retrieved.
2indicator_kwargs = {'ip': '1.1.1.1', 'rating': 0, 'confidence': 0 }
3indicator = self.ti.address(owner=self.owner, ip='1.1.1.1', 'rating': 0, 'confidence': 0)
4indicator.create()
5
6for association in indicator.group_associations():
7    print(association)

Retrieve Group to Indicator Associations

1# Creating a Indicator to make sure group associations can be retrieved.
2group_kwargs = { 'fileName': 'rand_filename', 'name': 'rand_name' }
3group = self.ti.document(owner=self.owner, **group_kwargs)
4group.create()
5
6for association in group.indicator_associations():
7    print(association)

Enable DNS Whois Group

 1group = self.tcex.ti.group(group_type=group_type, owner=owner, unique_id=group_id)
 2# get indicator associations
 3for indicator in group.indicator_associations():
 4    if indicator.get('type') == 'Host':
 5        ti_host = self.ti.host(
 6            hostName=indicator.get('summary'),
 7            owner=self.owner,
 8            dns_active=True,
 9            whois_active=True
10        )
11        r = ti_host.update()
12        ti_host_data = r.json().get('data', {}).get('host', {})

Retrieve Inactive Indicators

1ti = self.ti.address()
2filters = self.ti.filters()
3filters.add_filter('active', '=', 'false')
4for address in ti.many(filters=filters):
5    print(address)

Retrieve Active and Inactive Indicators

1ti = self.ti.address()
2filters = self.ti.filters()
3filters.add_filter('active', '=', 'true')
4filters.add_filter('active', '=', 'false')
5parameters = {'orParams': 'true'}
6for address in ti.many(filters=filters, params=parameters):
7    print(address)

Retrieve Indicators with Date Added filters

1filters = self.tcex.ti.filters()
2filters.add_filter('dateAdded', '>', '2020-01-01')
3filters.add_filter('dateAdded', '<', '2020-01-02')
4indicators = self.tcex.ti.indicator(owner='example')
5for indicator in indicators.many(filters=filters):
6    print(indicator)

Retrieve Indicators Owners

1# Create a example indicator
2indicator_kwargs = {'ip': '1.1.1.1', 'rating': randint(0, 5), 'confidence': randint(0, 100)}
3indicator = self.ti.indicator('address', self.owner, **indicator_kwargs)
4indicator.create()
5# Get the owners that indicator is in.
6owner = indicator.owners()
7# indicator.owners() return the response, time to get the owner data.
8owner_data = owner.get('data', {}).get('owner', [])

Snippets

Feature

Batch

Initialize Batch Create

1batch = self.tcex.batch(owner="MyOwner")

Initialize Batch Delete

1batch = self.tcex.batch(owner="MyOwner", action="Delete")

Add Group Interface 1

1ti = batch.campaign(name="camp-1", first_seen="12-12-08", xid="my-unique-external-id")

Add Group Interface 2

1ti = batch.group(group_type="Campaign", name="camp-2", date_added="12-12-2008", first_seen="12-12-08", xid="my-unique-external-id")

Add Attribute

1ti.attribute(attr_type="Description", attr_value="Example Description", displayed=True)

Add Tag

1ti.tag(name="Crimeware")

Add Security Label

1ti.security_label(name="My Custom Label", description="My Label Description", color="ffffff")

Add Association

1ti.association("my-unique-adversary-external-id")

Save

1# temporarily save group to disk to preserve memory
2batch.save(ti)

Add Indicator Interface 1

1ti = batch.file(md5="43c3609411c83f363e051d455ade78a6", rating="5.0", confidence="100")

Add Indicator Interface 2

1ti = batch.indicator(indicator_type="File", summary="43c3609411c83f363e051d455ade78a6")
2ti.confidence = "50"
3ti.rating = "3.2"
4ti.occurrence(file_name="drop1.exe", path="C:\\\\test\\\\", date="2017-02-02")
5ti.occurrence(file_name="drop2.exe", path="C:\\\\test2\\\\", date="2017-01-01")

Submit

1batch_status = batch.submit_all()

Case Management

Create Case

1case_data = {
2    "name": "Case Name",
3    "severity": "Low",
4    "status": "Open",
5}
6case = self.cm.case(**case_data)
7case.submit()

Update Case

1case = self.cm.case(id=2)
2case.name = "Updated Name"
3case.submit()

Delete Case

1case = self.cm.case(id=2)
2case.delete()

Get Case

1case = self.cm.case(id=2)
2case.get()

Get Sub Artifacts

1case = self.cm.case(id=2)
2case.get(all_available_fields=True)
3for artifact in case.artifacts:
4    self.tcex.log.debug(f"artifact: {artifact}")

Create Case with Artifacts

 1case_data = {
 2    "name": "Case Name",
 3    "severity": "Low",
 4    "status": "Open",
 5}
 6
 7case = self.cm.case(**case_data)
 8
 9# artifact data
10artifact_data = [
11    {"summary": "asn4455", "intel_type": "indicator-ASN", "type": "ASN"},
12    {"summary": "asn5544", "intel_type": "indicator-ASN", "type": "ASN"},
13]
14
15# add artifacts
16for artifact in artifact_data:
17    case.add_artifact(**artifact)
18case.submit()

Get Cases with TQL

1cases = self.tcex.cm.cases()
2cases.filter.id(TQL.Operator.EQ, case.id)
3
4for case in cases:
5    self.tcex.log.debug(f"case: {case}")

Get Cases with Linked TQL

1cases = self.tcex.cm.cases()
2cases.filter.has_artifact.id(TQL.Operator.EQ, artifact.id)
3
4for case in cases:
5    self.tcex.log.debug(f"case: {case}")

Create Artifact

1artifact_data = {
2    "case_id": 1,
3    "summary": f"asn2342",
4    "type": "ASN",
5}
6
7# create artifact
8artifact = self.tcex.cm.artifact(**artifact_data)
9artifact.submit()

Create Note

1note_data = {
2    "case_id": 1,
3    "text": f"sample note for test case."
4}
5
6# create note
7note = self.tcex.cm.note(**note_data)
8note.submit()

Add Tag

1case = self.tcex.cm.case(id=1)
2case.add_tag("sample tag")
3case.submit()

Create Task

 1task_data = {
 2    "case_id": 1,
 3    "description": f"a description for new task",
 4    "name": f"new task",
 5    "xid": "unique-task-xid"
 6}
 7
 8# create task
 9self.tcex.cm.task(**task_data)
10task.submit()

Create Workflow Event

1workflow_event_data = {
2    "case_id": 1,
3    "summary": "workflow event summary"
4}
5
6# create workflow_event
7self.tcex.cm.workflow_event(**workflow_event_data)
8workflow_event.submit()

DataStore

Initialize Local

1# when using a value of "local" the scope of the datastore is limited to this App in the current Playbook
2ds = self.tcex.datastore("local", "myDnsData")

Initialize Organization

1ds = self.tcex.datastore("organization", "myDnsData")

Get

1response = ds.get(rid="one")

Add

1response = ds.add(rid="one", data={"one": 1})

Add (dynamic id)

1response = ds.add(rid=None, data={"one": 1})

Put

1response = ds.put(rid="one", data={"one": 1})

Delete

1response = ds.delete(rid="one")

Exit

Set exit message

1self.exit_message = f"Created {indicator_count} indicators."

Set exit code

1# set the exit code and allow App to continue to process
2self.tcex.playbook.exit_code = 1

Exit with error

1# exit the App immediately with the provided exit message
2self.tcex.playbook.exit(code=1, msg="Failed to add indicators to Owner.")

General

Action Method

1@IterateOnArg(arg="input_arg")
2@OnException(exit_msg="Failed to run "do something" operation.")
3@OnSuccess(exit_msg="Successfully ran "do something" operation.")
4@Output(attribute="return_outputs")
5def do_action(self, input_arg):
6    """Perform an action on interator_input and append return value to self.return_outputs."""
7    return input_arg

Get variable type

1var_type = self.tcex.playbook.variable_type(variable=self.args.input)

Logging

Debug

1self.tcex.log.debug("debug logging")

Info

1self.tcex.log.info("info logging")

Warning

1self.tcex.log.warning("warning logging")

Error

1self.tcex.log.error("error logging")

Metrics

Add Metrics

1metrics = self.tcex.metric(name="My Metric", description="Indicator Count", data_type="Sum", interval="Daily", keyed=False)
2metrics.add(value=42, date="2008-12-12T12:12:12")

Add Keyed Metrics

1metrics = self.tcex.metric(name="My Metric By Owner", description="Indicator Count by Owner", data_type="Sum", interval="Daily", keyed=True)
2metrics.add_keyed(value=42, key="MyOrg", date="2008-12-12T12:12:12", return_value=True)

Notifications

Send to Recipients

1notification = self.tcex.notification()
2notification.recipients(notification_type="My notification", recipients="[email protected]", priority="High")
3status = notification.send(message="High alert send to recipients.")

Sent to Organization

1notification = self.tcex.notification()
2notification.org(notification_type="My notification", priority="High")
3status = notification.send(message="High alert send to organization.")

Threat Intelligence

Get Group by Id

1parameters = {
2    "includes": ["additional", "attributes", "labels", "tags"]
3}
4ti = self.tcex.ti.group(group_type="Adversary", owner="MyOrg", unique_id=416)
5response = ti.single(params=parameters)

Get Groups

1parameters = {
2    "includes": ["additional", "attributes", "labels", "tags"]
3}
4groups = self.tcex.ti.group(group_type="Adversary", owner="MyOrg")
5for group in groups.many(params=parameters):
6    self.tcex.log.debug(f"group: {group}")

Get Tags

1for tag in ti.tags():
2    self.tcex.log.debug(f"tag: {tag}")

Get Attributes

1for attribute in ti.attributes():
2    self.tcex.log.debug(f"attribute: {attribute}")

Get Associations

1for association in ti.indicator_associations():
2    self.tcex.log.debug(f"association: {association}")

Create Group

1ti = self.tcex.ti.group(group_type="Campaign", name="camp-3", owner="MyOrg", first_seen="2019-04-02")
2response = ti.create()

Add Tag

1response = ti.add_tag(name="Crimeware")

Add Attribute

1response = ti.add_attribute(attribute_type="Description", attribute_value="Example Description.")

Add Security Label

1response = ti.add_label(label="TLP:GREEN")

Add Association

1group_assoc = self.tcex.ti.group(group_type="Campaign", unique_id=417)
2response = ti.add_association(target=group_assoc)

Update Group

1ti = self.tcex.ti.group(group_type="Campaign", first_seen="2019-04-03", unique_id=417)
2response = ti.update()

Delete Group

1ti = self.tcex.ti.group(group_type="Campaign", unique_id=419)
2response = ti.delete()

Get Indicatory by Value

1parameters = {
2    "includes": ["additional", "attributes", "labels", "tags"]
3}
4ti = self.tcex.ti.indicator(indicator_type="Address", owner="MyOrg", unique_id="127.0.0.1")
5response = ti.single(params=parameters)

Get Indicators

1parameters = {
2    "includes": ["additional", "attributes", "labels", "tags"]
3}
4indicators = self.tcex.ti.indicator(indicator_type="Address", owner="MyOrg")
5for indicator in indicators.many(params=parameters):
6    self.tcex.log.debug(f"indicator: {indicator}")

Create Indicator

1ti = self.tcex.ti.indicator(indicator_type="Address", owner="MyOrg", ip="12.13.14.15")
2response = ti.create()