Batch Module
batch.batch
ThreatConnect Batch Import Module.

class tcex.batch.batch.Batch(tcex, owner, action=None, attribute_write_type=None, halt_on_error=True, playbook_triggers_enabled=None)
Bases: object
ThreatConnect Batch Import Module

_gen_indicator_method(name, custom_class, value_count)
Dynamically generate custom Indicator methods.
Parameters:
- name (str) – The name of the method.
- custom_class (object) – The class to add.
- value_count (int) – The number of value parameters to support.

_group(group_data)
Return previously stored group or new group.
Parameters: group_data (dict|obj) – A Group dict or instance of Group object.
Returns: The new Group dict/object or the previously stored dict/object.
Return type: dict|obj

_indicator(indicator_data)
Return previously stored indicator or new indicator.
Parameters: indicator_data (dict|obj) – An Indicator dict or instance of Indicator object.
Returns: The new Indicator dict/object or the previously stored dict/object.
Return type: dict|obj

action
Return batch action.

add_group(group_data)
Add a group to Batch Job.
{
  "name": "Example Incident",
  "type": "Incident",
  "attribute": [{
    "type": "Description",
    "displayed": false,
    "value": "Example Description"
  }],
  "xid": "e336e2dd-5dfb-48cd-a33a-f8809e83e904",
  "associatedGroupXid": [
    "e336e2dd-5dfb-48cd-a33a-f8809e83e904:58"
  ],
  "tag": [{
    "name": "China"
  }]
}
Parameters: group_data (dict) – The full Group data including attributes, labels, tags, and associations.

add_indicator(indicator_data)
Add an indicator to Batch Job.
{
  "type": "File",
  "rating": 5.00,
  "confidence": 50,
  "summary": "53c3609411c83f363e051d455ade78a7 : 57a49b478310e4313c54c0fee46e4d70a73dd580 : db31cb2a748b7e0046d8c97a32a7eb4efde32a0593e5dbd58e07a3b4ae6bf3d7",
  "associatedGroups": [
    { "groupXid": "e336e2dd-5dfb-48cd-a33a-f8809e83e904" }
  ],
  "attribute": [{
    "type": "Source",
    "displayed": true,
    "value": "Malware Analysis provided by external AMA."
  }],
  "fileOccurrence": [{
    "fileName": "drop1.exe",
    "date": "2017-03-03T18:00:00-06:00"
  }],
  "tag": [{
    "name": "China"
  }],
  "xid": "e336e2dd-5dfb-48cd-a33a-f8809e83e904:170139"
}
Parameters: indicator_data (dict) – The full Indicator data including attributes, labels, tags, and associations.
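As an added illustration (not code from the tcex project), the following Python builds group and indicator dicts in the shape shown above and checks them before they would be handed to add_group/add_indicator: File summaries are assembled in the "md5 : sha1 : sha256" form, and every associatedGroupXid or associatedGroups.groupXid reference must resolve to a group in the same batch. The digest-length checks and validate_batch are assumptions of this example, not behaviour the library documents; the hash values are the ones from the sample above.

```python
import re

# Expected hex-digest lengths (assumption used by this example's checks).
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"[0-9a-f]+")


def build_file_summary(md5=None, sha1=None, sha256=None):
    """Join the available hashes into the 'md5 : sha1 : sha256' summary form.

    At least one hash is required; each supplied value is normalised to
    lowercase and checked for the expected digest length.
    """
    parts = []
    for name, value in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
        if value is None:
            continue
        value = value.strip().lower()
        if len(value) != HEX_LENGTHS[name] or not HEX_RE.fullmatch(value):
            raise ValueError(f"{name} is not a {HEX_LENGTHS[name]}-char hex digest")
        parts.append(value)
    if not parts:
        raise ValueError("at least one file hash value must be specified")
    return " : ".join(parts)


def is_valid_file_summary(summary):
    """True when every ':'-separated part of a File summary is a known digest length."""
    parts = [p.strip().lower() for p in summary.split(":")]
    return bool(parts) and all(
        len(p) in HEX_LENGTHS.values() and HEX_RE.fullmatch(p) for p in parts
    )


def validate_batch(groups, indicators):
    """Return a list of problems found in a batch payload (empty list when clean)."""
    problems = []
    known = set()
    for g in groups:
        xid = g.get("xid")
        if not xid:
            problems.append(f"group {g.get('name')!r} has no xid")
        elif xid in known:
            problems.append(f"duplicate group xid {xid}")
        else:
            known.add(xid)
    for g in groups:
        for ref in g.get("associatedGroupXid", []):
            if ref not in known:
                problems.append(f"group {g.get('xid')} references unknown group {ref}")
    for ind in indicators:
        xid = ind.get("xid") or ind.get("summary")
        for assoc in ind.get("associatedGroups", []):
            ref = assoc.get("groupXid")
            if ref not in known:
                problems.append(f"indicator {xid} references unknown group {ref}")
        if ind.get("type") == "File" and not is_valid_file_summary(ind.get("summary", "")):
            problems.append(f"indicator {xid} has a malformed File summary")
    return problems


# Constructed sample payload, modelled on the dicts shown above.
GROUP_XID = "e336e2dd-5dfb-48cd-a33a-f8809e83e904"

SAMPLE_GROUPS = [
    {
        "name": "Example Incident",
        "type": "Incident",
        "attribute": [{"type": "Description", "displayed": False, "value": "Example Description"}],
        "xid": GROUP_XID,
        "associatedGroupXid": [f"{GROUP_XID}:58"],
        "tag": [{"name": "China"}],
    },
    # the group that the association above points at
    {"name": "Example Adversary", "type": "Adversary", "xid": f"{GROUP_XID}:58"},
]

SAMPLE_INDICATORS = [
    {
        "type": "File",
        "rating": 5.00,
        "confidence": 50,
        "summary": build_file_summary(
            md5="53c3609411c83f363e051d455ade78a7",
            sha1="57a49b478310e4313c54c0fee46e4d70a73dd580",
            sha256="db31cb2a748b7e0046d8c97a32a7eb4efde32a0593e5dbd58e07a3b4ae6bf3d7",
        ),
        "associatedGroups": [{"groupXid": GROUP_XID}],
        "fileOccurrence": [{"fileName": "drop1.exe", "date": "2017-03-03T18:00:00-06:00"}],
        "xid": f"{GROUP_XID}:170139",
    }
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_GROUPS, SAMPLE_INDICATORS))  # [] when the payload is consistent
```

Running the check before submission catches the two mistakes that otherwise only surface as batch errors after the round trip: an association pointing at an xid that is not in the job, and a File summary with a truncated or mis-ordered digest.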

address(ip, **kwargs)
Add Address data to Batch object.
Parameters:
- ip (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of Address.
Return type: obj

adversary(name, **kwargs)
Add Adversary data to Batch object.
Parameters:
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Adversary.
Return type: obj

asn(as_number, **kwargs)
Add ASN data to Batch object.
Parameters:
- as_number (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of ASN.
Return type: obj

attribute_write_type
Return batch attribute write type.

campaign(name, **kwargs)
Add Campaign data to Batch object.
Parameters:
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- first_seen (str, kwargs) – The first seen datetime expression for this Group.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Campaign.
Return type: obj

cidr(block, **kwargs)
Add CIDR data to Batch object.
Parameters:
- block (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of CIDR.
Return type: obj

data
Return the batch data to be sent to the ThreatConnect API.
Processing order:
- Process groups in memory up to max batch size.
- Process groups in shelf up to max batch size.
- Process indicators in memory up to max batch size.
- Process indicators in shelf up to max batch size.
This method will remove the group/indicator from memory and/or shelf.

data_group_association(xid)
Return group dict array following all associations.
Parameters: xid (str) – The xid of the group whose associations are retrieved.
Returns: A list of group dicts.
Return type: list

data_group_type(group_data)
Return dict representation of group data.
Parameters: group_data (dict|obj) – The group data dict or object.
Returns: The group data in dict format.
Return type: dict

data_groups(groups, entity_count)
Process Group data.
Parameters: groups (list) – The list of groups to process.
Returns: A list of groups including associations.
Return type: list

debug
Return debug setting.

document(name, file_name, **kwargs)
Add Document data to Batch object.
Parameters:
- name (str) – The name for this Group.
- file_name (str) – The name for the attached file for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- file_content (str;method, kwargs) – The file contents or callback method to retrieve file content.
- malware (bool, kwargs) – If true the file is considered malware.
- password (bool, kwargs) – If malware is true a password for the zip archive is
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Document.
Return type: obj

email(name, subject, header, body, **kwargs)
Add Email data to Batch object.
Parameters:
- name (str) – The name for this Group.
- subject (str) – The subject for this Email.
- header (str) – The header for this Email.
- body (str) – The body for this Email.
- date_added (str, kwargs) – The date timestamp the Group was created.
- from_addr (str, kwargs) – The from address for this Email.
- to_addr (str, kwargs) – The to address for this Email.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Email.
Return type: obj

email_address(address, **kwargs)
Add Email Address data to Batch object.
Parameters:
- address (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of EmailAddress.
Return type: obj

error_codes
Static list of Batch error codes and short descriptions.

errors(batch_id, halt_on_error=True)
Retrieve Batch errors from the ThreatConnect API.
[
  {
    "errorReason": "Incident incident-001 has an invalid status.",
    "errorSource": "incident-001 is not valid."
  },
  {
    "errorReason": "Incident incident-002 has an invalid status.",
    "errorSource": "incident-002 is not valid."
  }
]
Parameters:
- batch_id (str) – The ID returned from the ThreatConnect API for the current batch job.
- halt_on_error (bool, default True) – If True any exception will raise an error.

event(name, **kwargs)
Add Event data to Batch object.
Parameters:
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- event_date (str, kwargs) – The event datetime expression for this Group.
- status (str, kwargs) – The status for this Group.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Event.
Return type: obj

file(md5=None, sha1=None, sha256=None, **kwargs)
Add File data to Batch object.
Note
At least one file hash value must be specified.
Parameters:
- md5 (str, optional) – The md5 value for this Indicator.
- sha1 (str, optional) – The sha1 value for this Indicator.
- sha256 (str, optional) – The sha256 value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- size (str, kwargs) – The file size for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of File.
Return type: obj

file_len
Return the number of current indicators.

file_merge_mode(value)
Set the file merge mode for the entire batch job.
Parameters: value (str) – A value of Distribute or Merge.

files
Return dictionary containing all of the file content or callbacks.

static generate_xid(identifier=None)
Generate xid from provided identifiers.
Important
If no identifier is provided a unique xid will be returned, but it will not be reproducible. If a list of identifiers is provided they must be in the same order to generate a reproducible xid.
Parameters: identifier (list|str) – Optional string value(s) to be used to make a unique and reproducible xid.
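The reproducibility rule above matters because the xid is what later batches use to find and update the same group or indicator. The following is an added example of a generator with that contract (it is not the tcex implementation): with no identifier it returns a random uuid4, otherwise a uuid5 over the identifier parts joined in the order given, under a namespace constant that belongs to this example only.

```python
import uuid

# Fixed namespace so that identifier-derived xids are stable across runs
# (this example's own constant, not one defined by tcex).
XID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "batch-xid.example.invalid")
# Separator between identifier parts; keeps ["ab", "c"] distinct from ["a", "bc"].
_SEP = "\x1f"


def generate_xid(identifier=None):
    """Return a UUID-formatted xid.

    - identifier is None: a random uuid4, unique but not reproducible.
    - identifier is a str or list of str: a uuid5 over the parts joined in
      the given order, so the same parts in the same order always yield the
      same xid, while a different order yields a different xid.
    """
    if identifier is None:
        return str(uuid.uuid4())
    parts = [identifier] if isinstance(identifier, str) else list(identifier)
    if not parts or not all(isinstance(p, str) and p for p in parts):
        raise ValueError("identifier must be a non-empty str or list of non-empty str")
    return str(uuid.uuid5(XID_NAMESPACE, _SEP.join(parts)))


def is_xid(value):
    """True when value parses as a UUID string (the shape this generator emits)."""
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return True


if __name__ == "__main__":
    # Same identifiers, same order: identical xid on every run.
    print(generate_xid(["Example Incident", "Incident"]))
    print(generate_xid(["Incident", "Example Incident"]))  # differs: order changed
```

A practical consequence for a feed integration: derive the xid from fields that are stable in the upstream source (its record id, or the indicator type plus value), never from fields that change between pulls such as a last-seen timestamp, or every run creates new objects instead of updating existing ones.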

group(group_type, name, **kwargs)
Add Group data to Batch object.
Parameters:
- group_type (str) – The ThreatConnect defined Group type.
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Group.
Return type: obj

group_len
Return the number of current groups.

group_shelf_fqfn
Return groups shelf fully qualified filename.
For testing/debugging a previous shelf file can be copied into the tc_temp_path directory instead of creating a new shelf file.

groups
Return dictionary of all Groups data.

groups_shelf
Return dictionary of all Groups data.

halt_on_batch_error
Return halt on batch error value.

halt_on_error
Return batch halt on error setting.

halt_on_file_error
Return halt on file post error value.

halt_on_poll_error
Return halt on poll error value.

hash_collision_mode(value)
Set the file hash collision mode for the entire batch job.
Parameters: value (str) – A value of Split, IgnoreIncoming, IgnoreExisting, FavorIncoming, or FavorExisting.

host(hostname, **kwargs)
Add Host data to Batch object.
Parameters:
- hostname (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- dns_active (bool, kwargs) – If True DNS active is enabled for this indicator.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- whois_active (bool, kwargs) – If True WhoIs active is enabled for this indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of Host.
Return type: obj

incident(name, **kwargs)
Add Incident data to Batch object.
Parameters:
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- event_date (str, kwargs) – The event datetime expression for this Group.
- status (str, kwargs) – The status for this Group.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Incident.
Return type: obj

indicator(indicator_type, summary, **kwargs)
Add Indicator data to Batch object.
Parameters:
- indicator_type (str) – The ThreatConnect defined Indicator type.
- summary (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of Indicator.
Return type: obj

indicator_len
Return the number of current indicators.

indicator_shelf_fqfn
Return indicator shelf fully qualified filename.
For testing/debugging a previous shelf file can be copied into the tc_temp_path directory instead of creating a new shelf file.

indicators
Return dictionary of all Indicator data.

indicators_shelf
Return dictionary of all Indicator data.

intrusion_set(name, **kwargs)
Add Intrusion Set data to Batch object.
Parameters:
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of IntrusionSet.
Return type: obj

mutex(mutex, **kwargs)
Add Mutex data to Batch object.
Parameters:
- mutex (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of Mutex.
Return type: obj

poll(batch_id, retry_seconds=None, back_off=None, timeout=None, halt_on_error=True)
Poll Batch status from the ThreatConnect API.
{
  "status": "Success",
  "data": {
    "batchStatus": {
      "id": 3505,
      "status": "Completed",
      "errorCount": 0,
      "successCount": 0,
      "unprocessCount": 0
    }
  }
}
Parameters:
- batch_id (str) – The ID returned from the ThreatConnect API for the current batch job.
- retry_seconds (int) – The base number of seconds used for retries when the job is not completed.
- back_off (float) – A multiplier to use for backing off on each poll attempt when the job has not completed.
- timeout (int, optional) – The number of seconds before the poll should time out.
- halt_on_error (bool, default True) – If True any exception will raise an error.
Returns: The batch status returned from the ThreatConnect API.
Return type: dict
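As an added example (not the tcex implementation), the loop below shows how retry_seconds, back_off, timeout and halt_on_error interact when polling a status response of the shape shown above. The API is a caller-supplied callable, and sleep/clock are injectable so the run_scripted harness can drive it against a constructed sequence of statuses without waiting; BatchPollError and run_scripted are names this example introduces.

```python
import time


class BatchPollError(Exception):
    """Raised by poll_batch when halt_on_error is True and polling cannot finish."""


def poll_batch(get_status, batch_id, retry_seconds=5, back_off=1.5, timeout=300,
               halt_on_error=True, sleep=time.sleep, clock=time.monotonic):
    """Poll get_status(batch_id) until the batch reports Completed.

    get_status returns a dict shaped like the response above. The wait between
    polls starts at retry_seconds and is multiplied by back_off after every
    attempt; polling stops once the next wait would pass timeout.
    """
    deadline = clock() + timeout
    wait = float(retry_seconds)
    attempts = 0
    while True:
        attempts += 1
        try:
            response = get_status(batch_id)
        except Exception as exc:  # transport or API failure
            if halt_on_error:
                raise BatchPollError(f"poll of batch {batch_id} failed: {exc}") from exc
            return {"status": "Failure", "reason": str(exc), "attempts": attempts}
        batch_status = response.get("data", {}).get("batchStatus", {})
        if batch_status.get("status") == "Completed":
            return {"status": "Success", "batchStatus": batch_status, "attempts": attempts}
        if clock() + wait > deadline:
            reason = f"batch {batch_id} not completed within {timeout}s"
            if halt_on_error:
                raise BatchPollError(reason)
            return {"status": "Failure", "reason": reason, "attempts": attempts}
        sleep(wait)
        wait *= back_off


def run_scripted(statuses, retry_seconds=2, back_off=2.0, timeout=30, halt_on_error=True):
    """Drive poll_batch against a constructed API that answers with `statuses`
    in order (repeating the last one), using a fake clock advanced by sleep.
    Returns (result, list_of_sleeps); a raised BatchPollError is reported as
    a result with status 'Halted'.
    """
    now = [0.0]
    sleeps = []
    answers = iter(statuses)
    last = statuses[-1]

    def fake_sleep(seconds):
        sleeps.append(seconds)
        now[0] += seconds

    def fake_status(batch_id):
        status = next(answers, last)
        if status == "raise":
            raise ConnectionError("api unreachable")
        return {"status": "Success", "data": {"batchStatus": {
            "id": batch_id, "status": status, "errorCount": 0,
            "successCount": 0, "unprocessCount": 0}}}

    try:
        result = poll_batch(fake_status, 3505, retry_seconds, back_off, timeout,
                            halt_on_error, sleep=fake_sleep, clock=lambda: now[0])
    except BatchPollError as exc:
        result = {"status": "Halted", "reason": str(exc)}
    return result, sleeps


if __name__ == "__main__":
    # Queued, Running, Completed with retry 2s and back_off 2.0: sleeps of 2 and 4, success on attempt 3.
    print(run_scripted(["Queued", "Running", "Completed"]))
```

With halt_on_error left at its default the caller gets an exception at the point of failure, which is the behaviour the submit method relies on; with halt_on_error=False the same condition comes back as a Failure dict and the caller decides whether to retrieve errors or retry later.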

poll_timeout
Return current poll timeout value.

registry_key(key_name, value_name, value_type, **kwargs)
Add Registry Key data to Batch object.
Parameters:
- key_name (str) – The key_name value for this Indicator.
- value_name (str) – The value_name value for this Indicator.
- value_type (str) – The value_type value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of Registry Key.
Return type: obj

report(name, **kwargs)
Add Report data to Batch object.
Parameters:
- name (str) – The name for this Group.
- file_name (str) – The name for the attached file for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- file_content (str;method, kwargs) – The file contents or callback method to retrieve file content.
- publish_date (str, kwargs) – The publish datetime expression for this Group.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Report.
Return type: obj

save(resource)
Save group|indicator dict or object to shelve.
Best effort to save group/indicator data to disk. If for any reason the save fails the data will still be accessible from the list in memory.
Parameters: resource (dict|obj) – The Group or Indicator dict or object.

saved_groups
Return True if saved group files exist, else False.

saved_indicators
Return True if saved indicator files exist, else False.

saved_xids
Return previously saved xids.

settings
Return batch job settings.

signature(name, file_name, file_type, file_text, **kwargs)
Add Signature data to Batch object.
Valid file_types:
- Snort ®
- Suricata
- YARA
- ClamAV ®
- OpenIOC
- CybOX ™
- Bro
- Regex
- SPL - Splunk ® Search Processing Language
Parameters:
- name (str) – The name for this Group.
- file_name (str) – The name for the attached signature for this Group.
- file_type (str) – The signature type for this Group.
- file_text (str) – The signature content for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Signature.
Return type: obj

submit(poll=True, errors=True, process_files=True, halt_on_error=True)
Submit Batch request to ThreatConnect API.
By default this method will submit the job request and data; if the size of the data is below the value synchronousBatchSaveLimit set in System Settings it will process the request synchronously and return the batch status. If the size of the batch is greater than the value set, the batch job will be queued. Errors are not retrieved automatically and need to be enabled.
If any of the submit, poll, or error methods fail the entire submit will halt at the point of failure. The behavior can be changed by setting halt_on_error to False.
Each of these methods can also be called on their own for greater control of the submit process.
Parameters:
- poll (bool, default True) – Poll for status.
- errors (bool, default True) – Retrieve any batch errors (only if poll is True).
- process_files (bool, default True) – Send any document or report attachments to the API.
- halt_on_error (bool, default True) – If True any exception will raise an error.
Returns: The Batch Status from the ThreatConnect API.
Return type: dict

submit_all(poll=True, errors=True, process_files=True, halt_on_error=True)
Submit Batch request to ThreatConnect API.
By default this method will submit the job request and data; if the size of the data is below the value synchronousBatchSaveLimit set in System Settings it will process the request synchronously and return the batch status. If the size of the batch is greater than the value set, the batch job will be queued. Errors are not retrieved automatically and need to be enabled.
If any of the submit, poll, or error methods fail the entire submit will halt at the point of failure. The behavior can be changed by setting halt_on_error to False.
Each of these methods can also be called on their own for greater control of the submit process.
Parameters:
- poll (bool, default True) – Poll for status.
- errors (bool, default True) – Retrieve any batch errors (only if poll is True).
- process_files (bool, default True) – Send any document or report attachments to the API.
- halt_on_error (bool, default True) – If True any exception will raise an error.
Returns: The Batch Status from the ThreatConnect API.
Return type: dict

submit_create_and_upload(halt_on_error=True)
Submit Batch request to ThreatConnect API.
Returns: The Batch Status from the ThreatConnect API.
Return type: dict

submit_data(batch_id, halt_on_error=True)
Submit Batch request to ThreatConnect API.
Parameters: batch_id (str) – The batch id of the current job.

submit_file_content(method, url, data, headers, params, halt_on_error=True)
Submit File Content for Documents and Reports to ThreatConnect API.
Parameters:
- method (str) – The HTTP method for the request (POST, PUT).
- url (str) – The URL for the request.
- data (str;bytes;file) – The body (data) for the request.
- headers (dict) – The headers for the request.
- params (dict) – The query string parameters for the request.
- halt_on_error (bool, default True) – If True any exception will raise an error.
Returns: The response from the request.
Return type: requests.models.Response

submit_files(halt_on_error=True)
Submit Files for Documents and Reports to ThreatConnect API.
Critical Errors
- There is insufficient document storage allocated to this account.
Parameters: halt_on_error (bool, default True) – If True any exception will raise an error.
Returns: The upload status for each xid.
Return type: dict

threat(name, **kwargs)
Add Threat data to Batch object.
Parameters:
- name (str) – The name for this Group.
- date_added (str, kwargs) – The date timestamp the Group was created.
- xid (str, kwargs) – The external id for this Group.
Returns: An instance of Threat.
Return type: obj

url(text, **kwargs)
Add URL data to Batch object.
Parameters:
- text (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of URL.
Return type: obj

user_agent(text, **kwargs)
Add User Agent data to Batch object.
Parameters:
- text (str) – The value for this Indicator.
- confidence (str, kwargs) – The threat confidence for this Indicator.
- date_added (str, kwargs) – The date timestamp the Indicator was created.
- last_modified (str, kwargs) – The date timestamp the Indicator was last modified.
- rating (str, kwargs) – The threat rating for this Indicator.
- xid (str, kwargs) – The external id for this Indicator.
Returns: An instance of UserAgent.
Return type: obj

batch.attribute
ThreatConnect Batch Import Module

class tcex.batch.attribute.Attribute(attr_type, attr_value, displayed=False, source=None, formatter=None)
Bases: object
ThreatConnect Batch Attribute Object

data
Return Attribute data.

displayed
Return Attribute displayed.

source
Return Attribute source.

type
Return attribute type.

valid
Return valid value.

value
Return attribute value.

batch.group
ThreatConnect Batch Import Module

class tcex.batch.group.Adversary(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Adversary Object

class tcex.batch.group.Campaign(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Campaign Object

first_seen
Return Campaign first seen.

class tcex.batch.group.Document(name, file_name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Document Object

file_content
Return Group files.

file_data
Return Group files.

malware
Return Document malware.

password
Return Document password.

class tcex.batch.group.Email(name, subject, header, body, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Email Object

from_addr
Return Email from address.

score
Return Email score.

to_addr
Return Email to address.

class tcex.batch.group.Event(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Event Object

event_date
Return the Event's "event date" value.

status
Return the Event's status value.

class tcex.batch.group.Group(group_type, name, **kwargs)
Bases: object
ThreatConnect Batch Group Object

add_file(filename, file_content)
Add a file for Document and Report types.
Example:
document = tcex.batch.group('Document', 'My Document')
document.add_file('my_file.txt', 'my contents')
Parameters:
- filename (str) – The name of the file.
- file_content (bytes|method|str) – The contents of the file or callback to get contents.

add_key_value(key, value)
Add custom field to Group object.
Note
The key must be the exact name required by the batch schema.
Example:
document = tcex.batch.group('Document', 'My Document')
document.add_key_value('fileName', 'something.pdf')
Parameters:
- key (str) – The field key to add to the JSON batch data.
- value (str) – The field value to add to the JSON batch data.

association(group_xid)
Add association using xid value.
Parameters: group_xid (str) – The external id of the Group to associate.

attribute(attr_type, attr_value, displayed=False, source=None, unique=True, formatter=None)
Return instance of Attribute.
unique:
- False – Attribute type:value can be duplicated.
- 'Type' – Attribute type has to be unique (e.g., only 1 Description Attribute).
- True – Attribute type:value combo must be unique.
Parameters:
- attr_type (str) – The ThreatConnect defined attribute type.
- attr_value (str) – The value for this attribute.
- displayed (bool, default False) – If True the supported attribute will be marked for display.
- source (str, optional) – The source value for this attribute.
- unique (bool|string, optional) – Control attribute creation.
- formatter (method, optional) – A method that takes a single attribute value and returns a single formatted value.
Returns: An instance of Attribute.
Return type: obj
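The three unique modes (False, 'Type', True) are documented identically for Group.attribute and Indicator.attribute. The following added example (not the tcex implementation) applies those rules to a plain attribute list so the difference is visible: AttributeSet, demo_unique_modes and the choice to return the existing attribute unchanged on a conflict are assumptions of this example.

```python
class AttributeSet:
    """Attribute collection for one Group or Indicator that applies the
    `unique` rules described above. Returning the existing attribute
    unchanged on a conflict is an assumption of this example.
    """

    def __init__(self):
        self._attrs = []

    def attribute(self, attr_type, attr_value, displayed=False, source=None,
                  unique=True, formatter=None):
        if formatter is not None:
            attr_value = formatter(attr_value)
        if unique == "Type":
            # only one attribute of this type may exist
            existing = self._find(lambda a: a["type"] == attr_type)
        elif unique is True:
            # the type:value combination must be unique
            existing = self._find(lambda a: a["type"] == attr_type and a["value"] == attr_value)
        elif unique is False:
            existing = None  # duplicates allowed
        else:
            raise ValueError("unique must be True, False or 'Type'")
        if existing is not None:
            return existing
        attr = {"type": attr_type, "value": attr_value, "displayed": bool(displayed)}
        if source is not None:
            attr["source"] = source
        self._attrs.append(attr)
        return attr

    def _find(self, predicate):
        return next((a for a in self._attrs if predicate(a)), None)

    @property
    def data(self):
        """Attribute list in the shape used by the batch JSON."""
        return [dict(a) for a in self._attrs]


def demo_unique_modes():
    """Add the same Description twice and then a second value under each mode;
    return how many attributes survive per mode."""
    counts = {}
    for mode in (True, "Type", False):
        attrs = AttributeSet()
        attrs.attribute("Description", "first", unique=mode)
        attrs.attribute("Description", "first", unique=mode)   # exact duplicate
        attrs.attribute("Description", "second", unique=mode)  # same type, new value
        counts[str(mode)] = len(attrs.data)
    return counts


if __name__ == "__main__":
    print(demo_unique_modes())  # {'True': 2, 'Type': 1, 'False': 3}
```

For feeds that re-emit the same record on every pull, unique=True (the default) keeps repeated Source or Description values from piling up on an indicator, while 'Type' is the right choice for attributes that should exist once per object.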

data
Return Group data.

date_added
Return Group dateAdded.

file_data
Return Group file (only supported for Document and Report).

name
Return Group name.

processed
Return processed value.
Note
Processed value indicates that a group with this xid has already been processed.

security_label(name, description=None, color=None)
Return instance of SecurityLabel.
Note
The provided security label will be created if it doesn't exist. If the security label already exists nothing will be changed.
Parameters:
- name (str) – The value for this security label.
- description (str) – A description for this security label.
- color (str) – A color (hex value) for this security label.
Returns: An instance of SecurityLabel.
Return type: obj

tag(name, formatter=None)
Return instance of Tag.
Parameters:
- name (str) – The value for this tag.
- formatter (method, optional) – A method that takes a tag value and returns a formatted tag.
Returns: An instance of Tag.
Return type: obj

type
Return Group type.

xid
Return Group xid.

class tcex.batch.group.Incident(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Incident Object

event_date
Return Incident event date.

status
Return Incident status.

class tcex.batch.group.IntrusionSet(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Intrusion Set Object

class tcex.batch.group.Report(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Report Object

file_content
Return Group files.

file_data
Return Group files.

publish_date
Return Report publish date.

class tcex.batch.group.Signature(name, file_name, file_type, file_text, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Signature Object

class tcex.batch.group.Threat(name, **kwargs)
Bases: tcex.batch.group.Group
ThreatConnect Batch Threat Object

batch.indicator
ThreatConnect Batch Import Module

class tcex.batch.indicator.ASN(as_number, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch ASN Object

class tcex.batch.indicator.Address(ip, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch Address Object

class tcex.batch.indicator.CIDR(block, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch CIDR Object

class tcex.batch.indicator.EmailAddress(address, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch EmailAddress Object

class tcex.batch.indicator.File(md5=None, sha1=None, sha256=None, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch File Object

md5
Return Indicator md5.

sha1
Return Indicator sha1.

sha256
Return Indicator sha256.

size
Return Indicator size.

class tcex.batch.indicator.FileAction(parent_xid, relationship)
Bases: object
ThreatConnect Batch FileAction Object

data
Return File Action data.

class tcex.batch.indicator.FileOccurrence(file_name=None, path=None, date=None)
Bases: object
ThreatConnect Batch FileOccurrence Object

data
Return File Occurrence data.

date
Return File Occurrence date.

file_name
Return File Occurrence file name.

path
Return File Occurrence path.

class tcex.batch.indicator.Host(hostname, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch Host Object

dns_active
Return Indicator dns active.

whois_active
Return Indicator whois active.

class tcex.batch.indicator.Indicator(indicator_type, summary, **kwargs)
Bases: object
ThreatConnect Batch Indicator Object

active
Return Indicator active.

add_key_value(key, value)
Add custom field to Indicator object.
Note
The key must be the exact name required by the batch schema.
Example:
file_hash = tcex.batch.indicator('File', '1d878cdc391461e392678ba3fc9f6f32')
file_hash.add_key_value('size', '1024')
Parameters:
- key (str) – The field key to add to the JSON batch data.
- value (str) – The field value to add to the JSON batch data.

association(group_xid)
Add association using xid value.
Parameters: group_xid (str) – The external id of the Group to associate.

attribute(attr_type, attr_value, displayed=False, source=None, unique=True, formatter=None)
Return instance of Attribute.
unique:
- False – Attribute type:value can be duplicated.
- 'Type' – Attribute type has to be unique (e.g., only 1 Description Attribute).
- True – Attribute type:value combo must be unique.
Parameters:
- attr_type (str) – The ThreatConnect defined attribute type.
- attr_value (str) – The value for this attribute.
- displayed (bool, default False) – If True the supported attribute will be marked for display.
- source (str, optional) – The source value for this attribute.
- unique (bool|string, optional) – Control attribute creation.
- formatter (method, optional) – A method that takes a single attribute value and returns a single formatted value.
Returns: An instance of Attribute.
Return type: obj

static build_summary(val1=None, val2=None, val3=None)
Build the Indicator summary using available values.

confidence
Return Indicator confidence.

data
Return Indicator data.

date_added
Return Indicator dateAdded.

last_modified
Return Indicator lastModified.

occurrence(file_name=None, path=None, date=None)
Add a file Occurrence.
Parameters:
- file_name (str, optional) – The file name for this occurrence.
- path (str, optional) – The file path for this occurrence.
- date (str, optional) – The datetime expression for this occurrence.
Returns: An instance of Occurrence.
Return type: obj

private_flag
Return Indicator private flag.

rating
Return Indicator rating.

security_label(name, description=None, color=None)
Return instance of SecurityLabel.
Note
The provided security label will be created if it doesn't exist. If the security label already exists nothing will be changed.
Parameters:
- name (str) – The value for this security label.
- description (str) – A description for this security label.
- color (str) – A color (hex value) for this security label.
Returns: An instance of SecurityLabel.
Return type: obj

summary
Return Indicator summary.

tag(name, formatter=None)
Return instance of Tag.
Parameters:
- name (str) – The value for this tag.
- formatter (method, optional) – A method that takes a tag value and returns a formatted tag.
Returns: An instance of Tag.
Return type: obj

type
Return Indicator type.

xid
Return Indicator xid.

class tcex.batch.indicator.Mutex(mutex, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch Mutex Object

class tcex.batch.indicator.RegistryKey(key_name, value_name, value_type, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch Registry Key Object

class tcex.batch.indicator.URL(text, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch URL Object

class tcex.batch.indicator.UserAgent(text, **kwargs)
Bases: tcex.batch.indicator.Indicator
ThreatConnect Batch User Agent Object

batch.security_label
ThreatConnect SecurityLabel Object