tcex.tcex_resources module

TcEx Framework Resource Module

class tcex.tcex_resources.Address(tcex)[source]

Bases: tcex.tcex_resources.Indicator

Address Resource Class

This resource class will return indicators of type Address (ipv4 and/or ipv6). To filter on specific indicators use the indicator or resource_id methods provided in the parent Class.

indicator(data)[source]

Update the request URI to include the Indicator for specific indicator retrieval.

Overload to handle formatting of ipv6 addresses

Parameters:data (string) – The indicator value
class tcex.tcex_resources.Adversary(tcex)[source]

Bases: tcex.tcex_resources.Group

Adversary Resource Class

This resource class will return groups of type Adversary. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.Batch(tcex)[source]

Bases: tcex.tcex_resources.Resource

Batch Resource Class

batch_id(batch_id)[source]

The ID of the batch job used to push data and/or retrieve status.

Parameters:batch_id (integer) – The id of the batch job.
errors(batch_id)[source]

Update the URI to retrieve errors for a batch job.

Parameters:batch_id (integer) – The id of the batch job.
class tcex.tcex_resources.Bulk(tcex)[source]

Bases: tcex.tcex_resources.Indicator

Bulk Resource Class

This resource class will return bulk status or bulk indicators via the Bulk API endpoint. The base URL will return the status of bulk generation (see example below), while the /csv and /json endpoints will return the indicators in the selected format.

Base response:

{
    "status": "Success",
    "data": {
        "bulkStatus": {
            "name": "Acme Corp",
            "csvEnabled": false,
            "jsonEnabled": true,
            "nextRun": "2016-12-07T00:00:00Z",
            "lastRun": "2016-12-06T00:04:33Z",
            "status": "Complete"
        }
    }
}
csv(ondemand=False)[source]

Update request URI to return CSV data.

For onDemand bulk generation to work it must first be enabled in the ThreatConnect platform under System settings.

Parameters:ondemand (boolean) – Enable on demand bulk generation.
json(ondemand=False)[source]

Update request URI to return JSON data.

For onDemand bulk generation to work it must first be enabled in the ThreatConnect platform under System settings.

Parameters:ondemand (boolean) – Enable on demand bulk generation.
class tcex.tcex_resources.Campaign(tcex)[source]

Bases: tcex.tcex_resources.Group

Campaign Resource Class

This resource class will return groups of type Campaign. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.CustomMetric(tcex)[source]

Bases: tcex.tcex_resources.Resource

Custom Metric Class

HTTP Method API Endpoint URI’s
GET /v2/customMetrics
POST /v2/customMetrics
{
  "name": "My Custom Metric",
  "dataType": "Sum",
  "interval": "Hourly",
  "keyedValues": true,
  "description": "A sum of all occurrences per Indicator Source"
}

This resource class will return or create custom metrics.

data(resource_value, return_value=False)[source]

Alias for metric_name method

HTTP Method API Endpoint URI’s
POST /v2/customMetrics/{id}|{name}/data

Example

The weight value is optional.

{
  "value": 1,
  "weight": 1
}

Keyed Example

The weight value is optional.

{
  "value": 1,
  "weight": 1,
  "name": "src1"
}
Parameters:resource_name (string) – The metric name.
metric_id(resource_id)[source]

Update the request URI to include the Metric Id for specific retrieval.

HTTP Method API Endpoint URI’s
GET /v2/customMetrics/{id}
PUT /v2/customMetrics/{id}
Parameters:resource_id (string) – The metric id.
metric_name(resource_name)[source]

Update the request URI to include the Metric Name for specific retrieval.

HTTP Method API Endpoint URI’s
GET /v2/customMetrics/{name}
PUT /v2/customMetrics/{name}
Parameters:resource_name (string) – The metric name.
resource_id(resource_id)[source]

Alias for metric_id method

Parameters:resource_id (string) – The metric id.
resource_name(resource_name)[source]

Alias for metric_name method

Parameters:resource_name (string) – The metric name.
class tcex.tcex_resources.DataStore(tcex)[source]

Bases: object

DataStore Class

This resource class will return DataStore.

_request(domain, type_name, search_command, db_method, body=None)[source]

Make the API request for a Data Store CRUD operation

Parameters:
  • domain (string) – One of ‘local’, ‘organization’, or ‘system’.
  • type_name (string) – This is a free form index type name. The ThreatConnect API will use this resource verbatim.
  • search_command (string) – Search command to pass to ES.
  • db_method (string) – The DB method ‘DELETE’, ‘GET’, ‘POST’, or ‘PUT’
  • body (dict) – JSON body
add_payload(key, val, append=True)[source]

Add a key value pair to payload for this request.

Note

For _search you can pass a search argument. (e.g. _search?summary=1.1.1.1).

Parameters:
  • key (string) – The payload key
  • val (string) – The payload value
  • append (bool) – Indicates whether the value should be appended or overwritten.
create(domain, type_name, search_command, body)[source]

Create entry in ThreatConnect Data Store

Parameters:
  • domain (string) – One of ‘local’, ‘organization’, or ‘system’.
  • type_name (string) – This is a free form index type name. The ThreatConnect API will use this resource verbatim.
  • search_command (string) – Search command to pass to ES.
  • body (str) – JSON serialized data.
delete(domain, type_name, search_command)[source]

Delete entry in ThreatConnect Data Store

Parameters:
  • domain (string) – One of ‘local’, ‘organization’, or ‘system’.
  • type_name (string) – This is a free form index type name. The ThreatConnect API will use this resource verbatim.
  • search_command (string) – Search command to pass to ES.
read(domain, type_name, search_command, body=None)[source]

Read entry in ThreatConnect Data Store

Parameters:
  • domain (string) – One of ‘local’, ‘organization’, or ‘system’.
  • type_name (string) – This is a free form index type name. The ThreatConnect API will use this resource verbatim.
  • search_command (string) – Search command to pass to ES.
  • body (str) – JSON body
update(domain, type_name, search_command, body)[source]

Update entry in ThreatConnect Data Store

Parameters:
  • domain (string) – One of ‘local’, ‘organization’, or ‘system’.
  • type_name (string) – This is a free form index type name. The ThreatConnect API will use this resource verbatim.
  • search_command (string) – Search command to pass to ES.
  • body (str) – JSON body
class tcex.tcex_resources.Document(tcex)[source]

Bases: tcex.tcex_resources.Group

Document Resource Class

This resource class will return groups of type Document. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

download(resource_id)[source]

Update the request URI to download the document for this resource.

Parameters:resource_id (integer) – The group id.
upload(resource_id, data)[source]

Update the request URI to upload a document to this resource.

Parameters:
  • resource_id (integer) – The group id.
  • data (any) – The raw data to upload.
class tcex.tcex_resources.Email(tcex)[source]

Bases: tcex.tcex_resources.Group

Email Resource Class

This resource class will return groups of type Email. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

class tcex.tcex_resources.EmailAddress(tcex)[source]

Bases: tcex.tcex_resources.Indicator

EmailAddress Resource Class

This resource class will return indicators of type Email. To filter on specific indicators use the indicator or resource_id methods provided in the parent Class.

class tcex.tcex_resources.Event(tcex)[source]

Bases: tcex.tcex_resources.Group

Event Resource Class

This resource class will return groups of type Event. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.File(tcex)[source]

Bases: tcex.tcex_resources.Indicator

File Resource Class

This resource class will return indicators of type File (e.g. md5, sha1, sha256). To filter on specific indicators use the indicator or resource_id methods provided in the parent Class.

file_action(action_name, association_resource=None)[source]

File action pivot for this resource.

Example Endpoints URI’s

Method API Endpoint URI’s
{base} /v2/indicators/files/{uniqueId}/actions/{actionName}
GET {base}/indicators
GET {base}/indicators/{type}
DELETE {base}/indicators/{type}/indicator
POST {base}/indicators/{type}/indicator
Name               API Branch     Indicator Type Associated with File
File Archive       /archive       File
File Drop          /drop          File
File Traffic       /traffic       Address, Host, URL
File Mutex         /mutex         Mutex
File Registry Key  /registryKey   Registry Key
File User Agent    /userAgent     User Agent
File DNS Query     /dnsQuery      Host
Parameters:
  • action_name (string) – The name of the action as defined by ThreatConnect.
  • association_resource (object) – An instance of Resource for an Indicator or sub type.
static get_first_hash(hash_string)[source]

Return first non None hash from string.

md5 : sha1 : sha256

Parameters:hash_string – (string): The string with delimited hash values.
indicator(data)[source]

Update the request URI to include the Indicator for specific indicator retrieval.

Parameters:data (string) – The indicator value
static indicator_body(indicators)[source]

Generate the appropriate dictionary content for POST of a File indicator

Parameters:indicators (list) – A list of one or more hash value(s).
occurrence(indicator=None)[source]

Update the URI to retrieve file occurrences for the provided indicator.

Parameters:indicator (string) – The indicator to retrieve file occurrences.
summary(indicator_data)[source]

Return a summary value for any given indicator type.

class tcex.tcex_resources.Group(tcex)[source]

Bases: tcex.tcex_resources.Resource

Group Resource Class

This resource class is the base for all groups and will return groups of all types. For specific group types use the child class of the type required.

group_id(resource_id)[source]

Update the request URI to include the Group ID for specific group retrieval.

Parameters:resource_id (string) – The group id.
resource_id(resource_id)[source]

Alias for group_id method

Parameters:resource_id (string) – The group id.
class tcex.tcex_resources.Host(tcex)[source]

Bases: tcex.tcex_resources.Indicator

Host Resource Class

This resource class will return indicators of type Host. To filter on specific indicators use the indicator or resource_id methods provided in the parent Class.

resolution(indicator=None)[source]

Update the URI to retrieve host resolutions for the provided indicator.

Parameters:indicator (string) – The indicator to retrieve resolutions.
class tcex.tcex_resources.Incident(tcex)[source]

Bases: tcex.tcex_resources.Group

Incident Resource Class

This resource class will return groups of type Incident. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

event_date(date)[source]

Incident Event Date.

Attention

Not implemented at this time

Parameters:date – The event date in ISO 8601 format.
pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.Indicator(tcex)[source]

Bases: tcex.tcex_resources.Resource

Indicator Resource Class

This resource class is the base for all indicators and will return indicators of all types. For specific indicator types use the child class of the type required. Custom indicator types are supported dynamically and are not defined here.

deleted()[source]

Update the request URI to include the deleted endpoint.

entity_body(data)[source]

Alias to indicator_body() method.

Parameters:data (list) – A list of appropriate indicators for the Indicator Type.
Returns:Dictionary containing the indicator part of the body.
Return type:(dict)
false_positive()[source]

Report indicator False Positive

indicator(data)[source]

Update the request URI to include the Indicator for specific indicator retrieval.

Parameters:data (string) – The indicator value
indicator_body(indicators)[source]

Generate the appropriate dictionary content for POST of a single indicator.

For an Address indicator, pass a list with a single IP address; for File indicators, pass a list of 1 up to 3 hash values. Custom indicator fields have to be in the correct order (e.g. field 1, field 2, field 3 as defined in the UI).

Parameters:indicators (list) – A list of appropriate indicators for the Indicator Type.
Returns:Dictionary containing the indicator part of the body.
Return type:(dict)
indicators(indicator_data)[source]

Generator for indicator values.

Some indicators such as Files (hashes) and Custom Indicators can have multiple indicator values (e.g. md5, sha1, sha256). This method provides a generator to iterate over all indicator values.

Both the summary field and the individual indicator fields (e.g. md5, sha1, sha256) are supported.

For indicators that have only one value such as ip or hostName the generator will only return the one result.

# the individual indicator JSON from the API
for i in resource.indicators(indicator_data):
    print(i.get('type'))  # md5, sha1, sha256, etc
    print(i.get('value'))  # hash or custom indicator value

Warning

This method could break for custom indicators that have " : " in the value of the indicator while using the summary field.

Note

For /v2/indicators and /v2/indicators/bulk/json API endpoints only one hash is returned for a file Indicator even if there are multiple in the platform. If all hashes are required the /v2/indicators/files or /v2/indicators/files/<hash> endpoints will provide all hashes.

Parameters:indicator_data (dict) – The indicator dictionary.
Returns:A dict containing the indicator type and value.
Return type:(dictionary)
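
The failure mode described in the Warning above, as an added example (this is not TcEx code): a stand-alone splitter that prefers the individual value fields and refuses to guess when a summary cannot be mapped back to its fields. The function name indicator_values, the exception AmbiguousSummary and the custom field names value1/value2 are assumptions made for illustration; all sample data is constructed.

```python
import re

SEP = " : "  # separator this page shows for multi-value summaries
HASH_TYPE_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
FILE_FIELDS = ["md5", "sha1", "sha256"]
CUSTOM_FIELDS = ["value1", "value2"]  # hypothetical two-field custom type


class AmbiguousSummary(ValueError):
    """Raised when a summary cannot be mapped back to its value fields."""


def _from_file_summary(summary):
    # Type each hash by its length, not its position, so a summary that
    # carries only one or two hashes is still labelled correctly.
    values = []
    for part in summary.split(SEP):
        part = part.strip()
        if not HEX_RE.fullmatch(part) or len(part) not in HASH_TYPE_BY_LEN:
            raise AmbiguousSummary("not an md5/sha1/sha256 value: %r" % part)
        values.append({"type": HASH_TYPE_BY_LEN[len(part)], "value": part.lower()})
    return values


def indicator_values(indicator_data, value_fields):
    """Return a list of {'type': ..., 'value': ...} dicts for one indicator."""
    # 1. Individual fields are unambiguous: use them whenever present.
    found = [
        {"type": field, "value": indicator_data[field]}
        for field in value_fields
        if indicator_data.get(field)
    ]
    if found:
        return found

    summary = indicator_data.get("summary")
    if not summary:
        return []

    # 2. Single-value types (ip, hostName, ...): the summary is the value.
    #    Never split it; an IPv6 address is full of ':' characters.
    if len(value_fields) == 1:
        return [{"type": value_fields[0], "value": summary}]

    # 3. File hashes: split, then classify by length.
    if set(value_fields) == set(HASH_TYPE_BY_LEN.values()):
        return _from_file_summary(summary)

    # 4. Multi-field custom indicator: positional split. More parts than
    #    fields proves a value contained the separator. Fewer or equal
    #    parts can still be wrong and is NOT detectable here, which is
    #    why step 1 comes first.
    parts = summary.split(SEP)
    if len(parts) > len(value_fields):
        raise AmbiguousSummary(
            "%d parts for %d fields: %r" % (len(parts), len(value_fields), summary)
        )
    return [{"type": f, "value": p} for f, p in zip(value_fields, parts)]


# Constructed sample data (not real indicators).
MD5, SHA1, SHA256 = "ab" * 16, "cd" * 20, "ef" * 32
FILE_SUMMARY_ONLY = {"summary": SEP.join([MD5, SHA1, SHA256])}
FILE_ONE_HASH = {"summary": SHA256}  # one hash only, as the Note describes
CUSTOM_FULL = {"summary": "GET : /a : b", "value1": "GET", "value2": "/a : b"}
CUSTOM_SUMMARY_ONLY = {"summary": "GET : /a : b"}

if __name__ == "__main__":
    for sample, fields in (
        (FILE_SUMMARY_ONLY, FILE_FIELDS),
        (FILE_ONE_HASH, FILE_FIELDS),
        (CUSTOM_FULL, CUSTOM_FIELDS),
    ):
        for item in indicator_values(sample, fields):
            print(item["type"], item["value"])
    try:
        indicator_values(CUSTOM_SUMMARY_ONLY, CUSTOM_FIELDS)
    except AmbiguousSummary as exc:
        print("rejected:", exc)
```
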
observation_count()[source]

Retrieve indicator observation count

observations()[source]

Report indicator observations

observed(date_observed=None)[source]

Retrieve indicator observations count for top 10

resource_id(data)[source]

Alias for indicator method.

The resource id for an indicator in this class is the indicator value and not the actual indicator id stored in ThreatConnect.

Parameters:data (string) – The indicator value.
summary(indicator_data)[source]

Return a summary value for any given indicator type.

class tcex.tcex_resources.Intrusion_Set(tcex)[source]

Bases: tcex.tcex_resources.Group

Intrusion Set Resource Class

This resource class will return groups of type Intrusion Set. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.Notification(tcex)[source]

Bases: tcex.tcex_resources.Resource

Custom Notification Class

HTTP Method API Endpoint URI’s
POST /v2/notifications
{
    "notificationType": "App Success",
    "priority": "High",
    "message": "App worked just fine.",
    "isOrganization": false,
    "recipients": "opsTeam@threatconnect.com"
}

This resource class will create notifications.

class tcex.tcex_resources.Owner(tcex)[source]

Bases: tcex.tcex_resources.Resource

Owner Class

This resource class will return Owners.

owner_id(resource_id)[source]

Update the request URI to include the Owner Id for specific retrieval.

Parameters:resource_id (string) – The owner id.
resource_id(resource_id)[source]

Alias for owner_id method

Parameters:resource_id (string) – The owner id.
class tcex.tcex_resources.Report(tcex)[source]

Bases: tcex.tcex_resources.Group

Report Resource Class

This resource class will return groups of type Report. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

download(resource_id)[source]

Update the request URI to download the report for this resource.

Parameters:resource_id (integer) – The group id.
upload(resource_id, data)[source]

Update the request URI to upload a report to this resource.

Parameters:
  • resource_id (integer) – The group id.
  • data (any) – The raw data to upload.
class tcex.tcex_resources.Resource(tcex)[source]

Bases: object

Common settings for All ThreatConnect API Endpoints

__iter__()[source]

Add iterator to Resource Object

__next__()[source]

Add next iterator to Resource Object

__str__()[source]

A printable string for this resource.

Returns:A printable string with Class data.
Return type:(str)
_apply_filters()[source]

Apply any filters added to the resource.

_request_bulk(response)[source]
_request_process(response)[source]
_request_process_json(response)[source]

Handle response data of type JSON

Returns:The data from the download (string): The status of the download
Return type:(string)
_request_process_json_bulk(response_data)[source]

Handle bulk JSON response

Returns:The response data (string): The response status
Return type:(string)
_request_process_json_standard(response_data)[source]

Handle JSON response

This should be the most common response from the ThreatConnect API.

Returns:The response data (string): The response status
Return type:(string)
_request_process_json_status(response_data)[source]

Handle JSON response with no “data” entity

Returns:The response data (string): The response status
Return type:(string)
_request_process_octet(response)[source]

Handle Document download.

Returns:The data from the download (string): The status of the download
Return type:(string)
_request_process_text(response)[source]

Handle Signature download.

Returns:The data from the download (string): The status of the download
Return type:(string)
add_filter(name, operator, value)[source]

Add ThreatConnect API Filter for this resource request.

External Reference:
https://docs.threatconnect.com
Parameters:
  • name (string) – The filter field name.
  • operator (string) – The filter comparison operator.
  • value (string) – The filter value.
add_payload(key, val, append=False)[source]

Add a key value pair to payload for this request.

Note

For _search you can pass a search argument. (e.g. _search?summary=1.1.1.1).

Parameters:
  • key (string) – The payload key
  • val (string) – The payload value
  • append (bool) – Indicate whether the value should be appended
api_branch

The ThreatConnect API branch for this resource.

Returns:The addresses endpoint from /v2/indicators/addresses/.
Return type:(str)
api_branch_base

The ThreatConnect API branch base (parent branch) for this resource.

Returns:
The indicators endpoint from /v2/indicators or
/v2/indicators/addresses.
Return type:(str)
api_entity

The ThreatConnect API entity for this resource.

Returns:The address JSON entity from JSON response to /v2/indicators/addresses.
Return type:(str)
api_uri

The ThreatConnect API URI for this resource.

Returns:The API URI endpoint /v2/indicators/addresses.
Return type:(string)
association_custom(association_name, association_resource=None)[source]

Custom Indicator association for this resource with resource value.

Example Endpoints URI’s

HTTP API Endpoint URI’s
{base} /v2/indicators/{indicatorType}/{uniqueId}/associations/{associationName}
GET {base}/indicators
GET {base}/indicators/{indicatorType}
DELETE {base}/indicators/{indicatorType}/{value}
POST {base}/indicators/{indicatorType}/{value}
Parameters:
  • association_name (string) – The name of the custom association as defined in the UI.
  • association_resource (object) – An instance of Resource for an Indicator or sub type.
association_pivot(association_resource)[source]

Pivot point on association for this resource.

This method will return all resources (group, indicators, task, victims, etc) for this resource that are associated with the provided resource.

Example Endpoints URI’s

METHOD API Endpoint URI’s
GET /v2/groups/{pivot resourceType}/{pivot uniqueId}/{resourceType}
GET /v2/groups/{pivot resourceType}/{pivot uniqueId}/{resourceType}/{uniqueId}
POST /v2/groups/{pivot resourceType}/{pivot uniqueId}/{resourceType}/{uniqueId}
GET /v2/indicators/{pivot resourceType}/{pivot uniqueId}/{resourceType}
GET /v2/indicators/{pivot resourceType}/{pivot uniqueId}/{resourceType}/{uniqueId}
POST /v2/indicator/{pivot resourceType}/{pivot uniqueId}/{resourceType}/{uniqueId}
Parameters:resource_api_branch (string) – The resource pivot api branch including resource id.
associations(association_resource)[source]

Retrieve Association for this resource of the type in association_resource.

This method will return all resources (group, indicators, task, victims, etc) for this resource that are associated with the provided association resource_type.

Example Endpoints URI’s

Method API Endpoint URI’s
{base} /v2/{resourceClass}/{resourceType}/{resourceId}
GET {base}/{assoc resourceClass}/{assoc resourceType}
POST {base}/{assoc resourceClass}/{assoc resourceType}/{assoc resourceId}
DELETE {base}/{assoc resourceClass}/{assoc resourceType}/{assoc resourceId}
  • resourceClass - Groups/Indicators
  • resourceType - Adversary, Incident, etc / Address, EmailAddress, etc
  • resourceId - Group Id / Indicator Value
Parameters:association_resource (Resource Instance) – A resource object with optional resource_id.
Returns:A copy of this resource instance cleaned and updated for associations.
Return type:(instance)
attributes(resource_id=None)[source]

Attribute endpoint for this resource with optional attribute id.

This method will set the resource endpoint for working with Attributes. The HTTP GET method will return all attributes applied to this resource or, if a resource id (attribute id) is provided, it will return the provided attribute if it exists on this resource. An attribute can be added to this resource using the HTTP POST method and passing a JSON body containing the attribute type and attribute value. Using the HTTP PUT method with a provided resource id, an attribute can be updated. The HTTP DELETE method will remove the provided attribute from this resource.

Example Endpoints URI’s

HTTP Method API Endpoint URI’s
GET /v2/groups/{resourceType}/{uniqueId}/attributes
GET /v2/groups/{resourceType}/{uniqueId}/attributes/{resourceId}
DELETE /v2/groups/{resourceType}/{uniqueId}/attributes/{resourceId}
POST /v2/groups/{resourceType}/{uniqueId}/attributes
PUT /v2/groups/{resourceType}/{uniqueId}/attributes/{resourceId}
Parameters:resource_id (Optional [string]) – The resource id (attribute id).
body

The body for this resource request.

Returns:The HTTP request body.
Return type:(any)
case_preference

String value for Custom Indicators case preference

Returns:Either lower, upper or case sensitive.
Return type:(string)
content_type

The Content-Type header value for this resource request.

copy()[source]

Return a “clean” copy of this instance.

Returns:A clean copy of this instance.
Return type:(instance)
copy_reset()[source]

Reset values after instance has been copied

custom

Boolean value for Custom Indicators

Returns:True if the Indicator is a Custom Type.
Return type:(boolean)
group_pivot(group_resource)[source]

Pivot point on groups for this resource.

This method will return all resources (indicators, tasks, victims, etc) for this resource that are associated with the provided resource id (indicator value).

Example Endpoints URI’s

Method API Endpoint URI’s
GET /v2/groups/{resourceType}/{resourceId}/indicators/{resourceType}
GET /v2/groups/{resourceType}/{resourceId}/indicators/{resourceType}/{uniqueId}
GET /v2/groups/{resourceType}/{resourceId}/tasks/
GET /v2/groups/{resourceType}/{resourceId}/tasks/{uniqueId}
GET /v2/groups/{resourceType}/{resourceId}/victims/
GET /v2/groups/{resourceType}/{resourceId}/victims/{uniqueId}
Parameters:group_resource (Resource Instance) – A resource object with optional resource_id.
Returns:A copy of this resource instance cleaned and updated for group associations.
Return type:(instance)
http_method

The HTTP Method for this resource request.

Returns:The HTTP request method (GET, POST, etc.)
Return type:(string)
indicator_pivot(indicator_resource)[source]

Pivot point on indicators for this resource.

This method will return all resources (groups, tasks, victims, etc) for this resource that are associated with the provided resource id (indicator value).

Example Endpoints URI’s

Method API Endpoint URI’s
GET /v2/indicators/{resourceType}/{resourceId}/groups/{resourceType}
GET /v2/indicators/{resourceType}/{resourceId}/groups/{resourceType}/{uniqueId}
GET /v2/indicators/{resourceType}/{resourceId}/tasks/
GET /v2/indicators/{resourceType}/{resourceId}/tasks/{uniqueId}
GET /v2/indicators/{resourceType}/{resourceId}/victims/
GET /v2/indicators/{resourceType}/{resourceId}/victims/{uniqueId}
Parameters:
  • resource_type (string) – The resource pivot resource type (indicator type).
  • resource_id (integer) – The resource pivot id (indicator value).
name

The name value for this resource.

Returns:The name of the Resource Type (e.g. Indicator, Task, etc.)
Return type:(str)
next()

Add next iterator to Resource Object

owner

The Owner payload value for this resource request.

Returns:The ThreatConnect owner name set during request.
Return type:(str)
paginate()[source]

Paginate results from ThreatConnect API

Attention

This method will be deprecated in a future release.

Returns:Resource Data
Return type:(dictionary)
parent

The parent object name for this resource.

Returns:
The API endpoint parent value (e.g. Indicator for Address or Group
for Adversary.)
Return type:(str)
parsable

Boolean value for Custom Indicators parsable setting.

Returns:True if the Custom Indicator is parsable.
Return type:(boolean)
request()[source]

Send the request to the API.

This method will send the request to the API. It will try to handle all the types of responses and provide the relevant data when possible. Some basic error detection and handling is implemented, but not all failure cases will get caught.

Returns:Response/Results data.
Return type:(dictionary)
request_entity

The temporary entity name used for the request.

The request entity starts as the resource api_entity and changes depending on the pivot resource. This value is reset after the request() method is called.

Returns:The entity field in the API results data.
Return type:(str)
request_uri

The temporary uri used for the request.

The request uri starts as the resource api_uri and changes depending on the pivot resource. This value is reset after the request() method is called.

Returns:The requests API URI.
Return type:(str)
result_count

Boolean for API pagination when there are previous results to retrieve.

Returns:The number of results a paginated API call will return.
Return type:(int)
result_limit

Return the ThreatConnect API query parameter for the number of results.

Returns:The limit of results to return during pagination.
Return type:(int)
security_label_pivot(security_label_resource)[source]

Pivot point on security labels for this resource.

This method will return all resources (group, indicators, task, victims, etc) for this resource that have the provided security label applied.

Example Endpoints URI’s

HTTP Method API Endpoint URI’s
GET /v2/securityLabels/{resourceId}/groups/{resourceType}
GET /v2/securityLabels/{resourceId}/groups/{resourceType}/{uniqueId}
GET /v2/securityLabels/{resourceId}/indicators/{resourceType}
GET /v2/securityLabels/{resourceId}/indicators/{resourceType}/{uniqueId}
Parameters:resource_id (string) – The resource pivot id (security label name).
security_labels(resource_id=None)[source]

Security Label endpoint for this resource with optional label name.

This method will set the resource endpoint for working with Security Labels. The HTTP GET method will return all security labels applied to this resource or if a resource id (security label name) is provided it will return the provided security label if it has been applied, which could be useful to verify a security label is applied. The provided resource_id (security label name) can be applied to this resource using the HTTP POST method. The HTTP DELETE method will remove the provided security label from this resource.

Example Endpoints URI’s

HTTP Method API Endpoint URI’s
GET /v2/{resourceType}/{uniqueId}/securityLabels
GET /v2/{resourceType}/{uniqueId}/securityLabels/{resourceId}
DELETE /v2/{resourceType}/{uniqueId}/securityLabels/{resourceId}
POST /v2/{resourceType}/{uniqueId}/securityLabels/{resourceId}
Parameters:resource_id (Optional [string]) – The resource id (security label name).
tag_pivot(tag_resource)[source]

Pivot point on tags for this resource.

This method will return all resources (group, indicators, task, victims, etc) for this resource that have the provided tag applied.

Example Endpoints URI’s

HTTP Method API Endpoint URI’s
GET /v2/tags/{resourceId}/groups/{resourceType}
GET /v2/tags/{resourceId}/groups/{resourceType}/{uniqueId}
GET /v2/tags/{resourceId}/indicators/{resourceType}
GET /v2/tags/{resourceId}/indicators/{resourceType}/{uniqueId}
POST /v2/tags/{resourceId}/groups/{resourceType}/{uniqueId}
POST /v2/tags/{resourceId}/indicators/{resourceType}/{uniqueId}
Parameters:resource_id (string) – The resource pivot id (tag name).
tags(resource_id=None)[source]

Tag endpoint for this resource with optional tag name.

This method will set the resource endpoint for working with Tags. The HTTP GET method will return all tags applied to this resource or if a resource id (tag name) is provided it will return the provided tag if it has been applied, which could be useful to verify a tag is applied. The provided resource_id (tag) can be applied to this resource using the HTTP POST method. The HTTP DELETE method will remove the provided tag from this resource.

Example Endpoints URI’s

HTTP Method API Endpoint URI’s
GET /v2/groups/{resourceType}/{uniqueId}/tags
GET /v2/groups/{resourceType}/{uniqueId}/tags/{resourceId}
GET /v2/indicators/{resourceType}/{uniqueId}/tags
GET /v2/indicators/{resourceType}/{uniqueId}/tags/{resourceId}
DELETE /v2/groups/{resourceType}/{uniqueId}/tags/{resourceId}
DELETE /v2/indicators/{resourceType}/{uniqueId}/tags/{resourceId}
POST /v2/groups/{resourceType}/{uniqueId}/tags/{resourceId}
POST /v2/indicators/{resourceType}/{uniqueId}/tags/{resourceId}
Parameters:resource_id (Optional [string]) – The resource id (tag name).
task_pivot(task_resource)[source]

Pivot point on Tasks for this resource.

This method will return all resources (group, indicators, victims, etc) for this resource that are associated with the provided task id.

Example Endpoints URI’s

HTTP Method API Endpoint URI’s
GET /v2/tasks/{resourceId}/groups/{resourceType}
GET /v2/tasks/{resourceId}/groups/{resourceType}/{uniqueId}
GET /v2/tasks/{resourceId}/indicators/{resourceType}
GET /v2/tasks/{resourceId}/indicators/{resourceType}/{uniqueId}
Parameters:resource_id (integer) – The resource pivot id (task id).
value_fields

The value fields for this resource.

Returns:
The fields in the response JSON that have the key value (e.g. ['md5', 'sha1', 'sha256'] or ['ip']).
Return type:(list)
victim_assets(asset_type=None, asset_id=None)[source]

Victim Asset endpoint for this resource with optional asset type.

This method will set the resource endpoint for working with Victim Assets. The HTTP GET method will return all Victim Assets associated with this resource or, if an asset type is provided, it will return the provided asset type if it has been associated. The provided asset type can be associated to this resource using the HTTP POST method. The HTTP DELETE method will remove the provided tag from this resource.

Example Endpoint URIs

HTTP Method API Endpoint URIs
GET /v2/groups/{resourceType}/{uniqueId}/victimAssets
GET /v2/groups/{resourceType}/{uniqueId}/victimAssets/{assetType}
GET /v2/groups/{resourceType}/{uniqueId}/victimAssets/{assetType}/{resourceId}
GET /v2/indicators/{resourceType}/{uniqueId}/victimAssets
GET /v2/indicators/{resourceType}/{uniqueId}/victimAssets/{assetType}
GET /v2/indicators/{resourceType}/{uniqueId}/victimAssets/{assetType}/{resourceId}
GET /v2/victim/{uniqueId}/victimAssets/{assetType}
GET /v2/victim/{uniqueId}/victimAssets/{assetType}/{resourceId}
DELETE /v2/groups/{resourceType}/{uniqueId}/victimAssets/{assetType}/{resourceId}
POST /v2/groups/{resourceType}/{uniqueId}/victimAssets/{assetType}/{resourceId}
Parameters:
  • asset_type (Optional [string]) – The asset type.
  • asset_id (Optional [string]) – The asset id.
victim_pivot(victim_resource)[source]

Pivot point on Victims for this resource.

This method will return all resources (group, indicators, task, etc) for this resource that are associated with the provided victim id.

Example Endpoint URIs

HTTP Method API Endpoint URIs
GET /v2/victims/{resourceId}/groups/{resourceType}
GET /v2/victims/{resourceId}/groups/{resourceType}/{uniqueId}
GET /v2/victims/{resourceId}/indicators/{resourceType}
GET /v2/victims/{resourceId}/indicators/{resourceType}/{uniqueId}
Parameters:resource_id (integer) – The resource pivot id (victim id).
victims(victim_resource)[source]

Pivot point on Victims for this resource.

This method will return all resources (group, indicators, task, etc) for this resource that are associated with the provided victim id.

Example Endpoint URIs

HTTP Method API Endpoint URIs
GET /v2/{resourceId}/groups/{resourceType}/{uniqueId}/victims
GET /v2/{resourceId}/groups/{resourceType}/{uniqueId}/victims/{victimId}
GET /v2/{resourceId}/indicators/{resourceType}/{uniqueId}/victims
GET /v2/{resourceId}/indicators/{resourceType}/{uniqueId}/victims/{victimId}
DELETE /v2/{resourceId}/groups/{resourceType}/{uniqueId}/victims/{victimId}
POST /v2/{resourceId}/groups/{resourceType}/{uniqueId}/victims/{victimId}
Parameters:resource_id (integer) – The resource pivot id (victim id).
class tcex.tcex_resources.SecurityLabel(tcex)[source]

Bases: tcex.tcex_resources.Resource

Security Label Class

This resource class will return Security Labels.

label(resource_id)[source]

Update the request URI to include the Security Label for specific retrieval.

Parameters:resource_id (string) – The security label.
resource_id(resource_id)[source]

Alias for label method

The resource id is the security label name.

Parameters:resource_id (string) – The security label.
class tcex.tcex_resources.Signature(tcex)[source]

Bases: tcex.tcex_resources.Group

Signature Resource Class

This resource class will return groups of type Signature. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

download(resource_id)[source]

Update the request URI to download the document for this resource.

Parameters:resource_id (integer) – The group id.
pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.Tag(tcex)[source]

Bases: tcex.tcex_resources.Resource

Tag Class

This resource class will return Tags.

resource_id(resource_id)[source]

Alias for tag

The resource id is the tag name.

Parameters:resource_id (string) – The tag name.
tag(resource_id)[source]

Update the request URI to include the Tag for specific retrieval.

Parameters:resource_id (string) – The tag name.
class tcex.tcex_resources.Task(tcex)[source]

Bases: tcex.tcex_resources.Resource

Task Class

This resource class will return Tasks.

assignees(assignee=None, resource_id=None)[source]

Add an assignee to a Task

GET: /v2/tasks/{uniqueId}/assignees
GET: /v2/tasks/{uniqueId}/assignees/{assigneeId}
POST: /v2/tasks/{uniqueId}/assignees/{assigneeId}
DELETE: /v2/tasks/{uniqueId}/assignees/{assigneeId}

Parameters:
  • assignee (Optional [string]) – The assignee name.
  • resource_id (Optional [string]) – The task ID.
escalatees(escalatee=None, resource_id=None)[source]

Add an escalatee to a Task

GET: /v2/tasks/{uniqueId}/escalatees
GET: /v2/tasks/{uniqueId}/escalatees/{escalateeId}
POST: /v2/tasks/{uniqueId}/escalatees/{escalateeId}
DELETE: /v2/tasks/{uniqueId}/escalatees/{escalateeId}

Parameters:
  • escalatee (Optional [string]) – The escalatee name.
  • resource_id (Optional [string]) – The task ID.
pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
resource_id(resource_id)[source]

Alias for task_id method

The resource id is the task id.

Parameters:resource_id (string) – The task id.
task_id(resource_id)[source]

Update the request URI to include the Task Id for specific retrieval.

Parameters:resource_id (string) – The task id.
class tcex.tcex_resources.Threat(tcex)[source]

Bases: tcex.tcex_resources.Group

Threat Resource Class

This resource class will return groups of type Threat. To filter on specific groups use the group_id or resource_id methods provided in the parent class.

pdf(resource_id)[source]

Update the request URI to get the pdf for this resource.

Parameters:resource_id (integer) – The group id.
class tcex.tcex_resources.URL(tcex)[source]

Bases: tcex.tcex_resources.Indicator

URL Resource Class

This resource class will return indicators of type URL. To filter on specific indicators use the indicator or resource_id methods provided in the parent Class.

class tcex.tcex_resources.Victim(tcex)[source]

Bases: tcex.tcex_resources.Resource

Victim Class

This resource class will return Victims.

resource_id(resource_id)[source]

Alias for victim_id method

The resource id is the victim id.

Parameters:resource_id (string) – The victim id.
victim_id(resource_id)[source]

Update the request URI to include the Victim Id for specific retrieval.

Parameters:resource_id (string) – The victim id.
tcex.tcex_resources.class_factory(name, base_class, class_dict)[source]

Internal method for dynamically building Custom Indicator classes.