Source code for bloxone.b1td

#!/usr/local/bin/python3
# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
'''
------------------------------------------------------------------------

 Description:

 BloxOne Threat Defence API Wrapper Class and Helpers

 Author: Chris Marrison

 Date Last Updated: 20211203

 Todo:

 Copyright (c) 2020-2021 Chris Marrison / Infoblox

 Redistribution and use in source and binary forms,
 with or without modification, are permitted provided
 that the following conditions are met:

 1. Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.

 2. Redistributions in binary form must reproduce the above copyright
 notice, this list of conditions and the following disclaimer in the
 documentation and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.

------------------------------------------------------------------------
'''
__version__ = '0.3.3'
__author__ = 'Chris Marrison'
__author_email__ = 'chris@infoblox.com'

import datetime
import json
import logging
from urllib.parse import quote

import bloxone


# b1td class
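class b1td(bloxone.b1):
    '''
    BloxOne Threat Defense API wrapper covering TIDE, Dossier and the
    threat enrichment lookups.

    The base URLs (tide_url, dossier_url, threat_enrichment_url, ddi_url),
    the _apiget / _apipost / _add_params helpers, return_codes_ok and the
    CountryISOCodeNotFound exception are all read from ``self``; they are
    expected to be provided by bloxone.b1.

    Values that this class itself places into a URL path or query string
    (indicators, threat classes, profile names, actor names) are
    percent-encoded here, so callers pass raw, un-encoded values. Keyword
    ``**params`` are handed to _add_params unchanged; whether that helper
    encodes them is not visible in this module.
    '''

    # *** Private URL builders ***

    def _td_threat_query_url(self, objpath, datatype, query):
        # Build <tide_url><objpath><datatype>?<datatype>=<query>.
        # The indicator is percent-encoded so that characters such as
        # '&', '#' or '=' inside it cannot add or alter query parameters.
        datatype = quote(datatype, safe='')
        return (self.tide_url + objpath + datatype
                + '?' + datatype + '=' + quote(query, safe=''))

    def _td_feed_url(self, objpath, datatype, profile, threatclass,
                     threatproperty, params):
        # Build a bulk feed URL with the optional profile/class/property
        # filters, then let _add_params append the remaining params.
        url = self.tide_url + objpath + quote(datatype, safe='')
        filters = [
            key + '=' + quote(value, safe='')
            for key, value in (('profile', profile),
                               ('class', threatclass),
                               ('property', threatproperty))
            if value
        ]
        if filters:
            # Filters are joined with '&' after a single '?', which avoids
            # the empty leading parameter of a "?&profile=..." query.
            url = url + '?' + '&'.join(filters)
            return self._add_params(url, first_param=False, **params)
        return self._add_params(url, **params)

    # Generic Methods

    def get(self, objpath, **params):
        '''
        Generic get object wrapper for TIDE data objects

        Parameters:
            objpath (str): Swagger object path, appended to tide_url as-is
            **params: query parameters handed to _add_params

        Returns:
            response object: Requests response object
        '''
        url = self._add_params(self.tide_url + objpath, **params)
        logging.debug("URL: {}".format(url))
        return self._apiget(url)

    def post(self, objpath, body=""):
        '''
        Generic create object wrapper

        Parameters:
            objpath (str): Swagger object path
            body (str): JSON formatted data payload

        Returns:
            response object: Requests response object
        '''
        # NOTE(review): this posts to ddi_url although get() uses tide_url;
        # confirm that the DDI base URL is intended in this class.
        url = self.ddi_url + objpath
        return self._apipost(url, body)

    # *** Helper Methods ***

    def threat_classes(self, **params):
        '''
        Get list of threat classes

        Parameters:
            **params: accepted for signature compatibility; not used

        Returns:
            response object: Requests response object
        '''
        url = self.tide_url + '/data/threat_classes'
        return self._apiget(url)

    def threat_properties(self, threatclass="", **params):
        '''
        Get list of threat properties

        Parameters:
            threatclass (str): Threat Class; percent-encoded before it is
                placed in the query string
            **params: accepted for signature compatibility; not used

        Returns:
            response object: Requests response object
        '''
        url = self.tide_url + '/data/properties'
        if threatclass:
            url = url + '?class=' + quote(threatclass, safe='')
        return self._apiget(url)

    def threat_counts(self):
        '''
        Query Infoblox TIDE for active threat counts

        Returns:
            response object: Requests response object
        '''
        return self._apiget(self.tide_url + '/data/threat/counts')

    def historical_threat_counts(self):
        '''
        Query Infoblox TIDE for historical threat counts

        Returns:
            response object: Requests response object
        '''
        return self._apiget(self.tide_url + '/data/threat/counts/historical')

    def default_ttl(self):
        '''
        Query the TIDE /data/default/ttl endpoint

        Returns:
            response object: Requests response object
        '''
        return self._apiget(self.tide_url + '/data/default/ttl')

    def querytide(self, datatype, query, **params):
        '''
        Query Infoblox TIDE for all available threat data related to query.

        Parameters:
            datatype (str): "host", "ip" or "url"
            query (str): query data, passed raw (it is percent-encoded here)
            **params: further query parameters handed to _add_params

        Returns:
            response object: Requests response object
        '''
        url = self._td_threat_query_url('/data/threats/', datatype, query)
        url = self._add_params(url, first_param=False, **params)
        return self._apiget(url)

    def querytideactive(self, datatype, query, **params):
        '''
        Query Infoblox TIDE for "active" threat data
        i.e. threat data that has not expired at time of call

        Parameters:
            datatype (str): "host", "ip" or "url"
            query (str): query data, passed raw (it is percent-encoded here)
            **params: further query parameters handed to _add_params

        Returns:
            response object: Requests response object
        '''
        # The timestamp is formatted with a literal 'Z' suffix, so it must
        # be taken in UTC; local time would shift the expiry cut-off by the
        # host's UTC offset.
        now = datetime.datetime.now(datetime.timezone.utc)

        url = self._td_threat_query_url('/data/threats/', datatype, query)
        url = url + '&expiration=' + now.strftime('%Y-%m-%dT%H:%M:%SZ')
        url = self._add_params(url, first_param=False, **params)
        return self._apiget(url)

    def querytidestate(self, datatype, query, **params):
        '''
        Query Infoblox TIDE State Tables for specific query

        Parameters:
            datatype (str): "host", "ip" or "url"
            query (str): query data, passed raw (it is percent-encoded here)
            **params: further query parameters handed to _add_params

        Returns:
            response object: Requests response object
        '''
        url = self._td_threat_query_url('/data/threats/state/', datatype,
                                        query)
        url = self._add_params(url, first_param=False, **params)
        return self._apiget(url)

    def tideactivefeed(self,
                       datatype,
                       profile="",
                       threatclass="",
                       threatproperty="",
                       **params):
        '''
        Bulk "active" threat intel download from Infoblox TIDE state tables
        for specified datatype.

        Parameters:
            datatype (str): "host", "ip" or "url"
            profile (str, optional): Data provider
            threatclass (str, optional): tide data class
            threatproperty (str, optional): tide data property
            **params: further query parameters handed to _add_params

        Returns:
            response object: Requests response object
        '''
        url = self._td_feed_url('/data/threats/state/', datatype, profile,
                                threatclass, threatproperty, params)
        return self._apiget(url)

    def tidedatafeed(self,
                     datatype,
                     profile="",
                     threatclass="",
                     threatproperty="",
                     **params):
        '''
        Bulk threat intel download from Infoblox TIDE for specified
        datatype. Please use wisely.

        Parameters:
            datatype (str): "host", "ip" or "url"
            profile (str, optional): Data provider
            threatclass (str, optional): tide data class
            threatproperty (str, optional): tide data property
            **params: further query parameters handed to _add_params

        Returns:
            response object: Requests response object
        '''
        url = self._td_feed_url('/data/threats/', datatype, profile,
                                threatclass, threatproperty, params)
        return self._apiget(url)

    # ** Dossier Methods **

    def dossier_sources(self):
        '''
        Get Sources for Dossier

        Returns:
            response object: Requests response object
        '''
        return self._apiget(self.dossier_url + '/sources')

    def dossier_target_sources(self, type='host'):
        '''
        Get the Dossier sources for a target type

        Parameters:
            type (str): target type; percent-encoded before it is placed
                in the URL path

        Returns:
            response object: Requests response object
        '''
        url = self.dossier_url + '/sources/target/' + quote(type, safe='')
        return self._apiget(url)

    def dossier_target_types(self):
        '''
        Get supported target types for Dossier

        Returns:
            response object: Requests response object
        '''
        return self._apiget(self.dossier_url + '/targets')

    def dossierquery(self, query, type="host", sources="all", wait=True):
        '''
        Simple Dossier Query

        Parameters:
            query (str or list): single query or list of same type
            type (str): "host", "ip" or "url"
            sources (str or list): source name, list of sources, or "all"
            wait (bool): only the boolean True selects wait=true; any
                other value (including truthy non-bool values) sends
                wait=false

        Returns:
            response object: Requests response object

        Note:
            The JSON request body, which contains the queried targets, is
            written to the debug log.
        '''
        wait_flag = 'true' if isinstance(wait, bool) and wait else 'false'
        url = self.dossier_url + '/jobs?wait=' + wait_flag

        if sources == "all":
            response = self.dossier_target_sources(type=type)
            if response.status_code in self.return_codes_ok:
                # Decode the response once, then keep the sources whose
                # value is truthy.
                available = response.json()
                sources = [name for name, enabled in available.items()
                           if enabled]
                logging.debug("Sources retrieved: {}".format(sources))
            else:
                # NOTE(review): 'whopis' looks like a misspelled source
                # name; confirm against the Dossier source list.
                sources = ['atp', 'activity', 'dns', 'geo', 'pdns', 'ptr',
                           'rwhois', 'whopis', 'inforank', 'rpz_feeds',
                           'ssl_cert', 'infoblox_web_cat', 'custom_lists',
                           'whitelist']
                logging.debug("Failed to retrieve sources, using "
                              + "limited list {}".format(sources))
        elif not isinstance(sources, list):
            sources = [sources]

        # A list of queries is sent as a "group" target, a single query
        # as a "one" target.
        if isinstance(query, list):
            target = {"group": {"type": type,
                                "sources": sources,
                                "targets": query}}
        else:
            target = {"one": {"type": type,
                              "sources": sources,
                              "target": query}}

        body = json.dumps({"target": target})
        logging.debug(f'Body: {body}')
        return self._apipost(url, body)

    # *** threat enrichment

    def threat_actor(self, name):
        '''
        Get Threat Actor details

        Parameters:
            name (str): Name of Threat Actor, passed raw (it is
                percent-encoded here)

        Returns:
            response object: Requests response object
        '''
        url = (self.threat_enrichment_url
               + '/threat_actor/lookup?name=' + quote(name, safe=''))
        return self._apiget(url)

    def expand_mitre_vector(self, mitre):
        '''
        Expand MITRE Vector details

        Parameters:
            mitre (str): MITRE Vector

        Returns:
            response object: Requests response object
        '''
        url = self.threat_enrichment_url + '/mitre/lookup'
        # Serialise with json.dumps rather than wrapping the value in
        # quotes by hand, so a '"' or '\' inside it cannot break out of
        # the JSON string.
        body = json.dumps(mitre)
        logging.debug("URL: {}, Body: {}".format(url, body))
        return self._apipost(url, body)

    def get_countries(self):
        '''
        Get Countries and Country Code Data

        Parameters:
            None

        Returns:
            response object: Requests response object
        '''
        url = self.tide_url + '/data/set/countries'
        logging.debug("URL: {}".format(url))
        return self._apiget(url)

    def get_country_isocode(self, country=""):
        '''
        Get ISO Code for specified country

        Parameters:
            country (str): Name of Country, matched case-insensitively

        Returns:
            isocode (str): ISO Code of Country, or None if there is no
                match or the country list could not be retrieved
        '''
        response = self.get_countries()
        if response.status_code not in self.return_codes_ok:
            logging.error('Unable to retrieve country list')
            return None

        wanted = country.casefold()
        for record in response.json()['country']:
            if record['name'].casefold() == wanted:
                return record.get('iso_code')
        return None

    def get_country_ips(self, country='', **params):
        '''
        Get IPs for specified countries or complete dataset

        Parameters:
            country (str): Country or Country Code to retrieve; a
                two-character value is used as the ISO code as given,
                anything else is looked up by name
            **params: accepted for signature compatibility; not used

        Returns:
            response object: Requests response object

        Raises:
            CountryISOCodeNotFound: no ISO code found for the country name
        '''
        url = self.tide_url + '/data/set/countryip'

        if country:
            if len(country) == 2:
                # Assume country isocode
                iso_code = country
            else:
                # Assume country name
                iso_code = self.get_country_isocode(country=country)

            if not iso_code:
                raise self.CountryISOCodeNotFound(
                    f'No match for country: {country}')
            url = self._add_params(url, first_param=True, country=iso_code)

        return self._apiget(url)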