Here are the examples of the python api dxlclient.Request taken from open source projects. By voting up you can indicate which examples are most useful and appropriate.
7 Examples
0
View Complete Implementation : mcafee_publish_to_dxl.py
Copyright MIT License
Author : ibmresilient
Copyright MIT License
Author : ibmresilient
@function("mcafee_publish_to_dxl")
def _mcafee_publish_to_dxl_function(self, event, *args, **kwargs):
"""Function: A function which takes 3 inputs:
mcafee_topic_name: String of the topic name. ie: /mcafee/service/epo/remote/epo1.
mcafee_dxl_payload: The text of the payload to publish to the topic.
mcafee_return_request: Specify whether or not to wait for and return the response.
The function will publish the provided payload to the provided topic.
Indicate whether acknowledgment response should be returned."""
try:
yield StatusMessage("Starting...")
# Get the function parameters:
mcafee_topic_name = kwargs.get("mcafee_topic_name") # text
if not mcafee_topic_name:
yield FunctionError("mcafee_topic_name is required")
mcafee_dxl_payload = kwargs.get("mcafee_dxl_payload") # text
if not mcafee_dxl_payload:
yield FunctionError("mcafee_dxl_payload is required")
mcafee_publish_method = self.get_select_param(
kwargs.get("mcafee_publish_method")) # select, values: "Event", "Service"
if not mcafee_publish_method:
yield FunctionError("mcafee_publish_method is required")
mcafee_wait_for_response = self.get_select_param(
kwargs.get("mcafee_wait_for_response")) # select, values: "Yes", "No"
log.info("mcafee_topic_name: %s", mcafee_topic_name)
log.info("mcafee_dxl_payload: %s", mcafee_dxl_payload)
log.info("mcafee_publish_method: %s", mcafee_publish_method)
log.info("mcafee_wait_for_response: %s", mcafee_wait_for_response)
response = None
# Publish Event
if mcafee_publish_method == "Event":
event = Event(mcafee_topic_name)
event.payload = mcafee_dxl_payload
yield StatusMessage("Publishing Event...")
self.client.send_event(event)
# Invoke Service
else:
req = Request(mcafee_topic_name)
req.payload = mcafee_dxl_payload
yield StatusMessage("Invoking Service...")
if mcafee_wait_for_response == "No":
self.client.async_request(req)
else:
response = Response(self.client.sync_request(req, timeout=300))
yield StatusMessage("Done...")
r = {
"mcafee_topic_name": mcafee_topic_name,
"mcafee_dxl_payload": mcafee_dxl_payload,
"mcafee_publish_method": mcafee_publish_method,
"mcafee_wait_for_response": mcafee_wait_for_response
}
# Return response from publishing to topic
if response is not None:
r["response"] = vars(response)
yield FunctionResult(r)
else:
yield FunctionResult(r)
except Exception as e:
yield FunctionError(e)
0
View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
Copyright Apache License 2.0
Author : opendxl
def set_file_reputation(self, trust_level, hashes, filename="", comment=""):
"""
Sets the "Enterprise" reputation (`trust level`) of a specified file (as identified by hashes).
.. note::
**Client Authorization**
The OpenDXL Python client invoking this method must have permission to send messages to the
``/mcafee/service/tie/file/reputation/set`` topic which is part of the
``TIE Server Set Enterprise Reputation`` authorization group.
The following page provides an example of authorizing a Python client to send messages to an
`authorization group`. While the example is based on McAfee Active Response (MAR), the
instructions are the same with the exception of swapping the ``TIE Server Set Enterprise Reputation``
`authorization group` in place of ``Active Response Server API``:
`<https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html>`_
**Example Usage**
.. code-block:: python
# Set the Enterprise reputation (trust level) for notepad.exe to Known Trusted
tie_client.set_file_reputation(
TrustLevel.KNOWN_TRUSTED, {
HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
},
filename="notepad.exe",
comment="Reputation set via OpenDXL")
:param trust_level: The new `trust level` for the file. The list of standard `trust levels` can be found in the
:clast:`dxltieclient.constants.TrustLevel` constants clast.
:param hashes: A ``dict`` (dictionary) of hashes that identify the file to update the reputation for.
The ``key`` in the dictionary is the `hash type` and the ``value`` is the `hex` representation of the
hash value. See the :clast:`dxltieclient.constants.HashType` clast for the list of `hash type`
constants.
:param filename: A file name to astociate with the file (optional)
:param comment: A comment to astociate with the file (optional)
"""
# Create the request message
req = Request(TIE_SET_FILE_REPUTATION_TOPIC)
# Create a dictionary for the payload
payload_dict = {
"trustLevel": trust_level,
"providerId": FileProvider.ENTERPRISE,
"filename": filename,
"comment": comment,
"hashes": []}
for key, value in hashes.items():
payload_dict["hashes"].append(
{"type": key,
"value": self._hex_to_base64(value)})
# Set the payload
MessageUtils.dict_to_json_payload(req, payload_dict)
# Send the request
self._dxl_sync_request(req)
0
View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
Copyright Apache License 2.0
Author : opendxl
def get_file_reputation(self, hashes):
"""
Retrieves the reputations for the specified file (as identified by hashes)
At least one `hash value` of a particular `hash type` (MD5, SHA-1, etc.) must be specified.
Pasting additional hashes increases the likelihood of other reputations being located across the
set of `file reputation providers`.
**Example Usage**
.. code-block:: python
# Determine reputations for file (identified by hashes)
reputations_dict = \\
tie_client.get_file_reputation({
HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
})
**Reputations**
The `Reputations` for the file are returned as a Python ``dict`` (dictionary).
The `key` for each entry in the ``dict`` (dictionary) corresponds to a particular `provider` of the
astociated `reputation`. The list of `file reputation providers` can be found in the
:clast:`dxltieclient.constants.FileProvider` constants clast.
An example reputations ``dict`` is shown below:
.. code-block:: python
{
"1": {
"attributes": {
"2120340": "2139160704"
},
"createDate": 1480455704,
"providerId": 1,
"trustLevel": 99
},
"3": {
"attributes": {
"2101652": "52",
"2102165": "1476902802",
"2111893": "56",
"2114965": "1",
"2139285": "73183493944770750"
},
"createDate": 1476902802,
"providerId": 3,
"trustLevel": 99
}
}
The ``"1"`` `key` corresponds to a reputation from the "Global Threat Intelligence (GTI)" reputation
provider while the ``"3"`` `key` corresponds to a reputation from the "Enterprise" reputation provider.
Each reputation contains a standard set of properties (trust level, creation date, etc.). These
properties are listed in the :clast:`dxltieclient.constants.ReputationProp` constants clast.
The following example shows how to access the `trust level` property of the "Enterprise" reputation:
.. code-block:: python
trust_level = reputations_dict[FileProvider.ENTERPRISE][ReputationProp.TRUST_LEVEL]
Each reputation can also contain a provider-specific set of attributes as a Python ``dict`` (dictionary).
These attributes can be found in the :clast:`dxltieclient.constants` module:
:clast:`dxltieclient.constants.FileEnterpriseAttrib`
Attributes astociated with the `Enterprise` reputation provider for files
:clast:`dxltieclient.constants.FileGtiAttrib`
Attributes astociated with the `Global Threat Intelligence (GTI)` reputation provider for files
:clast:`dxltieclient.constants.AtdAttrib`
Attributes astociated with the `Advanced Threat Defense (ATD)` reputation provider
The following example shows how to access the `prevalence` attribute from the "Enterprise" reputation:
.. code-block:: python
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
prevalence = int(ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE])
:param hashes: A ``dict`` (dictionary) of hashes that identify the file to retrieve the reputations for.
The ``key`` in the dictionary is the `hash type` and the ``value`` is the `hex` representation of the
hash value. See the :clast:`dxltieclient.constants.HashType` clast for the list of `hash type`
constants.
:return: A ``dict`` (dictionary) where each `value` is a reputation from a particular `reputation provider`
which is identified by the `key`. The list of `file reputation providers` can be found in the
:clast:`dxltieclient.constants.FileProvider` constants clast.
"""
# Create the request message
req = Request(TIE_GET_FILE_REPUTATION_TOPIC)
# Create a dictionary for the payload
payload_dict = {
"hashes": [],
"scanType": 3 # Set Scan Type as 3 (On Demand Scan) to identify this request as not coming from an endpoint
}
for key, value in hashes.items():
payload_dict["hashes"].append(
{"type": key,
"value": self._hex_to_base64(value)})
# Set the payload
MessageUtils.dict_to_json_payload(req, payload_dict)
# Send the request
response = self._dxl_sync_request(req)
resp_dict = MessageUtils.json_payload_to_dict(response)
# Transform reputations to be simpler to use
if "reputations" in resp_dict:
return TieClient._transform_reputations(resp_dict["reputations"])
return {}
0
View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
Copyright Apache License 2.0
Author : opendxl
def get_file_first_references(self, hashes, query_limit=500):
"""
Retrieves the set of systems which have referenced (typically executed) the specified file (as
identified by hashes).
**Example Usage**
.. code-block:: python
# Get the list of systems that have referenced the file
system_list = \\
tie_client.get_file_first_references({
HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
})
**Systems**
The systems that have referenced the file are returned as a Python ``list``.
An example ``list`` is shown below:
.. code-block:: python
[
{
"agentGuid": "{3a6f574a-3e6f-436d-acd4-b3de336b054d}",
"date": 1475873692
},
{
"agentGuid": "{68125cd6-a5d8-11e6-348e-000c29663178}",
"date": 1478626172
}
]
Each entry in the ``list`` is a ``dict`` (dictionary) containing details about a system that has
referenced the file. See the :clast:`dxltieclient.constants.FirstRefProp` constants clast for details
about the information that is available for each system in the ``dict`` (dictionary).
:param hashes: A ``dict`` (dictionary) of hashes that identify the file to lookup.
The ``key`` in the dictionary is the `hash type` and the ``value`` is the `hex` representation of the
hash value. See the :clast:`dxltieclient.constants.HashType` clast for the list of `hash type`
constants.
:param query_limit: The maximum number of results to return
:return: A ``list`` containing a ``dict`` (dictionary) for each system that has referenced the file. See the
:clast:`dxltieclient.constants.FirstRefProp` constants clast for details about the information that
is available for each system in the ``dict`` (dictionary).
"""
# Create the request message
req = Request(TIE_GET_FILE_FIRST_REFS)
# Create a dictionary for the payload
payload_dict = {
"queryLimit": query_limit,
"hashes": []
}
for key, value in hashes.items():
payload_dict["hashes"].append({
"type": key,
"value": self._hex_to_base64(value)})
# Set the payload
MessageUtils.dict_to_json_payload(req, payload_dict)
# Send the request
response = self._dxl_sync_request(req)
resp_dict = MessageUtils.json_payload_to_dict(response)
# Return the agents list
if "agents" in resp_dict:
return resp_dict["agents"]
return []
0
View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
Copyright Apache License 2.0
Author : opendxl
def set_certificate_reputation(self, trust_level, sha1, public_key_sha1=None, comment=""):
"""
Sets the "Enterprise" reputation (`trust level`) of a specified certificate (as identified by hashes).
.. note::
**Client Authorization**
The OpenDXL Python client invoking this method must have permission to send messages to the
``/mcafee/service/tie/cert/reputation/set`` topic which is part of the
``TIE Server Set Enterprise Reputation`` authorization group.
The following page provides an example of authorizing a Python client to send messages to an
`authorization group`. While the example is based on McAfee Active Response (MAR), the
instructions are the same with the exception of swapping the ``TIE Server Set Enterprise Reputation``
`authorization group` in place of ``Active Response Server API``:
`<https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html>`_
**Example Usage**
.. code-block:: python
# Set the enterprise reputation (trust level) for the certificate to Known Trusted
tie_client.set_certificate_reputation(
TrustLevel.KNOWN_TRUSTED,
"1C26E2037C8E205B452CAB3565D696512207D66D",
public_key_sha1="B4C3B2D596D1461C1BB417B92DCD74817ABB829D",
comment="Reputation set via OpenDXL")
:param trust_level: The new `trust level` for the file. The list of standard `trust levels` can be found in the
:clast:`dxltieclient.constants.TrustLevel` constants clast.
:param sha1: The SHA-1 of the certificate
:param public_key_sha1: The SHA-1 of the certificate's public key (optional)
:param comment: A comment to astociate with the certificate (optional)
"""
# Create the request message
req = Request(TIE_SET_CERT_REPUTATION_TOPIC)
# Create a dictionary for the payload
payload_dict = {
"trustLevel": trust_level,
"providerId": CertProvider.ENTERPRISE,
"comment": comment,
"hashes": [
{"type": "sha1", "value": self._hex_to_base64(sha1)}
]}
# Add public key SHA-1 (if specified)
if public_key_sha1:
payload_dict["publicKeySha1"] = self._hex_to_base64(
public_key_sha1)
# Set the payload
MessageUtils.dict_to_json_payload(req, payload_dict)
# Send the request
self._dxl_sync_request(req)
0
View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
Copyright Apache License 2.0
Author : opendxl
def get_certificate_reputation(self, sha1, public_key_sha1=None):
"""
Retrieves the reputations for the specified certificate (as identified by the SHA-1 of the certificate
and optionally the SHA-1 of the certificate's public key)
While the SHA-1 of the certificate is required, pasting the optional SHA-1 of the certificate's public key
can result in additional reputations being located across the set of `certificate reputation providers`.
**Example Usage**
.. code-block:: python
# Determine reputations for certificate (identified by hashes)
reputations_dict = \\
tie_client.get_certificate_reputation(
"6EAE26DB8C13182A7947982991B4321732CC3DE2",
public_key_sha1="3B87A2D6F39770160364B79A152FCC73BAE27ADF")
**Reputations**
The `Reputations` for the certificate are returned as a Python ``dict`` (dictionary).
The `key` for each entry in the ``dict`` (dictionary) corresponds to a particular `provider` of the
astociated `reputation`. The list of `certificate reputation providers` can be found in the
:clast:`dxltieclient.constants.CertProvider` constants clast.
An example reputations ``dict`` is shown below:
.. code-block:: python
{
"2": {
"attributes": {
"2108821": "92",
"2109077": "1454912619",
"2117524": "0",
"2120596": "0"
},
"createDate": 1476318514,
"providerId": 2,
"trustLevel": 99
},
"4": {
"attributes": {
"2109333": "4",
"2109589": "1476318514",
"2139285": "73183493944770750"
},
"createDate": 1476318514,
"providerId": 4,
"trustLevel": 0
}
}
The ``"2"`` `key` corresponds to a reputation from the "Global Threat Intelligence (GTI)" reputation
provider while the ``"4"`` `key` corresponds to a reputation from the "Enterprise" reputation provider.
Each reputation contains a standard set of properties (trust level, creation date, etc.). These
properties are listed in the :clast:`dxltieclient.constants.ReputationProp` constants clast.
The following example shows how to access the `trust level` property of the "Enterprise" reputation:
.. code-block:: python
trust_level = reputations_dict[CertProvider.ENTERPRISE][ReputationProp.TRUST_LEVEL]
Each reputation can also contain a provider-specific set of attributes as a Python ``dict`` (dictionary).
These attributes can be found in the :clast:`dxltieclient.constants` module:
:clast:`dxltieclient.constants.CertEnterpriseAttrib`
Attributes astociated with `Enterprise` reputation provider for certificates
:clast:`dxltieclient.constants.CertGtiAttrib`
Attributes astociated with `Global Threat Intelligence (GTI)` reputation provider for certificates
The following example shows how to access the `prevalence` attribute from the "Enterprise" reputation:
.. code-block:: python
ent_rep = reputations_dict[CertProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
prevalence = int(ent_rep_attribs[CertEnterpriseAttrib.PREVALENCE])
:param sha1: The SHA-1 of the certificate
:param public_key_sha1: The SHA-1 of the certificate's public key (optional)
:return: A ``dict`` (dictionary) where each `value` is a reputation from a particular `reputation provider`
which is identified by the `key`. The list of `certificate reputation providers` can be found in the
:clast:`dxltieclient.constants.CertProvider` constants clast.
"""
# Create the request message
req = Request(TIE_GET_CERT_REPUTATION_TOPIC)
# Create a dictionary for the payload
payload_dict = {
"hashes": [
{"type": "sha1", "value": self._hex_to_base64(sha1)}
]}
# Add public key SHA-1 (if specified)
if public_key_sha1:
payload_dict["publicKeySha1"] = self._hex_to_base64(
public_key_sha1)
# Set the payload
MessageUtils.dict_to_json_payload(req, payload_dict)
# Send the request
response = self._dxl_sync_request(req)
resp_dict = MessageUtils.json_payload_to_dict(response)
# Transform reputations to be simpler to use
if "reputations" in resp_dict:
return TieClient._transform_reputations(resp_dict["reputations"])
return {}
0
View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
Copyright Apache License 2.0
Author : opendxl
def get_certificate_first_references(self, sha1, public_key_sha1=None, query_limit=500):
"""
Retrieves the set of systems which have referenced the specified certificate (as
identified by hashes).
**Example Usage**
.. code-block:: python
# Get the list of systems that have referenced the certificate
system_list = \\
tie_client.get_certificate_first_references(
"6EAE26DB8C13182A7947982991B4321732CC3DE2",
public_key_sha1="3B87A2D6F39770160364B79A152FCC73BAE27ADF")
**Systems**
The systems that have referenced the certificate are returned as a Python ``list``.
An example ``list`` is shown below:
.. code-block:: python
[
{
"agentGuid": "{3a6f574a-3e6f-436d-acd4-bcde336b054d}",
"date": 1475873692
},
{
"agentGuid": "{68125cd6-a5d8-11e6-348e-000c29663178}",
"date": 1478626172
}
]
Each entry in the ``list`` is a ``dict`` (dictionary) containing details about a system that has
referenced the certificate. See the :clast:`dxltieclient.constants.FirstRefProp` constants clast for details
about the information that is available for each system in the ``dict`` (dictionary).
:param sha1: The SHA-1 of the certificate
:param public_key_sha1: The SHA-1 of the certificate's public key (optional)
:param query_limit: The maximum number of results to return
:return: A ``list`` containing a ``dict`` (dictionary) for each system that has referenced the certificate.
See the :clast:`dxltieclient.constants.FirstRefProp` constants clast for details about the information that
is available for each system in the ``dict`` (dictionary).
"""
# Create the request message
req = Request(TIE_GET_CERT_FIRST_REFS)
# Create a dictionary for the payload
payload_dict = {
"queryLimit": query_limit,
"hashes": [
{"type": "sha1", "value": self._hex_to_base64(sha1)}
]}
# Add public key SHA-1 (if specified)
if public_key_sha1:
payload_dict["publicKeySha1"] = self._hex_to_base64(
public_key_sha1)
# Set the payload
MessageUtils.dict_to_json_payload(req, payload_dict)
# Send the request
response = self._dxl_sync_request(req)
resp_dict = MessageUtils.json_payload_to_dict(response)
# Return the agents list
if "agents" in resp_dict:
return resp_dict["agents"]
return []