dxlclient.Request - python examples

Here are the examples of the python api dxlclient.Request taken from open source projects. By voting up you can indicate which examples are most useful and appropriate.

7 Examples 7

0 View Complete Implementation : mcafee_publish_to_dxl.py
Copyright MIT License
Author : ibmresilient
    @function("mcafee_publish_to_dxl")
    def _mcafee_publish_to_dxl_function(self, event, *args, **kwargs):
        """Function: A function which takes 3 inputs:

        mcafee_topic_name: String of the topic name. ie: /mcafee/service/epo/remote/epo1.
        mcafee_dxl_payload: The text of the payload to publish to the topic.
        mcafee_return_request: Specify whether or not to wait for and return the response.


        The function will publish the provided payload to the provided topic.
        Indicate whether acknowledgment response should be returned."""
        try:
            yield StatusMessage("Starting...")
            # Get the function parameters:
            mcafee_topic_name = kwargs.get("mcafee_topic_name")  # text
            if not mcafee_topic_name:
                yield FunctionError("mcafee_topic_name is required")
            mcafee_dxl_payload = kwargs.get("mcafee_dxl_payload")  # text
            if not mcafee_dxl_payload:
                yield FunctionError("mcafee_dxl_payload is required")
            mcafee_publish_method = self.get_select_param(
                kwargs.get("mcafee_publish_method"))  # select, values: "Event", "Service"
            if not mcafee_publish_method:
                yield FunctionError("mcafee_publish_method is required")
            mcafee_wait_for_response = self.get_select_param(
                kwargs.get("mcafee_wait_for_response"))  # select, values: "Yes", "No"

            log.info("mcafee_topic_name: %s", mcafee_topic_name)
            log.info("mcafee_dxl_payload: %s", mcafee_dxl_payload)
            log.info("mcafee_publish_method: %s", mcafee_publish_method)
            log.info("mcafee_wait_for_response: %s", mcafee_wait_for_response)

            response = None

            # Publish Event
            if mcafee_publish_method == "Event":
                event = Event(mcafee_topic_name)
                event.payload = mcafee_dxl_payload
                yield StatusMessage("Publishing Event...")
                self.client.send_event(event)

            # Invoke Service
            else:
                req = Request(mcafee_topic_name)
                req.payload = mcafee_dxl_payload
                yield StatusMessage("Invoking Service...")

                if mcafee_wait_for_response == "No":
                    self.client.async_request(req)
                else:
                    response = Response(self.client.sync_request(req, timeout=300))

            yield StatusMessage("Done...")
            r = {
                "mcafee_topic_name": mcafee_topic_name,
                "mcafee_dxl_payload": mcafee_dxl_payload,
                "mcafee_publish_method": mcafee_publish_method,
                "mcafee_wait_for_response": mcafee_wait_for_response
            }

            # Return response from publishing to topic
            if response is not None:
                r["response"] = vars(response)
                yield FunctionResult(r)
            else:
                yield FunctionResult(r)
        except Exception as e:
            yield FunctionError(e)

0 View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
    def set_file_reputation(self, trust_level, hashes, filename="", comment=""):
        """
        Sets the "Enterprise" reputation  (`trust level`) of a specified file (as identified by hashes).

        .. note::

            **Client Authorization**

            The OpenDXL Python client invoking this method must have permission to send messages to the
            ``/mcafee/service/tie/file/reputation/set`` topic which is part of the
            ``TIE Server Set Enterprise Reputation`` authorization group.

            The following page provides an example of authorizing a Python client to send messages to an
            `authorization group`. While the example is based on McAfee Active Response (MAR), the
            instructions are the same with the exception of swapping the ``TIE Server Set Enterprise Reputation``
            `authorization group` in place of ``Active Response Server API``:

            `<https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html>`_

        **Example Usage**

            .. code-block:: python

                # Set the Enterprise reputation (trust level) for notepad.exe to Known Trusted
               tie_client.set_file_reputation(
                    TrustLevel.KNOWN_TRUSTED, {
                        HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
                        HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
                        HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
                    },
                    filename="notepad.exe",
                    comment="Reputation set via OpenDXL")

        :param trust_level: The new `trust level` for the file. The list of standard `trust levels` can be found in the
            :clast:`dxltieclient.constants.TrustLevel` constants clast.
        :param hashes: A ``dict`` (dictionary) of hashes that identify the file to update the reputation for.
            The ``key`` in the dictionary is the `hash type` and the ``value`` is the `hex` representation of the
            hash value. See the :clast:`dxltieclient.constants.HashType` clast for the list of `hash type`
            constants.
        :param filename: A file name to astociate with the file (optional)
        :param comment: A comment to astociate with the file (optional)
        """
        # Create the request message
        req = Request(TIE_SET_FILE_REPUTATION_TOPIC)

        # Create a dictionary for the payload
        payload_dict = {
            "trustLevel": trust_level,
            "providerId": FileProvider.ENTERPRISE,
            "filename": filename,
            "comment": comment,
            "hashes": []}

        for key, value in hashes.items():
            payload_dict["hashes"].append(
                {"type": key,
                 "value": self._hex_to_base64(value)})

        # Set the payload
        MessageUtils.dict_to_json_payload(req, payload_dict)

        # Send the request
        self._dxl_sync_request(req)

0 View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
    def get_file_reputation(self, hashes):
        """
        Retrieves the reputations for the specified file (as identified by hashes)

        At least one `hash value` of a particular `hash type` (MD5, SHA-1, etc.) must be specified.
        Pasting additional hashes increases the likelihood of other reputations being located across the
        set of `file reputation providers`.

        **Example Usage**

            .. code-block:: python

                # Determine reputations for file (identified by hashes)
                reputations_dict = \\
                    tie_client.get_file_reputation({
                        HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
                        HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
                        HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
                    })

        **Reputations**

            The `Reputations` for the file are returned as a Python ``dict`` (dictionary).

            The `key` for each entry in the ``dict`` (dictionary) corresponds to a particular `provider` of the
            astociated `reputation`. The list of `file reputation providers` can be found in the
            :clast:`dxltieclient.constants.FileProvider` constants clast.

            An example reputations ``dict`` is shown below:

            .. code-block:: python

                {
                    "1": {
                        "attributes": {
                            "2120340": "2139160704"
                        },
                        "createDate": 1480455704,
                        "providerId": 1,
                        "trustLevel": 99
                    },
                    "3": {
                        "attributes": {
                            "2101652": "52",
                            "2102165": "1476902802",
                            "2111893": "56",
                            "2114965": "1",
                            "2139285": "73183493944770750"
                        },
                        "createDate": 1476902802,
                        "providerId": 3,
                        "trustLevel": 99
                    }
                }

            The ``"1"`` `key` corresponds to a reputation from the "Global Threat Intelligence (GTI)" reputation
            provider while the ``"3"`` `key` corresponds to a reputation from the "Enterprise" reputation provider.

            Each reputation contains a standard set of properties (trust level, creation date, etc.). These
            properties are listed in the :clast:`dxltieclient.constants.ReputationProp` constants clast.

            The following example shows how to access the `trust level` property of the "Enterprise" reputation:

            .. code-block:: python

                trust_level = reputations_dict[FileProvider.ENTERPRISE][ReputationProp.TRUST_LEVEL]

            Each reputation can also contain a provider-specific set of attributes as a Python ``dict`` (dictionary).
            These attributes can be found in the :clast:`dxltieclient.constants` module:

                :clast:`dxltieclient.constants.FileEnterpriseAttrib`
                    Attributes astociated with the `Enterprise` reputation provider for files
                :clast:`dxltieclient.constants.FileGtiAttrib`
                    Attributes astociated with the `Global Threat Intelligence (GTI)` reputation provider for files
                :clast:`dxltieclient.constants.AtdAttrib`
                    Attributes astociated with the `Advanced Threat Defense (ATD)` reputation provider

            The following example shows how to access the `prevalence` attribute from the "Enterprise" reputation:

            .. code-block:: python

                ent_rep = reputations_dict[FileProvider.ENTERPRISE]
                ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
                prevalence = int(ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE])

        :param hashes: A ``dict`` (dictionary) of hashes that identify the file to retrieve the reputations for.
            The ``key`` in the dictionary is the `hash type` and the ``value`` is the `hex` representation of the
            hash value. See the :clast:`dxltieclient.constants.HashType` clast for the list of `hash type`
            constants.
        :return: A ``dict`` (dictionary) where each `value` is a reputation from a particular `reputation provider`
            which is identified by the `key`. The list of `file reputation providers` can be found in the
            :clast:`dxltieclient.constants.FileProvider` constants clast.
        """
        # Create the request message
        req = Request(TIE_GET_FILE_REPUTATION_TOPIC)

        # Create a dictionary for the payload
        payload_dict = {
            "hashes": [],
            "scanType": 3  # Set Scan Type as 3 (On Demand Scan) to identify this request as not coming from an endpoint
        }

        for key, value in hashes.items():
            payload_dict["hashes"].append(
                {"type": key,
                 "value": self._hex_to_base64(value)})

        # Set the payload
        MessageUtils.dict_to_json_payload(req, payload_dict)

        # Send the request
        response = self._dxl_sync_request(req)

        resp_dict = MessageUtils.json_payload_to_dict(response)

        # Transform reputations to be simpler to use
        if "reputations" in resp_dict:
            return TieClient._transform_reputations(resp_dict["reputations"])
        return {}

0 View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
    def get_file_first_references(self, hashes, query_limit=500):
        """
        Retrieves the set of systems which have referenced (typically executed) the specified file (as
        identified by hashes).

        **Example Usage**

            .. code-block:: python

                # Get the list of systems that have referenced the file
                system_list = \\
                    tie_client.get_file_first_references({
                        HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
                        HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
                        HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
                    })

        **Systems**

        The systems that have referenced the file are returned as a Python ``list``.

        An example ``list`` is shown below:

            .. code-block:: python

                [
                    {
                        "agentGuid": "{3a6f574a-3e6f-436d-acd4-b3de336b054d}",
                        "date": 1475873692
                    },
                    {
                        "agentGuid": "{68125cd6-a5d8-11e6-348e-000c29663178}",
                        "date": 1478626172
                    }
                ]

        Each entry in the ``list`` is a ``dict`` (dictionary) containing details about a system that has
        referenced the file. See the :clast:`dxltieclient.constants.FirstRefProp` constants clast for details
        about the information that is available for each system in the ``dict`` (dictionary).

        :param hashes: A ``dict`` (dictionary) of hashes that identify the file to lookup.
            The ``key`` in the dictionary is the `hash type` and the ``value`` is the `hex` representation of the
            hash value. See the :clast:`dxltieclient.constants.HashType` clast for the list of `hash type`
            constants.
        :param query_limit: The maximum number of results to return
        :return: A ``list`` containing a ``dict`` (dictionary) for each system that has referenced the file. See the
            :clast:`dxltieclient.constants.FirstRefProp` constants clast for details about the information that
            is available for each system in the ``dict`` (dictionary).
        """
        # Create the request message
        req = Request(TIE_GET_FILE_FIRST_REFS)

        # Create a dictionary for the payload
        payload_dict = {
            "queryLimit": query_limit,
            "hashes": []
        }

        for key, value in hashes.items():
            payload_dict["hashes"].append({
                "type": key,
                "value": self._hex_to_base64(value)})

        # Set the payload
        MessageUtils.dict_to_json_payload(req, payload_dict)

        # Send the request
        response = self._dxl_sync_request(req)

        resp_dict = MessageUtils.json_payload_to_dict(response)

        # Return the agents list
        if "agents" in resp_dict:
            return resp_dict["agents"]
        return []

0 View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
    def set_certificate_reputation(self, trust_level, sha1, public_key_sha1=None, comment=""):
        """
        Sets the "Enterprise" reputation (`trust level`) of a specified certificate (as identified by hashes).

        .. note::

            **Client Authorization**

            The OpenDXL Python client invoking this method must have permission to send messages to the
            ``/mcafee/service/tie/cert/reputation/set`` topic which is part of the
            ``TIE Server Set Enterprise Reputation`` authorization group.

            The following page provides an example of authorizing a Python client to send messages to an
            `authorization group`. While the example is based on McAfee Active Response (MAR), the
            instructions are the same with the exception of swapping the ``TIE Server Set Enterprise Reputation``
            `authorization group` in place of ``Active Response Server API``:

            `<https://opendxl.github.io/opendxl-client-python/pydoc/marsendauth.html>`_

        **Example Usage**

            .. code-block:: python

                    # Set the enterprise reputation (trust level) for the certificate to Known Trusted
                    tie_client.set_certificate_reputation(
                        TrustLevel.KNOWN_TRUSTED,
                        "1C26E2037C8E205B452CAB3565D696512207D66D",
                        public_key_sha1="B4C3B2D596D1461C1BB417B92DCD74817ABB829D",
                        comment="Reputation set via OpenDXL")

        :param trust_level: The new `trust level` for the file. The list of standard `trust levels` can be found in the
            :clast:`dxltieclient.constants.TrustLevel` constants clast.
        :param sha1: The SHA-1 of the certificate
        :param public_key_sha1: The SHA-1 of the certificate's public key (optional)
        :param comment: A comment to astociate with the certificate (optional)
        """
        # Create the request message
        req = Request(TIE_SET_CERT_REPUTATION_TOPIC)

        # Create a dictionary for the payload
        payload_dict = {
            "trustLevel": trust_level,
            "providerId": CertProvider.ENTERPRISE,
            "comment": comment,
            "hashes": [
                {"type": "sha1", "value": self._hex_to_base64(sha1)}
            ]}

        # Add public key SHA-1 (if specified)
        if public_key_sha1:
            payload_dict["publicKeySha1"] = self._hex_to_base64(
                public_key_sha1)

        # Set the payload
        MessageUtils.dict_to_json_payload(req, payload_dict)

        # Send the request
        self._dxl_sync_request(req)

0 View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
    def get_certificate_reputation(self, sha1, public_key_sha1=None):
        """
        Retrieves the reputations for the specified certificate (as identified by the SHA-1 of the certificate
        and optionally the SHA-1 of the certificate's public key)

        While the SHA-1 of the certificate is required, pasting the optional SHA-1 of the certificate's public key
        can result in additional reputations being located across the set of `certificate reputation providers`.

        **Example Usage**

            .. code-block:: python

                # Determine reputations for certificate (identified by hashes)
                reputations_dict = \\
                    tie_client.get_certificate_reputation(
                        "6EAE26DB8C13182A7947982991B4321732CC3DE2",
                        public_key_sha1="3B87A2D6F39770160364B79A152FCC73BAE27ADF")

        **Reputations**

            The `Reputations` for the certificate are returned as a Python ``dict`` (dictionary).

            The `key` for each entry in the ``dict`` (dictionary) corresponds to a particular `provider` of the
            astociated `reputation`. The list of `certificate reputation providers` can be found in the
            :clast:`dxltieclient.constants.CertProvider` constants clast.

            An example reputations ``dict`` is shown below:

            .. code-block:: python

                {
                    "2": {
                        "attributes": {
                            "2108821": "92",
                            "2109077": "1454912619",
                            "2117524": "0",
                            "2120596": "0"
                        },
                        "createDate": 1476318514,
                        "providerId": 2,
                        "trustLevel": 99
                    },
                    "4": {
                        "attributes": {
                            "2109333": "4",
                            "2109589": "1476318514",
                            "2139285": "73183493944770750"
                        },
                        "createDate": 1476318514,
                        "providerId": 4,
                        "trustLevel": 0
                    }
                }

            The ``"2"`` `key` corresponds to a reputation from the "Global Threat Intelligence (GTI)" reputation
            provider while the ``"4"`` `key` corresponds to a reputation from the "Enterprise" reputation provider.

            Each reputation contains a standard set of properties (trust level, creation date, etc.). These
            properties are listed in the :clast:`dxltieclient.constants.ReputationProp` constants clast.

            The following example shows how to access the `trust level` property of the "Enterprise" reputation:

            .. code-block:: python

                trust_level = reputations_dict[CertProvider.ENTERPRISE][ReputationProp.TRUST_LEVEL]

            Each reputation can also contain a provider-specific set of attributes as a Python ``dict`` (dictionary).
            These attributes can be found in the :clast:`dxltieclient.constants` module:

                :clast:`dxltieclient.constants.CertEnterpriseAttrib`
                    Attributes astociated with `Enterprise` reputation provider for certificates
                :clast:`dxltieclient.constants.CertGtiAttrib`
                    Attributes astociated with `Global Threat Intelligence (GTI)` reputation provider for certificates

            The following example shows how to access the `prevalence` attribute from the "Enterprise" reputation:

            .. code-block:: python

                ent_rep = reputations_dict[CertProvider.ENTERPRISE]
                ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
                prevalence = int(ent_rep_attribs[CertEnterpriseAttrib.PREVALENCE])

        :param sha1: The SHA-1 of the certificate
        :param public_key_sha1: The SHA-1 of the certificate's public key (optional)
        :return: A ``dict`` (dictionary) where each `value` is a reputation from a particular `reputation provider`
            which is identified by the `key`. The list of `certificate reputation providers` can be found in the
            :clast:`dxltieclient.constants.CertProvider` constants clast.
        """
        # Create the request message
        req = Request(TIE_GET_CERT_REPUTATION_TOPIC)

        # Create a dictionary for the payload
        payload_dict = {
            "hashes": [
                {"type": "sha1", "value": self._hex_to_base64(sha1)}
            ]}

        # Add public key SHA-1 (if specified)
        if public_key_sha1:
            payload_dict["publicKeySha1"] = self._hex_to_base64(
                public_key_sha1)

        # Set the payload
        MessageUtils.dict_to_json_payload(req, payload_dict)

        # Send the request
        response = self._dxl_sync_request(req)

        resp_dict = MessageUtils.json_payload_to_dict(response)

        # Transform reputations to be simpler to use
        if "reputations" in resp_dict:
            return TieClient._transform_reputations(resp_dict["reputations"])
        return {}

0 View Complete Implementation : client.py
Copyright Apache License 2.0
Author : opendxl
    def get_certificate_first_references(self, sha1, public_key_sha1=None, query_limit=500):
        """
        Retrieves the set of systems which have referenced the specified certificate (as
        identified by hashes).

        **Example Usage**

            .. code-block:: python

                # Get the list of systems that have referenced the certificate
                system_list = \\
                    tie_client.get_certificate_first_references(
                        "6EAE26DB8C13182A7947982991B4321732CC3DE2",
                        public_key_sha1="3B87A2D6F39770160364B79A152FCC73BAE27ADF")

        **Systems**

        The systems that have referenced the certificate are returned as a Python ``list``.

        An example ``list`` is shown below:

            .. code-block:: python

                [
                    {
                        "agentGuid": "{3a6f574a-3e6f-436d-acd4-bcde336b054d}",
                        "date": 1475873692
                    },
                    {
                        "agentGuid": "{68125cd6-a5d8-11e6-348e-000c29663178}",
                        "date": 1478626172
                    }
                ]

        Each entry in the ``list`` is a ``dict`` (dictionary) containing details about a system that has
        referenced the certificate. See the :clast:`dxltieclient.constants.FirstRefProp` constants clast for details
        about the information that is available for each system in the ``dict`` (dictionary).

        :param sha1: The SHA-1 of the certificate
        :param public_key_sha1: The SHA-1 of the certificate's public key (optional)
        :param query_limit: The maximum number of results to return
        :return: A ``list`` containing a ``dict`` (dictionary) for each system that has referenced the certificate.
            See the :clast:`dxltieclient.constants.FirstRefProp` constants clast for details about the information that
            is available for each system in the ``dict`` (dictionary).
        """
        # Create the request message
        req = Request(TIE_GET_CERT_FIRST_REFS)

        # Create a dictionary for the payload
        payload_dict = {
            "queryLimit": query_limit,
            "hashes": [
                {"type": "sha1", "value": self._hex_to_base64(sha1)}
            ]}

        # Add public key SHA-1 (if specified)
        if public_key_sha1:
            payload_dict["publicKeySha1"] = self._hex_to_base64(
                public_key_sha1)

        # Set the payload
        MessageUtils.dict_to_json_payload(req, payload_dict)

        # Send the request
        response = self._dxl_sync_request(req)

        resp_dict = MessageUtils.json_payload_to_dict(response)

        # Return the agents list
        if "agents" in resp_dict:
            return resp_dict["agents"]
        return []