bizone_ti library provides the capability to work with API of the BI.ZONE Threat Intelligence.
There are four possibilities for getting an IOC:
-
via common_id;
Description: Direct search for particular IoC.
Raw request to TI: Example -
via v;
Description: Search by string.
Raw request to TI: Example -
via s;
Description: Search by string in several fields depends on the IoC type.
Raw request to TI: Exampleđź“ť Usually searching with
skey contains multiple responses. If you need more than one response better useGet multiple IOCs. -
via ss.
Description: Search by substring.
Raw request to TI: Exampleđź“ť Usually searching with
sskey contains multiple responses. If you need more than one response better useGet multiple IOCs.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
# via common_id
# Most common way to search
received_ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(
common_id='ti_common_id',
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
false_positive=False
)
# via v
# Most common way to search
received_ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(
v='domain.example',
category=["Phishing"],
sources=["some_source"],
confidence=75,
severity=50,
tags=["phishing"],
download_from=1619527873,
download_to=1736464784,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
false_positive=False
)
# via s
# This search key usually returns multiple responses.
# If you use 'getone', it will return first response from the TI.
received_ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(
s='domain.example',
category=["Phishing"],
sources=["some_source"],
confidence=75,
severity=50,
tags=["phishing"],
download_from=1619527873,
download_to=1736464784,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
false_positive=False
)
# via ss
# This search key usually returns multiple responses.
# If you use 'getone', it will return first response from the TI.
received_ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(
ss='domain.example',
category=["Phishing"],
sources=["some_source"],
confidence=75,
severity=50,
tags=["phishing"],
download_from=1619527873,
download_to=1736464784,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
false_positive=False
)received_ioc is an instance of one of the supported IoCEntity types or NoneType.
There are five possibilities for getting several IOCs:
-
via common_id;
Description: Direct search for particular IoC.
Raw request to TI: Example -
via v;
Description: Search by string.
Raw request to TI: Example -
via s;
Description: Search by string in several fields depends on the IoC type.
Raw request to TI: Example -
via ss.
Description: Search by substring.
Raw request to TI: Example -
via only filters (good for searching all IoCs that match search filters).
đź“ť See usage of common_id, v, s and ss at Get first (one) IOC
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
received_iocs = bizone_ti.IoCManager(object_type=ioc_type).get(
category=["Phishing"],
sources=["some_source"],
confidence=70,
severity=50,
tags=["phishing"],
download_from=1619527873,
download_to=1736464784,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
false_positive=False
)received_iocs is instance of bizone_ti.api.response.ResponseGenerator.
Each item of received_iocs is an instance of one of the supported IoCEntity types.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
new_ioc_data = {
"value": "new_domain.example",
"services": [],
"user_viewed": True,
"hidden": True,
"mitre_phases": [],
"industry": ["Other"],
"removed": True,
"original_value": "new_domain.example",
"ips": [],
"risk_score": 0,
"threat_name": [],
"removed_manually": True,
"source": "test",
"tlp": "green",
"tti_organization": "",
"description": "test description",
"tags": [],
"confidence": 0,
"kc_phases": [],
"details": {},
"category": ["Other"],
"ttl": 0,
"first_seen": 0,
"last_seen": 0,
"false_positive": True,
}
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
response = bizone_ti.IoCManager(
object_type=ioc_type).add(
data=new_ioc_data,
take_screen=True,
return_result=True,
rewrite=False,
convert_2_ti_object=True)response type is ti_response.Response.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
status_code, response = bizone_ti.IoCManager(object_type=ioc_type).delete(
value=new_ioc.value, source=data.source
)status_code type is int.
response type is dict.
There are two possibilities for getting linking objects (IOCs, groups, etc.) to an IOC:
- via IoCManager;
- via IoCEntity (IoCFQDNEntity, IoCIPv4Entity,IoCFileEntity, IoCIPv6Entity, IoCURLEntity).
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
linked_to_ioc = bizone_ti.IoCManager(object_type=ioc_type).linked(
common_id=entity_id,
cursor=None,
limit=200,
removed=False # unfortunately, doesn't work at TI
)linked_to_ioc type is ti_reponse.ResponseGenerator.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
# ioc is an instance of one of the supported IoCEntity types.
ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(
v='some_domain.example'
)
linked_to_ioc = ioc.linked(
cursor=None,
limit=200,
removed=False # unfortunately, doesn't work at TI
)linked_to_ioc type is ti_reponse.ResponseGenerator.
There are two possibilities for linking objects (IOCs, groups, etc.) to an IOC:
- via IoCManager;
- via IoCEntity (IoCFQDNEntity, IoCIPv4Entity,IoCFileEntity, IoCIPv6Entity, IoCURLEntity).
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
result = bizone_ti.IoCManager(
object_type=ioc_type).make_link(
common_id='ti_common_id', # common_id ioc
object_ids=['ti_group_type:ti_group_id',
'ti_group_type:ti_group_id_1',
'ti_ioc_type:ti_common_id']) # ioc_type:common_idresult type is ti_reponse.Response.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
# ioc is instance of IoCEntities
ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(v='some domain')
result = ioc.make_link(
object_ids=['ti_group_type:ti_group_id',
'ti_group_type:ti_group_id_1',
'ti_ioc_type:ti_common_id']) # ioc_type:common_idresult type is ti_reponse.Response.
There are two possibilities for unlinking objects (IOCs, groups, etc.) from an IOC:
- via IoCManager;
- via IoCEntity (IoCFQDNEntity, IoCIPv4Entity,IoCFileEntity, IoCIPv6Entity, IoCURLEntity).
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
result = bizone_ti.IoCManager(
object_type=ioc_type).unlink(
common_id='ti_common_id', # common_id ioc
object_ids=['ti_group_type:ti_group_id',
'ti_group_type:ti_group_id_1',
'ti_ioc_type:ti_common_id']) # ioc_type:common_idresult type is ti_reponse.Response.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
# ioc is instance of IoCEntities
ioc = bizone_ti.IoCManager(object_type=ioc_type).getone(v='some_domain')
result = ioc.unlink(
object_ids=['ti_group_type:ti_group_id',
'ti_group_type:ti_group_id_1',
'ti_ioc_type:ti_common_id']) # ioc_type:common_idresult type is ti_reponse.Response.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
amount_iocs_fqdn = bizone_ti.IoCManager(object_type=ioc_type).count()amount_iocs_fqdn type is int.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
ioc_type = types.IoCTypes.fqdn # also can use str 'fqdn'
existed_iocs = bizone_ti.IoCManager(object_type=ioc_type).exist(
sources=['test_ti_source'],
values=['ioc_value_1', 'ioc_value_2'],
return_absent=False,
removed_filter="not-removed"
)existed_iocs type is list of strings or None.
đź“ť For group objects, only vulnerability, malware, tool, adversary, and general types are supported.
There are four possibilities for getting a group:
-
via group_id;
Description: Direct search for particular group.
Raw request to TI: Raw Request -
via v;
Description: Search by string.
Raw request to TI: Raw Request -
via s;
Description: Search by string in several fields depends on the group type.
Raw request to TI: Raw Requestđź“ť Usually searching with
sskey contains multiple responses. If you need more than one response better useGet multiple groups. -
via ss.
Description: Search by substring.
Raw request to TI: Raw Requestđź“ť Usually searching with
sskey contains multiple responses. If you need more than one response better useGet multiple groups.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'vulnerability')
group_type = types.GroupTypes.vulnerability
# via group_id
# Most common way to search
received_group = bizone_ti.GroupManager(object_type=group_type).getone(
group_id='ti_group_id', # group id vulnerability:ti_group_id
ignore_timeout=True,
removed_filter='not-removed',
sort='asc',
other_sources=True
)
# via v
# Most common way to search
received_group = bizone_ti.GroupManager(object_type=group_type).getone(
v='CVE-0000-00000',
category=["Phishing", "Fraud"],
sources=["test_ti_source"],
severity=80,
tags=["malware"],
download_from=1619527873,
download_to=1619627890,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
)
# via s
# This search key usually returns multiple responses.
# If you use 'getone', it will return first response from the TI.
received_group = bizone_ti.GroupManager(object_type=group_type).getone(
s='CVE-0000-00000',
category=["Phishing", "Fraud"],
sources=["test_ti_source"],
severity=80,
tags=["malware"],
download_from=1619527873,
download_to=1619627890,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
)
# via ss
# This search key usually returns multiple responses.
# If you use 'getone', it will return first response from the TI.
received_group = bizone_ti.GroupManager(object_type=group_type).getone(
ss='CVE-0000-00000',
category=["Phishing", "Fraud"],
sources=["test_ti_source"],
severity=80,
tags=["malware"],
download_from=1619527873,
download_to=1619627890,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
)received_group is an instance of one of the supported
GroupEntity types or NoneType.
đź“ť For group objects supports only vulnerability, malware, tool, adversary, general types.
There are five possibilities for getting several groups:
-
via group_id;
Description: Direct search for particular group.
Raw request to TI: Exampleđź“ť Searching with
group_idkey contains one response. Better useGet first (one) group. -
via v;
Description: Search by string.
Raw request to TI: Exampleđź“ť Searching with
vkey contains one response. Better useGet first (one) group. -
via s;
Description: Search by string in several fields depends on the group type.
Raw request to TI: Example -
via ss.
Description: Search by substring.
Raw request to TI: Example -
via only filters (good for searching all groups that match search filters).
đź“ť See usage of common_id, v, s and ss at Get first (one) group.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http sessiononly filters
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'adversary')
group_type = types.GroupTypes.adversary
# Search only with filters
received_groups = bizone_ti.GroupManager(object_type=group_type).get(
sources=["test"],
tags=["Other"],
download_from=1519527873,
download_to=1619627890,
limit=200,
cursor=None,
sort='desc',
removed_filter='not-removed',
ignore_timeout=True,
other_sources=False,
)received_groups is instance of bizone_ti.api.response.ResponseGenerator.
đź“ť For group objects supports only vulnerability, malware, tool, adversary, general types.
import uuid
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'adversary')
group_type = types.GroupTypes.adversary
new_adversary_group = {
"aliases": [],
"services": [],
"name": str(uuid.uuid4()),
"user_viewed": False,
"geo": [],
"threat_level": "",
"removed": True,
"date": 0,
"details": {},
"removed_manually": False,
"mitre_attack": [],
"source": "test",
"active_since": "",
"tlp": "green",
"victims": [],
"motivation_type": [],
"state": "new",
"description": "test description",
"tags": [],
"hidden": True,
"tools": [],
"industry": ["Other"],
"origin_country": [],
"ttps": [],
}
response = bizone_ti.GroupManager(object_type=group_type).add(
data=new_adversary_group,
convert_2_ti_object=True,
)response is instance of ti_response.Response.
đź“ť For group objects supports only vulnerability, malware, tool, adversary, general types.
There are two possibilities for getting linked objects (IOCs, groups, etc.) from a group
-
via GroupManager;
-
via GroupEntity (GroupAdversaryEntity, GroupGeneralEntity, GroupToolEntity, GroupMalwareEntity, GroupVulnerabilityEntity).
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'tool')
group_type = types.GroupTypes.tool
response = bizone_ti.GroupManager(object_type=group_type).linked(
group_id='ti_group_id', # group.id is tool:ti_group_id
cursor='',
limit=100,
removed=False, # unfortunately, doesn't work at TI
)response is instance of ti_reponse.ResponseGenerator.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'tool')
group_type = types.GroupTypes.tool
# The group is an instance of one of the supported GroupEntity types.
group = bizone_ti.GroupManager(object_type=group_type).getone(
group_id='ti_group_id' # group id is tool:ti_group_id
)
response = group.linked(
cursor='',
limit=100,
removed=False, # unfortunately, doesn't work at TI
)response is instance of ti_reponse.ResponseGenerator.
đź“ť For group objects supports only vulnerability, malware, tool, adversary, general types.
There are two possibilities for linking objects (IOCs, groups, etc.) to a group
-
via GroupManager;
-
via GroupEntity (GroupAdversaryEntity, GroupGeneralEntity, GroupToolEntity, GroupMalwareEntity, GroupVulnerabilityEntity).
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'tool')
group_type = types.GroupTypes.tool
response = bizone_ti.GroupManager(object_type=group_type).make_link(
group_id='ti_group_id', # group.id is tool:ti_group_id
object_ids=["ioc_type:ti_common_id", "ioc_type:ti_common_id_1"]
)response is instance of ti_reponse.Response.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'tool')
group_type = types.GroupTypes.tool
# The group is an instance of one of the supported GroupEntity types.
group = bizone_ti.GroupManager(object_type=group_type).getone(
group_id='ti_group_id') # group.id is tool:ti_group_id
response = group.make_link(
object_ids=["ioc_type:ti_common_id", "ioc_type:ti_common_id_1"]
)response is instance of ti_reponse.Response.
đź“ť For group objects supports only vulnerability, malware, tool, adversary, general types.
There are two possibilities for unlinking objects (IOCs, groups, etc.): from a group
-
via GroupManager;
-
via GroupEntity (GroupAdversaryEntity, GroupGeneralEntity, GroupToolEntity, GroupMalwareEntity, GroupVulnerabilityEntity).
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'tool')
group_type = types.GroupTypes.tool
response = bizone_ti.GroupManager(object_type=group_type).unlink(
group_id='ti_group_id', # group.id is tool:ti_group_id
object_ids=["ioc_type:ti_common_id", "ioc_type:ti_common_id_1"]
)response is instance of ti_reponse.Response.
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
# group_type can also be str (expl: group_type = 'tool')
group_type = types.GroupTypes.tool
# The group is an instance of one of the supported GroupEntity types.
group = bizone_ti.GroupManager(object_type=group_type).getone(
group_id='ti_group_id') # group.id is tool:ti_group_id
response = group.unlink(
object_ids=["ioc_type:ti_common_id",
"ioc_type:ti_common_id_1"]
)response is instance of ti_reponse.Response.
Direct Query (DQ) provides a HTTP interface for creating requests to the TI, including GET, POST, PATCH, PUT, and DELETE methods. Using DQ, you can construct any request to the TI as desired, but you won't receive object representations of the TI objects.
đź“ť Before using DQ, you need to set it up. For this purpose, you can use either bizone_ti.setup.DirectQueryConfig or bizone_ti.setup.TILibConfig. Warning: the configuration set with bizone_ti.setup.DirectQueryConfig will take priority over bizone_ti.setup.TILibConfig.
An examples how to use the Direct Query:
import bizone_ti
from bizone_ti import setup
from bizone_ti.dm.common import types
ioc_type = types.IoCTypes.url
common_id = "ti_common_id"
# Setup ti_url and api_key
ti_url = ''
api_key = ''
# setup api url and api key with DirectQueryConfig or TILibConfig
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response = dq.get(
uri='/'.join([
ti_url,
ioc_type.value,
common_id]
),
headers=None,
params=None,
)dq_response variable type is dict.
The dq_response variable contains the raw response from the TI.
status_code variable type is int.
import bizone_ti
from bizone_ti.api import response
from bizone_ti.dm.common import types
ioc_type = types.IoCTypes.url
params_for_dq_request = {
"q": '(!false_positive&(source=="some_ti_source"))',
"ignore-timeout": True,
"removed-filter": "not-removed",
"sort": "asc",
"other_sources": False,
"limit": 10,
}
# Setup ti_url and api_key
ti_url = ''
api_key = ''
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response = dq.get(
uri='/'.join([
ti_url,
ioc_type.value]
),
headers=None,
params=params_for_dq_request
)dq_response variable type is dict.
The dq_response variable contains the raw response from the TI.
import bizone_ti
from bizone_ti.api import response
from bizone_ti.dm.common import types
ioc_type = types.IoCTypes.url
new_ioc = {
"value": "http://url.url",
"services": [],
"user_viewed": True,
"hidden": True,
"mitre_phases": [],
"industry": ["Other"],
"removed": True,
"original_value": "http://url.url.test",
"ips": [],
"risk_score": 0,
"threat_name": [],
"source": "test",
"tlp": "green",
"tti_organization": "",
"description": "test description",
"tags": ["test"],
"confidence": 0,
"kc_phases": [],
"details": {},
"category": ["Other"],
"ttl": 0,
"first_seen": 0,
"last_seen": 0,
"false_positive": True,
}
# Setup ti_url and api_key
ti_url = ''
api_key = ''
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response = dq.post(
uri='/'.join([
ti_url,
ioc_type.value,
'add']),
headers=None,
params=None,
json=[new_ioc])dq_response variable type is dict.
The dq_response variable contains the raw response from the TI.
status_code variable type is int.
import bizone_ti
from bizone_ti.api import response
from bizone_ti.dm.common import types
group_type = types.GroupTypes.vulnerability
group_id = "ti_group_id"
# Setup ti_url and api_key
ti_url = ''
api_key = ''
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response = dq.patch(
uri='/'.join([ti_url, group_type.value, group_id]),
params=None,
headers=None,
json={
"description": "new test description."
}
)dq_response variable type is dict.
The dq_response variable contains the raw response from the TI.
status_code variable type is int.
import bizone_ti
from bizone_ti.api import response
from bizone_ti.dm.common import types
group_type = types.GroupTypes.vulnerability
group_id = "ti_group_id"
# Setup ti_url and api_key
ti_url = ''
api_key = ''
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response = dq.delete(
uri='/'.join([ti_url, group_type.value, group_id]),
params=None,
headers=None,
json=None
)dq_response variable type is str.
The dq_response variable contains the raw response from the TI.
status_code variable type is int.
A short examples of how to use the library.
import logging
import bizone_ti
from bizone_ti.dm.common import types
logger = logging.getLogger(__name__)
handler = logging.StreamHandler()
formatter = logging.Formatter(
'%(asctime)s %(name)s %(levelname)s %(message)s')
handler.setFormatter(formatter)
logger.setLevel(logging.INFO)
logger.addHandler(handler)
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
IOC_TYPE_2_MANAGER_MAP = {
'file': bizone_ti.IoCManager(object_type='file'),
'url': bizone_ti.IoCManager(object_type='url'),
'ipv4': bizone_ti.IoCManager(object_type='ipv4'),
'fqdn': bizone_ti.IoCManager(object_type='fqdn')
}
filters = {
"download_from": 5000,
"sources": [
"test_ti_source",
]
}
for ioc_type, ioc_manager in IOC_TYPE_2_MANAGER_MAP.items():
try:
logger.info('Start download iocs type %s', ioc_type)
iocs_generator = ioc_manager.get(
**filters
)
for ioc in iocs_generator:
logger.info('Find ioc %s', ioc.value)
except Exception as e:
logger.warning('HTTP error %s. Continue with next ioc_type', str(e))
import itertools
import bizone_ti
from bizone_ti.dm.common import types
ti_url = '' # ti url
api_key = '' # your api key
# setup http session
bizone_ti.setup.TIHTTPSessionConfig.setup(
http_proxy='', # set necessary http proxy
https_proxy='' # set necessary https proxy
)
# setup lib
bizone_ti.setup.TILibConfig.setup(ti_url=ti_url, api_key=api_key)
received_iocs = bizone_ti.IoCManager(object_type='url').get(sort='desc')
received_iocs.setup(pages_per_download=1)
top_iocs = list(itertools.islice(received_iocs, 100))
import bizone_ti
from bizone_ti.api import response
from bizone_ti.dm.common import types
group_type = types.GroupTypes.vulnerability
group_id = "ti_group_id"
# Setup ti_url and api_key
ti_url = ''
api_key = ''
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response = dq.get(
'/'.join([ti_url, group_type.value, group_id, 'files']),
)
dq_response variable type is list.
The dq_response variable contains the raw response from the TI.
status_code variable type is int.
import bizone_ti
from bizone_ti.api import response
from bizone_ti.dm.common import types
group_type = types.GroupTypes.adversary
group_id = "ti_group_id"
bytes_str = b'some_binary_data'
# Setup ti_url and api_key
ti_url = ''
api_key = ''
bizone_ti.setup.DirectQueryConfig.setup(ti_url=ti_url, api_key=api_key)
dq = bizone_ti.DirectQueryManager()
status_code, dq_response_upload = dq.post(
uri='/'.join(
[ti_url, 'files', 'upload']),
json={
"entities":
[
{"entity":"ti_group_type",
"id":"ti_group_id"}
],
"metadata":
{"file_name":"file_name.txt",
"content_type":"text/plain",
"description": "some description"}
}
)
status_code, dq_response = dq.post(
uri=dq_response_upload["upload_url"],
json=bytes_str
)
dq_response_upload variable type is dict.
The dq_response_upload variable contains the raw response from the TI.
dq_response variable type is empty.
The dq_response variable contains the raw response from the TI.
status_code variable type is int.