Is there no way to do the comparison of the indicator in front of the system without downloading every time 5000 indicators in json format and so on? #631

NSH531 · 2022-04-28T06:10:37Z

NSH531
Apr 28, 2022

** Describe the bug **
No way to make the comparison between the indicators and the system on the server side?
To Reproduce
Steps to reproduce the behavior.
** Expected Behavior **
Charging 5000 indicators at a time
** Environment (please fill in the following information): **
Operating system: WIN 10

Python: 3.9
FalconPy: 0.7.1

** More context **

Attached is code:

falcon = falconpy.APIHarness(client_id="blah", client_secret="BLAH")

        BODY = {
        "ids": [indic]
        }
        x1q=[indic]
        response3 = falcon.command("QueryIntelIndicatorEntities",
                          limit=5000,
                          offset=5000*n,
                          filter=f"indicator:{x1q}"
                                                    )

        li=[]       
        x=y.conn()["body"]
        x1=x["resources"]

        for i in x1:

            cond=(indic == i["indicator"])
            
            li.append(cond)
            if(cond):
                return "<h1 style='font-family:Cursive;' color='#008080'>found "+indic+"</h1>"
            elif (n>2000):
                return str(n)
        return y.conn1(indic,n=n+1)

    @app.route("/logon",methods =["GET"])
    def LOGON():
        X="""
                <FORM action="/batch" method="get" >indicator

            <textarea  type="textarea" rows="4" cols="50" name="indicator" id="indicator"></textarea ><HR>
        <InpuT TYPE=SUBMIT>
        </FORM>
        """
        return X
        
    

    def i1ter(i):
        t=[]
        for ix in  i:
            t.append(ix)
        return (str(t))

    @app.route("/batch")
    def b():
                form =request.form
                axis="<br>"
                asx=0
                i = request.args.get('indicator')
                i=i.split("\r")
                j=[]
                j.append(i[0])          
                for t in i[1:]:
                    t=t.split("\n")[1]
                    j.append(t)    

                for x in j:
                    axis=axis+y.conn1(x,asx)
                    axis=axis+"<br>"
                return  axis

    @app.route("/indicators/",methods=["POST","GET"])
    def conn():


        falcon = falconpy.APIHarness(client_id="BLAH",                    client_secret="blah"
                    )

        
        response3 = falcon.command("QueryIntelIndicatorEntities",
                          limit=500
                                                    )

       # response = falcon.command("GetIntelIndicatorEntities", body=BODY)
       # response_ioc=falcon.command("indicator_get_v1",ids=indic)              
        #resp=""
        #for i in response:
         #   resp=resp+i+"<hr>"
            
        
        li=[]
        #response1 = falcon.command("GetIntelReportPDF", id=indic)
        jsonStr = json.dumps(response3)
      
        return(response3)

netanel

Answered by jshcodes

Apr 28, 2022

Hi @NSH531 -

If you format the indicators you have to match the expected format (example: hash_md5_da36586c60acce187c1a4b3f5f61e603) you would be able to feed these straight to the GetIntelIndicatorEntities operation. What's nice about this solution, is you'll get a separate JSON branch for just errors (i.e. Indicators that are not found.)

This operation supports a maximum of 1000 IDs in this scenario.

Example

from falconpy import APIHarness

falcon = APIHarness(client_id="ID HERE", client_secret="SECRET HERE"))

INDICATORS_TO_FIND = ['hash_md5_67f27c919fcf3a9db09bbcfef0cb1f1b',
                      'hash_md5_da36586c60acce187c1wontexist',
                      'hash_md5_thisonewontexi…

View full answer

jshcodes · 2022-04-28T15:28:46Z

jshcodes
Apr 28, 2022
Maintainer

Hi @NSH531 -

If you format the indicators you have to match the expected format (example: hash_md5_da36586c60acce187c1a4b3f5f61e603) you would be able to feed these straight to the GetIntelIndicatorEntities operation. What's nice about this solution, is you'll get a separate JSON branch for just errors (i.e. Indicators that are not found.)

This operation supports a maximum of 1000 IDs in this scenario.

Example

from falconpy import APIHarness

falcon = APIHarness(client_id="ID HERE", client_secret="SECRET HERE"))

INDICATORS_TO_FIND = ['hash_md5_67f27c919fcf3a9db09bbcfef0cb1f1b',
                      'hash_md5_da36586c60acce187c1wontexist',
                      'hash_md5_thisonewontexisteither'
                      ]

results = falcon.command("GetIntelIndicatorEntities", body={"ids": INDICATORS_TO_FIND})

Which should give you a result somewhere along the lines of:

{
    "meta": {
        "query_time": 0.003758646,
        "pagination": {
            "offset": 0,
            "limit": 1,
            "total": 1
        },
        "powered_by": "msa-api",
        "trace_id": "8c90726e-ae72-492f-a084-b11934f32876"
    },
    "resources": [
        {
            "id": "hash_md5_67f27c919fcf3a9db09bbcfef0cb1f1b",
            "indicator": "67f27c919fcf3a9db09bbcfef0cb1f1b",
            "type": "hash_md5",
            "deleted": false,
            "published_date": 1649214283,
            "last_updated": 1649328871,
            "reports": [],
            "actors": [],
            "malware_families": [
                "XORDDoS"
            ],
            "kill_chains": [],
            "ip_address_types": [],
            "domain_types": [],
            "malicious_confidence": "high",
            "_marker": "1649328871d9d3cbe639cee4d2299ecd1510ba7103",
            "labels": [
                {
                    "name": "MaliciousConfidence/High",
                    "created_on": 1649214283,
                    "last_valid_on": 1649328871
                },
                {
                    "name": "Malware/XORDDoS",
                    "created_on": 1649214286,
                    "last_valid_on": 1649214286
                }
            ],
            "relations": [
                {
                    "id": "hash_sha256_e68f5b862c78b2248d112b9b291cd582ef0bd7afe71be3130e8eb6f025e8be16",
                    "indicator": "e68f5b862c78b2248d112b9b291cd582ef0bd7afe71be3130e8eb6f025e8be16",
                    "type": "hash_sha256",
                    "created_date": 1649214283,
                    "last_valid_date": 1649214283
                },
                {
                    "id": "hash_sha1_1baeefc03b77ea0279b51d5a3e5d333cc6b3139a",
                    "indicator": "1baeefc03b77ea0279b51d5a3e5d333cc6b3139a",
                    "type": "hash_sha1",
                    "created_date": 1649214283,
                    "last_valid_date": 1649214283
                }
            ],
            "targets": [],
            "threat_types": [],
            "vulnerabilities": []
        }
    ],
    "errors": [
        {
            "code": 404,
            "message": "Not Found",
            "id": "hash_md5_da36586c60acce187c1wontexist"
        },
        {
            "code": 404,
            "message": "Not Found",
            "id": "hash_md5_thisonewontexisteither"
        }
    ]
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is there no way to do the comparison of the indicator in front of the system without downloading every time 5000 indicators in json format and so on? #631

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Is there no way to do the comparison of the indicator in front of the system without downloading every time 5000 indicators in json format and so on? #631

NSH531 Apr 28, 2022

Example

Replies: 1 comment

jshcodes Apr 28, 2022 Maintainer

Example

NSH531
Apr 28, 2022

jshcodes
Apr 28, 2022
Maintainer