msticpy.context.tiproviders.http_provider module

HTTP TI Provider base.

Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing may require an API key, and request throughput may be limited to a specific number of requests per minute for the account type that you have.

class msticpy.context.tiproviders.http_provider.HttpTIProvider(**kwargs)

Bases: TIProvider, ABC

HTTP API Lookup provider base class.

Initialize a new instance of the class.

property ioc_query_defs: Dict[str, Any]

Return current dictionary of IoC query/request definitions.

Returns

IoC query/request definitions keyed by IoCType

Return type

Dict[str, Any]

classmethod is_known_type(ioc_type: str) -> bool

Return True if this is a known IoC type.

Parameters

ioc_type (str) – IoCType string to test

Returns

True if known type.

Return type

bool

is_supported_type(ioc_type: Union[str, IoCType]) -> bool

Return True if the passed type is supported.

Parameters

ioc_type (Union[str, IoCType]) – IoC type name or instance

Returns

True if supported.

Return type

bool

lookup_ioc(ioc: str, ioc_type: str = None, query_type: str = None, **kwargs) -> LookupResult

Lookup a single item.

Parameters
  • ioc (str) – Item value to lookup

  • ioc_type (str, optional) – The Type of the value to lookup, by default None (type will be inferred)

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified, the default record type for the item value is returned.

Returns

The lookup result:
  • result – Positive/Negative
  • details – Lookup details (or status if failure)
  • raw_result – Raw response
  • reference – URL of the item

Return type

LookupResult

Raises

NotImplementedError – If attempting to use an HTTP method or authentication protocol that is not supported.

Notes

Note: this method uses memoization (lru_cache) to cache results for a particular observable, to avoid repeated network calls for the same item.

lookup_iocs(data: Union[DataFrame, Dict[str, str], Iterable[str]], obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None, query_type: Optional[str] = None, **kwargs) -> DataFrame

Lookup collection of IoC observables.

Parameters
  • data (Union[pd.DataFrame, Dict[str, str], Iterable[str]]) – Data input in one of three formats:
    1. Pandas DataFrame (you must supply the column name in the obs_col parameter)
    2. Dict mapping observable to IoCType
    3. Iterable of observables (IoCTypes will be inferred)

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • ioc_type_col (str, optional) – DataFrame column to use for IoCTypes, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified, the default record type for the IoC type is returned.

Returns

DataFrame of results.

Return type

pd.DataFrame

async lookup_iocs_async(data: Union[DataFrame, Dict[str, str], Iterable[str]], obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None, query_type: Optional[str] = None, **kwargs) -> DataFrame

Lookup collection of IoC observables.

Parameters
  • data (Union[pd.DataFrame, Dict[str, str], Iterable[str]]) – Data input in one of three formats:
    1. Pandas DataFrame (you must supply the column name in the obs_col parameter)
    2. Dict mapping observable to IoCType
    3. Iterable of observables (IoCTypes will be inferred)

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • ioc_type_col (str, optional) – DataFrame column to use for IoCTypes, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified, the default record type for the IoC type is returned.

Returns

DataFrame of results.

Return type

pd.DataFrame

property name: str

Return the name of the provider.

abstract parse_results(response: LookupResult) -> Tuple[bool, ResultSeverity, Any]

Return the details of the response.

Parameters

response (LookupResult) – The returned data response

Returns

  • bool – positive or negative hit
  • ResultSeverity – enumeration of severity
  • Any – object with match details

Return type

Tuple[bool, ResultSeverity, Any]

static resolve_ioc_type(observable: str) -> str

Return IoCType determined by IoCExtract.

Parameters

observable (str) – IoC observable string

Returns

IoC Type (or unknown if type could not be determined)

Return type

str

property supported_types: List[str]

Return list of supported IoC types for this provider.

Returns

List of supported type names

Return type

List[str]

classmethod usage()

Print usage of provider.

class msticpy.context.tiproviders.http_provider.IoCLookupParams(path: str = '', verb: str = 'GET', full_url: bool = False, headers: Dict[str, str] = _Nothing.NOTHING, params: Dict[str, str] = _Nothing.NOTHING, data: Dict[str, str] = _Nothing.NOTHING, auth_type: str = '', auth_str: List[str] = _Nothing.NOTHING, sub_type: str = '')

Bases: object

IoC HTTP Lookup Params definition.

Method generated by attrs for class IoCLookupParams.

auth_str: List[str]
auth_type: str
data: Dict[str, str]
full_url: bool
headers: Dict[str, str]
params: Dict[str, str]
path: str
sub_type: str
verb: str
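The following is an added, stand-alone illustration of how the pieces documented above fit together (IoCLookupParams query definitions, request rendering, a parse_results implementation, the LookupResult fields, and the lru_cache memoization noted under lookup_ioc). It is example code, not msticpy's own implementation and does not import msticpy: the base URL, the "{observable}" and "{AuthKey}" placeholder convention, the fake HTTP transport, the response shape and the severity thresholds are all constructed assumptions for this sketch.

```python
"""Stand-alone sketch of the HttpTIProvider pattern (added example, not msticpy code).
BASE_URL, the "{observable}"/"{AuthKey}" placeholders, the response shape and the
severity thresholds are all constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from enum import IntEnum
from functools import lru_cache
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class IoCLookupParams:  # same field set as the documented IoCLookupParams
    path: str = ""
    verb: str = "GET"
    full_url: bool = False
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)
    data: Dict[str, str] = field(default_factory=dict)
    auth_type: str = ""
    auth_str: List[str] = field(default_factory=list)
    sub_type: str = ""


class ResultSeverity(IntEnum):
    information = 0
    warning = 1
    high = 2


@dataclass
class LookupResult:  # fields named after the lookup_ioc() return description
    ioc: str
    ioc_type: str
    result: bool
    details: Any
    raw_result: Any
    reference: str


BASE_URL = "https://ti.example.invalid"  # constructed, not a real provider
IOC_QUERIES: Dict[str, IoCLookupParams] = {  # what ioc_query_defs would hold
    "ipv4": IoCLookupParams(path="/v1/ip/{observable}", headers={"X-API-Key": "{AuthKey}"}),
    "dns": IoCLookupParams(path="/v1/domain/{observable}", headers={"X-API-Key": "{AuthKey}"}),
}


def resolve_ioc_type(observable: str) -> str:
    """Infer the IoC type; only ipv4 and dns are recognised here, else 'unknown'."""
    try:
        ipaddress.IPv4Address(observable)
        return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", observable.lower()):
        return "dns"
    return "unknown"


def build_request(params: IoCLookupParams, observable: str,
                  auth_key: str) -> Tuple[str, str, Dict[str, str]]:
    """Render a query definition into (verb, url, headers) for one observable."""
    url = params.path if params.full_url else BASE_URL + params.path
    url = url.format(observable=observable)
    headers = {k: v.format(AuthKey=auth_key) for k, v in params.headers.items()}
    return params.verb, url, headers


# Offline stand-in for the HTTP transport; records every call so memoization is observable.
FAKE_RESPONSES = {
    f"{BASE_URL}/v1/ip/203.0.113.7": {"detections": 6, "tags": ["scanner"]},
    f"{BASE_URL}/v1/domain/example.com": {"detections": 0, "tags": []},
}
CALLS: List[str] = []


def fake_http(verb: str, url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    CALLS.append(url)
    if headers.get("X-API-Key") != "test-key":
        return {"error": "unauthorized"}
    return FAKE_RESPONSES.get(url, {"detections": 0, "tags": []})


def parse_results(raw: Dict[str, Any]) -> Tuple[bool, ResultSeverity, Any]:
    """Map a raw response to (positive hit, severity, details); thresholds are constructed."""
    if "error" in raw:
        return False, ResultSeverity.information, {"status": raw["error"]}
    hits = int(raw.get("detections", 0))
    details = {"detections": hits, "tags": raw.get("tags", [])}
    if hits >= 5:
        return True, ResultSeverity.high, details
    if hits > 0:
        return True, ResultSeverity.warning, details
    return False, ResultSeverity.information, details


@lru_cache(maxsize=256)
def lookup_ioc(ioc: str, ioc_type: Optional[str] = None, auth_key: str = "test-key") -> LookupResult:
    """Look up one observable; cached per argument tuple for the life of the process."""
    ioc_type = ioc_type or resolve_ioc_type(ioc)
    params = IOC_QUERIES.get(ioc_type)
    if params is None:
        return LookupResult(ioc, ioc_type, False, {"status": "unsupported type"}, None, "")
    verb, url, headers = build_request(params, ioc, auth_key)
    raw = fake_http(verb, url, headers)
    positive, severity, details = parse_results(raw)
    details = dict(details, severity=severity.name)
    return LookupResult(ioc, ioc_type, positive, details, raw, url)
```

Because lookup_ioc is wrapped in lru_cache, a second call with the same arguments returns the stored LookupResult without touching the transport; a verdict that changes at the provider side will not be seen in the same process until the cache is cleared (lookup_ioc.cache_clear()), which is the practical consequence of the memoization note above.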