Script utilities, programming snippets, and configs for using the ThreatConnect API and analysis.
Solving intel, implementation, and data quality problems commonly encountered in ThreatConnect data. TC documentation (as with much vendor documentation) does not necessarily provide many higher-level examples of how to use the API to solve actual TI and data quality problems.
Some inconsistencies in the TcEx python API interface that I aim to address or at least document in this project:

- `items.many()` returns a more generic, accessible data object, while `.single()` (for getting a specific indicator or group) returns a response object that has to be accessed through one of the following python `requests` object properties: `response.text` or `response.json()`.
- Specific indicators can be accessed either by `ti.indicator()` with a `unique_id` or by `ti.<indicator_type>()` with an `<indicator_type>=` keyword arg; the keyword arg should be consistent.
Handle potential network exception on retrieving items with `.many()`:

```python
import requests

try:
    for group in groups.many(params=parameters):
        # print(group)
        # Do stuff here
        pass
except Exception as e:
    print("Error retrieving from TC API: ", repr(e))
```

```python
# handle connection timeout, conn errors from requests module
try:
    response = ti.create()
except requests.exceptions.ConnectionError as e:
    print("Error creating object in TC:", e)
```

```python
# handle stupid tcex 2.0.x keyword arg change
# https://github.com/ThreatConnect-Inc/tcex/issues/122
# compare the version numerically: a plain string compare would sort "10.0" before "2.0"
tcex_major_minor = tuple(int(p) for p in tcex.__version__.split(".")[:2])
if tcex_major_minor < (2, 0):
    ti = tc.ti.indicator(indicator_type='URL', owner=owner, url=indicator)  # , confidence=confidence, rating=threat_rating)
else:
    ti = tc.ti.indicator(indicator_type='URL', owner=owner, text=indicator)  # , confidence=confidence, rating=threat_rating)
try:
    response = ti.create()
except requests.exceptions.ConnectionError as e:
    print("Error creating TC URL", e)
```
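The following is an added example, not code from this project or from TcEx, that pulls the three points above together: it unwraps the `requests`-style response from `.single()` into the plain dict shape that `.many()` yields, drains a `.many()` generator while keeping whatever was retrieved before a network error, and picks the `url=`/`text=` keyword for a URL indicator with a numeric version compare instead of the string compare in the snippet. It assumes the TC v2 JSON envelope `{"status": "Success", "data": {"<type>": {...}}}`, that the `requests` connection and timeout errors are `IOError`/`OSError` subclasses (so `except OSError` covers them without importing `requests` here), and that TcEx before 2.0 took `url=` while 2.0 and later take `text=`. `FakeResponse` and `_failing_many` are constructed stand-ins so the example runs offline.

```python
"""Helpers around the TcEx quirks noted in this README (added example, not project code)."""
import re
from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.0.15' or '1.1.0rc2' into (2, 0, 15) / (1, 1, 0).

    A numeric tuple compares correctly where a string compare does not
    ('10.0' < '2.0' is True for strings).
    """
    parts: List[int] = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)  # leading digits only, drop 'rc2' etc.
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def url_indicator_kwargs(tcex_version: str, owner: str, url: str) -> Dict[str, str]:
    """Keyword args for tc.ti.indicator() when creating a URL indicator.

    Assumption: the value kwarg was url= before TcEx 2.0 and text= afterwards
    (https://github.com/ThreatConnect-Inc/tcex/issues/122).
    """
    kwargs = {"indicator_type": "URL", "owner": owner}
    kwargs["url" if parse_version(tcex_version) < (2, 0, 0) else "text"] = url
    return kwargs


def normalize_single_response(response: Any) -> Optional[Dict[str, Any]]:
    """Unwrap the Response from .single() into the dict shape .many() yields.

    Returns None on HTTP failure, a non-JSON body, or a non-Success envelope,
    so callers see one shape whichever access path they used.
    """
    if response is None or getattr(response, "status_code", 0) != 200:
        return None
    try:
        body = response.json()
    except ValueError:
        return None
    if not isinstance(body, dict) or body.get("status") != "Success":
        return None
    data = body.get("data")
    # Assumed v2 envelope keys the payload by type, e.g. {"url": {...}}; unwrap it.
    if isinstance(data, dict) and len(data) == 1:
        inner = next(iter(data.values()))
        if isinstance(inner, dict):
            return inner
    return data if isinstance(data, dict) else None


def collect_many(items: Iterable[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], Optional[str]]:
    """Drain a .many() generator, returning (results, error_message).

    Network failures surface mid-iteration, so the partial results gathered
    before the failure are kept rather than thrown away with the exception.
    """
    results: List[Dict[str, Any]] = []
    try:
        for item in items:
            results.append(item)
    except OSError as exc:  # requests ConnectionError/Timeout subclass IOError
        return results, f"Error retrieving from TC API: {exc!r}"
    return results, None


class FakeResponse:
    """Constructed stand-in for requests.Response (example only, no network)."""

    def __init__(self, status_code: int, payload: Any):
        self.status_code = status_code
        self._payload = payload

    def json(self) -> Any:
        if isinstance(self._payload, Exception):  # simulate a non-JSON body
            raise self._payload
        return self._payload


def _failing_many() -> Iterator[Dict[str, Any]]:
    """Constructed generator: yields two groups, then fails like a dropped connection."""
    yield {"id": 1, "name": "group-a"}
    yield {"id": 2, "name": "group-b"}
    raise ConnectionError("connection reset by peer")


if __name__ == "__main__":
    print(url_indicator_kwargs("1.1.0", "Demo Org", "http://example.com/path"))
    print(url_indicator_kwargs("2.0.15", "Demo Org", "http://example.com/path"))
    ok = FakeResponse(200, {"status": "Success", "data": {"url": {"id": 7, "text": "http://example.com/path"}}})
    print(normalize_single_response(ok))
    print(normalize_single_response(FakeResponse(404, {"status": "Failure"})))
    print(collect_many(_failing_many()))
```

`collect_many` deliberately returns the partial list together with the error string rather than raising, because in a sync job the groups fetched before the connection dropped are usually still worth processing; the caller decides whether a non-`None` error means retry or abort.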