Python API Module for Threat Response APIs.
- Local
pip install --upgrade .
pip show threatresponse
- GitHub
pip install --upgrade git+https://github.com/CiscoSecurity/tr-05-api-module.git[@branch_name_or_release_version]
pip show threatresponse
- PyPi
pip install --upgrade threatresponse[==release_version]
pip show threatresponse
from threatresponse import ThreatResponse
client = ThreatResponse(
client_id='<YOUR TR CLIENT ID>', # required
client_password='<YOUR TR CLIENT PASSWORD>', # required
region='<YOUR TR REGION>', # optional
logger=<SOME LOGGER INSTANCE>, # optional
proxy='<SOME PROXY URL>', # optional
)
client_id
andclient_password
credentials must be taken from an existing API client for accessing the Cisco Threat Response APIs. The official documentation on how to create such a client can be found here. Make sure to properly set some scopes which will grant the client different (ideally minimum) privileges.region
must be one of:''
or'us'
(default),'eu'
,'apjc'
. Other regions are not supported yet.logger
must be an (already configured) instance of the built-inlogging.Logger
class (or one of its descendants).timeout
must be a number (int
orfloat
) meaning the default amount of time (in seconds) to wait for the server to send data before giving up and raising an exception. Can be overwritten by explicitly specifyingtimeout
on each call to any endpoint.proxy
must be a URL in the format:http[s]://[username[:password]@]host[:port]
.
- Inspect
Inspect allows to find an observable in a concrete string.
response = client.inspect.inspect({'content': 'example.com'})
- Observe
Observe returns summary for an observable.
response = client.enrich.observe.observables(
[{'type': 'sha256', 'value': '8A32950CD96C5EF88F9DCBB66A08F59A7E8D8E5FECCDE9E115FBAA46D9AF88F9'}]
)
- Deliberate
Deliberate returns judgments based on added modules.
response = client.enrich.deliberate.observables(
[{'type': 'sha256', 'value': '8A32950CD96C5EF88F9DCBB66A08F59A7E8D8E5FECCDE9E115FBAA46D9AF88F9'}]
)
For your convenience, we have made some predefined commands that you can use.
- Verdicts
Verdicts returns verdicts from all modules if the modules are configured. Accepts multiple observables.
response = client.commands.verdict(
'string with observables ("8A32950CD96C5EF88F9DCBB66A08F59A7E8D8E5FECCDE9E115FBAA46D9AF88F9, cisco.com")'
)
- Targets
Targets returns all available targets if the modules are configured. Accepts multiple observables.
response = client.commands.targets(
'string with observables ("8A32950CD96C5EF88F9DCBB66A08F59A7E8D8E5FECCDE9E115FBAA46D9AF88F9, cisco.com")'
)
Switch between .private_intel
and .global_intel
if necessary.
actor = client.private_intel.actor
Available methods:
- actor.post()
- actor.get()
- actor.put()
- actor.delete()
- actor.external_id()
- actor.search()
attack_pattern = client.private_intel.attack_pattern
Available methods:
- attack_pattern.post()
- attack_pattern.get()
- attack_pattern.put()
- attack_pattern.delete()
- attack_pattern.external_id()
- attack_pattern.search()
bulk = client.private_intel.bulk
Available methods:
- bulk.post()
- bulk.get()
bundle = client.private_intel.bundle
Available methods:
- bundle.export.post()
- bundle.export.get()
- bundle.import_.post()
campaign = client.private_intel.campaign
Available methods:
- campaign.post()
- campaign.get()
- campaign.put()
- campaign.delete()
- campaign.external_id()
- campaign.search()
casebook = client.private_intel.casebook
Available methods:
- casebook.post()
- casebook.get()
- casebook.put()
- casebook.delete()
- casebook.external_id()
- casebook.search()
- casebook.observables()
- casebook.texts()
- casebook.bundle()
- casebook.pathc()
coa = client.private_intel.coa
Available methods:
- coa.post()
- coa.get()
- coa.put()
- coa.delete()
- coa.external_id()
- coa.search()
data_table = client.private_intel.data_table
Available methods:
- data_table.post()
- data_table.get()
- data_table.delete()
- data_table.external_id()
enrich = client.enrich
Available methods:
- enrich.health()
- enrich.deliberate.observables()
- enrich.observe.observables()
- enrich.refer.observables()
event = client.private_intel.event
Available methods:
- event.history()
- event.search()
- event.get()
- event.delete()
feedback = client.private_intel.feedback
Available methods:
- feedback.post()
- feedback.get()
- feedback.delete()
- feedback.external_id()
- feedback.get(_id)
graph = client.private_intel.graphql
Available methods:
- graphql.post()
incident = client.private_intel.incident
Available methods:
- incident.post()
- incident.get()
- incident.put()
- incident.delete()
- incident.external_id()
- incident.search()
- incident.link()
- incident.status()
- incident.sightings.incidents()
- incident.patch()
indicator = client.private_intel.indicator
Available methods:
- indicator.post()
- indicator.get()
- indicator.put()
- indicator.delete()
- indicator.external_id()
- indicator.search()
- indicator.judgements.indicators()
- indicator.sightings.indicators()
inspect = client.inspect
Available methods:
- inspect.inspect()
investigation = client.private_intel.investigation
Available methods:
- investigation.post()
- investigation.get()
- investigation.put()
- investigation.delete()
- investigation.external_id()
- investigation.search()
judgment = client.private_intel.judgment
Available methods:
- judgment.post()
- judgment.get()
- judgment.put()
- judgment.delete()
- judgment.external_id()
- judgment.search()
- judgment.judgments()
malware = client.private_intel.malware
Available methods:
- malware.post()
- malware.get()
- malware.put()
- malware.delete()
- malware.external_id()
- malware.search()
metrics = client.private_intel.metrics
Available methods:
- metrics.get()
properties = client.private_intel.properties
Available methods:
- properties.get()
relationship = client.private_intel.relationship
Available methods:
- relationship.post()
- relationship.get()
- relationship.put()
- relationship.delete()
- relationship.external_id()
- relationship.search()
response = client.response
Available methods:
- response.respond.observables()
- response.respond.trigger()
sighting = client.private_intel.sighting
Available methods:
- sighting.post()
- sighting.get()
- sighting.put()
- sighting.delete()
- sighting.external_id()
- sighting.search()
- sighting.sightings()
status = client.private_intel.status
Available methods:
- status.get()
tool = client.private_intel.tool
Available methods:
- tool.post()
- tool.get()
- tool.put()
- tool.delete()
- tool.external_id()
- tool.search()
verdict = client.private_intel.verdict
Available methods:
- verdict.get()
version = client.private_intel.version
Available methods:
- version.get()
vulnerability = client.private_intel.vulnerability
Available methods:
- vulnerability.post()
- vulnerability.get()
- vulnerability.put()
- vulnerability.delete()
- vulnerability.external_id()
- vulnerability.search()
weakness = client.private_intel.weakness
Available methods:
- weakness.post()
- weakness.get()
- weakness.put()
- weakness.delete()
- weakness.external_id()
- weakness.search()