{"basic_builder": {"appname": "TA-abusech", "friendly_name": "Add-on for AbuseCH", "version": "1.0.1", "author": "Maksym Varnakov", "description": "Collection of modular inputs to fetch data from AbuseCH MalwareBazaar, URLhaus, and ThreatFox. Note: as shipped, every input calls the abuse.ch APIs with TLS certificate verification disabled (verify=False in send_http_request), which lets an on-path attacker tamper with the threat-intel feed; enable certificate verification before relying on this data in production.", "theme": "#65A637", "large_icon": "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", "small_icon": "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", "visible": true, "tab_version": "4.2.0", "tab_build_no": "0", "build_no": 3}, "data_input_builder": {"datainputs": [{"index": "default", "sourcetype": "abusech:urlhausurl", "interval": "1800", "use_external_validation": true, "streaming_mode_xml": true, "name": "abusech_urlhausurl", "title": "AbuseCH URLhaus URLs", "description": "", "type": "customized", "parameters": [{"name": "note_about_collect_interval", "label": "Note about Collect Interval", "help_string": "Collect interval should be more than 5 minutes to avoid IP block but less than 3 days due to API limitations", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}], "data_inputs_options": [{"type": "customized_var", "name": "note_about_collect_interval", "title": "Note about Collect Interval", "description": "Collect interval should be more than 5 minutes to avoid IP block but less than 3 days due to API limitations", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}], "code": "# encoding = utf-8\n\nimport json\nimport time\nfrom datetime import datetime\n\n\ndef validate_input(helper, definition):\n interval = definition.parameters.get(\"interval\")\n interval = int(interval)\n if interval < 5*60 or interval > 3*24*60*60:\n raise ValueError(\"Collect interval must be within 5 minutes and 3 days\")\n\n\ndef collect_events(helper, ew):\n loglevel = helper.get_log_level()\n helper.set_log_level(loglevel)\n run_time = time.time()\n\n url_base = \"https://urlhaus-api.abuse.ch\"\n url_endpoint = 
\"/v1/urls/recent/\"\n check_point_key = helper.get_input_stanza_names()\n\n is_proxy = False\n if helper.get_proxy():\n is_proxy = True\n\n start_time = None\n last_ran = helper.get_check_point(check_point_key)\n if not last_ran:\n start_time = datetime.fromtimestamp(0)\n helper.log_info(\"Fetching URLhaus URLs for the last 3 days\")\n else:\n start_time = datetime.fromtimestamp(last_ran)\n helper.log_info(f\"Fetching URLhaus URLs since {start_time} UTC\")\n\n url = url_base + url_endpoint\n resp = helper.send_http_request(\n url,\n \"GET\",\n parameters=None,\n payload=None,\n headers=None,\n timeout=30,\n verify=False,\n use_proxy=is_proxy,\n )\n resp.raise_for_status()\n respdata = resp.json()[\"urls\"]\n\n helper.log_info(f\"Parsing {len(respdata)} URLhaus URLs events\")\n for event in respdata:\n ioc_time = datetime.strptime(event[\"date_added\"], \"%Y-%m-%d %H:%M:%S UTC\")\n if ioc_time < start_time:\n continue\n\n e = helper.new_event(\n data=json.dumps(event),\n source=helper.get_input_type(),\n index=helper.get_output_index(),\n sourcetype=helper.get_sourcetype(),\n done=True,\n )\n ew.write_event(e)\n\n helper.save_check_point(check_point_key, run_time)\n", "customized_options": [{"name": "note_about_collect_interval", "value": true}], "uuid": "421988764d0a474b83761110ca703679", "sample_count": 0}, {"index": "default", "sourcetype": "abusech:threatfox", "interval": "1800", "use_external_validation": true, "streaming_mode_xml": true, "name": "abusech_threatfox", "title": "AbuseCH ThreatFox", "description": "", "type": "customized", "parameters": [{"required": false, "name": "note_about_collect_interval", "label": "Note about Collect Interval", "default_value": true, "help_string": "Collect interval should be more than 5 minutes to avoid IP block but less than 3 days due to API limitations", "type": "checkbox", "format_type": "checkbox", "value": true}], "data_inputs_options": [{"type": "customized_var", "name": "note_about_collect_interval", "title": 
"Note about Collect Interval", "description": "Collect interval should be more than 5 minutes to avoid IP block but less than 3 days due to API limitations", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}], "customized_options": [{"name": "note_about_collect_interval", "value": true}], "code": "# encoding = utf-8\n\nimport json\nimport time\nfrom datetime import datetime\n\n\ndef validate_input(helper, definition):\n interval = definition.parameters.get(\"interval\")\n interval = int(interval)\n if interval < 5*60 or interval > 3*24*60*60:\n raise ValueError(\"Collect interval must be within 5 minutes and 3 days\")\n\n\ndef collect_events(helper, ew):\n loglevel = helper.get_log_level()\n helper.set_log_level(loglevel)\n run_time = time.time()\n\n url_base = \"https://threatfox-api.abuse.ch\"\n url_endpoint = \"/api/v1/\"\n check_point_key = helper.get_input_stanza_names()\n is_proxy = False\n if helper.get_proxy():\n is_proxy = True\n\n fetch_days = 3\n start_time = None\n last_ran = helper.get_check_point(check_point_key)\n if not last_ran:\n start_time = datetime.fromtimestamp(0)\n helper.log_info(f\"Fetching ThreatFox data for the last {fetch_days} days\")\n else:\n start_time = datetime.fromtimestamp(last_ran)\n helper.log_info(f\"Fetching ThreatFox data since {start_time} UTC\")\n\n body = {}\n body[\"days\"] = fetch_days\n body[\"query\"] = \"get_iocs\"\n headers = {\"Content-Type\": \"application/json\"}\n url = url_base + url_endpoint\n resp = helper.send_http_request(\n url,\n \"POST\",\n parameters=None,\n payload=json.dumps(body),\n headers=headers,\n timeout=30,\n verify=False,\n use_proxy=is_proxy,\n )\n resp.raise_for_status()\n respdata = resp.json()[\"data\"]\n\n helper.log_info(f\"Parsing {len(respdata)} ThreatFox events\")\n for event in respdata:\n ioc_time = datetime.strptime(event[\"first_seen\"], \"%Y-%m-%d %H:%M:%S UTC\")\n if ioc_time < start_time:\n continue\n\n e = 
helper.new_event(\n data=json.dumps(event),\n source=helper.get_input_type(),\n index=helper.get_output_index(),\n sourcetype=helper.get_sourcetype(),\n done=True,\n )\n ew.write_event(e)\n \n helper.save_check_point(check_point_key, run_time)\n", "uuid": "f2c24ace879d42bda9949a67ab6ae384", "sample_count": "574"}, {"index": "default", "sourcetype": "abusech:urlhauspayload", "interval": "1800", "use_external_validation": true, "streaming_mode_xml": true, "name": "abusech_urlhauspayload", "title": "AbuseCH URLhaus Payloads", "description": "", "type": "customized", "parameters": [{"name": "note_about_collect_interval", "label": "Note about Collect Interval", "help_string": "Collect interval should be more than 5 minutes to avoid IP block but less than 3 days due to API limitations", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}], "data_inputs_options": [{"type": "customized_var", "name": "note_about_collect_interval", "title": "Note about Collect Interval", "description": "Collect interval should be more than 5 minutes to avoid IP block but less than 3 days due to API limitations", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}], "code": "# encoding = utf-8\n\nimport json\nimport time\nfrom datetime import datetime\n\n\ndef validate_input(helper, definition):\n interval = definition.parameters.get(\"interval\")\n interval = int(interval)\n if interval < 5*60 or interval > 3*24*60*60:\n raise ValueError(\"Collect interval must be within 5 minutes and 3 days\")\n\ndef collect_events(helper, ew):\n loglevel = helper.get_log_level()\n helper.set_log_level(loglevel)\n run_time = time.time()\n\n url_base = \"https://urlhaus-api.abuse.ch\"\n url_endpoint = \"/v1/payloads/recent/\"\n check_point_key = helper.get_input_stanza_names()\n\n is_proxy = False\n if helper.get_proxy():\n is_proxy = True\n\n start_time = None\n last_ran = 
helper.get_check_point(check_point_key)\n if not last_ran:\n start_time = datetime.fromtimestamp(0)\n helper.log_info(\"Fetching URLhaus Payloads for the last 3 days\")\n else:\n start_time = datetime.fromtimestamp(last_ran)\n helper.log_info(f\"Fetching URLhaus Payloads since {start_time} UTC\")\n\n headers = {\"Content-Type\": \"application/json\"}\n url = url_base + url_endpoint\n resp = helper.send_http_request(\n url,\n \"GET\",\n parameters=None,\n payload=None,\n headers=None,\n timeout=30,\n verify=False,\n use_proxy=is_proxy,\n )\n resp.raise_for_status()\n respdata = resp.json()[\"payloads\"]\n\n helper.log_info(f\"Parsing {len(respdata)} URLhaus Payloads events\")\n for event in respdata:\n ioc_time = datetime.strptime(event[\"firstseen\"], \"%Y-%m-%d %H:%M:%S\")\n if ioc_time < start_time:\n continue\n\n e = helper.new_event(\n data=json.dumps(event),\n source=helper.get_input_type(),\n index=helper.get_output_index(),\n sourcetype=helper.get_sourcetype(),\n done=True,\n )\n ew.write_event(e)\n\n helper.save_check_point(check_point_key, run_time)\n", "customized_options": [{"name": "note_about_collect_interval", "value": true}], "uuid": "bea1c4c55b5d45e68df98aa7c46b3c85", "sample_count": 0}, {"index": "default", "sourcetype": "abusech:malwarebazaar", "interval": "1800", "use_external_validation": true, "streaming_mode_xml": true, "name": "abusech_malwarebazaar", "title": "AbuseCH MalwareBazaar", "description": "", "type": "customized", "parameters": [{"name": "note_about_collect_interval", "label": "Note about Collect Interval", "help_string": "Collect interval should be more than 5 minutes to avoid IP block and less than 60 minutes due to MalwareBazaar API limitations", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}], "data_inputs_options": [{"type": "customized_var", "name": "note_about_collect_interval", "title": "Note about Collect Interval", "description": "Collect interval should be more 
than 5 minutes to avoid IP block and less than 60 minutes due to MalwareBazaar API limitations", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}], "code": "# encoding = utf-8\n\nimport json\nimport time\nfrom datetime import datetime\n\n\ndef validate_input(helper, definition):\n interval = definition.parameters.get(\"interval\")\n interval = int(interval)\n if interval < 5*60 or interval > 60*60:\n raise ValueError(\"Collect interval must be within 5 and 60 minutes\")\n\n\ndef collect_events(helper, ew):\n loglevel = helper.get_log_level()\n helper.set_log_level(loglevel)\n run_time = time.time()\n\n url_base = \"https://mb-api.abuse.ch\"\n url_endpoint = \"/api/v1/\"\n check_point_key = helper.get_input_stanza_names()\n\n is_proxy = False\n if helper.get_proxy():\n is_proxy = True\n\n start_time = None\n last_ran = helper.get_check_point(check_point_key)\n if not last_ran:\n start_time = datetime.fromtimestamp(0)\n helper.log_info(\"Fetching MalwareBazaar data for the last 60 minutes\")\n else:\n start_time = datetime.fromtimestamp(last_ran)\n helper.log_info(f\"Fetching MalwareBazaar data since {start_time} UTC\")\n\n headers = {\"Content-Type\": \"application/x-www-form-urlencoded\"}\n body = \"selector=time&query=get_recent\"\n url = url_base + url_endpoint\n resp = helper.send_http_request(\n url,\n \"POST\",\n parameters=None,\n payload=body,\n headers=headers,\n timeout=30,\n verify=False,\n use_proxy=is_proxy,\n )\n resp.raise_for_status()\n respdata = resp.json()[\"data\"]\n\n helper.log_info(f\"Parsing {len(respdata)} MalwareBazaar events\")\n for event in respdata:\n ioc_time = datetime.strptime(event[\"first_seen\"], \"%Y-%m-%d %H:%M:%S\")\n if ioc_time < start_time:\n continue\n\n e = helper.new_event(\n data=json.dumps(event),\n source=helper.get_input_type(),\n index=helper.get_output_index(),\n sourcetype=helper.get_sourcetype(),\n done=True,\n )\n ew.write_event(e)\n\n 
helper.save_check_point(check_point_key, run_time)\n", "customized_options": [{"name": "note_about_collect_interval", "value": true}], "uuid": "8ba340be11064a9daf262f595e1f63a7", "sample_count": 0}]}, "field_extraction_builder": {"abusech:threatfox": {"data_format": "json"}, "abusech:urlhauspayload": {"data_format": "json"}, "abusech:urlhausurl": {"data_format": "json"}, "abusech:malwarebazaar": {"data_format": "json"}}, "global_settings_builder": {"global_settings": {"proxy_settings": {"proxy_type": "http"}, "log_settings": {"log_level": "DEBUG"}}}, "sourcetype_builder": {"abusech:threatfox": {"metadata": {"event_count": 0, "data_input_name": "abusech_threatfox", "extractions_count": 0, "cims_count": 0}}, "abusech:urlhausurl": {"metadata": {"event_count": 0, "data_input_name": "abusech_urlhausurl", "extractions_count": 0, "cims_count": 0}}, "abusech:urlhauspayload": {"metadata": {"event_count": 0, "data_input_name": "abusech_urlhauspayload", "extractions_count": 0, "cims_count": 0}}, "abusech:malwarebazaar": {"metadata": {"event_count": 0, "data_input_name": "abusech_malwarebazaar", "extractions_count": 0, "cims_count": 0}}}, "validation": {"validators": ["best_practice_validation", "data_model_mapping_validation", "field_extract_validation", "app_cert_validation"], "status": "job_finished", "validation_id": "v_1728425071_80", "progress": 1.0}}