|
| 1 | +{ |
| 2 | + "cells": [ |
| 3 | + { |
| 4 | + "cell_type": "markdown", |
| 5 | + "source": [ |
| 6 | + "# TAXII Feed Data Filtering\n", |
| 7 | + "This notebook demonstrates useful ways of filtering out specific malware indicator data from the ReversingLabs TAXII Feed collections.\n", |
| 8 | + "Currently, our TAXII Feed as a STIX object feed for our Ransomware Indicators Feed and our Flexible Intel Feeds service." |
| 9 | + ], |
| 10 | + "metadata": { |
| 11 | + "collapsed": false |
| 12 | + }, |
| 13 | + "id": "2783b37f79b1d18e" |
| 14 | + }, |
| 15 | + { |
| 16 | + "cell_type": "markdown", |
| 17 | + "source": [ |
| 18 | + "### Used Spectra Intelligence classes\n", |
| 19 | + "- **TAXIIFeed**\n", |
| 20 | + "\n", |
| 21 | + "### Credentials\n", |
| 22 | + "Credentials are loaded from a local file instead of being written here in plain text.\n", |
| 23 | + "To learn how to creat the credentials file, see the **Storing and using the credentials** section in the [README file](./README.md)" |
| 24 | + ], |
| 25 | + "metadata": { |
| 26 | + "collapsed": false |
| 27 | + }, |
| 28 | + "id": "6d0652bd818ab8b5" |
| 29 | + }, |
| 30 | + { |
| 31 | + "cell_type": "code", |
| 32 | + "execution_count": 20, |
| 33 | + "outputs": [], |
| 34 | + "source": [ |
| 35 | + "import json\n", |
| 36 | + "from datetime import datetime, timedelta\n", |
| 37 | + "from ReversingLabs.SDK.ticloud import TAXIIFeed\n", |
| 38 | + "\n", |
| 39 | + "\n", |
| 40 | + "CREDENTIALS = json.load(open(\"credentials.json\"))\n", |
| 41 | + "USERNAME = CREDENTIALS.get(\"ticloud\").get(\"username\")\n", |
| 42 | + "PASSWORD = CREDENTIALS.get(\"ticloud\").get(\"password\")\n", |
| 43 | + "USER_AGENT = json.load(open('../user_agent.json'))[\"user_agent\"]\n", |
| 44 | + "\n", |
| 45 | + "\n", |
| 46 | + "taxii = TAXIIFeed(\n", |
| 47 | + " host=\"https://data.reversinglabs.com\",\n", |
| 48 | + " username=USERNAME,\n", |
| 49 | + " password=PASSWORD,\n", |
| 50 | + " user_agent=USER_AGENT\n", |
| 51 | + ")" |
| 52 | + ], |
| 53 | + "metadata": { |
| 54 | + "collapsed": false, |
| 55 | + "ExecuteTime": { |
| 56 | + "end_time": "2025-06-18T22:38:53.663257084Z", |
| 57 | + "start_time": "2025-06-18T22:38:53.656988541Z" |
| 58 | + } |
| 59 | + }, |
| 60 | + "id": "1ff824581216504c" |
| 61 | + }, |
| 62 | + { |
| 63 | + "cell_type": "markdown", |
| 64 | + "source": [ |
| 65 | + "## Latest CobaltStrike indicators with high confidence from Ransomware Feed data\n", |
| 66 | + "We will now fetch Ransomware Feed data from the last 30 days of time and filter out CobaltStrike indicators with confidence level of 80 or more." |
| 67 | + ], |
| 68 | + "metadata": { |
| 69 | + "collapsed": false |
| 70 | + }, |
| 71 | + "id": "a1665c06982f4851" |
| 72 | + }, |
| 73 | + { |
| 74 | + "cell_type": "code", |
| 75 | + "execution_count": null, |
| 76 | + "outputs": [], |
| 77 | + "source": [ |
| 78 | + "discovery_response = taxii.discovery_info()\n", |
| 79 | + "print(discovery_response.text)" |
| 80 | + ], |
| 81 | + "metadata": { |
| 82 | + "collapsed": false |
| 83 | + }, |
| 84 | + "id": "5c12386779237dbe" |
| 85 | + }, |
| 86 | + { |
| 87 | + "cell_type": "markdown", |
| 88 | + "source": [ |
| 89 | + "The response output of the `discovery_info` method will list the API roots to which your username has access.\n", |
| 90 | + "In this example, we will work with the `ransomware-api-root` API root which holds full Ransomware Indicators Feed data. You can also work with the lite version of that data found in the `ransomware-lite` API root." |
| 91 | + ], |
| 92 | + "metadata": { |
| 93 | + "collapsed": false |
| 94 | + }, |
| 95 | + "id": "c9859e96580b9c27" |
| 96 | + }, |
| 97 | + { |
| 98 | + "cell_type": "code", |
| 99 | + "execution_count": null, |
| 100 | + "outputs": [], |
| 101 | + "source": [ |
| 102 | + "api_root_info = taxii.api_root_info(\"ransomware-api-root\")\n", |
| 103 | + "print(api_root_info.text)\n", |
| 104 | + "\n", |
| 105 | + "collection_info = taxii.collections_info(\"ransomware-api-root\")\n", |
| 106 | + "print(collection_info.text)" |
| 107 | + ], |
| 108 | + "metadata": { |
| 109 | + "collapsed": false |
| 110 | + }, |
| 111 | + "id": "a3499cd9d3ab3b8e" |
| 112 | + }, |
| 113 | + { |
| 114 | + "cell_type": "markdown", |
| 115 | + "source": [ |
| 116 | + "Now that we see that our `ransomware-api-root` holds a collection with the id `f0997a32-b823-562d-9856-c754ac5e1159`, we can use that collection for fetching STIX data.\n", |
| 117 | + "We will set `max_results` to 500 to limit our data output because 30 days of data can be a lot.\n", |
| 118 | + "You can always adjust the starting date and the maximum number of returned results.\n", |
| 119 | + "\n", |
| 120 | + "The printed-out results will give us indicators from our Ransomware Indicators Feed for CobaltStrike activity with a confidence rating of 80 and higher." |
| 121 | + ], |
| 122 | + "metadata": { |
| 123 | + "collapsed": false |
| 124 | + }, |
| 125 | + "id": "869d3c6152bd0a45" |
| 126 | + }, |
| 127 | + { |
| 128 | + "cell_type": "code", |
| 129 | + "execution_count": null, |
| 130 | + "outputs": [], |
| 131 | + "source": [ |
| 132 | + "time_now = datetime.now()\n", |
| 133 | + "requested_time = (time_now - timedelta(days=30)).strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n", |
| 134 | + "\n", |
| 135 | + "response = taxii.get_objects_aggregated(\n", |
| 136 | + " api_root=\"ransomware-api-root\",\n", |
| 137 | + " collection_id=\"f0997a32-b823-562d-9856-c754ac5e1159\",\n", |
| 138 | + " added_after=requested_time,\n", |
| 139 | + " stix_types=\"indicator\",\n", |
| 140 | + " labels=[\"CobaltStrike\"],\n", |
| 141 | + " confidence=\">=80\",\n", |
| 142 | + " max_results=500\n", |
| 143 | + ")\n", |
| 144 | + "\n", |
| 145 | + "print(response)" |
| 146 | + ], |
| 147 | + "metadata": { |
| 148 | + "collapsed": false |
| 149 | + }, |
| 150 | + "id": "f3ebab41a59c7e0d" |
| 151 | + }, |
| 152 | + { |
| 153 | + "cell_type": "markdown", |
| 154 | + "source": [ |
| 155 | + "## Latest CobaltStrike objects with high confidence from Flexible Intel Feeds data\n", |
| 156 | + "We will now apply the same filtering criteria to get CobaltStrike-related data generated by our Flexible Intel Feeds service. The Flexible Intel Feeds service also creates other types of STIX objects, besides indicators.\n", |
| 157 | + "\n", |
| 158 | + "**NOTE**: The Flexible Intel Feeds is an on-demand indicator processing service and it creates a private collection for each specific user. You will have to replace the `collection_id` with the id of your own FIF collection." |
| 159 | + ], |
| 160 | + "metadata": { |
| 161 | + "collapsed": false |
| 162 | + }, |
| 163 | + "id": "47e33db0668d789c" |
| 164 | + }, |
| 165 | + { |
| 166 | + "cell_type": "code", |
| 167 | + "execution_count": null, |
| 168 | + "outputs": [], |
| 169 | + "source": [ |
| 170 | + "time_now = datetime.now()\n", |
| 171 | + "requested_time = (time_now - timedelta(days=30)).strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n", |
| 172 | + "\n", |
| 173 | + "response = taxii.get_objects_aggregated(\n", |
| 174 | + " api_root=\"flexible-intel-feeds\",\n", |
| 175 | + " collection_id=\"your-collection-id-here\",\n", |
| 176 | + " added_after=requested_time,\n", |
| 177 | + " stix_types=[\"indicator\", \"url\", \"file\", \"domain-name\", \"ipv4-addr\"],\n", |
| 178 | + " labels=[\"CobaltStrike\"],\n", |
| 179 | + " confidence=\">=80\",\n", |
| 180 | + " max_results=500\n", |
| 181 | + ")\n", |
| 182 | + "\n", |
| 183 | + "print(response)" |
| 184 | + ], |
| 185 | + "metadata": { |
| 186 | + "collapsed": false |
| 187 | + }, |
| 188 | + "id": "600c616adf02bbbd" |
| 189 | + }, |
| 190 | + { |
| 191 | + "cell_type": "markdown", |
| 192 | + "source": [ |
| 193 | + "## Latest Phishing domains with high confidence from Flexible Intel Feeds data\n" |
| 194 | + ], |
| 195 | + "metadata": { |
| 196 | + "collapsed": false |
| 197 | + }, |
| 198 | + "id": "647656132bb4209d" |
| 199 | + }, |
| 200 | + { |
| 201 | + "cell_type": "code", |
| 202 | + "execution_count": null, |
| 203 | + "outputs": [], |
| 204 | + "source": [ |
| 205 | + "time_now = datetime.now()\n", |
| 206 | + "requested_time = (time_now - timedelta(days=30)).strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n", |
| 207 | + "\n", |
| 208 | + "response = taxii.get_objects_aggregated(\n", |
| 209 | + " api_root=\"flexible-intel-feeds\",\n", |
| 210 | + " collection_id=\"your-collection-id-here\",\n", |
| 211 | + " added_after=requested_time,\n", |
| 212 | + " stix_types=\"domain-name\",\n", |
| 213 | + " labels=[\"Phishing\"],\n", |
| 214 | + " confidence=\">=80\",\n", |
| 215 | + " max_results=500\n", |
| 216 | + ")\n", |
| 217 | + "\n", |
| 218 | + "print(response)" |
| 219 | + ], |
| 220 | + "metadata": { |
| 221 | + "collapsed": false |
| 222 | + }, |
| 223 | + "id": "ac2a6e3ea41f3ba4" |
| 224 | + }, |
| 225 | + { |
| 226 | + "cell_type": "markdown", |
| 227 | + "source": [ |
| 228 | + "## Latest Trojan malware data with high confidence from Ransomware Indicators Feed data" |
| 229 | + ], |
| 230 | + "metadata": { |
| 231 | + "collapsed": false |
| 232 | + }, |
| 233 | + "id": "b13f3603c9e87f49" |
| 234 | + }, |
| 235 | + { |
| 236 | + "cell_type": "code", |
| 237 | + "execution_count": null, |
| 238 | + "outputs": [], |
| 239 | + "source": [ |
| 240 | + "time_now = datetime.now()\n", |
| 241 | + "requested_time = (time_now - timedelta(days=30)).strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n", |
| 242 | + "\n", |
| 243 | + "response = taxii.get_objects_aggregated(\n", |
| 244 | + " api_root=\"ransomware-api-root\",\n", |
| 245 | + " collection_id=\"f0997a32-b823-562d-9856-c754ac5e1159\",\n", |
| 246 | + " added_after=requested_time,\n", |
| 247 | + " stix_types=\"indicator\",\n", |
| 248 | + " labels=[\"Trojan\", \"PE/Exe\"],\n", |
| 249 | + " confidence=\">=80\",\n", |
| 250 | + " max_results=500\n", |
| 251 | + ")\n", |
| 252 | + "\n", |
| 253 | + "print(response)" |
| 254 | + ], |
| 255 | + "metadata": { |
| 256 | + "collapsed": false |
| 257 | + }, |
| 258 | + "id": "2b05ea3ea36fe86f" |
| 259 | + }, |
| 260 | + { |
| 261 | + "cell_type": "markdown", |
| 262 | + "source": [ |
| 263 | + "## Searching for a specific file in Flexible Intel Feeds using its SHA-1\n", |
| 264 | + "We can also filter out files by their SHA-1 hash used in the STIX object's `name` field. \n", |
| 265 | + "Edit the `name` argument with your desired SHA-1 hash." |
| 266 | + ], |
| 267 | + "metadata": { |
| 268 | + "collapsed": false |
| 269 | + }, |
| 270 | + "id": "6914bd6d9fa764ba" |
| 271 | + }, |
| 272 | + { |
| 273 | + "cell_type": "code", |
| 274 | + "execution_count": null, |
| 275 | + "outputs": [], |
| 276 | + "source": [ |
| 277 | + "time_now = datetime.now()\n", |
| 278 | + "requested_time = (time_now - timedelta(days=30)).strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n", |
| 279 | + "\n", |
| 280 | + "response = taxii.get_objects_aggregated(\n", |
| 281 | + " api_root=\"flexible-intel-feeds\",\n", |
| 282 | + " collection_id=\"your-collection-id-here\",\n", |
| 283 | + " added_after=requested_time,\n", |
| 284 | + " stix_types=\"file\",\n", |
| 285 | + " confidence=\">=80\",\n", |
| 286 | + " name=\"example-sha1-hash-here\"\n", |
| 287 | + ")\n", |
| 288 | + "\n", |
| 289 | + "print(response)" |
| 290 | + ], |
| 291 | + "metadata": { |
| 292 | + "collapsed": false |
| 293 | + }, |
| 294 | + "id": "23f685b6c01891b6" |
| 295 | + }, |
| 296 | + { |
| 297 | + "cell_type": "markdown", |
| 298 | + "source": [ |
| 299 | + "## Searching for a specific object by its ID\n", |
| 300 | + "Another way to search for a specific object is by using its `id` field. \n", |
| 301 | + "For this usecase we will be utilizing the `get_objects` method because we don't need automated paging. This request targets and returns only one specific object matched by its `id` field." |
| 302 | + ], |
| 303 | + "metadata": { |
| 304 | + "collapsed": false |
| 305 | + }, |
| 306 | + "id": "eb2f943d1e5eed16" |
| 307 | + }, |
| 308 | + { |
| 309 | + "cell_type": "code", |
| 310 | + "execution_count": null, |
| 311 | + "outputs": [], |
| 312 | + "source": [ |
| 313 | + "time_now = datetime.now()\n", |
| 314 | + "requested_time = (time_now - timedelta(days=30)).strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n", |
| 315 | + "\n", |
| 316 | + "response = taxii.get_objects(\n", |
| 317 | + " api_root=\"ransomware-api-root\",\n", |
| 318 | + " collection_id=\"f0997a32-b823-562d-9856-c754ac5e1159\",\n", |
| 319 | + " added_after=requested_time,\n", |
| 320 | + " match_id=\"indicator--65dae84d-f2ce-5db3-a4ae-2540c2258a24\"\n", |
| 321 | + ")\n", |
| 322 | + "\n", |
| 323 | + "print(response.text)" |
| 324 | + ], |
| 325 | + "metadata": { |
| 326 | + "collapsed": false |
| 327 | + }, |
| 328 | + "id": "b516a09d8ed478bb" |
| 329 | + }, |
| 330 | + { |
| 331 | + "cell_type": "markdown", |
| 332 | + "source": [], |
| 333 | + "metadata": { |
| 334 | + "collapsed": false |
| 335 | + }, |
| 336 | + "id": "cbc14b54d4a6942b" |
| 337 | + }, |
| 338 | + { |
| 339 | + "cell_type": "markdown", |
| 340 | + "source": [], |
| 341 | + "metadata": { |
| 342 | + "collapsed": false |
| 343 | + }, |
| 344 | + "id": "23ccefdc4b305460" |
| 345 | + } |
| 346 | + ], |
| 347 | + "metadata": { |
| 348 | + "kernelspec": { |
| 349 | + "display_name": "Python 3", |
| 350 | + "language": "python", |
| 351 | + "name": "python3" |
| 352 | + }, |
| 353 | + "language_info": { |
| 354 | + "codemirror_mode": { |
| 355 | + "name": "ipython", |
| 356 | + "version": 2 |
| 357 | + }, |
| 358 | + "file_extension": ".py", |
| 359 | + "mimetype": "text/x-python", |
| 360 | + "name": "python", |
| 361 | + "nbconvert_exporter": "python", |
| 362 | + "pygments_lexer": "ipython2", |
| 363 | + "version": "2.7.6" |
| 364 | + } |
| 365 | + }, |
| 366 | + "nbformat": 4, |
| 367 | + "nbformat_minor": 5 |
| 368 | +} |
0 commit comments