intelmq.bots.parsers.microsoft package¶
Submodules¶
intelmq.bots.parsers.microsoft.parser_bingmurls module¶
Parses BingMURLs data in JSON format.
-
intelmq.bots.parsers.microsoft.parser_bingmurls.
BOT
¶ alias of
intelmq.bots.parsers.microsoft.parser_bingmurls.MicrosoftBingMurlsParserBot
-
class
intelmq.bots.parsers.microsoft.parser_bingmurls.
MicrosoftBingMurlsParserBot
(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)¶ Bases:
intelmq.lib.bot.ParserBot
Parse JSON data from Microsoft’s Bing Malicious URLs list
-
parse
(report: intelmq.lib.message.Report)¶ A basic JSON parser. Assumes a list of objects as input to be yield.
-
parse_line
(line, report)¶ A generator which can yield one or more messages contained in line.
Report has the full message, thus you can access some metadata. Override for your use.
-
recover_line
(line: dict)¶ Reverse of “parse” for single lines.
Recovers a fully functional report with only the problematic line by concatenating all strings in “self.tempdata” with “line” with LF newlines. Works fine for most text files.
- lineOptional[str], optional
The currently process line which should be transferred into it’s original appearance. As fallback, “self._current_line” is used if available (depending on self.parse). The default is None.
- ValueError
If neither the parameter “line” nor the member “self._current_line” is available.
- str
The reconstructed raw data.
-
intelmq.bots.parsers.microsoft.parser_ctip module¶
Parses CTIP data in JSON format.
Key indicatorexpirationdatetime is ignored, meaning is unknown.
There are two different variants of data 1. Interflow format: JSON format, MAPPING 2. Azure format: JSON stream format, a short example structure:
“DataFeed”: “CTIP-Infected”, “SourcedFrom”: “SinkHoleMessage|SensorMessage””, “DateTimeReceivedUtc”: nt time “DateTimeReceivedUtcTxt”: human readable “Malware”: “ThreatCode”: “B67-SS-TINBA”, “ThreatConfidence”: “High|Medium|Low|Informational”, -> 100/50/20/10 “TotalEncounters”: 3, “TLP”: “Amber”, “SourceIp”: “SourcePort”: “DestinationIp”: “DestinationPort”: “TargetIp”: Deprecated, so we gonne ignore it “TargetPort”: Deprecated, so we gonne ignore it “SourceIpInfo”: {
“SourceIpAsnNumber”: “SourceIpAsnOrgName”: “SourceIpCountryCode”: “SourceIpRegion”: “SourceIpCity” “SourceIpPostalCode” “SourceIpLatitude” “SourceIpLongitude” “SourceIpMetroCode” “SourceIpAreaCode” “SourceIpConnectionType”
}, “HttpInfo”: {
“HttpHost”: “”, “HttpRequest”: “”, “HttpMethod”: “”, “HttpReferrer”: “”, “HttpUserAgent”: “”, “HttpVersion”: “”
}, “CustomInfo”: {
“CustomField1”: “”, “CustomField2”: “”, “CustomField3”: “”, “CustomField4”: “”, “CustomField5”: “”
}, “Payload”: base64 encoded json
}
-
intelmq.bots.parsers.microsoft.parser_ctip.
BOT
¶ alias of
intelmq.bots.parsers.microsoft.parser_ctip.MicrosoftCTIPParserBot
-
class
intelmq.bots.parsers.microsoft.parser_ctip.
MicrosoftCTIPParserBot
(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)¶ Bases:
intelmq.lib.bot.ParserBot
Parse JSON data from Microsoft’s CTIP program
-
parse
(report)¶ A generator yielding the single elements of the data.
Comments, headers etc. can be processed here. Data needed by self.parse_line can be saved in self.tempdata (list).
Default parser yields stripped lines. Override for your use or use an existing parser, e.g.:
parse = ParserBot.parse_csv
- You should do that for recovering lines too.
recover_line = ParserBot.recover_line_csv
-
parse_azure
(line, report)¶
-
parse_interflow
(line, report)¶
-
parse_line
(line, report)¶ A generator which can yield one or more messages contained in line.
Report has the full message, thus you can access some metadata. Override for your use.
-