yeti-platform / pyeti

Python bindings for Yeti's API

License: Apache License 2.0

Python 100.00%
infosec threatintel threat-sharing threat-hunting enrichment api python intelligence

pyeti's Introduction

pyeti-python3

Pyeti-Python (pyeti) is the bundle used to interface with the YETI API. This is the new package that can be installed directly with pip. Pyeti-python allows you to extract data from YETI such as specific observables (malware, IP, domains...). It can be plugged into your own tools to enrich your Threat Intelligence feed with Yeti.

Getting Started

To install it you can clone the repo and run the following command:

poetry install

You can also install it with pip:

pip install yeti-python

Once installed, the first thing to do is to get your API key from the Yeti interface.

Then you can configure your script with the following information to test the connection:

import pyeti

server = "<IPofYETI>"
key = "<APIKEY>"
tag = "<NameoftheObservable>"  # example: 'lokibot'

api = pyeti.YetiApi(url="http://%s:5000/api/" % server, api_key=key)
request = api.observable_search(tags=tag, count=50)

Testing

To test the Python API client for Yeti, set up a pyeti.conf file in the tests folder.

In pyeti.conf:

[yeti]
url = http://127.0.0.1:5000/api
api_key = your_api_key

You can then run the tests from the root directory by running:

cd tests
python test_observables.py

Note that most tests require a full running install of Yeti on localhost:5000.
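The pyeti.conf file and the connection snippet above both carry the API key, and the snippet sends it over plain HTTP. The following is an added example, not part of pyeti: it parses the same [yeti] section and returns keyword arguments for pyeti.YetiApi, rejecting placeholder keys and plain HTTP to non-loopback hosts. The function names, the sample files and that policy are assumptions of this example.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Values that mean the key was never filled in (placeholders used on this page).
PLACEHOLDER_KEYS = {"", "your_api_key", "<APIKEY>"}

# Constructed sample files; 192.0.2.10 is a documentation-range address.
LOCAL_CONF = "[yeti]\nurl = http://127.0.0.1:5000/api\napi_key = constructed-key-%41\n"
REMOTE_CONF = "[yeti]\nurl = http://192.0.2.10:5000/api\napi_key = constructed-key-%41\n"


def is_loopback(host):
    """True for localhost and loopback IP literals such as 127.0.0.1 or ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as remote


def yeti_settings(conf_text):
    """Parse pyeti.conf text into keyword arguments for pyeti.YetiApi."""
    # interpolation=None keeps a '%' inside an API key from being expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    url = parser.get("yeti", "url").strip()
    api_key = parser.get("yeti", "api_key", fallback="").strip()

    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("url must be an http(s) URL, got %r" % url)
    if api_key in PLACEHOLDER_KEYS:
        raise ValueError("api_key is empty or still a placeholder")
    # Policy of this example: the key may cross the network only inside TLS.
    if parts.scheme == "http" and not is_loopback(parts.hostname):
        raise ValueError("plain HTTP to %s would expose the API key" % parts.hostname)
    # The README passes the URL with a trailing slash; keep TLS verification on.
    return {"url": url.rstrip("/") + "/", "api_key": api_key, "verify_ssl": True}


if __name__ == "__main__":
    print(yeti_settings(LOCAL_CONF)["url"])
    # With pyeti installed:
    # api = pyeti.YetiApi(**yeti_settings(open("tests/pyeti.conf").read()))
```

The error messages name the host but never the key, so they are safe to write to logs.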

Use cases

First thing is to import the library and instantiate a client.

import pyeti, json    # json is only used for pretty printing in the examples below 
api = pyeti.YetiApi(url="http://localhost:5000/api/")

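If you are using a self-signed certificate on your Yeti instance, you can set the verify_ssl parameter to False to skip certificate verification. Otherwise all SSL connections are verified by default. With verification off the client no longer authenticates the server, so the API key can be exposed to anyone able to intercept the connection.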

import pyeti, json    # json is only used for pretty printing in the examples below 
api = pyeti.YetiApi(url="http://localhost:5000/api/", verify_ssl=False)

Adding observables

results = api.observable_add("google.com", ['google'])
print(json.dumps(results, indent=4, sort_keys=True))

Bulk add

results = api.observable_bulk_add(["google.com", "bing.com", "yahoo.com"])
print(len(results))
3
print(json.dumps(results[1], indent=4, sort_keys=True))

Get a single observable

results = api.observable_add("google.com")
print(results['id'])
info = api.observable_details(results['id'])
print(json.dumps(info, indent=4, sort_keys=True))

Search for observables

api.observable_add("search-domain.com")
result = api.observable_search(value="search-dom[a-z]+", regex=True)
print(json.dumps(result, indent=4, sort_keys=True))

Add observables

result = api.observable_file_add("/tmp/hello.txt", tags=['benign'])
print(json.dumps(result, indent=4, sort_keys=True))
# Get file contents
api.observable_file_contents(objectid="594fff86bf365e6270f8914b")
'Hello!\n'
api.observable_file_contents(filehash="e134ced312b3511d88943d57ccd70c83") # you can also use any hash computed above
'Hello!\n'

License

This project is licensed under the Apache License - see the LICENSE.md file for details

pyeti's People

Contributors

dependabot[bot], fr0gger, gaelmuller, rootbsd, sebdraven, threathive, tomchop


pyeti's Issues

http://localhost:5000/api/entity/ not working as expected

I have tried to add an entity using both pyeti and curl -POST but neither of them worked. I am able to get_entity but if I add the function entity_add with the required parameters (name, description & tags) - it doesn't work. Moreover, as one of your suggestions in one of the issues - that, this will add an entity but to add sub-object (malware, threat actor etc) _cls needs to be set manually. Can you please explain this in a bit of detail?

The function that I added

def entity_add(self, name, description, tags=None, source="API"):
    # Default to an empty tag list when none is given
    if tags is None:
        tags = []
    json = {
        "name": name,
        "description": description,
        "tags": tags,
        "source": source
    }
    return self._make_post('entity/', json=json)

When I call this function - I get the following error

results = api.entity_add("malware","malwaredescription",['tags1'])
ERROR:root:An error occurred (500): http://localhost:5000/api/entity/

Same way, when I tried to add with curl

$ curl -d '{"value":"malware","tags":['a','b']}' -H "Content-type: application/json" -X POST http://localhost:5000/api/entity/

<title>400 Bad Request</title> <h1>Bad Request</h1>

The browser (or proxy) sent a request that this server could not understand.

$ curl -d '{"value":"malware"}' -H "Content-type: application/json" -X POST http://localhost:5000/api/entity/

<title>500 Internal Server Error</title> <h1>Internal Server Error</h1>

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Another Try using Curl

entity.json
{
"value":"malwre"
"tags":['a','b']
}

$ curl -d "@entity.json" -H "Content-type: application/json" -X POST http://localhost:5000/api/entity/

<title>400 Bad Request</title> <h1>Bad Request</h1>

The browser (or proxy) sent a request that this server could not understand.

Can you please help?
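An added diagnostic example, not part of the original report or of pyeti: it shows the request body that the shell actually passes to curl for the first command above, checks that body and the entity.json file with a JSON parser, and builds a correctly quoted command from a Python dict. It only addresses whether the body is well-formed JSON. The field names are the reporter's, and the function names are assumptions of this example.

```python
import json
import shlex

# Copied from the report above: the first curl command and the entity.json file.
CURL_LINE = """curl -d '{"value":"malware","tags":['a','b']}' -H "Content-type: application/json" -X POST http://localhost:5000/api/entity/"""
ENTITY_JSON = """{
"value":"malwre"
"tags":['a','b']
}
"""
ENTITY_URL = "http://localhost:5000/api/entity/"


def curl_data_arg(command):
    """Return the -d argument exactly as a POSIX shell hands it to curl."""
    argv = shlex.split(command)
    return argv[argv.index("-d") + 1]


def json_error(body):
    """Return None when body parses as JSON, else the parser's complaint."""
    try:
        json.loads(body)
        return None
    except json.JSONDecodeError as exc:
        return "%s (line %d, column %d)" % (exc.msg, exc.lineno, exc.colno)


def curl_command(url, payload):
    """Build a curl line whose body is serialised by json.dumps and shell-quoted."""
    body = json.dumps(payload)
    return "curl -d %s -H %s -X POST %s" % (
        shlex.quote(body),
        shlex.quote("Content-type: application/json"),
        shlex.quote(url),
    )


if __name__ == "__main__":
    sent = curl_data_arg(CURL_LINE)
    # The inner single quotes end the shell string, so a and b arrive unquoted.
    print("body sent by curl:", sent)
    print("parse result:     ", json_error(sent))
    print("entity.json:      ", json_error(ENTITY_JSON))
    print(curl_command(ENTITY_URL, {"value": "malware", "tags": ["a", "b"]}))
```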

Tried add entity_add functionality but not working.

I am trying to add more functionality to the YetiApi class.
When I tried the get entity it worked, but for adding an entity it gives an error

ERROR:root:An error occurred (500):

Any pointers towards this would be welcome. There was no documentation of the JSON values of the entity object, so I did a get entity and used a similar JSON object in entity_add

Following are my functions added to api.py

    def entity_details(self, id):
        """Get details on an entity.
        Args:
            id: A string representing the entity's ObjectID

        Returns:
            JSON representation of the requested entity
        """
        return self._make_get("entity/{}".format(id))

    def entity_add(self, name, etype, description, aliases=None, tags=None, context=None, source="API"):
        """Add an entity to the dataset

        Args:
            name: the name of entity
            etype: type of entity ('Actor','TTP' etc)
            description: description of Entity
            aliases: An array of strings representing aliases
            tags: An array of strings representing tags
            context: A dictionary object with context information
            source: A string representing the source of the data. Defaults to
                   "API".

        Returns:
            JSON representation of the created entity.
        """
        # None defaults avoid sharing one mutable list/dict between calls
        json = {
            'description': description,
            'tags': tags if tags is not None else [],
            'aliases': aliases if aliases is not None else [],
            'type': etype,
            'name': name,
            'context': context if context is not None else {},
            'source': source
        }

        return self._make_post('entity/', json=json)

Pull data from YETI

Can anyone share a working example of the Yeti API that pulls data from Yeti?

I don't know what the arguments should be or where I can find them in my locally hosted Yeti.

Sharing screenshots would be more helpful.
