Enricher
- pydantic model AccountMeta
{ "title": "AccountMeta", "type": "object", "properties": { "account_login": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Account Login" }, "user_id": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "User Id" } } }
- field account_login: str | None = None
- field user_id: str | None = None
- pydantic model FileMeta
{ "title": "FileMeta", "type": "object", "properties": { "filename": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Filename" }, "sha256": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Sha256" } } }
- field filename: str | None = None
- field sha256: str | None = None
- pydantic model ProcessMeta
{ "$defs": { "AccountMeta": { "properties": { "account_login": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Account Login" }, "user_id": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "User Id" } }, "title": "AccountMeta", "type": "object" }, "FileMeta": { "properties": { "filename": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Filename" }, "sha256": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Sha256" } }, "title": "FileMeta", "type": "object" }, "ProcessMeta": { "properties": { "pid": { "anyOf": [ { "type": "integer" }, { "type": "null" } ], "default": null, "title": "Pid" }, "cwd": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Cwd" }, "command_line": { "title": "Command Line", "type": "string" }, "creator": { "anyOf": [ { "$ref": "#/$defs/AccountMeta" }, { "type": "null" } ], "default": null }, "image": { "anyOf": [ { "$ref": "#/$defs/FileMeta" }, { "type": "null" } ], "default": null }, "parent": { "anyOf": [ { "$ref": "#/$defs/ProcessMeta" }, { "type": "null" } ], "default": null } }, "required": [ "command_line" ], "title": "ProcessMeta", "type": "object" } }, "allOf": [ { "$ref": "#/$defs/ProcessMeta" } ] }
- Fields:
- field command_line: str [Required]
- field creator: AccountMeta | None = None
- field cwd: str | None = None
- field image: FileMeta | None = None
- field parent: ProcessMeta | None = None
- field pid: int | None = None
- pydantic model Enricher
{ "title": "Enricher", "type": "object", "properties": { "helper": { "default": null, "title": "Helper" }, "config": { "$ref": "#/$defs/EnrichmentConfig" }, "stix": { "$ref": "#/$defs/StixHelper" }, "tools": { "default": null, "title": "Tools" } }, "$defs": { "EnrichmentConfig": { "additionalProperties": false, "description": "This configuration dictates how the connector should enrich incidents with\nobservables and other entities", "properties": { "types": { "default": [ "vulnerability", "url", "ipv4-addr", "user-agent", "software", "file", "tool", "network-traffic", "ipv6-addr", "user-account", "windows-registry-key", "attack-pattern", "domain-name", "directory", "process", "mac-addr", "email-addr" ], "items": { "$ref": "#/$defs/EntityType" }, "title": "Enrichment types", "type": "array", "uniqueItems": true }, "filename_behaviour": { "default": [ "create-dir", "remove-path" ], "items": { "$ref": "#/$defs/FilenameBehaviour" }, "title": "Filename Behaviour", "type": "array", "uniqueItems": true }, "enrich_urls_without_host": { "default": false, "title": "Enrich Urls Without Host", "type": "boolean" } }, "title": "EnrichmentConfig", "type": "object" }, "EntityType": { "description": "Entity types to enrich\n\nSee :doc:`enrichment` for details.", "enum": [ "user-account", "attack-pattern", "directory", "domain-name", "email-addr", "file", "ipv4-addr", "ipv6-addr", "mac-addr", "network-traffic", "process", "windows-registry-key", "software", "tool", "url", "user-agent", "vulnerability" ], "title": "EntityType", "type": "string" }, "FilenameBehaviour": { "enum": [ "create-dir", "remove-path" ], "title": "FilenameBehaviour", "type": "string" }, "StixHelper": { "description": "Helper class to simplify creation of STIX entities", "properties": { "common_properties": { "default": {}, "title": "Common Properties", "type": "object" }, "sco_labels": { "default": [], "items": { "type": "string" }, "title": "Sco Labels", "type": "array" }, "filename_behaviour": { "default": [ 
"create-dir" ], "items": { "$ref": "#/$defs/FilenameBehaviour" }, "title": "Filename Behaviour", "type": "array", "uniqueItems": true } }, "title": "StixHelper", "type": "object" } }, "required": [ "config", "stix" ] }
- Config:
arbitrary_types_allowed: bool = True
- Fields:
- field config: EnrichmentConfig [Required]
- field helper: OpenCTIConnectorHelper [Required]
- field stix: StixHelper [Required]
- field tools: list[stix2.Tool] = []
- create_enrichment_obs_from_search(*, incident: Incident, alerts: list[dict], sco_type: str, fields: list[str], validator: Callable[[Any], bool] | None = None, transform: Callable[[Any], list[tuple[Any, dict[str, Any]]]] | None = None)
- create_enrichment_obs_from_search_context(*, incident: Incident, alerts: list[dict], sco_type, SCO: Any, property_field_map: dict[str, dict[str, list[str]]], properties_validator: Callable[[dict[str, Any]], bool] | None = None)
- create_process(*, meta: ProcessMeta, incident: Incident | None = None, alert: dict | None = None)
- enrich_addrs(*, incident: Incident, alerts: list[dict], proto: Literal['IPv4-Addr', 'IPv6-Addr'])
- enrich_dirs(*, incident: Incident, alerts: list[dict])
- enrich_domains(*, incident: Incident, alerts: list[dict])
- enrich_email_addrs(*, incident: Incident, alerts: list[dict])
- enrich_files(*, incident: Incident, alerts: list[dict])
- enrich_incident(*, incident: Incident, alerts: list[dict])
- enrich_incident_mitre(*, incident: Incident, alerts: list[dict])
- enrich_incident_tool(*, incident: Incident, alerts: list[dict])
- enrich_macs(*, incident: Incident, alerts: list[dict])
- enrich_processes(*, incident: Incident, alerts: list[dict])
- enrich_processes_auditd(*, incident: Incident, alerts: list[dict])
- enrich_processes_sysmon(*, incident: Incident, alerts: list[dict])
- enrich_reg_keys(*, incident: Incident, alerts: list[dict])
- enrich_software(*, incident: Incident, alerts: list[dict])
- enrich_traffic(*, incident: Incident, alerts: list[dict])
- enrich_urls(*, incident: Incident, alerts: list[dict])
- enrich_user_agents(*, incident: Incident, alerts: list[dict])
- enrich_vulnerabilities(*, incident: Incident, alerts: list[dict]) Sighting]
- fetch_tools()
- software_ref_from_vuln_alert(alert: Mapping) → str | None