intelmq.bots.parsers.microsoft package

Submodules

intelmq.bots.parsers.microsoft.parser_bingmurls module

Parses BingMURLs data in JSON format.

intelmq.bots.parsers.microsoft.parser_bingmurls.BOT

alias of intelmq.bots.parsers.microsoft.parser_bingmurls.MicrosoftBingMurlsParserBot

class intelmq.bots.parsers.microsoft.parser_bingmurls.MicrosoftBingMurlsParserBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: bool = None)

Bases: intelmq.lib.bot.ParserBot

Parse JSON data from Microsoft’s Bing Malicious URLs list

parse(report: intelmq.lib.message.Report)

A basic JSON parser. Assumes a list of objects as input and yields each object.

parse_line(line, report)
recover_line(line: dict)

intelmq.bots.parsers.microsoft.parser_ctip module

Parses CTIP data in JSON format.

The key indicatorexpirationdatetime is ignored; its meaning is unknown.

There are two different variants of data:

  • Interflow format: JSON format, fields are mapped according to MAPPING

  • Azure format: JSON stream format, a short example structure:

    {
      "DataFeed": "CTIP-Infected",
      "SourcedFrom": "SinkHoleMessage|SensorMessage",
      "DateTimeReceivedUtc": nt time
      "DateTimeReceivedUtcTxt": human readable
      "Malware":
      "ThreatCode": "B67-SS-TINBA",
      "ThreatConfidence": "High|Medium|Low|Informational", -> mapped to 100/50/20/10
      "TotalEncounters": 3,
      "TLP": "Amber",
      "SourceIp":
      "SourcePort":
      "DestinationIp":
      "DestinationPort":
      "TargetIp": Deprecated, so it is ignored
      "TargetPort": Deprecated, so it is ignored
      "SourceIpInfo": {
        "SourceIpAsnNumber":
        "SourceIpAsnOrgName":
        "SourceIpCountryCode":
        "SourceIpRegion":
        "SourceIpCity"
        "SourceIpPostalCode"
        "SourceIpLatitude"
        "SourceIpLongitude"
        "SourceIpMetroCode"
        "SourceIpAreaCode"
        "SourceIpConnectionType"
      },
      "HttpInfo": {
        "HttpHost": "",
        "HttpRequest": "",
        "HttpMethod": "",
        "HttpReferrer": "",
        "HttpUserAgent": "",
        "HttpVersion": ""
      },
      "CustomInfo": {
        "CustomField1": "",
        "CustomField2": "",
        "CustomField3": "",
        "CustomField4": "",
        "CustomField5": ""
      },
      "Payload": base64 encoded json with meaningful dictionary keys or JSON-string with numbered dictionary keys
    }
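As an added illustration (not intelmq's own parse_azure implementation), the following standalone Python flattens one constructed Azure-format line as the structure above describes it: the ThreatConfidence levels are mapped to 100/50/20/10, the deprecated TargetIp/TargetPort keys are dropped, and Payload is decoded from base64 JSON with a fallback to a plain JSON string. The output field names and the sample values are assumptions.

```python
import base64
import json

# Assumed (not intelmq's constants): numeric confidence per CTIP level,
# following the 100/50/20/10 mapping given in the module docstring.
CONFIDENCE = {"High": 100, "Medium": 50, "Low": 20, "Informational": 10}
# Deprecated keys the docstring says are ignored, plus the key of unknown meaning.
IGNORED_KEYS = {"TargetIp", "TargetPort", "indicatorexpirationdatetime"}


def decode_payload(payload):
    """Return the Payload as a dict: base64-encoded JSON, or a plain JSON string."""
    if isinstance(payload, dict):
        return payload
    try:
        # validate=True rejects non-base64 characters such as '{' or '"',
        # so a plain JSON string falls through to the fallback below.
        return json.loads(base64.b64decode(payload, validate=True))
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        return json.loads(payload)


def parse_azure_line(raw_line):
    """Flatten one JSON-stream line of the Azure CTIP format into a dict.

    Only fields the docstring describes are handled; the output keys are
    illustrative, not intelmq's event format.
    """
    data = json.loads(raw_line)
    event = {}
    for key, value in data.items():
        if key in IGNORED_KEYS:
            continue
        if key == "ThreatConfidence":
            event["feed.accuracy"] = CONFIDENCE[value]
        elif key == "Payload":
            event["extra.payload"] = decode_payload(value)
        elif key == "SourceIpInfo":
            event.update(value)  # hoist nested ASN/geo keys to the top level
        else:
            event[key] = value
    return event


# Constructed sample line (not real CTIP data); Payload holds base64 JSON.
SAMPLE_LINE = json.dumps({
    "DataFeed": "CTIP-Infected",
    "ThreatCode": "B67-SS-TINBA",
    "ThreatConfidence": "High",
    "SourceIp": "192.0.2.10",
    "TargetIp": "198.51.100.1",
    "SourceIpInfo": {"SourceIpAsnNumber": "64496", "SourceIpCountryCode": "XX"},
    "Payload": base64.b64encode(b'{"DestinationHost": "example.invalid"}').decode(),
})
```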
intelmq.bots.parsers.microsoft.parser_ctip.BOT

alias of intelmq.bots.parsers.microsoft.parser_ctip.MicrosoftCTIPParserBot

class intelmq.bots.parsers.microsoft.parser_ctip.MicrosoftCTIPParserBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: bool = None)

Bases: intelmq.lib.bot.ParserBot

Parse JSON data from Microsoft’s CTIP program

overwrite = True
parse(report)
parse_azure(line, report)
parse_interflow(line: dict, report)
parse_line(line, report)

Module contents