iflow-mcp-m507_ai-soc-agent 1.0.0__py3-none-any.whl

src/integrations/cti/local_tip/local_tip_client.py

@@ -0,0 +1,90 @@
+"""
+Local TIP (Threat Intelligence Platform) implementation of CTI client.
+
+This client provides hash lookup capabilities via the local TIP API.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Dict, Optional
+
+from ....core.config import SamiConfig
+from ....core.errors import IntegrationError
+from ....core.logging import get_logger
+from .local_tip_http import LocalTipHttpClient
+
+
+logger = get_logger("sami.integrations.cti.local_tip.client")
+
+
+class LocalTipCTIClient:
+    """
+    CTI client backed by Local TIP.
+    
+    Provides threat intelligence lookup capabilities for hashes.
+    """
+
+    def __init__(self, http_client: LocalTipHttpClient) -> None:
+        """
+        Initialize the Local TIP CTI client.
+        
+        Args:
+            http_client: HTTP client for making API requests
+        """
+        self._http = http_client
+
+    @classmethod
+    def from_config(cls, config: SamiConfig) -> "LocalTipCTIClient":
+        """
+        Factory to construct a client from SamiConfig.
+        
+        Args:
+            config: SamiConfig instance with CTI configuration
+            
+        Returns:
+            LocalTipCTIClient instance
+            
+        Raises:
+            IntegrationError: If CTI configuration is not set
+        """
+        if not config.cti:
+            raise IntegrationError("CTI configuration is not set in SamiConfig")
+        
+        if config.cti.cti_type != "local_tip":
+            raise IntegrationError(
+                f"CTI type '{config.cti.cti_type}' is not supported. Only 'local_tip' is supported."
+            )
+
+        http_client = LocalTipHttpClient(
+            base_url=config.cti.base_url,
+            timeout_seconds=config.cti.timeout_seconds,
+            verify_ssl=config.cti.verify_ssl,
+        )
+        return cls(http_client=http_client)
+
+    def lookup_hash(self, hash_value: str) -> Dict[str, Any]:
+        """
+        Look up a hash in the threat intelligence platform.
+        
+        Args:
+            hash_value: The hash value to look up (MD5, SHA1, SHA256, SHA512)
+            
+        Returns:
+            Dictionary containing hash intelligence information
+            
+        Raises:
+            IntegrationError: If lookup fails
+        """
+        try:
+            result = self._http.lookup_hash(hash_value)
+            
+            if result is None:
+                raise IntegrationError(f"Hash lookup returned no result for {hash_value[:16]}...")
+            
+            return result
+        except Exception as e:
+            logger.exception(f"Error looking up hash {hash_value[:16]}...: {e}")
+            if isinstance(e, IntegrationError):
+                raise
+            raise IntegrationError(f"Failed to lookup hash: {e}") from e
+

src/integrations/cti/local_tip/local_tip_http.py

@@ -0,0 +1,110 @@
+"""
+Low-level HTTP client for Local TIP (Threat Intelligence Platform).
+
+This module handles HTTP requests to the local TIP API for hash lookups.
+"""
+
+from __future__ import annotations
+
+import json
+from typing import Any, Dict, Optional
+
+import requests
+
+from ....core.errors import IntegrationError
+from ....core.logging import get_logger
+
+
+logger = get_logger("sami.integrations.cti.local_tip.http")
+
+
+class LocalTipHttpClient:
+    """
+    HTTP client for Local TIP API.
+    
+    Handles hash lookups via POST /hashes endpoint.
+    """
+
+    def __init__(
+        self,
+        base_url: str,
+        timeout_seconds: int = 30,
+        verify_ssl: bool = True,
+    ) -> None:
+        """
+        Initialize the Local TIP HTTP client.
+        
+        Args:
+            base_url: Base URL of the TIP API (e.g., "http://10.10.10.95:8084")
+            timeout_seconds: Request timeout in seconds
+            verify_ssl: Whether to verify SSL certificates
+        """
+        self.base_url = base_url.rstrip("/")
+        self.timeout_seconds = timeout_seconds
+        self.verify_ssl = verify_ssl
+
+    def _headers(self) -> Dict[str, str]:
+        """Build request headers."""
+        return {
+            "Content-Type": "application/json",
+            "Accept": "application/json",
+        }
+
+    def lookup_hash(self, hash_value: str) -> Optional[Dict[str, Any]]:
+        """
+        Look up a hash via the API endpoint.
+        
+        Uses POST /hashes which acts as an upsert - returns existing hash or creates new one.
+        
+        Args:
+            hash_value: The hash value to look up (MD5, SHA1, SHA256, SHA512)
+            
+        Returns:
+            Dictionary containing hash information, or None if lookup failed
+            
+        Raises:
+            IntegrationError: If the API request fails
+        """
+        url = f"{self.base_url}/hashes"
+        payload = {"value": hash_value.strip()}
+        
+        try:
+            logger.debug(f"Looking up hash: {hash_value[:16]}... (POST {url})")
+            
+            response = requests.post(
+                url,
+                json=payload,
+                headers=self._headers(),
+                timeout=self.timeout_seconds,
+                verify=self.verify_ssl,
+            )
+            
+            response.raise_for_status()
+            result = response.json()
+            
+            logger.debug(f"Hash lookup successful for {hash_value[:16]}...")
+            return result
+            
+        except requests.exceptions.Timeout as e:
+            logger.error(f"Timeout looking up hash {hash_value[:16]}...: {e}")
+            raise IntegrationError(f"Timeout looking up hash: {e}") from e
+        except requests.exceptions.RequestException as e:
+            logger.error(f"API request failed for hash {hash_value[:16]}...: {e}")
+            
+            # Try to extract error details from response
+            error_detail = None
+            if hasattr(e, "response") and e.response is not None:
+                try:
+                    error_detail = e.response.json()
+                    if "detail" in error_detail:
+                        error_detail = error_detail["detail"]
+                except Exception:
+                    if e.response.text:
+                        error_detail = e.response.text[:200]
+            
+            error_msg = f"API request failed: {e}"
+            if error_detail:
+                error_msg += f" - {error_detail}"
+            
+            raise IntegrationError(error_msg) from e
+

src/integrations/cti/opencti/__init__.py

@@ -0,0 +1,10 @@
+"""
+OpenCTI (Open Cyber Threat Intelligence Platform) integration.
+
+This module provides integration with OpenCTI for hash lookups and threat intelligence.
+"""
+
+from .opencti_client import OpenCTIClient
+
+__all__ = ["OpenCTIClient"]
+

src/integrations/cti/opencti/opencti_client.py

@@ -0,0 +1,101 @@
+"""
+OpenCTI (Open Cyber Threat Intelligence Platform) implementation of CTI client.
+
+This client provides hash lookup capabilities via the OpenCTI GraphQL API.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Dict, Optional
+
+from ....core.config import SamiConfig
+from ....core.errors import IntegrationError
+from ....core.logging import get_logger
+from .opencti_http import OpenCTIHttpClient
+
+
+logger = get_logger("sami.integrations.cti.opencti.client")
+
+
+class OpenCTIClient:
+    """
+    CTI client backed by OpenCTI.
+    
+    Provides threat intelligence lookup capabilities for hashes.
+    """
+
+    def __init__(self, http_client: OpenCTIHttpClient) -> None:
+        """
+        Initialize the OpenCTI CTI client.
+        
+        Args:
+            http_client: HTTP client for making API requests
+        """
+        self._http = http_client
+
+    @classmethod
+    def from_config(cls, config: SamiConfig) -> "OpenCTIClient":
+        """
+        Factory to construct a client from SamiConfig.
+        
+        Args:
+            config: SamiConfig instance with CTI configuration
+            
+        Returns:
+            OpenCTIClient instance
+            
+        Raises:
+            IntegrationError: If CTI configuration is not set or invalid
+        """
+        if not config.cti:
+            raise IntegrationError("CTI configuration is not set in SamiConfig")
+        
+        if config.cti.cti_type != "opencti":
+            raise IntegrationError(
+                f"CTI type '{config.cti.cti_type}' is not supported. Only 'opencti' is supported."
+            )
+        
+        if not config.cti.api_key:
+            raise IntegrationError("OpenCTI requires an API key. Set 'api_key' in CTI configuration.")
+
+        http_client = OpenCTIHttpClient(
+            base_url=config.cti.base_url,
+            api_key=config.cti.api_key,
+            timeout_seconds=config.cti.timeout_seconds,
+            verify_ssl=config.cti.verify_ssl,
+        )
+        return cls(http_client=http_client)
+
+    def lookup_hash(self, hash_value: str) -> Dict[str, Any]:
+        """
+        Look up a hash in the threat intelligence platform.
+        
+        Args:
+            hash_value: The hash value to look up (MD5, SHA1, SHA256, SHA512)
+            
+        Returns:
+            Dictionary containing hash intelligence information
+            
+        Raises:
+            IntegrationError: If lookup fails
+        """
+        try:
+            result = self._http.lookup_hash(hash_value)
+            
+            if result is None:
+                # Return a structured response even when hash is not found
+                return {
+                    "value": hash_value.strip(),
+                    "found": False,
+                    "indicators": [],
+                }
+            
+            # Add found flag
+            result["found"] = True
+            return result
+        except Exception as e:
+            logger.exception(f"Error looking up hash {hash_value[:16]}...: {e}")
+            if isinstance(e, IntegrationError):
+                raise
+            raise IntegrationError(f"Failed to lookup hash: {e}") from e
+