...
Ensure that you’ve installed and are using a Python 3.6 interpreter. This is important to ensure that you match the oldest version of Python used in the ThreatConnect Platform. Python 3.6.8 is recommended.
Install the latest version of the tcex module:
Code Block pip3 install 'tcex[development]'
Create a project directory on your system.
NOTE: If you’re using an IDE, do not initialize this directory with your IDE until after you’ve initialized it with the appropriate template in the next step. Otherwise, you’ll receive an error that the directory is not empty.
Change directories into the project directory and prepare a template:
Code Block tcinit --template job_batch
Modify the code in app.py. Specifically, your code belongs in the App.run() method.
Ensure that your other project configuration files are up-to-date:
install.json - See this link for reference on this file. Most default values can remain. Key points:
Ensure that your displayName is configured properly per our guidelines.
Ensure that each of your input parameters are defined properly.
tcex.json - Key points:
Ensure that the package > app_name is version of your package name without spaces. Use the _ to substitute for spaces.
For TcEx v1: The package > app_version field will be appended to the package name and doesn’t actually reflect the version embedded in the project.
Any files you add to the project for development but that should not be shipped in the deliverable should be added to the package > excludes array.
args.py - Key Points:
Each argument you add to your app should be included here. You do not need to add any of the pre-defined arguments such as tc_log_level.
requirements.txt - Key Points:
Each package you require for any portion of your app should be specified here.
Prepare the project libraries from the project directory:
Code Block tclib
Prepare a run profile/script to test your code. Use the following parameters for your profile/script:
Execute the run.py with the working directory of your project.
Use the following arguments:
--tc_api_path- Set this tohttps://<instance URL>/apiIf you’re using the PartnerStage environment, this would be
https://partnerstage.threatconnect.com/api.If you’re using the ThreatConnect Public Cloud (you access the UI using
https://app.threatconnect.com), this would behttps://api.threatconnect.com/.
--api_access_id- Set this to your API Access ID--api_secret_key- Set this to your API Secret KeyIf you run this from a
bashorzshcommand-line, you must single-quote your API Secret Key or it will not work properly (you will get an API 400 response code saying it can’t find the indicator types).If you run this in PyCharm using a run profile, you must double-quote your API Secret Key or it may produce unexpected results inside the interpreter.
--tc_log_path- Set this to.to generate the app.log in your working directorySpecify another directory if you desire. All of the exceptions will be captured in this log and will not be printed to the screen.
--tc_log_level- Set this toDEBUGfor your testing purposes--tc_owner- Set this to the name of your Source in PartnerStage. This is typically going to be<Organization> Sourceas the name. If your company name is SecuLast, this would beSecuLast Source.This value is only for testing purposes. In the Production environment, you’ll accept a configurable name here in your project (configuration provided in the template).
Execute testing against your project to ensure that your code works properly against the description in your Solution Design as well as the guidelines for your integration type.
Ensure that your project is stored in your code repository.
Package the application using ‘tcpackage’. The output will be in ./target by default (a .tcx file).
TCEX Sample Project
Creating a brand new ThreatConnect Job can be overwhelming at first glance and so the Technology Partners Team has created a sample project for reference.
Sample Project Link: https://github.com/ThreatConnect-Inc/threatconnect-jobs/tree/master/apps/Malc0de%20Threat%20Intelligence
The sample project has a .tcx file which will contain the integration itself and a .pdf which is the user guide.
The .tcx file is really just a zip file with out special extension. Uncompress it with your preferred zip tool. Inside the .tcx file you will see the following files:
| Code Block |
|---|
__main__.py
app_lib.py (Applib class)
app.py (This is the file where most of the app code will reside)
args.py (Arguments to be passed to the app)
install.json (JSON file that configures the app for the ThreatConnect platform)
job_app.py (JobApp class)
lib_3.6.8
lib_latest
Malc0de_Threat_Intelligence_Feed.json (Feed deployer job file which is used to deploy the app through feed deployer)
README.md
requirements.txt (Python library requirements)
run.py (Run file for the app) |
app.py
This sample project will showcase how to utilize many of the common features of the batch module. The main file that most of the code for an integration usually resides in is app.py. The app.py file shown in the sample project will display how to implement certain features of the batch module as shown below:
Setting the owner of indicators/groups:
app.py line 284
Setting indicator threat rating and confidence:
app.py line 288-289
Logging to the app log file using different log levels:
app.py line 294,309
Setting an exit message and how to exit the app:
app.py line 317-318
Getting the current UTC iso8601 time:
app.py line 336-338
Generating a unique XID:
app.py line 340
Creating a group:
app.py line 341
Adding an attribute to a group:
app.py line 342-347
Submitting all indicators/groups to the platform using batch:
app.py line 363-364
Batch Error handling example:
app.py line 362-395
Creating an indicator:
app.py line 411
Adding attributes to an indicator :
app.py line 427
Associating indicators to a threat group:
app.py line 431