Function to get all available data about an indicator in ThreatConnect.
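def get_complete_indicator_data(indicator_object):
    """Collect all available data about a ThreatConnect indicator into one dict.

    Args:
        indicator_object: a ThreatConnect SDK indicator object.  The function
            reads its ``json``, ``indicator`` and ``resource_type`` attributes,
            calls the SDK ``load_*`` methods and then reads the ``tags``,
            ``attributes``, ``group_associations`` and
            ``indicator_associations`` collections (plus ``size`` /
            ``file_occurrences`` for file indicators and ``dns_resolutions``
            for host indicators).

    Returns:
        A new dict with the indicator's basic JSON fields (``description``
        removed, ``confidence`` renamed to ``confidence_rating`` and
        ``rating`` renamed to ``threat_rating``) plus ``indicator``,
        ``resource_type`` (lower-cased), ``tags`` (tag names), ``attributes``
        (one dict per attribute, including that attribute's security labels),
        ``associated_groups`` (group ids), ``associated_indicators``
        (indicator values), ``file_size`` and ``file_occurrences`` for file
        indicators, and ``dns_resolutions`` for host indicators.
        ``security_labels`` is always present but left empty (see below).
    """
    # Work on a shallow copy so the SDK object's own ``json`` dict is not
    # mutated by the key deletions/renames below.
    indicator_data = dict(indicator_object.json)

    # The description is intentionally dropped from the summary dict; using
    # pop() with a default avoids a KeyError for indicators without one.
    # It is not re-added anywhere in this function.
    indicator_data.pop('description', None)

    # Computed once; the original string-matched on this value three times.
    resource_type = str(indicator_object.resource_type).lower()

    # COPY INFORMATION ABOUT THE INDICATOR ITSELF
    indicator_data['indicator'] = indicator_object.indicator
    indicator_data['resource_type'] = resource_type

    # RENAME THE CONFIDENCE AND THREAT RATINGS (None when the field is absent)
    indicator_data['confidence_rating'] = indicator_data.pop('confidence', None)
    indicator_data['threat_rating'] = indicator_data.pop('rating', None)

    # COPY INDICATOR TAGS
    indicator_object.load_tags()
    indicator_data['tags'] = [tag.name for tag in indicator_object.tags]

    # COPY INDICATOR ATTRIBUTES
    indicator_object.load_attributes()
    indicator_data['attributes'] = [
        _attribute_to_dict(attribute) for attribute in indicator_object.attributes
    ]

    # INDICATOR SECURITY LABELS
    # NOTE: indicator-level security labels are not collected; the key is
    # kept (empty) so consumers see a stable schema.  The original script
    # had the load_security_label() loop commented out without a recorded
    # reason, so this is left as-is rather than guessed at.
    indicator_data['security_labels'] = []

    # COPY INDICATOR GROUP ASSOCIATIONS (group ids only)
    indicator_data['associated_groups'] = [
        group.id for group in indicator_object.group_associations
    ]

    # COPY INDICATOR INDICATOR ASSOCIATIONS (indicator values only)
    indicator_data['associated_indicators'] = [
        associated.indicator for associated in indicator_object.indicator_associations
    ]

    # COPY FILE INDICATOR FILE SIZE AND FILE OCCURRENCES
    if "files" in resource_type:
        indicator_data['file_size'] = indicator_object.size
        indicator_object.load_file_occurrence()
        indicator_data['file_occurrences'] = [
            _file_occurrence_to_dict(occurrence)
            for occurrence in indicator_object.file_occurrences
        ]

    # COPY HOST INDICATOR DNS RESOLUTIONS
    if "hosts" in resource_type:
        indicator_object.load_dns_resolutions()
        indicator_data['dns_resolutions'] = [
            _dns_resolution_to_dict(resolution)
            for resolution in indicator_object.dns_resolutions
        ]

    return indicator_data


def _attribute_to_dict(attribute):
    """Return a plain dict for one SDK attribute, including its security labels."""
    # Loading the security labels currently raises for attributes on URL
    # indicators (see:
    # https://github.com/ThreatConnect-Inc/threatconnect-python/issues/45);
    # the error is deliberately not swallowed so the caller can decide.
    attribute.load_security_labels()
    return {
        'date_added': attribute.date_added,
        'displayed': attribute.displayed,
        'id': attribute.id,
        'last_modified': attribute.last_modified,
        # passed through as the SDK returns it (not converted here)
        'security_labels': attribute.security_labels,
        'type': attribute.type,
        'value': attribute.value,
    }


def _file_occurrence_to_dict(file_occurrence):
    """Return a plain dict for one SDK file occurrence."""
    return {
        'date': file_occurrence.date,
        'file_name': file_occurrence.file_name,
        'id': file_occurrence.id,
        'path': file_occurrence.path,
    }


def _dns_resolution_to_dict(dns_resolution):
    """Return a plain dict for one SDK DNS resolution."""
    return {
        'ip': dns_resolution.ip,
        'owner_name': dns_resolution.owner_name,
        'resolution_date': dns_resolution.resolution_date,
        'weblink': dns_resolution.weblink,
    }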