Basic Get Reputation Example
This sample demonstrates invoking the McAfee Threat Intelligence Exchange (TIE) DXL service to retrieve the reputation of files (as identified by their hashes).
This is the same sample that is available in the OpenDXL Python SDK (see Threat Intelligence Exchange (TIE) File Reputation Sample), but has been refactored to use the McAfee Threat Intelligence Exchange (TIE) DXL client library.
The majority of the sample code is shown below:
# Imports used by the sample (from the DXL client, bootstrap and TIE client packages)
from dxlbootstrap.util import MessageUtils
from dxlclient.client_config import DxlClientConfig
from dxlclient.client import DxlClient
from dxltieclient import TieClient
from dxltieclient.constants import HashType

# Create DXL configuration from file (replace with the path to your dxlclient.config)
config = DxlClientConfig.create_dxl_config_from_file("dxlclient.config")

# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    # Create the McAfee Threat Intelligence Exchange (TIE) client
    tie_client = TieClient(client)

    #
    # Request and display reputation for notepad.exe
    #
    reputations_dict = \
        tie_client.get_file_reputation({
            HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
            HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
            HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
        })
    print("Notepad.exe reputations:")
    print(MessageUtils.dict_to_json(reputations_dict, True) + "\n")

    #
    # Request and display reputation for EICAR
    #
    reputations_dict = \
        tie_client.get_file_reputation({
            HashType.MD5: "44d88612fea8a8f36de82e1278abb02f",
            HashType.SHA1: "3395856ce81f2b7382dee72602f798b642f14140",
            HashType.SHA256: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
        })
    print("EICAR reputations:")
    print(MessageUtils.dict_to_json(reputations_dict, True))

Once a connection is established to the DXL fabric, a TieClient instance is created; it is used for all communication with the TIE DXL services.
For each file whose reputations are retrieved, the get_file_reputation() method of the TieClient instance is called with a dict of the hash values (keyed by HashType) that identify the file. Note that the file is identified only by its hashes; the names used in the print statements are labels for the reader, not part of the query.
The reputations received for each file are printed by converting the response dict (dictionary) to JSON.
The output should appear similar to the following:
Notepad.exe reputations:
{
"1": {
"attributes": {
"2120340": "2139160704"
},
"createDate": 1480455704,
"providerId": 1,
"trustLevel": 99
},
"3": {
"attributes": {
"2101652": "232",
"2102165": "1476902802",
"2111893": "241",
"2114965": "4",
"2139285": "73183493944770750"
},
"createDate": 1476902802,
"providerId": 3,
"trustLevel": 99
}
}
EICAR reputations:
{
"1": {
"attributes": {
"2120340": "2139162632"
},
"createDate": 1480616574,
"providerId": 1,
"trustLevel": 1
},
"3": {
"attributes": {
"2101652": "119",
"2102165": "1476902803",
"2111893": "242",
"2114965": "0",
"2139285": "73183493944770750"
},
"createDate": 1476902803,
"providerId": 3,
"trustLevel": 0
}
}

The sample outputs the file reputations for two files.
The key for each entry in the response dict (dictionary) corresponds to the provider of the associated reputation. The list of file reputation providers can be found in the FileProvider constants class.
The first file queried in the TIE service is “notepad.exe”. The McAfee Global Threat Intelligence (GTI) service is identified in the results as "providerId": 1. The trust level associated with the GTI response ("trustLevel": 99) indicates that the file is known good.
The second file queried in the TIE service is the “EICAR Standard Anti-Virus Test File”. The trust level associated with the GTI response ("trustLevel": 1) indicates that the file is known bad.
See the TrustLevel constants class for the list of standard trust levels.
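The sample prints the raw response and leaves interpretation to the reader. The following is an added example, not code from this project, showing how a caller can validate the hashes before they are sent and then turn a response dict like the two above into a per-provider summary and a single conservative verdict. The provider ids and trust level values in its tables are reproduced from the dxltieclient FileProvider and TrustLevel constants as an assumption (confirm them against your installed library), and the sample responses are copied from the output shown above, with the string keys that dict_to_json emits. It runs offline with no DXL fabric.

```python
import json

# Provider ids and trust levels, reproduced here as an assumption from the
# dxltieclient FileProvider and TrustLevel constants classes (check them
# against your installed library version rather than trusting this table).
FILE_PROVIDERS = {1: "GTI", 3: "Enterprise", 5: "ATD", 7: "MWG"}
TRUST_LEVELS = {
    100: "KNOWN_TRUSTED_INSTALLER", 99: "KNOWN_TRUSTED",
    85: "MOST_LIKELY_TRUSTED", 70: "MIGHT_BE_TRUSTED", 50: "UNKNOWN",
    30: "MIGHT_BE_MALICIOUS", 15: "MOST_LIKELY_MALICIOUS",
    1: "KNOWN_MALICIOUS", 0: "NOT_SET",
}
# Key strings the HashType constants resolve to, with the hex length of each digest
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Responses copied from the sample output above (string keys, as dict_to_json emits them)
NOTEPAD_REPUTATIONS = json.loads("""{
  "1": {"attributes": {"2120340": "2139160704"}, "createDate": 1480455704,
        "providerId": 1, "trustLevel": 99},
  "3": {"attributes": {"2101652": "232", "2102165": "1476902802", "2111893": "241",
                       "2114965": "4", "2139285": "73183493944770750"},
        "createDate": 1476902802, "providerId": 3, "trustLevel": 99}
}""")
EICAR_REPUTATIONS = json.loads("""{
  "1": {"attributes": {"2120340": "2139162632"}, "createDate": 1480616574,
        "providerId": 1, "trustLevel": 1},
  "3": {"attributes": {"2101652": "119", "2102165": "1476902803", "2111893": "242",
                       "2114965": "0", "2139285": "73183493944770750"},
        "createDate": 1476902803, "providerId": 3, "trustLevel": 0}
}""")


def build_hash_request(**hashes):
    """Validate hashes before they go into get_file_reputation().

    Keyword names are the HashType key strings (md5, sha1, sha256). Values are
    normalised to lower-case hex; a wrong length or a non-hex character raises
    ValueError instead of sending TIE a lookup that can only miss.
    """
    request = {}
    for hash_type, value in hashes.items():
        expected = HASH_LENGTHS.get(hash_type)
        if expected is None:
            raise ValueError("unsupported hash type: %s" % hash_type)
        value = value.strip().lower()
        if len(value) != expected or any(c not in "0123456789abcdef" for c in value):
            raise ValueError("%s must be a %d-character hex string" % (hash_type, expected))
        request[hash_type] = value
    if not request:
        raise ValueError("at least one hash is required")
    return request


def summarize_reputations(reputations_dict):
    """Map each provider in a TIE response to (trustLevel, trust level name).

    The live response uses integer FileProvider keys; after a dict_to_json
    round trip they are strings, so both forms are accepted.
    """
    summary = {}
    for provider_id, reputation in reputations_dict.items():
        pid = int(provider_id)
        name = FILE_PROVIDERS.get(pid, "provider-%d" % pid)
        level = int(reputation.get("trustLevel", 0))
        label = TRUST_LEVELS.get(level, "NON_STANDARD(%d)" % level)
        summary[name] = (level, label)
    return summary


def overall_verdict(reputations_dict):
    """Most conservative verdict across providers: the lowest set trust level wins.

    A trustLevel of 0 (NOT_SET, as the provider 3 entry for EICAR shows) carries
    no opinion and is ignored rather than being read as "malicious".
    """
    levels = [lvl for lvl, _ in summarize_reputations(reputations_dict).values() if lvl > 0]
    if not levels:
        return "no reputation set"
    lowest = min(levels)
    if lowest <= 30:
        return "malicious"
    if lowest >= 70:
        return "trusted"
    return "unknown"


if __name__ == "__main__":
    for label, reps in (("notepad.exe", NOTEPAD_REPUTATIONS), ("EICAR", EICAR_REPUTATIONS)):
        print(label, summarize_reputations(reps), "->", overall_verdict(reps))
```

Taking the minimum set trust level is a deliberate choice: when one provider says KNOWN_MALICIOUS and another has no opinion, the file is treated as malicious, and a single trusted verdict never outweighs a malicious one from a different provider. Non-standard trust levels (anything not in the TrustLevel class) still fall into a bucket through the thresholds rather than being dropped.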