Basic Reputation Change Callback Example
This sample demonstrates registering a ReputationChangeCallback with the
DXL fabric to receive reputation change events sent by the McAfee Threat Intelligence Exchange (TIE) DXL service
when the reputation of a file or certificate changes.
The majority of the sample code is shown below:
```python
import time

from dxlbootstrap.util import MessageUtils
from dxlclient.client import DxlClient
from dxltieclient import TieClient, ReputationChangeCallback

# `config` is the DXL client configuration object created earlier in the
# sample (not shown in this excerpt)


class MyReputationChangeCallback(ReputationChangeCallback):
    """
    My reputation change callback
    """
    def on_reputation_change(self, rep_change_dict, original_event):
        # Display the DXL topic that the event was received on
        print("Reputation change on topic: " + original_event.destination_topic)

        # Dump the dictionary
        print(MessageUtils.dict_to_json(rep_change_dict, True))


# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    # Create the McAfee Threat Intelligence Exchange (TIE) client
    tie_client = TieClient(client)

    # Create reputation change callback
    rep_change_callback = MyReputationChangeCallback()

    # Register callbacks with client to receive both file and certificate reputation change events
    tie_client.add_file_reputation_change_callback(rep_change_callback)
    tie_client.add_certificate_reputation_change_callback(rep_change_callback)

    # Wait forever
    print("Waiting for reputation change events...")
    while True:
        time.sleep(60)
```

A class derived from ReputationChangeCallback is defined, which overrides the on_reputation_change method to handle
reputation change events. When a reputation change event occurs, this method displays the topic that the event was received on and dumps the reputation change details.
Once a connection is established to the DXL fabric, a TieClient instance is created.
An instance of the derived callback is constructed and registered with both the add_file_reputation_change_callback and add_certificate_reputation_change_callback methods to receive file and certificate reputation change events.
When a reputation change event is received the output should appear similar to the following:
```
Reputation change on topic: /mcafee/event/tie/file/repchange/broadcast
{
    "hashes": {
        "md5": "f2c7bb8acc97f92e987a2d4087d01221",
        "sha1": "7eb0139d2175739b3ccb0d1110067820be6abd2b"
    },
    "newReputations": {
        "1": {
            "attributes": {
                "2120340": "0"
            },
            "createDate": 1480551590,
            "providerId": 1,
            "trustLevel": 0
        },
        "3": {
            "attributes": {
                "2101652": "0",
                "2102165": "1480551374",
                "2111893": "244",
                "2114965": "1",
                "2139285": "73183493944770750"
            },
            "createDate": 1480551374,
            "providerId": 3,
            "trustLevel": 99
        }
    },
    "oldReputations": {
        "1": {
            "attributes": {
                "2120340": "0"
            },
            "createDate": 1480551590,
            "providerId": 1,
            "trustLevel": 0
        },
        "3": {
            "attributes": {
                "2101652": "0",
                "2102165": "1480551374",
                "2111893": "244",
                "2114965": "1",
                "2139285": "73183493944770750"
            },
            "createDate": 1480551374,
            "providerId": 3,
            "trustLevel": 0
        }
    },
    "updateTime": 1481222923
}
```

The first line displays the DXL topic that the event was received on. In this particular case it is
"/mcafee/event/tie/file/repchange/broadcast", which indicates that this is a file reputation change event.
The reputation change information is separated into 4 distinct sections:
- Hash values: A dict (dictionary) of hashes that identify the file or certificate whose reputation has changed.
- New reputations: The new reputations for the file or certificate whose reputation has changed, as a Python dict (dictionary).
- Old reputations: The previous reputations for the file or certificate whose reputation has changed, as a Python dict (dictionary).
- Change time: The time the reputation change occurred.
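
The four sections can be reduced to the per-provider trust-level changes that a triage or alerting pipeline usually cares about. The following is an added example, not part of the original sample or the project's code: `summarize_rep_change` and `_by_provider` are hypothetical helpers that could be called from `on_reputation_change`, and the input is the event shown above with its `attributes` maps omitted.

```python
from datetime import datetime, timezone

# Constructed sample: the event shown above, with the "attributes" maps omitted.
SAMPLE_EVENT = {
    "hashes": {
        "md5": "f2c7bb8acc97f92e987a2d4087d01221",
        "sha1": "7eb0139d2175739b3ccb0d1110067820be6abd2b",
    },
    "newReputations": {
        "1": {"createDate": 1480551590, "providerId": 1, "trustLevel": 0},
        "3": {"createDate": 1480551374, "providerId": 3, "trustLevel": 99},
    },
    "oldReputations": {
        "1": {"createDate": 1480551590, "providerId": 1, "trustLevel": 0},
        "3": {"createDate": 1480551374, "providerId": 3, "trustLevel": 0},
    },
    "updateTime": 1481222923,
}


def _by_provider(reputations):
    # Normalise provider keys to int (they are strings in the JSON dump).
    return {int(k): v for k, v in (reputations or {}).items()}


def summarize_rep_change(rep_change_dict):
    """Hypothetical helper: list the providers whose trustLevel changed."""
    old = _by_provider(rep_change_dict.get("oldReputations"))
    new = _by_provider(rep_change_dict.get("newReputations"))
    changes = []
    for provider_id in sorted(set(old) | set(new)):
        # A provider present on only one side reports None for the other.
        old_level = old.get(provider_id, {}).get("trustLevel")
        new_level = new.get(provider_id, {}).get("trustLevel")
        if old_level != new_level:
            changes.append(
                {"providerId": provider_id, "old": old_level, "new": new_level})
    update_time = rep_change_dict.get("updateTime")
    return {
        "hashes": dict(rep_change_dict.get("hashes") or {}),
        # Assumption: updateTime is epoch seconds, as the sample value suggests.
        "updated": (datetime.fromtimestamp(update_time, tz=timezone.utc).isoformat()
                    if update_time is not None else None),
        "changes": changes,
    }


if __name__ == "__main__":
    print(summarize_rep_change(SAMPLE_EVENT))
```

For the sample event, only provider 3 appears in `changes`, because provider 1 reports the same trust level in both sections.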