Threat Maps

Introduction

The ThreatMapMgr class in the threat_maps module enables you to search for and retrieve enterprise threat maps. Currently this includes:

  • Malware
  • Actors

See the API Reference for internal details of the module.

Examples

Warning

The following examples demonstrate how to use this module. Be sure to add appropriate error handling as needed; all possible errors for each method or function are listed in the API Reference page.

Additionally, you must configure the RF_TOKEN environment variable before getting started. For instructions, see Learn.

1: Fetch all available threat maps

This example uses the fetch_available_maps method to fetch all threat maps available to an organization, including any sub-organization threat maps.

from psengine.threat_maps import ThreatMapMgr

mgr = ThreatMapMgr()
threat_maps = mgr.fetch_available_maps()

for threat_map in threat_maps:
    print(threat_map.name)

2: Search for threat actor by name

In this example, we use the search_threat_actor method to find threat actors by name. We set name to the actor name we are looking for and cap the number of results with max_results.

from psengine.threat_maps import ThreatMapMgr

mgr = ThreatMapMgr()
actors = mgr.search_threat_actor(
    name='Lazarus', max_results=10
)

for actor in actors:
    print(actor)

The code will output:

ID: QCwdoU Name: Lazarus Group, Common Names: Diamond Sleet, Cyber Warfare Guidance Unit
ID: TyZBlf Name: Lazarus
ID: idrp3c Name: Fancy Lazarus
ID: sMJUDp Name: lazaruscore

3: Fetch malware threat map with categories and filter by scores

This example assumes that you already have the malware category IDs from the fetch_entity_categories method. We use the fetch_map method to fetch the primary organization's malware threat map. By setting map_type to malware, we fetch the malware threat map only. To further narrow the results to the Rootkit and Linux Malware categories, we pass their category IDs: ["0fK7b", "RTkDB2"]. Once the map is returned, we filter its entries by opportunity and prevalence score.

from psengine.threat_maps import ThreatMapMgr

mgr = ThreatMapMgr()
malware_map = mgr.fetch_map(
    map_type='malware', categories=['0fK7b', 'RTkDB2']
)

for malware in malware_map.threat_map:
    if (
        malware.opportunity >= 65
        and malware.prevalence >= 65
    ):
        print(malware)
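The score filter above keeps any entry at or above 65 on both axes but does no ordering and assumes every entry carries both scores. The following is an added example, not part of psengine or its documentation: it wraps that filter in a reusable function that skips entries with a missing score and ranks the survivors highest-risk first. It runs offline on a constructed stand-in for the map entries; the `name` attribute, the 0-100 score range and the `MalwareEntry` class are assumptions, while `.opportunity` and `.prevalence` are the attributes the page's example 3 uses.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class MalwareEntry:
    """Constructed stand-in for one entry of a psengine malware threat map.

    `opportunity` and `prevalence` mirror the attributes used in example 3;
    `name` and the 0-100 score range are assumptions for this example only.
    """
    name: str
    opportunity: Optional[int]
    prevalence: Optional[int]


def filter_by_scores(entries: Iterable, min_opportunity: int = 65,
                     min_prevalence: int = 65) -> List:
    """Return entries meeting BOTH thresholds, highest combined score first.

    Entries missing either score are skipped rather than treated as zero, so
    an absent score never silently passes or fails the check. Works on any
    objects exposing `.opportunity` and `.prevalence`, e.g. the items of
    `malware_map.threat_map` from example 3 (assumed to be duck-type compatible).
    """
    kept = []
    for entry in entries:
        opp = getattr(entry, "opportunity", None)
        prev = getattr(entry, "prevalence", None)
        if opp is None or prev is None:
            continue
        if opp >= min_opportunity and prev >= min_prevalence:
            kept.append(entry)
    # Stable sort: ties keep the order the map returned them in.
    return sorted(kept, key=lambda e: e.opportunity + e.prevalence, reverse=True)


# Constructed sample data standing in for a fetched malware threat map.
SAMPLE_MAP = [
    MalwareEntry("Rootkit-A", opportunity=80, prevalence=70),
    MalwareEntry("Rootkit-B", opportunity=65, prevalence=65),   # exactly on threshold: kept
    MalwareEntry("LinuxMiner", opportunity=90, prevalence=40),  # prevalence too low: dropped
    MalwareEntry("Unknown", opportunity=None, prevalence=88),   # missing score: dropped
    MalwareEntry("Backdoor-C", opportunity=70, prevalence=95),
]


def top_names(entries=SAMPLE_MAP, **thresholds) -> List[str]:
    """Names of the entries that pass the filter, in ranked order."""
    return [e.name for e in filter_by_scores(entries, **thresholds)]


if __name__ == "__main__":
    for name in top_names():
        print(name)
```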