Yeti objects

Yeti relies on several objects, which are defined here.

Observables

class core.observables.Observable(*args, **values)[source]

Base class for Observables in Yeti

Observables describe elements that can be seen in investigations, incidents, reports, intelligence, etc. They are usually technical data about specific threats or actors.

value

The observable’s technical value (the observed URL, hostname, IP address...)

sources

An array of strings that define how the observable was inserted

description

A free-text description of the observable

context

A JSON object providing extra information as to why the observable was added. Context can be added through the API or through Feeds

tags

An array of core.observables.tag.ObservableTag objects

last_analyses

An array of JSON objects indicating the last analysis time for a particular analytic

created

Creation date

last_tagged

Date when a given observable was last tagged

exclude_fields

Fields to be excluded from automatic form creation

add_context(context, replace_source=None)[source]

Adds context to an Observable.

“Context” is represented by a JSON object (or Python dict()) that will be added to the Observable’s context set. Context should provide information on why the Observable has been added to the database.

Context can be any information, but it needs to have a source key that can point the analyst to the source of the context.

Parameters:
  • context – a JSON object representing the context to be added.
  • replace_source – If defined, contexts having a source attribute set to replace_source will be deleted before insert
Returns:

A fresh instance of the Observable as it exists in the database.

add_source(source)[source]

Adds a source to the observable instance

Parameters:
  • source – a string to add to the array of sources.
classmethod add_text(text, tags=[])[source]

Adds and returns an observable for a given string.

Parameters:
  • text – the text that will be used to add an Observable from.
Returns:

A saved Observable instance.
static change_all_tags(old_tags, new_tag)[source]

Changes tags on all observables

Parameters:
  • old_tags – A string or array of strings representing tag names to change
  • new_tag – The new tag name by which all old_tags should be replaced
classmethod get_form(klass)[source]

Gets the appropriate form for a given observable

get_tags(fresh=True)[source]

Returns an array of strings containing the names of an observable's fresh tags.

Parameters:
  • fresh – set to False to also include non-fresh (expired) tags in the result
Returns:

Array of strings containing the observable's tag names.
static guess_type(string)[source]

Tries to guess the type of observable given a string.

Parameters:
  • string – The string that will be used to guess the observable type from.
Returns:

An observable Class.

Raises:

ObservableValidationError if no type could be guessed.
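The classification rule behind guess_type is not spelled out above; the following is an added, self-contained illustration of how such a guesser orders its checks (IP before hostname, digest before URL, and an error when nothing matches). It is example code written for this page, not Yeti's implementation: the Ip, Url, Hostname and Hash classes are hypothetical stand-ins for Yeti's observable subclasses, and the regular expressions are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlparse


class ObservableValidationError(ValueError):
    """Stand-in for Yeti's ObservableValidationError (hypothetical)."""


# Hypothetical marker classes standing in for Yeti's Observable subclasses;
# the real ones carry validation and storage logic that is out of scope here.
class Ip:
    pass


class Url:
    pass


class Hostname:
    pass


class Hash:
    pass


# Dotted RFC 1123 labels (no leading/trailing hyphen) ending in an alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
_HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
_DIGEST_LENGTHS = {32, 40, 64}  # md5, sha1, sha256 hex digests


def guess_type(string):
    """Return the observable class that best fits `string`, or raise."""
    s = string.strip()
    if not s:
        raise ObservableValidationError("empty string")
    # IP first: "1.2.3.4" would otherwise look like a dotted hostname.
    try:
        ipaddress.ip_address(s)
        return Ip
    except ValueError:
        pass
    # Fixed-length hex digests before URLs/hostnames: they contain no scheme or dot.
    if len(s) in _DIGEST_LENGTHS and _HEX_RE.match(s):
        return Hash
    # A URL needs both a scheme we expect to see in feeds and a network location.
    parsed = urlparse(s)
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return Url
    if _HOSTNAME_RE.match(s):
        return Hostname
    raise ObservableValidationError("could not guess type of %r" % string)
```

The order matters: an IPv4 literal is a syntactically valid dotted name, and a bare hostname parses as a URL with an empty scheme, so each check is placed before the looser one that would also accept its input.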
remove_context(context)[source]

Removes Context from an observable.

Parameters:
  • context – a JSON object representing the context to be removed.
Returns:

A fresh instance of the Observable as it exists in the database.
tag(new_tags, strict=False, expiration=None)[source]

Tags an observable.

An observable can be tagged to add more information as to what it represents.

Parameters:
  • new_tags – An array of strings to tag the observable with.
  • strict – Set to True to replace all existing tags with the new_tags.
  • expiration – Timedelta field after which the Tag will not be considered fresh anymore.
Returns:

A fresh Observable instance as reloaded from the database.
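The add_context, remove_context, tag and get_tags methods above describe behaviour (replace_source dropping earlier entries from the same source, strict replacing the tag set, expiration deciding freshness) without showing it end to end. The block below is an added, in-memory example of those semantics written for this page; it is not Yeti's code, which persists to a database and returns a reloaded instance. The optional now parameter is this example's own addition so that freshness can be checked without waiting, and the observable, sources and context values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone


class ObservableTag:
    """Stand-in for core.observables.tag.ObservableTag: a name plus freshness bookkeeping."""

    def __init__(self, name, expiration, now):
        self.name = name
        self.first_seen = now
        self.last_seen = now
        self.expiration = expiration  # timedelta, or None for a tag that never goes stale

    def fresh(self, now):
        return self.expiration is None or now - self.last_seen < self.expiration


class Observable:
    """In-memory stand-in for core.observables.Observable (no database)."""

    def __init__(self, value):
        self.value = value
        self.sources = []
        self.context = []
        self.tags = []
        self.created = datetime.now(timezone.utc)
        self.last_tagged = None

    def add_source(self, source):
        if source not in self.sources:
            self.sources.append(source)
        return self

    def add_context(self, context, replace_source=None):
        # Every context entry must be traceable: refuse entries without a source key.
        if "source" not in context:
            raise ValueError("context needs a 'source' key")
        if replace_source is not None:
            self.context = [c for c in self.context if c.get("source") != replace_source]
        # Set semantics: an identical context entry is not stored twice.
        if context not in self.context:
            self.context.append(dict(context))
        return self

    def remove_context(self, context):
        self.context = [c for c in self.context if c != context]
        return self

    def tag(self, new_tags, strict=False, expiration=None, now=None):
        now = now or datetime.now(timezone.utc)
        if isinstance(new_tags, str):
            new_tags = [new_tags]
        if strict:
            # strict=True drops every existing tag not in new_tags instead of merging.
            self.tags = [t for t in self.tags if t.name in new_tags]
        by_name = {t.name: t for t in self.tags}
        for name in new_tags:
            if name in by_name:
                by_name[name].last_seen = now  # re-tagging refreshes the tag
                if expiration is not None:
                    by_name[name].expiration = expiration
            else:
                self.tags.append(ObservableTag(name, expiration, now))
        self.last_tagged = now
        return self

    def get_tags(self, fresh=True, now=None):
        now = now or datetime.now(timezone.utc)
        return [t.name for t in self.tags if not fresh or t.fresh(now)]


def demo():
    """Walk through the documented semantics on a constructed observable."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    o = Observable("evil.example.com").add_source("feed:ExampleFeed")
    o.add_context({"source": "feed:ExampleFeed", "reason": "listed as C2"})
    o.add_context({"source": "analyst:alice", "reason": "confirmed during incident response"})
    # Re-ingesting the feed: drop its previous context before inserting the new entry.
    o.add_context({"source": "feed:ExampleFeed", "reason": "still listed"},
                  replace_source="feed:ExampleFeed")
    o.tag(["c2", "zeus"], expiration=timedelta(days=7), now=t0)
    later = t0 + timedelta(days=8)
    return {
        "context_sources": [c["source"] for c in o.context],
        "fresh_at_t0": o.get_tags(now=t0),
        "fresh_later": o.get_tags(now=later),           # both tags expired
        "all_later": o.get_tags(fresh=False, now=later),
        # Strict re-tag: c2 is dropped, zeus is refreshed and fresh again.
        "after_strict": o.tag(["zeus"], strict=True, now=later).get_tags(now=later),
    }
```

Note that an expired tag is not deleted: get_tags(fresh=False) still returns it, which is what lets an analyst tell "this was a C2 last month" from "this is a C2 now".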

Feeds

class core.feed.Feed(*args, **values)[source]

Base class for Feeds. All feeds must inherit from this.

Feeds describe the way Yeti automatically collects and processes data.

frequency

Required. A timedelta variable defining the frequency at which a feed is to be run. Example: timedelta(hours=1)

name

Required. The feed’s name. Must be the same as the class name. Example: "ZeusTrackerConfigs"

source

Required when using the update_* helpers. The URL from which the data is fetched. Example: "https://zeustracker.abuse.ch/monitor.php?urlfeed=configs"

description

Required. Brief feed description. Example: "This feed shows the latest 50 ZeuS config URLs."

Note

These attributes must be defined in every class inheriting from Feed as the key-value items of a default_values attribute. See Creating feeds for more details

analyze(line)[source]

Function responsible for processing the line / data unit passed on by the update function.

Raises:NotImplementedError if no function has been implemented.
parse_xml(data, main_node, children)[source]

Helper function used to parse XML. See core.feed.Feed.update_xml() for details

update()[source]

Function responsible for retrieving the data for a feed and calling the analyze function on its data, typically one line at a time.

Helper functions may be called to facilitate parsing of common data formats.

Raises:NotImplementedError if no function has been implemented.
update_csv(delimiter=u';', quotechar=u"'", headers={}, auth=None)[source]

Helper function. Performs an HTTP request on source and treats the response as a CSV file, yielding a list of fields for each parsed line.

Parameters:
  • delimiter – A string delimiting fields in the CSV. Default is ;.
  • quotechar – A string marking quoted fields, inside which delimiters and line breaks are not interpreted. Default is '.
  • headers – Optional headers to be added to the HTTP request.
  • auth – Username / password tuple to be sent along with the HTTP request.
Returns:

Yields arrays of UTF-8 strings, one per field, split on delimiter

update_json(headers={}, auth=None)[source]

Helper function. Performs an HTTP request on source and parses the response JSON, returning a Python dict object.

Parameters:
  • headers – Optional headers to be added to the HTTP request.
  • auth – Username / password tuple to be sent along with the HTTP request.
Returns:

Python dict object representing the response JSON.

update_lines(headers={}, auth=None)[source]

Helper function. Performs an HTTP request on source and treats each line of the response separately.

Parameters:
  • headers – Optional headers to be added to the HTTP request.
  • auth – Username / password tuple to be sent along with the HTTP request.
Returns:

Yields string lines from the HTTP response.

update_xml(main_node, children, headers={}, auth=None)[source]

Helper function. Performs an HTTP request on source and treats the response as an XML object, yielding a dict for each parsed element.

The XML must have a main_node, and an array of children. For example:

<main_node>
    <child1></child1>
    <child2></child2>
    <child3></child3>
</main_node>
Parameters:
  • main_node – A string defining the parent node that delimits a dict to be yielded.
  • children – An array of strings defining the children of the parent node. These will be the keys of the dict.
  • headers – Optional headers to be added to the HTTP request.
  • auth – Username / password tuple to be sent along with the HTTP request.
Returns:

Yields Python dictionary objects. The dictionary keys are the strings specified in the children array.
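To show how the update()/analyze() split and the update_xml/update_csv helpers fit together, here is an added, offline example written for this page. It is not Yeti's code: the parse_xml and parse_csv functions are this example's own stand-ins that take the response body as an argument instead of fetching self.source over HTTP, the Feed base class is reduced to copying default_values onto the instance, and ExampleXmlFeed, its source URL and both sample documents are constructed for the example.

```python
import csv
import xml.etree.ElementTree as ET
from datetime import timedelta


def parse_xml(data, main_node, children):
    """Yield one dict per <main_node> element, keyed by the requested child tags.

    A child missing from an element maps to None so analyze() can decide what to do.
    Feed XML is untrusted input: a real feed should parse it with defusedxml rather
    than the stdlib parser used here to keep the example dependency-free.
    """
    root = ET.fromstring(data)
    nodes = [root] if root.tag == main_node else root.iter(main_node)
    for node in nodes:
        item = {}
        for child in children:
            el = node.find(child)
            item[child] = el.text.strip() if el is not None and el.text else None
        yield item


def parse_csv(data, delimiter=";", quotechar="'"):
    """Yield one list of fields per CSV line, mirroring update_csv's defaults."""
    for row in csv.reader(data.splitlines(), delimiter=delimiter, quotechar=quotechar):
        if row:  # skip blank lines
            yield row


class Feed:
    """Minimal stand-in for core.feed.Feed: copies default_values onto the instance."""

    default_values = {}

    def __init__(self):
        for key, value in self.default_values.items():
            setattr(self, key, value)
        self.results = []  # stands in for observables written to the database

    def update(self):
        raise NotImplementedError

    def analyze(self, line):
        raise NotImplementedError


# Constructed sample documents, standing in for the HTTP responses the helpers would fetch.
SAMPLE_XML = """<rss><channel>
  <item><title>config 1</title><link>http://bad.example/cfg1.bin</link></item>
  <item><title>config 2</title><link>http://worse.example/cfg2.bin</link></item>
  <item><title>no link here</title></item>
</channel></rss>"""

# Second line shows why quotechar matters: the URL itself contains the ';' delimiter.
SAMPLE_CSV = (
    "url;first_seen\n"
    "'http://bad.example/q?a=1;b=2';2024-01-01\n"
    "http://worse.example/x;2024-01-02\n"
)


class ExampleXmlFeed(Feed):
    default_values = {
        "frequency": timedelta(hours=1),
        "name": "ExampleXmlFeed",  # must match the class name
        "source": "https://feed.invalid/configs.rss",  # placeholder, never fetched here
        "description": "Hypothetical feed of config URLs taken from an RSS document.",
    }

    def update(self, body=SAMPLE_XML):
        # The real helper would fetch self.source; here the body is passed in.
        for item in parse_xml(body, "item", ["title", "link"]):
            self.analyze(item)

    def analyze(self, item):
        if not item["link"]:
            return  # incomplete element: do not create an observable from it
        self.results.append({
            "value": item["link"],
            "context": {"source": self.name, "title": item["title"]},
        })
```

The context attached in analyze() carries the feed name as its source, which is what add_context on the observable side expects; a later run of the same feed can then pass replace_source=self.name to supersede its earlier entry rather than accumulate duplicates.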