Official Python SDK for the Verity471 API. Features query validation, instantiated object models, and native STIX mapping

Verity471

The official Python SDK for the Verity471 API.

The client abstracts low-level API concerns by performing automatic query and payload validation and exposing a clean, typed interface to Verity471 data.

It also bridges the gap to standard CTI workflows by providing built-in STIX mapping for supported data items, allowing easier integration with threat intelligence platforms.

API bindings are generated via OpenAPI Generator, with manual extensions for validation and STIX support.

  • API version: 1.0.0

    • creds: 1.0.0
    • girs: 1.0.0
    • indicators: 1.0.0
    • malware: 1.0.0
    • reports: 1.0.0
    • sources: 1.0.0
  • Package version: 1.0.0

  • Generator version: 7.19.0

  • Build package: org.openapitools.codegen.languages.PythonClientCodegen

Requirements

Python >= 3.10

Installation

Install from PyPI (recommended)

pip install verity471

This installs the core SDK without optional STIX support.

Optional features

STIX support:

pip install "verity471[stix]"

Development and test dependencies:

pip install "verity471[test]"

Both extras can be installed together:

pip install "verity471[stix,test]"

Install from GitHub

You can also install the SDK directly from the Git repository:

pip install git+ssh://git@github.com/intel471/verity471-python.git

With extras:

pip install "git+ssh://git@github.com/intel471/verity471-python.git#egg=verity471[stix,test]"

Getting Started

Please follow the installation procedure and then run the following:

import os
from pprint import pprint

import verity471
from verity471.rest import ApiException

# Defining the host is optional and defaults to https://api.intel471.cloud
# See configuration.py for a list of all supported configuration parameters.
#
# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
#
# Configure HTTP basic authorization: basicAuth
# Credentials are read from the environment rather than hard-coded.
# On Windows, USERNAME is already set by the OS to the logged-in account name,
# so use a dedicated variable name there.
configuration = verity471.Configuration(
    host="https://api.intel471.cloud",
    username=os.environ["USERNAME"],
    password=os.environ["PASSWORD"],
)


# Enter a context with an instance of the API client
with verity471.ApiClient(configuration) as api_client:

    # Create an instance of the API class
    api_instance = verity471.IndicatorsApi(api_client)

    threat_type = 'malware' # str | Search indicators by threat type
    malware_family_name = 'trickbot' # str | Search indicators by malware family
    var_from = 1767225600000 # int | Search from specific date (UNIX timestamp in milliseconds)
    size = 10 # int | Number from 1 to 1000 (default to 1000)

    try:
        # Indicators stream
        api_response = api_instance.get_indicators_stream(threat_type=threat_type, malware_family_name=malware_family_name, var_from=var_from, size=size)
        print("The response of IndicatorsApi->get_indicators_stream:\n")
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling IndicatorsApi->get_indicators_stream: %s\n" % e)

Serialization

Each call to an API instance returns a structure composed of Python objects. The response can be serialized into one of the common formats, if needed.

Python dict

To convert the response into a Python dict, call the to_dict() method on the response object.

serialized = api_response.to_dict()

STIX format

Note
STIX support requires optional dependencies.
Install with:

pip install "verity471[stix]"

To convert the response into the STIX format (v2.1), call the to_stix() method on the response object. This method converts the API response into the corresponding STIX objects and returns them wrapped in a Bundle object (from stix2 package). The Bundle object can be serialized into a JSON string using its serialize() method.

bundle = api_response.to_stix()
json_repr = bundle.serialize()

Some responses can be augmented with additional data obtained via extra API calls. This applies only to report-related stream endpoints.

Stream endpoints are designed for search. When a report is large, the returned payload may be truncated: inline images are always removed, and in some cases entire fields are omitted. When fields are omitted, the is_truncated flag is set to true. As a result, the streamed representation may not contain the full report content.

If an instance of verity471.verity_stix.STIXMapperSettings is passed to the to_stix() method with the report_full_content flag set to True, the mapper will issue additional API calls to retrieve the full representation of each truncated report referenced in the stream results. This makes it possible to run a stream (search) endpoint and serialize the results into STIX while still obtaining complete report data.

The STIXMapperSettings instance must be initialized with the verity471 package and an initialized api_client.

For the complete list of available settings, see the implementation of the STIXMapperSettings class in verity471/verity_stix/__init__.py.

import verity471
from verity471.verity_stix import STIXMapperSettings

configuration = verity471.Configuration(...)

with verity471.ApiClient(configuration) as api_client:
    api_instance = verity471.ReportsApi(api_client)
    api_response = api_instance.get_reports_info_stream(size=1)
    mapper_settings = STIXMapperSettings(
        verity471,
        api_client,
        report_full_content=True
    )
    bundle = api_response.to_stix(mapper_settings)

If the objects returned by the endpoint cannot be mapped into STIX format, an EmptyBundle exception is raised.

At the moment, the following API methods can provide their response in STIX format:

| Client's class/method | API endpoint | Produced outcome |
| --- | --- | --- |
| IndicatorsApi.get_indicators_stream | /indicators/stream | Indicator and Malware SDOs related using Relationship object; URL, IPv4Address, File, DomainName or EmailAddress Observable related with the Indicator SDO using Relationship object |
| IndicatorsApi.get_indicator_by_id | /indicators/{id} | |
| ReportsApi.get_reports_breach_alert_stream | /reports/breach-alert/stream | Report SDOs with related entities/victims via object_refs (Identity/Org, Malware, ThreatActor, Vulnerability and observables like URL, DomainName, IPv4Address, IPv6Address, EmailAddress, AutonomousSystem, File, UserAccount, CryptocurrencyWallet) |
| ReportsApi.get_reports_breach_alert_id | /reports/breach-alert/{id} | |
| ReportsApi.get_reports_fintel_stream | /reports/fintel/stream | |
| ReportsApi.get_reports_fintel_id | /reports/fintel/{id} | |
| ReportsApi.get_reports_geopol_stream | /reports/geopol/stream | |
| ReportsApi.get_reports_geopol_id | /reports/geopol/{id} | |
| ReportsApi.get_reports_info_stream | /reports/info/stream | |
| ReportsApi.get_reports_info_id | /reports/info/{id} | |
| ReportsApi.get_reports_malware_stream | /reports/malware/stream | |
| ReportsApi.get_reports_malware_id | /reports/malware/{id} | |
| ReportsApi.get_reports_spot_stream | /reports/spot/stream | |
| ReportsApi.get_reports_spot_id | /reports/spot/{id} | |
| ReportsApi.get_reports_vulnerability_stream | /reports/vulnerability/stream | Vulnerability SDOs |
| ReportsApi.get_reports_vulnerability_id | /reports/vulnerability/{id} | |

Empty cells inherit the value from the previous row.
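
A consumer-side sketch for the indicator endpoints' STIX output, added here as an example and not part of the SDK: it loads the JSON string that bundle.serialize() returns and follows Relationship objects to group each Indicator with its Malware SDOs and observables. The sample bundle, its IDs and its relationship types are constructed assumptions, so the code matches on object types only and ignores relationship direction.

```python
import json
from collections import defaultdict

# SCO types the indicator endpoints are documented to emit.
OBSERVABLE_TYPES = {"url", "ipv4-addr", "file", "domain-name", "email-addr"}

# Constructed sample standing in for bundle.serialize() output. IDs, values and
# relationship types are illustrative assumptions, not captured API data.
IND = "indicator--11111111-1111-4111-8111-111111111111"
MAL = "malware--22222222-2222-4222-8222-222222222222"
URL = "url--33333333-3333-4333-8333-333333333333"
GONE = "domain-name--44444444-4444-4444-8444-444444444444"  # absent from bundle

def make_rel(n, kind, src, dst):
    rel_id = f"relationship--{n:08d}-0000-4000-8000-000000000000"
    return {"type": "relationship", "id": rel_id, "relationship_type": kind,
            "source_ref": src, "target_ref": dst}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "id": IND, "pattern_type": "stix",
     "pattern": "[url:value = 'http://c2.example.test/gate']"},
    {"type": "malware", "id": MAL, "name": "trickbot"},
    {"type": "url", "id": URL, "value": "http://c2.example.test/gate"},
    make_rel(1, "indicates", IND, MAL),
    make_rel(2, "based-on", IND, URL),
    make_rel(3, "based-on", IND, GONE),  # dangling reference
]})

def group_by_indicator(bundle_json):
    """Map indicator id -> pattern, malware names and observables."""
    objects = {o["id"]: o for o in json.loads(bundle_json).get("objects", [])}
    grouped = defaultdict(lambda: {"malware": [], "observables": []})
    for rel in (o for o in objects.values() if o.get("type") == "relationship"):
        ends = (rel.get("source_ref"), rel.get("target_ref"))
        # Match on object type only: direction and relationship_type are ignored.
        ind = next((e for e in ends if e in objects
                    and objects[e].get("type") == "indicator"), None)
        other = next((e for e in ends if e != ind), None)
        if ind is None or other not in objects:
            continue  # dangling or non-indicator relationship: skip, don't guess
        obj = objects[other]
        if obj.get("type") == "malware":
            grouped[ind]["malware"].append(obj.get("name"))
        elif obj.get("type") in OBSERVABLE_TYPES:
            value = obj.get("value") or obj.get("hashes")  # file SCOs carry hashes
            grouped[ind]["observables"].append((obj["type"], value))
        grouped[ind]["pattern"] = objects[ind].get("pattern")
    return dict(grouped)
```

Relationships whose referenced object is missing from the bundle are skipped, so a partial bundle yields fewer links rather than wrong ones.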

Documentation for API Endpoints

All URIs are relative to https://api.intel471.cloud

| Class | Method | HTTP request | Description |
| --- | --- | --- | --- |
| CredentialsApi | get_credential_sets_accessed_urls_stream | GET /integrations/creds/v1/credential-sets/accessed-urls/stream | Credential set accessed url stream |
| CredentialsApi | get_credential_sets_id | GET /integrations/creds/v1/credential-sets/{id} | Get credential set by ID |
| CredentialsApi | get_credential_sets_stream | GET /integrations/creds/v1/credential-sets/stream | Credential set stream |
| CredentialsApi | get_credentials_id | GET /integrations/creds/v1/credentials/{id} | Get credential by ID |
| CredentialsApi | get_credentials_occurrences_id | GET /integrations/creds/v1/credentials/occurrences/{id} | Get credential occurrence by ID |
| CredentialsApi | get_credentials_occurrences_stream | GET /integrations/creds/v1/credentials/occurrences/stream | Credential occurrence stream |
| CredentialsApi | get_credentials_stream | GET /integrations/creds/v1/credentials/stream | Credential stream |
| EventsApi | get_event_by_id | GET /integrations/malware-intel/v1/events/{id} | Get event by id |
| EventsApi | get_events_stream | GET /integrations/malware-intel/v1/events/stream | Stream malware events using a cursor |
| GIRsApi | get_list_of_girs_in_a_hierarchical_structure | GET /integrations/girs/v1/girs/tree | |
| IndicatorsApi | get_indicator_by_id | GET /integrations/indicators/v1/indicators/{id} | Get indicator by id |
| IndicatorsApi | get_indicators_stream | GET /integrations/indicators/v1/indicators/stream | Stream indicators using a cursor |
| MalwareApi | get_malware_family_by_id | GET /integrations/malware-intel/v1/malware/{id} | Get malware family details by id |
| MalwareApi | get_malware_list | GET /integrations/malware-intel/v1/malware | Get list of malware families. |
| ReportsApi | get_reports_breach_alert_id | GET /integrations/intel-report/v1/reports/breach-alert/{id} | Get a breach alert report details |
| ReportsApi | get_reports_breach_alert_stream | GET /integrations/intel-report/v1/reports/breach-alert/stream | Get all breach alert reports (stream) |
| ReportsApi | get_reports_fintel_id | GET /integrations/intel-report/v1/reports/fintel/{id} | Get a fintel report details |
| ReportsApi | get_reports_fintel_stream | GET /integrations/intel-report/v1/reports/fintel/stream | Get all fintel reports (stream) |
| ReportsApi | get_reports_geopol_id | GET /integrations/intel-report/v1/reports/geopol/{id} | Get a geopol report details |
| ReportsApi | get_reports_geopol_stream | GET /integrations/intel-report/v1/reports/geopol/stream | Get all geopol reports (stream) |
| ReportsApi | get_reports_info_id | GET /integrations/intel-report/v1/reports/info/{id} | Get an info report details |
| ReportsApi | get_reports_info_stream | GET /integrations/intel-report/v1/reports/info/stream | Get all info reports (stream) |
| ReportsApi | get_reports_malware_id | GET /integrations/intel-report/v1/reports/malware/{id} | Get a malware report details |
| ReportsApi | get_reports_malware_stream | GET /integrations/intel-report/v1/reports/malware/stream | Get all malware reports (stream) |
| ReportsApi | get_reports_spot_id | GET /integrations/intel-report/v1/reports/spot/{id} | Get a spot report details |
| ReportsApi | get_reports_spot_stream | GET /integrations/intel-report/v1/reports/spot/stream | Get all spot reports (stream) |
| ReportsApi | get_reports_stream | GET /integrations/intel-report/v1/reports/stream | Get all reports (stream) |
| ReportsApi | get_reports_vulnerability_id | GET /integrations/intel-report/v1/reports/vulnerability/{id} | Get a vulnerability report details |
| ReportsApi | get_reports_vulnerability_stream | GET /integrations/intel-report/v1/reports/vulnerability/stream | Get all vulnerabilities reports (stream) |
| SourcesApi | get_data_leak_sites_file_listings_id | GET /integrations/sources/v1/data-leak-sites/file-listings/{id} | Get a data leak site file listing content |
| SourcesApi | get_data_leak_sites_posts_stream | GET /integrations/sources/v1/data-leak-sites/posts/stream | Get data leak sites posts (stream) |
| SourcesApi | get_forums_posts_post_id | GET /integrations/sources/v1/forums/posts/{post_id} | Get a forum post by id |
| SourcesApi | get_forums_posts_stream | GET /integrations/sources/v1/forums/posts/stream | Get forums posts (stream) |
| SourcesApi | get_forums_private_messages_private_message_id | GET /integrations/sources/v1/forums/private-messages/{private_message_id} | Get a private message by id |
| SourcesApi | get_forums_private_messages_stream | GET /integrations/sources/v1/forums/private-messages/stream | Get forums private messages (stream) |
| SourcesApi | get_messaging_services_messages_message_id | GET /integrations/sources/v1/messaging-services/messages/{message_id} | Get a chat message by id |
| SourcesApi | get_messaging_services_messages_stream | GET /integrations/sources/v1/messaging-services/messages/stream | Get chat messages (stream) |

Documentation For Models

Documentation For Authorization

Authentication schemes defined for the API:

basicAuth

  • Type: HTTP basic authentication

Author

Intel 471 Inc.

Source Distribution

verity471-1.0.0.tar.gz (118.8 kB)

Uploaded Source

Built Distribution

verity471-1.0.0-py3-none-any.whl (318.6 kB)

Uploaded Python 3

File details

Details for the file verity471-1.0.0.tar.gz.

File metadata

  • Download URL: verity471-1.0.0.tar.gz
  • Upload date:
  • Size: 118.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for verity471-1.0.0.tar.gz
Algorithm Hash digest
SHA256 637e2b26433de048e129d780f61d83eecec2eb00b2a6700407d09566130060f9
MD5 56735c0159c76e4fdd4222db9d9b38a8
BLAKE2b-256 9af21fc32f1daf8ec3c682b62d6a638bd08ed4cd3c8c9b7e4018b97912b2846b

Provenance

The following attestation bundles were made for verity471-1.0.0.tar.gz:

Publisher: publish.yml on intel471/verity471-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file verity471-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: verity471-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 318.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for verity471-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ff2ef03f04fe41a0e0f79f37f6badad423e65e835697c468ec145555e58513dc
MD5 2e48bcea4279d814012ebf7e016c8ea4
BLAKE2b-256 b222200f23681b1bf4e070e62cd0fde6af9e15dcb71d22e5dc9ad4bc4d078bb0

Provenance

The following attestation bundles were made for verity471-1.0.0-py3-none-any.whl:

Publisher: publish.yml on intel471/verity471-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
