def dotransform(request, response, config):
# NW REST API Query and results
ip_entity = request.value
diff = nwmodule.nwtime(config['netwitness/days'])
field_name = 'risk.warning'
where_clause = '(time=%s) && ip.dst=%s' % (diff, ip_entity)
json_data = json.loads(nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause))
threat_list = []
for d in json_data['results']['fields']:
if d['value'] not in threat_list:
response += NWThreat(
d['value'].decode('ascii'),
ip=ip_entity,
metaid1=d['id1'],
metaid2=d['id2'],
type_=d['type'],
count=d['count'],
weight=d['count']
)
threat_list.append(d['value'])
return response
def dotransform(request, response):
nwmodule.nw_http_auth()
# NW REST API Query and results
risk_name = request.value
diff = nwmodule.nwtime(config['netwitness/days'])
if 'ip' in request.fields:
ip_entity = request.fields['ip']
where_clause = '(time=%s) && risk.warning="%s" && ip.src=%s || ip.dst=%s' % (diff, risk_name, ip_entity, ip_entity)
else:
where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)
field_name = 'client'
json_data = json.loads(nwmodule.nwValue(0, 0, 10, field_name, 'application/json', where_clause))
ip_list = []
for d in json_data['results']['fields']:
if d['value'] not in ip_list:
response += NWUserAgent(
d['value'].decode('ascii'),
metaid1=d['id1'],
metaid2=d['id2'],
type_=d['type'],
count=d['count']
)
ip_list.append(d['value'])
return response
def dotransform(request, response):
nwmodule.nw_http_auth()
# NW REST API Query and results
ip_entity = request.value
diff = nwmodule.nwtime(config['netwitness/days'])
field_name = 'filetype'
where_clause = '(time=%s) && ip.src=%s || ip.dst=%s' % (diff, ip_entity, ip_entity)
json_data = json.loads(nwmodule.nwValue(0, 0, 25, field_name, 'application/json', where_clause))
file_list = []
for d in json_data['results']['fields']:
if d['value'] not in file_list:
response += NWFiletype(
d['value'].decode('ascii'),
ip=ip_entity,
metaid1=d['id1'],
metaid2=d['id2'],
type_=d['type'],
count=d['count']
)
file_list.append(d['value'])
return response
def dotransform(request, response, config):
# NW REST API Query and results
risk_name = request.value
diff = nwmodule.nwtime(config['netwitness/days'])
if 'ip' in request.fields:
ip = request.fields['ip']
where_clause = '(time=%s) && risk.warning="%s" && (ip.src=%s || ip.dst=%s)' % (diff, risk_name, ip, ip)
else:
where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)
field_name = 'filename'
json_data = json.loads(nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause))
file_list = []
for d in json_data['results']['fields']:
if d['value'] not in file_list:
response += NWFilename(
d['value'].decode('ascii'),
riskname = risk_name,
metaid1=d['id1'],
metaid2=d['id2'],
type_=d['type'],
count=d['count'],
weight=d['count']
)
file_list.append(d['value'])
return response
def dotransform(request, response, config):
# NW REST API Query and results
file_type = request.value
diff = nwmodule.nwtime(config['netwitness/days'])
field_name = 'filename'
where_clause = '(time=%s) && filetype="%s"' % (diff, file_type)
json_data = json.loads(nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause))
file_list = []
for d in json_data['results']['fields']:
if d['value'] not in file_list:
response += NWFilename(
d['value'].decode('ascii'),
filetype=file_type,
metaid1=d['id1'],
metaid2=d['id2'],
type_=d['type'],
count=d['count'],
weight=d['count']
)
file_list.append(d['value'])
return response
def dotransform(request, response, config):
# NW REST API Query and results
ip_entity = request.value
diff = nwmodule.nwtime(config['netwitness/days'])
field_name = 'alias.host'
where_clause = '(time=%s) && (ip.src=%s || ip.dst=%s)' % (diff, ip_entity, ip_entity)
json_data = json.loads(nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause))
host_list = []
for d in json_data['results']['fields']:
if d['value'] not in host_list:
response += Domain(d['value'].decode('ascii'), weight=d['count'])
return response
