def dotransform(request, response, config):
    """Attach the ``risk.warning`` values seen for a destination IP.

    Maltego transform entry point.  ``request.value`` is taken as the IP
    entity; the NetWitness query is limited to the last
    ``config['netwitness/days']`` (turned into a time clause by
    ``nwmodule.nwtime``) and to sessions whose ``ip.dst`` is that address.
    Every distinct ``risk.warning`` meta value is added to ``response`` as an
    ``NWThreat`` entity carrying the meta ids, type and count.  Returns
    ``response``.

    NOTE(review): ``request.value`` is interpolated into the query string as
    is; confirm an unexpected entity value cannot change the query grammar
    (e.g. validate it as an IP address before use).
    """
    ip_entity = request.value
    # nwmodule.nwtime presumably maps the day count onto a NetWitness time
    # expression -- confirm against nwmodule.
    time_range = nwmodule.nwtime(config['netwitness/days'])
    meta_key = 'risk.warning'
    where_clause = '(time=%s) && ip.dst=%s' % (time_range, ip_entity)
    # The 250 looks like a result limit -- confirm against nwmodule.nwValue.
    raw = nwmodule.nwValue(0, 0, 250, meta_key, 'application/json', where_clause)
    fields = json.loads(raw)['results']['fields']

    seen = set()
    for field in fields:
        value = field['value']
        if value in seen:
            continue
        seen.add(value)
        response += NWThreat(
            value.decode('ascii'),  # str.decode: Python 2 semantics -- confirm runtime
            ip=ip_entity,
            metaid1=field['id1'],
            metaid2=field['id2'],
            type_=field['type'],
            count=field['count'],
            weight=field['count'],
        )
    return response
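def dotransform(request, response):
    """Attach the ``client`` (user-agent) values seen for a risk warning.

    Maltego transform entry point.  ``request.value`` is the ``risk.warning``
    name; when the request carries an ``ip`` field the query is further
    restricted to sessions where that address is the source or destination.
    Every distinct ``client`` meta value is added to ``response`` as an
    ``NWUserAgent`` entity.  Returns ``response``.

    ``config`` is not a parameter here (the sibling transforms take it as
    one) and is resolved from module scope -- NOTE(review): confirm it is
    defined there.

    NOTE(review): ``risk_name`` and the ``ip`` field are interpolated into the
    query string unescaped; confirm the NetWitness quoting rules and that an
    unexpected entity value cannot alter the query.
    """
    nwmodule.nw_http_auth()
    risk_name = request.value
    # nwmodule.nwtime presumably maps the day count onto a NetWitness time
    # expression -- confirm against nwmodule.
    time_range = nwmodule.nwtime(config['netwitness/days'])
    if 'ip' in request.fields:
        ip_entity = request.fields['ip']
        # Parenthesise the src/dst alternation as the other transforms do.
        # Written as `... && ip.src=X || ip.dst=X` the trailing `|| ip.dst=X`
        # is at best ambiguous and, if && binds tighter than ||, matches every
        # session to that address regardless of time or risk.warning.
        where_clause = (
            '(time=%s) && risk.warning="%s" && (ip.src=%s || ip.dst=%s)'
            % (time_range, risk_name, ip_entity, ip_entity)
        )
    else:
        where_clause = '(time=%s) && risk.warning="%s"' % (time_range, risk_name)
    field_name = 'client'
    # The 10 looks like a result limit -- confirm against nwmodule.nwValue.
    raw = nwmodule.nwValue(0, 0, 10, field_name, 'application/json', where_clause)

    seen_clients = set()
    for field in json.loads(raw)['results']['fields']:
        value = field['value']
        if value in seen_clients:
            continue
        seen_clients.add(value)
        response += NWUserAgent(
            value.decode('ascii'),  # str.decode: Python 2 semantics -- confirm runtime
            metaid1=field['id1'],
            metaid2=field['id2'],
            type_=field['type'],
            count=field['count'],
        )
    return response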
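def dotransform(request, response):
    """Attach the ``filetype`` values seen for an IP address.

    Maltego transform entry point.  ``request.value`` is the IP entity; the
    query covers the last ``config['netwitness/days']`` and sessions where the
    address is either source or destination.  Every distinct ``filetype``
    meta value is added to ``response`` as an ``NWFiletype`` entity.  Returns
    ``response``.

    ``config`` is not a parameter here (the sibling transforms take it as
    one) and is resolved from module scope -- NOTE(review): confirm it is
    defined there.

    NOTE(review): ``request.value`` is interpolated into the query string as
    is; confirm an unexpected entity value cannot change the query grammar
    (e.g. validate it as an IP address before use).
    """
    nwmodule.nw_http_auth()
    ip_entity = request.value
    # nwmodule.nwtime presumably maps the day count onto a NetWitness time
    # expression -- confirm against nwmodule.
    time_range = nwmodule.nwtime(config['netwitness/days'])
    field_name = 'filetype'
    # Parenthesise the src/dst alternation as the other transforms do.
    # Written as `(time=T) && ip.src=X || ip.dst=X` the trailing `|| ip.dst=X`
    # is at best ambiguous and, if && binds tighter than ||, matches every
    # session to that address regardless of the time window.
    where_clause = (
        '(time=%s) && (ip.src=%s || ip.dst=%s)'
        % (time_range, ip_entity, ip_entity)
    )
    # The 25 looks like a result limit -- confirm against nwmodule.nwValue.
    raw = nwmodule.nwValue(0, 0, 25, field_name, 'application/json', where_clause)

    seen_types = set()
    for field in json.loads(raw)['results']['fields']:
        value = field['value']
        if value in seen_types:
            continue
        seen_types.add(value)
        response += NWFiletype(
            value.decode('ascii'),  # str.decode: Python 2 semantics -- confirm runtime
            ip=ip_entity,
            metaid1=field['id1'],
            metaid2=field['id2'],
            type_=field['type'],
            count=field['count'],
        )
    return response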
def dotransform(request, response, config):
    """Attach the ``filename`` values seen for a risk warning.

    Maltego transform entry point.  ``request.value`` is the ``risk.warning``
    name; when the request carries an ``ip`` field the query is further
    restricted to sessions where that address is the source or destination.
    Every distinct ``filename`` meta value is added to ``response`` as an
    ``NWFilename`` entity tagged with the risk name.  Returns ``response``.

    NOTE(review): ``risk_name`` and the ``ip`` field are interpolated into the
    query string unescaped; confirm the NetWitness quoting rules and that an
    unexpected entity value cannot alter the query.
    """
    risk_name = request.value
    # nwmodule.nwtime presumably maps the day count onto a NetWitness time
    # expression -- confirm against nwmodule.
    time_range = nwmodule.nwtime(config['netwitness/days'])

    base_clause = '(time=%s) && risk.warning="%s"' % (time_range, risk_name)
    if 'ip' in request.fields:
        ip = request.fields['ip']
        # Restrict to sessions where the address is on either side.
        where_clause = '%s && (ip.src=%s || ip.dst=%s)' % (base_clause, ip, ip)
    else:
        where_clause = base_clause

    field_name = 'filename'
    # The 250 looks like a result limit -- confirm against nwmodule.nwValue.
    raw = nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause)

    seen_names = set()
    for field in json.loads(raw)['results']['fields']:
        value = field['value']
        if value in seen_names:
            continue
        seen_names.add(value)
        response += NWFilename(
            value.decode('ascii'),  # str.decode: Python 2 semantics -- confirm runtime
            riskname=risk_name,
            metaid1=field['id1'],
            metaid2=field['id2'],
            type_=field['type'],
            count=field['count'],
            weight=field['count'],
        )
    return response
def dotransform(request, response, config):
    """Attach the ``filename`` values seen for a file type.

    Maltego transform entry point.  ``request.value`` is the ``filetype``
    name; the query covers the last ``config['netwitness/days']``.  Every
    distinct ``filename`` meta value is added to ``response`` as an
    ``NWFilename`` entity tagged with the file type.  Returns ``response``.

    NOTE(review): ``file_type`` is interpolated into the quoted query string
    unescaped; confirm the NetWitness quoting rules and that an unexpected
    entity value cannot alter the query.
    """
    file_type = request.value
    # nwmodule.nwtime presumably maps the day count onto a NetWitness time
    # expression -- confirm against nwmodule.
    time_range = nwmodule.nwtime(config['netwitness/days'])
    field_name = 'filename'
    where_clause = '(time=%s) && filetype="%s"' % (time_range, file_type)
    # The 250 looks like a result limit -- confirm against nwmodule.nwValue.
    raw = nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause)

    seen_names = set()
    for field in json.loads(raw)['results']['fields']:
        value = field['value']
        if value in seen_names:
            continue
        seen_names.add(value)
        response += NWFilename(
            value.decode('ascii'),  # str.decode: Python 2 semantics -- confirm runtime
            filetype=file_type,
            metaid1=field['id1'],
            metaid2=field['id2'],
            type_=field['type'],
            count=field['count'],
            weight=field['count'],
        )
    return response
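def dotransform(request, response, config):
    """Attach the ``alias.host`` values seen for an IP address as Domains.

    Maltego transform entry point.  ``request.value`` is the IP entity; the
    query covers the last ``config['netwitness/days']`` and sessions where the
    address is either source or destination.  Every distinct ``alias.host``
    meta value is added to ``response`` as a ``Domain`` entity weighted by its
    count.  Returns ``response``.

    NOTE(review): ``request.value`` is interpolated into the query string as
    is; confirm an unexpected entity value cannot change the query grammar
    (e.g. validate it as an IP address before use).
    """
    ip_entity = request.value
    # nwmodule.nwtime presumably maps the day count onto a NetWitness time
    # expression -- confirm against nwmodule.
    time_range = nwmodule.nwtime(config['netwitness/days'])
    field_name = 'alias.host'
    where_clause = (
        '(time=%s) && (ip.src=%s || ip.dst=%s)'
        % (time_range, ip_entity, ip_entity)
    )
    # The 250 looks like a result limit -- confirm against nwmodule.nwValue.
    raw = nwmodule.nwValue(0, 0, 250, field_name, 'application/json', where_clause)

    # Record each emitted host so duplicates yield a single Domain entity.
    # Previously the list used for this check was never appended to, so the
    # membership test filtered nothing.
    seen_hosts = set()
    for field in json.loads(raw)['results']['fields']:
        value = field['value']
        if value in seen_hosts:
            continue
        seen_hosts.add(value)
        # str.decode: Python 2 semantics -- confirm runtime
        response += Domain(value.decode('ascii'), weight=field['count'])
    return response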