def bot_scan_backend(community, redis, consumer_name, api_key):
    session = requests.Session()
    api = PolyswarmAPI(api_key, community=community)
    consumer = EventConsumer(['scan-requests'], 'bot-scan-backend',
                             consumer_name, get_walrus_db(redis), ScanRequest)
    producer = EventProducer('scan-results', get_walrus_db(redis))

    waiter = ResultWaiter(api, producer)

    with ThreadPoolExecutor() as pool:
        for event in consumer.iter_events():
            try:
                event = ScanRequest()
                if event.artifact_type == 'FILE':
                    stream = session.get(event.uri, stream=True).raw
                    result = api.submit(stream)
                elif event.artifact_type == 'URL':
                    result = api.submit(
                        event.uri, artifact_type=resources.ArtifactType.URL)
                else:
                    logger.warning(
                        'Unsupported artifact type %s, maybe update this backend',
                        event.artifact_type)
                    continue
                future = pool.submit(waiter.wait_for_result, result.id,
                                     event.context)

            except Exception as e:
                logger.exception('Exception occurred processing event %s: %s',
                                 event, e)
 def __init__(self, apikey):
     self.polyswarm_api = PolyswarmAPI(apikey)
     self.alert_output = {}
     self.alert_output['integration'] = INTEGRATION_NAME
     self.alert_output['polyswarm'] = {}
     self.alert_output['polyswarm']['found'] = 0
     self.alert_output['polyswarm']['malicious'] = 0
Beispiel #3
0
    def __init__(self):
        self.config = {}  # type: Dict[str,str]
        self.config['polyswarm_api_key'] = demisto.params().get('api_key')
        self.config['base_url'] = demisto.params().get('base_url')
        self.config['polyswarm_community'] = demisto.params().get('polyswarm_community')

        self.polyswarm_api = PolyswarmAPI(key=self.config['polyswarm_api_key'],
                                          uri=self.config['base_url'])
Beispiel #4
0
def ruleset(test, name='test'):
    values = []
    values.append(
        resources.YaraRuleset(
            {
                'account_id':
                '1',
                'created':
                '2019-11-13T16:27:45.013226',
                'deleted':
                False,
                'description':
                None,
                'id':
                '67713199207380968',
                'modified':
                '2019-11-13T16:27:45.013226',
                'name':
                name,
                'yara':
                'rule eicar_av_test {\n    /*\n       Per standard, match only if entire file is EICAR string plus optional trailing whitespace.\n       The raw EICAR string to be matched is:\n       X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\n    */\n\n    meta:\n        description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."\n        author = "Austin Byers | Airbnb CSIRT"\n        reference = "http://www.eicar.org/86-0-Intended-use.html"\n\n    strings:\n        $eicar_regex = /^X5O!P%@AP\\[4\\\\PZX54\\(P\\^\\)7CC\\)7\\}\\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\\$H\\+H\\*\\s*$/\n\n    condition:\n        all of them\n}\n\nrule eicar_substring_test {\n    /*\n       More generic - match just the embedded EICAR string (e.g. in packed executables, PDFs, etc)\n    */\n\n    meta:\n        description = "Standard AV test, checking for an EICAR substring"\n        author = "Austin Byers | Airbnb CSIRT"\n\n    strings:\n        $eicar_substring = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"\n\n    condition:\n        all of them\n}'
            },
            api=PolyswarmAPI(test.test_api_key,
                             uri=test.api_url,
                             community='gamma'),
        ))
    return values
def PolySwarmURL(url):
    polyswarm = PolyswarmAPI(key=POLYAPI)
    try:
        poly = (r'"' + url + r'"')
        metaresults = polyswarm.search_by_metadata("strings.urls:" + url)
        for y in metaresults:
            if (y.sha256):
                if (str(y.scan.get('detections',
                                   {}).get('malicious'))) != 'None':
                    print("Polyswarm: Malicious")
                    return 1
                else:
                    print("Polyswarm: Not Malicious")
                    return 0
    except Exception:
        print("Polyswarm API Quota reached.")
        return 0
Beispiel #6
0
def local_artifacts(test, path, files):
    file_paths = [os.path.join(path, file_name) for file_name in files]
    api = PolyswarmAPI(test.test_api_key, uri=test.api_url, community='gamma')
    values = [
        resources.LocalArtifact.from_path(api, full_path)
        for full_path in file_paths
    ]
    return values
Beispiel #7
0
    def each_with_type(self, target, file_type):
        self.results = dict()

        poly = PolyswarmAPI(key=self.api_key)

        if file_type == 'url' or file_type == 'msg' or file_type == 'eml':
            pass
        else:
            positives = 0
            total = 0
            sha256 = None
            if file_type == "hash":
                sha256 = target.lower()
            else:
                sha256 = hashlib.sha256(open(target, 'r').read()).hexdigest()
                try:
                    response = poly.search(sha256)
                    self.results['scans'] = list()
                    for result in response:
                        if result.assertions:
                            for assertion in result.assertions:
                                if assertion.verdict:
                                    self.results['scans'].append({'av': assertion.author_name, 'veredict': 'Malware'})
                                    positives += 1
                                total += 1

                            self.results['total'] = "{0}/{1}".format(positives, total)
                            self.results['positives'] = positives
                            self.results['PolyScore'] = result.polyscore
                            self.results['permalink'] = result.permalink
                            self.results['message'] = "Hash found"
                            return True
                        else:
                            return False
                except NoResultsException:
                    return False
                except Exception as error:
                    return False
Beispiel #8
0
def artifact_archives(test):
    values = []
    values.append(
        resources.ArtifactArchive(
            {
                'id': '1',
                'community': 'gamma',
                'created': '2019-11-14T16:30:00.888191',
                'uri': 's3/malicious'
            },
            api=PolyswarmAPI(test.test_api_key,
                             uri=test.api_url,
                             community='gamma'),
        ))
    return values
Beispiel #9
0
def hunts(test):
    values = []
    values.append(
        resources.Hunt(
            {
                'active': True,
                'created': '2019-11-13T16:27:45.013226',
                'id': '61210404295535902',
                'status': 'SUCCESS'
            },
            api=PolyswarmAPI(test.test_api_key,
                             uri=test.api_url,
                             community='gamma'),
        ))
    return values
Beispiel #10
0
 def __init__(self, *args, **kwargs):
     super(BaseTestCase, self).__init__(*args, **kwargs)
     self.test_runner = CliRunner()
     self.test_captured_output_file = '/tmp/output.txt'
     self.api_url = 'https://api.polyswarm.network/v2'
     self.test_api_key = '11111111111111111111111111111111'
     self.community = 'lima'
     self.api = PolyswarmAPI(self.test_api_key, community=self.community)
     self.test_hash_value = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
     self.test_query = '_exists_:lief.libraries'
     self.test_submission_uuid = '49091542211453596'
     self.test_hunt_id = '63433636835291189'
     self.test_since = '2880'
     self.test_eicar = b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
     self.test_s3_file_url = 'http://minio:9000/'\
                             'testing/testing/files/27/5a/02/'\
                             '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f?'\
                             'response-content-disposition=attachment%3B%20filename%3Dtesting%2F'\
                             'files%2F27%2F5a%2F02%'\
                             '2F275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f&'\
                             'response-content-type=application%2Foctet-stream&'\
                             'AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE'\
                             '&Signature=VLCdYUh8skB6cRqo7RUfGrycsKo%3D&Expires=1573768889'
Beispiel #11
0
class PolyswarmConnector():
    def __init__(self):
        self.config = {}  # type: Dict[str,str]
        self.config['polyswarm_api_key'] = demisto.params().get('api_key')
        self.config['base_url'] = demisto.params().get('base_url')
        self.config['polyswarm_community'] = demisto.params().get('polyswarm_community')

        self.polyswarm_api = PolyswarmAPI(key=self.config['polyswarm_api_key'],
                                          uri=self.config['base_url'])

    def _get_results(self,
                     object_name: str,
                     title: str,
                     total_scans: int,
                     positives: int,
                     permalink: str,
                     artifact: str,
                     indicator: object) -> object:

        results = {'Scan_UUID': artifact,
                   'Total': str(total_scans),
                   'Positives': str(positives),
                   'Permalink': permalink,
                   'Artifact': artifact}

        readable_output = tableToMarkdown(title,
                                          results)
        return CommandResults(
            readable_output=readable_output,
            outputs_prefix=f'PolySwarm.{object_name}',
            outputs_key_field='Scan_UUID',
            outputs=results,
            indicator=indicator,  # type: ignore
            ignore_auto_extract=True)

    def test_connectivity(self) -> bool:
        EICAR_HASH = '131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267'  # guardrails-disable-line

        try:
            results = self.polyswarm_api.search(EICAR_HASH)
            for result in results:
                if result.failed:
                    return False
        except Exception:
            return False

        return True

    def get_score(self,
                  polyscore) -> int:

        if float(polyscore) < 0.2:
            return Common.DBotScore.GOOD
        elif 0.2 <= float(polyscore) < 0.7:
            return Common.DBotScore.SUSPICIOUS
        else:  # polyscore is >= 0.7
            return Common.DBotScore.BAD

    def return_hash_results(self,
                            results: list,
                            title: str,
                            error_msg: str) -> object:

        # default values
        total_scans: int = 0
        positives: int = 0
        md5: str = ''
        sha256: str = ''
        sha1: str = ''
        polyscore: int = 0

        for result in results:
            if result.failed:
                return_error(error_msg)

            if not result.assertions:
                return_error('Run Rescan for this hash')

            # iterate for getting positives and total_scan number
            for assertion in result.assertions:
                if assertion.verdict:
                    positives += 1
                total_scans += 1

            demisto.debug('Positives: {positives} - Total Scans: {total_scans}'.
                          format(positives=positives, total_scans=total_scans))

            md5 = result.md5
            sha256 = result.sha256
            sha1 = result.sha1

            polyscore = result.polyscore

        dbot_score = Common.DBotScore(indicator=md5,
                                      indicator_type=DBotScoreType.FILE,
                                      integration_name='PolySwarm',
                                      score=self.get_score(polyscore))

        indicator = Common.File(md5=md5,
                                sha1=sha1,
                                sha256=sha256,
                                dbot_score=dbot_score)

        return self._get_results('File', title, total_scans,
                                 positives, result.permalink,
                                 sha256, indicator)

    def file_reputation(self,
                        hashes: list) -> object:
        command_results = []

        artifacts = argToList(hashes)

        for artifact in artifacts:
            title = 'PolySwarm File Reputation for Hash: %s' % artifact

            demisto.debug(f'[file_reputation] {title}')

            try:
                results = self.polyswarm_api.search(artifact)

            except Exception as err:
                return_error('{ERROR_ENDPOINT}{err}'.
                             format(ERROR_ENDPOINT=ERROR_ENDPOINT,
                                    err=err))

            error_msg = 'Error fetching results. Please try again.'

            command_results.append(self.return_hash_results(results,
                                                            title,
                                                            error_msg))
        return command_results

    def detonate_file(self, entry_id: dict) -> object:
        title = 'PolySwarm File Detonation for Entry ID: %s' % entry_id

        demisto.debug(f'[detonate_file] {title}')

        try:
            file_info = demisto.getFilePath(entry_id)
        except Exception:
            return_error(f'File not found - EntryID: {entry_id}')

        try:
            demisto.debug(f'Submit file: {file_info}')
            instance = self.polyswarm_api.submit(file_info['path'],
                                                 artifact_name=file_info['name'])
            result = self.polyswarm_api.wait_for(instance)

        except Exception as err:
            return_error('{ERROR_ENDPOINT}{err}'.
                         format(ERROR_ENDPOINT=ERROR_ENDPOINT,
                                err=err))

        error_msg = 'Error submitting File.'

        return self.return_hash_results([result],
                                        title,
                                        error_msg)

    def rescan_file(self,
                    hashes: list) -> object:
        command_results = []

        artifacts = argToList(hashes)

        for artifact in artifacts:
            title = 'PolySwarm Rescan for Hash: %s' % artifact

            demisto.debug(f'[rescan_file] {title}')

            try:
                instance = self.polyswarm_api.rescan(artifact)
                result = self.polyswarm_api.wait_for(instance)

            except Exception as err:
                return_error('{ERROR_ENDPOINT}{err}'.
                             format(ERROR_ENDPOINT=ERROR_ENDPOINT,
                                    err=err))

            error_msg = 'Error rescaning File.'

            command_results.append(self.return_hash_results([result],
                                                            title,
                                                            error_msg))
        return command_results

    def get_file(self, hash_file: str):
        demisto.debug(f'[get_file] Hash: {hash_file}')

        handle_file = io.BytesIO()

        try:
            self.polyswarm_api.download_to_handle(hash_file,
                                                  handle_file)
            return fileResult(hash_file, handle_file.getvalue())
        except Exception as err:
            return_error('{ERROR_ENDPOINT}{err}'.
                         format(ERROR_ENDPOINT=ERROR_ENDPOINT,
                                err=err))

    def url_reputation(self,
                       param: dict,
                       artifact_type: str) -> list:

        command_results = []

        artifacts = argToList(param[artifact_type])

        for artifact in artifacts:
            title = 'PolySwarm %s Reputation for: %s' % (artifact_type.upper(),
                                                         artifact)

            demisto.debug(f'[url_reputation] {title}')

            # default values
            total_scans = 0
            positives = 0
            polyscore = 0

            # IP validation
            if artifact_type == 'ip':
                try:
                    socket.inet_aton(artifact)
                except socket.error:
                    return_error('Invalid IP Address: {ip}'.
                                 format(ip=artifact))

            try:
                # PolySwarm API: URL, IP and Domain are artifact_type='url'
                instance = self.polyswarm_api.submit(artifact,
                                                     artifact_type='url')
                result = self.polyswarm_api.wait_for(instance)

                if result.failed:
                    return demisto.results('Error submitting URL.')

                # iterate for getting positives and total_scan number
                for assertion in result.assertions:
                    if assertion.verdict:
                        positives += 1
                    total_scans += 1

                polyscore = result.polyscore

            except Exception as err:
                return_error('{ERROR_ENDPOINT}{err}'.
                             format(ERROR_ENDPOINT=ERROR_ENDPOINT,
                                    err=err))

            if artifact_type == 'ip':
                object_name = 'IP'
                dbot_score_type = DBotScoreType.IP
            elif artifact_type == 'url':
                object_name = 'URL'
                dbot_score_type = DBotScoreType.URL
            elif artifact_type == 'domain':
                object_name = 'Domain'
                dbot_score_type = DBotScoreType.DOMAIN

            dbot_score = Common.DBotScore(indicator=artifact,
                                          indicator_type=dbot_score_type,
                                          integration_name='PolySwarm',
                                          score=self.get_score(polyscore))

            indicator = None
            if artifact_type == 'ip':
                indicator = Common.IP(ip=artifact,
                                      dbot_score=dbot_score)
            elif artifact_type == 'url':
                indicator = Common.URL(url=artifact,
                                       dbot_score=dbot_score)  # type: ignore
            elif artifact_type == 'domain':
                indicator = Common.Domain(domain=artifact,
                                          dbot_score=dbot_score)  # type: ignore

            results = self._get_results(object_name, title, total_scans,
                                        positives, result.permalink,
                                        artifact, indicator)
            command_results.append(results)

        return command_results

    def get_report(self,
                   hashes: list) -> object:
        """
            UUID is equal to Hash.
        """
        title = 'PolySwarm Report for UUID: %s' % hashes

        demisto.debug(f'[get_report] {title}')

        return self.file_reputation(hashes)
Beispiel #12
0
def instances(test):
    values = []
    values.append(
        resources.ArtifactInstance(
            {
                'account_id':
                '1',
                'artifact_id':
                '11611818710765483',
                'assertions': [{
                    'author': '0x05328f171b8c1463eaFDACCA478D9EE6a1d923F8',
                    'author_name': 'eicar',
                    'bid': '1000000000000000000',
                    'engine': {
                        'description': 'eicar',
                        'name': 'eicar',
                        'tags': []
                    },
                    'mask': True,
                    'metadata': {
                        'malware_family': 'Eicar Test File',
                        'scanner': {
                            'environment': {
                                'architecture': 'x86_64',
                                'operating_system': 'Linux'
                            }
                        }
                    },
                    'verdict': True
                }],
                'community':
                'gamma',
                'country':
                '',
                'created':
                '2019-11-07T19:18:00.265903',
                'extended_type':
                'EICAR virus test files',
                'polyscore':
                0.5,
                'failed':
                False,
                'filename':
                '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f',
                'first_seen':
                '2019-11-01T21:33:53.292099',
                'id':
                49091542211453596,
                'last_seen':
                '2019-11-07T16:18:00.269290',
                'last_scanned':
                '2019-11-07T16:18:00.269290',
                'md5':
                '44d88612fea8a8f36de82e1278abb02f',
                'metadata':
                None,
                'mimetype':
                'text/plain',
                'result':
                True,
                's3_file_name':
                'testing/files/27/5a/02/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f',
                'sha1':
                '3395856ce81f2b7382dee72602f798b642f14140',
                'sha256':
                '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f',
                'size':
                68,
                'type':
                'FILE',
                'votes': [{
                    'arbiter': '0xF870491ea0F53F67846Eecb57855284D8270284D',
                    'vote': True
                }],
                'window_closed':
                True
            },
            api=PolyswarmAPI(test.test_api_key,
                             uri=test.api_url,
                             community='gamma'),
        ))
    return values
Beispiel #13
0
def metadata(test):
    values = []
    values.append(
        resources.Metadata(
            {
                'artifact': {
                    'created':
                    '2020-01-14T17:48:55.854940+00:00',
                    'id':
                    19021969312842541,
                    'md5':
                    '44d88612fea8a8f36de82e1278abb02f',
                    'sha1':
                    '3395856ce81f2b7382dee72602f798b642f14140',
                    'sha256':
                    '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f',
                },
                'hash': {
                    'sha3_256':
                    '8b4c4e204a8a039198e292d2291f4c451d80e4c38bf0cc04ad3841fea8755bd8',
                    'sha3_512':
                    'a20290c6ebf01dc5182bb57718250f61ab11b418466714632a7d1474a02849641f7b78e4093e19ad12fdbedbe02f3bec4ca3ec3235557e82ab5ac02d061e7007',
                    'sha512':
                    'cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab',
                    'ssdeep':
                    '3:a+JraNvsgzsVqSwHq9:tJuOgzsko',
                    'ssdeep_chunk':
                    'a+JraNvsgzsVqSwHq9',
                    'ssdeep_chunk_size':
                    3,
                    'ssdeep_double_chunk':
                    'tJuOgzsko',
                    'tlsh':
                    '41a022003b0eee2ba20b00200032e8b00808020e2ce00a3820a020b8c83308803ec228',
                    'tlsh_quartiles': [
                        '0:0', '1:0', '2:0', '3:0', '4:0', '5:3', '6:2', '7:3',
                        '8:0', '9:0', '10:3', '11:2', '12:3', '13:2', '14:3',
                        '15:2', '16:0', '17:2', '18:2', '19:3', '20:2', '21:2',
                        '22:0', '23:2', '24:0', '25:0', '26:2', '27:3', '28:0',
                        '29:0', '30:0', '31:0', '32:0', '33:2', '34:0', '35:0',
                        '36:0', '37:0', '38:0', '39:0', '40:0', '41:3', '42:0',
                        '43:2', '44:3', '45:2', '46:2', '47:0', '48:2', '49:3',
                        '50:0', '51:0', '52:0', '53:0', '54:2', '55:0', '56:0',
                        '57:0', '58:2', '59:0', '60:0', '61:0', '62:0', '63:2',
                        '64:0', '65:0', '66:3', '67:2', '68:0', '69:2', '70:3',
                        '71:0', '72:3', '73:2', '74:0', '75:0', '76:0', '77:0',
                        '78:2', '79:2', '80:0', '81:3', '82:2', '83:0', '84:0',
                        '85:2', '86:0', '87:0', '88:2', '89:2', '90:0', '91:0',
                        '92:0', '93:2', '94:0', '95:0', '96:2', '97:3', '98:2',
                        '99:0', '100:3', '101:0', '102:2', '103:0', '104:0',
                        '105:3', '106:0', '107:3', '108:0', '109:0', '110:2',
                        '111:0', '112:2', '113:0', '114:0', '115:0', '116:0',
                        '117:3', '118:3', '119:2', '120:3', '121:0', '122:0',
                        '123:2', '124:0', '125:2', '126:2', '127:0'
                    ],
                    'tlsh_quartiles_minimum_match':
                    32
                },
                'scan': {
                    'countries': [],
                    'detections': {
                        'malicious': 100,
                        'benign': 2,
                        'total': 102
                    },
                    'filename': [
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious', 'malicious', 'malicious',
                        'malicious', 'malicious'
                    ],
                    'first_scan': {
                        'created': '2020-01-14T17:48:55.854940+00:00',
                        'artifact_instance_id': 67493245269173378,
                        'eicar': {
                            'assertion': 'malicious',
                            'metadata': {
                                'malware_family': 'Eicar Test File',
                                'scanner': {
                                    'environment': {
                                        'architecture': 'x86_64',
                                        'operating_system': 'Linux'
                                    }
                                }
                            }
                        }
                    },
                    'first_seen':
                    '2020-01-14T17:48:55.854940+00:00',
                    'last_seen':
                    '2020-01-16T20:41:30.953689+00:00',
                    'latest_scan': {
                        'created': '2020-01-16T20:41:30.953689+00:00',
                        'artifact_instance_id': 67608711919932715,
                        'eicar': {
                            'assertion': 'malicious',
                            'metadata': {
                                'malware_family': 'Eicar Test File',
                                'scanner': {
                                    'environment': {
                                        'architecture': 'x86_64',
                                        'operating_system': 'Linux'
                                    }
                                }
                            }
                        }
                    },
                    'mimetype': {
                        'extended': 'EICAR virus test files',
                        'mime': 'text/plain'
                    }
                },
                'strings': {
                    'domains': [],
                    'ipv4': [],
                    'ipv6': [],
                    'urls': []
                }
            },
            api=PolyswarmAPI(test.test_api_key,
                             uri=test.api_url,
                             community='gamma'),
        ))
    return values
class PolySwarm:
    def __init__(self, apikey):
        self.polyswarm_api = PolyswarmAPI(apikey)
        self.alert_output = {}
        self.alert_output['integration'] = INTEGRATION_NAME
        self.alert_output['polyswarm'] = {}
        self.alert_output['polyswarm']['found'] = 0
        self.alert_output['polyswarm']['malicious'] = 0

    def create_output(self, key, value):
        self.alert_output['polyswarm'][key] = value

    def return_output(self):
        return self.alert_output

    def search_hash(self, hash):
        try:
            Print.debug(f'PolySwarm Search Hash: {hash}')

            results = self.polyswarm_api.search(hash.lower().strip())

            for artifact in results:
                if artifact.failed:
                    msg = 'Failed to get result.'
                    Print.debug(msg)
                    self.create_output('error', "1")
                    self.create_output('description', msg)
                    return

                self.alert_output['polyswarm']['found'] = 1

                if not artifact.assertions:
                    msg = 'This artifact has not been scanned. Initiate a Scan on the artifact to get scan results."'
                    Print.debug(msg)
                    self.create_output('total', 0)
                    self.create_output('positives', 0)
                    self.create_output('description', msg)
                    return

                Print.debug('Got artifact results')

                # all assertion responses from engines
                all_assertions = artifact.assertions

                # malicious only assertions from engines
                malicious_detections = artifact.json['detections']['malicious']
                self.create_output('positives', malicious_detections)

                # total engines asserting
                total = artifact.json['detections']['total']
                self.create_output('total', total)

                # a score between 0.0 and 1.0 indicating malintent
                self.create_output('polyscore', artifact.polyscore)

                if malicious_detections:
                    for assertion in all_assertions:
                        # output only by malicious ones
                        if assertion.verdict:
                            self.create_output(
                                f'microengine.{assertion.engine_name}.verdict',
                                'maliciuos')
                            if assertion.metadata.get('malware_family'):
                                self.create_output(
                                    f'microengine.{assertion.engine_name}.malware_family',
                                    assertion.metadata.get('malware_family'))

                            self.alert_output['polyswarm']['malicious'] = 1

                if OUTPUT_METADATA:
                    for h, h_val in artifact.metadata.hash.items():
                        self.create_output(f'metadata.hash.{str(h)}',
                                           str(h_val))

                self.create_output('sha1', artifact.sha1)
                self.create_output('sha256', artifact.sha256)
                self.create_output('md5', artifact.md5)
                self.create_output('mimetype', artifact.mimetype)
                self.create_output('extended_type', artifact.extended_type)
                self.create_output('permalink', artifact.permalink)

        except api_exceptions.NoResultsException:
            self.create_output('description',
                               'The request returned no results.')

        except Exception as e:
            self.create_output('error', "1")
            self.create_output('description', str(e))

            traceback.print_exc()
            Print.error(f'Uncaught exception {traceback.print_exc()}')