class Times(odm.Model): completed = odm.Optional( odm.Date(store=False), description="Date at which the submission finished scanning") submitted = odm.Date( default="NOW", description="Date at which the submission started scanning")
class Submission(odm.Model): archive_ts = odm.Date(store=False) # Archiving timestamp classification = odm.Classification() # Classification of the submission error_count = odm.Integer() # Total number of errors in the submission errors = odm.List(odm.Keyword(), store=False) # List of error keys expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry timestamp file_count = odm.Integer() # Total number of files in the submission files: List[File] = odm.List( odm.Compound(File)) # List of files that were originally submitted max_score = odm.Integer() # Maximum score of all the files in the scan metadata = odm.FlattenedObject( store=False) # Metadata associated to the submission params: SubmissionParams = odm.Compound( SubmissionParams) # Submission detail blocs results: List[str] = odm.List(odm.Keyword(), store=False) # List of result keys sid = odm.UUID(copyto="__text__") # Submission ID state = odm.Enum(values=SUBMISSION_STATES) # Status of the submission times = odm.Compound(Times, default={}) # Timing bloc verdict = odm.Compound(Verdict, default={}) # Verdict timing def is_submit(self): return self.state == 'submitted' def is_complete(self): return self.state == 'completed' def is_initial(self): return self.is_submit() and not self.params.psid
class Alert(odm.Model): alert_id = odm.Keyword(copyto="__text__") # ID of the alert al = odm.Compound(ALResults) # Assemblyline result block archive_ts = odm.Date(store=False) # Archiving timestamp attack = odm.Compound(Attack) # Attack result block classification = odm.Classification() # Classification of the alert expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry timestamp extended_scan = odm.Enum(values=EXTENDED_SCAN_VALUES, store=False) # Status of the extended scan file = odm.Compound(File) # File block filtered = odm.Boolean(default=False) # Are the alert result filtered heuristic = odm.Compound(Heuristic) # Heuristic result block label = odm.List(odm.Keyword(), copyto="__text__", default=[]) # List of labels applied to the alert metadata = odm.FlattenedObject( default={}, store=False) # Metadata submitted with the file owner = odm.Optional(odm.Keyword()) # Owner of the alert priority = odm.Optional( odm.Enum(values=PRIORITIES)) # Priority applied to the alert reporting_ts = odm.Date() # Time at which the alert was created sid = odm.UUID(store=False) # ID of the submission related to this alert status = odm.Optional( odm.Enum(values=STATUSES)) # Status applied to the alert ts = odm.Date() # Timestamp at which the file was submitted type = odm.Keyword() # Type of alert verdict = odm.Compound(Verdict, default={}) # Verdict timing
class Certificate(odm.Model): @odm.model(index=True, store=False) class RSA_Info(odm.Model): d_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) e_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) n_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) p_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) q_param = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) version = odm.Optional(odm.Integer()) subject = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) issuer = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) serial_number = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) key_size = odm.Optional(odm.Integer()) key_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) key_usage = odm.Optional(odm.List(odm.EmptyableKeyword(copyto="__text__"))) certificate_policies = odm.Optional( odm.List(odm.EmptyableKeyword(copyto="__text__"))) ext_key_usage = odm.Optional( odm.List(odm.EmptyableKeyword(copyto="__text__"))) valid_from = odm.Optional(odm.Date()) valid_to = odm.Optional(odm.Date()) signature = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) signature_algorithm = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) is_trusted = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) raw_hex = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) rsa_info = odm.Optional(odm.Compound(RSA_Info))
class Statistics(odm.Model): count = odm.Integer(default=0) min = odm.Integer(default=0) max = odm.Integer(default=0) avg = odm.Integer(default=0) sum = odm.Integer(default=0) first_hit = odm.Optional(odm.Date()) last_hit = odm.Optional(odm.Date())
class Statistics(odm.Model): count = odm.Integer(default=0, description="Count of statistical hits") min = odm.Integer(default=0, description="Minimum value of all stastical hits") max = odm.Integer(default=0, description="Maximum value of all stastical hits") avg = odm.Integer(default=0, description="Anerage of all stastical hits") sum = odm.Integer(default=0, description="Sum of all stastical hits") first_hit = odm.Optional(odm.Date(), description="Date of first hit of statistic") last_hit = odm.Optional(odm.Date(), description="Date of last hit of statistic")
class Signature(odm.Model): classification = odm.Classification(store=True, default=Classification.UNRESTRICTED) data = odm.Text(index=False, store=False) last_modified = odm.Date(default="NOW") name = odm.Keyword(copyto="__text__") order = odm.Integer(default=1, store=False) revision = odm.Keyword(default="1") signature_id = odm.Optional(odm.Keyword()) source = odm.Keyword() state_change_date = odm.Optional(odm.Date(store=False)) state_change_user = odm.Optional(odm.Keyword(store=False)) status = odm.Enum(values=RULE_STATUSES, copyto="__text__") type = odm.Keyword(copyto="__text__")
class Result(odm.Model): archive_ts = odm.Date(store=False) # Archiving timestamp classification = odm.Classification( ) # Aggregate classification for the result created = odm.Date( default="NOW") # Date at which the result object got created expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry time stamp response: ResponseBody = odm.Compound( ResponseBody) # The body of the response from the service result: ResultBody = odm.Compound(ResultBody, default={}) # The result body sha256 = odm.SHA256( store=False) # SHA256 of the file the result object relates to drop_file = odm.Boolean( default=False) # Do not pass to other stages after this run def build_key(self, service_tool_version=None, task=None): return self.help_build_key(self.sha256, self.response.service_name, self.response.service_version, self.is_empty(), service_tool_version=service_tool_version, task=task) @staticmethod def help_build_key(sha256, service_name, service_version, is_empty, service_tool_version=None, task=None): key_list = [ sha256, service_name.replace('.', '_'), f"v{service_version.replace('.', '_')}", f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}", ] if is_empty: key_list.append("e") return '.'.join(key_list) def is_empty(self): if len(self.response.extracted) == 0 and \ len(self.response.supplementary) == 0 and \ len(self.result.sections) == 0 and \ self.result.score == 0: return True return False
class Current(odm.Model): """The current assignment for a service worker""" status: str = odm.Enum(values=STATUSES, default='INITIALIZING') # Status of the client task: Opt[Task] = odm.Optional(odm.Compound(Task)) task_timeout: Opt[datetime] = odm.Optional( odm.Date()) # Time the task was assigned to the client
class ALResults(odm.Model): # Assemblyline result block attrib = odm.List(odm.Keyword(), default=[], copyto="__text__") # List of attribution av = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__") # List of AV hits behavior = odm.List(odm.Keyword(), default=[], copyto="__text__") # List of behaviors for the alert domain = odm.List(odm.Domain(), default=[], copyto="__text__") # List of all domains domain_dynamic = odm.List( odm.Domain(), default=[]) # List of domains found during dynamic analysis domain_static = odm.List( odm.Domain(), default=[]) # List of domains foudn during static analysis ip = odm.List(odm.IP(), default=[], copyto="__text__") # List of all IPs ip_dynamic = odm.List( odm.IP(), default=[]) # List of IPs found during dynamic analysis ip_static = odm.List( odm.IP(), default=[]) # List of IPs found during static analysis request_end_time = odm.Date( index=False) # End time of the Assemblyline submission score = odm.Integer(store=True) # Maximum score found in the submission yara = odm.List(odm.Keyword(), default=[], copyto="__text__") # List of yara hits
class SubmissionSummary(odm.Model): classification = odm.Classification(default=Classification.UNRESTRICTED) # Classification of the cache filtered = odm.Boolean(default=False) # Has this cache entry been filtered expiry_ts = odm.Date(index=True) # Expiry date tags = odm.Text() # Tags cache attack_matrix = odm.Text() # Att&ck Matrix cache heuristics = odm.Text() # Heuristics cache
class Debug(odm.Model): @odm.model(index=True, store=False) class CodeView(odm.Model): age = odm.Optional(odm.Integer()) cv_signature = odm.Optional( odm.EmptyableKeyword(copyto="__text__")) filename = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) guid = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) @odm.model(index=True, store=False) class POGO(odm.Model): @odm.model(index=True, store=False) class Entry(odm.Model): name = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) size = odm.Optional(odm.Integer()) start_rva = odm.Optional(odm.Integer()) entries = odm.Optional(odm.List(odm.Compound(Entry))) signature = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) addressof_rawdata = odm.Optional(odm.Integer()) characteristics = odm.Optional(odm.Integer()) major_version = odm.Optional(odm.Integer()) minor_version = odm.Optional(odm.Integer()) pointerto_rawdata = odm.Optional(odm.Integer()) sizeof_data = odm.Optional(odm.Integer()) timestamp = odm.Optional(odm.Integer()) hr_timestamp = odm.Optional(odm.Date()) type = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) code_view = odm.Optional(odm.Compound(CodeView)) pogo = odm.Optional(odm.Compound(POGO))
class IngestTask(odm.Model): # Submission Parameters submission: Submission = odm.Compound(Submission) # Shortcut for properties of the submission @property def file_size(self) -> int: return sum(file.size for file in self.submission.files) @property def params(self) -> SubmissionParams: return self.submission.params @property def sha256(self) -> str: return self.submission.files[0].sha256 # Information about the ingestion itself, parameters irrelevant scan_key = odm.Optional(odm.Keyword()) # the filescore key retries = odm.Integer(default=0) # Fields added after a submission is complete for notification/bookkeeping processes failure = odm.Text( default='') # If the ingestion has failed for some reason, what is it? score = odm.Optional( odm.Integer()) # Score from previous processing of this file extended_scan = odm.Enum(EXTENDED_SCAN_VALUES, default="skipped") ingest_id = odm.UUID() ingest_time = odm.Date(default="NOW")
class Resource(odm.Model): # Since we will end up flattening the Resources and only keeping the data nodes, # we keep the list of parent's resource_id and the list of parent's labels (name or resource_type) parent_resource_ids = odm.Optional( odm.EmptyableKeyword(copyto="__text__")) parent_labels = odm.Optional( odm.List(odm.EmptyableKeyword(copyto="__text__"))) characteristics = odm.Optional(odm.Integer()) num_childs = odm.Optional(odm.Integer()) depth = odm.Optional(odm.Integer()) name = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) resource_id = odm.Optional(odm.Integer()) resource_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) is_data = odm.Optional(odm.Boolean()) is_directory = odm.Optional(odm.Boolean()) major_version = odm.Optional(odm.Integer()) minor_version = odm.Optional(odm.Integer()) numberof_id_entries = odm.Optional(odm.Integer()) numberof_name_entries = odm.Optional(odm.Integer()) time_date_stamp = odm.Optional(odm.Integer()) hr_time_date_stamp = odm.Optional(odm.Date()) code_page = odm.Optional(odm.Integer()) sha256 = odm.Optional(odm.SHA256()) entropy = odm.Optional(odm.Float()) offset = odm.Optional(odm.Integer()) reserved = odm.Optional(odm.Integer())
class Export(odm.Model): @odm.model(index=True, store=False) class Entry(odm.Model): @odm.model(index=True, store=False) class Forward_Information(odm.Model): function = odm.Optional( odm.EmptyableKeyword(copyto="__text__")) library = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) address = odm.Optional(odm.Integer()) forward_information = odm.Optional( odm.Compound(Forward_Information)) function_rva = odm.Optional(odm.Integer()) is_extern = odm.Optional(odm.Boolean()) name = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) ordinal = odm.Optional(odm.Integer()) entries = odm.Optional(odm.List(odm.Compound(Entry))) export_flags = odm.Optional(odm.Integer()) major_version = odm.Optional(odm.Integer()) minor_version = odm.Optional(odm.Integer()) name = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) ordinal_base = odm.Optional(odm.Integer()) timestamp = odm.Optional(odm.Integer()) hr_timestamp = odm.Optional(odm.Date())
class Submission(odm.Model): sid = odm.UUID() # Submission ID to use time = odm.Date(default="NOW") files: List[File] = odm.List(odm.Compound(File), default=[]) # File block metadata: Dict[str, str] = odm.FlattenedObject(default={}) # Metadata submitted with the file notification: Notification = odm.Compound(Notification, default={}) # Notification queue parameters params: SubmissionParams = odm.Compound(SubmissionParams) # Parameters of the submission
class Submission(odm.Model): archive_ts = odm.Date(store=False, description="Archiving timestamp") classification = odm.Classification( description="Classification of the submission") error_count = odm.Integer( description="Total number of errors in the submission") errors: list[str] = odm.List(odm.Keyword(), store=False, description="List of error keys") expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp") file_count = odm.Integer( description="Total number of files in the submission") files: list[File] = odm.List( odm.Compound(File), description="List of files that were originally submitted") max_score = odm.Integer( description="Maximum score of all the files in the scan") metadata = odm.FlattenedObject( store=False, description="Metadata associated to the submission") params: SubmissionParams = odm.Compound( SubmissionParams, description="Submission parameter details") results: list[str] = odm.List(odm.Keyword(), store=False, description="List of result keys") sid = odm.UUID(copyto="__text__", description="Submission ID") state = odm.Enum(values=SUBMISSION_STATES, description="Status of the submission") times = odm.Compound(Times, default={}, description="Submission-specific times") verdict = odm.Compound(Verdict, default={}, description="Malicious verdict details") # the filescore key, used in deduplication. This is a non-unique key, that is # shared by submissions that may be processed as duplicates. scan_key = odm.Optional(odm.Keyword(store=False, index=False)) def is_submit(self): return self.state == 'submitted' def is_complete(self): return self.state == 'completed' def is_initial(self): return self.is_submit() and not self.params.psid
class Process(odm.Model): objectid = odm.Compound(ObjectID, description="The object ID of the process object") # Parent process details pobjectid = odm.Compound(ObjectID, description="The object ID of the parent process object") pimage = odm.Optional(odm.Text(), description="The image of the parent process that spawned this process") pcommand_line = odm.Optional(odm.Text(), description="The command line that the parent process ran") ppid = odm.Optional(odm.Integer(), description="The process ID of the parent process") pid = odm.Optional(odm.Integer(), description="The process ID") image = odm.Text(default="<unknown_image>", description="The image of the process") command_line = odm.Optional(odm.Text(), description="The command line that the process ran") start_time = odm.Date(description="The time of creation for the process") end_time = odm.Date(description="The time of termination for the process") integrity_level = odm.Optional(odm.Text(), description="The integrity level of the process") image_hash = odm.Optional(odm.Text(), description="The hash of the file run") original_file_name = odm.Optional(odm.Text(), description="The original name of the file")
class User(odm.Model): agrees_with_tos = odm.Optional( odm.Date(index=False, store=False), description="Date the user agree with terms of service") api_quota = odm.Integer( default=10, store=False, description="Maximum number of concurrent API requests") apikeys = odm.Mapping(odm.Compound(ApiKey), default={}, index=False, store=False, description="Mapping of API keys") apps = odm.Mapping(odm.Compound(Apps), default={}, index=False, store=False, description="Applications with access to the account") can_impersonate = odm.Boolean( default=False, index=False, store=False, description="Allowed to query on behalf of others?") classification = odm.Classification( is_user_classification=True, copyto="__text__", default=Classification.UNRESTRICTED, description="Maximum classification for the user") dn = odm.Optional(odm.Keyword(store=False, copyto="__text__"), description="User's LDAP DN") email = odm.Optional(odm.Email(copyto="__text__"), description="User's email address") groups = odm.List(odm.Keyword(), copyto="__text__", default=["USERS"], description="List of groups the user submits to") is_active = odm.Boolean(default=True, description="Is the user active?") name = odm.Keyword(copyto="__text__", description="Full name of the user") otp_sk = odm.Optional( odm.Keyword(index=False, store=False), description="Secret key to generate one time passwords") password = odm.Keyword(index=False, store=False, description="BCrypt hash of the user's password") submission_quota = odm.Integer( default=5, store=False, description="Maximum number of concurrent submissions") type = odm.List(odm.Enum(values=USER_TYPES), default=['user'], description="Type of user") security_tokens = odm.Mapping(odm.Keyword(), index=False, store=False, default={}, description="Map of security tokens") uname = odm.Keyword(copyto="__text__", description="Username")
class ObjectID(odm.Model): guid = odm.Text(description="The GUID associated with the object") tag = odm.Optional(odm.Text(), description="The normalized tag of the object") treeid = odm.Optional(odm.Text(), description="The hash of the tree ID") processtree = odm.Optional( odm.Keyword(), description="Human-readable tree ID (concatenation of tags)") time_observed = odm.Optional( odm.Date(), description="The time at which the object was observed")
class FileScore(odm.Model): psid = odm.Optional( odm.UUID()) # ID of the parent submission to the associated submission expiry_ts = odm.Date( index=True) # Expiry timestamp, used for garbage collection. score = odm.Integer() # Maximum score for the associated submission errors = odm.Integer( ) # Number of errors that occurred during the previous analysis sid = odm.UUID() # ID of the associated submission time = odm.Float() # Epoch time at which the FileScore entry was created
class Header(odm.Model): characteristics_hash = odm.Optional(odm.Integer()) characteristics_list = odm.Optional( odm.List(odm.EmptyableKeyword(copyto="__text__"))) machine = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) numberof_sections = odm.Optional(odm.Integer()) numberof_symbols = odm.Optional(odm.Integer()) signature = odm.Optional(odm.List(odm.Integer())) timestamp = odm.Optional(odm.Integer()) hr_timestamp = odm.Optional(odm.Date())
class File(odm.Model): archive_ts = odm.Date(store=False, description="Archiving timestamp") ascii = odm.Keyword(index=False, store=False, description="Dotted ASCII representation of the first 64 bytes of the file") classification = odm.Classification(description="Classification of the file") entropy = odm.Float(description="Entropy of the file") expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp") is_section_image = odm.Boolean(default=False, description="Is this an image from an Image Result Section?") hex = odm.Keyword(index=False, store=False, description="Hex dump of the first 64 bytes of the file") md5 = odm.MD5(copyto="__text__", description="MD5 of the file") magic = odm.Keyword(store=False, description="Output from libmagic related to the file") mime = odm.Optional(odm.Keyword(store=False), description="MIME type of the file as identified by libmagic") seen = odm.Compound(Seen, default={}, description="Details about when the file was seen") sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file") sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file") size = odm.Integer(description="Size of the file in bytes") ssdeep = odm.SSDeepHash(store=False, description="SSDEEP hash of the file") type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
class SubmissionTree(odm.Model): classification = odm.Classification( default=Classification.UNRESTRICTED, description="Classification of the cache") filtered = odm.Boolean(default=False, description="Has this cache entry been filtered?") expiry_ts = odm.Date(description="Expiry timestamp") supplementary = odm.Text(index=False, description="Tree of supplementary files") tree = odm.Text(index=False, description="File tree cache")
class Workflow(odm.Model): classification = odm.Classification( copyto="__text__", default=Classification.UNRESTRICTED) # Classification of the workflow creation_date = odm.Date(default="NOW") # Creation date of the workflow creator = odm.Keyword() # UID of the creator edited_by = odm.Keyword() # UID of the last edit user hit_count = odm.Integer(default=0) # Number of time workflow hit labels = odm.List(odm.Keyword(), copyto="__text__", default=[]) # Labels applied by the workflow last_edit = odm.Date(default="NOW") # Last edit date last_seen = odm.Optional(odm.Date()) # Last hit date name = odm.Keyword(copyto="__text__") # Name of the workflow priority = odm.Optional( odm.Enum(copyto="__text__", values=PRIORITIES)) # Priority applied by the workflow query = odm.Keyword() # Query that the workflow runs status = odm.Optional(odm.Enum( copyto="__text__", values=STATUSES)) # Status applied by the workflow workflow_id = odm.Optional(odm.UUID()) # ID of the workflow
class Load_Configuration(odm.Model): @odm.model(index=True, store=False) class Code_Integrity(odm.Model): catalog = odm.Optional(odm.Integer()) catalog_offset = odm.Optional(odm.Integer()) flags = odm.Optional(odm.Integer()) reserved = odm.Optional(odm.Integer()) characteristics = odm.Optional(odm.Integer()) critical_section_default_timeout = odm.Optional(odm.Integer()) csd_version = odm.Optional(odm.Integer()) decommit_free_block_threshold = odm.Optional(odm.Integer()) decommit_total_free_threshold = odm.Optional(odm.Integer()) editlist = odm.Optional(odm.Integer()) global_flags_clear = odm.Optional(odm.Integer()) global_flags_set = odm.Optional(odm.Integer()) lock_prefix_table = odm.Optional(odm.Integer()) major_version = odm.Optional(odm.Integer()) maximum_allocation_size = odm.Optional(odm.Integer()) minor_version = odm.Optional(odm.Integer()) process_affinity_mask = odm.Optional(odm.Integer()) process_heap_flags = odm.Optional(odm.Integer()) reserved1 = odm.Optional(odm.Integer()) security_cookie = odm.Optional(odm.Integer()) timedatestamp = odm.Optional(odm.Integer()) hr_timedatestamp = odm.Optional(odm.Date()) version = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) virtual_memory_threshold = odm.Optional(odm.Integer()) se_handler_count = odm.Optional(odm.Integer()) se_handler_table = odm.Optional(odm.Integer()) guard_cf_check_function_pointer = odm.Optional(odm.Integer()) guard_cf_dispatch_function_pointer = odm.Optional(odm.Integer()) guard_cf_flags_list = odm.Optional( odm.List(odm.EmptyableKeyword(copyto="__text__"))) guard_cf_function_count = odm.Optional(odm.Integer()) guard_cf_function_table = odm.Optional(odm.Integer()) guard_flags = odm.Optional(odm.EmptyableKeyword(copyto="__text__")) code_integrity = odm.Optional(odm.Compound(Code_Integrity)) guard_address_taken_iat_entry_count = odm.Optional(odm.Integer()) guard_address_taken_iat_entry_table = odm.Optional(odm.Integer()) guard_long_jump_target_count = odm.Optional(odm.Integer()) guard_long_jump_target_table = odm.Optional(odm.Integer()) dynamic_value_reloc_table = odm.Optional(odm.Integer()) hybrid_metadata_pointer = odm.Optional(odm.Integer()) dynamic_value_reloctable_offset = odm.Optional(odm.Integer()) dynamic_value_reloctable_section = odm.Optional(odm.Integer()) guard_rf_failure_routine = odm.Optional(odm.Integer()) guard_rf_failure_routine_function_pointer = odm.Optional(odm.Integer()) reserved2 = odm.Optional(odm.Integer()) guard_rf_verify_stackpointer_function_pointer = odm.Optional( odm.Integer()) hotpatch_table_offset = odm.Optional(odm.Integer()) addressof_unicode_string = odm.Optional(odm.Integer()) reserved3 = odm.Optional(odm.Integer())
class TCSignature(odm.Model): al_score = odm.Enum(values=SCORES, default="HIGH") al_status = odm.Enum(values=STATUSES, default="TESTING") callback = odm.Optional(odm.Keyword()) classification = odm.Classification(default=Classification.UNRESTRICTED) comment = odm.Optional(odm.Keyword()) implant_family = odm.Optional(odm.Keyword()) last_modified = odm.Date(default="NOW") name = odm.Keyword(copyto="__text__") threat_actor = odm.Optional(odm.Keyword()) values = odm.List(odm.Keyword())
class Error(odm.Model): archive_ts = odm.Date(store=False) # Archiving timestamp created = odm.Date(default="NOW") # Date at which the error was created expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry time stamp response: Response = odm.Compound(Response) # Response from the service sha256 = odm.SHA256( copyto="__text__") # Hash of the file the error is related to type = odm.Enum(values=list(ERROR_TYPES.keys()), default="EXCEPTION") # Type of error def build_key(self, service_tool_version=None, task=None): key_list = [ self.sha256, self.response.service_name.replace('.', '_'), f"v{self.response.service_version.replace('.', '_')}", f"c{generate_conf_key(service_tool_version=service_tool_version, task=task)}", f"e{ERROR_TYPES.get(self.type, 0)}" ] return '.'.join(key_list)
class AnalysisMetadata(odm.Model): @odm.model( description= "The metadata regarding the machine where the analysis took place") class MachineMetadata(odm.Model): ip = odm.Optional( odm.IP(), description="The IP of the machine used for analysis") hypervisor = odm.Optional( odm.Keyword(), description="The hypervisor of the machine used for analysis") hostname = odm.Optional( odm.Keyword(), description="The name of the machine used for analysis") platform = odm.Optional( odm.Platform(), description="The platform of the machine used for analysis") version = odm.Optional( odm.Keyword(), description= "The version of the operating system of the machine used for analysis" ) architecture = odm.Optional( odm.Processor(), description="The architecture of the machine used for analysis" ) task_id = odm.Optional( odm.Keyword(), description="The ID used for identifying the analysis task") start_time = odm.Date(description="The start time of the analysis") end_time = odm.Date(description="The end time of the analysis") routing = odm.Optional( odm.Keyword(), description= "The routing used in the sandbox setup (Spoofed, Internet, Tor, VPN)" ) machine_metadata = odm.Optional( odm.Compound(MachineMetadata), description="The metadata of the analysis")
class Submission(odm.Model): sid = odm.UUID(description="Submission ID to use") time = odm.Date(default="NOW", description="Message time") files: List[File] = odm.List(odm.Compound(File), default=[], description="File block") metadata: Dict[str, str] = odm.FlattenedObject( default={}, description="Metadata submitted with the file") notification: Notification = odm.Compound( Notification, default={}, description="Notification queue parameters") params: SubmissionParams = odm.Compound( SubmissionParams, description="Parameters of the submission") scan_key: Opt[str] = odm.Optional(odm.Keyword())