class ALResults(odm.Model):
    """Flattened Assemblyline result block carried on an alert.

    Groups the indicators extracted from a submission: attribution, AV and
    YARA hits, observed behaviours, and network indicators (domains, IPs,
    URIs). Each network indicator type has a combined list plus separate
    static-analysis and dynamic-analysis lists.

    Fields marked ``copyto="__text__"`` are presumably also copied into the
    free-text search field (confirm against the odm implementation); fields
    marked ``store=True`` are kept in the stored document.
    """

    # NOTE(review): default=[] is passed as a field default; safe only if odm
    # copies it per document rather than sharing the list — confirm.

    # --- Verdict / attribution indicators -------------------------------
    attrib = odm.List(
        odm.Keyword(), default=[], store=True, copyto="__text__",
        description="List of attribution",
    )
    av = odm.List(
        odm.Keyword(), default=[], store=True, copyto="__text__",
        description="List of AV hits",
    )
    behavior = odm.List(
        odm.Keyword(), default=[], copyto="__text__",
        description="List of behaviors for the alert",
    )
    detailed = odm.Compound(
        DetailedResults,
        description="Assemblyline Detailed result block",
    )

    # --- Network indicators: combined list, then static/dynamic splits ---
    # Only the combined lists are copied into the free-text field.
    domain = odm.List(
        odm.Domain(), default=[], copyto="__text__",
        description="List of all domains",
    )
    domain_dynamic = odm.List(
        odm.Domain(), default=[],
        description="List of domains found during Dynamic Analysis",
    )
    domain_static = odm.List(
        odm.Domain(), default=[],
        description="List of domains found during Static Analysis",
    )
    ip = odm.List(
        odm.IP(), default=[], copyto="__text__",
        description="List of all IPs",
    )
    ip_dynamic = odm.List(
        odm.IP(), default=[],
        description="List of IPs found during Dynamic Analysis",
    )
    ip_static = odm.List(
        odm.IP(), default=[],
        description="List of IPs found during Static Analysis",
    )

    # --- Submission metadata ---------------------------------------------
    # Not indexed: the finish time is informational, not a search key.
    request_end_time = odm.Date(
        index=False,
        description="Finish time of the Assemblyline submission",
    )
    # No default: a result block without a score is considered incomplete.
    score = odm.Integer(
        store=True,
        description="Maximum score found in the submission",
    )

    uri = odm.List(
        odm.URI(), default=[], copyto="__text__",
        description="List of all URIs",
    )
    uri_dynamic = odm.List(
        odm.URI(), default=[],
        description="List of URIs found during Dynamic Analysis",
    )
    uri_static = odm.List(
        odm.URI(), default=[],
        description="List of URIs found during Static Analysis",
    )

    # --- Signature hits --------------------------------------------------
    yara = odm.List(
        odm.Keyword(), default=[], copyto="__text__",
        description="List of YARA rule hits",
    )
class Subject(odm.Model):
    """The entity an event or signature acted upon.

    Every field is optional: a subject is typically exactly one of a network
    endpoint (IP, domain, URI), a process, a file path or a registry key,
    but the model does not enforce that only one is set.
    """

    # Network subjects — validated by the odm IP/Domain/URI types.
    ip = odm.Optional(odm.IP(), description="Subject's IP")
    domain = odm.Optional(odm.Domain(), description="Subject's domain")
    uri = odm.Optional(odm.URI(), description="Subject's URI")

    # Host subjects. Process is a nested model; file and registry are free
    # text (no path normalisation is applied here).
    process = odm.Optional(
        odm.Compound(Process),
        description="Subject's process",
    )
    file = odm.Optional(odm.Text(), description="Subject's file")
    registry = odm.Optional(odm.Text(), description="Subject's registry key")
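class NetworkHTTP(odm.Model):
    """A single HTTP request/response pair observed in network traffic.

    ``connection_details`` carries the transport-level information; the
    remaining fields are the HTTP-level request and response. The HTTP
    method is constrained to a fixed allow-list via ``odm.Enum`` — values
    outside it are presumably rejected when the model is validated (confirm
    against the odm implementation).

    Security note: headers and bodies are captured verbatim from traffic
    generated by the analysed sample and must be treated as attacker
    controlled. No size limit is applied by this model.
    """

    connection_details = odm.Compound(
        NetworkConnection,
        description="The low-level details of the HTTP request",
    )

    # --- Request ----------------------------------------------------------
    request_uri = odm.URI(description="The URI requested")
    request_headers = odm.Mapping(
        odm.Json(),
        description="Headers included in the request",
    )
    request_body = odm.Optional(
        odm.Text(),
        description="The body of the request",
    )
    # Allow-list of accepted methods. "DELETE" was previously listed under
    # both the standard and WebDAV groups; it is a standard method and is
    # kept once so the enum has no duplicate members.
    request_method = odm.Enum(
        [
            # Standard HTTP methods
            "GET", "POST", "PUT", "DELETE", "HEAD", "CONNECT", "OPTIONS",
            "TRACE", "PATCH",
            # WebDAV HTTP methods
            "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH", "COPY",
            "LOCK", "MKCOL", "MOVE", "NOTIFY", "POLL", "PROPFIND",
            "PROPPATCH", "SEARCH", "SUBSCRIBE", "UNLOCK", "UNSUBSCRIBE",
            "X-MS-ENUMATTS",
        ],
        description="The method of the request",
    )

    # --- Response ---------------------------------------------------------
    response_headers = odm.Mapping(
        odm.Json(),
        description="Headers included in the response",
    )
    # Optional: the response may never have arrived (timeout, RST, sandbox
    # cut-off), in which case status and body are absent.
    response_status_code = odm.Optional(
        odm.Integer(),
        description="The status code of the response",
    )
    response_body = odm.Optional(
        odm.Text(),
        description="The body of the response",
    )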
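class NetworkIOCs(odm.Model):
    """Network indicators of compromise extracted from a result.

    Each list is optional (absent when nothing of that type was found).
    The ``copyto="__text__"`` marker sits on the element type rather than
    on the list, so each element is presumably copied into the free-text
    search field — confirm against the odm implementation.

    Descriptions were added so this model is documented consistently with
    the other odm models in this file.
    """

    domain = odm.Optional(
        odm.List(odm.Domain(copyto="__text__")),
        description="Domain",
    )
    ip = odm.Optional(
        odm.List(odm.IP(copyto="__text__")),
        description="IP",
    )
    uri = odm.Optional(
        odm.List(odm.URI(copyto="__text__")),
        description="URI",
    )
    # Path component only; useful for matching when hosts vary.
    uri_path = odm.Optional(
        odm.List(odm.URIPath(copyto="__text__")),
        description="URI Path",
    )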
class NetworkIOCs(odm.Model):
    """Network indicators of compromise extracted from a result.

    All four collections are optional; a missing field means no indicator of
    that type was observed. Elements are validated by the odm Domain / IP /
    URI / URIPath types, and each element type carries ``copyto="__text__"``
    (presumably mirroring it into the free-text search field — confirm
    against the odm implementation).
    """

    # Fully qualified domains.
    domain = odm.Optional(
        odm.List(odm.Domain(copyto="__text__")), description="Domain")
    # IPv4/IPv6 addresses as accepted by odm.IP.
    ip = odm.Optional(
        odm.List(odm.IP(copyto="__text__")), description="IP")
    # Complete URIs, and separately their path components.
    uri = odm.Optional(
        odm.List(odm.URI(copyto="__text__")), description="URI")
    uri_path = odm.Optional(
        odm.List(odm.URIPath(copyto="__text__")), description="URI Path")