def _hunt_file(self, param):
action_result = self.add_action_result(ActionResult(dict(param)))
summary_data = action_result.update_summary({})
ret_val = self._generate_api_token(action_result)
if phantom.is_fail(ret_val):
return ret_val
the_hash = param['hash']
if phantom.is_md5(the_hash):
hash_type = 'md5'
elif phantom.is_sha256(the_hash):
hash_type = 'sha256'
else:
return action_result.set_status(
phantom.APP_ERROR, "The given hash appears to be malformed")
ret_val, response = self._make_rest_call(SYMANTEC_HUNT_FILE.format(
the_hash, hash_type),
action_result,
auth_mode='Bearer',
headers={},
method='get')
if phantom.is_fail(ret_val):
return ret_val
# Adds data into action_result and summary
action_result.add_data(response)
summary_data['files_found'] = response.get('total')
return action_result.set_status(phantom.APP_SUCCESS)
def _validate_sha256(self, param):
# Strip out white spaces and then split the string with (',') delimiter to obtain list
hash_list = param.split(',')
hash_list = [file_hash.strip() for file_hash in hash_list]
# Validates whether all the hash are valid sha256
return all([phantom.is_sha256(file_hash) for file_hash in hash_list])
def _get_hash_type(self, hash_to_query):
if (phantom.is_md5(hash_to_query)):
return 'md5'
if (phantom.is_sha1(hash_to_query)):
return 'sha1'
if (phantom.is_sha256(hash_to_query)):
return 'sha256'
return None
def _create_file_artifacts(self, report_detail, container_id):
# Iterate each email data for fileHashes
for email in report_detail.get('emails', []):
cef = {}
cef_types = {}
discrete_email_md5 = set()
discrete_email_sha256 = set()
for filehash in email.get('relatedFileHashes', []):
if phantom.is_md5(filehash):
discrete_email_md5.add(filehash)
if phantom.is_sha256(filehash):
discrete_email_sha256.add(filehash)
# Create cefs for each filehash found in emails
for md5 in discrete_email_md5:
cef['fileHashMd5'] = md5
cef_types['fileHashMd5'] = ['hash', 'md5']
for sha256 in discrete_email_sha256:
cef['fileHashSha256'] = sha256
cef_types['fileHashSha256'] = ['hash', 'sha256']
if cef:
self._create_artifact(container_id, 'File Artifact', cef,
cef_types)
# Iterate each file data
for file_data in report_detail.get('files', []):
cef = {}
cef_types = {}
# Create a set of unique md5 and sha256 hash to be added as cef in artifact
discrete_md5 = set()
discrete_sha256 = set()
# Getting all the md5 from file_data
if file_data.get('md5'):
discrete_md5.add(file_data['md5'])
for parentmd5 in file_data.get('parentMd5s', []):
discrete_md5.add(parentmd5)
for parentmd5 in file_data.get('childMd5s', []):
discrete_md5.add(parentmd5)
# Getting all the sha256 from file_data
if file_data.get('sha256'):
discrete_sha256.add(file_data['sha256'])
# Create md5 cefs
for md5 in discrete_md5:
cef['fileHashMd5'] = md5
cef_types['fileHashMd5'] = ['hash', 'md5']
# Create sha256 cefs
for sha256 in discrete_sha256:
cef['fileHashSha256'] = sha256
cef_types['fileHashSha256'] = ['hash', 'sha256']
# Adding file size
if file_data.get('size'):
cef['fileSize'] = file_data['size']
# Create file name cefs
# Create a new artifact for each file name
for file_name in file_data.get('filename', []):
# Create copy of cef and cef_types to be re-used for
# each file name
file_cef = cef.copy()
file_cef_types = cef_types.copy()
file_cef['fileName'] = file_name
file_cef_types['fileName'] = ['file name']
self._create_artifact(container_id, 'File Artifact', file_cef,
file_cef_types)
# Create Artifact without filename cef if not present
if not file_data.get('filename'):
self._create_artifact(container_id, 'File Artifact', cef,
cef_types)