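def dotransform(request, response, config):
    """Return the destination IPs seen with a NetWitness ``risk.warning`` value.

    Args:
        request: Maltego transform request. ``request.value`` is the
            risk.warning name; when ``request.fields['ip']`` is present the
            query is additionally restricted to that source IP.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``IPv4Address`` per distinct ``ip.dst`` value,
        weighted by the number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    risk_name = request.value
    diff = nwmodule.nwtime(config['netwitness/days'])
    # NOTE(review): request.value and request.fields['ip'] are interpolated
    # verbatim into the NetWitness query, so a value containing quotes or
    # query operators changes the query. No escaping helper is available
    # here; validate entity values before they reach this transform.
    if 'ip' in request.fields:
        ip = request.fields['ip']
        query = 'select ip.dst where (time=%s) && risk.warning="%s" && ip.src=%s' % (diff, risk_name, ip)
    else:
        query = 'select ip.dst where (time=%s) && risk.warning="%s"' % (diff, risk_name)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode('ascii')
        response += IPv4Address(text, weight=occurrences[value])
    return response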
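def dotransform(request, response, config):
    """Return the NetWitness ``risk.warning`` values containing a phrase.

    Args:
        request: Maltego transform request; ``request.value`` is the phrase
            matched with ``risk.warning contains``.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``NWThreat`` per distinct ``risk.warning`` value.
        The ``id1``/``id2``/``type``/``count`` fields come from the first result
        row carrying that value; ``weight`` is the number of rows carrying it.
    """
    from collections import Counter

    # NW REST API Query and results
    phrase = request.value
    diff = nwmodule.nwtime(config['netwitness/days'])
    # NOTE(review): the phrase is interpolated verbatim (unquoted) into the
    # NetWitness query, so a value containing query operators changes the
    # query. No escaping helper is available here; validate it upstream.
    query = 'select risk.warning where (time=%s) && risk.warning contains %s' % (diff, phrase)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode('ascii')
        response += NWThreat(
            text,
            metaid1=d['id1'],
            metaid2=d['id2'],
            type_=d['type'],
            count=d['count'],  # the API's own count, distinct from weight
            weight=occurrences[value],
        )
    return response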
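def dotransform(request, response, config):
    """Return the NetWitness services seen to or from an IP address.

    Args:
        request: Maltego transform request; ``request.value`` is the IP used in
            the ``ip.dst=... || ip.src=...`` condition.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config["netwitness/days"]`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``Service`` per distinct ``service`` value, each
        carrying an ``ip`` field with the pivot IP and weighted by the number
        of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    ip_entity = request.value
    diff = nwmodule.nwtime(config["netwitness/days"])
    # NOTE(review): request.value is interpolated verbatim into the NetWitness
    # query; a value that is not a plain IP can change the query. No escaping
    # helper is available here; validate entity values upstream.
    query = "select service where (time=%s) && (ip.dst=%s || ip.src=%s)" % (diff, ip_entity, ip_entity)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, "application/json", 2500))
    fields = json_data["results"]["fields"]
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d["value"] for d in fields)
    seen = set()
    for d in fields:
        value = d["value"]
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode("ascii")
        e = Service(text, weight=occurrences[value])
        e += Field("ip", ip_entity, displayname="IP Address")
        response += e
    return response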
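def dotransform(request, response, config):
    """Return the distinct values of a NetWitness meta key.

    Args:
        request: Maltego transform request; ``request.value`` is the meta key
            name, used both as the selected key and in the ``exists`` condition.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``NWMetakey`` per distinct value, weighted by the
        number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    phrase = request.value
    diff = nwmodule.nwtime(config['netwitness/days'])
    # NOTE(review): request.value is interpolated verbatim into the select
    # clause and the where clause, so anything other than a bare meta key name
    # changes the query. No escaping helper is available here; validate the
    # key name upstream.
    query = 'select %s where (time=%s) && %s exists' % (phrase, diff, phrase)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode('ascii')
        response += NWMetakey(text, weight=occurrences[value])
    return response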
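def dotransform(request, response, config):
    """Return the NetWitness services seen for a host alias.

    Args:
        request: Maltego transform request; ``request.value`` is the hostname
            used in the ``alias.host=...`` condition.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``Service`` per distinct ``service`` value, each
        carrying a ``hostalias`` field with the pivot hostname and weighted by
        the number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    hostname = request.value
    diff = nwmodule.nwtime(config['netwitness/days'])
    # NOTE(review): request.value is interpolated verbatim (unquoted) into the
    # NetWitness query; a hostname containing query operators changes the
    # query. No escaping helper is available here; validate it upstream.
    query = 'select service where (time=%s) && alias.host=%s' % (diff, hostname)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode('ascii')
        e = Service(text, weight=occurrences[value])
        e += Field("hostalias", hostname, displayname='Hostalias')
        response += e
    return response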
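def dotransform(request, response, config):
    """Return the destination IPs for a service, pivoting from an IP or hostname.

    Args:
        request: Maltego transform request. ``request.fields["service"]`` is the
            service name; ``request.fields["ip"]`` (preferred) or
            ``request.fields["hostname"]`` selects the pivot condition. When
            neither field is present ``response`` is returned unchanged.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config["netwitness/days"]`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``IPv4Address`` per distinct ``ip.dst`` value,
        weighted by the number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    # NOTE(review): field values are interpolated verbatim into the NetWitness
    # query; a value containing query operators changes the query. No escaping
    # helper is available here; validate entity fields upstream.
    if "ip" in request.fields:
        diff = nwmodule.nwtime(config["netwitness/days"])
        query = "select ip.dst where (time=%s) && service=%s && (ip.dst=%s || ip.src=%s)" % (
            diff,
            request.fields["service"],
            request.fields["ip"],
            request.fields["ip"],
        )
    elif "hostname" in request.fields:
        diff = nwmodule.nwtime(config["netwitness/days"])
        query = "select ip.dst where (time=%s) && service=%s && alias.host=%s" % (
            diff,
            request.fields["service"],
            request.fields["hostname"],
        )
    else:
        return response
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, "application/json", 2500))
    fields = json_data["results"]["fields"]
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d["value"] for d in fields)
    # De-duplicate on the result value. The previous code appended the pivot
    # field instead, so duplicates were emitted and the pivot IP was dropped.
    seen = set()
    for d in fields:
        value = d["value"]
        if value in seen:
            continue
        seen.add(value)
        response += IPv4Address(value, weight=occurrences[value])
    return response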
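def dotransform(request, response, config):
    """Return the source IPs for a service, pivoting from an IP or hostname.

    Args:
        request: Maltego transform request. ``request.fields['service']`` is the
            service name; ``request.fields['ip']`` (preferred) or
            ``request.fields['hostname']`` selects the pivot condition. When
            neither field is present ``response`` is returned unchanged.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``IPv4Address`` per distinct ``ip.src`` value,
        weighted by the number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    # NOTE(review): field values are interpolated verbatim into the NetWitness
    # query; a value containing query operators changes the query. No escaping
    # helper is available here; validate entity fields upstream.
    if 'ip' in request.fields:
        diff = nwmodule.nwtime(config['netwitness/days'])
        query = 'select ip.src where (time=%s) && service=%s && (ip.dst=%s || ip.src=%s)' % (
            diff,
            request.fields['service'],
            request.fields['ip'],
            request.fields['ip'],
        )
    elif 'hostname' in request.fields:
        diff = nwmodule.nwtime(config['netwitness/days'])
        query = 'select ip.src where (time=%s) && service=%s && alias.host=%s' % (
            diff,
            request.fields['service'],
            request.fields['hostname'],
        )
    else:
        return response
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    # De-duplicate on the result value. The previous code appended the pivot
    # field instead, so duplicates were emitted and the pivot IP was dropped.
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        response += IPv4Address(value, weight=occurrences[value])
    return response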
def dotransform(request, response):
    """Return the destination IPs that a source IP talked to in NetWitness.

    Unlike the other transforms in this file this one takes no ``config``
    argument and reads a module-level ``config`` instead (presumably the
    framework's shared configuration; confirm against the module imports).

    Args:
        request: Maltego transform request; ``request.value`` is the source IP
            used in the ``ip.src=...`` condition.
        response: Maltego transform response; entities are appended with ``+=``.

    Returns:
        ``response`` with one unweighted ``IPv4Address`` per distinct
        ``ip.dst`` value, from at most 10 result rows.
    """
    nwmodule.nw_http_auth()
    # NW REST API Query and results
    source_ip = request.value
    window = nwmodule.nwtime(config['netwitness/days'])
    # NOTE(review): request.value is interpolated verbatim into the NetWitness
    # query; a value that is not a plain IP can change the query.
    query = 'select ip.dst where (time=%s) && ip.src=%s' % (window, source_ip)
    raw = nwmodule.nwQuery(0, 0, query, 'application/json', 10)
    rows = json.loads(raw)['results']['fields']
    emitted = []
    for row in rows:
        value = row['value']
        if value in emitted:
            continue
        emitted.append(value)
        response += IPv4Address(value.decode('ascii'))
    return response
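def dotransform(request, response, config):
    """Return the source IPs that talked to a destination IP in NetWitness.

    Args:
        request: Maltego transform request; ``request.value`` is the
            destination IP used in the ``ip.dst=...`` condition.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``IPv4Address`` per distinct ``ip.src`` value,
        weighted by the number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    ip_entity = request.value
    diff = nwmodule.nwtime(config['netwitness/days'])
    # NOTE(review): request.value is interpolated verbatim into the NetWitness
    # query; a value that is not a plain IP can change the query. No escaping
    # helper is available here; validate entity values upstream.
    query = 'select ip.src where (time=%s) && ip.dst=%s' % (diff, ip_entity)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode('ascii')
        response += IPv4Address(text, weight=occurrences[value])
    return response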
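def dotransform(request, response, config):
    """Return the destination IPs that a source IP talked to in NetWitness.

    Args:
        request: Maltego transform request; ``request.value`` is the source IP
            used in the ``ip.src=...`` condition.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config["netwitness/days"]`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``IPv4Address`` per distinct ``ip.dst`` value,
        weighted by the number of result rows that carried that value.
    """
    from collections import Counter

    # NW REST API Query and results
    ip_entity = request.value
    diff = nwmodule.nwtime(config["netwitness/days"])
    # NOTE(review): request.value is interpolated verbatim into the NetWitness
    # query; a value that is not a plain IP can change the query. No escaping
    # helper is available here; validate entity values upstream.
    query = "select ip.dst where (time=%s) && ip.src=%s" % (diff, ip_entity)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, "application/json", 2500))
    fields = json_data["results"]["fields"]
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d["value"] for d in fields)
    seen = set()
    for d in fields:
        value = d["value"]
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode("ascii")
        response += IPv4Address(text, weight=occurrences[value])
    return response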
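def dotransform(request, response, config):
    """Return the destination IPs for a service entity, pivoting from its IP or hostname.

    Args:
        request: Maltego transform request. ``request.value`` is the service
            name; ``request.fields['ip']`` (preferred) or, failing that,
            ``request.fields['hostname']`` supplies the pivot condition.
        response: Maltego transform response; entities are appended with ``+=``.
        config: Transform configuration; ``config['netwitness/days']`` is passed
            to ``nwmodule.nwtime`` to build the time window of the query.

    Returns:
        ``response`` with one ``IPv4Address`` per distinct ``ip.dst`` value,
        carrying the pivot (``ip`` or ``hostname``) and ``service`` fields and
        weighted by the number of result rows that carried that value.

    Raises:
        KeyError: when neither ``ip`` nor ``hostname`` is in ``request.fields``.
    """
    from collections import Counter

    # NW REST API Query and results
    diff = nwmodule.nwtime(config['netwitness/days'])
    service = request.value
    # NOTE(review): the service name and pivot value are interpolated verbatim
    # into the NetWitness query; a value containing query operators changes
    # the query. No escaping helper is available here; validate upstream.
    if 'ip' in request.fields:
        ip = request.fields['ip']
        pivot_field = Field("ip", ip, displayname='IP Address')
        query = 'select ip.dst where (time=%s) && service=%s && (ip.src=%s || ip.dst=%s)' % (diff, service, ip, ip)
    else:
        breadhost = request.fields['hostname']
        pivot_field = Field("hostname", breadhost, displayname='Hostname')
        query = 'select ip.dst where (time=%s) && service=%s && alias.host=%s' % (diff, service, breadhost)
    json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 2500))
    fields = json_data['results']['fields']
    # Count each value once up front. The previous per-row rescan was O(n^2)
    # and started the counter at 1, so every weight was one too high.
    occurrences = Counter(d['value'] for d in fields)
    seen = set()
    for d in fields:
        value = d['value']
        if value in seen:
            continue
        seen.add(value)
        # json.loads yields text; only decode when the value is really bytes.
        text = value if isinstance(value, str) else value.decode('ascii')
        e = IPv4Address(text, weight=occurrences[value])
        e += pivot_field
        e += Field("service", request.value, displayname='Service')
        response += e
    return response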