date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime("%Y-%b-%d %H:%M:%S") + "'-'" + date_t.strftime("%Y-%b-%d %H:%M:%S") + "'"

for i in fields:
    if "ip" in i:
        parse = i.split("=")
        ip = parse[1]
        where_clause = '(time=%s) && risk.warning="%s" && ip.src=%s || ip.dst=%s' % (diff, risk_name, ip, ip)
    else:
        where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)

field_name = "filename"
json_data = json.loads(nwmodule.nwValue(0, 0, 25, field_name, "application/json", where_clause))
file_list = []

# Print the Maltego XML Header
print trans_header
for d in json_data["results"]["fields"]:
    value = d["value"].decode("ascii")
    if value in file_list:
        continue
    elif value == "<none>":
        pass
    else:
        # Kind of a hack but hey it works!
        print """       <Entity Type="netwitness.NWFilename">
            <Value>%s</Value>
                <AdditionalFields>
Example #2
0
# Authenticate to the NW Concentrator via HTTP basic auth

nwmodule.nw_http_auth()

# NW REST API Query amd results

ip_entity = sys.argv[1]

date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

where_clause = '(time=%s) && ip.src=%s || ip.dst=%s' % (diff, ip_entity, ip_entity)
json_data = json.loads(nwmodule.nwValue(0, 0, 25, 'risk.warning', 'application/json', where_clause))
threat_list = []

print trans_header
for d in json_data['results']['fields']:
    value = d['value'].decode('ascii')
    if value in threat_list:
        continue
    else:
        # Kind of a hack but hey it works!
        print """       <Entity Type="netwitness.NWThreat">
            <Value>%s</Value>
                <AdditionalFields>
                    <Field Name="ip" DisplayName="IP Destination Address">%s</Field>
                    <Field Name="metaid1" DisplayName="Meta id1">%s</Field>
                    <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
Example #3
0
fields = sys.argv[2].split('#')

date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

for i in fields:
    if 'ip' in i:
    	parse = i.split('=')
    	ip = parse[1]
    	where_clause = '(time=%s) && risk.warning="%s" && ip.src=%s || ip.dst=%s' % (diff, risk_name, ip, ip)
    else:
    	where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)

json_data = json.loads(nwmodule.nwValue(0, 0, 10, 'client', 'application/json', where_clause))
ua_list = []

print trans_header
for d in json_data['results']['fields']:
    value = d['value'].decode('ascii')
    if value in ip_list:
    	continue
    else:
    	# Kind of a hack but hey it works!
        print """       <Entity Type="netwitness.NWUserAgent">
        <Value>%s</Value>
        <AdditionalFields>
        	<Field Name="threat" DisplayName="Threat Name">%s</Field>
        	<Field Name="metaid1" DisplayName="Meta id1">%s</Field>
        	<Field Name="metaid2" DisplayName="Meta id2">%s</Field>
# Authenticate to the NW Concentrator via HTTP basic auth

nwmodule.nw_http_auth()

# NW REST API Query amd results

ip_entity = sys.argv[1]

date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

where_clause = '(time=%s) && ip.src=%s || ip.dst=%s' % (diff, ip_entity, ip_entity)
json_data = json.loads(nwmodule.nwValue(0, 0, 25, 'alias.host', 'application/json', where_clause))

print trans_header
for d in json_data['results']['fields']:
    # Kind of a hack but hey it works!
    print """       <Entity Type="maltego.Domain">
        <Value>%s</Value>
        <AdditionalFields>
            <Field Name="ip" DisplayName="IP Address">%s</Field>
            <Field Name="metaid1" DisplayName="Meta id1">%s</Field>
            <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
            <Field Name="type" DisplayName="Type">%s</Field>
            <Field Name="count" DisplayName="Count">%s</Field>
        </AdditionalFields> 
    </Entity>""" % (d['value'].decode('ascii'), ip_entity, d['id1'], d['id2'], d['type'], d['count'])