def execute_autofocus_service(self):
data = self.getData()
AutoFocusAPI.api_key = self.autofocus_key
if self.service == 'get_sample_analysis' and self.data_type in [
'hash'
]:
sample = AFSample.get(data)
res = {
'metadata':
sample.serialize(),
'tags':
[tag.serialize() for tag in sample.__getattribute__('tags')],
'analysis': {}
}
for analyse in sample.get_analyses():
analysis_type = analyse.__class__.__name__
if analysis_type not in res['analysis']:
res['analysis'][analysis_type] = []
res['analysis'][analysis_type].append(analyse.serialize())
return res
elif self.service == 'search_ioc' and self.data_type in ['ip']:
searchIP = SearchJson_IP(data)
return searchIP.do_search()
elif self.service == 'search_ioc' and self.data_type in [
'domain', 'fqdn'
]:
searchDomain = SearchJson_Domain(data)
return searchDomain.do_search()
elif self.service == 'search_ioc' and self.data_type in ['mutex']:
searchMutex = SearchJson_Mutex(data)
return searchMutex.do_search()
elif self.service == 'search_ioc' and self.data_type in ['imphash']:
searchImpash = SearchJson_Imphash(data)
return searchImpash.do_search()
elif self.service == 'search_ioc' and self.data_type in ['tag']:
searchTag = SearchJson_TAG(data)
return searchTag.do_search()
elif self.service == 'search_ioc' and self.data_type in ['url']:
searchURL = SearchJson_URL(data)
return searchURL.do_search()
elif self.service == 'search_ioc' and self.data_type in ['user-agent']:
searchUserAgent = SearchJson_UserAgent(data)
return searchUserAgent.do_search()
elif self.service == 'search_json' and self.data_type in ['other']:
search = SearchJson(data)
return search.do_search()
else:
self.error('Unknown AutoFocus service or invalid data type')
from autofocus import AFSample, AFSampleAbsent
#AutoFocusAPI.api_key = "<my API key>"
###############################
# Searching for a single hash #
###############################
hash = "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c"
try:
# sample is instance of AFSample()
sample = AFSample.get(hash)
# Using instrospection, you can analyze the attributes of the AFSample instance
print "Pulled sample {} and got the follow attributes".format(hash)
for k, v in sample.__dict__.items():
print "\t{}={}".format(k, v)
except AFSampleAbsent:
pass # The sample isn't in AutoFocus
################################################
# Run an autofocus query (Exported via the UI) #
################################################
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'
# * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common
# to search for large datasets
# * The client library handles all paging for you, so you just need to pose a question
# and parse the results
for sample in AFSample.search(query):
from autofocus import AFSample, AFConnectionActivity, AFUserAgentFragment, AFRelatedMacro
#AutoFocusAPI.api_key = "<my API key>"
sample = AFSample.get(
"8404e06ff383275462298e830bebe9540fab2092eca5523649d74e6e596ac23d")
for analysis in sample.get_analyses(AFConnectionActivity):
analysis
# user agent fragments
sample = AFSample.get(
"66ee855c9ea5dbad47c7da966dbdb7fef630c0421984f7eeb238f26fb45493f2")
# Can pull the user agent analyses in many different ways.
for analysis in sample.get_analyses(AFUserAgentFragment):
print analysis
for analysis in sample.get_analyses('user_agent'):
print analysis
for analysis in sample.get_analyses([AFUserAgentFragment]):
print analysis
for analysis in sample.get_analyses(['user_agent']):
print analysis
# service activity
sample = AFSample.get(
"652c70c144f0d2d177695c5dc47ed9fcc1606ebdf78a636cace91988f12185fa")
from autofocus import AFSample, AFSampleAbsent
#AutoFocusAPI.api_key = "<my API key>"
###############################
# Searching for a single hash #
###############################
hash = "7f38fd3e55a4139d788a4475ab0a5d83bf7686a37ef5e54a65364a0d781b523c"
try:
# sample is instance of AFSample()
sample = AFSample.get(hash)
# Using instrospection, you can analyze the attributes of the AFSample instance
print "Pulled sample {} and got the follow attributes".format(hash)
for k,v in sample.__dict__.items():
print "\t{}={}".format(k, v)
except AFSampleAbsent:
pass # The sample isn't in AutoFocus
################################################
# Run an autofocus query (Exported via the UI) #
################################################
query = '{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}'
# * AFSample.search is a generator, so you have to iterate over the results, which is required since it's common
# to search for large datasets
# * The client library handles all paging for you, so you just need to pose a question
# and parse the results
from autofocus import AFSample, AFConnectionActivity, AFUserAgentFragment
#AutoFocusAPI.api_key = "<my API key>"
sample = AFSample.get("8404e06ff383275462298e830bebe9540fab2092eca5523649d74e6e596ac23d")
for analysis in sample.get_analyses(AFConnectionActivity):
analysis
# user agent fragments
sample = AFSample.get("66ee855c9ea5dbad47c7da966dbdb7fef630c0421984f7eeb238f26fb45493f2")
# Can pull the user agent analyses in many different ways.
for analysis in sample.get_analyses(AFUserAgentFragment):
print analysis
for analysis in sample.get_analyses('user_agent'):
print analysis
for analysis in sample.get_analyses([AFUserAgentFragment]):
print analysis
for analysis in sample.get_analyses(['user_agent']):
print analysis
# service activity
sample = AFSample.get("652c70c144f0d2d177695c5dc47ed9fcc1606ebdf78a636cace91988f12185fa")
for analysis in sample.get_analyses(['service']):
print analysis
