class FilePEImports(odm.Model):
    """Optional, list-valued hashes and keywords describing a PE file's imports.

    The field names suggest the values are derived from the import table
    (imphash, fuzzy hashes of the import list); the extraction itself is not
    part of this model. Every element carries ``copyto="__text__"`` — presumably
    so the value is also searchable through the combined ``__text__`` field;
    confirm against the odm ``copyto`` semantics.
    """
    fuzzy = odm.Optional(odm.List(odm.SSDeepHash(copyto="__text__")), description="Fuzzy")
    md5 = odm.Optional(odm.List(odm.MD5(copyto="__text__")), description="MD5")
    # Typed as odm.MD5, so imphash values are constrained exactly like ``md5`` above.
    imphash = odm.Optional(odm.List(odm.MD5(copyto="__text__")), description="Imphash")
    # "sorted_*" variants: presumably computed over an order-normalised import
    # list so that import reordering does not change the hash — verify in the producer.
    sorted_fuzzy = odm.Optional(odm.List(odm.SSDeepHash(copyto="__text__")), description="Sorted Fuzzy")
    sorted_sha1 = odm.Optional(odm.List(odm.SHA1(copyto="__text__")), description="Sorted SHA1")
    suspicious = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Suspicious")
class File(odm.Model):
    """Identity of a file: content hashes, name, size and the type Assemblyline detected.

    All keyword/hash fields are mirrored into ``__text__`` via ``copyto``;
    ``size`` is declared ``store=False`` and is the only field without a mirror.
    """
    # md5 and sha1 are collision-prone algorithms kept for lookups and
    # correlation; sha256 is the robust identifier (the model itself
    # expresses no preference between them).
    md5 = odm.MD5(copyto="__text__", description="MD5 hash of file")
    name = odm.Keyword(copyto="__text__", description="Name of the file")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    size = odm.Integer(store=False, description="Size of the file in bytes")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
class File(odm.Model):
    """File block: hashes, name, size and detected type of the top-level file.

    Hash and keyword fields are mirrored into ``__text__`` via ``copyto``;
    ``name`` and ``size`` are additionally declared ``store=False``.
    """
    # File block
    md5 = odm.MD5(copyto="__text__")  # MD5 of the top level file (collision-prone; see sha256)
    name = odm.Keyword(store=False, copyto="__text__")  # Name of the file
    sha1 = odm.SHA1(copyto="__text__")  # SHA1 hash of the file
    sha256 = odm.SHA256(copyto="__text__")  # SHA256 hash of the file (the robust identifier)
    size = odm.Integer(store=False)  # Size of the file (presumably bytes, as in the sibling models)
    type = odm.Keyword(copyto="__text__")  # Type of file as identified by Assemblyline
class FileInfo(odm.Model): magic = odm.Keyword() # The output from libmagic which was used to determine the tag md5 = odm.MD5() # MD5 of the file mime = odm.Optional(odm.Keyword()) # The libmagic mime type sha1 = odm.SHA1() # SHA1 hash of the file sha256 = odm.SHA256() # SHA256 hash of the file size = odm.Integer() # Size of the file type = odm.Keyword() # The file type
class FilePEImports(odm.Model):
    """Optional, list-valued hashes and keywords describing a PE file's imports.

    The field names suggest the values are derived from the import table; the
    extraction itself is not part of this model. Every element carries
    ``copyto="__text__"`` — presumably so it is also searchable through the
    combined ``__text__`` field; confirm against the odm ``copyto`` semantics.
    """
    fuzzy = odm.Optional(odm.List(odm.SSDeepHash(copyto="__text__")))
    md5 = odm.Optional(odm.List(odm.MD5(copyto="__text__")))
    # "sorted_*" variants: presumably computed over an order-normalised import
    # list so that import reordering does not change the hash — verify in the producer.
    sorted_fuzzy = odm.Optional(odm.List(odm.SSDeepHash(copyto="__text__")))
    sorted_sha1 = odm.Optional(odm.List(odm.SHA1(copyto="__text__")))
    suspicious = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))
class FileInfo(odm.Model):
    """Basic file identification: libmagic output, content hashes, size and type.

    Only ``mime`` is optional; none of these fields carry ``copyto`` or
    store/index flags, so they take whatever defaults the odm types provide.
    """
    magic = odm.Keyword(description="The output from libmagic which was used to determine the tag")
    md5 = odm.MD5(description="MD5 of the file")
    mime = odm.Optional(odm.Keyword(), description="The libmagic mime type")
    sha1 = odm.SHA1(description="SHA1 hash of the file")
    sha256 = odm.SHA256(description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    type = odm.Keyword(description="Type of file as identified by Assemblyline")
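class Sections(odm.Model):
    """Per-section metadata of a PE file; every field is optional.

    Offsets and sizes are plain integers. ``name``, ``fullname`` and the
    characteristics list use ``EmptyableKeyword`` (by its name, an empty
    string is a valid value distinct from absent) and are mirrored into
    ``__text__`` via ``copyto``.
    """
    name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    characteristics_hash = odm.Optional(odm.Integer())
    characteristics_list = odm.Optional(odm.List(odm.EmptyableKeyword(copyto="__text__")))
    entropy = odm.Optional(odm.Float())
    # Entropy with trailing padding excluded, per the field name; how padding
    # is detected is decided by the producer, not by this model.
    entropy_without_padding = odm.Optional(odm.Float())
    md5 = odm.Optional(odm.MD5())
    offset = odm.Optional(odm.Integer())
    size = odm.Optional(odm.Integer())
    # Raw (on-disk) and virtual (in-memory) sizes are kept separately so a
    # consumer can notice sections whose two sizes disagree.
    sizeof_raw_data = odm.Optional(odm.Integer())
    virtual_address = odm.Optional(odm.Integer())
    virtual_size = odm.Optional(odm.Integer())
    fullname = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))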
class File(odm.Model):
    """Stored record of a file known to Assemblyline.

    Holds the content hashes and detected type, a 64-byte content preview,
    classification, lifecycle timestamps and sighting details (``seen``).
    Hash and type fields are mirrored into ``__text__`` via ``copyto``.
    """
    archive_ts = odm.Date(store=False, description="Archiving timestamp")
    # ascii/hex are previews of the raw content of the first 64 bytes; both are
    # declared index=False, store=False.
    ascii = odm.Keyword(index=False, store=False, description="Dotted ASCII representation of the first 64 bytes of the file")
    classification = odm.Classification(description="Classification of the file")
    entropy = odm.Float(description="Entropy of the file")
    expiry_ts = odm.Optional(odm.Date(store=False), description="Expiry timestamp")
    is_section_image = odm.Boolean(default=False, description="Is this an image from an Image Result Section?")
    hex = odm.Keyword(index=False, store=False, description="Hex dump of the first 64 bytes of the file")
    md5 = odm.MD5(copyto="__text__", description="MD5 of the file")
    magic = odm.Keyword(store=False, description="Output from libmagic related to the file")
    mime = odm.Optional(odm.Keyword(store=False), description="MIME type of the file as identified by libmagic")
    # NOTE(review): default={} is a shared mutable literal; this is only safe
    # if odm.Compound copies the default per instance — confirm.
    seen = odm.Compound(Seen, default={}, description="Details about when the file was seen")
    sha1 = odm.SHA1(copyto="__text__", description="SHA1 hash of the file")
    sha256 = odm.SHA256(copyto="__text__", description="SHA256 hash of the file")
    size = odm.Integer(description="Size of the file in bytes")
    ssdeep = odm.SSDeepHash(store=False, description="SSDEEP hash of the file")
    type = odm.Keyword(copyto="__text__", description="Type of file as identified by Assemblyline")
class File(odm.Model): archive_ts = odm.Date(store=False) # Archiving timestamp ascii = odm.Keyword( index=False, store=False ) # Dotted ascii representation of the first 64 bytes of the file classification = odm.Classification() # Classification of the file entropy = odm.Float() # Entropy of the file expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry timestamp hex = odm.Keyword( index=False, store=False) # Hex dump of the first 64 bytes of the file md5 = odm.MD5(copyto="__text__") # MD5 of the top level file magic = odm.Keyword( store=False) # Output from libmagic related to that file mime = odm.Optional(odm.Keyword( store=False)) # Mime type of the file as identified by libmagic seen = odm.Compound(Seen, default={}) # Attributes about when the file was seen sha1 = odm.SHA1(copyto="__text__") # SHA1 hash of the file sha256 = odm.SHA256(copyto="__text__") # SHA256 hash of the file size = odm.Integer() # Size of the file ssdeep = odm.SSDeepHash(store=False) # SSDEEP hash of the file type = odm.Keyword( copyto="__text__") # Type of file as identified by Assemblyline
class NetworkTLS(odm.Model):
    """TLS client-side indicators observed on the network; all optional lists.

    ``ja3_hash`` is typed as odm.MD5, consistent with JA3 fingerprints being
    MD5 digests of the ClientHello parameters that ``ja3_string`` spells out.
    Every element is mirrored into ``__text__`` via ``copyto``.
    """
    ja3_hash = odm.Optional(odm.List(odm.MD5(copyto="__text__")))
    ja3_string = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))
    sni = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))  # Server Name Indication values
class Authentihash(odm.Model):
    """Authenticode (PE signature) hashes, one optional field per digest algorithm.

    NOTE(review): sha256/sha1/md5 use the typed odm hash fields, whereas
    sha512 and sha384 are plain ``EmptyableKeyword`` — so only the former
    three receive whatever format validation the typed fields provide
    (presumably because odm has no SHA512/SHA384 type; confirm). The two
    keyword fields are also the only ones mirrored into ``__text__``.
    """
    sha512 = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    sha384 = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
    sha256 = odm.Optional(odm.SHA256())
    sha1 = odm.Optional(odm.SHA1())
    md5 = odm.Optional(odm.MD5())
class NetworkTLS(odm.Model):
    """TLS client-side indicators observed on the network; all optional lists.

    ``ja3_hash`` is typed as odm.MD5, consistent with JA3 fingerprints being
    MD5 digests of the ClientHello parameters that ``ja3_string`` spells out.
    Every element is mirrored into ``__text__`` via ``copyto``.
    """
    ja3_hash = odm.Optional(odm.List(odm.MD5(copyto="__text__")), description="JA3 Hash")
    ja3_string = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="JA3 String")
    # Server Name Indication values
    sni = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="SNI")
class ResultOntologyHeader(odm.Model):
    """Header of a service result ontology record.

    Combines the identity of the analysed file (hashes, type, size), the
    identity of the service that produced the result, submission context,
    and the tags/heuristics the service raised.
    """

    @odm.model(index=False, store=False, description="Details about the Heuristics raised by a service")
    class HeuristicDetails(odm.Model):
        """One raised heuristic: its name and the tags attributed to it."""
        name = odm.Text(description="Name of the heuristic raised.")
        tags = odm.Compound(Tagging, description="Tags associated to heuristic")

    # Required metadata
    md5 = odm.MD5(description="MD5 of file")
    sha1 = odm.SHA1(description="SHA1 of file")
    sha256 = odm.SHA256(description="SHA256 of file")
    type = odm.Keyword(description="Type of file as identified by Assemblyline")
    size = odm.Integer(description="Size of the file in bytes")
    # NOTE(review): a result that omits its classification is recorded as
    # UNRESTRICTED, i.e. the least restrictive marking, and the field is a
    # plain Keyword rather than odm.Classification, so it gets no
    # classification-specific validation — confirm producers always set it
    # explicitly.
    classification = odm.Keyword(default=Classification.UNRESTRICTED, description="Classification of the service result")
    service_name = odm.Keyword(description="Service Name")
    service_version = odm.Keyword(description="Service Version")
    service_tool_version = odm.Optional(odm.Keyword(default=''), description="Service Tool Version")

    # Optional metadata
    filenames = odm.Optional(odm.List(odm.Text()), description="Known filenames associated to file")
    date = odm.Optional(odm.Date(), description="Date of analysis")
    parent = odm.Optional(odm.SHA256(), description="Immediate parent of file relative to submission")
    sid = odm.Optional(odm.Keyword(), description="Submission ID associated to file")
    source_system = odm.Optional(odm.Text(), description="Which Assemblyline instance does the result originate from?")
    original_source = odm.Optional(odm.Text(), description="Source as specified by submitter (from metadata)")
    # Same UNRESTRICTED default as ``classification`` above.
    submitted_classification = odm.Keyword(default=Classification.UNRESTRICTED, description="Submitted classification")
    submitter = odm.Optional(odm.Keyword(), description="Submitter")
    retention_id = odm.Optional(odm.Keyword(), description="Reference to knowledge base for long-term data retention.")

    # What tags did the service associate to the result
    tags = odm.Optional(odm.Compound(Tagging), description="Tags raised by service")

    # What tags are related to certain heuristics raised. The mapping keys look
    # like heuristic ids (see the example); e.g.
    # {
    #   "SERVICENAME_1": {
    #     "name": "Bad Things happened",
    #     "tags": {
    #       "network": {
    #         "static": {
    #           "uri": ["bad.domain", ...],
    #           ...
    #         },
    #         ...
    #       },
    #       ...
    #     }
    #   }
    # }
    heuristics = odm.Optional(odm.Mapping(odm.Compound(HeuristicDetails)), description="Heuristics raised by service.")