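def _collect_eids(name, synonyms):
    """Count the events that mention *name* or any of its *synonyms*.

    Every term is searched twice, in the same order the original inline code
    used: as a double-quoted phrase in the ``info``/``comment`` fields and
    unquoted in the ``value``/``tags`` fields.  The per-search results are
    summed with ``+=`` so an event matched by several terms ranks higher.

    Args:
        name: the canonical cluster value.
        synonyms: iterable of alternative names, or ``None``/empty when the
            cluster has none.

    Returns:
        The summed result of ``search`` (callers rely on it exposing
        ``most_common``, i.e. a ``collections.Counter``-like object).
    """
    # NOTE(review): the phrase query wraps the raw term in double quotes; a
    # galaxy value that itself contains '"' would change the query's meaning.
    # Confirm that search() escapes or rejects such terms.
    eids = search('"{}"'.format(name), ['info', 'comment'])
    eids += search(name, ['value', 'tags'])
    for syn in synonyms or []:
        eids += search('"{}"'.format(syn), ['info', 'comment'])
        eids += search(syn, ['value', 'tags'])
    return eids


def _top_eids(eids, limit=20):
    """Return the *limit* most frequently matched event ids, best first."""
    return [eid for eid, _count in eids.most_common(limit)]


def adversary_groups(galaxy):
    """Link every adversary-group cluster to the events that mention it.

    Args:
        galaxy: mapping holding ``galaxy['elements']['adversary-groups']['values']``;
            each entry is read for ``value``, ``group`` and an optional
            ``synonyms`` list.

    Side effects:
        Calls ``SnapshotConnector.update_group`` with the key
        ``'adversaries:<group>'`` and up to 20 event ids.  Clusters with no
        matching event are skipped.
    """
    connector = SnapshotConnector()
    content = galaxy['elements']['adversary-groups']
    for group in content['values']:
        eids = _collect_eids(group['value'], group.get('synonyms'))
        if eids:
            # NOTE(review): this keys on group['group'] whereas tools() keys on
            # ['value']; kept as in the original — confirm it is intended.
            key = 'adversaries:{}'.format(group['group'])
            connector.update_group(key, *_top_eids(eids))


def tools(galaxy):
    """Link every threat-actor-tool cluster to the events that mention it.

    Args:
        galaxy: mapping holding ``galaxy['elements']['threat-actor-tools']['values']``;
            each entry is read for ``value`` and an optional ``synonyms`` list.

    Side effects:
        Calls ``SnapshotConnector.update_group`` with the key
        ``'tools:<value>'`` and up to 20 event ids.  Clusters with no
        matching event are skipped.
    """
    connector = SnapshotConnector()
    content = galaxy['elements']['threat-actor-tools']
    for tool in content['values']:
        eids = _collect_eids(tool['value'], tool.get('synonyms'))
        if eids:
            key = 'tools:{}'.format(tool['value'])
            connector.update_group(key, *_top_eids(eids))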
def search_events():
    """Flask view: run a free-text event search or show the search form.

    Reads the ``query`` form field.  When it is present and ``search`` finds
    something, the 20 most frequently matched event ids are handed to
    ``merge_events`` and its result is returned.  In every other case (no
    query, or a query with no hits) ``search.html`` is rendered.
    """
    query = request.form.get('query')
    if not query:
        return render_template('search.html')
    # NOTE(review): the user-supplied query reaches search() verbatim; confirm
    # the backend treats it as data rather than query syntax.
    eids = search(query)
    if not eids:
        return render_template('search.html')
    top = [eid for eid, _count in eids.most_common(20)]
    return merge_events(top)
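def rebuild_eid_cache(self):
    """Recompute the ``<sha256>:eids`` Redis sets for every known sample.

    For each sha256 in the ``hashes_sha256`` set, the sibling ``sha1`` and
    ``md5`` fields are read from that sample's hash, the available digests
    are searched in the ``value`` field, and every matching event id is
    added to ``<sha256>:eids``.  Samples with no matching event are left
    untouched (no set is created or cleared).

    Side effects:
        Reads ``self.r.smembers``/``self.r.hmget`` and writes via
        ``self.r.sadd``.
    """
    # NOTE(review): like the original, this assumes the Redis client returns
    # decoded str values (the key '<sha256>:eids' is built from them).
    for sha256 in self.r.smembers('hashes_sha256'):
        sha1, md5 = self.r.hmget(sha256, ['sha1', 'md5'])
        # hmget yields None for a missing field (or a missing hash); drop
        # those instead of searching for the literal string "None".
        query = ' '.join(str(h) for h in (sha256, sha1, md5) if h)
        eids = search(query, 'value')
        if eids:
            all_eids = [eid for eid, _count in eids.most_common()]
            self.r.sadd('{}:eids'.format(sha256), *all_eids)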
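def search_hashes_slow(samples_hash):
    """Return the ids of every event whose ``value`` carries one of the
    sample's digests (all digests known to ``pe.get_all_hashes``).

    Args:
        samples_hash: a single hash string, or a list/set of hash strings.

    Returns:
        list of event ids ordered by match count, most frequent first.
        Empty when there is nothing to search for.
    """
    if isinstance(samples_hash, (list, set)):
        to_search = [h for sample in samples_hash
                     for h in pe.get_all_hashes(sample)]
    else:
        to_search = pe.get_all_hashes(samples_hash)
    # An empty collection used to be turned into an empty query string;
    # return early instead of handing the backend a blank query.
    if not to_search:
        return []
    counted = search(' '.join(to_search), 'value')
    return [eid for eid, _count in counted.most_common()]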