# NW REST API Query amd results ip_entity = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime( '%Y-%b-%d %H:%M:%S') + "'" field_name = 'filetype' where_clause = '(time=%s) && ip.dst=%s || ip.src=%s' % (diff, ip_entity, ip_entity) json_data = json.loads( nwmodule.nwValue(0, 0, 25, field_name, 'application/json', where_clause)) file_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') # Kind of a hack but hey it works! if value in file_list: continue else: print """ <Entity Type="netwitness.NWFiletype"> <Value>%s</Value> <AdditionalFields> <Field Name="ip" DisplayName="IP Address">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
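# Query window: the 24 hours ending now, rendered as 'start'-'end'.
date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

# risk_name and fields are set earlier in the script (not visible in this snippet).
# NOTE(review): risk_name is placed inside double quotes in the query and the IP
# is placed unquoted; neither is validated here, so a value containing a quote or
# query operators would change the query. Validate both before this point.
#
# The base clause is built first and only replaced when an IP field is present,
# so a later non-IP field can no longer discard the IP filter and an empty
# field list no longer leaves where_clause undefined.
where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)
for i in fields:
    parse = i.split('=')
    # Match on the field name only, so a value that merely contains "ip"
    # is not mistaken for the IP field.
    if len(parse) > 1 and 'ip' in parse[0]:
        ip = parse[1]
        # The OR is grouped so the time window and the risk name apply to
        # both the source match and the destination match.
        where_clause = '(time=%s) && risk.warning="%s" && (ip.src=%s || ip.dst=%s)' % (diff, risk_name, ip, ip)
        break

field_name = 'attachment'
json_data = json.loads(nwmodule.nwValue(0, 0, 25, field_name, 'application/json', where_clause))
file_list = []

# Print the Maltego XML Header
print trans_header

for d in json_data['results']['fields']:
    value = d['value'].decode('ascii')
    if value in file_list:
        continue
    elif value == "<none>":
        pass
    else:
        # Kind of a hack but hey it works!
        # NOTE(review): the values substituted into this XML come from the
        # query results; the format arguments are outside this snippet, so
        # XML-escape them where they are built.
        print """ <Entity Type="netwitness.NWFilename"> <Value>%s</Value> <AdditionalFields>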
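# Query window: the 24 hours ending now, rendered as 'start'-'end'.
date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime("%Y-%b-%d %H:%M:%S") + "'-'" + date_t.strftime("%Y-%b-%d %H:%M:%S") + "'"

# risk_name and fields are set earlier in the script (not visible in this snippet).
# NOTE(review): risk_name is placed inside double quotes in the query and the IP
# is placed unquoted; neither is validated here, so a value containing a quote or
# query operators would change the query. Validate both before this point.
#
# Start from the clause without an IP filter and narrow it only when an IP
# field is found. The original reassigned where_clause on every field, so a
# non-IP field after the IP field silently dropped the IP filter, and an
# empty field list left where_clause undefined.
where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)
for i in fields:
    parse = i.split("=")
    # Test the field name, not the whole "name=value" string, so a value
    # containing "ip" does not trigger the IP branch.
    if len(parse) > 1 and "ip" in parse[0]:
        ip = parse[1]
        # Explicit grouping keeps the time window and risk name attached to
        # both the source and the destination comparison.
        where_clause = '(time=%s) && risk.warning="%s" && (ip.src=%s || ip.dst=%s)' % (diff, risk_name, ip, ip)
        break

field_name = "filename"
json_data = json.loads(nwmodule.nwValue(0, 0, 25, field_name, "application/json", where_clause))
file_list = []

# Print the Maltego XML Header
print trans_header

for d in json_data["results"]["fields"]:
    value = d["value"].decode("ascii")
    if value in file_list:
        continue
    elif value == "<none>":
        pass
    else:
        # Kind of a hack but hey it works!
        # NOTE(review): the values substituted into this XML come from the
        # query results; the format arguments are outside this snippet, so
        # XML-escape them where they are built.
        print """ <Entity Type="netwitness.NWFilename"> <Value>%s</Value> <AdditionalFields>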
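# Additional entity fields arrive as the second CLI argument, '#'-separated
# "name=value" pairs.
fields = sys.argv[2].split('#')

# Query window: the 24 hours ending now, rendered as 'start'-'end'.
date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

# risk_name is set earlier in the script (not visible in this snippet).
# NOTE(review): risk_name is placed inside double quotes in the query and the IP
# is placed unquoted; neither is validated here, so a value containing a quote or
# query operators would change the query. Validate both before this point.
#
# The base clause is built first and only replaced when an IP field is present,
# so a later non-IP field can no longer discard the IP filter.
where_clause = '(time=%s) && risk.warning="%s"' % (diff, risk_name)
for i in fields:
    parse = i.split('=')
    # Match on the field name only: a value such as a threat name that
    # happens to contain "ip" must not be treated as the IP field.
    if len(parse) > 1 and 'ip' in parse[0]:
        ip = parse[1]
        # The OR is grouped so the time window and the risk name apply to
        # both the source match and the destination match.
        where_clause = '(time=%s) && risk.warning="%s" && (ip.src=%s || ip.dst=%s)' % (diff, risk_name, ip, ip)
        break

json_data = json.loads(nwmodule.nwValue(0, 0, 10, 'client', 'application/json', where_clause))
ua_list = []

print trans_header

for d in json_data['results']['fields']:
    value = d['value'].decode('ascii')
    # The list created above is ua_list; the original tested ip_list, which
    # this snippet never defines.
    if value in ua_list:
        continue
    else:
        # Kind of a hack but hey it works!
        # NOTE(review): the values substituted into this XML come from the
        # query results; the format arguments are outside this snippet, so
        # XML-escape them where they are built.
        print """ <Entity Type="netwitness.NWUserAgent"> <Value>%s</Value> <AdditionalFields> <Field Name="threat" DisplayName="Threat Name">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>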
nwmodule.nw_http_auth() # NW REST API Query amd results ip_entity = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime( '%Y-%b-%d %H:%M:%S') + "'" where_clause = '(time=%s) && ip.src=%s || ip.dst=%s' % (ip_entity, ip_entity) json_data = json.loads( nwmodule.nwValue(0, 0, 25, 'risk.warning', 'application/json', where_clause)) threat_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') # Kind of a hack but hey it works! if value in threat_list: continue else: print """ <Entity Type="netwitness.NWThreatNoIP"> <Value>%s</Value> <AdditionalFields> <Field Name="ip" DisplayName="IP Source Address">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
# Authenticate to the NW Concentrator via HTTP basic auth nwmodule.nw_http_auth() # NW REST API Query amd results ip_entity = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'" where_clause = '(time=%s) && ip.src=%s || ip.dst=%s' % (diff, ip_entity, ip_entity) json_data = json.loads(nwmodule.nwValue(0, 0, 25, 'risk.warning', 'application/json', where_clause)) threat_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') if value in threat_list: continue else: # Kind of a hack but hey it works! print """ <Entity Type="netwitness.NWThreat"> <Value>%s</Value> <AdditionalFields> <Field Name="ip" DisplayName="IP Destination Address">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
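nwmodule.nw_http_auth()

# Imported here because the file's import block is outside this snippet.
from xml.sax.saxutils import escape


def _xml_text(raw):
    """Return *raw* rendered as text that is safe inside an XML element."""
    return escape('%s' % (raw,))


# NW REST API query and results.
# ip_entity is the Maltego entity value passed as the first CLI argument.
# NOTE(review): it is interpolated into the query below without validation;
# confirm it is a plain IP address before it reaches the query string.
ip_entity = sys.argv[1]

# Query window: the 24 hours ending now, rendered as 'start'-'end'.
date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

# The OR is grouped explicitly so the time window constrains both the source
# match and the destination match, whatever the relative precedence of &&
# and || in the query language.
where_clause = '(time=%s) && (ip.src=%s || ip.dst=%s)' % (diff, ip_entity, ip_entity)

json_data = json.loads(nwmodule.nwValue(0, 0, 25, 'alias.host', 'application/json', where_clause))

# Same entity markup as before, split across adjacent literals for readability.
entity_template = (
    ' <Entity Type="maltego.Domain"> <Value>%s</Value> <AdditionalFields>'
    ' <Field Name="ip" DisplayName="IP Address">%s</Field>'
    ' <Field Name="metaid1" DisplayName="Meta id1">%s</Field>'
    ' <Field Name="metaid2" DisplayName="Meta id2">%s</Field>'
    ' <Field Name="type" DisplayName="Type">%s</Field>'
    ' <Field Name="count" DisplayName="Count">%s</Field>'
    ' </AdditionalFields> </Entity>'
)

print(trans_header)

for d in json_data['results']['fields']:
    # Kind of a hack but hey it works!
    # Every substituted value is XML-escaped: the host names come back from
    # the query results and the IP from the command line, so a stray '<' or
    # '&' must not be able to alter the entity markup handed to Maltego.
    print(entity_template % (
        _xml_text(d['value'].decode('ascii')),
        _xml_text(ip_entity),
        _xml_text(d['id1']),
        _xml_text(d['id2']),
        _xml_text(d['type']),
        _xml_text(d['count']),
    ))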
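# Authenticate to the NW Concentrator via HTTP basic auth
nwmodule.nw_http_auth()

# Imported here because the file's import block is outside this snippet.
from xml.sax.saxutils import escape


def _xml_text(raw):
    """Return *raw* rendered as text that is safe inside an XML element."""
    return escape('%s' % (raw,))


# NW REST API query and results.
# ip_entity is the Maltego entity value passed as the first CLI argument.
# NOTE(review): it is interpolated into the query below without validation;
# confirm it is a plain IP address before it reaches the query string.
ip_entity = sys.argv[1]

# Query window: the 24 hours ending now, rendered as 'start'-'end'.
date_t = datetime.today()
tdelta = timedelta(days=1)
diff = date_t - tdelta
diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'"

# Grouping the OR keeps the time window attached to both the source and the
# destination comparison, independent of how the query language ranks && and ||.
where_clause = '(time=%s) && (ip.src=%s || ip.dst=%s)' % (diff, ip_entity, ip_entity)

json_data = json.loads(nwmodule.nwValue(0, 0, 25, 'alias.host', 'application/json', where_clause))

# Same entity markup as before, split across adjacent literals for readability.
entity_template = (
    ' <Entity Type="maltego.Domain"> <Value>%s</Value> <AdditionalFields>'
    ' <Field Name="ip" DisplayName="IP Address">%s</Field>'
    ' <Field Name="metaid1" DisplayName="Meta id1">%s</Field>'
    ' <Field Name="metaid2" DisplayName="Meta id2">%s</Field>'
    ' <Field Name="type" DisplayName="Type">%s</Field>'
    ' <Field Name="count" DisplayName="Count">%s</Field>'
    ' </AdditionalFields> </Entity>'
)

print(trans_header)

for d in json_data['results']['fields']:
    # Kind of a hack but hey it works!
    # Every substituted value is XML-escaped: the host names come back from
    # the query results and the IP from the command line, so a stray '<' or
    # '&' must not be able to alter the entity markup handed to Maltego.
    print(entity_template % (
        _xml_text(d['value'].decode('ascii')),
        _xml_text(ip_entity),
        _xml_text(d['id1']),
        _xml_text(d['id2']),
        _xml_text(d['type']),
        _xml_text(d['count']),
    ))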