class ALResults(odm.Model):
    """Assemblyline result block.

    Aggregated indicators (attribution, AV/YARA hits, behaviours, network IOCs)
    and the maximum score of one Assemblyline submission. Fields that carry
    ``copyto="__text__"`` appear to be mirrored into a catch-all text field
    for free-text search — confirm against the odm field implementation.

    NOTE(review): the ``default=[]`` literals are shared mutable defaults;
    this assumes odm.List copies the default per instance — confirm.
    """
    attrib = odm.List(odm.Keyword(), default=[], copyto="__text__")  # List of attribution
    av = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__")  # List of AV hits
    behavior = odm.List(odm.Keyword(), default=[], copyto="__text__")  # List of behaviors for the alert
    domain = odm.List(odm.Domain(), default=[], copyto="__text__")  # List of all domains
    # presumably the union of the static and dynamic lists below — verify against the writer
    domain_dynamic = odm.List(odm.Domain(), default=[])  # List of domains found during dynamic analysis
    domain_static = odm.List(odm.Domain(), default=[])  # List of domains found during static analysis
    ip = odm.List(odm.IP(), default=[], copyto="__text__")  # List of all IPs
    ip_dynamic = odm.List(odm.IP(), default=[])  # List of IPs found during dynamic analysis
    ip_static = odm.List(odm.IP(), default=[])  # List of IPs found during static analysis
    request_end_time = odm.Date(index=False)  # End time of the Assemblyline submission (not indexed)
    score = odm.Integer(store=True)  # Maximum score found in the submission
    yara = odm.List(odm.Keyword(), default=[], copyto="__text__")  # List of YARA rule hits
class ALResults(odm.Model):
    """Assemblyline result block.

    Aggregated indicators (attribution, AV/YARA hits, behaviours, network
    IOCs split into static/dynamic origin), the detailed result block and
    the maximum score of one Assemblyline submission. Every field carries an
    odm ``description`` used as its schema documentation.

    Fields with ``copyto="__text__"`` appear to be mirrored into a catch-all
    text field for free-text search — confirm against the odm implementation.
    NOTE(review): ``default=[]`` is a shared mutable literal; assumes odm.List
    copies it per instance — confirm.
    """
    attrib = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__", description="List of attribution")
    av = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__", description="List of AV hits")
    behavior = odm.List(odm.Keyword(), default=[], copyto="__text__", description="List of behaviors for the alert")
    # DetailedResults is declared elsewhere in this module
    detailed = odm.Compound(DetailedResults, description="Assemblyline Detailed result block")
    # "all" lists are searchable; the *_dynamic / *_static variants record origin only
    domain = odm.List(odm.Domain(), default=[], copyto="__text__", description="List of all domains")
    domain_dynamic = odm.List(odm.Domain(), default=[], description="List of domains found during Dynamic Analysis")
    domain_static = odm.List(odm.Domain(), default=[], description="List of domains found during Static Analysis")
    ip = odm.List(odm.IP(), default=[], copyto="__text__", description="List of all IPs")
    ip_dynamic = odm.List(odm.IP(), default=[], description="List of IPs found during Dynamic Analysis")
    ip_static = odm.List(odm.IP(), default=[], description="List of IPs found during Static Analysis")
    request_end_time = odm.Date(index=False, description="Finish time of the Assemblyline submission")  # not indexed
    score = odm.Integer(store=True, description="Maximum score found in the submission")
    uri = odm.List(odm.URI(), default=[], copyto="__text__", description="List of all URIs")
    uri_dynamic = odm.List(odm.URI(), default=[], description="List of URIs found during Dynamic Analysis")
    uri_static = odm.List(odm.URI(), default=[], description="List of URIs found during Static Analysis")
    yara = odm.List(odm.Keyword(), default=[], copyto="__text__", description="List of YARA rule hits")
class NetworkDNS(odm.Model):
    """One observed DNS request and its answer.

    Wraps the underlying ``NetworkConnection`` (declared elsewhere in this
    module) with the queried domain, the IPs it resolved to and the request
    type. ``resolved_ips`` has no default, so the writer is expected to
    supply it — confirm whether an empty list is acceptable for NXDOMAIN.
    """
    connection_details = odm.Compound(NetworkConnection, description="The low-level details of the DNS request")
    domain = odm.Domain(description="The domain requested")
    resolved_ips = odm.List(odm.IP(), description="A list of IPs that were resolved")
    lookup_type = odm.Text(description="The type of DNS request")  # free text, e.g. the record type — verify against the writer
class Subject(odm.Model):
    """The entity a signature / event is about.

    Every field is optional; presumably only the field(s) matching the
    subject's kind are populated — verify against the writer. ``file`` and
    ``registry`` are stored as plain text rather than typed odm fields.
    """
    ip = odm.Optional(odm.IP(), description="Subject's IP")
    domain = odm.Optional(odm.Domain(), description="Subject's domain")
    uri = odm.Optional(odm.URI(), description="Subject's URI")
    process = odm.Optional(odm.Compound(Process), description="Subject's process")  # Process is declared elsewhere in this module
    file = odm.Optional(odm.Text(), description="Subject's file")  # attribute name shadows the builtin; fine as a model field
    registry = odm.Optional(odm.Text(), description="Subject's registry key")
class NetworkIOCs(odm.Model):
    """Network indicators of compromise extracted from a result.

    Each indicator list is optional. ``copyto="__text__"`` is set on the
    element type rather than the list, which appears to mirror each value
    into a catch-all text field for free-text search — confirm against the
    odm field implementation.
    """
    domain = odm.Optional(odm.List(odm.Domain(copyto="__text__")))
    ip = odm.Optional(odm.List(odm.IP(copyto="__text__")))
    uri = odm.Optional(odm.List(odm.URI(copyto="__text__")))
    uri_path = odm.Optional(odm.List(odm.URIPath(copyto="__text__")))
class NetworkIOCs(odm.Model):
    """Network indicators of compromise extracted from a result.

    Each indicator list is optional and carries a short schema description.
    ``copyto="__text__"`` is set on the element type rather than the list,
    which appears to mirror each value into a catch-all text field for
    free-text search — confirm against the odm field implementation.
    """
    domain = odm.Optional(odm.List(odm.Domain(copyto="__text__")), description="Domain")
    ip = odm.Optional(odm.List(odm.IP(copyto="__text__")), description="IP")
    uri = odm.Optional(odm.List(odm.URI(copyto="__text__")), description="URI")
    uri_path = odm.Optional(odm.List(odm.URIPath(copyto="__text__")), description="URI Path")