class ALResults(odm.Model): # Assemblyline result block
attrib = odm.List(odm.Keyword(), default=[],
copyto="__text__") # List of attribution
av = odm.List(odm.Keyword(), default=[], store=True,
copyto="__text__") # List of AV hits
behavior = odm.List(odm.Keyword(), default=[],
copyto="__text__") # List of behaviors for the alert
domain = odm.List(odm.Domain(), default=[],
copyto="__text__") # List of all domains
domain_dynamic = odm.List(
odm.Domain(),
default=[]) # List of domains found during dynamic analysis
domain_static = odm.List(
odm.Domain(),
default=[]) # List of domains foudn during static analysis
ip = odm.List(odm.IP(), default=[], copyto="__text__") # List of all IPs
ip_dynamic = odm.List(
odm.IP(), default=[]) # List of IPs found during dynamic analysis
ip_static = odm.List(
odm.IP(), default=[]) # List of IPs found during static analysis
request_end_time = odm.Date(
index=False) # End time of the Assemblyline submission
score = odm.Integer(store=True) # Maximum score found in the submission
yara = odm.List(odm.Keyword(), default=[],
copyto="__text__") # List of yara hits
class ALResults(odm.Model):
attrib = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__", description="List of attribution")
av = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__", description="List of AV hits")
behavior = odm.List(odm.Keyword(), default=[], copyto="__text__", description="List of behaviors for the alert")
detailed = odm.Compound(DetailedResults, description="Assemblyline Detailed result block")
domain = odm.List(odm.Domain(), default=[], copyto="__text__", description="List of all domains")
domain_dynamic = odm.List(odm.Domain(), default=[], description="List of domains found during Dynamic Analysis")
domain_static = odm.List(odm.Domain(), default=[], description="List of domains found during Static Analysis")
ip = odm.List(odm.IP(), default=[], copyto="__text__", description="List of all IPs")
ip_dynamic = odm.List(odm.IP(), default=[], description="List of IPs found during Dynamic Analysis")
ip_static = odm.List(odm.IP(), default=[], description="List of IPs found during Static Analysis")
request_end_time = odm.Date(index=False, description="Finish time of the Assemblyline submission")
score = odm.Integer(store=True, description="Maximum score found in the submission")
uri = odm.List(odm.URI(), default=[], copyto="__text__", description="List of all URIs")
uri_dynamic = odm.List(odm.URI(), default=[], description="List of URIs found during Dynamic Analysis")
uri_static = odm.List(odm.URI(), default=[], description="List of URIs found during Static Analysis")
yara = odm.List(odm.Keyword(), default=[], copyto="__text__", description="List of YARA rule hits")
class NetworkDNS(odm.Model):
connection_details = odm.Compound(
NetworkConnection,
description="The low-level details of the DNS request")
domain = odm.Domain(description="The domain requested")
resolved_ips = odm.List(odm.IP(),
description="A list of IPs that were resolved")
lookup_type = odm.Text(description="The type of DNS request")
class Subject(odm.Model):
ip = odm.Optional(odm.IP(), description="Subject's IP")
domain = odm.Optional(odm.Domain(), description="Subject's domain")
uri = odm.Optional(odm.URI(), description="Subject's URI")
process = odm.Optional(odm.Compound(Process),
description="Subject's process")
file = odm.Optional(odm.Text(), description="Subject's file")
registry = odm.Optional(odm.Text(),
description="Subject's registry key")
class NetworkConnection(odm.Model):
objectid = odm.Compound(ObjectID,
description="The object ID of the process object")
process = odm.Optional(
odm.Compound(Process),
description="The process that spawned the network connection")
source_ip = odm.Optional(odm.IP(),
description="The source IP of the connection")
source_port = odm.Optional(odm.Integer(),
description="The source port of the connection")
destination_ip = odm.IP(description="The destination IP of the connection")
destination_port = odm.Integer(
description="The destination port of the connection")
transport_layer_protocol = odm.Enum(
["tcp", "udp"],
description="The transport layer protocol of the connection")
direction = odm.Enum(["outbound", "inbound", "unknown"],
description="The direction of the network connection")
class ServiceClient(odm.Model):
"""Session data for a service worker.
This is not saved in the datastore, and its not shared with any other components
"""
client_id: str = odm.Keyword() # Session ID of the client
container_id: str = odm.Keyword() # Docker container ID of the client
ip: str = odm.IP() # IP address of the client
service_name: str = odm.Keyword(
) # Name of the service running on the client
service_version: str = odm.Keyword(
) # Version of the service running on the client
service_tool_version: Opt[str] = odm.Optional(
odm.Keyword()) # Tool version of the service running on the client
service_timeout: int = odm.Integer(
) # Timeout of the service running on the client
current: Opt[Current] = odm.Optional(odm.Compound(
Current)) # Info about the current status and task assigned
tasking_counters = odm.Optional(
odm.Any()) # MetricsFactory counters for the service
class MachineMetadata(odm.Model):
ip = odm.Optional(
odm.IP(),
description="The IP of the machine used for analysis")
hypervisor = odm.Optional(
odm.Keyword(),
description="The hypervisor of the machine used for analysis")
hostname = odm.Optional(
odm.Keyword(),
description="The name of the machine used for analysis")
platform = odm.Optional(
odm.Platform(),
description="The platform of the machine used for analysis")
version = odm.Optional(
odm.Keyword(),
description=
"The version of the operating system of the machine used for analysis"
)
architecture = odm.Optional(
odm.Processor(),
description="The architecture of the machine used for analysis"
)
class NetworkIOCs(odm.Model):
domain = odm.Optional(odm.List(odm.Domain(copyto="__text__")))
ip = odm.Optional(odm.List(odm.IP(copyto="__text__")))
uri = odm.Optional(odm.List(odm.URI(copyto="__text__")))
uri_path = odm.Optional(odm.List(odm.URIPath(copyto="__text__")))
class NetworkIOCs(odm.Model):
domain = odm.Optional(odm.List(odm.Domain(copyto="__text__")), description="Domain")
ip = odm.Optional(odm.List(odm.IP(copyto="__text__")), description="IP")
uri = odm.Optional(odm.List(odm.URI(copyto="__text__")), description="URI")
uri_path = odm.Optional(odm.List(odm.URIPath(copyto="__text__")), description="URI Path")