def test_get_analysis_by_id_raises_when_analysis_is_queued(self):
# Arrange
analysis_id = 'analysis_id'
with responses.RequestsMock() as mock:
mock.add('GET',
url='{}/analyses/{}'.format(self.full_url, analysis_id),
status=202,
json={'status': AnalysisStatusCode.QUEUED.value})
# Act
with self.assertRaises(errors.AnalysisIsStillRunningError):
FileAnalysis.from_analysis_id(analysis_id)
def get_analysis_sub_analyses_command(intezer_api: IntezerApi,
args: dict) -> CommandResults:
analysis_id = args.get('analysis_id')
try:
analysis = FileAnalysis.from_analysis_id(analysis_id, api=intezer_api)
if not analysis:
return _get_missing_analysis_result(analysis_id=str(analysis_id))
except AnalysisIsStillRunning:
return _get_analysis_running_result(analysis_id=str(analysis_id))
sub_analyses: List[SubAnalysis] = analysis.get_sub_analyses()
all_sub_analyses_ids = [sub.analysis_id for sub in sub_analyses]
sub_analyses_table = tableToMarkdown('Sub Analyses',
all_sub_analyses_ids,
headers=['Analysis IDs'])
context_json = {
'ID': analysis.analysis_id,
'SubAnalysesIDs': all_sub_analyses_ids
}
return CommandResults(outputs_prefix='Intezer.Analysis',
outputs_key_field='ID',
readable_output=sub_analyses_table,
outputs=context_json,
raw_response=all_sub_analyses_ids)
def check_analysis_status_and_get_results_command(
intezer_api: IntezerApi, args: dict) -> List[CommandResults]:
analysis_type = args.get('analysis_type', 'File')
analysis_ids = argToList(args.get('analysis_id'))
indicator_name = args.get('indicator_name')
command_results = []
for analysis_id in analysis_ids:
try:
if analysis_type == 'Endpoint':
response = intezer_api.get_url_result(
f'/endpoint-analyses/{analysis_id}')
analysis_result = response.json()['result']
elif analysis_type == 'Url':
analysis = UrlAnalysis.from_analysis_id(analysis_id,
api=intezer_api)
if not analysis:
command_results.append(
_get_missing_url_result(analysis_id))
continue
else:
analysis_result = analysis.result()
else:
analysis = FileAnalysis.from_analysis_id(analysis_id,
api=intezer_api)
if not analysis:
command_results.append(
_get_missing_analysis_result(analysis_id))
continue
else:
analysis_result = analysis.result()
if analysis_result and analysis_type == 'Endpoint':
command_results.append(
enrich_dbot_and_display_endpoint_analysis_results(
analysis_result, indicator_name))
elif analysis_result and analysis_type == 'Url':
command_results.append(
enrich_dbot_and_display_url_analysis_results(
analysis_result, intezer_api))
elif analysis_result:
command_results.append(
enrich_dbot_and_display_file_analysis_results(
analysis_result))
except HTTPError as http_error:
if http_error.response.status_code == HTTPStatus.CONFLICT:
command_results.append(
_get_analysis_running_result(analysis_id=analysis_id))
elif http_error.response.status_code == HTTPStatus.NOT_FOUND:
command_results.append(
_get_missing_analysis_result(analysis_id))
else:
raise http_error
except AnalysisIsStillRunning:
command_results.append(
_get_analysis_running_result(analysis_id=analysis_id))
return command_results
def get_analysis_iocs_command(intezer_api: IntezerApi,
args: dict) -> CommandResults:
analysis_id = args.get('analysis_id')
try:
analysis = FileAnalysis.from_analysis_id(analysis_id, api=intezer_api)
except HTTPError as error:
if error.response.status_code == HTTPStatus.CONFLICT:
return _get_analysis_running_result(analysis_id=str(analysis_id))
raise
if not analysis:
return _get_missing_analysis_result(analysis_id=str(analysis_id))
iocs = analysis.iocs
readable_output = ''
if iocs:
if network_iocs := iocs.get('network'):
readable_output += tableToMarkdown('Network IOCs', network_iocs)
if files_iocs := iocs.get('files'):
readable_output += tableToMarkdown('Files IOCs', files_iocs)
def test_get_analysis_by_id_analysis_object_when_latest_analysis_found(
self):
# Arrange
analysis_id = 'analysis_id'
analysis_report = {'analysis_id': analysis_id, 'sha256': 'hash'}
with responses.RequestsMock() as mock:
mock.add('GET',
url='{}/analyses/{}'.format(self.full_url, analysis_id),
status=200,
json={
'result': analysis_report,
'status': 'succeeded'
})
# Act
analysis = FileAnalysis.from_analysis_id(analysis_id)
self.assertIsNotNone(analysis)
self.assertEqual(analysis_id, analysis.analysis_id)
self.assertEqual(consts.AnalysisStatusCode.FINISH, analysis.status)
self.assertDictEqual(analysis_report, analysis.result())
def enrich_dbot_and_display_url_analysis_results(intezer_result, intezer_api):
summary = intezer_result.pop('summary')
_refine_gene_counts(summary)
intezer_result.update(summary)
verdict = summary['verdict_type']
submitted_url = intezer_result['submitted_url']
analysis_id = intezer_result['analysis_id']
dbot = {
'Vendor': 'Intezer',
'Type': 'Url',
'Indicator': submitted_url,
'Score': dbot_score_by_verdict.get(verdict, 0)
}
url = {
'URL': submitted_url,
'Metadata': intezer_result,
'ExistsInIntezer': True
}
if verdict == 'malicious':
url['Malicious'] = {'Vendor': 'Intezer'}
if 'redirect_chain' in intezer_result:
redirect_chain = ' → '.join(
f'{node["response_status"]}: {node["url"]}'
for node in intezer_result['redirect_chain'])
intezer_result['redirect_chain'] = redirect_chain
if 'indicators' in intezer_result:
indicators: Dict[str, List[str]] = defaultdict(list)
for indicator in intezer_result['indicators']:
indicators[indicator['classification']].append(indicator['text'])
indicators_text = [
get_indicator_text('malicious', indicators),
get_indicator_text('suspicious', indicators),
get_indicator_text('informative', indicators),
]
intezer_result['indicators'] = '\n'.join(
indicator_text for indicator_text in indicators_text
if indicator_text)
presentable_result = '## Intezer Url analysis result\n'
presentable_result += f' Url: {submitted_url}\n'
presentable_result += f' Verdict: **{verdict}** ({summary["verdict_name"]})\n'
presentable_result += f'[Analysis Link]({intezer_result["analysis_url"]})\n'
downloaded_file_presentable_result = ''
if 'downloaded_file' in intezer_result:
downloaded_file = intezer_result.pop('downloaded_file')
presentable_result += f'Downloaded file SHA256: {downloaded_file["sha256"]}\n'
presentable_result += f'Downloaded file Verdict: **{downloaded_file["analysis_summary"]["verdict_type"]}**\n'
downloaded_file_analysis = FileAnalysis.from_analysis_id(
downloaded_file['analysis_id'], intezer_api)
intezer_result['downloaded_file'] = downloaded_file_analysis.result()
downloaded_file_presentable_result = _file_analysis_presentable_code(
downloaded_file_analysis.result())
md = tableToMarkdown('Analysis Report',
intezer_result,
url_keys=['analysis_url'])
presentable_result += md + downloaded_file_presentable_result
return CommandResults(readable_output=presentable_result,
raw_response=intezer_result,
outputs={
outputPaths['dbotscore']: dbot,
outputPaths['url']: url,
'Intezer.Analysis(val.ID && val.ID == obj.ID)': {
'ID': analysis_id,
'Status': 'Done'
}
})
