def add_update_many(self, source, sig_type, data, dedup_name=True):
"""\
Add or update multiple signatures.
Required:
source : Source of the signature
sig_type : Type of signature
data : List of signatures
Data block example:
[ # List of signatures to update
{
"name": "sig_name", # Signature name
"type": "yara", # One of yara, suricata or tagcheck
"data": "rule sample {...}", # Data of the rule to be added
"source": "yara_signatures" # Source from where the signature has been gathered
},
...
]
Optional:
dedup_name : Should we check if the signatures already exist before inserting it (default: True)
Returns:
{
"success": 23, # Number of successful inserts
"errors": [], # List of signature that failed
"skipped": [], # List of skipped signatures, they already exist
}
"""
return self._connection.post(api_path_by_module(self, **get_function_kwargs('data', 'self')), json=data)
def list(self, query="*:*", rows=10, offset=0):
"""\
List the potential workflows (per page)
Required:
query : query to filter the workflow
rows : number of items returned
offset : offset in the results to start returning data
"""
return self._connection.get(
api_path('search', 'workflow', **get_function_kwargs('self')))
def dynamic(self, sha256, copy_sid=None, name=None):
"""\
Resubmit a file for dynamic analysis
Required:
sid : Submission ID. (string)
Throws a Client exception if the submission does not exist.
"""
kw = get_function_kwargs('self', 'sha256')
return self._connection.get(api_path_by_module(self, sha256, **kw))
def list(self, query="*:*", rows=10, offset=0, sort="uname asc"):
"""\
List users of the system (per page)
Required:
offset : Offset in the user bucket
query : Filter to apply to the user list
rows : Max number of user returned
sort : Sort order
"""
return self._connection.get(
api_path_by_module(self, **get_function_kwargs('self')))
def download(self, output=None, query=None):
"""\
Download the signatures. Defaults to all if no query is provided.
Optional:
output : Path or file handle. (string or file-like object)
query : lucene query (string)
If output is not specified the content is returned.
"""
path = api_path_by_module(self, **get_function_kwargs('output', 'self'))
if output:
return self._connection.download(path, stream_output(output))
return self._connection.download(path, raw_output)
def multiple(self, error=None, result=None):
"""\
Get multiple result and error keys at the same time.
Optional:
error : List of error keys. (list of strings).
result : List of result keys. (list of strings).
"""
if result is None:
result = []
if error is None:
error = []
data = dumps(get_function_kwargs('self'))
return self._connection.post(api_path('result', 'multiple_keys'),
data=data)
def ownership(self, q, tc=None, tc_start=None, fq_list=None):
"""\
Set ownership on alerts matching the search criteria.
Required:
q : Query used to limit the scope of the data (string)
Optional:
tc : Time constraint applied to the query (string)
tc_start : Date which the time constraint will be applied to [Default: NOW] (string)
fq_list : List of filter queries (list of strings)
"""
if not fq_list:
fq_list = []
kw = get_function_kwargs('self', 'fq_list', 'ownership')
path = api_path('alert/ownership/batch',
params_tuples=[('fq', fq) for fq in fq_list],
**kw)
return self._connection.get(path)
def status(self, q, status, tc=None, tc_start=None, fq_list=None):
"""\
Set the status on alerts matching the search criteria.
Required:
q : Query used to limit the scope of the data (string)
status : Status (enum: MALICIOUS, NON-MALICIOUS, ASSESS)
Optional:
tc : Time constraint applied to the query (string)
tc_start : Date which the time constraint will be applied to [Default: NOW] (string)
fq_list : List of filter queries (list of strings)
"""
if not fq_list:
fq_list = []
kw = get_function_kwargs('self', 'fq_list', 'status')
path = api_path('alert/status/batch',
params_tuples=[('fq', fq) for fq in fq_list],
**kw)
return self._connection.post(path, json=status)
def priority(self, q, priority, tc=None, tc_start=None, fq_list=None):
"""\
Set the priority on alerts matching the search criteria.
Required:
q : Query used to limit the scope of the data (string)
priority: Priority (enum: LOW, MEDIUM, HIGH, CRITICAL)
Optional:
tc : Time constraint applied to the query (string)
tc_start : Date which the time constraint will be applied to [Default: NOW] (string)
fq_list : List of filter queries (list of strings)
"""
if not fq_list:
fq_list = []
kw = get_function_kwargs('self', 'fq_list', 'priority')
path = api_path('alert/priority/batch',
params_tuples=[('fq', fq) for fq in fq_list],
**kw)
return self._connection.post(path, json=priority)
def label(self, q, labels, tc=None, tc_start=None, fq_list=None):
"""\
Add labels to alerts matching the search criteria.
Required:
q : Query used to limit the scope of the data (string)
labels : Labels to apply (list of strings)
Optional:
tc : Time constraint applied to the query (string)
tc_start : Date which the time constraint will be applied to [Default: NOW] (string)
fq_list : List of filter queries (list of strings)
"""
if not fq_list:
fq_list = []
kw = get_function_kwargs('self', 'fq_list', 'labels')
path = api_path('alert/label/batch',
params_tuples=[('fq', fq) for fq in fq_list],
**kw)
return self._connection.post(path, json=labels)
def download(self, sha256, encoding=None, sid=None, output=None):
"""\
Download the file with the given sha256.
Required:
sha256 : File key (string)
Optional:
encoding : Which file encoding do you want for the file (string)
output : Path or file handle (string or file-like object)
sid : ID of the submission the download is for
If carted the file will inherit the submission metadata (string)
If output is not specified the content is returned.
Throws a Client exception if the file does not exist.
"""
kw = get_function_kwargs('output', 'self', 'sha256')
path = api_path_by_module(self, sha256, **kw)
if output:
return self._connection.download(path, stream_output(output))
return self._connection.download(path, raw_output)
def add_update(self, data, dedup_name=True):
"""\
Add or update a signature.
Required:
Data block:
{
"name": "sig_name", # Signature name
"type": "yara", # One of yara, suricata or tagcheck
"data": "rule sample {...}", # Data of the rule to be added
"source": "yara_signatures" # Source from where the signature has been gathered
}
Optional:
dedup_name : Should we check if the signature already exist before inserting it (default: True)
Returns:
{
"success": True,
"signature_id": <ID of the saved signature>
}
"""
return self._connection.post(api_path_by_module(self, **get_function_kwargs('data', 'self')), json=data)