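def do_transform(self, request, response, config):
    """Enrich the request entity with its VirusTotal hash report.

    Runs the "VT Hash Report" oneshot, copies the verdict counters
    (``malicious``, ``undetected``, ``suspicious``, ``magic``) of the selected
    VirusTotal context entry onto the request entity, then appends one
    ``Hash`` per linked observable carrying the same counters.

    Args:
        request: Transform request; ``request.entity`` is the hash looked up.
        response: Transform response the entities are appended to.
        config: Passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response`` with the enriched entity and the linked hashes added.
        Unchanged when the oneshot returns a falsy result.
    """
    entity = request.entity
    res = run_oneshot("VT Hash Report", request, config)
    if res:
        # Only the VirusTotal entries of the first node's context are relevant.
        context_vt = [
            c for c in res["nodes"][0]["context"] if c["source"] == "VirusTotal"
        ]
        # NOTE(review): ascending sort on last_seen plus index 0 selects the
        # OLDEST entry; kept as in the original — confirm this is the intent.
        context_filter = sorted(context_vt, key=lambda x: parser.parse(x["last_seen"]))
        last_context = context_filter[0] if context_filter else None
        verdict_fields = ("malicious", "undetected", "suspicious", "magic")
        # The original subscripted last_context unconditionally and raised
        # TypeError when no VirusTotal context entry existed; without a
        # verdict the entities are still emitted, just unannotated.
        if last_context is not None:
            for field in verdict_fields:
                setattr(entity, field, last_context[field])
        response += entity
        for r in res["links"]:
            obs = get_observable(r["src"]["id"], config)
            h = Hash(obs["value"])
            if last_context is not None:
                for field in verdict_fields:
                    setattr(h, field, last_context[field])
            response += h
    return response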
def do_transform(self, request, response, config):
    """Append a ``Url`` entity for each observable linked by "VT Urls Contacted".

    Args:
        request: Transform request; its entity is the subject of the oneshot.
        response: Transform response the ``Url`` entities are appended to.
        config: Passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response`` with one ``Url`` per link in the oneshot result.
    """
    entity = request.entity  # not used below; attribute access kept as in the original
    result = run_oneshot("VT Urls Contacted", request, config)
    for link in result["links"]:
        source_id = link["src"]["id"]
        observable = get_observable(source_id, config)
        response += Url(observable["value"])
    return response
def do_transform(self, request, response, config):
    """Append a ``Hash`` entity for each file linked by "VT Com files domain".

    When the linked observable carries a ``tags`` list, the tag names are
    copied onto the new ``Hash``.

    Args:
        request: Transform request; its entity is the subject of the oneshot.
        response: Transform response the ``Hash`` entities are appended to.
        config: Passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response`` with one ``Hash`` per link in the oneshot result.
    """
    entity = request.entity  # not used below; attribute access kept as in the original
    result = run_oneshot("VT Com files domain", request, config)
    for link in result["links"]:
        observable = get_observable(link["src"]["id"], config)
        file_hash = Hash(observable["value"])
        try:
            tag_entries = observable["tags"]
        except KeyError:
            pass
        else:
            file_hash.tags = [tag["name"] for tag in tag_entries]
        response += file_hash
    return response
def do_transform(self, request, response, config):
    """Append a ``Hostname`` for each domain linked by "VT Domain Contacted".

    Each hostname's ``link_label`` records the link's ``first_seen`` and
    ``last_seen`` values.

    Args:
        request: Transform request; its entity is the subject of the oneshot.
        response: Transform response the ``Hostname`` entities are appended to.
        config: Passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response`` with one labelled ``Hostname`` per link.
    """
    entity = request.entity  # not used below; attribute access kept as in the original
    result = run_oneshot("VT Domain Contacted", request, config)
    label_template = "first_seen: %(first)s last_seen: %(last)s"
    for link in result["links"]:
        observable = get_observable(link["src"]["id"], config)
        host = Hostname(observable["value"])
        host.link_label = label_template % {
            "first": link["first_seen"],
            "last": link["last_seen"],
        }
        response += host
    return response
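def do_transform(self, request, response, config):
    """Append a ``Hostname`` for each resolution linked by "VT IP Resolution".

    For every linked observable, the "VirusTotal PDNS" context entries that
    mention the request entity's value are collected and the selected
    resolution date is written into the hostname's ``link_label``.

    Args:
        request: Transform request; ``request.entity.value`` is the IP looked up.
        response: Transform response the ``Hostname`` entities are appended to.
        config: Passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response`` with one ``Hostname`` per link; the label is only set
        when at least one matching PDNS context entry exists.
    """
    entity = request.entity
    res = run_oneshot("VT IP Resolution", request, config)
    for r in res["links"]:
        obs = get_observable(r["src"]["id"], config)
        hostname = Hostname(obs["value"])
        context_vt = [
            (entity.value, c[entity.value])
            for c in obs["context"]
            if c["source"] == "VirusTotal PDNS" and entity.value in c
        ]
        # NOTE(review): ascending sort plus index 0 selects the EARLIEST
        # resolution date; kept as in the original — confirm this is the intent.
        resolutions = sorted(context_vt, key=lambda x: parser.parse(x[1]))
        # The original indexed resolutions[0] unconditionally and raised
        # IndexError when no PDNS context entry mentioned the entity.
        if resolutions:
            hostname.link_label = "last_resolution: %s" % resolutions[0][1]
        response += hostname
    return response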