def do_transform(self, request, response, config):
entity = request.entity
res = run_oneshot("VT Hash Report", request, config)
if res:
virus_res = res["nodes"][0]
context_vt = list(
filter(lambda x: x["source"] == "VirusTotal",
res["nodes"][0]["context"]))
context_filter = sorted(context_vt,
key=lambda x: parser.parse(x["last_seen"]))
last_context = None
if len(context_filter) > 0:
last_context = context_filter[0]
entity.malicious = last_context["malicious"]
entity.undetected = last_context["undetected"]
entity.suspicious = last_context["suspicious"]
entity.magic = last_context["magic"]
response += entity
for r in res["links"]:
obs = get_observable(r["src"]["id"], config)
h = Hash(obs["value"])
h.malicious = last_context["malicious"]
h.undetected = last_context["undetected"]
h.suspicious = last_context["suspicious"]
h.magic = last_context["magic"]
response += h
return response
def do_transform(self, request, response, config):
entity = request.entity
res = run_oneshot("VT Urls Contacted", request, config)
for r in res["links"]:
obs = get_observable(r["src"]["id"], config)
url = Url(obs["value"])
response += url
return response
def do_transform(self, request, response, config):
entity = request.entity
res = run_oneshot("VT Com files domain", request, config)
for r in res["links"]:
obs = get_observable(r["src"]["id"], config)
new_file = Hash(obs["value"])
if "tags" in obs:
new_file.tags = [t["name"] for t in obs["tags"]]
response += new_file
return response
def do_transform(self, request, response, config):
entity = request.entity
res = run_oneshot("VT Domain Contacted", request, config)
for r in res["links"]:
obs = get_observable(r["src"]["id"], config)
hostname = Hostname(obs["value"])
hostname.link_label = "first_seen: %s last_seen: %s" % (
r["first_seen"],
r["last_seen"],
)
response += hostname
return response
def do_transform(self, request, response, config):
entity = request.entity
res = run_oneshot("VT IP Resolution", request, config)
for r in res["links"]:
obs = get_observable(r["src"]["id"], config)
hostname = Hostname(obs["value"])
context_vt = [
(entity.value, c[entity.value]) for c in obs["context"]
if c["source"] == "VirusTotal PDNS" and entity.value in c
]
last_resolution = sorted(context_vt,
key=lambda x: parser.parse(x[1]))
hostname.link_label = "last_resolution: %s" % last_resolution[0][1]
response += hostname
return response