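class DockerConfig(odm.Model):
    """Container launch settings: image, pull credentials, resources, env and ports.

    Every attribute is an ODM field descriptor; the annotation next to it
    mirrors the value type the field carries.
    """

    # Opt-in only: the default denies the container internet access.
    allow_internet_access: bool = odm.Boolean(
        default=False, description="Does the container have internet-access?")
    command: Opt[list[str]] = odm.Optional(
        odm.List(odm.Keyword()),
        description="Command to run when container starts up.")
    cpu_cores: float = odm.Float(default=1.0, description="CPU allocation")
    environment: list[EnvironmentVariable] = odm.List(
        odm.Compound(EnvironmentVariable), default=[],
        description="Additional environment variables for the container")
    image: str = odm.Keyword(
        description="Complete name of the Docker image with tag, may include registry")
    # Registry pull credentials. NOTE(review): registry_password is a secret but is a
    # plain optional Keyword with no index/store flags here, unlike credential fields
    # elsewhere in this schema that set index=False, store=False -- confirm how it is
    # indexed and whether the API ever returns it.
    registry_username: Opt[str] = odm.Optional(
        odm.Keyword(), description="The username to use when pulling the image")
    registry_password: Opt[str] = odm.Optional(
        odm.Keyword(), description="The password or token to use when pulling the image")
    registry_type: str = odm.Enum(values=["docker", "harbor"], default='docker',
                                  description="The type of container registry")
    ports: list[str] = odm.List(
        odm.Keyword(), default=[], description="What ports of container to expose?")
    # ram_mb is the limit and ram_mb_min the request (per the descriptions);
    # the request defaults below the limit.
    ram_mb: int = odm.Integer(default=512, description="Container RAM limit")
    ram_mb_min: int = odm.Integer(default=128, description="Container RAM request")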
class FileShortcut(odm.Model):
    """Metadata extracted from a shortcut file (presumably Windows .lnk -- the
    Tracker block field suggests so; confirm against the extractor).

    Every field is an optional list of keywords with ``copyto="__text__"``,
    which presumably makes the values searchable as free text.
    """

    command_line = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Command Line")
    icon_location = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Icon Location")
    machine_id = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Machine ID")
    # Host identifier carried by the shortcut; useful for attribution/pivoting in triage.
    tracker_mac = odm.Optional(
        odm.List(odm.Keyword(copyto="__text__")),
        description="Possible MAC address from the Tracker block"
    )
class Signature(odm.Model):
    """A named signature raised during analysis, with its subjects and ATT&CK mapping.

    ``process`` is the process the signature is associated with; ``subjects``
    lists the things it was raised on (each may carry any mix of IP, domain,
    URI, process, file or registry key).
    """

    @odm.model(
        description="The subject of the signature, aka something interesting that the signature was raised on that is worth reporting")
    class Subject(odm.Model):
        """One item the signature was raised on; all fields are optional."""

        ip = odm.Optional(odm.IP(), description="Subject's IP")
        domain = odm.Optional(odm.Domain(), description="Subject's domain")
        uri = odm.Optional(odm.URI(), description="Subject's URI")
        process = odm.Optional(odm.Compound(Process), description="Subject's process")
        file = odm.Optional(odm.Text(), description="Subject's file")
        registry = odm.Optional(odm.Text(), description="Subject's registry key")

    name = odm.Keyword(description="The name of the signature")
    process = odm.Optional(
        odm.Compound(Process), description="The process associated with the signature")
    subjects = odm.Optional(
        odm.List(odm.Compound(Subject)),
        description="A list of subjects. A signature can have more than one subject.")
    # Field is named `description` on purpose; it does not clash with the
    # `description=` keyword of the ODM field constructors.
    description = odm.Optional(
        odm.Keyword(), description="The description of the signature")
    attack = odm.Optional(
        odm.List(odm.Compound(Attack)),
        description="A list of Att&ck patterns and categories of the signature")
class Current(odm.Model):
    """The current assignment for a service worker"""

    status: str = odm.Enum(values=STATUSES, default='INITIALIZING')  # Status of the client
    task: Opt[Task] = odm.Optional(odm.Compound(Task))  # The worker's current task, if any
    # Time the task was assigned to the client
    # NOTE(review): the name suggests a deadline rather than the assignment time -- confirm
    # which the writer stores before relying on it for timeout handling.
    task_timeout: Opt[datetime] = odm.Optional(odm.Date())
class Service(odm.Model):
    """Registered analysis service: file types it handles, runtime container,
    dependencies and update settings.
    """

    # Regexes applied to assemblyline style file type string
    accepts = odm.Keyword(store=True, default=DEFAULT_SERVICE_ACCEPTS)
    rejects = odm.Optional(odm.Keyword(store=True, default=DEFAULT_SERVICE_REJECTS))
    category = odm.Keyword(store=True, default="Static Analysis", copyto="__text__")
    # Free-form config: odm.Any() means values are not type-checked by the model.
    config = odm.Mapping(odm.Any(), default={}, index=False, store=False)
    description = odm.Text(store=True, default="NA", copyto="__text__")
    default_result_classification = odm.ClassificationString(default=Classification.UNRESTRICTED)
    # New services start disabled (default=False).
    enabled = odm.Boolean(store=True, default=False)
    is_external = odm.Boolean(default=False)
    licence_count = odm.Integer(default=0)
    name = odm.Keyword(store=True, copyto="__text__")
    version = odm.Keyword(store=True)

    # Should the result cache be disabled for this service
    disable_cache = odm.Boolean(default=False)

    stage = odm.Keyword(store=True, default="CORE", copyto="__text__")
    # NOTE(review): annotated as SubmissionParams but the field is a List of them.
    submission_params: SubmissionParams = odm.List(
        odm.Compound(SubmissionParams), index=False, default=[])
    timeout = odm.Integer(default=60)  # unit not stated here; presumably seconds -- confirm

    docker_config: DockerConfig = odm.Compound(DockerConfig)
    dependencies = odm.Mapping(odm.Compound(DependencyConfig), default={})

    update_channel: str = odm.Enum(values=["stable", "rc", "beta", "dev"], default='stable')
    update_config: UpdateConfig = odm.Optional(odm.Compound(UpdateConfig))
class Alert(odm.Model): alert_id = odm.Keyword(copyto="__text__") # ID of the alert al = odm.Compound(ALResults) # Assemblyline result block archive_ts = odm.Date(store=False) # Archiving timestamp attack = odm.Compound(Attack) # Attack result block classification = odm.Classification() # Classification of the alert expiry_ts = odm.Optional(odm.Date(store=False)) # Expiry timestamp extended_scan = odm.Enum(values=EXTENDED_SCAN_VALUES, store=False) # Status of the extended scan file = odm.Compound(File) # File block filtered = odm.Boolean(default=False) # Are the alert result filtered heuristic = odm.Compound(Heuristic) # Heuristic result block label = odm.List(odm.Keyword(), copyto="__text__", default=[]) # List of labels applied to the alert metadata = odm.FlattenedObject( default={}, store=False) # Metadata submitted with the file owner = odm.Optional(odm.Keyword()) # Owner of the alert priority = odm.Optional( odm.Enum(values=PRIORITIES)) # Priority applied to the alert reporting_ts = odm.Date() # Time at which the alert was created sid = odm.UUID(store=False) # ID of the submission related to this alert status = odm.Optional( odm.Enum(values=STATUSES)) # Status applied to the alert ts = odm.Date() # Timestamp at which the file was submitted type = odm.Keyword() # Type of alert verdict = odm.Compound(Verdict, default={}) # Verdict timing
class FilePListDTPlatform(odm.Model):
    """Platform block of a plist ``DT*`` (build-tool) section: build, name, version.

    All three are optional keyword lists copied to ``__text__``.
    """

    build = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))
    name = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))
    version = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))
class AppProvider(odm.Model):
    """Endpoints and client credentials for an external identity/app provider
    (the field names match an OAuth2-style flow -- confirm against the consumer).

    NOTE(review): several annotations say ``str`` although the field is
    ``odm.Optional`` and may therefore be None.
    """

    access_token_url: str = odm.Keyword()
    user_get: str = odm.Optional(odm.Keyword())
    group_get: str = odm.Optional(odm.Keyword())
    scope: str = odm.Keyword()
    client_id: str = odm.Optional(odm.Keyword())
    # Secret: a plain optional Keyword here with no index/store flags -- confirm
    # it is never indexed or returned by a config-dump API.
    client_secret: str = odm.Optional(odm.Keyword())
class IngestTask(odm.Model):
    """Unit of work tracked by the ingester: the submission plus ingestion bookkeeping.

    ``file_size``, ``params`` and ``sha256`` are read-through properties into
    ``submission``; they are not ODM fields.
    """

    # Submission Parameters
    submission: Submission = odm.Compound(Submission)

    # Shortcut for properties of the submission
    @property
    def file_size(self) -> int:
        """Total size of all files in the submission (0 when there are none)."""
        return sum(file.size for file in self.submission.files)

    @property
    def params(self) -> SubmissionParams:
        """The submission's parameter block."""
        return self.submission.params

    @property
    def sha256(self) -> str:
        """SHA256 of the first file of the submission.

        Raises IndexError when ``submission.files`` is empty.
        """
        return self.submission.files[0].sha256

    # Information about the ingestion itself, parameters irrelevant
    scan_key = odm.Optional(odm.Keyword())  # the filescore key
    retries = odm.Integer(default=0)  # no cap is visible here; presumably enforced by the ingester

    # Fields added after a submission is complete for notification/bookkeeping processes
    failure = odm.Text(default='')  # If the ingestion has failed for some reason, what is it?
    score = odm.Optional(odm.Integer())  # Score from previous processing of this file
    extended_scan = odm.Enum(EXTENDED_SCAN_VALUES, default="skipped")
    ingest_id = odm.UUID()
    ingest_time = odm.Date(default="NOW")  # "NOW" is a sentinel resolved by odm.Date -- confirm semantics
class FileOLE(odm.Model):
    """OLE (compound document) metadata: macro hashes/strings, summary-information
    properties and a few document-level identifiers.

    Every leaf field is an optional list copied to ``__text__``.
    """

    @odm.model(index=True, store=False, description="OLE Macro Model")
    class FileOLEMacro(odm.Model):
        """Per-macro indicators: SHA256 of the macro and strings flagged as suspicious."""

        sha256 = odm.Optional(odm.List(odm.SHA256(copyto="__text__")), description="SHA256 of Macro")
        suspicious_string = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Suspicious Strings")

    @odm.model(index=True, store=False, description="OLE Summary Model")
    class FileOLESummary(odm.Model):
        """SummaryInformation-style document properties (author, timestamps, ...)."""

        author = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Author")
        codepage = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Code Page")
        comment = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Comment")
        company = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Company")
        create_time = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Creation Time")
        last_printed = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Date Last Printed")
        last_saved_by = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="User Last Saved By")
        last_saved_time = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Date Last Saved")
        manager = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Manager")
        subject = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Subject")
        title = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Title")

    macro = odm.Optional(odm.Compound(FileOLEMacro), description="OLE Macro")
    summary = odm.Optional(odm.Compound(FileOLESummary), description="OLE Summary")
    clsid = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="CLSID")
    # DDE links embedded in the document; a detection-relevant indicator worth pivoting on.
    dde_link = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="DDE Link")
    fib_timestamp = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="FIB Timestamp")
class FileIMGExiftool(odm.Model):
    """Image provenance fields as reported by exiftool (creator tool, document and
    instance identifiers, toolkit). All optional keyword lists copied to ``__text__``.
    """

    creator_tool = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Image Creation Tool")
    derived_document_id = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Derived Document ID")
    document_id = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Document ID")
    instance_id = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Instance ID")
    toolkit = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Toolkit")
class SMTP(odm.Model):
    """Outbound mail server settings.

    NOTE(review): ``from_adr``, ``host``, ``password`` and ``user`` are annotated
    ``str`` but are ``odm.Optional`` and may be None; ``port`` and ``tls`` have no
    default and so must be supplied.
    """

    from_adr: str = odm.Optional(odm.Keyword())
    host: str = odm.Optional(odm.Keyword())
    # Secret: plain optional Keyword, no index/store flags visible -- confirm it is
    # redacted wherever this config block is logged or served.
    password: str = odm.Optional(odm.Keyword())
    port: int = odm.Integer()
    tls: bool = odm.Boolean()
    user: str = odm.Optional(odm.Keyword())
class ESMetrics(odm.Model):
    """Elasticsearch metrics destination and index lifecycle ages.

    ``warm``/``cold``/``delete`` are ages expressed in ``unit`` ('d', 'h' or 'm';
    presumably days/hours/minutes -- confirm in the consumer).
    NOTE(review): ``hosts`` is annotated ``str`` but is an optional List of
    keywords; ``host_certificates`` is optional and may be None.
    """

    hosts: str = odm.Optional(odm.List(odm.Keyword()))
    # Certificate material for the ES hosts; how the value is loaded (path vs inline
    # PEM) is not visible here.
    host_certificates: str = odm.Optional(odm.Keyword())
    warm: int = odm.Integer()
    cold: int = odm.Integer()
    delete: int = odm.Integer()
    unit = odm.Enum(['d', 'h', 'm'])
class Statistics(odm.Model):
    """Hit statistics: count, min/max/avg/sum of values, and first/last hit dates.

    ``min``, ``max`` and ``sum`` shadow the builtins inside the class body only;
    harmless here because nothing in the body calls them.
    """

    count = odm.Integer(default=0)
    min = odm.Integer(default=0)
    max = odm.Integer(default=0)
    avg = odm.Integer(default=0)  # stored as an Integer, so any fractional average is not representable
    sum = odm.Integer(default=0)
    first_hit = odm.Optional(odm.Date())
    last_hit = odm.Optional(odm.Date())
class Section(odm.Model): body = odm.Optional(odm.Text(copyto="__text__")) # Text body of the result section classification = odm.Classification() # Classification of the section body_format = odm.Enum(values=BODY_FORMAT, index=False) # Type of body in this section depth = odm.Integer(index=False) # Depth of the section heuristic = odm.Optional(odm.Compound(Heuristic)) # Heuristic used to score result section tags = odm.Compound(Tagging, default={}) # List of tags associated to this section title_text = odm.Text(copyto="__text__") # Title of the section
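class Statistics(odm.Model):
    """Hit statistics: count, min/max/avg/sum of values, and first/last hit dates.

    ``min``, ``max`` and ``sum`` shadow the builtins inside the class body only;
    harmless here because nothing in the body calls them.
    """

    count = odm.Integer(default=0, description="Count of statistical hits")
    min = odm.Integer(default=0, description="Minimum value of all statistical hits")
    max = odm.Integer(default=0, description="Maximum value of all statistical hits")
    # Integer field: a fractional average cannot be represented.
    avg = odm.Integer(default=0, description="Average of all statistical hits")
    sum = odm.Integer(default=0, description="Sum of all statistical hits")
    first_hit = odm.Optional(odm.Date(), description="Date of first hit of statistic")
    last_hit = odm.Optional(odm.Date(), description="Date of last hit of statistic")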
class Heuristic(odm.Model): heur_id = odm.Keyword(copyto="__text__") # Triggered heuristic name = odm.Keyword(copyto="__text__") # Name of the heuristics attack_id = odm.Optional(odm.Enum(values=PATTERNS, copyto="__text__")) # Attack matrix ID attack_pattern = odm.Optional(odm.Keyword(copyto="__text__")) # Attack matrix Pattern Name attack_categories = odm.Optional(odm.List(odm.Keyword())) # Attack matrix Categories signature = odm.Optional(odm.Keyword()) # Signature that triggered the heuristic score = odm.Integer() # Heuristic's score
class ScalerProfile(odm.Model):
    """Minimal description for an assemblyline core component controlled by the scaler."""

    # NOTE(review): growth/shrink/backlog/min_instances/max_instances are annotated
    # `int` but are odm.Optional, so they may be None; callers must handle that.
    growth: int = odm.Optional(odm.Integer())
    shrink: int = odm.Optional(odm.Integer())
    backlog: int = odm.Optional(odm.Integer())
    min_instances: int = odm.Optional(odm.Integer())
    max_instances: int = odm.Optional(odm.Integer())
    queue: str = odm.Keyword()  # required: no default and not optional
    container_config: DockerConfig = odm.Compound(DockerConfig)
class FilePListDT(odm.Model):
    """Plist ``DT*`` build-tool section: compiler plus a nested platform block."""

    @odm.model(index=True, store=False, description="PList DT Platform Model")
    class FilePListDTPlatform(odm.Model):
        """Platform build/name/version as optional keyword lists copied to ``__text__``."""

        build = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Build")
        name = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Name")
        version = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Version")

    compiler = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Compiler")
    platform = odm.Optional(odm.Compound(FilePListDTPlatform), description="Platform Information")
class ResponseBody(odm.Model): milestones = odm.Compound(Milestone, default={}) # Milestone block service_version = odm.Keyword(store=False) # Version of the service service_name = odm.Keyword(copyto="__text__") # Name of the service that scan the file service_tool_version = odm.Optional(odm.Keyword(copyto="__text__")) # Tool version of the service supplementary = odm.List(odm.Compound(File), default=[]) # List of supplementary files extracted = odm.List(odm.Compound(File), default=[]) # List of extracted files service_context = odm.Optional(odm.Keyword(index=False, store=False)) # Context about the service service_debug_info = odm.Optional(odm.Keyword(index=False, store=False)) # Debug info about the service
class FileSWFHeader(odm.Model):
    """SWF header: version plus a nested frame block (count, rate, size)."""

    @odm.model(index=True, store=False, description="SWF Header Frame")
    class FileSWFHeaderFrame(odm.Model):
        """Frame information from the SWF header."""

        count = odm.Optional(odm.List(odm.Integer()), description="Number of Frames")
        rate = odm.Optional(odm.List(odm.Keyword()), description="Speed of Animation")
        size = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Size of Frame")

    frame = odm.Optional(odm.Compound(FileSWFHeaderFrame), description="Header Frame Information")
    version = odm.Optional(odm.List(odm.Keyword(copyto="__text__")), description="Version")
class User(odm.Model):
    """User account: identity, authentication material, quotas and authorization
    attributes (classification, groups, type).

    Credential and token fields (``apikeys``, ``apps``, ``otp_sk``, ``password``,
    ``security_tokens``) are all declared ``index=False, store=False``.
    """

    agrees_with_tos = odm.Optional(
        odm.Date(index=False, store=False),
        description="Date the user agree with terms of service")
    api_quota = odm.Integer(
        default=10, store=False, description="Maximum number of concurrent API requests")
    apikeys = odm.Mapping(odm.Compound(ApiKey), default={}, index=False, store=False,
                          description="Mapping of API keys")
    apps = odm.Mapping(odm.Compound(Apps), default={}, index=False, store=False,
                       description="Applications with access to the account")
    # Privileged capability; off by default.
    can_impersonate = odm.Boolean(
        default=False, index=False, store=False,
        description="Allowed to query on behalf of others?")
    # Upper bound on what the user may see; defaults to the least privileged level.
    classification = odm.Classification(
        is_user_classification=True, copyto="__text__",
        default=Classification.UNRESTRICTED,
        description="Maximum classification for the user")
    dn = odm.Optional(odm.Keyword(store=False, copyto="__text__"), description="User's LDAP DN")
    email = odm.Optional(odm.Email(copyto="__text__"), description="User's email address")
    groups = odm.List(odm.Keyword(), copyto="__text__", default=["USERS"],
                      description="List of groups the user submits to")
    is_active = odm.Boolean(default=True, description="Is the user active?")
    name = odm.Keyword(copyto="__text__", description="Full name of the user")
    # TOTP seed: must never be indexed, stored in search or returned by the API.
    otp_sk = odm.Optional(
        odm.Keyword(index=False, store=False),
        description="Secret key to generate one time passwords")
    # Holds the bcrypt hash (per the description), never the cleartext password.
    password = odm.Keyword(index=False, store=False,
                           description="BCrypt hash of the user's password")
    submission_quota = odm.Integer(
        default=5, store=False, description="Maximum number of concurrent submissions")
    type = odm.List(odm.Enum(values=USER_TYPES), default=['user'], description="Type of user")
    security_tokens = odm.Mapping(odm.Keyword(), index=False, store=False, default={},
                                  description="Map of security tokens")
    uname = odm.Keyword(copyto="__text__", description="Username")
class UpdateSource(odm.Model):
    """A remote source a service pulls updates (e.g. signatures) from, with the
    credentials and headers used to fetch it.
    """

    name = odm.Keyword()
    # Secrets. NOTE(review): both are plain optional Keywords with no index/store
    # flags visible -- confirm they are redacted when the service config is
    # listed or exported.
    password = odm.Optional(odm.Keyword())
    pattern = odm.Optional(odm.Keyword())
    private_key = odm.Optional(odm.Keyword())
    uri = odm.Keyword()
    username = odm.Optional(odm.Keyword())
    # Extra request headers, reusing the EnvironmentVariable name/value shape.
    headers = odm.List(odm.Compound(EnvironmentVariable), default=[])
    # Classification applied to fetched content unless the source says otherwise.
    default_classification = odm.Classification(default=Classification.UNRESTRICTED)
class POGO(odm.Model):
    """PE POGO debug entry: its signature and the list of (name, size, start RVA) records."""

    @odm.model(index=True, store=False)
    class Entry(odm.Model):
        """One POGO record."""

        name = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        size = odm.Optional(odm.Integer())
        start_rva = odm.Optional(odm.Integer())

    entries = odm.Optional(odm.List(odm.Compound(Entry)))
    signature = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
class ResultOntology(odm.Model):
    """Top-level ontology record: a header plus optional lists of
    antivirus, PE and sandbox ontology blocks.
    """

    header = odm.Compound(ResultOntologyHeader, description="Result Ontology Header")
    antivirus = odm.Optional(odm.List(odm.Compound(Antivirus)), description="List of Antivirus Ontologies")
    pe = odm.Optional(odm.List(odm.Compound(PE)), description="List of PE Ontologies")
    sandbox = odm.Optional(odm.List(odm.Compound(Sandbox)), description="List of Sandbox Ontologies")
class ObjectID(odm.Model):
    """Identity of an observed object: a GUID, its normalized tag, and where it sits
    in the process tree (hashed ``treeid`` and human-readable ``processtree``).
    """

    guid = odm.Text(description="The GUID associated with the object")
    tag = odm.Optional(odm.Text(), description="The normalized tag of the object")
    treeid = odm.Optional(odm.Text(), description="The hash of the tree ID")
    processtree = odm.Optional(
        odm.Keyword(), description="Human-readable tree ID (concatenation of tags)")
    time_observed = odm.Optional(
        odm.Date(), description="The time at which the object was observed")
class Rich_Header(odm.Model):
    """PE Rich header: the list of (build_id, count, entry_id, key, hash) entries."""

    @odm.model(index=True, store=False)
    class Entry(odm.Model):
        """One Rich header entry."""

        build_id = odm.Optional(odm.Integer())
        count = odm.Optional(odm.Integer())
        entry_id = odm.Optional(odm.Integer())
        key = odm.Optional(odm.Integer())
        hash = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))  # shadows builtin hash() in class scope only

    entries = odm.Optional(odm.List(odm.Compound(Entry)))
class Response(odm.Model): message = odm.Text(copyto="__text__") # Error message service_debug_info = odm.Optional( odm.Keyword()) # Info about where the service was processed service_name = odm.Keyword( copyto="__text__") # Name of the service that had an error service_tool_version = odm.Optional( odm.Keyword(copyto="__text__")) # Tool version of the service service_version = odm.Keyword() # Version of the service status = odm.Enum(values=STATUSES) # Status of the error
class FilePEImports(odm.Model):
    """Hashes over a PE import table (plain and sorted variants) plus imports
    flagged as suspicious; useful for clustering samples by import profile.
    """

    fuzzy = odm.Optional(odm.List(odm.SSDeepHash(copyto="__text__")))
    md5 = odm.Optional(odm.List(odm.MD5(copyto="__text__")))
    sorted_fuzzy = odm.Optional(odm.List(odm.SSDeepHash(copyto="__text__")))
    sorted_sha1 = odm.Optional(odm.List(odm.SHA1(copyto="__text__")))
    suspicious = odm.Optional(odm.List(odm.Keyword(copyto="__text__")))
class Version(odm.Model):
    """PE VS_VERSIONINFO resource: fixed file info, string tables and var info.

    Nesting follows the resource layout: ``String_File_Info`` holds
    ``LangCode_Item`` blocks, each holding key/value ``Item`` pairs.
    Several models reuse the names ``key``/``type``; they are distinct fields
    at each level.
    """

    @odm.model(index=True, store=False)
    class Fixed_File_Info(odm.Model):
        """Numeric VS_FIXEDFILEINFO fields (version/date split into ms/ls halves)."""

        file_date_ls = odm.Optional(odm.Integer())
        file_date_ms = odm.Optional(odm.Integer())
        file_flags = odm.Optional(odm.Integer())
        file_flags_mask = odm.Optional(odm.Integer())
        file_os = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        file_subtype = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        file_type = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        file_version_ls = odm.Optional(odm.Integer())
        file_version_ms = odm.Optional(odm.Integer())
        product_version_ls = odm.Optional(odm.Integer())
        product_version_ms = odm.Optional(odm.Integer())
        signature = odm.Optional(odm.Integer())
        struct_version = odm.Optional(odm.Integer())

    @odm.model(index=True, store=False)
    class String_File_Info(odm.Model):
        """StringFileInfo block: a list of per-language-code string tables."""

        @odm.model(index=True, store=False)
        class LangCode_Item(odm.Model):
            """One StringTable, identified by language, sublanguage and code page."""

            @odm.model(index=True, store=False)
            class Item(odm.Model):
                """A single key/value string entry."""

                key = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
                value = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))

            key = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
            type = odm.Optional(odm.Integer())
            lang = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
            sublang = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
            code_page = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
            items = odm.Optional(odm.List(odm.Compound(Item)))

        key = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        type = odm.Optional(odm.Integer())
        langcode_items = odm.Optional(odm.List(odm.Compound(LangCode_Item)))

    @odm.model(index=True, store=False)
    class Var_File_Info(odm.Model):
        """VarFileInfo block: key, type and the translation list."""

        key = odm.Optional(odm.EmptyableKeyword(copyto="__text__"))
        type = odm.Optional(odm.Integer())
        translations = odm.Optional(odm.List(odm.Integer()))

    type = odm.Optional(odm.Integer())
    fixed_file_info = odm.Optional(odm.Compound(Fixed_File_Info))
    string_file_info = odm.Optional(odm.Compound(String_File_Info))
    var_file_info = odm.Optional(odm.Compound(Var_File_Info))