class ALResults(odm.Model):
    """Summary of Assemblyline results attached to an alert.

    Collects the indicators and verdict data from a submission: attribution,
    AV and YARA hits, observed behaviours, and the domains, IPs and URIs seen.
    Each network indicator type is kept three ways: a combined list plus
    separate lists for what Dynamic and Static Analysis found. Fields marked
    ``copyto="__text__"`` presumably feed a shared free-text search field —
    confirm against the odm field definition.
    """
    # NOTE(review): default=[] is passed to every list field; confirm the odm
    # layer copies that default per instance rather than sharing one list.
    attrib = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__", description="List of attribution")
    av = odm.List(odm.Keyword(), default=[], store=True, copyto="__text__", description="List of AV hits")
    behavior = odm.List(odm.Keyword(), default=[], copyto="__text__", description="List of behaviors for the alert")
    detailed = odm.Compound(DetailedResults, description="Assemblyline Detailed result block")
    # Only the combined indicator lists are copied to __text__; the
    # dynamic/static splits below are indexed on their own fields.
    domain = odm.List(odm.Domain(), default=[], copyto="__text__", description="List of all domains")
    domain_dynamic = odm.List(odm.Domain(), default=[], description="List of domains found during Dynamic Analysis")
    domain_static = odm.List(odm.Domain(), default=[], description="List of domains found during Static Analysis")
    ip = odm.List(odm.IP(), default=[], copyto="__text__", description="List of all IPs")
    ip_dynamic = odm.List(odm.IP(), default=[], description="List of IPs found during Dynamic Analysis")
    ip_static = odm.List(odm.IP(), default=[], description="List of IPs found during Static Analysis")
    # index=False: the timestamp is stored but not searchable.
    request_end_time = odm.Date(index=False, description="Finish time of the Assemblyline submission")
    score = odm.Integer(store=True, description="Maximum score found in the submission")
    uri = odm.List(odm.URI(), default=[], copyto="__text__", description="List of all URIs")
    uri_dynamic = odm.List(odm.URI(), default=[], description="List of URIs found during Dynamic Analysis")
    uri_static = odm.List(odm.URI(), default=[], description="List of URIs found during Static Analysis")
    yara = odm.List(odm.Keyword(), default=[], copyto="__text__", description="List of YARA rule hits")
 class Subject(odm.Model):
     """An observable that an event or signature refers to.

     Every field is optional; presumably only the field(s) matching the
     kind of observable (network endpoint, process, file or registry key)
     are populated — confirm against the callers that build this model.
     """
     ip = odm.Optional(odm.IP(), description="Subject's IP")
     domain = odm.Optional(odm.Domain(), description="Subject's domain")
     uri = odm.Optional(odm.URI(), description="Subject's URI")
     # Process is a nested model; its definition is outside this listing.
     process = odm.Optional(odm.Compound(Process),
                            description="Subject's process")
     # file and registry are free text, not validated path/key types.
     file = odm.Optional(odm.Text(), description="Subject's file")
     registry = odm.Optional(odm.Text(),
                             description="Subject's registry key")
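class NetworkHTTP(odm.Model):
    """One observed HTTP request/response pair.

    Wraps the low-level connection details with the request line, headers
    and body, and the optional response status, headers and body.
    ``request_method`` is constrained to a fixed set of standard and WebDAV
    method names; every method appears exactly once in the list (the
    original listed "DELETE" twice, once under each group, which added
    nothing to the accepted set).
    """
    connection_details = odm.Compound(
        NetworkConnection,
        description="The low-level details of the HTTP request")
    request_uri = odm.URI(description="The URI requested")
    # Header values are stored as JSON, so non-string values are accepted;
    # presumably header name -> value — confirm against the producers.
    request_headers = odm.Mapping(
        odm.Json(), description="Headers included in the request")
    # Free text; no length limit is declared on this field.
    request_body = odm.Optional(odm.Text(),
                                description="The body of the request")
    request_method = odm.Enum(
        [
            # Standard HTTP methods
            "GET",
            "POST",
            "PUT",
            "DELETE",
            "HEAD",
            "CONNECT",
            "OPTIONS",
            "TRACE",
            "PATCH",
            # WebDAV HTTP methods (DELETE is already listed above)
            "BCOPY",
            "BDELETE",
            "BMOVE",
            "BPROPFIND",
            "BPROPPATCH",
            "COPY",
            "LOCK",
            "MKCOL",
            "MOVE",
            "NOTIFY",
            "POLL",
            "PROPFIND",
            "PROPPATCH",
            "SEARCH",
            "SUBSCRIBE",
            "UNLOCK",
            "UNSUBSCRIBE",
            "X-MS-ENUMATTS"
        ],
        description="The method of the request")
    response_headers = odm.Mapping(
        odm.Json(), description="Headers included in the response")
    # Optional: a request may have been observed without a response.
    response_status_code = odm.Optional(
        odm.Integer(), description="The status code of the response")
    # Free text; no length limit is declared on this field.
    response_body = odm.Optional(odm.Text(),
                                 description="The body of the response")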
 class NetworkIOCs(odm.Model):
     """Network indicators extracted from a result, grouped by type.

     Each list is optional and its elements are copied to ``__text__``,
     which presumably feeds a shared free-text search field — confirm
     against the odm field definition. Fields carry no descriptions here;
     a later definition of this class in the same listing supplies them
     and, being defined afterwards, is the one that takes effect at import.
     """
     domain = odm.Optional(odm.List(odm.Domain(copyto="__text__")))
     ip = odm.Optional(odm.List(odm.IP(copyto="__text__")))
     uri = odm.Optional(odm.List(odm.URI(copyto="__text__")))
     uri_path = odm.Optional(odm.List(odm.URIPath(copyto="__text__")))
 class NetworkIOCs(odm.Model):
     """Network indicators extracted from a result, grouped by type.

     Each list is optional. The ``copyto="__text__"`` on the element types
     presumably feeds a shared free-text search field — confirm against
     the odm field definition. Note that ``copyto`` is set on the element
     type, not on the list field itself, unlike the list fields in
     ALResults.
     """
     domain = odm.Optional(odm.List(odm.Domain(copyto="__text__")), description="Domain")
     ip = odm.Optional(odm.List(odm.IP(copyto="__text__")), description="IP")
     uri = odm.Optional(odm.List(odm.URI(copyto="__text__")), description="URI")
     uri_path = odm.Optional(odm.List(odm.URIPath(copyto="__text__")), description="URI Path")