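def do_transform(self, request, response, config):
    """Enrich a hash entity with VirusTotal verdict counters.

    Runs the "VT Hash Report" one-shot, takes the most recent ``VirusTotal``
    context attached to the first returned node and copies its ``malicious``,
    ``undetected``, ``suspicious`` and ``magic`` fields onto the input entity
    and onto one ``Hash`` entity per linked observable. All of them are
    appended to ``response``.

    Args:
        request: transform request; ``request.entity`` is the queried entity.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response``. It is returned unchanged when the one-shot yields no
        result, no nodes, or no VirusTotal context (the original dereferenced
        ``None["malicious"]`` in the last case and raised ``TypeError``).
    """
    entity = request.entity
    res = run_oneshot("VT Hash Report", request, config)
    if not res or not res.get("nodes"):
        return response

    vt_contexts = [
        c for c in res["nodes"][0].get("context", [])
        if c["source"] == "VirusTotal"
    ]
    if not vt_contexts:
        # Nothing to copy; bail out instead of crashing on a None context.
        return response

    # NOTE(review): the original sorted ascending by last_seen and took index
    # 0, i.e. the *oldest* context, although the variable is named
    # ``last_context``; pick the newest one instead.
    last_context = max(vt_contexts, key=lambda c: parser.parse(c["last_seen"]))

    def _apply_verdict(target):
        # Same four fields for the input entity and every linked hash.
        target.malicious = last_context["malicious"]
        target.undetected = last_context["undetected"]
        target.suspicious = last_context["suspicious"]
        target.magic = last_context["magic"]
        return target

    response += _apply_verdict(entity)
    for link in res.get("links", []):
        obs = get_observable(link["src"]["id"], config)
        response += _apply_verdict(Hash(obs["value"]))
    return response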
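def do_transform(self, request, response, config):
    """Add one ``Ip`` entity per node of a PassiveTotal passive-DNS one-shot.

    Args:
        request: transform request; ``request.entity`` is the queried entity.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot``.

    Returns:
        ``response``, unchanged when the one-shot yields no result (the
        original indexed into a falsy result and raised).
    """
    entity = request.entity
    res = run_oneshot('PassiveTotal Passive DNS', request, config)
    if not res:
        return response
    for node in res.get('nodes', []):
        value = node['value']
        if value == entity.value:
            # The queried observable presumably comes back as one of the
            # nodes (the subdomain transform filters it the same way); never
            # wrap it in an Ip entity. If it is absent this is a no-op.
            continue
        ip = Ip(value)
        ip.link_label = 'Server NS'
        response += ip
    return response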
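def do_transform(self, request, response, config):
    """Add one ``Url`` entity per observable linked by "VT Urls Contacted".

    Args:
        request: transform request (input entity is taken from it by the
            one-shot runner).
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response``, unchanged when the one-shot yields no result (the
        original indexed into a falsy result and raised).
    """
    res = run_oneshot("VT Urls Contacted", request, config)
    if not res:
        return response
    for link in res.get("links", []):
        obs = get_observable(link["src"]["id"], config)
        response += Url(obs["value"])
    return response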
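def do_transform(self, request, response, config):
    """Add one tagged ``Hash`` entity per file linked by "VT Com files domain".

    Each linked observable becomes a ``Hash``; when the observable carries a
    ``tags`` list, the tag names are copied onto the entity.

    Args:
        request: transform request.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response``, unchanged when the one-shot yields no result (the
        original indexed into a falsy result and raised).
    """
    res = run_oneshot("VT Com files domain", request, config)
    if not res:
        return response
    for link in res.get("links", []):
        obs = get_observable(link["src"]["id"], config)
        file_hash = Hash(obs["value"])
        if "tags" in obs:
            # Keep the key-presence check: an empty tag list still sets tags=[].
            file_hash.tags = [t["name"] for t in obs["tags"]]
        response += file_hash
    return response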
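def do_transform(self, request, response, config):
    """Add one ``Hostname`` entity per subdomain returned by "Get Subdomains".

    The node whose value equals the queried entity is skipped so the input
    hostname is not re-emitted as its own subdomain.

    Args:
        request: transform request; ``request.entity`` is the queried entity.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot``.

    Returns:
        ``response``, unchanged when the one-shot yields no result (the
        original indexed into a falsy result and raised).
    """
    entity = request.entity
    res = run_oneshot('Get Subdomains', request, config)
    if not res:
        return response
    for node in res.get('nodes', []):
        if node['value'] == entity.value:
            continue
        sub = Hostname(node['value'])
        sub.link_label = 'PT Subdomains'
        response += sub
    return response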
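def do_transform(self, request, response, config):
    """Add one ``Hostname`` per observable linked by "VT Domain Contacted".

    The link's ``first_seen`` / ``last_seen`` values are rendered into the
    link label.

    Args:
        request: transform request.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response``, unchanged when the one-shot yields no result (the
        original indexed into a falsy result and raised).
    """
    res = run_oneshot("VT Domain Contacted", request, config)
    if not res:
        return response
    for link in res.get("links", []):
        obs = get_observable(link["src"]["id"], config)
        hostname = Hostname(obs["value"])
        hostname.link_label = "first_seen: %s last_seen: %s" % (
            link["first_seen"],
            link["last_seen"],
        )
        response += hostname
    return response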
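def do_transform(self, request, response, config):
    """Add one ``Hostname`` per observable linked by "VT IP Resolution".

    For each linked observable the ``VirusTotal PDNS`` contexts that carry
    the queried value as a key are consulted; the newest timestamp becomes
    the ``last_resolution`` link label.

    Args:
        request: transform request; ``request.entity`` is the queried entity
            (assumed to be the IP the hostnames resolved to — its value is
            used as the lookup key inside each PDNS context).
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot`` and ``get_observable``.

    Returns:
        ``response``, unchanged when the one-shot yields no result. A
        hostname with no matching PDNS context is still added, just without
        a label (the original raised ``IndexError`` there).
    """
    entity = request.entity
    res = run_oneshot("VT IP Resolution", request, config)
    if not res:
        return response
    for link in res.get("links", []):
        obs = get_observable(link["src"]["id"], config)
        hostname = Hostname(obs["value"])
        timestamps = [
            c[entity.value]
            for c in obs.get("context", [])
            if c["source"] == "VirusTotal PDNS" and entity.value in c
        ]
        if timestamps:
            # NOTE(review): the original sorted ascending and took index 0,
            # i.e. the *oldest* resolution, under the name ``last_resolution``;
            # take the newest instead.
            hostname.link_label = "last_resolution: %s" % max(
                timestamps, key=parser.parse
            )
        response += hostname
    return response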
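def do_transform(self, request, response, config):
    """Turn urlscan.io scan results into Url/Hostname/Text entities.

    For every node of the ``UrlScanIo`` one-shot, each context from source
    ``UrlScanIo`` carries a JSON document in ``raw`` which is a list of scan
    results. From each result's ``page`` the ``url``, ``domain``, ``asn``
    and ``server`` fields become entities; from its ``task`` the ``url``
    (labelled with the task time) does.

    Args:
        request: transform request.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot``.

    Returns:
        ``response`` (unchanged when the one-shot yields nothing).
    """

    def _add(entity_cls, value, label):
        # Small helper: build an entity, label its link, append it.
        ent = entity_cls(value)
        ent.link_label = label
        response_holder[0] += ent

    def _add_page(page):
        # Fields are optional in urlscan output; only emit what is present.
        if 'url' in page:
            _add(Url, page['url'], 'url')
        if 'domain' in page:
            _add(Hostname, page['domain'], 'domain')
        if 'asn' in page:
            asn = str(page['asn'])
            # Strip only a leading "AS" prefix. The original split on the
            # first "AS" anywhere in the string, which mangles values that
            # merely contain those letters.
            number = asn[2:] if asn.startswith('AS') else asn
            _add(Text, number, 'AS')
        if 'server' in page:
            _add(Text, page['server'], 'server')

    def _add_task(task):
        if 'url' in task:
            # task['time'] was accessed unguarded before; tolerate its absence.
            _add(Url, task['url'], 'task url %s' % task.get('time'))

    # Closure cell so the helpers can rebind the accumulated response.
    response_holder = [response]

    res = run_oneshot('UrlScanIo', request, config)
    if res:
        for node in res.get('nodes', []):
            urlscan_contexts = [
                c for c in node.get('context', []) if c['source'] == 'UrlScanIo'
            ]
            for context in urlscan_contexts:
                # ``raw`` is JSON text from the collector; json.loads only,
                # never an unsafe deserializer, since it is third-party data.
                for result in json.loads(context['raw']):
                    _add_page(result['page'])
                    _add_task(result['task'])
    return response_holder[0]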
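def do_transform(self, request, response, config):
    """Expand a Shodan query context into hostname, org, ASN and port entities.

    Locates the node matching the queried entity, takes its most recently
    updated ``shodan_query`` context and emits one ``Hostname`` per entry in
    ``domains`` and ``hostnames``, a ``Company`` for ``org``, an ``As`` for
    ``asn`` (leading "AS" stripped) and a ``Port`` per entry in ``ports``.

    Args:
        request: transform request; ``request.entity`` is the queried entity.
        response: transform response that new entities are appended to.
        config: passed through to ``run_oneshot``.

    Returns:
        ``response``, unchanged when the one-shot yields no result, no node
        matches the queried value, or no ``shodan_query`` context exists (the
        original raised ``IndexError`` in each of those cases).
    """
    entity = request.entity
    res = run_oneshot('Shodan', request, config)
    if not res:
        return response

    own_nodes = [
        n for n in res.get('nodes', []) if n.get('value') == entity.value
    ]
    if not own_nodes:
        return response
    shodan_contexts = [
        c for c in own_nodes[0].get('context', [])
        if c['source'] == 'shodan_query'
    ]
    if not shodan_contexts:
        return response

    # NOTE(review): the original sorted ascending by last_update and took
    # index 0, i.e. the *oldest* context, under the name ``last_context_shodan``;
    # use the newest one.
    latest = max(shodan_contexts, key=lambda c: parser.parse(c['last_update']))
    label = 'last_update: %s' % latest['last_update']

    for name in list(latest.get('domains', [])) + list(latest.get('hostnames', [])):
        hostname = Hostname(name)
        hostname.link_label = label
        response += hostname

    if latest.get('org'):
        company = Company(latest['org'])
        company.link_label = 'hoster'
        response += company

    asn = latest.get('asn')
    if asn:
        asn = str(asn)
        # Strip only a leading "AS"; the original split on the first "AS"
        # anywhere and raised IndexError when the prefix was absent.
        response += As(asn[2:] if asn.startswith('AS') else asn)

    for p in latest.get('ports', []):
        port = Port(p)
        port.link_label = 'service'
        response += port
    return response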
def do_transform(self, request, response, config):
    """Run the "Get Malware" one-shot and delegate entity building to ``do_get_malware_pt``.

    Args:
        request: transform request; its ``entity`` is handed to the helper.
        response: transform response the helper appends to.
        config: passed through to ``run_oneshot``.

    Returns:
        Whatever ``do_get_malware_pt`` returns.
    """
    malware_result = run_oneshot('Get Malware', request, config)
    return do_get_malware_pt(malware_result, request.entity, response)
def do_transform(self, request, response, config):
    """Run the PassiveTotal passive-DNS one-shot and delegate to ``do_pdns_pt``.

    Args:
        request: transform request; its ``entity`` is handed to the helper.
        response: transform response the helper appends to.
        config: passed through to ``run_oneshot``.

    Returns:
        Whatever ``do_pdns_pt`` returns.
    """
    pdns_result = run_oneshot('PassiveTotal Passive DNS', request, config)
    return do_pdns_pt(pdns_result, request.entity, response)