beagle.datasources.virustotal package

Submodules

beagle.datasources.virustotal.generic_vt_sandbox module

class beagle.datasources.virustotal.generic_vt_sandbox.GenericVTSandbox(behaviour_report_file: str, hash_metadata_file: str = None)

Bases: beagle.datasources.base_datasource.DataSource

Converts a Virustotal V3 API behavior report to a Beagle graph.

This DataSource outputs data in the schema accepted by GenericTransformer.

Providing the hash's metadata JSON allows for proper creation of a metadata object.
  • This can be fetched from https://www.virustotal.com/api/v3/files/{id}

Behavior reports come from https://www.virustotal.com/api/v3/files/{id}/behaviours
  • Beagle generates one graph per report in the attributes array.

Where {id} is the sha256 of the file.

Parameters:
  • behaviour_report (str) – File containing a single behaviour report from one of the VirusTotal-linked sandboxes.
  • hash_metadata (str) – File containing the hash's metadata, including its detections.
KNOWN_ATTRIBUTES = ['files_deleted', 'processes_tree', 'files_opened', 'files_written', 'modules_loaded', 'files_attribute_changed', 'files_dropped', 'has_html_report', 'analysis_date', 'sandbox_name', 'http_conversations', 'ip_traffic', 'dns_lookups', 'registry_keys_opened', 'registry_keys_deleted', 'registry_keys_set']
category = 'VT Sandbox'
events() → Generator[dict, None, None]

Generator which must yield each event as a dictionary from the datasource, one by one. Once the generator is exhausted, this signals that the datasource is exhausted.

Returns: Generator over all events from this datasource.
Return type: Generator[dict, None, None]
metadata() → dict

Generates the metadata based on the provided hash_metadata file.

Returns: Name, number of malicious detections, AV results, and common_name from VT.
Return type: dict
name = 'VirusTotal v3 API Sandbox Report Files'
transformers = [<class 'beagle.transformers.generic_transformer.GenericTransformer'>]
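The two methods above describe the datasource's contract: events() walks one behaviour report and yields one dictionary per observed action, and metadata() reduces the hash metadata to a detection summary. The following is an added, self-contained illustration of that contract, not Beagle's own GenericVTSandbox code. It assumes the VirusTotal v3 response layout (a top-level "data" array whose elements carry an "attributes" dict, and for file metadata a "last_analysis_stats"/"last_analysis_results" pair); the sample report and metadata documents are constructed inline, and the output field names (event_type, av_results, malicious) are this example's own choices.

```python
"""Added example: minimal reader for VirusTotal v3 behaviour reports and file metadata.

Illustrative code only, not Beagle's GenericVTSandbox implementation. Response
layout and field names below are assumptions based on the public v3 API.
"""
from typing import Any, Dict, Generator

# Attribute names as listed for GenericVTSandbox.KNOWN_ATTRIBUTES on the page.
KNOWN_ATTRIBUTES = [
    "files_deleted", "processes_tree", "files_opened", "files_written",
    "modules_loaded", "files_attribute_changed", "files_dropped",
    "has_html_report", "analysis_date", "sandbox_name", "http_conversations",
    "ip_traffic", "dns_lookups", "registry_keys_opened",
    "registry_keys_deleted", "registry_keys_set",
]

# Report-level scalars (assumption); every other known attribute is a list of actions.
REPORT_FIELDS = {"sandbox_name", "analysis_date", "has_html_report"}

# Constructed sample shaped like GET /files/{id}/behaviours (one report in "data").
SAMPLE_BEHAVIOURS: Dict[str, Any] = {
    "data": [
        {
            "attributes": {
                "sandbox_name": "ExampleSandbox",
                "analysis_date": 1500000000,
                "has_html_report": False,
                "files_written": ["C:\\Users\\Public\\dropped.exe"],
                "dns_lookups": [{"hostname": "example.invalid", "resolved_ips": ["192.0.2.10"]}],
                "registry_keys_set": [{"key": "HKCU\\Software\\Example", "value": "1"}],
                "files_opened": "not-a-list",   # malformed shape: must be skipped, not crash
                "unexpected_field": "ignored",  # unknown attribute: not an event
            }
        }
    ]
}

# Constructed sample shaped like GET /files/{id} (detection summary per engine).
SAMPLE_METADATA: Dict[str, Any] = {
    "data": {
        "attributes": {
            "meaningful_name": "sample.exe",
            "sha256": "<constructed-sha256-placeholder>",
            "last_analysis_stats": {"malicious": 2, "undetected": 1, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Example"},
                "EngineB": {"category": "malicious", "result": "Generic.Example"},
                "EngineC": {"category": "undetected", "result": None},
            },
        }
    }
}


def reports(behaviours: Dict[str, Any]) -> Generator[Dict[str, Any], None, None]:
    """Yield the attributes dict of each report in the v3 'data' array (one graph each)."""
    for entry in behaviours.get("data", []):
        yield entry.get("attributes", {})


def events(report: Dict[str, Any]) -> Generator[Dict[str, Any], None, None]:
    """Yield one dict per sandbox action, tagged with the report-level context."""
    context = {field: report.get(field) for field in REPORT_FIELDS}
    for key in KNOWN_ATTRIBUTES:
        if key in REPORT_FIELDS:
            continue
        items = report.get(key)
        if not isinstance(items, list):
            continue  # absent, or an unexpected shape from the API: skip defensively
        for item in items:
            yield {"event_type": key, "data": item, **context}


def metadata(hash_metadata: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce file metadata to name, malicious-detection count and per-engine AV results."""
    attrs = hash_metadata.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    return {
        "name": attrs.get("meaningful_name"),
        "sha256": attrs.get("sha256"),
        "malicious": int(stats.get("malicious", 0)),
        "av_results": {
            engine: verdict.get("result")
            for engine, verdict in results.items()
            if verdict.get("category") == "malicious"
        },
    }


if __name__ == "__main__":
    print(metadata(SAMPLE_METADATA))
    for report in reports(SAMPLE_BEHAVIOURS):
        for event in events(report):
            print(event["event_type"], event["data"])
```

Two details worth noting for a real report: the v3 "data" array can hold several reports (one per sandbox), which is why Beagle builds one graph per element, and sandbox output is not uniform, so each known attribute is checked for the expected list shape before it is turned into events rather than assumed.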

beagle.datasources.virustotal.generic_vt_sandbox_api module

class beagle.datasources.virustotal.generic_vt_sandbox_api.GenericVTSandboxAPI(file_hash: str, sandbox_name: str = None)

Bases: beagle.datasources.base_datasource.ExternalDataSource, beagle.datasources.virustotal.generic_vt_sandbox.GenericVTSandbox

A class which provides an easy way to fetch VT v3 API sandbox data. This can be used to directly pull sandbox data from VT.

Parameters:
  • file_hash (str) – The hash of the file you want to graph.
  • sandbox_name (str, optional) – The name of the sandbox you want to pull from VT (there may be multiple available). The default is None, which picks the first one.
Raises:

RuntimeError – If no VirusTotal API key is defined.

Examples

>>> datasource = GenericVTSandboxAPI(
    file_hash="ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
    sandbox_name="Dr.Web vxCube"
)
category = 'VT Sandbox'
name = 'VirusTotal v3 API Sandbox Report'
transformers = [<class 'beagle.transformers.generic_transformer.GenericTransformer'>]

Module contents