beagle.datasources.virustotal package

Submodules

beagle.datasources.virustotal.generic_vt_sandbox module
class beagle.datasources.virustotal.generic_vt_sandbox.GenericVTSandbox(behaviour_report_file: str, hash_metadata_file: str = None)

    Bases: beagle.datasources.base_datasource.DataSource

    Converts a VirusTotal v3 API behaviour report to a Beagle graph.
    This DataSource outputs data in the schema accepted by GenericTransformer.

    Providing the hash's metadata JSON allows for proper creation of a metadata object.
    * This can be fetched from https://www.virustotal.com/api/v3/files/{id}
    Behaviour reports come from https://www.virustotal.com/api/v3/files/{id}/behaviours
    * Beagle generates one graph per report in the attributes array.
    Where {id} is the sha256 of the file.

    Parameters:
    - behaviour_report (str) – File containing a single behaviour report from one of the VirusTotal-linked sandboxes.
    - hash_metadata (str) – File containing the hash's metadata, including its detections.

    KNOWN_ATTRIBUTES = ['files_deleted', 'processes_tree', 'files_opened', 'files_written', 'modules_loaded', 'files_attribute_changed', 'files_dropped', 'has_html_report', 'analysis_date', 'sandbox_name', 'http_conversations', 'ip_traffic', 'dns_lookups', 'registry_keys_opened', 'registry_keys_deleted', 'registry_keys_set']

    category = 'VT Sandbox'

    events() → Generator[dict, None, None]
        Generator which must yield each event as a dictionary from the datasource, one by one. Once the generator is exhausted, the datasource is exhausted.

        Returns: Generator over all events from this datasource.
        Return type: Generator[dict, None, None]

    metadata() → dict
        Generates the metadata based on the provided hash_metadata file.

        Returns: Name, number of malicious detections, AV results, and common_name from VT.
        Return type: dict

    name = 'VirusTotal v3 API Sandbox Report Files'

    transformers = [<class 'beagle.transformers.generic_transformer.GenericTransformer'>]
beagle.datasources.virustotal.generic_vt_sandbox_api module
class beagle.datasources.virustotal.generic_vt_sandbox_api.GenericVTSandboxAPI(file_hash: str, sandbox_name: str = None)

    Bases: beagle.datasources.base_datasource.ExternalDataSource, beagle.datasources.virustotal.generic_vt_sandbox.GenericVTSandbox

    A class which provides an easy way to fetch VT v3 API sandbox data. This can be used to pull sandbox data directly from VT.

    Parameters:
    - file_hash (str) – The hash of the file you want to graph.
    - sandbox_name (str, optional) – The name of the sandbox you want to pull from VT (there may be multiple available). The default is None, which picks the first one.

    Raises: RuntimeError – If there is no VirusTotal API key defined.

    Examples

    >>> datasource = GenericVTSandboxAPI(
    ...     file_hash="ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
    ...     sandbox_name="Dr.Web vxCube",
    ... )

    category = 'VT Sandbox'

    name = 'VirusTotal v3 API Sandbox Report'

    transformers = [<class 'beagle.transformers.generic_transformer.GenericTransformer'>]
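The following is an added, self-contained model of what the two classes above do, written for this page and not taken from Beagle: splitting a `/files/{id}/behaviours` response into one report per entry of its data array, picking a report by `sandbox_name` (None takes the first, as GenericVTSandboxAPI does), flattening the attributes listed in KNOWN_ATTRIBUTES into event dicts, deriving the metadata fields (name, malicious count, AV results, common_name) from a `/files/{id}` response, and raising RuntimeError when no API key is configured. It works on already-parsed dicts rather than the file paths GenericVTSandbox takes, the sample responses are constructed, the field names inside the behaviour attributes (`process_id`, `hostname`, `resolved_ips`, `key`/`value`) and inside the hash metadata (`meaningful_name`, `last_analysis_stats`, `last_analysis_results`), the event dict layout and the `VT_API_KEY` variable name are assumptions, and the event layout does not reproduce the GenericTransformer schema.

```python
"""Illustrative model of the GenericVTSandbox / GenericVTSandboxAPI flow (added example)."""
from collections import Counter
from typing import Dict, Generator, List, Optional

# Attribute names copied from GenericVTSandbox.KNOWN_ATTRIBUTES.
KNOWN_ATTRIBUTES = [
    "files_deleted", "processes_tree", "files_opened", "files_written", "modules_loaded",
    "files_attribute_changed", "files_dropped", "has_html_report", "analysis_date",
    "sandbox_name", "http_conversations", "ip_traffic", "dns_lookups",
    "registry_keys_opened", "registry_keys_deleted", "registry_keys_set",
]

# Constructed sample of a /files/{id}/behaviours response with one report.
# Field names inside the attributes are assumptions, not the documented schema.
SAMPLE_BEHAVIOURS = {"data": [{"attributes": {
    "sandbox_name": "Example Sandbox",
    "analysis_date": 1700000000,
    "processes_tree": [{"process_id": "1000", "name": "sample.exe", "children": [
        {"process_id": "1004", "name": "cmd.exe", "children": []}]}],
    "files_opened": ["C:\\Windows\\System32\\kernel32.dll"],
    "dns_lookups": [{"hostname": "example.invalid", "resolved_ips": ["198.51.100.7"]}],
    "registry_keys_set": [{"key": "HKCU\\Software\\Example", "value": "1"}],
    "some_future_field": True,  # not in KNOWN_ATTRIBUTES; see unknown_attributes()
}}]}

# Constructed sample of a /files/{id} response (the hash metadata).
SAMPLE_HASH_METADATA = {"data": {"attributes": {
    "meaningful_name": "sample.exe",
    "last_analysis_stats": {"malicious": 2, "undetected": 1},
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "Trojan.Generic"},
        "VendorB": {"category": "malicious", "result": "Trojan.Generic"},
        "VendorC": {"category": "undetected", "result": None},
    },
}}}


def reports(behaviours: dict) -> List[dict]:
    """One graph per entry in the data array: return each report's attributes dict."""
    return [entry["attributes"] for entry in behaviours.get("data", [])]


def select_report(behaviours: dict, sandbox_name: Optional[str] = None) -> dict:
    """Mirror the sandbox_name argument: None picks the first available report."""
    available = reports(behaviours)
    if sandbox_name is None:
        return available[0]
    for report in available:
        if report.get("sandbox_name") == sandbox_name:
            return report
    raise ValueError(f"no report from sandbox {sandbox_name!r}")


def unknown_attributes(report: dict) -> set:
    """Attributes the converter does not model; surfaced so they are not dropped silently."""
    return set(report) - set(KNOWN_ATTRIBUTES)


def events(report: dict) -> Generator[dict, None, None]:
    """Yield one flat event dict per observed behaviour, walking the process tree depth-first."""
    def walk(proc: dict, parent: Optional[str]):
        yield {"event_type": "process", "process_id": proc["process_id"],
               "name": proc["name"], "parent_id": parent}
        for child in proc.get("children", []):
            yield from walk(child, proc["process_id"])
    for root in report.get("processes_tree", []):
        yield from walk(root, None)
    for key in ("files_opened", "files_written", "files_deleted", "files_dropped"):
        for item in report.get(key, []):  # entries may be plain paths or objects with a path
            yield {"event_type": key, "path": item.get("path") if isinstance(item, dict) else item}
    for lookup in report.get("dns_lookups", []):
        for ip in lookup.get("resolved_ips") or [None]:  # keep lookups that resolved to nothing
            yield {"event_type": "dns_lookup", "hostname": lookup["hostname"], "ip": ip}
    for entry in report.get("registry_keys_set", []):
        yield {"event_type": "registry_keys_set", "key": entry["key"], "value": entry.get("value")}


def metadata(hash_metadata: dict) -> dict:
    """Name, number of malicious detections, per-vendor AV results and the most common label."""
    attrs = hash_metadata["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    malicious = {v: r.get("result") for v, r in results.items() if r.get("category") == "malicious"}
    labels = Counter(label for label in malicious.values() if label)
    return {
        "name": attrs.get("meaningful_name"),
        "malicious": attrs.get("last_analysis_stats", {}).get("malicious", 0),
        "results": malicious,
        "common_name": labels.most_common(1)[0][0] if labels else None,
    }


def require_api_key(env: Dict[str, str]) -> str:
    """Mirror the RuntimeError raised when no key is configured (VT_API_KEY name is assumed)."""
    key = env.get("VT_API_KEY")
    if not key:
        raise RuntimeError("no VirusTotal API key defined")
    return key
```

Running `events(select_report(SAMPLE_BEHAVIOURS))` yields five events (two processes with parent links, one file open, one DNS lookup, one registry write); `unknown_attributes` reports `some_future_field`, which is the check worth keeping when VirusTotal adds attributes the converter has not been taught about.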