import logging
import re
from datetime import timedelta, datetime
from core import Feed
from core.config.config import yeti_config
from core.observables import Hash, File
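# Module-level configuration shared by the feed below.
# The API key is read from the Yeti config, never hard-coded; it is only ever
# placed in the request headers, so keep it out of log lines and contexts.
VTAPI = yeti_config.get("vt", "key")
headers = {"x-apikey": VTAPI}
limit = 10  # number of hunting notifications requested per call
params = {"limit": limit}
regex = r"[A-Fa-f0-9]{64}"  # Find SHA256 (64 hex chars); raw string per regex idiom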
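class VirusTotalPriv(Feed):
    """Feed pulling VirusTotal API v3 hunting notifications into Yeti.

    Every notification is expected to carry a SHA256 among its ``tags``.
    That hash becomes a ``File`` observable linked to a ``Hash`` observable;
    the matching rule name and the remaining tags become Yeti tags, and the
    notification itself is attached as context.
    """

    default_values = {
        "frequency": timedelta(minutes=5),
        "name": "VirusTotalHuntingV3",
        "source": "https://www.virustotal.com/api/v3/intelligence/hunting_notifications",
        "description": "Feed of hunting for VirusTotal API v3",
    }
    settings = {
        "vt_url_hunting_v3": {
            "name": "VT Url Hunting v3",
            "description": "Hunting feed for VT API v3",
        }
    }

    def update(self):
        """Fetch the hunting notifications and hand each one to :meth:`analyze`.

        When no VirusTotal API key is configured the feed logs an error and
        returns without issuing any request.
        """
        if not VTAPI:
            logging.error("Your VT API key is not set in the config file!")
            return
        self.source = (
            "https://www.virustotal.com/api/v3/intelligence/hunting_notifications"
        )
        # The API key is carried only in ``headers``; it is not logged here.
        for _index, item in self.update_json(
            params=params, headers=headers, key="data"
        ):
            self.analyze(item)

    def analyze(self, item):
        """Store one hunting notification as observables, tags and context.

        Args:
            item: one element of the API response's ``data`` array. Only
                ``attributes.rule_name``, ``attributes.date``,
                ``attributes.tags`` and ``attributes.snippet`` are read.

        A notification whose tags contain no SHA256 is logged and skipped
        rather than aborting the whole feed run with an AttributeError.
        """
        attributes = item["attributes"]
        subject = attributes["rule_name"]
        date = attributes["date"]
        # Work on a copy so the raw notification stored in ``context`` keeps
        # its original tag list instead of losing the SHA256 entry.
        remaining_tags = list(attributes["tags"])
        sha2 = self._pop_sha256(remaining_tags)
        if sha2 is None:
            logging.warning(
                "No SHA256 found in the tags of VT notification for rule %s",
                subject,
            )
            return
        date_string = datetime.utcfromtimestamp(date).strftime("%d/%m/%Y %H:%M:%S")

        # Update to Yeti DB
        f_vt3 = File.get_or_create(value="FILE:{}".format(sha2))
        sha256 = Hash.get_or_create(value=sha2)
        f_vt3.active_link_to(sha256, "sha256", self.name)

        # One tag per element (flat list), not the str() of a nested list.
        tags = remaining_tags + [subject]
        context = {
            "source": self.name,
            "date_added": date_string,
            "snippet": attributes["snippet"],
            # context['source_country'] = item["attributes"]['source_country']
            "raw": item,
        }
        f_vt3.tag(tags)
        f_vt3.add_context(context)

    @staticmethod
    def _pop_sha256(tags):
        """Remove and return the first tag containing a SHA256, or ``None``.

        ``tags`` is mutated in place: the whole matching tag is removed, so
        a tag that merely embeds the hash no longer triggers a ValueError on
        removal as the bare ``list.remove(sha)`` did.
        """
        for tag in tags:
            match = re.search(regex, str(tag))
            if match:
                tags.remove(tag)
                return match.group()
        return None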