# For every intrusion set in self.intel that lists indicators, search the
# sketch once per indicator and annotate each matching event.
# NOTE(review): indentation is lost in this excerpt, so the nesting of the
# statements below has to be confirmed against the original file.
for intrusion_set in self.intel.values():
# Intrusion sets without indicators cannot match anything.
if not intrusion_set['indicators']:
continue
found = False
for indicator in intrusion_set['indicators']:
query = build_query_for_indicators([indicator])
# No event fields are read below, hence the empty return_fields list.
events = self.event_stream(query_string=query,
return_fields=[])
name = intrusion_set['name']
for event in events:
found = True
# Mark the hit: skull emoji plus the intrusion set name as a tag.
event.add_emojis([emojis.get_emoji('SKULL')])
event.add_tags([name])
event.commit()
# NOTE(review): add_comment() runs after commit(); verify that the comment
# does not depend on commit() to be stored.
event.add_comment(
'Indicator "{0:s}" found for actor "{1:s}"'.format(
indicator['name'], name))
if found:
actors_found.append(name)
# NOTE(review): `query` holds the query built for the most recent indicator
# only, so the saved view may not show every indicator that matched for this
# actor -- confirm this is intended.
self.sketch.add_view(
'Domain activity for actor {0:s}'.format(name),
self.NAME,
query_string=query)
# Summary string listing every actor with at least one matching event.
if actors_found:
return '{0:d} actors were found! [{1:s}]'.format(
len(actors_found), ', '.join(actors_found))
# NOTE(review): the excerpt starts inside a loop whose header is not shown.
# Names without a dot are skipped; the rest are added to the watch list.
if '.' not in domain:
continue
watched_domains_list.append(domain)
# For each watched domain keep the value returned by
# self._get_minhash_from_domain and the number of dot-separated labels.
watched_domains = {}
for domain in watched_domains_list:
minhash = self._get_minhash_from_domain(domain)
watched_domains[domain] = {
'hash': minhash,
'depth': len(domain.split('.'))
}
similar_domain_counter = 0
whitelist_encountered = False
evil_emoji = emojis.get_emoji('SKULL_CROSSBONE')
phishing_emoji = emojis.get_emoji('FISHING_POLE')
# Compare every observed domain with the watched set; the per-domain count
# in domain_counter is not used here.
for domain, _ in iter(domain_counter.items()):
emojis_to_add = []
tags_to_add = []
text = None
similar_domains = self._get_similar_domains(
domain, watched_domains)
# A non-empty result marks the domain as a look-alike of a watched domain:
# it is counted and queued for the two emojis and the 'phishy-domain' tag.
if similar_domains:
similar_domain_counter += 1
emojis_to_add.append(evil_emoji)
emojis_to_add.append(phishing_emoji)
tags_to_add.append('phishy-domain')
# One "domain [score: x.xx]" entry per (domain, score) pair returned above.
similar_text_list = ['{0:s} [score: {1:.2f}]'.format(
phishy_domain,
score) for phishy_domain, score in similar_domains]
# NOTE(review): the excerpt begins mid-function; the `if` that pairs with
# the `else:` below is not shown.
return ''
# NOTE(review): sum() equals a bitwise OR of the flags only when every flag
# appears once; a duplicated flag would add up to a different flag value.
re_flag = sum(flags)
else:
re_flag = 0
# A pattern that does not compile is logged and the function returns an
# empty string instead of raising.
# NOTE(review): the origin of expression_string is not visible here; if it
# comes from configuration that analysts can edit, a pathological pattern
# could make matching very slow on large event sets -- confirm who may
# change it.
try:
expression = re.compile(expression_string, flags=re_flag)
except re.error as exception:
# pylint: disable=logging-format-interpolation
logging.warning((
'Regular expression failed to compile, with '
'error: {0!s}').format(exception))
return ''
# Emoji names come from the config entry; a missing key yields no emojis.
emoji_names = config.get('emojis', [])
emojis_to_add = [emojis.get_emoji(x) for x in emoji_names]
# Only the attribute being inspected is requested from the datastore.
return_fields = [attribute]
events = self.event_stream(
query_string=query, query_dsl=query_dsl,
return_fields=return_fields)
event_counter = 0
for event in events:
# Normalise the attribute: text is used as is, a list or tuple is joined
# with commas, a number is used as is.
attribute_field = event.source.get(attribute)
if isinstance(attribute_field, six.text_type):
attribute_value = attribute_field
elif isinstance(attribute_field, (list, tuple)):
# NOTE(review): join() raises TypeError if an item is not a string.
attribute_value = ','.join(attribute_field)
elif isinstance(attribute_field, (int, float)):
attribute_value = attribute_field
# NOTE(review): the excerpt begins mid-function, apparently on the fallback
# path taken when the percentile could not be computed.
logging.warning('Unable to calculate the 85th percentile.')
# Fallback threshold: ten above the highest domain count, or 100 when the
# counter is empty. No count can reach "highest + 10", so on this path no
# domain ends up in common_domains.
highest_count_domain = domain_counter.most_common(1)
if highest_count_domain:
_, highest_count = highest_count_domain[0]
domain_85th_percentile = highest_count + 10
else:
domain_85th_percentile = 100
# Domains whose count is at or above the upper threshold.
common_domains = [
x for x, y in domain_counter.most_common()
if y >= domain_85th_percentile]
# Domains whose count is at or below the lower threshold, which is set
# outside this excerpt.
rare_domains = [
x for x, y in domain_counter.most_common()
if y <= domain_20th_percentile]
satellite_emoji = emojis.get_emoji('SATELLITE')
# Decide the tags for each domain before touching its events.
for domain, count in iter(domain_counter.items()):
emojis_to_add = [satellite_emoji]
tags_to_add = []
# A truthy provider from utils.get_cdn_provider tags the domain as a known
# CDN and is tallied per provider.
cdn_provider = utils.get_cdn_provider(domain)
if cdn_provider:
tags_to_add.append('known-cdn')
cdn_counter[cdn_provider] += 1
if domain in common_domains:
tags_to_add.append('common_domain')
if domain in rare_domains:
tags_to_add.append('rare_domain')
# The body of this loop lies outside the excerpt.
for event in domains.get(domain, []):
def run(self):
"""Entry point for the analyzer.

The part of the method visible here prepares the emojis, counters, query
and field list for Windows logon and logoff events.

Returns:
String with summary of the analyzer result
"""
login_emoji = emojis.get_emoji('unlock')
logoff_emoji = emojis.get_emoji('lock')
screen_emoji = emojis.get_emoji('screen')
# Windows logon type 7 is the workstation-unlock type; LOGON_TYPES is
# defined outside this excerpt.
screensaver_logon = LOGON_TYPES.get('7')
login_counter = 0
logoff_counter = 0
# TODO: Add EVT lookups, ID 528 for logon and 538, 540 for logoff.
# TODO: Add RDP EVT lookups, ID 682 for logon and 683 for logoff.
# Security-log event IDs selected by the query:
#   4624 successful logon
#   4634 logoff
#   4647 user-initiated logoff
#   4778 session reconnected to a window station
#   4779 session disconnected from a window station
# Failed logons (4625) are not part of the query, so this analyzer does not
# surface failed-logon activity.
query = (
'data_type:"windows:evtx:record" AND (event_identifier:4624 OR '
'event_identifier:4778 OR event_identifier:4779 OR '
'event_identifier:4634 OR event_identifier:4647)')
# Fields requested for every matching event.
return_fields = [
'message', 'data_type', 'strings', 'strings_parsed',
'event_identifier']
def run(self):
"""Entry point for the analyzer.

The part of the method visible here prepares the emojis, counters, query
and field list for Windows logon and logoff events.

Returns:
String with summary of the analyzer result
"""
login_emoji = emojis.get_emoji('unlock')
logoff_emoji = emojis.get_emoji('lock')
screen_emoji = emojis.get_emoji('screen')
# Windows logon type 7 is the workstation-unlock type; LOGON_TYPES is
# defined outside this excerpt.
screensaver_logon = LOGON_TYPES.get('7')
login_counter = 0
logoff_counter = 0
# TODO: Add EVT lookups, ID 528 for logon and 538, 540 for logoff.
# TODO: Add RDP EVT lookups, ID 682 for logon and 683 for logoff.
# Security-log event IDs selected by the query:
#   4624 successful logon
#   4634 logoff
#   4647 user-initiated logoff
#   4778 session reconnected to a window station
#   4779 session disconnected from a window station
# Failed logons (4625) are not part of the query, so this analyzer does not
# surface failed-logon activity.
query = (
'data_type:"windows:evtx:record" AND (event_identifier:4624 OR '
'event_identifier:4778 OR event_identifier:4779 OR '
'event_identifier:4634 OR event_identifier:4647)')
# Fields requested for every matching event.
return_fields = [
'message', 'data_type', 'strings', 'strings_parsed',
'event_identifier']
# Generator of events based on your query.
String with summary of the analyzer result
"""
# TODO: Once we can identify user generated events this should be
# updated to include all user generated events instead of focusing
# solely on browser events.
# Only browser-history (WEBHIST) events are selected for now.
query = 'source_short:"WEBHIST" OR source:"WEBHIST"'
return_fields = ['timestamp', 'url', 'tag', '__ts_emojis']
data_frame = self.event_pandas(
query_string=query, return_fields=return_fields)
# An empty frame means there is nothing to analyse.
if not data_frame.shape[0]:
return 'No browser events discovered.'
sleeping_emoji = emojis.get_emoji('SLEEPING_FACE')
# This filter drops every row whose timestamp is zero or falls on or after
# 2038-01-01 (2145916800000000 microseconds since the epoch); the upper
# bound may need to be changed in the future.
# NOTE(review): the rows are dropped silently. Zeroed or far-future
# timestamps can be worth an analyst's attention in their own right, so
# consider reporting how many rows were excluded.
data_frame['timestamp'] = pd.to_numeric(data_frame.timestamp)
data_frame = data_frame[
(data_frame.timestamp > 0) & (
data_frame.timestamp < 2145916800000000)]
# Timestamps are in microseconds, hence the division before converting
# with unit='s'.
data_frame['datetime'] = pd.to_datetime(
data_frame.timestamp / 1e6, utc=True, unit='s')
# The hour of day is taken from the UTC datetime, so the resulting activity
# hours are in UTC and not in the user's local time zone.
data_frame['hour'] = pd.to_numeric(
data_frame.datetime.dt.strftime('%H'))
total_count = data_frame.shape[0]
# get_active_hours is defined outside this excerpt.
activity_hours, threshold, aggregation = get_active_hours(data_frame)