in msticpy/sectools/tiproviders/ibm_xforce.py [0:0]
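def parse_results(self, response: LookupResult) -> Tuple[bool, TISeverity, Any]:
    """
    Return the details of the response.

    Parameters
    ----------
    response : LookupResult
        The returned data response

    Returns
    -------
    Tuple[bool, TISeverity, Any]
        bool = positive or negative hit
        TISeverity = enumeration of severity
        Object with match details

    Notes
    -----
    ``raw_result`` is the JSON body returned by the remote service and is
    treated as untrusted: the reputation ``score`` it carries may be absent,
    ``None`` or non-numeric, so it is coerced to a number before the
    severity thresholds are applied instead of letting the comparison raise
    ``TypeError``. An unusable score is mapped to 0 - the same value used
    when the key is missing - and therefore yields ``information`` severity.

    """
    severity = TISeverity.information
    # A failed lookup, or a body that is not a JSON object, is reported as
    # a negative hit rather than being parsed.
    if self._failed_response(response) or not isinstance(response.raw_result, dict):
        return False, severity, "Not found."

    raw = response.raw_result
    result_dict = {}

    # Reputation lookup (IP / URL / DNS with no sub-query).
    if response.ioc_type in ["ipv4", "ipv6", "url", "dns"] and not response.query_subtype:
        raw_score = raw.get("score", 0)
        try:
            score = float(raw_score)
        except (TypeError, ValueError):
            # Service returned null or a non-numeric value; see Notes.
            score = 0.0
        result_dict.update(
            {
                "score": raw_score,
                "cats": raw.get("cats"),
                "categoryDescriptions": raw.get("categoryDescriptions"),
                "reason": raw.get("reason"),
                "reasonDescription": raw.get("reasonDescription", 0),
                "tags": raw.get("tags", 0),
            }
        )
        # Thresholds: < 2 informational, 2 to < 5 warning, >= 5 high.
        if score < 2:
            severity = TISeverity.information
        elif score < 5:
            severity = TISeverity.warning
        else:
            severity = TISeverity.high

    # Malware / file-hash lookup: any malware record is treated as high.
    if (
        response.ioc_type in ["file_hash", "md5_hash", "sha1_hash", "sha256_hash"]
        or response.query_subtype == "malware"
    ):
        malware = raw.get("malware")
        if malware:
            result_dict.update(
                {
                    "risk": malware.get("risk"),
                    "family": malware.get("family"),
                    "reasonDescription": raw.get("reasonDescription", 0),
                }
            )
            severity = TISeverity.high

    # Passive DNS / whois / info sub-queries: surface the record set or the
    # contact block, whichever the service populated (records take priority).
    if (
        response.ioc_type in ["dns", "ipv4", "ipv6", "hostname"]
        and response.query_subtype in ["info", "passivedns", "whois"]
    ):
        records = raw.get("total_rows", 0)
        contact = raw.get("contact", 0)
        if records:
            result_dict.update({"records": records})
        elif contact:
            result_dict.update({"contact": contact})

    return True, severity, result_dict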