in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_filehash/ioc_hybridanalysis.py [0:0]
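def test(self, hash_list):
    """Run the Hybrid Analysis (HA) lookup for every hash and build the report (results).

    Args:
        hash_list: iterable of MD5 hex digests to check against HA.

    Returns:
        dict keyed by MD5 with one of:
        - ``{"result": "clean"}`` when HA returned no records;
        - ``{"record": <HA response>, "result": "newAlarm",
          "first_submitted": <ISO string>}`` when HA returned a JSON list of
          analyses; ``first_submitted`` is the earliest ``analysis_start_time``
          found, rendered as a naive (UTC assumed) ISO-8601 string;
        - ``{"result": "skipped, quota reached"}`` for every hash beyond the
          per-run quota returned by ``self.get_remaining_quota()``.
        A hash whose HA response is neither empty nor JSON is logged and left
        out of the report entirely.
    """
    import logging  # function-scope: the module's import block is not visible here

    logger = logging.getLogger(__name__)

    # Quota is fetched once per run; every hash consumes one slot whether or
    # not it was actually queried.
    remaining_quota = self.get_remaining_quota()
    ha_results = {}

    for count, md5 in enumerate(hash_list):
        if count >= remaining_quota:
            # Quota exhausted: record the hash as skipped rather than dropping it
            ha_results[md5] = {"result": "skipped, quota reached"}
            continue

        ha_result = self.get_ha_file_results(md5)

        # NOTE(review): an empty response is treated as "unknown to HA" and
        # reported clean. A None response would raise TypeError here — confirm
        # what get_ha_file_results returns on API/transport errors.
        if len(ha_result) == 0:
            ha_results[md5] = {"result": "clean"}
        elif is_json(ha_result):
            # Earliest analysis_start_time across the returned analyses. The
            # seed is "now", so a response carrying no start time at all
            # reports the current time as first_submitted (kept as-is).
            first_analysis_time = datetime.utcnow()
            for result in ha_result:
                analysis_start_time = get_value("analysis_start_time", result, None)
                if analysis_start_time is None:
                    continue
                # tzinfo is stripped, not converted, to match the naive seed;
                # this is only correct if HA reports times in UTC.
                started = parser.isoparse(analysis_start_time).replace(tzinfo=None)
                first_analysis_time = min(first_analysis_time, started)

            ha_results[md5] = {
                "record": ha_result,
                "result": "newAlarm",
                "first_submitted": first_analysis_time.isoformat(),
                # TO-DO: loop through the submissions to get the time 'last_seen'
            }
        else:
            # Unexpected (non-JSON, non-empty) response: previously dropped
            # silently, now logged so a failed lookup is visible in the run.
            logger.warning(
                "Unexpected Hybrid Analysis response for hash %s, skipping it", md5
            )

    return ha_results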