in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_filehash/ioc_vt.py [0:0]
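def test(self, hash_list):
    """Look up each hash in *hash_list* against VirusTotal and build the result map.

    Args:
        hash_list: Iterable of file hashes. The loop variable is named ``md5``
            but the value is passed through to ``get_vt_file_results`` as-is.

    Returns:
        dict mapping each hash to a result record:
        - ``{"result": "newAlarm", "record": <raw VT response>,
          "first_submitted": <ISO date or None>, "last_seen": <ISO date or None>}``
          when the VT response is a dict carrying a ``"data"`` key;
        - ``{"result": "clean"}`` when VT returned ``None`` (treated as 404 /
          not found) or a response without a ``"data"`` key;
        - ``{"result": "skipped, quota reached"}`` once the per-run quota is
          used up.

    Note:
        Every iteration, including skipped ones, counts against the quota,
        so at most ``get_remaining_quota()`` hashes are sent to VT per run.
        The raw VT response is stored verbatim under ``"record"``; it is
        third-party data and downstream consumers should treat it as such.
    """

    def _to_iso(timestamp):
        """Convert a POSIX timestamp to an ISO-8601 string, or None if unusable.

        ``get_value`` hands back ``None`` when the field is absent, and
        ``datetime.fromtimestamp`` rejects values it cannot convert; both
        cases map to ``None`` instead of aborting the whole run. Only the
        conversion errors are caught so that genuine bugs still surface.
        """
        try:
            return datetime.fromtimestamp(timestamp).isoformat()
        except (TypeError, ValueError, OverflowError, OSError):
            return None

    remaining_quota = self.get_remaining_quota()
    vt_results = {}

    for count, md5 in enumerate(hash_list):
        if count >= remaining_quota:
            # Quota exhausted: record the skip so the caller can see which
            # hashes were never checked rather than silently dropping them.
            vt_results[md5] = {"result": "skipped, quota reached"}
            continue

        vt_result = self.get_vt_file_results(md5)
        if vt_result is None:
            # 404 not found: the hash is unknown to VT.
            vt_results[md5] = {"result": "clean"}
            continue

        if not (isinstance(vt_result, dict) and "data" in vt_result):
            # NOTE(review): a non-dict or "data"-less response is recorded
            # as "clean" here (original behaviour). If get_vt_file_results
            # can return error payloads, those would be misclassified as
            # clean -- confirm against that helper.
            vt_results[md5] = {"result": "clean"}
            continue

        first_submitted_date = _to_iso(
            get_value("data.attributes.first_submission_date", vt_result, None)
        )
        last_analysis_date = _to_iso(
            get_value("data.attributes.last_analysis_date", vt_result, None)
        )
        vt_results[md5] = {
            "record": vt_result,
            "result": "newAlarm",
            "first_submitted": first_submitted_date,
            "last_seen": last_analysis_date,
        }

    return vt_results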