in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_filehash/ioc_ibm.py [0:0]
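def test(self, hash_list):
    """Look up each file hash on IBM X-Force and build the per-hash report.

    Args:
        hash_list: iterable of file hashes (the loop treats them as MD5
            strings) to check against IBM X-Force.

    Returns:
        dict keyed by hash. Each value carries a "result" field:
        "newAlarm" (X-Force returned a malware record; "record" and
        "first_submitted" are included), "clean" (no malware record came
        back), or "skipped, quota reached" (no lookup was made).
    """
    self.logger.debug("Checking IOCs on IBM X-Force: %s", hash_list)

    # Lookups are capped by the API quota left for this run.
    remaining_quota = self.get_remaining_quota()

    ibm_results = {}
    count = 0
    for md5 in hash_list:
        if count < remaining_quota:
            # Within quota: query IBM X-Force for this hash.
            ibm_result = self.get_ibm_xforce_file_results(md5)

            if ibm_result is None:
                # No record for this hash (the lookup helper reports
                # "404 not found" as None).
                # NOTE(review): "clean" only means X-Force has no malware
                # record; if the helper also returns None on transport or
                # auth errors, those are reported as clean too - confirm.
                ibm_results[md5] = {"result": "clean"}
            elif isinstance(ibm_result, dict) and "malware" in ibm_result:
                # Read the first-submission date from this hash's own
                # response. The previous code passed the ibm_results
                # accumulator here, which never holds a "malware" key at
                # the top level, so the date always fell back to None.
                first_submitted_date = get_value(
                    "malware.created", ibm_result, None
                )
                # Found and marked as malware
                ibm_results[md5] = {
                    "record": ibm_result,
                    "result": "newAlarm",
                    "first_submitted": first_submitted_date,
                }
            else:
                # A response without a "malware" key (or a non-dict
                # response) is reported as clean.
                ibm_results[md5] = {"result": "clean"}
        else:
            # Quota reached: record the hash as skipped so consumers can
            # tell "not checked" apart from "clean".
            ibm_results[md5] = {"result": "skipped, quota reached"}
        count += 1

    return ibm_results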