msticpy.context.vtlookupv3.vtfile_behavior module
VirusTotal File Behavior functions.
- class msticpy.context.vtlookupv3.vtfile_behavior.SIProcess(process_id: str, name: str, cmd_line: str, parent_id: int = -1, proc_key: Optional[str] = None, parent_key: Optional[str] = None, path: Optional[str] = None, IsRoot: bool = False, IsLeaf: bool = False, IsBranch: bool = False, children: list = [], time_offset: int = 0)
Bases: object
Data class to hold each process from detonation.
Method generated by attrs for class SIProcess.
- IsBranch: bool
- IsLeaf: bool
- IsRoot: bool
- children: list
- cmd_line: str
- name: str
- parent_id: int
- parent_key: Optional[str]
- path: Optional[str]
- proc_key: Optional[str]
- process_id: str
- time_offset: int
- class msticpy.context.vtlookupv3.vtfile_behavior.VTFileBehavior(vt_key: Optional[str] = None, file_id: Optional[str] = None, file_summary: Optional[Union[DataFrame, Series, Dict[str, Any]]] = None)
Bases: object
VirusTotal File Behavior class.
Initialize the VTFileBehavior class.
- Parameters
vt_key (str, optional) – VirusTotal API key, by default None
file_id (Optional[str], optional) – The ID of the file to look up, by default None
file_summary (Optional[Union[pd.DataFrame, pd.Series, Dict[str, Any]]], optional) – VT file summary, by default None. This can be in one of the following formats:
  - VT object dictionary
  - Pandas DataFrame (the first row is assumed to be the file summary)
  - Pandas Series
- browse() -> Optional[ipywidgets.VBox]
Browse the behavior categories.
- get_file_behavior(sandbox: Optional[str] = None)
Retrieve the file behavior data.
- Parameters
sandbox (str, optional) – Name of the specific sandbox to retrieve, by default None. If None, the behavior summary is retrieved.
- property has_behavior_data: bool
Return True if file behavior data is available.
- property has_evtx: bool
Return True if EVTX data is available (Enterprise only).
- property has_memdump: bool
Return True if memory dump data is available (Enterprise only).
- property has_pcap: bool
Return True if PCAP data is available (Enterprise only).
- classmethod list_sandboxes() -> List[str]
Return list of known sandbox types.
- property process_tree: Any
Return the process tree plot.
- property sandbox_id: str
Return sandbox ID of detonation.
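The following is an added example, not msticpy's own code, that shows the VTFileBehavior call sequence documented above (constructor, get_file_behavior, has_behavior_data) and how the fields of the SIProcess data class (process_id, parent_id, proc_key, parent_key, IsRoot, IsLeaf, IsBranch, children, time_offset) link detonation processes into a tree that an analyst can walk during triage. The SIProcess mirror, the constructed sample processes, and the helpers build_process_tree, ancestry, render_tree and fetch_behavior are assumptions of this example; fetch_behavior needs a VirusTotal API key and network access, so it imports msticpy lazily and the rest of the file runs offline.

```python
"""Added example: process-tree handling modelled on msticpy's SIProcess fields (not msticpy code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SIProcess:
    """Mirror of the attrs-generated SIProcess fields (assumption: same field semantics)."""
    process_id: str
    name: str
    cmd_line: str
    parent_id: int = -1            # -1 means "no parent recorded", as in the page's default
    proc_key: Optional[str] = None
    parent_key: Optional[str] = None
    path: Optional[str] = None
    IsRoot: bool = False
    IsLeaf: bool = False
    IsBranch: bool = False
    children: List["SIProcess"] = field(default_factory=list)
    time_offset: int = 0           # seconds after detonation start


def build_process_tree(procs: List[SIProcess]) -> Dict[str, SIProcess]:
    """Link processes by parent_id, fill proc_key/parent_key and derive the IsRoot/IsLeaf/IsBranch flags.

    A parent_id that points at a process the sandbox did not record (common when the trace is
    truncated) is treated as "no parent", so that process becomes an extra root rather than an error.
    """
    by_key: Dict[str, SIProcess] = {}
    for proc in procs:
        proc.proc_key = proc.process_id
        proc.children = []                       # reset so the function is idempotent
        by_key[proc.proc_key] = proc
    for proc in procs:
        parent = by_key.get(str(proc.parent_id)) if proc.parent_id >= 0 else None
        if parent is None or parent is proc:     # missing parent or self-reference -> root
            proc.parent_key = None
        else:
            proc.parent_key = parent.proc_key
            parent.children.append(proc)
    for proc in procs:
        proc.IsRoot = proc.parent_key is None
        proc.IsLeaf = not proc.children
        proc.IsBranch = not proc.IsRoot and not proc.IsLeaf
    return by_key


def ancestry(by_key: Dict[str, SIProcess], proc_key: str) -> List[str]:
    """Return process names from the root down to proc_key (triage question: who spawned this?)."""
    chain: List[str] = []
    seen = set()                                 # guards against cycles in malformed data
    node = by_key.get(proc_key)
    while node is not None and node.proc_key not in seen:
        seen.add(node.proc_key)
        chain.append(node.name)
        node = by_key.get(node.parent_key) if node.parent_key else None
    return list(reversed(chain))


def render_tree(by_key: Dict[str, SIProcess]) -> List[str]:
    """Render the tree as indented text lines, children ordered by time_offset."""
    lines: List[str] = []

    def walk(node: SIProcess, depth: int) -> None:
        lines.append("  " * depth + f"{node.name} [{node.process_id}] {node.cmd_line}")
        for child in sorted(node.children, key=lambda c: c.time_offset):
            walk(child, depth + 1)

    for root in sorted((p for p in by_key.values() if p.IsRoot), key=lambda p: p.time_offset):
        walk(root, 0)
    return lines


def fetch_behavior(file_hash: str, vt_key: str, sandbox: Optional[str] = None):
    """Call sequence from the page: look up a file's behavior and return the object if data exists.

    Requires a VirusTotal API key and network access, so it is not exercised offline.
    """
    from msticpy.context.vtlookupv3.vtfile_behavior import VTFileBehavior  # lazy import

    vt_fb = VTFileBehavior(vt_key=vt_key, file_id=file_hash)
    vt_fb.get_file_behavior(sandbox=sandbox)     # sandbox=None -> behavior summary
    return vt_fb if vt_fb.has_behavior_data else None


# Constructed sample of a detonation trace (not real VirusTotal output).
SAMPLE_PROCESSES = [
    SIProcess("100", "winword.exe", "winword.exe /n report.docx", parent_id=-1, time_offset=0),
    SIProcess("200", "cmd.exe", "cmd.exe /c echo test", parent_id=100, time_offset=3),
    SIProcess("300", "powershell.exe", "powershell.exe -NoProfile -File script.ps1", parent_id=200, time_offset=5),
    SIProcess("400", "conhost.exe", "conhost.exe 0x4", parent_id=200, time_offset=4),
]


def tree_from_sample() -> Dict[str, SIProcess]:
    """Build the tree for the constructed sample."""
    return build_process_tree(SAMPLE_PROCESSES)


if __name__ == "__main__":
    tree = tree_from_sample()
    print("\n".join(render_tree(tree)))
    print("ancestry of 300:", " -> ".join(ancestry(tree, "300")))
```

The flags are derived rather than trusted from the input: IsRoot follows from having no recorded parent, IsLeaf from having no children, and IsBranch from being neither, which is the invariant the plotting code behind the process_tree property relies on. A process whose parent the sandbox never recorded surfaces as a second root, which is itself a useful signal that the trace is incomplete.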