msticpy.context.vtlookupv3.vtfile_behavior module

VirusTotal File Behavior functions.

class msticpy.context.vtlookupv3.vtfile_behavior.SIProcess(process_id: str, name: str, cmd_line: str, parent_id: int = -1, proc_key: str | None = None, parent_key: str | None = None, path: str | None = None, IsRoot: bool = False, IsLeaf: bool = False, IsBranch: bool = False, children: list = NOTHING, time_offset: int = 0)

Bases: object

Data class to hold each process from detonation.

Method generated by attrs for class SIProcess.

IsBranch: bool
IsLeaf: bool
IsRoot: bool
children: list
cmd_line: str
name: str
parent_id: int
parent_key: str | None
path: str | None
proc_key: str | None
process_id: str
time_offset: int
class msticpy.context.vtlookupv3.vtfile_behavior.VTFileBehavior(vt_key: str | None = None, file_id: str | None = None, file_summary: pd.DataFrame | pd.Series | dict[str, Any] | None = None)

Bases: object

VirusTotal File Behavior class.

Initialize the VTFileBehavior class.

Parameters:
  • vt_key (str, optional) – VirusTotal API key, by default None

  • file_id (Optional[str], optional) – The ID of the file to look up, by default None

  • file_summary (Optional[Union[pd.DataFrame, pd.Series, dict[str, Any]]], optional) – VT file summary. This can be in one of the following formats: a VT object dictionary; a Pandas DataFrame (the first row is assumed to be the file summary); a Pandas Series. By default None.

browse() → widgets.VBox | None

Browse the behavior categories.

get_file_behavior(sandbox: str | None = None) → None

Retrieve the file behavior data.

Parameters:

sandbox (str, optional) – Name of the specific sandbox to retrieve, by default None. If None, the behavior summary (aggregated across sandboxes) is retrieved.

property has_behavior_data: bool

Return True if file behavior data is available.

property has_evtx: bool

Return True if EVTX data is available (Enterprise only).

property has_memdump: bool

Return True if memory dump data is available (Enterprise only).

property has_pcap: bool

Return True if PCAP data is available (Enterprise only).

classmethod list_sandboxes() → list[str]

Return list of known sandbox types.

property process_tree: figure | None

Return the process tree plot.

property sandbox_id: str

Return sandbox ID of detonation.
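Added usage example (not msticpy's own code): it shows how the two classes on this page fit together. The live part, fetch_behavior, drives VTFileBehavior exactly as documented above (list_sandboxes, get_file_behavior, has_behavior_data) and needs a VirusTotal API key and network access, so msticpy is imported lazily inside it. The offline part flattens a VT v3 processes_tree (nested process_id / name / children records) into rows with the same field names as SIProcess, so the parent/child keys and the IsRoot/IsLeaf/IsBranch flags can be inspected or fed to a process-tree plot. Assumptions, labelled in the code: SIProcessRow is a local stand-in for SIProcess rather than the real class; the proc_key format and the rule "IsBranch = has children and is not a root" are this example's choices, not msticpy's; SAMPLE_PROCESSES_TREE is constructed, not real detonation output; flag_lolbins is an illustrative detection helper.

```python
"""Flatten a VirusTotal v3 processes_tree into SIProcess-style rows.

Added example; not msticpy code. SIProcessRow mirrors the field names of
msticpy's SIProcess (assumption: names only) so this runs without msticpy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Constructed sample shaped like the processes_tree element of a VT v3
# file_behaviour summary (process_id, name, optional time_offset, nested
# children). Not real sandbox output.
SAMPLE_PROCESSES_TREE: list[dict[str, Any]] = [
    {
        "process_id": "1234",
        "name": "C:\\Windows\\explorer.exe",
        "children": [
            {
                "process_id": "2048",
                "name": "C:\\Users\\victim\\invoice.exe",
                "time_offset": 1,
                "children": [
                    {"process_id": "2100", "name": "powershell.exe -enc AAAA", "time_offset": 3},
                    {"process_id": "2104", "name": "cmd.exe /c whoami", "time_offset": 5},
                ],
            }
        ],
    },
    {"process_id": "3000", "name": "svchost.exe", "children": []},
]


@dataclass
class SIProcessRow:
    """Local stand-in for msticpy's SIProcess (same field names, assumed)."""

    process_id: str
    name: str
    cmd_line: str
    parent_id: int = -1
    proc_key: str | None = None
    parent_key: str | None = None
    path: str | None = None
    IsRoot: bool = False
    IsLeaf: bool = False
    IsBranch: bool = False
    children: list = field(default_factory=list)
    time_offset: int = 0


def flatten_process_tree(tree: list[dict[str, Any]], sandbox_id: str = "sandbox") -> list[SIProcessRow]:
    """Depth-first walk of a nested processes_tree; returns one row per process."""
    rows: list[SIProcessRow] = []

    def walk(node: dict[str, Any], parent: SIProcessRow | None) -> None:
        cmd_line = str(node.get("name", ""))  # VT's "name" usually carries the full command line
        exe_path = cmd_line.split(" ", 1)[0] if cmd_line else ""
        pid = str(node.get("process_id", ""))
        row = SIProcessRow(
            process_id=pid,
            name=exe_path.replace("\\", "/").rsplit("/", 1)[-1],
            cmd_line=cmd_line,
            parent_id=int(parent.process_id) if parent and parent.process_id.isdigit() else -1,
            # Assumption: key = sandbox|row index|pid keeps keys unique even if PIDs are reused.
            proc_key=f"{sandbox_id}|{len(rows)}|{pid}",
            parent_key=parent.proc_key if parent else None,
            path=exe_path or None,
            time_offset=int(node.get("time_offset", 0)),
        )
        kids = node.get("children") or []
        row.IsRoot = parent is None
        row.IsLeaf = not kids
        row.IsBranch = not row.IsRoot and not row.IsLeaf  # assumption: branch = interior node
        rows.append(row)
        if parent is not None:
            parent.children.append(row.proc_key)
        for child in kids:
            walk(child, row)

    for root in tree:
        walk(root, None)
    return rows


def lineage(rows: list[SIProcessRow], proc_key: str) -> list[str]:
    """Process names from the root down to the given process."""
    by_key = {r.proc_key: r for r in rows}
    chain: list[str] = []
    node = by_key.get(proc_key)
    while node is not None:
        chain.append(node.name)
        node = by_key.get(node.parent_key) if node.parent_key else None
    return list(reversed(chain))


def flag_lolbins(rows: list[SIProcessRow], watchlist: tuple[str, ...] = ("powershell.exe", "cmd.exe")) -> list[list[str]]:
    """Illustrative triage helper: full lineage of every interpreter spawned in the detonation."""
    return [lineage(rows, r.proc_key) for r in rows if r.name.lower() in watchlist]


def fetch_behavior(file_id: str, vt_key: str, sandbox: str | None = None):
    """Live lookup via the VTFileBehavior API documented on this page (needs key + network)."""
    from msticpy.context.vtlookupv3.vtfile_behavior import VTFileBehavior

    if sandbox is not None and sandbox not in VTFileBehavior.list_sandboxes():
        raise ValueError(f"unknown sandbox {sandbox!r}; see VTFileBehavior.list_sandboxes()")
    vt_fb = VTFileBehavior(vt_key=vt_key, file_id=file_id)
    vt_fb.get_file_behavior(sandbox=sandbox)  # None fetches the cross-sandbox summary
    if not vt_fb.has_behavior_data:
        raise LookupError(f"no behavior data for {file_id}")
    return vt_fb  # caller can then use vt_fb.process_tree or vt_fb.browse()


if __name__ == "__main__":
    for row in flatten_process_tree(SAMPLE_PROCESSES_TREE, "vt"):
        print(row.proc_key, row.parent_key, row.name, row.IsRoot, row.IsLeaf, row.IsBranch)
```

When running the live path, pass the sandbox name only if it appears in list_sandboxes(); otherwise leave it None and let get_file_behavior return the behavior summary, then check has_pcap / has_evtx / has_memdump before trying to pull those Enterprise-only artifacts.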