msticpy.context.vtlookupv3.vtfile_behavior module
VirusTotal File Behavior functions.
- class msticpy.context.vtlookupv3.vtfile_behavior.SIProcess(process_id: str, name: str, cmd_line: str, parent_id: int = -1, proc_key: str | None = None, parent_key: str | None = None, path: str | None = None, IsRoot: bool = False, IsLeaf: bool = False, IsBranch: bool = False, children: list = NOTHING, time_offset: int = 0)
Bases: object
Data class to hold each process from detonation.
Method generated by attrs for class SIProcess.
- IsBranch: bool
- IsLeaf: bool
- IsRoot: bool
- children: list
- cmd_line: str
- name: str
- parent_id: int
- parent_key: str | None
- path: str | None
- proc_key: str | None
- process_id: str
- time_offset: int
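As an added example (not msticpy's own code), the following flattens a constructed VT-style detonation process tree into records carrying the same fields as SIProcess, filling in parent keys and the root/leaf/branch flags, and walks a record's lineage back to the detonation root for triage. The ProcRecord stand-in, the proc_key format and the sample tree are assumptions.

```python
"""Added example, not msticpy code: ProcRecord mirrors the SIProcess fields on this
page; the proc_key format and the sample report below are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample shaped like a VT v3 file-behaviour 'processes_tree' entry.
SAMPLE_TREE = [{"process_id": "1234", "name": "sample.exe", "time_offset": 0, "children": [
    {"process_id": "1300", "name": "cmd.exe /c whoami", "time_offset": 2, "children": []},
    {"process_id": "1310", "name": "powershell.exe -w hidden", "time_offset": 3, "children": [
        {"process_id": "1400", "name": "conhost.exe", "time_offset": 3, "children": []}]}]}]

@dataclass
class ProcRecord:  # stand-in with the same fields as msticpy's SIProcess
    process_id: str
    name: str
    cmd_line: str
    parent_id: int = -1
    proc_key: str | None = None
    parent_key: str | None = None
    path: str | None = None
    IsRoot: bool = False
    IsLeaf: bool = False
    IsBranch: bool = False
    children: list = field(default_factory=list)
    time_offset: int = 0

def flatten_tree(tree, parent=None, out=None):
    """Depth-first walk; proc_key '<pid>_<time_offset>' is an assumed format."""
    out = [] if out is None else out
    for node in tree:
        kids, cmd = node.get("children", []), node["name"]
        rec = ProcRecord(
            process_id=str(node["process_id"]), name=cmd.split()[0], cmd_line=cmd,
            parent_id=int(parent.process_id) if parent else -1,
            proc_key=f"{node['process_id']}_{node.get('time_offset', 0)}",
            parent_key=parent.proc_key if parent else None,
            IsRoot=parent is None, IsLeaf=not kids, IsBranch=parent is not None and bool(kids),
            children=[str(k["process_id"]) for k in kids], time_offset=int(node.get("time_offset", 0)))
        out.append(rec)
        flatten_tree(kids, rec, out)  # children get this record as their parent
    return out

def lineage(records, proc_key):
    """Command lines from the detonation root down to proc_key, for triage display."""
    by_key = {r.proc_key: r for r in records}
    chain = []
    while proc_key in by_key:
        chain.append(by_key[proc_key].cmd_line)
        proc_key = by_key[proc_key].parent_key
    return chain[::-1]
```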
- class msticpy.context.vtlookupv3.vtfile_behavior.VTFileBehavior(vt_key: str | None = None, file_id: str | None = None, file_summary: pd.DataFrame | pd.Series | dict[str, Any] | None = None)
Bases: object
VirusTotal File Behavior class.
Initialize the VTFileBehavior class.
- Parameters:
vt_key (str, optional) – VirusTotal API key, by default None
file_id (Optional[str], optional) – The ID of the file to look up, by default None
file_summary (Optional[Union[pd.DataFrame, pd.Series, dict[str, Any]]], optional) – VT file summary, by default None. This can be in one of the following formats:
  - VT object dictionary
  - Pandas DataFrame (the first row is assumed to be the file summary)
  - Pandas Series
- browse() → widgets.VBox | None
Browse the behavior categories.
- get_file_behavior(sandbox: str | None = None) → None
Retrieve the file behavior data.
- Parameters:
sandbox (str, optional) – Name of the specific sandbox to retrieve, by default None. If None, the behavior summary is retrieved.
- property has_behavior_data: bool
Return True if file behavior data is available.
- property has_evtx: bool
Return True if EVTX data is available (Enterprise only).
- property has_memdump: bool
Return True if memory dump data is available (Enterprise only).
- property has_pcap: bool
Return True if PCAP data is available (Enterprise only).
- classmethod list_sandboxes() → list[str]
Return list of known sandbox types.
- property process_tree: figure | None
Return the process tree plot.
- property sandbox_id: str
Return sandbox ID of detonation.