msticpy.context.vtlookupv3.vtfile_behavior module

VirusTotal File Behavior functions.

class msticpy.context.vtlookupv3.vtfile_behavior.SIProcess(process_id, name, cmd_line, parent_id=-1, proc_key=None, parent_key=None, path=None, IsRoot=False, IsLeaf=False, IsBranch=False, children=NOTHING, time_offset=0)

Bases: object

Data class to hold each process from detonation.

Method generated by attrs for class SIProcess.

Parameters:

  • process_id (str)

  • name (str)

  • cmd_line (str)

  • parent_id (int)

  • proc_key (str | None)

  • parent_key (str | None)

  • path (str | None)

  • IsRoot (bool)

  • IsLeaf (bool)

  • IsBranch (bool)

  • children (list)

  • time_offset (int)

IsBranch: bool
IsLeaf: bool
IsRoot: bool
children: list
cmd_line: str
name: str
parent_id: int
parent_key: str | None
path: str | None
proc_key: str | None
process_id: str
time_offset: int
class msticpy.context.vtlookupv3.vtfile_behavior.VTFileBehavior(vt_key, file_id=None, file_summary=None)

Bases: object

VirusTotal File Behavior class.

Initialize the VTFileBehavior class.

Parameters:

  • vt_key (str, optional) – VirusTotal API key, by default None

  • file_id (Optional[str], optional) – The ID of the file to look up, by default None

  • file_summary (Optional[Union[pd.DataFrame, pd, Series, dict[str, Any]]], optional) – VT file summary - this can be in one of the following formats: VT object dictionary Pandas DataFrame - first row is assumed to be the file summary Pandas Series by default None

browse()

Browse the behavior categories.

Parameters:

self (Self)

Return type:

widgets.VBox | None

categories: dict[str, Any]
file_id: str | Any | None
file_summary: Series | dict[str, Timestamp] | dict[str, Any]
get_file_behavior(sandbox=None)

Retrieve the file behavior data.

Parameters:

  • sandbox (str, optional) – Name of specific sandbox to retrieve, by default None If None, it will retrieve the behavior summary.

  • self (Self)

Return type:

None

property has_behavior_data: bool

Return true if file behavior data available.

property has_evtx: bool

Return True if EVTX data is available (Enterprise only).

property has_memdump: bool

Return True if memory dump data is available (Enterprise only).

property has_pcap: bool

Return True if PCAP data is available (Enterprise only).

classmethod list_sandboxes()

Return list of known sandbox types.

Return type:

list[str]

property process_tree: figure | None

Return the process tree plot.

process_tree_df: DataFrame | None
property sandbox_id: str

Return sandbox ID of detonation.