Python SDK for using ReversingLabs services.
Project description
ReversingLabs SDK
The official Python SDK for using ReversingLabs services.
The idea behind this SDK is to enable easier out-of-the-box development of software integrations and automation services that need to interact with ReversingLabs.
The SDK consists of several modules, where each module represents either one ReversingLabs service, ReversingLabs appliance or the ReversingLabs TitaniumCloud.
ReversingLabs SDK Cookbook
For a simple and comprehensive guide on how to start using the ReversingLabs SDK, visit the ReversingLabs SDK Cookbook and explore the provided steps and examples.
Module: a1000
A Python module representing the ReversingLabs A1000 malware analysis platform.
Class:
class A1000(object):
def __init__(self, host, username, password, token, fields_v2, ticore_fields, wait_time_seconds, retries, verify, proxies, user_agent):
Parameters:
host
- A1000 address
username
- A1000 username
password
- A1000 password
token
- A1000 user token for the REST API
fields_v2
- optional fields that will be returned in the analysis report
ticore_fields
- optional fields that will be returned in the report from the TitaniumScale endpoint
wait_time_seconds
- wait time between each report fetching retry
retries
- number of report fetching retries
verify
- verify SSL certificate
proxies
- optional proxies in use
user_agent
- optional user agent string
NOTE!
The default means of authorization on the ReversingLabs A1000 REST API is the token.
If username and password are used instead, a token fetching request will be done so the token can be used in further actions without the user explicitly providing the token.
Class methods:
configuration_dump
- Returns the configuration of the instantiated A1000 object
test_connection
- Creates a request towards the A1000 Check Status API to test the connection with A1000
upload_sample_from_path
- Accepts a file path string and returns a response containing the analysis task ID
upload_sample_from_file
- Accepts a file open in 'rb' mode and returns a response containing the analysis task ID
submit_url_for_analysis
- Sends a URL for analysis on A1000.
check_submitted_url_status
- Accepts a task id returned by upload_sample_from_url and returns a response containing processing status and report if the report is ready
file_analysis_status
- Accepts a list of file hashes and returns their analysis completion information.
get_submitted_url_report
- Accepts a task ID returned by upload_sample_from_url and returns a response
- This method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready
submit_url_for_analysis_and_get_report
- Sends a URL for analysis on A1000.
- The result fetching action of this method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready
get_summary_report_v2
- Accepts a single hash or a list of hashes and returns JSON containing a summary report for each of them
- This method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready
upload_sample_and_get_summary_report_v2
- Accepts either a file path string or an open file in 'rb' mode for file upload and returns a summary analysis report response
- This method combines uploading a sample and obtaining the summary analysis report
- The result fetching action of this method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready
get_detailed_report_v2
- Accepts a single hash or a list of hashes and returns a detailed analysis report for the selected samples
- This method utilizes the set number of retries and wait time in seconds and times out if the analysis results are not ready
upload_sample_and_get_detailed_report_v2
- Accepts either a file path string or an open file in 'rb' mode for file upload and returns a detailed analysis report response.
- This method combines uploading a sample and obtaining the detailed analysis report.
- Additional fields can be provided.
- The result fetching action of this method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready.
get_classification_v3
- Get classification for one sample
reanalyze_samples_v2
- Accepts a single hash or a list of hashes of various types and reanalyzes the corresponding sample(s)
- This method can be used for reanalyzing a single sample or a batch of samples, depending on the data type passed
list_extracted_files_v2
- Get a list of all files TitaniumCore engine extracted from the requested sample during static analysis
list_extracted_files_v2_aggregated
- Get a list of all files TitaniumCore engine extracted from the requested sample during static analysis
- Paging is done automatically and results from individual responses aggregated into one list and returned
download_extracted_files
- Accepts a single hash string and returns a downloadable archive file containing files extracted from the desired sample
download_sample
- Accepts a single hash string and returns a downloadable sample
delete_samples
- Accepts a single hash string or a list of hashes and deletes the corresponding samples from A1000
check_sample_removal_status_v2
- "Accepts the task ID returned by the bulk sample removal endpoint and returns a response that indicates if the removal request was finished successfully and if all samples have been deleted
create_pdf_report
- Accepts a single hash string and initiates the creation of a PDF analysis report for the requested sample. The response includes links to the pdf creation status endpoint and pdf download ednpoint for the requested sample
check_pdf_report_creation
- Accepts a single hash string that should correspond to the hash used in the request with create_pdf_report method. The response includes an informative message about the status of the PDF report previously requested
download_pdf_report
- Accepts a single hash string that should correspond to the hash used in the request with create_pdf_report method
get_titanium_core_report_v2
- Accepts a single hash string and gets the full TitaniumCore static analysis report for the requested sample. The requested sample must be present on the appliance. If the optional fields parameter is not provided in the request, all available parts of the static analysis report are returned in the response
create_dynamic_analysis_report
- Accepts a single hash string and initiates the creation of PDF or HTML reports for samples that have gone through dynamic analysis in the ReversingLabs Cloud Sandbox. The response includes links to the report creation status endpoint and report download ednpoint for the requested sample
check_dynamic_analysis_report_status
- Accepts a single hash string and report format parameters that should correspond to the parameters used in the request with create_dynamic_analysis_report method. The response includes an informative message about the status of the report previously requested
download_dynamic_analysis_report
- Accepts a single hash string and report format parameters that should correspond to the parameters used in the request with create_dynamic_analysis_report method
set_classification
- Accepts a single hash string, allows the user to set the classification of a sample, either in TitaniumCloud or locally on the A1000. Returns a response containing a new classification
delete_classification
- Accepts a single hash string, allows the user to delete the classification of a sample, either in TitaniumCloud or locally on the A1000
get_user_tags
- Accepts a single hash string and returns lists of existing user tags for the requested sample
post_user_tags
- Accepts a single hash string and adds one or more user tags to the requested sample
delete_user_tags
- Accepts a single hash string and removes one or more user tags from the requested sample
get_yara_rulesets_on_the_appliance_v2
- Retrieves a list of YARA rulesets that are on the A1000 appliance
- The list can be filtered by several criteria (ruleset status, source, and owner) using optional parameters
get_yara_ruleset_contents
- Retrieves the full contents of the requested ruleset in raw text/plain format
- All rulesets can be retrieved, regardless of their current status on the appliance (enabled, disabled…)
get_yara_ruleset_matches_v2
- Retrieves the list of YARA matches (both local and cloud) for requested rulesets
- If multiple rulesets are provided in the request, only the samples that match all requested rulesets are listed in the response.
create_or_update_yara_ruleset
- Creates a new YARA ruleset if it doesn’t exist
- If a ruleset with the specified name already exists, a new revision (update) of the ruleset is created
delete_yara_ruleset
- Deletes the specified YARA ruleset and its matches from the appliance
enable_or_disable_yara_ruleset
- Enables/disables ruleset on the appliance
- Administrators can manage any ruleset while regular A1000 users can only manage their own rulesets
get_yara_ruleset_synchronization_time
- Gets information about the current synchronization status for TitaniumCloud-enabled rulesets
update_yara_ruleset_synchronization_time
- Updates the TitaniumCloud synchronization time for TitaniumCloud-enabled YARA rulesets
start_or_stop_yara_local_retro_scan
- Allows users to initiate the Local Retro scan on the A1000 appliance, and stop the Local Retro scan that is in progress on the appliance
get_yara_local_retro_scan_status
- Gets the status of Local Retro scan on the A1000 appliance
start_or_stop_yara_cloud_retro_scan
- Allows users to start and stop a Cloud Retro scan for a specified ruleset on the A1000 appliance, as well as to clear all Cloud Retro results for the ruleset
get_yara_cloud_retro_scan_status
- Gets the status of Cloud Retro for the specified YARA ruleset. The response indicates the current state of Cloud Retro
advanced_search_v3
- Sends a query string to the A1000 Advanced Search API v3
advanced_search_v3_aggregated
- Sends a query string to the A1000 Advanced Search API v3
- Paging is done automatically and results from individual responses aggregated into one list and returned
list_containers_for_hashes
- Gets a list of all top-level containers from which the requested sample has been extracted during analysis
- This is a bulk API, meaning that a single request can be used to simultaneously query containers for multiple file hashes
network_url_report
- Accepts a URL string and returns a report about the requested URL
network_domain_report
- Accepts a domain string and returns a report about the requested domain
network_ip_addr_report
- Accepts an IP address string and returns a report about the requested IP address
network_ip_to_domain
- Accepts an IP address string and returns a list of IP-to-domain mappings
network_ip_to_domain_aggregated
- Accepts an IP address string and returns a list of IP-to-domain mappings.
- This method performs the paging automatically and returns a specified maximum number of records
network_urls_from_ip
- Accepts an IP address string and returns a list of URLs hosted on the requested IP address
network_urls_from_ip_aggregated
- Accepts an IP address string and returns a list of URLs hosted on the requested IP address
- This method performs the paging automatically and returns a specified maximum number of records
network_files_from_ip
- Accepts an IP address string and returns a list of hashes and classifications for files found on the requested IP address
network_files_from_ip_aggregated
- Accepts an IP address string and returns a list of hashes and classifications for files found on the requested IP address
- This method performs the paging automatically and returns a specified maximum number of records
Module: ticloud
A Python module representing the ReversingLabs TitaniumCloud API-s.
Each class in this module represents one TitaniumCloud API and can be instantiated using the same set of parameters:
def __init__(self, host, username, password, verify, proxies, user_agent, allow_none_return)
Parameters:
host
- TitaniumCloud address
username
- TitaniumCloud username
password
- TitaniumCloud password
verify
- verify SSL certificate
proxies
- optional proxies in use
user_agent
- optional user agent string
allow_none_return
- if set to True
, 404
response codes will return None
instead of NotFoundError
Class:
class FileReputation(TiCloudAPI)
TCA-0101
Methods:
get_file_reputation
- Accepts a hash string or a list of hash strings and returns file reputation
- Hash strings in a passed list must all be of the same hashing algorithm
Class:
class AVScanners(TiCloudAPI)
TCA-0103
Methods:
get_scan_results
- Accepts a hash string or a list of hash strings and returns AV scanner results
- Hash strings in a passed list must all be of the same hashing algorithm
Class:
class FileAnalysis(TiCloudAPI)
TCA-0104
Methods:
get_analysis_results
- Accepts a hash string or a list of hash strings and returns extended file analysis
extract_uri_list_from_report
- Accepts a list of entries from the FileAnalysis report and returns a list of URI-s from those entries.
get_file_type
- Accepts a sample hash and returns the file type string
Class:
class RHA1FunctionalSimilarity(TiCloudAPI)
TCA-0301
Methods:
get_similar_hashes
- Accepts a hash string and returns a list of functionally similar hashes
- Returns only one defined page of results using one request
get_similar_hashes_aggregated
- Accepts a hash string and returns a list of functionally similar hashes
- Returns a list of results aggregated through multiple paginated requests
Class:
class RHA1Analytics(TiCloudAPI)
TCA-0321
Methods:
get_rha1_analytics
- Accepts one or more hash strings and returns a count of functionally similar hashes grouped by classification
Class:
class URIStatistics(TiCloudAPI)
TCA-0402
Methods:
get_uri_statistics
- Accepts a URI string and returns a count of files associated with that URI grouped by classification
Class:
class URIIndex(TiCloudAPI)
TCA-0401
Methods:
get_uri_index
- Accepts a URI string and returns a list of files associated with this URI
- Returns only one defined page of results using one request
get_uri_index_aggregated
- Accepts a URI string and returns a list of files associated with this URI
- Returns a list of results aggregated through multiple paginated requests
Class:
class AdvancedSearch(TiCloudAPI)
TCA-0320
Methods:
search
- Accepts a search query string and performs advanced search on the API
- Returns only one defined page of results using one request
search_aggregated
- Accepts a search query string and performs advanced search on the API
- Returns a list of results aggregated through multiple paginated requests
Class:
class ExpressionSearch(TiCloudAPI)
TCA-0306
Methods:
search
- Provides samples first seen on a particular date, filtered by search criteria.
search_aggregated
- Provides samples first seen on a particular date, filtered by search criteria.
- This method performs the paging automatically.
get_latest_expression
- Provdes samples for yesterday’s date tha match the requested criteria.
statistics_search
- Returns statistics about new samples in ReversingLabs TitaniumCloud on the requested date that match the used search criteria.
get_latest_statistics
- Returns statistics about new samples in ReversingLabs TitaniumCloud from yesterday's date.
Class:
class FileDownload(TiCloudAPI)
TCA-0201
Methods:
get_download_status
- Accepts a hash string and returns the sample's availability for download
download_sample
- Accepts a hash string and downloads the related sample from TitaniumCloud
Class:
class URLThreatIntelligence(TiCloudAPI)
TCA-0403
Methods:
get_url_report
- Accepts a URL string and returns detailed URL analysis info
get_downloaded_files
- Accepts a URL string and returns a list of files downloaded from that URL
get_latest_url_analysis_feed
- Returns the latest URL analysis reports
- Returns only one defined page of results using one request
get_latest_url_analysis_feed_aggregated
- Returns the latest URL analysis reports
- Returns a list of results aggregated through multiple paginated requests
get_url_analysis_feed_from_date
- Accepts time format and a start time and returns URL analysis reports from that defined time onward
- It is possible to list analyses up to 90 days into the past
- Returns only one defined page of results using one request
get_url_analysis_feed_from_date_aggregated
- Accepts time format and a start time and returns URL analysis reports from that defined time onward
- It is possible to list analyses up to 90 days into the past
- Returns a list of results aggregated through multiple paginated requests
Class:
class AnalyzeURL(TiCloudAPI)
TCA-0404
Methods:
submit_url
- Sends a URL string for analysis and returns an analysis task ID
Class:
class FileUpload(TiCloudAPI)
TCA-0202 and TCA-0203
Methods:
upload_sample_from_path
- Accepts a file path string and uploads the desired file to the File Upload API
upload_sample_from_file
- Accepts an open file handle and uploads the desired file to the File Upload API
Class:
class DeleteFile(TiCloudAPI)
TCA-0204
Methods:
delete_samples
- Accepts a single hash string or a list of hash strings belonging to samples you want to delete from the cloud
- You can only delete samples that were uploaded by the same cloud account
Class:
class ReanalyzeFile(TiCloudAPI)
TCA-0205
Methods:
reanalyze_samples
- Accepts a single hash string or a list of hash strings belonging to samples in the cloud you want to reanalyze
- The samples need to be already present in the cloud in order to be reanalyzed
Class:
class DynamicAnalysis(TiCloudAPI)
TCA-0207 and TCA-0106
Methods:
detonate_sample
- Submits a sample available in the cloud for dynamic analysis and returns processing info
- The sample needs to be available in TitaniumCloud beforehand
detonate_url
- Submits a URL for dynamic analysis and returns processing info
get_dynamic_analysis_results
- Returns dynamic analysis results for a desired sample or URL
- The analysis of the selected sample or URL must be finished for the results to be available
Class:
class CertificateIndex(TiCloudAPI)
TCA-0501
Methods:
get_certificate_information
- Accepts a hash (thumbprint) and returns a list of SHA1 hashes for samples signed with the certificate matching the requested thumbprint
get_certificate_information_aggregated
- Accepts a hash (thumbprint) and returns a list of SHA1 hashes for samples signed with the certificate matching the requested thumbprint
- This method automatically handles paging and returns a list of results instead of a Response object
Class:
class CertificateAnalytics(TiCloudAPI)
TCA-0502
Methods:
get_certificate_analytics
- Accepts a certificate hash thumbprint (hash string) and returns certificate analytics results
Class:
class CertificateThumbprintSearch(TiCloudAPI)
TCA-0503
Methods:
search_common_names
- Accepts a certificate common name and returns common names matching the request, along with the list of thumbprints of all the certificates sharing that common name
search_common_names_aggregated
- Accepts a certificate common name and returns common names matching the request, along with the list of thumbprints of all the certificates sharing that common name
- This method automatically handles paging and returns a list of results instead of a Response object
Class:
class RansomwareIndicators(TiCloudAPI)
Ransomware Indicators Feed
Methods:
get_indicators
- Accepts a list of indicator type strings and integers for historical hours, health check and returning only freemium indicators. Returns indicators of ransomware and related tools
Class:
class NewMalwareFilesFeed(ContinuousFeed)
TCF-0101
Methods:
pull_with_timestamp
- Accepts a time format definition and a time value. Returns malware detections from the requested time
pull
- Returns a list of malware detections since the point in time set by the set_start method. If the user has not previously used this method, nor has the set_start method been called, it will return records starting with the current timestamp
set_start
- This method sets the starting time for the pull method
Class:
class MWPChangeEventsFeed(ContinuousFeed)
TCF-0111
Methods:
pull_with_timestamp
- Accepts a time format definition and a time value. Returns samples with a newly calculated or changed malware presence (MWP) classification and threat name from the requested time
pull
- Returns a list of classification and threat name changes since the point in time set by the set_start() method
set_start
- This method sets the starting time for the pull() method
Class:
class NewMalwareURIFeed(TiCloudAPI)
TCF-0301
Methods:
pull_with_timestamp
- Accepts a time format definition and a time value. Returns records with Ps, domains, URLs, emails, and sample hashes extracted from malware samples
pull_latest
- Returns a maximum of 1000 latest records with Ps, domains, URLs, emails, and sample hashes extracted from malware samples
Class:
class NewFilesFirstScan(TiCloudAPI)
TCF-0107
Methods:
feed_query
- Accepts a time format definition and a time value. Optional arguments are available sample and result limit
- Returns a list of hashes for samples collected from various sources and scanned for the frist time in TitaniumCloud system
start_query
- Accepts a time format definition and a time value
- Sets the starting timestamp for the pull_query
pull_query
- Returns the list of hashes for samples scanned for the first time starting with the timestamp defined with start_query
Class:
class NewFilesFirstAndRescan(TiCloudAPI)
TCF-0108
Methods:
feed_query
- Accepts a time format definition and a time value. Optional arguments are available sample and result limit
- Returns a continuous list of samples in the TitaniumCloud system which have been scanned for the frist time or rescanned
start_query
- Accepts a time format definition and a time value
- Sets the starting timestamp for the pull_query
pull_query
- Returns the list of hashes for scanned samples starting with the timestamp defined with the start_query
Class:
class FilesWithDetectionChanges(TiCloudAPI)
TCF-0109
Methods:
feed_query
- Accepts a time format definition and a time value. Optional arguments are available sample and result limit
- Returns a list of hashes for scanned samples (first time scan or detection changes), starting with the provided timestamp
start_query
- Accepts a time format definition and a time value
- Sets the starting timestamp for the pull_query
pull_query
- Returns the list of hashes for scanned samples starting with the timestamp defined with the start_query
Class:
class CvesExploitedInTheWild(TiCloudAPI)
TCF-0202
Methods:
pull_daily_cve_report
- Accepts a time format definition and a time value.
- Returns a document containing the list of malware hashes (SHA1, SHA256, MD5), threat names, and threat counts associated with the CVE identifiers for the requested day
pull_latest_cve_report
- Returns a document containing the list of malware hashes (SHA1, SHA256, MD5), threat names, and threat counts associated with the CVE identifiers for the latest day for which we have data
Class:
class NewExploitOrCveSamplesFoundInWildHourly(TiCloudAPI)
TCF-0203
Methods:
hourly_exploit_list_query
- Accepts a time format definition and a time value. Optional arguments are available sample and result limit
- Returns a list of new file hashes that contain CVE or exploit identification and that are detected within the requested one-hour period in the TitaniumCloud system
latest_hourly_exploit_list_query
- Returns the results from latest hour for which we have data
Class:
class NewExploitAndCveSamplesFoundInWildDaily(TiCloudAPI)
TCF-0204
Methods:
daily_exploit_list_query
- Accepts a time format definition and a time value. Optional arguments are available sample and result limit
- Returns a list of ne file hashes that contain CVE or exploit identification and that are detected per day period in th TitaniumCloud system
latest_daily_exploit_list_query
- Returns the results from latest day for which we have data
Class:
class NewWhitelistedFiles(TiCloudAPI)
TCF-0501
Methods:
feed_query
- Accepts a time definition and a time value. Optional arguments are available sample and result limit
- Returns a list of newly whitelisted samples since the requested time
start_query
- Sets the starting timestamp for the pull_query
pull_query
- Returns the list of newly whitelisted samples, with the timestamp defined with the start_query
Class:
class ChangesWhitelistedFiles(TiCloudAPI)
TCF-0502
Methods:
feed_query
- Accepts a time definition and a time value
- Returns a list of the samples which changed their whitelist status since requested time
latest_query
- Returns the 1000 latest samples which changed their whitelist status
Class:
class ImpHashSimilarity(TiCloudAPI)
TCA-0302
Methods:
get_imphash_index
- Accepts an imphash and returns a list of SHA-1 hashes of files sharing that imphash
get_imphash_index_aggregated
- Accepts an imphash and returns a list of SHA-1 hashes of files sharing that imphash
- This method automatically handles paging and returns a list of results instead of a Response object
Class:
class YARAHunting(TiCloudAPI)
TCA-0303
Methods:
create_ruleset
- Creates a new YARA ruleset
- The ruleset_text parameter needs to be a stringified YARA ruleset / a Unicode string
delete_ruleset
- Deletes a YARA ruleset
get_ruleset_info
- Get information for a specific YARA ruleset or all YARA rulesets in the collection
get_ruleset_text
- Get the text of a YARA ruleset
yara_matches_feed
- Returns a recordset of YARA ruleset matches in the specified time range
Class:
class YARARetroHunting(TiCloudAPI)
TCA-0319
Methods:
enable_retro_hunt
- Enables the retro hunt for the specified ruleset that has been submitted to TitaniumCloud prior to deployment of YARA retro
start_retro_hunt
- Starts the retro hunt for the specified ruleset
check_status
- Checks the retro hunt status for the specified ruleset
cancel_retro_hunt
- Cancels the retro hunt for the specified ruleset
yara_retro_matches_feed
- Returns a recordset of YARA ruleset matches in the specified time range
Class:
class FileReputationUserOverride(TiCloudAPI)
TCA-0102
Methods:
override_classification
- Accepts two parameters
- A list of samples whose classification needs to be overriden
- A list of samples whose classification override needs to me removed
- Accepts two parameters
list_active_overrides
- Accepts a hash type designation and returns the hashes of all currently active classification overrides for the current organization.
list_active_overrides_aggregated
- Accepts a hash type designation and returns the hashes of all currently active classification overrides for the current organization. This method does the paging action automatically and a maximum number of results returned in the list can be defined with the max_results parameter.
Class:
class DomainThreatIntelligence(TiCloudAPI)
TCA-0405
Methods:
get_domain_report
- Accepts a domain string and returns threat intelligence data for the submitted domain.
get_downloaded_files
- Accepts a domain string and retrieves a list of files downloaded from the submitted domain.
get_downloaded_files_aggregated
- Accepts a domain string and retrieves a list of files downloaded from the submitted domain. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
urls_from_domain
- Accepts a domain string and returns a list of URLs associated with the requested domain.
urls_from_domain_aggregated
- Accepts a domain string and returns a list of URLs associated with the requested domain. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
domain_to_ip_resolutions
- Accepts a domain string and returns a list of domain-to-IP mappings for the requested domain.
domain_to_ip_resolutions_aggregated
- Accepts a domain string and returns a list of domain-to-IP mappings for the requested domain. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
related_domains
- Accepts a domain string and returns a list of domains that have the same top parent domain as the requested domain.
related_domains_aggregated
- Accepts a domain string and returns a list of domains that have the same top parent domain as the requested domain. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
Class:
class IPThreatIntelligence(TiCloudAPI)
TCA-0406
Methods:
get_ip_report
- Accepts an IP address as a string and returns threat intelligence data for the submitted IP address.
get_downloaded_files
- Accepts an IP address as a string and returns a list of files downloaded from the submitted IP address.
get_downloaded_files_aggregated
- Accepts an IP address as a string and returns a list of files downloaded from the submitted IP address. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
urls_from_ip
- Accepts an IP address as a string and returns a list of URLs associated with the requested IP.
urls_from_ip_aggregated
- Accepts an IP address as a string and returns a list of URLs associated with the requested IP. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
ip_to_domain_resolutions
- Accepts an IP address as a string and returns a list of IP-to-domain mappings for the specified IP address.
ip_to_domain_resolutions_aggregated
- Accepts an IP address as a string and returns a list of IP-to-domain mappings for the specified IP address. This method performs the paging automatically and returns a list of results. The maximum number of results to be returned can be set.
Class:
class FileAnalysisNonMalicious(TiCloudAPI)
TCA-0105
Methods:
get_analysis_results
- Accepts a hash string or a list of hash strings and returns knowledge about the given samples if they are classified as goodware.
Class:
class DataChangeSubscription(TiCloudAPI)
TCA-0206
Methods:
subscribe
- Subscribes to a list of samples (hashes) for which the changed data (if there are any) will be delivered in the Data Change Feed.
unsubscribe
- Unsubscribes from a list of samples that the user was previously subscribed to.
set_start_time
- Sets the starting point for the DataChangeSubscription.pull_from_feed method.
pull_from_feed
- Returns a recordset with samples to which the user is subscribed. The starting point for this action is set using the DataChangeSubscription.set_start_time method. If the starting point is not set, this method will return records starting with the current timestamp. Every subsequent request will continue from the timestamp where the previous request ended.
continuous_data_change_feed
- Returns a recordset with samples to which the user is subscribed from the timestamp stated in the request onwards. To fetch the next recordset, use the last_timestamp value from the response and submit it in a new request as the time_value parameter.
Class:
class NewMalwarePlatformFiltered(TiCloudAPI)
TCF-0102-0106
Methods:
feed_query
- Returns a list of malware samples optionally filtered by platform since the requested timestamp.
start_query
- Sets the starting timestamp for the pull_query.
pull_query
- Returns the list of malware samples optionally filtered by platform since a point in time set by the start_query.
Class:
class CustomerUsage(TiCloudAPI)
TCA-9999
Methods:
daily_usage
- Returns information about daily service usage for the TitaniumCloud account that sent the request.
monthly_usage
- Returns information about monthly service usage for the TitaniumCloud account that sent the request.
date_range_usage
- This method returns total usage for all product licenses with a fixed quota over a single date range.
active_yara_rulesets
- This method returns information about the number of active YARA rulesets for the TitaniumCloud account that sent the request.
quota_limits
- This method returns current quota limits for API-s accessible to the authenticated user.
Class:
class NetworkReputation(TiCloudAPI)
TCA-0407
Methods:
get_network_reputation
- Returns reputation information about queried URL-, domains and IP addresses.
Class:
class MalwareFamilyDetection(TiCloudAPI)
TCA-0305
Methods:
get_malware_family
- Returns all malware families to which sample belongs based on the detections from the latest AV scan
Class:
class VerticalFeedsStatistics(TiCloudAPI)
Vertical Feed Statistics API provides information about new malware samples detection in the ReversingLabs TitaniumCloud system, filtered by category (industry). Categories and API codes correspond to the ReversingLabs Targeted and Industry-Specific File Indicator Feeds (e.g., Financial, Retail, Exploits...).
Codes | Feed Name |
---|---|
TCA-0307 | APT (Advanced Persistent Threats) Statistics |
TCA-0308 | Financial Services Malware Statistics |
TCA-0309 | Retail Sector Malware Statistics |
TCA-0310 | Ransomware Statistics |
TCA-0311 | CVE Exploits Statistics |
TCA-0317 | Malware configuration Statistics |
Methods:
feed_query
- Returns information about new malware samples detected in TitaniumCloud, filtered by category
Class:
class VerticalFeedsSearch(TiCloudAPI)
Service can be used to retrieve information about new malware samples from ReversingLabs Targeted and Industry-Specific File Indicator Feeds by searching for malware family names. The feeds are specialized collections of malware families that are known to have significant impact within specific industries (Retail, Financial), as well as of malware families that share a common trait (exploits, ransomware). ReversingLabs carefully selects malware families for each feed based on public and internal research.
Codes | Feed name | Malware Family Names |
---|---|---|
TCA-0312 | APT (Advanced Persistent Threats) | CosmicDuke, CozyBear, Stuxnet, Hellsing |
TCA-0313 | Financial Services Malware | Alice, Dorkbot, Ramnit, Ripper |
TCA-0314 | Retail Sector Malware | AbaddonPOS, ChewBacca, Katrina, Poseidon |
TCA-0315 | Ransomware | BitCrypt, Nanolocker, NotPetya, WannaCry |
TCA-0316 | CVE Exploits | CVE-2008-4844, CVE-2014-0495, CVE-2017-0147, CVE-2017-8291 |
TCA-0318 | Malware Configuration | DarkComet, PoisonIvy, XtremeRAT, CyberGate |
Methods:
latest_query
- Returns latest information about new malware samples from ReversingLabs Targeted and Industry-Specific File Indicator Feeds by searching for malware family names.
feed_query
- Retruns information about new malware samples from ReversingLabs Targeted and Industry-Specific File Indicator Feeds by searching for malware family names based on time when they are added to a particular feed
Class:
class NetworkReputationUserOverride(TiCloudAPI)
TCA-0408
Methods:
reputation_override
- This method enables two actions in one request:
- Send a list of network locations whose classification needs to be overriden.
- Send a list of network locations whose classification override needs to be removed.
- This method enables two actions in one request:
list_overrides
- Returns a list of overrides that the user has made.
Class:
class TAXIIRansomwareFeed(TiCloudAPI)
Methods:
discovery_info
- Returns the information from the TAXII Server's discovery endpoint.
- The returned info shows the available api roots.
api_root_info
- Returns information about a specific api root.
collections_info
- Returns information about available collections in an api root.
get_objects
- Returns objects from a TAXII collection.
- Results can be filtered using several parameters.
get_objects_aggregated
- Returns objects from a TAXII collection.
- This method does the paging automatically and returns a defined number of objects as a list in the end.
Class:
class AdvancedActions(object)
Methods:
enriched_file_analysis
- Accepts a sample hash and returns a TCA-0104 File Analysis report enriched with a TCA-0106 Dynamic Analysis report.
Module: tiscale
A Python module representing the ReversingLabs TitaniumScale malware analysis appliance.
Class:
class TitaniumScale(object):
def __init__(self, host, token, wait_time_seconds, retries, verify, proxies, user_agent)
Parameters:
host
- TitaniumScale address
token
- TitaniumScale user token for the REST API
wait_time_seconds
- wait time between each report fetching retry
retries
- number of report fetching retries
verify
- verify SSL certificate
proxies
- optional proxies in use
user_agent
- optional user agent string
Methods:
upload_sample_from_path
- Accepts a file path string for file upload and returns a response containing the analysis task URL
upload_sample_from_file
- Accepts a file opened in 'rb' mode for file upload and returns a response containing the analysis task URL
get_results
- Accepts an analysis task URL and returns a file analysis summary or a full analysis report
- This method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready
upload_sample_and_get_results
- Accepts a file path string or an opened file in 'rb' mode for file upload and returns a file analysis summary or a full analysis report
- This method combines uploading a sample and obtaining the analysis results
- The result obtaining action of this method utilizes the set number of retries and wait time in seconds to time out if the analysis results are not ready
list_processing_tasks
- Lists processing tasks generated by file submission requests.
get_processing_task_info
- Retrieves information about a completed file processing task
delete_processing_task
- Deletes a processing task record from the system.
delete_multiple_tasks
- Deletes multiple task records from the system based on the time when they were submitted.
get_yara_id
- Retrieves the identifier of the current set of YARA rules on the TitaniumScale Worker instance.
Module: fie
A Python module representing the ReversingLabs File Inspection Engine platform.
Class:
class FileInspectionEngine(object):
def __init__(self, host, verify, proxies, user_agent)
Parameters:
host
- File Inspection Engine address
verify
- verify SSL certificate
proxies
- optional proxies in use
user_agent
- optional user agent string
Methods:
test_connection
- Creates a lightweight request towards the FIE scan API to test the connection.
scan_using_file_path
- Sends a file to the FIE for inspection and returns a simple verdict in the submit response.
- Uses a file path string as input.
scan_using_open_file
- Sends a file to the FIE for inspection and returns a simple verdict in the submit response.
- Uses an open file handle as input.
report_using_file_path
- Sends a file to the FIE for inspection and returns a more complex analysis report in the submit response.
- Uses a file path string as input.
report_using_open_file
- Sends a file to the FIE for inspection and returns a more complex analysis report in the submit response.
- Uses an open file handle as input.
Examples
A1000
from ReversingLabs.SDK.a1000 import A1000
# Using username and password for authorization
a1000 = A1000(
host="https://a1000.address",
username="username",
password="password",
verify=True,
wait_time_seconds=3,
retries=10
)
response = a1000.upload_sample_and_get_summary_report_v2(
file_path="/path/to/file.exe",
retry=True,
custom_filename="CustomName",
tags="custom,tags,go,here",
)
json_report = response.json()
from ReversingLabs.SDK.a1000 import A1000
# Using the token for authorization
a1000 = A1000(
host="http://a1000.address",
token="1js76asmklaslk288japj29s89z",
verify=False,
wait_time_seconds=2,
retries=15
)
response = a1000.list_extracted_files_v2(
sample_hash="cf23df2207d99a74fbe169e3eba035e633b65d94",
page_size=30
)
json_report = response.json()
TitaniumCloud
from ReversingLabs.SDK.ticloud import FileReputation, URIStatistics, FileDownload, FileUpload
host = "https://data.reversinglabs.com"
username = "username"
password = "password"
user_agent = "MyCustom App v0.0.1"
file_reputation = FileReputation(
host=host,
username=username,
password=password,
user_agent=user_agent
)
reputation = file_reputation.get_file_reputation(
hash_input="cf23df2207d99a74fbe169e3eba035e633b65d94",
extended_results=True,
show_hashes_in_results=False
)
uri_statistics = URIStatistics(
host=host,
username=username,
password=password,
user_agent=user_agent
)
statistics = uri_statistics.get_uri_statistics(
uri_input="youtube.com"
)
file_download = FileDownload(
host=host,
username=username,
password=password,
user_agent=user_agent
)
download = file_download.download_sample(
hash_input="cf23df2207d99a74fbe169e3eba035e633b65d94"
)
with open("/path/to/file", "wb") as file_handle:
file_handle.write(download.content)
file_upload = FileUpload(
host=host,
username=username,
password=password,
user_agent=user_agent
)
upload = file_upload.upload_sample_from_path(
file_path="/path/to/file",
sample_name="Custom Sample Name",
sample_domain="webdomain.com"
)
TitaniumScale
from ReversingLabs.SDK.tiscale import TitaniumScale
titanium_scale = TitaniumScale(
host="https://tiscale.address",
token="examplesecrettoken", # replace with a proper token
verify=True,
wait_time_seconds=5,
retries=6
)
results = titanium_scale.upload_sample_and_get_results(
file_source=open("/path/to/file.exe", "rb"),
full_report=True
)
File Inspection Engine
from ReversingLabs.SDK.fie import FileInspectionEngine
fie = FileInspectionEngine(
host="http://fie.address",
verify=True
)
results = fie.scan_using_file_path(
file_path="/local/path/to/file.exe"
)
print(results.json())
Error handling
Each module raises corresponding custom exceptions according to the error status code returned in the response. Custom exception classes that correspond to error status codes also carry the original response object in its entirety. To learn how to fetch and use the response object out of the exception object, see the following examples.
from ReversingLabs.SDK.ticloud import FileReputation
file_rep = FileReputation(
host="https://data.reversinglabs.com",
username="u/username",
password="password"
)
try:
resp = file_rep.get_file_reputation(hash_input="cf23df2207d99a74fbe169e3eba035e633b65d94")
except Exception as e:
if hasattr(e, "response_object"):
print(e.response_object.content)
else:
raise
Same approach can also be used for A1000 and TitaniumScale.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for reversinglabs_sdk_py3-2.7.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 319283311c13866f552294c783ab61e536998b06bef271fa4f6c4fbb6a5c8f6e |
|
MD5 | 953022057e015ca2a9100ea022d3b2a8 |
|
BLAKE2b-256 | d5e07fe35bfcde73cf52b29f061578115ab46be3fe619288e56602621e65b208 |
Hashes for reversinglabs_sdk_py3-2.7.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | fc25fd33b48e1ec3855639201b66bfb975e80b0bf043540394d4ebd50f4110c4 |
|
MD5 | 03b1535964bfbe9d19a29299f290e653 |
|
BLAKE2b-256 | 3ca3df568fe3996920231473940456107b3f167a1d294e27902943af2d0eb2af |