"""This script generates the visualizations JSON object that you can import into Kibana to visualize Cuckoo data."""
import json
from copy import deepcopy
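# Kibana saved-object template. Per field, only "_id", "_source.title" and
# "_source.visState" are rewritten; everything else (index pattern "cuckoo*",
# match-all query, object version) is emitted verbatim from this dict.
visualize_base = {
    "_id": "Cuckoo-Summary-Directory-Created",
    "_type": "visualization",
    "_source": {
        "title": "Cuckoo - Summary - Directory Created",
        # Placeholder only: replaced wholesale by json.dumps(<visState copy>)
        # in build_visualization().
        "visState": "{\"title\":\"Cuckoo - Summary - Directory Enumerated\",\"type\":\"table\",\"params\":{\"perPage\":50,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"summary.directory_created\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
        "uiStateJSON": "{}",
        "description": "",
        "version": 1,
        "kibanaSavedObjectMeta": {
            "searchSourceJSON": "{\"index\":\"cuckoo*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
        }
    }
}

# Decoded visualisation state for a data table: a count metric (aggs[0])
# bucketed by a terms aggregation (aggs[1]) on a single field. The field and
# the title are filled in per visualization; this dict itself is never mutated.
visState = {
    "params": {
        "perPage": 50,
        # NOTE(review): Kibana's table param is spelled "showMetricsAtAllLevels";
        # this key is kept as in the original -- confirm it is intended.
        "showMeticsAtAllLevels": False,
        "showPartialRows": False
    },
    "listeners": {},
    "type": "table",
    "aggs": [
        {
            "params": {},
            "type": "count",
            "id": "1",
            "schema": "metric"
        },
        {
            "params": {
                "orderBy": "1",
                "field": "summary.directory_created",
                "order": "desc",
                "size": 50
            },
            "type": "terms",
            "id": "2",
            "schema": "bucket"
        }
    ],
    "title": "Cuckoo - Summary - Directory Enumerated"
}

base_id = "Cuckoo"

# Elasticsearch field names from the Cuckoo report, one visualization each.
# The part before the first dot is the report section, the rest the attribute.
summary = """summary.downloads_file
summary.directory_enumerated
summary.wmi_query
summary.directory_created
summary.file_deleted
summary.file_recreated
summary.fetches_url
summary.file_exists
summary.regkey_deleted
summary.connects_ip
summary.command_line
summary.regkey_read
summary.file_failed
summary.file_opened
summary.guid
summary.mutex
summary.file_created
summary.regkey_written
summary.directory_removed
summary.file_moved
summary.resolves_host
summary.file_read
summary.regkey_opened
summary.file_written
summary.file_copied
summary.dll_loaded
summary.connects_host"""
summary_fields = summary.split()

procmemory_fields = ["procmemory.extracted.urls", "procmemory.extracted.type"]

target = """target.file.yara.strings
target.category
target.file.md5
target.file.yara.meta.description
target.file.sha512
target.file.path
target.file.yara.meta.author
target.file.crc32
target.file.sha1
target.file.name
target.file.sha256
target.file.type
target.file.size
target.file.urls
target.file.ssdeep"""
target_fields = target.split()

all_fields = procmemory_fields + summary_fields + target_fields


def build_visualization(field):
    """Return a Kibana visualization saved object for one Cuckoo ``field``.

    ``field`` is a dotted field name such as ``summary.mutex``; it is split at
    the first dot into the report section (``summary``) and the attribute
    (``mutex``), which form the saved-object id and title. Both templates are
    deep-copied, so repeated calls never share or corrupt state.
    """
    cuckoo_type, cuckoo_name = field.split(".", 1)
    title = "cuckoo" + " - " + cuckoo_type + " - " + cuckoo_name

    # Copy the template instead of mutating the module-level dict in place.
    state = deepcopy(visState)
    state["aggs"][1]["params"]["field"] = field
    # Keep the inner visState title in step with the saved object's title;
    # the template otherwise carries a stale "Directory Enumerated" title
    # into every generated visualization.
    state["title"] = title

    visualization = deepcopy(visualize_base)
    # "id" is a builtin; use a distinct local name for the saved-object id.
    visualization["_id"] = "cuckoo" + " " + cuckoo_type + " " + cuckoo_name
    visualization["_source"]["visState"] = json.dumps(state)
    visualization["_source"]["title"] = title
    return visualization


visualizations = []
for field in all_fields:
    visualization = build_visualization(field)
    # print() with a single argument behaves the same on Python 2 and 3.
    print(visualization["_source"]["title"])
    visualizations.append(visualization)

# Text mode: json.dump emits str, which a binary ("wb") handle rejects on
# Python 3.
with open("dumped_visualizations.json", "w") as f:
    json.dump(visualizations, f, indent=4)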