assemblyline-models 0.8.1

Data models for the Assemblyline malware analysis platform.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71


use std::collections::HashMap;

use serde::{Deserialize, Serialize};
use struct_metadata::Described;

use crate::{ElasticMeta, Readable, types::{ExpandingClassification, Text}};


/// Model of Service Heuristics
#[derive(Debug, Serialize, Deserialize, Described, Clone)]
#[metadata_type(ElasticMeta)]
#[metadata(index=true, store=true)]
pub struct Heuristic {
    /// List of all associated ATT&CK IDs
    #[metadata(copyto="__text__")]
    #[serde(default)]
    pub attack_id: Vec<String>,
    /// Classification of the heuristic
    #[serde(flatten)]
    pub classification: ExpandingClassification,
    /// Description of the heuristic
    #[metadata(copyto="__text__")]
    pub description: Text,
    /// What type of files does this heuristic target?
    #[metadata(copyto="__text__")]
    pub filetype: String,
    /// ID of the Heuristic
    #[metadata(copyto="__text__")]
    pub heur_id: String,
    /// Name of the heuristic
    #[metadata(copyto="__text__")]
    pub name: String,
    /// Default score of the heuristic
    pub score: i32,
    /// Score of signatures for this heuristic
    #[serde(default)]
    pub signature_score_map: HashMap<String, i32>,
    /// Statistics related to the Heuristic
    #[serde(default)]
    pub stats: Statistics,
    /// Maximum score for heuristic
    pub max_score: Option<i32>,
}

impl Readable for Heuristic {
    fn set_from_archive(&mut self, _from_archive: bool) {}
}


/// Statistics Model
#[derive(Debug, Serialize, Deserialize, Described, Default, Clone)]
#[serde(default)]
#[metadata_type(ElasticMeta)]
#[metadata(index=true, store=true)]
pub struct Statistics {
    /// Count of statistical hits
    pub count: i32,
    /// Minimum value of all stastical hits
    pub min: i32,
    /// Maximum value of all stastical hits
    pub max: i32,
    /// Average of all stastical hits
    pub avg: i32,
    /// Sum of all stastical hits
    pub sum: i32,
    /// Date of first hit of statistic
    pub first_hit: Option<chrono::DateTime<chrono::Utc>>,
    /// Date of last hit of statistic
    pub last_hit: Option<chrono::DateTime<chrono::Utc>>,
}