Closed thelok closed 8 years ago
Interesting. If you view that specific Malware Analyses via the web I assume the field doesn't exist either?
How do you view it via the web?
Man, getting the ID was really difficult. But the answer is no, it doesn't exist in the web JSON result either.
There's a victim count though.
What if you add "&metadata=1" to the URL? Does it show submitter_count as a viable field?
A whole bunch of extra fields but no submitter count
On a separate note, in the query builder the "Status" field is never used when submitting the form, probably because it has an id="text".
And "importing" IP_ADDRESS types don't work because the CRITs vocab doesn't define an IP_ADDRESS type =) Sounds like we'll need a mapping or a new type.
Won't need a new type. We purposely decided to specify whether something is IPv4 or IPv6. Same goes with exporting. It will require you to pick IP_ADDRESS at this time. But we will need to map on import I guess.
Added a couple things. Hopefully that maps at least the IP_ADDRESS and IP_SUBNET types to IPV4_ADDRESS and IPV4_SUBNET (we really should check to see if we should use v4 or v6). Also removed SUBMITTER_COUNT from something we query for on import since we don't really use it (still following up with the TX folks as I was unaware it was being removed). Also fixed the Status ID so it's actually "status" now. Let me know if those fixes help anything!
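The v4-or-v6 check mentioned in the comment above, sketched as an added example (not the CRITs or pytx code): it parses each imported value with Python's standard `ipaddress` module and picks the CRITs type from the parsed version. The function names and sample rows are hypothetical, and the `IPV6_ADDRESS` / `IPV6_SUBNET` names are assumed counterparts of the `IPV4_*` names in the thread.

```python
import ipaddress

# ThreatExchange type -> CRITs type per IP version.
# IPV4_* names come from the thread; IPV6_* names are assumed counterparts.
TX_TO_CRITS = {
    "IP_ADDRESS": {4: "IPV4_ADDRESS", 6: "IPV6_ADDRESS"},
    "IP_SUBNET": {4: "IPV4_SUBNET", 6: "IPV6_SUBNET"},
}

def map_tx_type(tx_type, value):
    """Return (crits_type, normalized_value); raise ValueError on a bad IP."""
    versions = TX_TO_CRITS.get(tx_type)
    if versions is None:
        return tx_type, value  # not an IP type: pass through unchanged
    value = value.strip()
    if tx_type == "IP_ADDRESS":
        parsed = ipaddress.ip_address(value)
    else:
        # strict=False tolerates host bits, e.g. 198.51.100.7/24 -> 198.51.100.0/24
        parsed = ipaddress.ip_network(value, strict=False)
    return versions[parsed.version], str(parsed)

def map_batch(rows):
    """Map every row; collect unparseable IP values instead of importing them."""
    mapped, rejected = [], []
    for tx_type, value in rows:
        try:
            mapped.append(map_tx_type(tx_type, value))
        except ValueError:
            rejected.append((tx_type, value))
    return mapped, rejected

# Constructed sample rows (documentation address ranges), not real indicators.
SAMPLE = [
    ("IP_ADDRESS", "192.0.2.10"),
    ("IP_ADDRESS", "2001:DB8::1"),
    ("IP_SUBNET", "198.51.100.7/24"),
    ("IP_SUBNET", "2001:db8::/32"),
    ("IP_ADDRESS", "not-an-ip"),
    ("DOMAIN", "example.com"),
]

if __name__ == "__main__":
    mapped, rejected = map_batch(SAMPLE)
    for crits_type, value in mapped:
        print(crits_type, value)
    print("rejected:", rejected)
```

Rejected rows are returned rather than silently defaulted to IPv4, so a malformed value never lands in the database under the wrong type.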
Ok after discussing with the ThreatExchange folks it seems submitter_count was removed from the Graph for all of the ThreatExchange objects. I updated pytx to 0.4.1 to support this and also updated the CRITs code again to remove it. You'll need to update to master and to the latest version of pytx.
That was fast, thanks!
I understand ThreatExchange is still under development, but just want to document this here.
Queried for malware families => variants => dropped by => Import