Logmanager documentation

Decode LEEF

This block converts data in LEEF format into the dictionary data type. A block carrying LEEF-formatted data is connected to the input, in most cases the “message” block with the “raw” key. The output of the block is a dictionary.

Block XML representation

XML representation of decode_leef block

<xml xmlns="http://www.w3.org/1999/xhtml">
  <block type="decode_leef">
    <value name="LEEF">
      <block type="message">
        <field name="OBJECT">raw</field>
      </block>
    </value>
  </block>
</xml>

Example of visual representation


Block “Decode LEEF”

Example of block usage


Example of “Decode LEEF” block

In the example, the block is used on the “set item to” row:

  • it loads the data from the “raw” key of the “message” dictionary and saves the resulting dictionary into the “item” variable,
  • the variables from the input message then appear in the processing result.

Input data

LEEF:0|HP|TippingPoint Advanced Threat Appliance - Network|3.71.1067|200119|Sample file sandbox analysis is finished|3|rt=Apr 01 2015 18:27:15 GMT+02:00 dvc=192.0.2.105 dvchost=ata deviceMacAddress=00:01:02:03:04:05 deviceExternalId=2D01275A8A0A-4C79B10C-3082-17B0-B315 fname=NONAMEFL fileHash=90CEAE5C4DB03632B845BE35953CB965583F1A72 deviceProcessHash=A8B1CB90931725E6A1413AA79A20858A6EA5E289 fileType=Text (HTML) fsize=107324 cs1Label=SandboxImageType cs1=win7sp1en_dn4.ova cn1Label=GRIDIsKnownGood cn1=-1 cn2Label=ROZRating cn2=-1 cn3Label=PcapReady cn3=0

Processing result


Results of “Decode LEEF” block
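A small decoder that produces the same kind of dictionary, as an added example that is not the Logmanager block's own code. It follows the LEEF 1.0 and 2.0 header layout (LEEF:Version|Vendor|Product|Version|EventID|, with an optional delimiter field in 2.0, tab by default) and the key=value attribute syntax; the “ExampleCo” records are constructed. The page's input line has two further pipe-separated fields (event name and severity) between the event ID and the attributes, which the standard LEEF header does not have, so only its attribute part is fed to the attribute splitter, where it exercises the case that matters in practice: space-delimited attributes whose values themselves contain spaces (rt=Apr 01 2015 18:27:15 GMT+02:00, fileType=Text (HTML)).

```python
"""LEEF decoder, added here as a worked example. It is not the Logmanager
block's own code; it follows the IBM LEEF 1.0/2.0 header layout and the
key=value attribute syntax. The sample records below are constructed."""
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("vendor", "product", "version", "event_id")

# A key starts the string or follows whitespace and is immediately followed by '='.
_KEY_RE = re.compile(r"(?:^|\s)([\w.\-]+)=")


def _split_header(text: str, count: int) -> Tuple[List[str], str]:
    """Take `count` pipe-separated fields off the front of `text`.

    A literal pipe inside a header field is escaped as '\\|' in LEEF, so the
    split is done by hand rather than with str.split('|').
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] == "|":
            buf.append("|")
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, text[i:]


def _decode_delim(token: str) -> str:
    """LEEF 2.0 delimiter field: empty (tab), one literal character, or hex such as 'x09' / '0x09'."""
    if token == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", token)
    if m:
        return chr(int(m.group(1), 16))
    if len(token) == 1:
        return token
    raise ValueError(f"invalid LEEF delimiter field {token!r}")


def _unescape(value: str) -> str:
    # LEEF escapes a literal '=' inside an attribute value as '\='.
    return value.replace("\\=", "=")


def _parse_attrs(text: str, delim: str) -> Dict[str, str]:
    """Split 'key=value' pairs. With a whitespace delimiter the values themselves may
    contain it (timestamps, file types), so keys are located by the 'key=' boundary and
    each value runs up to the next key instead of up to the next delimiter."""
    attrs: Dict[str, str] = {}
    if delim.isspace():
        matches = list(_KEY_RE.finditer(text))
        for m, nxt in zip(matches, matches[1:] + [None]):
            end = nxt.start() if nxt else len(text)
            attrs[m.group(1)] = _unescape(text[m.end():end].strip())
        return attrs
    for pair in text.split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = _unescape(value)
    return attrs


def decode_leef(line: str) -> Dict[str, object]:
    """Decode one LEEF record into a dictionary of header fields plus attributes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    fields, rest = _split_header(line[len("LEEF:"):], 5)
    if len(fields) < 5:
        raise ValueError("truncated LEEF header")
    version = fields[0]
    record: Dict[str, object] = {"leef_version": version}
    record.update(zip(HEADER_FIELDS, fields[1:]))
    delim = "\t"  # LEEF 1.0 is always tab-delimited; 2.0 may name another delimiter
    if version == "2.0":
        head, sep, tail = rest.partition("|")
        if sep and "=" not in head:  # a delimiter field is present (possibly empty)
            delim = _decode_delim(head)
            rest = tail
    record["attributes"] = _parse_attrs(rest, delim)
    return record


# Constructed sample records (not from the page): a 2.0 record with a '^' delimiter,
# an escaped pipe in the product name and an escaped '=' in a value, and a 1.0 record.
SAMPLE_V2_CARET = (
    "LEEF:2.0|ExampleCo|Web Proxy \\| Gateway|4.2|block|^|"
    "src=10.0.0.1^dst=198.51.100.7^dstPort=443^msg=policy\\=deny hit"
)
SAMPLE_V1_TAB = "LEEF:1.0|ExampleCo|IDS|2.3|signature_hit|src=10.0.0.5\tdst=10.0.0.6\tsev=7\tcat=malware"

# The attribute part of the page's own input line (everything after the '|3|' header
# fields); it is space-delimited and several values contain spaces.
PAGE_ATTRIBUTE_TAIL = (
    "rt=Apr 01 2015 18:27:15 GMT+02:00 dvc=192.0.2.105 dvchost=ata "
    "deviceMacAddress=00:01:02:03:04:05 deviceExternalId=2D01275A8A0A-4C79B10C-3082-17B0-B315 "
    "fname=NONAMEFL fileHash=90CEAE5C4DB03632B845BE35953CB965583F1A72 "
    "deviceProcessHash=A8B1CB90931725E6A1413AA79A20858A6EA5E289 fileType=Text (HTML) "
    "fsize=107324 cs1Label=SandboxImageType cs1=win7sp1en_dn4.ova cn1Label=GRIDIsKnownGood "
    "cn1=-1 cn2Label=ROZRating cn2=-1 cn3Label=PcapReady cn3=0"
)


def decode_page_attributes() -> Dict[str, str]:
    """Split the page's space-delimited attribute string into a dictionary."""
    return _parse_attrs(PAGE_ATTRIBUTE_TAIL, " ")


if __name__ == "__main__":
    for rec in (SAMPLE_V2_CARET, SAMPLE_V1_TAB):
        print(decode_leef(rec))
    print(decode_page_attributes())
```

When wiring such a decoder into a pipeline, treat a ValueError as a parse failure to be kept on the raw message rather than dropped: a record that does not split cleanly (unexpected header field count, a delimiter field that is not a single character or hex code, an attribute without '=') is exactly the record worth looking at.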