Decode LEEF
This block converts data in LEEF format to the dictionary data type. A block containing data in LEEF format is connected to its input, in most cases a “message” block with the “raw” key. The output of this block is a dictionary.
XML representation of the decode_leef block
<xml xmlns="http://www.w3.org/1999/xhtml">
<block type="decode_leef">
<value name="LEEF">
<block type="message">
<field name="OBJECT">raw</field>
</block>
</value>
</block>
</xml>
In the example, the block is used on the “set item to” row:
- it loads data from the “raw” key of the “message” dictionary and saves the resulting dictionary in the “item” variable,
- the variables from the input message then appear in the processing result.
Example LEEF event used as the input:
LEEF:0|HP|TippingPoint Advanced Threat Appliance - Network|3.71.1067|200119|Sample file sandbox analysis is finished|3|rt=Apr 01 2015 18:27:15 GMT+02:00 dvc=192.0.2.105 dvchost=ata deviceMacAddress=00:01:02:03:04:05 deviceExternalId=2D01275A8A0A-4C79B10C-3082-17B0-B315 fname=NONAMEFL fileHash=90CEAE5C4DB03632B845BE35953CB965583F1A72 deviceProcessHash=A8B1CB90931725E6A1413AA79A20858A6EA5E289 fileType=Text (HTML) fsize=107324 cs1Label=SandboxImageType cs1=win7sp1en_dn4.ova cn1Label=GRIDIsKnownGood cn1=-1 cn2Label=ROZRating cn2=-1 cn3Label=PcapReady cn3=0
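As an added example (not part of this page and not the product's own decoder), the following Python function performs the same LEEF-to-dictionary decoding on the sample event above: header fields are split on unescaped pipes, the attribute block starts at the first `key=` field, values containing spaces (such as `rt` and `fileType`) stay intact, and the LEEF 2.0 delimiter field is honoured when present. The output key names `vendor`, `product`, `product_version`, `event_id` and `extra_header` are my own choice, not the block's field names.

```python
import re
from typing import Dict
HEADER_RE = re.compile(r"^LEEF:(\d+(?:\.\d+)?)\|")
PIPE_RE = re.compile(r"(?<!\\)\|")                    # "|" not escaped as "\|"
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # "key=" opening an attribute pair
HEX_DELIM_RE = re.compile(r"0?x[0-9A-Fa-f]{2}")       # LEEF 2.0 hex delimiter, e.g. x09

def _split_attributes(text: str, delim: str) -> Dict[str, str]:
    """Turn the key=value block into a dict; values may contain spaces."""
    attrs: Dict[str, str] = {}
    if delim:                                         # explicit LEEF 2.0 delimiter
        for pair in text.split(delim):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value
        return attrs
    starts = list(KEY_RE.finditer(text))              # whitespace-delimited pairs
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        attrs[m.group(1)] = text[m.end():end].strip()
    return attrs

def parse_leef(line: str) -> Dict[str, object]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("input does not start with a LEEF header")
    version, pos, header = m.group(1), m.end(), []
    # Consume pipe-delimited header fields until one begins with "key=", so an
    # unescaped "|" inside an attribute value is never treated as a separator.
    for sep in PIPE_RE.finditer(line, pos):
        field = line[pos:sep.start()]
        if KEY_RE.match(field):
            break
        header.append(field.replace("\\|", "|"))
        pos = sep.end()
    delim = ""
    if version == "2.0" and len(header) >= 5:         # 5th field names the delimiter
        raw = header[4]
        delim = chr(int(raw[-2:], 16)) if HEX_DELIM_RE.fullmatch(raw) else raw
    event: Dict[str, object] = {"leef_version": version}
    event.update(zip(["vendor", "product", "product_version", "event_id"], header))
    event["extra_header"] = header[5:] if version == "2.0" else header[4:]
    event.update(_split_attributes(line[pos:], delim))
    return event

# Sample event from the page above, shortened to a few attributes.
SAMPLE = ("LEEF:0|HP|TippingPoint Advanced Threat Appliance - Network|3.71.1067|200119|"
          "Sample file sandbox analysis is finished|3|rt=Apr 01 2015 18:27:15 GMT+02:00 "
          "dvc=192.0.2.105 dvchost=ata fileType=Text (HTML) fsize=107324 cn3=0")
```

Note that the page's sample carries two extra header fields (event name and severity) before the attributes; they land in `extra_header`, while a standard LEEF 1.0 or 2.0 header leaves that list empty.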