Endpoint analysis

EndpointAnalysis uploads the output of an endpoint scan to Intezer Analyze for triage. Both online and offline scans are supported.

Upload an offline scan directory

When the scanner has produced its output on disk, point an EndpointAnalysis at the directory and submit:

from pprint import pprint
from intezer_sdk import api
from intezer_sdk.endpoint_analysis import EndpointAnalysis

# Configure the API key once per process; every analysis object picks it up.
api.set_global_api('<api_key>')

# Point at the directory the scanner wrote its output to.
analysis = EndpointAnalysis(offline_scan_directory='/path/to/scan_output')
# wait=True blocks until the analysis finishes, so result() is available right after.
analysis.send(wait=True)
pprint(analysis.result())

Look up an existing endpoint analysis

If you already have an analysis id (for example from a webhook or from Alert.scans), you can load the analysis object without re-submitting the scan:

from pprint import pprint
from intezer_sdk.endpoint_analysis import EndpointAnalysis

# Loads the existing analysis; no scan data is uploaded.
analysis = EndpointAnalysis.from_analysis_id('<analysis_id>')
pprint(analysis.result())

from_analysis_id() returns None rather than raising if no analysis exists for the given id, so check the return value before calling result() on it; otherwise a stale or mistyped id surfaces later as an AttributeError.

Iterate sub-analyses

Each artifact the endpoint scan collects is analyzed on its own and is exposed as a SubAnalysis with its own sha256 and verdict:

from intezer_sdk.endpoint_analysis import EndpointAnalysis

analysis = EndpointAnalysis.from_analysis_id('<analysis_id>')
# One entry per artifact the scan analyzed.
for sub_analysis in analysis.get_sub_analyses():
    print(sub_analysis.sha256, sub_analysis.verdict)
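
Added example (not code from the intezer_sdk or from this page) that ties the two steps above together: loading an analysis by id while handling the None that from_analysis_id() returns for an unknown id, then turning the sub-analyses into something actionable, a per-verdict count and a de-duplicated list of SHA-256 values to block. It relies only on the two SubAnalysis attributes the page uses (sha256 and verdict) and on a loader callable, which is EndpointAnalysis.from_analysis_id in real use. The verdict strings, the FakeSubAnalysis/FakeEndpointAnalysis stand-ins and the sample hashes are constructed so the example runs without an API key; check the verdict names against your own results.

```python
"""Triage helpers for an endpoint analysis.

Added example, not part of the intezer_sdk. Assumes only that sub-analysis
objects expose `sha256` and `verdict`, and that the loader returns None for an
unknown analysis id (the documented from_analysis_id() behaviour).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Verdicts that warrant a blocklist entry. Assumed names; adjust to the values
# that actually appear in your analyses.
FLAGGED_VERDICTS = frozenset({"malicious", "suspicious"})


def load_endpoint_analysis(analysis_id: str,
                           loader: Callable[[str], Optional[Any]]) -> Any:
    """Load an analysis by id or fail loudly.

    `loader` is EndpointAnalysis.from_analysis_id in real use. It returns None
    for an unknown id; raising here keeps the failure next to its cause instead
    of an AttributeError on .result() several calls later.
    """
    analysis = loader(analysis_id)
    if analysis is None:
        raise LookupError(f"no endpoint analysis found for id {analysis_id!r}")
    return analysis


def verdict_counts(sub_analyses: Iterable[Any]) -> Dict[str, int]:
    """Count artifacts per verdict; case is normalised so 'Malicious' == 'malicious'."""
    return dict(Counter(str(sub.verdict).lower() for sub in sub_analyses))


def flagged_hashes(sub_analyses: Iterable[Any],
                   flagged: frozenset = FLAGGED_VERDICTS) -> List[str]:
    """Unique, lower-cased SHA-256 values of artifacts with a flagged verdict.

    The same binary can appear as several sub-analyses (for instance when it is
    loaded by more than one process), so the result is de-duplicated. Values
    that are not a well-formed SHA-256 are skipped rather than pushed to a
    blocklist.
    """
    hashes = set()
    for sub in sub_analyses:
        if str(sub.verdict).lower() not in flagged:
            continue
        sha = str(sub.sha256).lower()
        if SHA256_RE.match(sha):
            hashes.add(sha)
    return sorted(hashes)


def triage(analysis_id: str, loader: Callable[[str], Optional[Any]]) -> Dict[str, Any]:
    """Load the analysis and summarise its sub-analyses."""
    analysis = load_endpoint_analysis(analysis_id, loader)
    subs = list(analysis.get_sub_analyses())
    return {
        "analysis_id": analysis_id,
        "verdicts": verdict_counts(subs),
        "flagged_hashes": flagged_hashes(subs),
    }


# --- constructed stand-ins so the example runs offline -----------------------

@dataclass(frozen=True)
class FakeSubAnalysis:
    """Mimics the two SubAnalysis attributes the page uses."""
    sha256: str
    verdict: str


class FakeEndpointAnalysis:
    """Mimics EndpointAnalysis.get_sub_analyses()."""
    def __init__(self, subs: List[FakeSubAnalysis]) -> None:
        self._subs = subs

    def get_sub_analyses(self) -> List[FakeSubAnalysis]:
        return list(self._subs)


# Constructed sample: one binary seen twice (different hash case), one
# suspicious artifact, one trusted one, and a malformed hash on a malicious hit.
MAL_SHA = "ab" * 32
SUS_SHA = "cd" * 32
TRUSTED_SHA = "ef" * 32
SAMPLE_SUBS = [
    FakeSubAnalysis(MAL_SHA, "malicious"),
    FakeSubAnalysis(MAL_SHA.upper(), "Malicious"),
    FakeSubAnalysis(SUS_SHA, "suspicious"),
    FakeSubAnalysis(TRUSTED_SHA, "trusted"),
    FakeSubAnalysis("not-a-hash", "malicious"),
]
SAMPLE_ANALYSES = {"sample-analysis-id": FakeEndpointAnalysis(SAMPLE_SUBS)}


def fake_from_analysis_id(analysis_id: str) -> Optional[FakeEndpointAnalysis]:
    """Stand-in for EndpointAnalysis.from_analysis_id: None for unknown ids."""
    return SAMPLE_ANALYSES.get(analysis_id)


if __name__ == "__main__":
    # Real use: triage('<analysis_id>', EndpointAnalysis.from_analysis_id)
    print(triage("sample-analysis-id", fake_from_analysis_id))
```

With the real SDK, pass EndpointAnalysis.from_analysis_id as the loader and keep the rest unchanged; the output is a dict you can feed into a ticket or an allow/block pipeline. The hash validation is deliberate: an unexpected value in sha256 should be investigated, not silently written to a blocklist.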