intezer_sdk package

The intezer_sdk package wraps the Intezer Analyze 2.0 API. The submodules below correspond one-to-one with the public modules in the package; private modules whose names start with an underscore are intentionally omitted.

Submodules

intezer_sdk.account module

Account information and quota management.

This module exposes the Account class for retrieving account details, listing accounts in an organization, and reading quota usage.

class intezer_sdk.account.Account(account_id: str, account_details: dict, *, api: IntezerApiClient)

Bases: object

Represents an Intezer account and provides access to its details and quota.

property created_time: datetime | None

property email: str | None

classmethod from_account_id(account_id: str, api: IntezerApiClient = None) → Account | None

Get details about an account.

Parameters:

• account_id – The account id

• api – The API connection to Intezer.

Returns:

The account

classmethod from_myself(api: IntezerApiClient = None) → Account

Get information about the current account

Parameters:

api – The API connection to Intezer.

Returns:

The account

classmethod get_my_quota(api: IntezerApiClient = None, raise_on_no_file_quota=False, raise_on_no_endpoint_quota=False) → dict

Get quota usage of the current account

Parameters:

• api – The API connection to Intezer.

• raise_on_no_file_quota – should raise intezer_sdk.errors.InsufficientQuotaError if no file quota left

• raise_on_no_endpoint_quota – should raise intezer_sdk.errors.InsufficientQuotaError if no endpoint quota left

Returns:

classmethod get_organization_account(api: IntezerApiClient = None) → list[Account]

Get all accounts in the organization.

Parameters:

api – The API connection to Intezer.

Returns:

A list of accounts associated with the organization

property last_sign_in_time: datetime | None

property name: str

intezer_sdk.alerts module

Alert ingestion and search.

This module exposes the Alert class for sending raw or pre-parsed alerts to Intezer, polling for triage results, and providing a triage verdict back to the analyst. It also offers helpers for fetching alerts by id and searching alert history.

class intezer_sdk.alerts.Alert(alert_id: str | None = None, environment: str | None = None, alert_stream: BinaryIO | None = None, api: IntezerApiClient = None)

Bases: object

The Alert class is used to represent an alert from the Intezer Platform API.

Variables:

• alert_id (str) – The alert id.

• _report – The raw alert data.

• verdict (str) – The verdict of the alert.

• family_name (str) – The family name of the alert.

• sender (str) – The sender of the alert.

• intezer_alert_url (str) – URL for the alert in Intezer’s website.

• scans (list) – Relevant scans for the alert.

• alert_update_time (datetime.datetime | None) – Timestamp when this alert was updated.

check_status() → AlertStatusCode

Refresh the alert data from the Intezer Platform API - overrides current data (if exists) with the new data.

Returns:

The updated status of the alert.

delete(wait_for_completion: bool = False) → Operation

fetch_scans()

Fetch the scans of the alert.

classmethod from_id(alert_id: str, environment: str | None = None, api: IntezerApiClient = None, fetch_scans: bool = False, wait: bool = False, timeout: int | None = None, raise_on_in_progress: bool = True)

Create a new Alert instance, and fetch the alert data from the Intezer Platform API.

Parameters:

• alert_id – The alert id.

• environment – The environment of the alert.

• api – The API connection to Intezer.

• fetch_scans – Whether to fetch the scans for the alert - this could take some time.

• wait – Wait for the alert to finish processing before returning.

• raise_on_in_progress – Raise AlertInProgressError if status is IN_PROGRESS instead of returning partial alert data (only applies when wait=False).

• timeout – The timeout for the wait operation.

Raises:

• intezer_sdk.errors.AlertNotFound – If the alert was not found.

• intezer_sdk.errors.AlertInProgressError – If the alert is still being processed and raise_on_in_progress=True.

• intezer_sdk.errors.AlertConflictError – If the alert is ambiguous across environments and no environment was provided.

Returns:

The Alert instance, with the updated alert data.

get_raw_data(environment: str | None = None, raw_data_type: str = 'raw_alert') → dict

Get raw alert data.

Parameters:

• environment – The environment to get raw data from. If not provided, the environment will be taken from the alert.

• raw_data_type – The type of raw data to retrieve. Defaults to ‘raw_alert’.

Returns:

The raw alert data.

is_running() → bool

notify() → list[str]

Send a notification for this alert.

Raises:

• intezer_sdk.errors.AlertNotFoundError – If the alert was not found.

• intezer_sdk.errors.AlertInProgressError – If the alert is still being processed.

Raises:

requests.HTTPError if the request failed for any reason.

Returns:

List of notified channels.

result() → dict

Get the raw alert result, as received from Intezer Platform API.

Raises:

• intezer_sdk.errors.AlertNotFoundError – If the alert was not found.

• intezer_sdk.errors.AlertInProgressError – If the alert is in progress and raise_on_in_progress=True.

Returns:

The raw alert dictionary.

classmethod send(raw_alert: dict, alert_mapping: dict, source: str, api: IntezerApiClient = None, environment: str | None = None, display_fields: list[str] | None = None, default_verdict: str | None = None, alert_sender: str | None = None, wait: bool = False, timeout: int | None = None)

Send an alert for further investigation using the Intezer Platform API.

Parameters:

• raw_alert – The raw alert data.

• alert_mapping – The alert mapping - defines how to map the raw alert to get relevant information.

• source – The source of the alert.

• api – The API connection to Intezer.

• environment – The environment of the alert.

• display_fields – Fields from raw alert to display in the alert’s webpage.

• default_verdict – The default verdict to send the alert with.

• alert_sender – The sender of the alert.

• wait – Wait for the alert to finish processing before returning.

• timeout – The timeout for the wait operation.

Raises:

requests.HTTPError if the request failed for any reason.

Returns:

The Alert instance, initialized with the alert id. when the wait parameter is set to True, the resulting alert object will be initialized with the alert triage data.

classmethod send_phishing_email(raw_email: BinaryIO | None = None, api: IntezerApiClient | None = None, environment: str | None = None, default_verdict: str | None = None, alert_sender: str | None = None, wait: bool = False, timeout: int | None = None, email_path: str | None = None, additional_info: dict | None = None, zip_password: str | None = None)

Send an alert for further investigation using the Intezer Platform API. Should pass either raw_email or email_path.

Parameters:

• raw_email – The raw alert data.

• api – The API connection to Intezer.

• environment – The environment of the alert.

• default_verdict – The default verdict to send the alert with.

• alert_sender – The sender of the alert.

• wait – Wait for the alert to finish processing before returning.

• timeout – The timeout for the wait operation.

• email_path – The path to the email file.

• additional_info – Additional information to send with the alert.

• zip_password – ZIP password to extract the email.

Raises:

requests.HTTPError if the request failed for any reason.

Returns:

The Alert instance, initialized with the alert id. when the wait parameter is set to True, the resulting alert object will be initialized with the alert triage data.

wait_for_completion(interval: int = None, sleep_before_first_check=False, timeout: timedelta | None = None)

Blocks until the alert is finished processing, or until the timeout is reached.

Parameters:

• interval – The interval to wait between checks in seconds.

• sleep_before_first_check – Whether to sleep before the first status check.

• timeout – Maximum duration to wait for analysis completion in seconds.

Raises:

• intezer_sdk.errors.AlertNotFoundError – If the alert was not found.

• TimeoutError – If the timeout was reached.

intezer_sdk.alerts.generate_alerts_history_search_filters(*, start_time: datetime = None, end_time: datetime = None, environments: list[str] = None, offset: int = None, limit: int = None, sources: list[str] = None, risk_categories: list[str] = None, alert_verdicts: list[str] = None, family_names: list[str] = None, response_statuses: list[str] = None, hostnames: list[str] = None, free_text: str = None, site_name: str = None, account_name: str = None, exclude_alert_ids: list[str] = None, usernames: list[str] = None, file_hashes: list[str] = None, process_commandlines: list[str] = None, sort_by: list[str] = None, is_mitigated: bool = None, email_sender: str = None, email_recipient: str = None, email_subject: str = None, email_cc: str = None, email_bcc: str = None, email_message_id: str = None, email_reported_by: str = None, device_private_ips: list[str] = None, device_external_ips: list[str] = None, device_ids: list[str] = None, time_filter_type: str = None, sort_order: str = None, ips: list[str] = None, domains: list[str] = None, incident_ids: list[str] = None) → dict[str, Any]

intezer_sdk.alerts.get_alerts_by_alert_ids(alert_ids: list[str], environments: list[str] = None, api: IntezerApi = None) → tuple[int, list[dict]]

Get alerts by alert ids.

Parameters:

• alert_ids – list of all ids to get alerts from.

• environments – what environments to get alerts from.

• api – The API connection to Intezer.

Returns:

amount of alerts sent from server and list of alerts with all details about each alert.

intezer_sdk.alerts.query_alerts_history(*, start_time: datetime = None, end_time: datetime = None, api: IntezerApiClient = None, environments: list[str] = None, offset: int = 0, limit: int = 100, sources: list[str] = None, risk_categories: list[str] = None, alert_verdicts: list[str] = None, family_names: list[str] = None, response_statuses: list[str] = None, hostnames: list[str] = None, free_text: str = None, site_name: str = None, account_name: str = None, exclude_alert_ids: list[str] = None, usernames: list[str] = None, file_hashes: list[str] = None, process_commandlines: list[str] = None, sort_by: list[str] = None, is_mitigated: bool = None, email_sender: str = None, email_recipient: str = None, email_subject: str = None, email_cc: str = None, email_bcc: str = None, email_message_id: str = None, email_reported_by: str = None, device_private_ips: list[str] = None, device_external_ips: list[str] = None, device_ids: list[str] = None, time_filter_type: str = None, sort_order: str = None, ips: list[str] = None, domains: list[str] = None, incident_ids: list[str] = None) → AlertsHistoryResult

Query for alerts history with query param.

Parameters:

• environments – Query alerts only from these environments.

• offset – Offset to start querying from - used for pagination.

• limit – Maximum number of alerts to return - used for pagination.

• start_time – Query alerts that were created after this timestamp (in UTC).

• end_time – Query alerts that were created before this timestamp (in UTC).

• api – Instance of Intezer API for request server.

• sources – Query alerts only with these sources.

• risk_categories – Query alerts only with these risk categories.

• alert_verdicts – Query alerts only with these alert verdicts.

• family_names – Query alerts only with these family names.

• response_statuses – Query alerts only with these response statuses.

• hostnames – Query alerts only with these hostnames.

• free_text – Query alerts that contain this text in the following fields: family name, hostname, alert verdict.

• site_name – Query alerts only with this site name.

• account_name – Query alerts only with this account name.

• exclude_alert_ids – Query alerts that do not have these alert ids.

• usernames – Query alerts only with these usernames.

• file_hashes – Query alerts only with these file hashes.

• ips – Query alerts only with these IPs.

• domains – Query alerts only with these domains.

• incident_ids – Query alerts only with these incident ids.

• process_commandlines – Query alerts only with these process commandlines.

• is_mitigated – Query alerts only with this is_mitigated value.

• email_sender – Query alerts only with these email sender.

• email_recipient – Query alerts only with these email recipient.

• email_subject – Query alerts only with this email subject.

• email_cc – Query alerts only with this email cc.

• email_bcc – Query alerts only with this email bcc.

• email_message_id – Query alerts only with this email message id.

• email_reported_by – Query alerts only with this email reported by.

• device_private_ips – Query alerts only with these private ips.

• device_external_ips – Query alerts only with these external ips.

• device_ids – Query alerts only with these device ids.

• time_filter_type – The time value to filter alerts by (creation_time / triage_time / triage_change_time / triage_or_triage_change_time / alert_update_time).

• sort_order – The order to sort the alerts by (asc / desc).

• sort_by – Sort alerts only with this sort_by_key value (CREATION_TIME / TRIAGE_TIME / TRIAGE_CHANGE_TIME / ALERT_UPDATE_TIME).

Returns:

Alert query result from server as Results iterator.

intezer_sdk.alerts_results module

Paginated alerts history result set.

This module exposes AlertsHistoryResult, returned from intezer_sdk.alerts.query_alerts_history(), which lazily paginates over alert records that match a search filter.

class intezer_sdk.alerts_results.AlertsHistoryResult(request_url_path: str, api: IntezerApiClient, filters: dict)

Bases: HistoryResult

Paginated result set of alerts matching a search filter.

intezer_sdk.analyses_history module

Search and paginate analysis history.

This module provides query helpers for retrieving file, URL, and endpoint analysis history, returning AnalysesHistoryResult instances that paginate over the matching analyses.

intezer_sdk.analyses_history.query_endpoint_analyses_history(*, start_date: datetime, end_date: datetime, api: IntezerApiClient = None, aggregated_view: bool = None, sources: list[str] = None, verdicts: list[str] = None, computer_names: list[str] = None, limit: int = 100, offset: int = 0) → AnalysesHistoryResult

Query for endpoint analyses history.

Parameters:

• start_date – Date to query from.

• end_date – Date to query until.

• api – Instance of Intezer API for request server.

• aggregated_view – Should the result be aggregated by latest computer.

• sources – Filter the analyses by its source.

• verdicts – Filter by the analysis’s verdict

• computer_names – Filter by computer names

• limit – Number of analyses returned by the query.

• offset – Number of analyses to skips the before beginning to return the analyses.

Returns:

Endpoint query result from server as Results iterator.

intezer_sdk.analyses_history.query_file_analyses_history(*, start_date: datetime, end_date: datetime, api: IntezerApiClient = None, aggregated_view: bool = None, sources: list[str] = None, verdicts: list[str] = None, file_hash: str = None, family_names: list[str] = None, file_name: str = None, limit: int = 100, offset: int = 0) → AnalysesHistoryResult

Query for file analyses history.

Parameters:

• start_date – Date to query from.

• end_date – Date to query until.

• api – Instance of Intezer API for request server.

• aggregated_view – Should the result be aggregated by latest hash.

• sources – Filter the analyses by its source.

• verdicts – Filter by the analysis’s verdict

• file_name – Filter by the uploaded file’s name

• family_names – Filter by the analysis’s malicious family name

• file_hash – Filter by the file’s hash, in one of the following formats: SHA256, SHA1 or MD5

• limit – Number of analyses returned by the query.

• offset – Number of analyses to skips the before beginning to return the analyses.

Returns:

File query result from server as Results iterator.

intezer_sdk.analyses_history.query_url_analyses_history(*, start_date: datetime, end_date: datetime, api: IntezerApiClient = None, sources: list[str] = None, verdicts: list[str] = None, sub_verdicts: list[str] = None, did_download_file: bool = None, submitted_url: str = None, scanned_url: str = None, url: str = None, aggregated_view: bool = False, limit: int = 100, offset: int = 0, exact_match: bool = False) → AnalysesHistoryResult

Query for url analyses history.

Parameters:

• start_date – Date to query from.

• end_date – Date to query until.

• api – Instance of Intezer API for request server.

• sources – Filter the analyses by its source.

• verdicts – Filter by the analysis’s verdict

• sub_verdicts – Filter by the analysis’s verdict

• did_download_file – Should the result be aggregated by latest url.

• submitted_url – Filter by specific url

• scanned_url – Filter by specific scanned_url

• url – Filter by submitted url or scanned url

• aggregated_view – Should the result be aggregated by latest url.

• limit – Number of analyses returned by the query.

• offset – Number of analyses to skips the before beginning to return the analyses.

• exact_match – Filters results to return only exact matches of the URL.

Returns:

URL query result from server as Results iterator.

intezer_sdk.analyses_results module

Paginated analyses history result set.

This module exposes AnalysesHistoryResult, returned by the query_*_analyses_history helpers in intezer_sdk.analyses_history.

class intezer_sdk.analyses_results.AnalysesHistoryResult(request_url_path: str, api: IntezerApiClient, filters: dict)

Bases: HistoryResult

Paginated result set of analyses matching a search filter.

intezer_sdk.analysis module

File and URL analysis.

This module exposes FileAnalysis and UrlAnalysis, the primary entry points for submitting samples to Intezer Analyze, polling for status, and inspecting results, sub-analyses, IOCs, dynamic TTPs, and metadata.

class intezer_sdk.analysis.FileAnalysis(file_path: str = None, file_hash: str = None, file_stream: BinaryIO = None, disable_dynamic_unpacking: bool = None, disable_static_unpacking: bool = None, api: IntezerApiClient = None, file_name: str = None, code_item_type: str = None, zip_password: str = None, download_url: str = None, sandbox_command_line_arguments: str = None, sandbox_machine_type: str = None)

Bases: Analysis

FileAnalysis is a class for analyzing files. It is a subclass of the BaseAnalysis class and requires an API connection to Intezer.

Variables:

• analysis_id (str) – The analysis id.

• status (intezer_sdk.consts.AnalysisStatusCode) – The status of the analysis.

• analysis_time (datetime.datetime) – The date that the analysis was executed.

download_file(path: str = None, output_stream: IO = None, password_protection: str = None)

Downloads the analysis’s file.

path or output_stream must be provided. :param path: A path to where to save the file, it can be either a directory or non-existing file path. :param output_stream: A file-like object to write the file’s content to. :param password_protection: set password protection to download file as zip with password.

property dynamic_ttps: list

Gets the list of dynamic TTP’s for a specific analysis id.

Returns:

The list of dynamic ttps

classmethod from_analysis_id(analysis_id: str, api: IntezerApiClient = None) → FileAnalysis | None

Returns a FileAnalysis instance with the given analysis ID. Returns None when analysis doesn’t exist.

Parameters:

• analysis_id – The ID of the analysis to retrieve.

• api – The API connection to Intezer.

Returns:

A FileAnalysis instance with the given analysis ID.

classmethod from_latest_hash_analysis(file_hash: str, api: IntezerApiClient = None, private_only: bool = False, composed_only: bool = None, days_threshold_for_latest_analysis: int = None, **additional_parameters) → FileAnalysis | None

Returns the latest FileAnalysis instance for the given file hash, with the option to filter by private analyses only. Returns None when analysis doesn’t exist.

Parameters:

• file_hash – The hash of the file to retrieve analysis for.

• api – The API connection to Intezer.

• private_only – A flag to filter results by private analyses only.

• composed_only – A flag to filter results by composed analyses only.

• days_threshold_for_latest_analysis – The number of days to look back for the latest analysis.

• additional_parameters – Additional parameters to pass to the API.

Returns:

The latest FileAnalysis instance for the given file hash.

get_detections(wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation | None

Gets the detection report intezer_sdk.operation.Operation related to specific analysis.

Parameters:

• wait – Should wait until the operation completes.

• wait_timeout – Maximum duration to wait for analysis completion in seconds.

Returns:

An operation object.

get_root_analysis() → SubAnalysis

Get the root analysis.

Returns:

The root analysis.

get_sub_analyses() → list[SubAnalysis]

Get a list of sub analysis.

Returns:

List of sub analyses

property iocs: dict

Gets the list of network and files IOCs of a specific analysis id.

Returns:

a dictionary with network and files IOCs

property sub_verdict: str

The analysis sub-verdict.

property verdict: str

The analysis verdict.

class intezer_sdk.analysis.UrlAnalysis(url: str | None = None, api: IntezerApiClient = None)

Bases: Analysis

UrlAnalysis is a class for analyzing URLs. It is a subclass of the BaseAnalysis class and requires an API connection to Intezer.

Variables:

• analysis_id (str) – The analysis id.

• status (intezer_sdk.consts.AnalysisStatusCode) – The status of the analysis.

• analysis_time (datetime.datetime) – The date that the analysis was executed.

• url (str) – The analyzed url

property downloaded_file_analysis: FileAnalysis | None

In case the url downloaded a file, returns the downloaded file analysis, otherwise, None.

classmethod from_analysis_id(analysis_id: str, api: IntezerApiClient = None) → UrlAnalysis | None

Returns a UrlAnalysis instance with the given analysis ID. Returns None when analysis doesn’t exist.

Parameters:

• analysis_id – The ID of the analysis to retrieve.

• api – The API connection to Intezer.

Returns:

A UrlAnalysis instance with the given analysis ID.

classmethod from_latest_analysis(url: str, days_threshold_for_latest_analysis: int = 1, api: IntezerApiClient = None, exact_match: bool = False) → UrlAnalysis | None

Returns a UrlAnalysis instance with the latest analysis of the given URL. Note: For more control over the query (beyond the submitted URL), use the ‘query_url_analyses_history’ method. :param url: The ‘submitted URL’ to retrieve the latest analysis for. :param days_threshold_for_latest_analysis: The number of days to look back for the latest analysis. :param api: The API connection to Intezer. :param exact_match: If True, the URL must match exactly. Otherwise, try to find similar URLs which were analyzed. :return: A UrlAnalysis instance with the latest analysis of the given URL.

property sub_verdict: str

The analysis sub-verdict.

property verdict: str

The analysis verdict.

intezer_sdk.api module

HTTP client and global API configuration.

This module exposes IntezerApiClient, the low-level HTTP client used by all SDK objects, and set_global_api() / get_global_api() for configuring a shared API instance authenticated by API key. It also provides raise_for_status(), used internally to surface API errors.

class intezer_sdk.api.IntezerApiClient(*, api_version: str = None, api_key: str = None, base_url: str = None, verify_ssl: bool = True, proxies: dict[str, str] = None, on_premise_version: OnPremiseVersion = None, user_agent: str = None, renew_token_window=20, max_retry=3, timeout_in_seconds: int | None = None)

Bases: object

assert_any_on_premise()

assert_on_premise_above_v21_11()

assert_on_premise_above_v22_10()

authenticate()

Authenticate against Intezer.

Raises:

intezer_sdk.errors.InvalidApiKeyError: When the API key is invalid

is_available() → bool

request_with_refresh_expired_access_token(*, method: str, path: str, data: dict = None, params: dict = None, headers: dict = None, files: dict = None, stream: bool = None, base_url: str = None, timeout_in_seconds: int | None = None) → Response

intezer_sdk.api.IntezerProxy

alias of IntezerApiClient

intezer_sdk.api.get_global_api() → IntezerApi

Returns the global IntezerApi previously configured with set_global_api()

Raises:

intezer_sdk.errors.GlobalApiIsNotInitializedError in case the api wasn’t configured

Returns:

The global api

intezer_sdk.api.set_global_api(api_key: str = None, api_version: str = None, base_url: str = None, verify_ssl: bool = True, on_premise_version: OnPremiseVersion = None, proxies: dict[str, str] = None) → IntezerApiClient

Configure the global api

Parameters:

• api_key – The api key

• api_version – The api version

• base_url – The base url. Configure this when using on-premise.

• verify_ssl – A requests compatible “verify” value. Setting as False will not verify the SSL certificate

• on_premise_version – You’re on-premise version

• proxies – A requests compatible “proxies” dict

Returns:

The configured api

intezer_sdk.api.set_global_api_custom_instance(api: IntezerApiClient) → IntezerApiClient

Configure the global api with a custom instance

Parameters:

api – The api instance

Returns:

The configured api

intezer_sdk.base_analysis module

Base class for analyses.

This module exposes the abstract Analysis base, shared by FileAnalysis, UrlAnalysis, and EndpointAnalysis.

class intezer_sdk.base_analysis.Analysis(api: IntezerApiClient = None)

Bases: object

Analysis is a base class representing an analysis of a file, URL or endpoint. It requires an API connection to Intezer.

check_status() → AnalysisStatusCode

Check the status of the analysis.

Returns:

The status of the analysis.

abstractmethod classmethod from_analysis_id(analysis_id: str, api: IntezerApiClient = None) → Analysis

is_analysis_running() → bool

Check if the analysis is running.

Returns:

True if the analysis is running, False otherwise.

result() → dict

property running_analysis_duration: timedelta | None

Returns the time elapsed from the analysis sending and now. Returns None when the analysis finished.

Returns:

time elapsed from the analysis sending and now.

send(wait: bool | int = False, wait_timeout: timedelta | None = None, **additional_parameters) → None

abstract property verdict: str

The analysis verdict.

wait_for_completion(interval: int = None, sleep_before_first_check=False, timeout: timedelta | None = None)

Blocks until the analysis is completed.

Parameters:

• interval – The interval to wait between checks in seconds.

• sleep_before_first_check – Whether to sleep before the first status check.

• timeout – Maximum duration to wait for analysis completion in seconds.

intezer_sdk.cases module

Search and inspect cases.

This module exposes the Case class for fetching case metadata, triage results, and the related devices, users, and TTPs. It also provides query_cases_history() for paginated case searches.

class intezer_sdk.cases.Case(case_id: str, api: IntezerApiClient = None)

Bases: object

The Case class is used to represent a case from the Intezer Platform API.

Variables:

• case_id (str) – The case id.

• case_title (str) – The case title.

• case_status (str) – The current status of the case.

• case_priority (str) – The current priority of the case.

• alerts_count (int) – Number of alerts attached to the case.

• risk_category (str) – The risk category calculated for the case.

• case_verdict (str) – The verdict assigned to the case by triage.

• response_status (str) – The response status of the case triage.

• analyst_verdict (str) – The analyst verdict on the case.

• intezer_case_url (str) – URL for the case in Intezer’s website.

fetch_info()

Fetch the case data from the Intezer Platform API.

Raises:

intezer_sdk.errors.CaseNotFoundError – If the case was not found.

classmethod from_id(case_id: str, api: IntezerApiClient = None) → Case

Create a new Case instance, and fetch the case data from the Intezer Platform API.

Parameters:

• case_id – The case id.

• api – The API connection to Intezer.

Raises:

intezer_sdk.errors.CaseNotFoundError – If the case was not found.

Returns:

The Case instance, with the updated case data.

get_devices() → list[dict]

Get the devices related to this case.

Returns:

The list of devices related to the case.

get_ttps() → list[dict]

Get the TTPs related to this case.

Returns:

The list of TTPs related to the case.

get_users() → list[dict]

Get the users related to this case.

Returns:

The list of users related to the case.

result() → dict | None

Get the raw case result, as received from Intezer Platform API.

Returns:

The raw case dictionary.

intezer_sdk.cases.generate_cases_search_filters(*, case_ids: list[str] = None, exclude_case_ids: list[str] = None, time_range_start: int = None, time_range_end: int = None, time_range_field: str = None, sources: list[str] = None, free_text: str = None, sub_tenant_names: list[str] = None, devices: dict = None, users: dict = None, alert_identifiers: list[dict] = None, risk_categories: list[str] = None, case_verdicts: list[str] = None, response_statuses: list[str] = None, case_statuses: list[str] = None, assigned_account_ids: list[str] = None, priorities: list[str] = None, external_ticket_vendors: list[str] = None, analyst_verdicts: list[str] = None, offset: int = None, limit: int = None, search_mode: str = None, sort_by: str = None) → dict[str, Any]

intezer_sdk.cases.query_cases_history(*, api: IntezerApiClient = None, case_ids: list[str] = None, exclude_case_ids: list[str] = None, time_range_start: int = None, time_range_end: int = None, time_range_field: str = None, sources: list[str] = None, free_text: str = None, sub_tenant_names: list[str] = None, devices: dict = None, users: dict = None, alert_identifiers: list[dict] = None, risk_categories: list[str] = None, case_verdicts: list[str] = None, response_statuses: list[str] = None, case_statuses: list[str] = None, assigned_account_ids: list[str] = None, priorities: list[str] = None, external_ticket_vendors: list[str] = None, analyst_verdicts: list[str] = None, offset: int = 0, limit: int = 100, search_mode: str = None, sort_by: str = None) → CasesHistoryResult

Query for cases with query params.

Parameters:

• api – Instance of Intezer API for request server.

• case_ids – Query only these case ids.

• exclude_case_ids – Query cases that do not have these case ids.

• time_range_start – Start of time range (Unix timestamp in seconds).

• time_range_end – End of time range (Unix timestamp in seconds).

• time_range_field – Field to apply the time range on (creation_time / modification_time / last_attached_alert_time).

• sources – Query cases only with these sources.

• free_text – Free text used to search across title, case id, devices and assigned accounts.

• sub_tenant_names – Query cases only with these sub tenant names.

• devices – Filters related to devices involved in the case (hostnames, device_private_ips, device_external_ips, device_ids, device_tags, device_managed_by, device_keys, source_device_keys, target_device_keys).

• users – Filters related to users involved in the case (user_ids, user_emails, user_names, user_sids, user_keys).

• alert_identifiers – Query cases only with these alert identifiers (list of {alert_id, environment}).

• risk_categories – Query cases only with these risk categories.

• case_verdicts – Query cases only with these case verdicts.

• response_statuses – Query cases only with these response statuses.

• case_statuses – Query cases only with these case statuses (suppressed / new / in_progress / on_hold / closed).

• assigned_account_ids – Query cases only with these assigned account ids.

• priorities – Query cases only with these priorities (informational / low / medium / high / escalated).

• external_ticket_vendors – Query cases only with these external ticket vendors.

• analyst_verdicts – Query cases only with these analyst verdicts.

• offset – Offset to start querying from - used for pagination.

• limit – Maximum number of cases to return - used for pagination.

• search_mode – How multiple filters are combined (and / or).

• sort_by – Sorting field for the results (creation_time / alerts_count / modification_time / last_attached_alert_time).

Returns:

Case query result from server as Results iterator.

intezer_sdk.cases_results module

Paginated cases history result set.

This module exposes CasesHistoryResult, returned from intezer_sdk.cases.query_cases_history(), which lazily paginates over case records that match a search filter.

class intezer_sdk.cases_results.CasesHistoryResult(request_url_path: str, api: IntezerApiClient, filters: dict)

Bases: HistoryResult

Paginated result set of cases matching a search filter.

intezer_sdk.consts module

Shared enums and constants.

This module collects the enums (analysis status, code item type, verdicts, alert status, on-premise version, …) and string constants used across the SDK.

class intezer_sdk.consts.AlertStatusCode(*values)

Bases: AutoName

FINISHED = 'finished'

IN_PROGRESS = 'in_progress'

NOT_FOUND = 'not_found'

QUEUED = 'queued'

class intezer_sdk.consts.AnalysisStatusCode(*values)

Bases: Enum

CREATED = 'created'

FAILED = 'failed'

FINISH = 'finished'

FINISHED = 'finished'

IN_PROGRESS = 'in_progress'

QUEUED = 'queued'

class intezer_sdk.consts.AutoName(new_class_name, /, names, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

class intezer_sdk.consts.CodeItemType(*values)

Bases: AutoName

FILE = 'file'

MEMORY_MODULE = 'memory_module'

class intezer_sdk.consts.EndpointAnalysisEndReason(*values)

Bases: Enum

DONE = 'done'

FAILED = 'failed'

INTERRUPTED = 'interrupted'

class intezer_sdk.consts.EndpointAnalysisVerdict(*values)

Bases: AutoName

INCOMPLETE = 'incomplete'

MALICIOUS = 'malicious'

NO_THREATS = 'no_threats'

SUSPICIOUS = 'suspicious'

class intezer_sdk.consts.FileAnalysisVerdict(*values)

Bases: AutoName

MALICIOUS = 'malicious'

NEUTRAL = 'neutral'

NOT_SUPPORTED = 'not_supported'

NO_THREATS = 'no_threats'

SUSPICIOUS = 'suspicious'

TRUSTED = 'trusted'

UNKNOWN = 'unknown'

class intezer_sdk.consts.IndexStatusCode(*values)

Bases: Enum

CREATED = 'created'

FINISH = 'finished'

FINISHED = 'finished'

IN_PROGRESS = 'in_progress'

class intezer_sdk.consts.IndexType(*values)

Bases: AutoName

MALICIOUS = 'malicious'

TRUSTED = 'trusted'

static from_str(label)

class intezer_sdk.consts.OnPremiseVersion(*values)

Bases: IntEnum

V21_11 = 21

V22_10 = 22

V23_10 = 23

class intezer_sdk.consts.SoftwareType(*values)

Bases: AutoName

ADMINISTRATION_TOOL = 'administration_tool'

APPLICATION = 'application'

INSTALLER = 'installer'

INTERPRETER = 'interpreter'

LIBRARY = 'library'

MALICIOUS_PACKER = 'malicious_packer'

MALWARE = 'malware'

PACKER = 'packer'

class intezer_sdk.consts.URLAnalysisVerdict(*values)

Bases: AutoName

MALICIOUS = 'malicious'

NO_THREATS = 'no_threats'

SUSPICIOUS = 'suspicious'

intezer_sdk.devices module

Search the device inventory.

This module provides helpers for building device search filters and querying the device history, returning a paginated DevicesHistoryResult.

class intezer_sdk.devices.Device(device_id: str | None = None, api: IntezerApiClient = None)

Bases: object

The Device class is used to represent a device from the Intezer API.

Variables:

• device_id (str) – The device id.

• hostname (str) – The devic hostname.

• host_type (str) – The type of the devic.

• os_type (str) – The os_type of the device.

• os_version (str) – The os version of the devie.

fetch_info()

Fetch the device data from the Intezer Platform API.

Raises:

intezer_sdk.errors.DeviceNotFound – If the device was not found.

classmethod from_id(device_id: str, api: IntezerApiClient = None) → Device

Create a new Device instance, and fetch the device data from the Intezer Platform API.

Parameters:

• device_id – The device id.

• api – The API connection to Intezer.

• timeout – The timeout for the wait operation.

Raises:

intezer_sdk.errors.DeviceNotFound – If the device was not found.

Returns:

The Device instance, with the updated device data.

result() → dict | None

Get the raw device result, as received from Intezer Platform API.

Raises:

intezer_sdk.errors.IncidentNotFound – If the device was not found.

Returns:

The raw device dictionary.

intezer_sdk.devices.generate_devices_history_search_filters(*, device_ids: list[str] = None, environments: list[str] = None, offset: int = None, limit: int = None, time_range_start: datetime = None, time_range_end: datetime = None, external_ips: list[str] = None, host_groups: list[str] = None, host_tags: list[str] = None, hostnames: list[str] = None, managed_by: list[str] = None, os_names: list[str] = None, os_versions: list[str] = None, private_ips: list[str] = None, cloud_providers: list[str] = None, host_types: list[str] = None, last_login_users: list[str] = None, site_names: list[str] = None, include_raw_device: bool = None) → dict[str, Any]

intezer_sdk.devices.query_devices_history(*, api: IntezerApiClient = None, search_mode: Literal['and', 'or'] = 'and', device_ids: list[str] = None, environments: list[str] = None, offset: int = None, limit: int = None, time_range_start: datetime = None, time_range_end: datetime = None, external_ips: list[str] = None, host_groups: list[str] = None, host_tags: list[str] = None, hostnames: list[str] = None, managed_by: list[str] = None, os_names: list[str] = None, os_versions: list[str] = None, private_ips: list[str] = None, cloud_providers: list[str] = None, host_types: list[str] = None, last_login_users: list[str] = None, site_names: list[str] = None, include_raw_device: bool = None) → DevicesHistoryResult

Query devices history with query param.

Parameters:

• api – Instance of Intezer API for request server.

• search_mode – The search mode to use for the query (and / or).

• device_ids – Query only this device ids.

• environments – Query devices only from these environments.

• offset – Offset to start querying from - used for pagination.

• limit – Maximum number of devices to return - used for pagination.

• time_range_start – Query devices that were discovered after this timestamp (in UTC).

• time_range_end – Query devices that were discovered before this timestamp (in UTC).

• external_ips – Query devices only with these external ips.

• host_groups – Query devices which only appear in these host groups.

• host_tags – Query devices only with these host tags.

• hostnames – Query devices only with these hostnames.

• managed_by – Query devices only managed by these products.

• os_names – Query devices only with these OS names.

• os_versions – Query devices only with these OS versions.

• private_ips – Query devices only with these private ips.

• cloud_providers – Query devices from these cloud providers.

• host_types – Query devices only with these host types (e.g. server, workstation).

• last_login_users – Query devices only with these last login users.

• site_names – Query devices only with these site names.

• include_raw_device – Include raw device data in the results.

Returns:

Device query result from server as Results iterator.

intezer_sdk.devices_results module

Paginated devices history result set.

This module exposes DevicesHistoryResult, returned from intezer_sdk.devices.query_devices_history(), which lazily paginates over device records that match a search filter.

class intezer_sdk.devices_results.DevicesHistoryResult(request_url_path: str, api: IntezerApiClient, filters: dict, search_mode: Literal['and', 'or'] = 'and')

Bases: HistoryResult

Paginated result set of devices matching a search filter.

intezer_sdk.endpoint_analysis module

Endpoint scan analysis.

This module exposes EndpointAnalysis, used to upload endpoint scanner output to Intezer Analyze, poll for completion, and inspect the resulting sub-analyses. It also exposes download_endpoint_scanner() for fetching the scanner binary.

class intezer_sdk.endpoint_analysis.EndpointAnalysis(api: IntezerApiClient = None, scan_api: EndpointScanApi = None, offline_scan_directory: str = None, max_concurrent_uploads: int = None)

Bases: Analysis

EndpointAnalysis is a class for analyzing endpoints. It is a subclass of the Analysis class and requires an API connection to Intezer.

Variables:

• analysis_id (str) – The analysis id.

• status (intezer_sdk.consts.AnalysisStatusCode) – The status of the analysis.

• analysis_time (datetime.datetime) – The date that the analysis was executed.

classmethod from_analysis_id(analysis_id: str, api: IntezerApiClient = None)

Returns an EndpointAnalysis instance with the given analysis ID. Returns None when analysis doesn’t exist.

Parameters:

• analysis_id – The ID of the analysis to retrieve.

• api – The API connection to Intezer.

Returns:

An EndpointAnalysis instance with the given analysis ID.

get_sub_analyses(verdicts: list[str] = None) → list[SubAnalysis]

Get the sub_analyses of the current analysis. :param verdicts: A list of the verdicts to filter by. :return: A list of SubAnalysis objects.

property verdict: str

The analysis verdict.

intezer_sdk.endpoint_analysis.download_endpoint_scanner(platform: str = None, path: str = None, output_stream: IO = None, api: IntezerApiClient = None)

Download the endpoint scanner to a file or stream. :param platform: The platform to download the scanner for. :param path: The path to save the scanner to. :param output_stream: The stream to write the scanner to. :param api: The API connection to Intezer.

intezer_sdk.errors module

Exception hierarchy raised by the SDK.

All errors raised by SDK operations derive from IntezerError. Subclasses identify specific failure modes (insufficient quota, analysis still running, unsupported on-premise version, …).

exception intezer_sdk.errors.AlertConflictError(alert_id: str)

Bases: AlertError

exception intezer_sdk.errors.AlertError

Bases: IntezerError

exception intezer_sdk.errors.AlertInProgressError(alert_id: str)

Bases: AlertError

exception intezer_sdk.errors.AlertNotFoundError(alert_id: str)

Bases: AlertError

exception intezer_sdk.errors.AnalysisFailedError

Bases: IntezerError

intezer_sdk.errors.AnalysisHasAlreadyBeenSent

alias of AnalysisHasAlreadyBeenSentError

exception intezer_sdk.errors.AnalysisHasAlreadyBeenSentError

Bases: IntezerError

intezer_sdk.errors.AnalysisIsAlreadyRunning

alias of AnalysisIsAlreadyRunningError

exception intezer_sdk.errors.AnalysisIsAlreadyRunningError(response: Response, running_analysis_id: str | None)

Bases: ServerError

intezer_sdk.errors.AnalysisIsStillRunning

alias of AnalysisIsStillRunningError

exception intezer_sdk.errors.AnalysisIsStillRunningError

Bases: IntezerError

exception intezer_sdk.errors.AnalysisRateLimitError(response: Response, message: str = 'Analysis rate limit reached')

Bases: ServerError

exception intezer_sdk.errors.AnalysisSkippedByRuleError(response: Response)

Bases: ServerError

exception intezer_sdk.errors.CaseNotFoundError(case_id: str)

Bases: IntezerError

exception intezer_sdk.errors.DeviceNotFoundError(incident_id: str)

Bases: IntezerError

exception intezer_sdk.errors.FamilyNotFoundError(family_id: str)

Bases: IntezerError

exception intezer_sdk.errors.FileTooLargeError(response: Response)

Bases: ServerError

intezer_sdk.errors.GlobalApiIsNotInitialized

alias of GlobalApiIsNotInitializedError

exception intezer_sdk.errors.GlobalApiIsNotInitializedError

Bases: IntezerError

exception intezer_sdk.errors.HashDoesNotExistError(response: Response)

Bases: ServerError

exception intezer_sdk.errors.IncidentNotFoundError(incident_id: str)

Bases: IntezerError

intezer_sdk.errors.IndexFailed

alias of IndexFailedError

exception intezer_sdk.errors.IndexFailedError(response: Response)

Bases: ServerError

intezer_sdk.errors.IndexHasAlreadyBeenSent

alias of IndexHasAlreadyBeenSentError

exception intezer_sdk.errors.IndexHasAlreadyBeenSentError

Bases: IntezerError

exception intezer_sdk.errors.InsufficientPermissionsError(response: Response)

Bases: ServerError

intezer_sdk.errors.InsufficientQuota

alias of InsufficientQuotaError

exception intezer_sdk.errors.InsufficientQuotaError(response: Response)

Bases: ServerError

exception intezer_sdk.errors.IntezerError

Bases: Exception

exception intezer_sdk.errors.InvalidAlertArgumentError(message: str)

Bases: AlertError

exception intezer_sdk.errors.InvalidAlertMappingError(response: Response)

Bases: AlertError

intezer_sdk.errors.InvalidApiKey

alias of InvalidApiKeyError

exception intezer_sdk.errors.InvalidApiKeyError(response: Response)

Bases: ServerError

exception intezer_sdk.errors.InvalidUrlError(response: Response)

Bases: ServerError

exception intezer_sdk.errors.OperationStillRunningError(operation)

Bases: IntezerError

exception intezer_sdk.errors.ReportDoesNotExistError

Bases: IntezerError

exception intezer_sdk.errors.ServerError(message: str, response: Response)

Bases: IntezerError

exception intezer_sdk.errors.SubAnalysisNotFoundError(analysis_id: str)

Bases: IntezerError

intezer_sdk.errors.SubAnalysisOperationStillRunning

alias of OperationStillRunningError

intezer_sdk.errors.SubAnalysisOperationStillRunningError

alias of OperationStillRunningError

intezer_sdk.errors.UnsupportedOnPremiseVersion

alias of UnsupportedOnPremiseVersionError

exception intezer_sdk.errors.UnsupportedOnPremiseVersionError

Bases: IntezerError

exception intezer_sdk.errors.UrlOfflineError(response: Response)

Bases: ServerError

intezer_sdk.family module

Genetic malware family lookup.

This module exposes Family for retrieving information about a malware family (name, type, tags) by id, and get_family_by_name() for looking up a family by name.

class intezer_sdk.family.Family(family_id: str, name: str = None, family_type: str = None, *, api: IntezerApiClient = None)

Bases: object

A genetic malware family known to Intezer.

fetch_info()

classmethod from_family_id(family_id: str, api: IntezerApiClient = None) → Family | None

property name: str

property tags: list[str]

property type: str

intezer_sdk.family.get_family_by_name(family_name: str, api: IntezerApiClient = None) → Family | None

intezer_sdk.file module

File-level operations.

This module exposes File for indexing, downloading, and inspecting code blocks of a stored file by hash, and the Block dataclass describing a disassembled code block.

class intezer_sdk.file.Block(address: int, software_type: str, families: list[str])

Bases: object

A code block belonging to a file: its address, software type, and matching genetic families.

address: int

families: list[str]

property is_common

software_type: str

class intezer_sdk.file.File(file_path: str = None, sha256: str = None, api: IntezerApiClient = None)

Bases: object

File is a class for file-related operations including indexing and downloading. It provides a unified interface for file management operations.

check_index_status()

Check the index status.

Returns:

The index status code.

download(path: str = None, output_stream: IO = None, password_protection: str = None)

Download the file (only works for sha256-based files).

path or output_stream must be provided. :param path: A path to where to save the file, it can be either a directory or non-existing file path. :param output_stream: A file-like object to write the file’s content to. :param password_protection: Set password protection to download file as zip with password.

property file_path: str

Get the file path.

get_code_blocks(wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation

Retrieves a report containing information about reused code blocks for the given SHA-256 hash.

Parameters:

• wait – Should wait until the operation completes.

• wait_timeout – Maximum duration to wait for operation completion.

Returns:

operation.Operation: An operation object that will contain the code blocks result.

index(index_as: IndexType, family_name: str = None, wait: bool | int = False)

Index the file.

Parameters:

• index_as – The type of the index (trusted or malicious).

• family_name – The family name to index as (mandatory if index_as is malicious).

• wait – Whether to wait for the indexing to complete.

property index_id

Get the index ID.

property index_status

Get the current index status.

property sha256: str

Get the SHA256 hash of the file.

unset_indexing(wait: bool | int = False)

Unset the indexing request (only works for sha256-based files).

Parameters:

wait – Whether to wait for the operation to complete.

wait_for_index_completion(interval: int = None, sleep_before_first_check=False)

Blocks until the index is completed.

Parameters:

• interval – The interval to wait between checks.

• sleep_before_first_check – Whether to sleep before the first status check.

intezer_sdk.history_results module

Base class for paginated history result sets.

This module exposes HistoryResult, the abstract iterator/pagination backbone reused by analyses, alerts, devices, and incidents history result types.

class intezer_sdk.history_results.HistoryResult(request_url_path: str, api: IntezerApiClient, filters: dict)

Bases: object

Abstract iterator over a paginated history endpoint.

Iterate the instance to walk all pages, call all() to materialize every result into a list, or read current_page to inspect the current page only. Subclasses implement _fetch_history for endpoint-specific request and response parsing.

all() → list

List all remaining and exists analysis’s from server.

property current_page: list

Get current page, if not exits, ask a new one from server.

intezer_sdk.incidents module

Search and inspect incidents.

This module provides helpers for building incident search filters and querying the incident history, returning a paginated IncidentsHistoryResult.

class intezer_sdk.incidents.Incident(incident_id: str | None = None, environment: str | None = None, api: IntezerApiClient = None)

Bases: object

The Incident class is used to represent an incident from the Intezer API.

Variables:

• incident_id (str) – The incident id.

• name (str) – The incident name.

• source (str) – The source of the incident.

• sender (str) – The sender of the incident.

• risk_category (str) – The risk_category of the incident.

• risk_level – The risk_level of the incident. Can be one of ‘informational’, ‘low’, ‘medium’, ‘high’, ‘critical’.

• intezer_incident_url (str) – URL for the incident in Intezer’s website.

fetch_info()

Fetch the incident data from the Intezer Platform API.

Raises:

intezer_sdk.errors.IncidentNotFound – If the incident was not found.

classmethod from_id(incident_id: str, environment: str | None = None, api: IntezerApiClient = None) → Incident

Create a new Incident instance, and fetch the incident data from the Intezer Platform API.

Parameters:

• incident_id – The incident id.

• environment – The environment of the incident.

• api – The API connection to Intezer.

Raises:

intezer_sdk.errors.IncidentNotFound – If the incident was not found.

Returns:

The Incident instance, with the updated incident data.

get_raw_data(environment: str | None = None, raw_data_type: str = 'raw_incident') → dict

Get raw incident data.

Parameters:

• environment – The environment to get raw data from. If not provided, the environment will be taken from the incident.

• raw_data_type – The type of raw data to retrieve. Defaults to ‘raw_incident’.

Returns:

The raw incident data.

result() → dict | None

Get the raw incident result, as received from Intezer Platform API.

Raises:

intezer_sdk.errors.IncidentNotFound – If the incident was not found.

Returns:

The raw incident dictionary.

intezer_sdk.incidents.generate_incidents_history_search_filters(*, incident_ids: list[str] = None, environments: list[str] = None, offset: int = None, limit: int = None, time_filter_type: list[str] = None, start_time: datetime = None, end_time: datetime = None, sources: list[str] = None, senders: list[str] = None, severities: list[str] = None, statuses: list[str] = None, names: list[str] = None, related_alert_ids: list[str] = None, risk_categories: list[str] = None, response_statuses: list[str] = None, free_text: str = None, sort_by: list[str] = None, sort_order: str = None, include_raw_incident: bool = None) → dict[str, Any]

intezer_sdk.incidents.query_incidents_history(*, api: IntezerApiClient = None, incident_ids: list[str] = None, environments: list[str] = None, offset: int = 0, limit: int = 100, time_filter_type: list[str] = None, start_time: datetime = None, end_time: datetime = None, sources: list[str] = None, senders: list[str] = None, severities: list[str] = None, statuses: list[str] = None, names: list[str] = None, related_alert_ids: list[str] = None, risk_categories: list[str] = None, response_statuses: list[str] = None, free_text: str = None, sort_by: list[str] = None, sort_order: str = None, include_raw_incident: bool = None) → IncidentsHistoryResult

Query for incidents history with query param.

Parameters:

• api – Instance of Intezer API for request server.

• incident_ids – Query only this incident ids.

• environments – Query incidents only from these environments.

• offset – Offset to start querying from - used for pagination.

• limit – Maximum number of incidents to return - used for pagination.

• time_filter_type – The time value to filter incidents by (creation_time / received_time / triage_time / triage_change_time / triage_or_triage_change_time).

• start_time – Query incidents that were created after this timestamp (in UTC).

• end_time – Query incidents that were created before this timestamp (in UTC).

• sources – Query incidents only with these sources.

• senders – Query incidents only with these senders.

• severities – Query incidents only with these severities.

• statuses – Query incidents only with these statuses.

• names – Query incidents only with these names.

• related_alert_ids – Query incidents only with these related alert ids.

• risk_categories – Query incidents only with these risk categories.

• response_statuses – Query incidents only with these response statuses.

• free_text – Query incidents that contain this text in the following fields: name, severity, status, related_alert_ids.

• sort_by – Sort incidents only with this sort_by_key value (creation_time / received_time / triage_time / triage_change_time / risk_score).

• sort_order – The order to sort the incidents by (asc / desc).

• include_raw_incident – Include the raw incident data in the results.

Returns:

Incident query result from server as Results iterator.

intezer_sdk.incidents_results module

Paginated incidents history result set.

This module exposes IncidentsHistoryResult, returned from intezer_sdk.incidents.query_incidents_history(), which lazily paginates over incident records that match a search filter.

class intezer_sdk.incidents_results.IncidentsHistoryResult(request_url_path: str, api: IntezerApiClient, filters: dict)

Bases: HistoryResult

Paginated result set of incidents matching a search filter.

intezer_sdk.index module

Index files as trusted or malicious.

This module exposes the Index operation, which submits a file (by path or sha256) to be tagged in the Intezer genetic database under a given family.

class intezer_sdk.index.Index(index_as: IndexType, file_path: str = None, sha256: str = None, api: IntezerApiClient = None, family_name: str = None)

Bases: object

Submit a file or hash to be indexed under a given family in the genetic database.

check_status()

Check the index status.

Returns:

The index status code.

send(wait: bool | int = False)

Send the index request.

Parameters:

wait – Whether to wait for the indexing to complete.

unset_indexing(wait: bool | int = False)

Unset the indexing request.

Parameters:

wait – Whether to wait for the indexing to complete.

wait_for_completion(interval: int = None, sleep_before_first_check=False)

Blocks until the index is completed

Parameters:

• interval – The interval to wait between checks

• sleep_before_first_check – Whether to sleep before the first status check

intezer_sdk.operation module

Long-running asynchronous operations.

This module exposes Operation, used to track asynchronous Intezer operations (such as IOC, TTP, and metadata generation triggered from an analysis), wait for them to finish, and read their results.

class intezer_sdk.operation.Operation(url: str, name: str, api: IntezerApiClient = None)

Bases: object

The Operation class is used to represent an asynchronous operation with the Intezer API.

check_status() → bool

Check the status of the operation. :return: Returns a boolean indicating whether the operation has finished or is still running.

get_result()

Returns the result of the operation, raising an error if the operation is still running. :return: The operation result

wait_for_completion(interval: int = None, sleep_before_first_check=False, wait_timeout: timedelta | None = None) → None

Blocks until the operation is completed. :param interval: The interval to wait between checks in seconds. :param sleep_before_first_check: Whether to sleep before the first status check. :param wait_timeout: Maximum duration to wait for analysis completion in seconds.

intezer_sdk.sub_analysis module

Sub-analysis access.

This module exposes SubAnalysis, a single component (root or extracted file) within a composed file analysis. Sub-analyses provide access to the component’s code reuse, metadata, IOCs, TTPs, capabilities, strings, and the ability to download the underlying file.

class intezer_sdk.sub_analysis.SubAnalysis(analysis_id: str, composed_analysis_id: str, sha256: str, source: str, extraction_info: dict | None, api: IntezerApiClient = None, verdict=None)

Bases: object

SubAnalysis is a class representing a sub-analysis object in an Intezer API.

property code_reuse

download_file(path: str = None, output_stream: IO = None, password_protection: str = None)

Downloads the analysis’s file. path or output_stream must be provided. :param path: A path to where to save the file, it can be either a directory or non-existing file path. :param output_stream: A file-like object to write the file’s content to. :param password_protection: set password protection to download file as zip with password.

property extraction_info: dict | None

find_related_files(family_id: str, wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation

classmethod from_analysis_id(analysis_id: str, composed_analysis_id: str, lazy_load=True, api: IntezerApiClient = None) → SubAnalysis | None

class method that creates a new instance of the class by fetching the details of the sub-analysis from the Intezer API. If lazy_load is set to True, the details of the sub-analysis are not fetched immediately. If lazy_load is set to False, the details of the sub-analysis are fetched immediately. Returns None when analysis doesn’t exist. :param analysis_id: The ID of the analysis to retrieve. :param composed_analysis_id: The ID of the parent analysis to retrieve. :param lazy_load: bool indicating if the details of the sub-analysis should be fetched immediately or not :param api: The API connection to Intezer. :return: A SubAnalysis instance with the given analysis ID.

generate_vaccine(wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation

get_account_related_samples(wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation | None

get_capabilities(wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation

get_string_related_samples(string_value: str, wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation

get_strings(wait: bool | int = False, wait_timeout: timedelta | None = None) → Operation

property indicators: list[dict]

property metadata

property sha256: str

property source: str

property verdict: str

intezer_sdk.util module

Utility helpers for summaries and filters.

This module provides helpers for rendering human-readable analysis summaries, working with EML attachments, and adding filter values to a query dict.

intezer_sdk.util.add_filter(filters: dict, key: str, value: Any)

intezer_sdk.util.find_largest_family(analysis: FileAnalysis) → dict

intezer_sdk.util.get_analysis_family(analysis: FileAnalysis, software_type_priorities: list[str], should_use_largest_families: bool = True) → tuple[str | None, int | None]

intezer_sdk.util.get_analysis_family_by_family_id(analysis: FileAnalysis, family_id: str) → int

intezer_sdk.util.get_analysis_summary(analysis: FileAnalysis, no_emojis: bool = False, short: bool = False, use_hash_link=False) → str

intezer_sdk.util.get_analysis_summary_metadata(analysis: FileAnalysis, use_hash_link: bool = False, should_use_largest_families: bool = True, should_include_related_samples: bool = True) → dict[str, any]

intezer_sdk.util.get_emoji(key: str)

intezer_sdk.util.human_readable_size(num: int) → str

Module contents