Merge pull request #314 from target/datetime-updates-and-onenote-change

ScanDocx Datetime Updates and OneNote File Emit Change

src/python/strelka/scanners/scan_docx.py

@@ -26,23 +26,21 @@ def scan(self, data, file, options, expire_at):
                 self.event["comments"] = docx_doc.core_properties.comments
                 self.event["content_status"] = docx_doc.core_properties.content_status
                 if docx_doc.core_properties.created is not None:
-                    self.event["created"] = int(
-                        docx_doc.core_properties.created.strftime("%s")
-                    )
+                    self.event["created"] = docx_doc.core_properties.created.isoformat()
                 self.event["identifier"] = docx_doc.core_properties.identifier
                 self.event["keywords"] = docx_doc.core_properties.keywords
                 self.event["language"] = docx_doc.core_properties.language
                 self.event[
                     "last_modified_by"
                 ] = docx_doc.core_properties.last_modified_by
                 if docx_doc.core_properties.last_printed is not None:
-                    self.event["last_printed"] = int(
-                        docx_doc.core_properties.last_printed.strftime("%s")
-                    )
+                    self.event[
+                        "last_printed"
+                    ] = docx_doc.core_properties.last_printed.isoformat()
                 if docx_doc.core_properties.modified is not None:
-                    self.event["modified"] = int(
-                        docx_doc.core_properties.modified.strftime("%s")
-                    )
+                    self.event[
+                        "modified"
+                    ] = docx_doc.core_properties.modified.isoformat()
                 self.event["revision"] = docx_doc.core_properties.revision
                 self.event["subject"] = docx_doc.core_properties.subject
                 self.event["title"] = docx_doc.core_properties.title

src/python/strelka/scanners/scan_onenote.py

@@ -13,20 +13,12 @@ class ScanOnenote(strelka.Scanner):
     """Extracts embedded files in OneNote files."""
 
     def scan(self, data, file, options, expire_at):
+        # For every embedded file, extract payload and submit back into Strelka pipeline
         for match in re.finditer(
             binascii.unhexlify(b"e716e3bd65261145a4c48d4d0b7a9eac"), data
         ):
-            fdso = FileDataStoreObject.parse(data[match.span(0)[0] :])
-            payload = fdso.FileData
+            obj = FileDataStoreObject.parse(data[match.span(0)[0] :])
+            payload = obj.FileData
 
-            extract_file = strelka.File(
-                source=self.name, name=hashlib.sha256(payload).hexdigest()
-            )
-
-            for c in strelka.chunk_string(payload):
-                self.upload_to_coordinator(
-                    extract_file.pointer,
-                    c,
-                    expire_at,
-                )
-            self.files.append(extract_file)
+            # Send extracted file back to Strelka
+            self.emit_file(self.name, name=hashlib.sha256(payload).hexdigest())

src/python/strelka/tests/test_scan_docx.py

@@ -18,12 +18,12 @@ def test_scan_docx(mocker):
         "category": "",
         "comments": "",
         "content_status": "",
-        "created": 1671208080,
+        "created": "2022-12-16T16:28:00",
         "identifier": "",
         "keywords": "",
         "language": "",
         "last_modified_by": "Ryan.OHoro",
-        "modified": 1671209040,
+        "modified": "2022-12-16T16:44:00",
         "revision": 2,
         "subject": "",
         "title": "",