Merge pull request #999 from pjuhas/develop

Bitcoin Abuse analyzer
TheHive-Project · Jul 22, 2022 · 630fa4e · 630fa4e
2 parents 66070de + bed8be8
commit 630fa4e
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 0 deletions.
diff --git a/analyzers/BitcoinAbuse/BitcoinAbuse.json b/analyzers/BitcoinAbuse/BitcoinAbuse.json
@@ -0,0 +1,20 @@
+{
+  "name": "BitcoinAbuse",
+  "version": "1.0",
+  "author": "Peter Juhas",
+  "url": "https://github.com/pjuhas/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Check Bitcoin address against Bitcoin Abuse database",
+  "dataTypeList": ["btc_address"],
+  "baseConfig": "BitcoinAbuse",
+  "configurationItems": [
+    {
+      "name": "key",
+      "description": "API key for Bitcoin Abuse",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ],
+  "command": "BitcoinAbuse/BitcoinAbuse.py"
+}
diff --git a/analyzers/BitcoinAbuse/BitcoinAbuse.py b/analyzers/BitcoinAbuse/BitcoinAbuse.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+import requests
+from cortexutils.analyzer import Analyzer
+
+
+class BitcoinAbuse(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.test_key = self.get_param('config.key', None, 'Missing Bitcoin Abuse API key')
+
+    def summary(self, raw):
+        color = 0
+        taxonomies = []
+        level = 'info'
+        namespace = 'Bitcoin Abuse'
+        predicate = 'Report count'
+        value = "0"
+        if "count" in raw:
+            value = "{}".format(raw["count"])
+            color = raw["count"]
+
+        if color == 0:
+            level = "safe"
+        elif color < 5:
+            level = "suspicious"
+        elif color > 4:
+            level = "malicious"
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {'taxonomies': taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+        if self.data_type == 'btc_address':
+            try:
+                data = self.get_data()
+                s = requests.Session()
+                response_details = s.get('https://www.bitcoinabuse.com/api/reports/check?address={}&api_token={}'
+                                         .format(data, self.test_key))
+                if response_details.status_code == 200:
+                    result = response_details.json()
+                    self.report(result if len(result) > 0 else {})
+                else:
+                    self.error('Failed to query Bitcoin Abuse details. Status_code {}'.format(response_details.status_code))
+            except Exception as e:
+                self.unexpectedError(e)
+        else:
+            self.notSupported()
+
+
+if __name__ == '__main__':
+    BitcoinAbuse().run()
diff --git a/analyzers/BitcoinAbuse/requirements.txt b/analyzers/BitcoinAbuse/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/BitcoinAbuse_1_0/long.html b/thehive-templates/BitcoinAbuse_1_0/long.html
@@ -0,0 +1,56 @@
+<div class="panel panel-info" ng-if="::content.recent" ng-init="recent_limit = 20">
+    <div class="panel-heading">
+        <strong>Summary</strong>
+        <span class="pull-right" ng-show="::content.recent.length > 20">
+            <a href ng-show="recent_limit===20" ng-click="recent_limit = undefined">Show All ({{::content.recent.length}})</a>
+            <a href ng-show="!recent_limit" ng-click="recent_limit = 20">Show less</a>
+        </span>
+    </div>
+
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>Description</th>
+                <th>Time</th>
+            </tr>
+            <tr ng-repeat="r in content.recent | limitTo:recent_limit | orderBy:'-created_at'">
+                <td>{{r.description | ellipsis:130}}</td>
+                <td>{{r.created_at}}</td>
+            </tr>
+        </table>
+    </div>
+</div>
+<div class="panel panel-info" ng-if="::content.recent">
+    <div class="panel-heading">
+        <strong>Other info</strong>
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <td>URL</td>
+                <td>
+                    <span>
+                        <i class="fa fa-search"></i>
+                        <a ng-href="https://www.bitcoinabuse.com/reports/{{content.address}}" target="_blank">View Full Report</a>
+                    </span>
+                </td>
+            </tr>
+        </table>
+    </div>
+</div>
+
+    <!-- General error  -->
+    <div class="panel panel-danger" ng-if="!success">
+        <div class="panel-heading">
+            <strong>{{artifact.data | fang}}</strong>
+        </div>
+        <div class="panel-body">
+            <dl class="dl-horizontal" ng-if="content.errorMessage">
+                <dt>
+                    <i class="fa fa-warning"></i> urlscan.io:
+                </dt>
+                <dd class="wrap">{{content.errorMessage}}</dd>
+            </dl>
+        </div>
+    </div>
+
diff --git a/thehive-templates/BitcoinAbuse_1_0/short.html b/thehive-templates/BitcoinAbuse_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>