#214 add long and short reports

TheHive-Project · Jun 8, 2018 · e94162a · e94162a
1 parent 5f4fa3d
commit e94162a
Show file tree

Hide file tree

Showing 7 changed files with 129 additions and 4 deletions.
diff --git a/analyzers/DomainTools/DomainTools_RiskEvidenceScore.json b/analyzers/DomainTools/DomainTools_RiskEvidenceScore.json
@@ -4,8 +4,8 @@
     "author": "CERT-BDF",
     "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
     "license": "AGPL-V3",
-    "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
-    "dataTypeList": ["domain"],
+    "description": "Use DomainTools to get a risk score and evidence details",
+    "dataTypeList": ["domain","fqdn"],
     "command": "DomainTools/domaintools_analyzer.py",
     "baseConfig": "DomainTools",
     "config": {

diff --git a/analyzers/DomainTools/DomainTools_RiskScore.json b/analyzers/DomainTools/DomainTools_RiskScore.json
@@ -4,8 +4,8 @@
     "author": "CERT-BDF",
     "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
     "license": "AGPL-V3",
-    "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
-    "dataTypeList": ["domain"],
+    "description": "Use DomainTools to get a risk score ",
+    "dataTypeList": ["domain","fqdn"],
     "command": "DomainTools/domaintools_analyzer.py",
     "baseConfig": "DomainTools",
     "config": {

diff --git a/analyzers/DomainTools/domaintools_analyzer.py b/analyzers/DomainTools/domaintools_analyzer.py
@@ -97,6 +97,9 @@ def summary(self, raw):
             r["name_server"] = raw["name_server"]["hostname"]
             r["domain_count"] = raw["name_server"]["total"]
 
+        if "risk_score" in raw and raw["risk_score"] >= 0:
+            r["risk_score"] = raw["risk_score"]
+
         taxonomies = []
 
         # Prepare predicate and value for each service
@@ -126,6 +129,16 @@ def summary(self, raw):
                 taxonomies.append(
                     self.build_taxonomy("info", "DT", "Whois", "\"REGISTRANT:{}\"".format(r["registrant"])))
 
+        if r["risk_score"]:
+            if r["risk_score"] == 0:
+                level = "safe"
+            elif 0 < r["risk_score"] <= 50:
+                level = "suspicious"
+            elif r["risk_score"] > 50:
+                level = "malicious"
+            taxonomies.append(
+                self.build_taxonomy(level, "DT", "Risk", "\"{}\"".format(r["risk_score"])))
+
         result = {'taxonomies': taxonomies}
         return result
 

diff --git a/thehive-templates/DomainTools_RiskEvidenceScore_2_0/long.html b/thehive-templates/DomainTools_RiskEvidenceScore_2_0/long.html
@@ -0,0 +1,56 @@
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
+
+
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+		<dl class="dl-horizontal">
+			<dt>Domaintools Risk Score</dt>
+			<dd>
+                <span class="label" ng-class="{'label-success' : content.risk_score == 0,  'label-warning' :  content.risk_score > 0 && content.risk_score <= 50,
+                            'label-danger': content.risk_score > 50}">
+                    {{content.risk_score}}
+                </span>
+
+            </dd>
+		</dl>
+        <br><br>
+        <h4 class="panel-title">Compoments</h4>
+        <br>
+		<table class="table table-striped table-bordered">
+            <thead>
+                <tr>
+                    <th>Name</th>
+                    <th>Risk Score</th>
+                    <th>Evidence</th>
+                </tr>
+            </thead>
+            <tbody ng-repeat="r in content.components">
+                <tr>
+                    <td>{{r.name}}</td>
+                    <td>
+                        <span class="label" ng-class="{'label-success' : content.risk_score == 0,  'label-warning' :  content.risk_score > 0 && content.risk_score <= 50,
+                            'label-danger': content.risk_score > 50}">
+                        {{r.risk_score}}
+                </span>
+                    </td>
+                    <td >
+                        <ul class="list-unstyled">
+                            <li ng-repeat="e in r.evidence">{{e}}</li>
+                        </ul>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
+
+    </div>
+</div>
diff --git a/thehive-templates/DomainTools_RiskEvidenceScore_2_0/short.html b/thehive-templates/DomainTools_RiskEvidenceScore_2_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>
diff --git a/thehive-templates/DomainTools_RiskScore_2_0/long.html b/thehive-templates/DomainTools_RiskScore_2_0/long.html
@@ -0,0 +1,50 @@
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
+
+
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+		<dl class="dl-horizontal">
+			<dt>Domaintools Risk Score</dt>
+			<dd>
+                <span class="label" ng-class="{'label-success' : content.risk_score == 0,  'label-warning' :  content.risk_score > 0 && content.risk_score <= 50,
+                            'label-danger': content.risk_score > 50}">
+                    {{content.risk_score}}
+                </span>
+
+            </dd>
+		</dl>
+        <br><br>
+        <h4 class="panel-title">Compoments</h4>
+        <br>
+		<table class="table table-striped table-bordered">
+            <thead>
+                <tr>
+                    <th>Name</th>
+                    <th>Risk Score</th>
+                </tr>
+            </thead>
+            <tbody ng-repeat="r in content.components">
+                <tr>
+                    <td>{{r.name}}</td>
+                    <td>
+                        <span class="label" ng-class="{'label-success' : content.risk_score == 0,  'label-warning' :  content.risk_score > 0 && content.risk_score <= 50,
+                            'label-danger': content.risk_score > 50}">
+                        {{r.risk_score}}
+                </span>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
+
+    </div>
+</div>
diff --git a/thehive-templates/DomainTools_RiskScore_2_0/short.html b/thehive-templates/DomainTools_RiskScore_2_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>