From e94162a5d42c66832e992d1dc451556e54c6ea50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?=
Date: Sat, 9 Jun 2018 01:50:41 +0200
Subject: [PATCH] #214 add long and short reports
---
 .../DomainTools_RiskEvidenceScore.json | 4 +-
 .../DomainTools/DomainTools_RiskScore.json | 4 +-
 analyzers/DomainTools/domaintools_analyzer.py | 13 +++++
 .../long.html | 56 +++++++++++++++++++
 .../short.html | 3 +
 .../DomainTools_RiskScore_2_0/long.html | 50 +++++++++++++++++
 .../DomainTools_RiskScore_2_0/short.html | 3 +
 7 files changed, 129 insertions(+), 4 deletions(-)
 create mode 100644 thehive-templates/DomainTools_RiskEvidenceScore_2_0/long.html
 create mode 100644 thehive-templates/DomainTools_RiskEvidenceScore_2_0/short.html
 create mode 100644 thehive-templates/DomainTools_RiskScore_2_0/long.html
 create mode 100644 thehive-templates/DomainTools_RiskScore_2_0/short.html
diff --git a/analyzers/DomainTools/DomainTools_RiskEvidenceScore.json b/analyzers/DomainTools/DomainTools_RiskEvidenceScore.json
index fa2fcb700..2a81ce804 100644
--- a/analyzers/DomainTools/DomainTools_RiskEvidenceScore.json
+++ b/analyzers/DomainTools/DomainTools_RiskEvidenceScore.json
@@ -4,8 +4,8 @@
 "author": "CERT-BDF",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
- "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
- "dataTypeList": ["domain"],
+ "description": "Use DomainTools to get a risk score and evidence details",
+ "dataTypeList": ["domain","fqdn"],
 "command": "DomainTools/domaintools_analyzer.py",
 "baseConfig": "DomainTools",
 "config": {
diff --git a/analyzers/DomainTools/DomainTools_RiskScore.json b/analyzers/DomainTools/DomainTools_RiskScore.json
index 3d30812a5..d236a4d1f 100644
--- a/analyzers/DomainTools/DomainTools_RiskScore.json
+++ b/analyzers/DomainTools/DomainTools_RiskScore.json
@@ -4,8 +4,8 @@
 "author": "CERT-BDF",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
- "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
- "dataTypeList": ["domain"],
+ "description": "Use DomainTools to get a risk score ",
+ "dataTypeList": ["domain","fqdn"],
 "command": "DomainTools/domaintools_analyzer.py",
 "baseConfig": "DomainTools",
 "config": {
diff --git a/analyzers/DomainTools/domaintools_analyzer.py b/analyzers/DomainTools/domaintools_analyzer.py
index fe7374721..7a3238a57 100755
--- a/analyzers/DomainTools/domaintools_analyzer.py
+++ b/analyzers/DomainTools/domaintools_analyzer.py
@@ -97,6 +97,9 @@ def summary(self, raw):
 r["name_server"] = raw["name_server"]["hostname"]
 r["domain_count"] = raw["name_server"]["total"]
+ if "risk_score" in raw and raw["risk_score"] >= 0:
+ r["risk_score"] = raw["risk_score"]
+
 taxonomies = []
 # Prepare predicate and value for each service
@@ -126,6 +129,16 @@ def summary(self, raw):
 taxonomies.append(
 self.build_taxonomy("info", "DT", "Whois", "\"REGISTRANT:{}\"".format(r["registrant"])))
+ if r["risk_score"]:
+ if r["risk_score"] == 0:
+ level = "safe"
+ elif 0 < r["risk_score"] <= 50:
+ level = "suspicious"
+ elif r["risk_score"] > 50:
+ level = "malicious"
+ taxonomies.append(
+ self.build_taxonomy(level, "DT", "Risk", "\"{}\"".format(r["risk_score"])))
+
 result = {'taxonomies': taxonomies}
 return result
diff --git a/thehive-templates/DomainTools_RiskEvidenceScore_2_0/long.html b/thehive-templates/DomainTools_RiskEvidenceScore_2_0/long.html
new file mode 100644
index 000000000..7ed852aef
--- /dev/null
+++ b/thehive-templates/DomainTools_RiskEvidenceScore_2_0/long.html
@@ -0,0 +1,56 @@
+
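Review bot: In the second domaintools_analyzer.py hunk `if r["risk_score"]:` raises KeyError for every service whose result carries no risk score, because the first hunk only sets `r["risk_score"]` when `raw` contains the key (assuming `r` is a plain dict — its construction is outside these hunks), and the truthiness test also makes the `== 0` / `"safe"` branch unreachable since 0 is falsy, so a clean domain never gets a Risk taxonomy. Test for presence instead, `if "risk_score" in r:`, which keeps the negative-value exclusion from the first hunk and lets a score of 0 produce the safe taxonomy. The first hunk's `raw["risk_score"] >= 0` also trusts the remote API to return a number; if that field can be null or a string the comparison raises on Python 3, so a guard such as `isinstance(raw.get("risk_score"), (int, float))` would be more defensive. The enclosing `summary()` method starts before the first hunk and its body between the two hunks is not shown.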
+
+ {{artifact.data | fang}} +
+
+ {{content.errorMessage}} +
+
+ + +
+
+ {{artifact.data | fang}} +
+
+
+
Domaintools Risk Score
+
+ + {{content.risk_score}} + + +
+
+

+

Compoments

+
+ + + + + + + + + + + + + + + +
NameRisk ScoreEvidence
{{r.name}} + + {{r.risk_score}} + + +
    +
  • {{e}}
  • +
+
+ +
+
\ No newline at end of file
diff --git a/thehive-templates/DomainTools_RiskEvidenceScore_2_0/short.html b/thehive-templates/DomainTools_RiskEvidenceScore_2_0/short.html
new file mode 100644
index 000000000..57f9d29cf
--- /dev/null
+++ b/thehive-templates/DomainTools_RiskEvidenceScore_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/DomainTools_RiskScore_2_0/long.html b/thehive-templates/DomainTools_RiskScore_2_0/long.html
new file mode 100644
index 000000000..b7069a972
--- /dev/null
+++ b/thehive-templates/DomainTools_RiskScore_2_0/long.html
@@ -0,0 +1,50 @@
+
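Review bot: The section heading `Compoments` in this template is a typo for `Components` and is user-visible in the long report; the same heading is repeated in thehive-templates/DomainTools_RiskScore_2_0/long.html and should be fixed there too. The two long templates also appear to duplicate the same artifact/error header panel and score badge, so any later change to one is likely to be missed in the other. The markup in this view has lost its tags, so only the text content could be checked here.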
+
+ {{artifact.data | fang}} +
+
+ {{content.errorMessage}} +
+
+ + +
+
+ {{artifact.data | fang}} +
+
+
+
Domaintools Risk Score
+
+ + {{content.risk_score}} + + +
+
+

+

Compoments

+
+ + + + + + + + + + + + + +
NameRisk Score
{{r.name}} + + {{r.risk_score}} + +
+ +
+
\ No newline at end of file
diff --git a/thehive-templates/DomainTools_RiskScore_2_0/short.html b/thehive-templates/DomainTools_RiskScore_2_0/short.html
new file mode 100644
index 000000000..57f9d29cf
--- /dev/null
+++ b/thehive-templates/DomainTools_RiskScore_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+