TheHive-Project · 3c7 · Jun 4, 2018 · May 11, 2018 · May 11, 2018 · May 15, 2018
diff --git a/analyzers/Threatcrowd/Threatcrowd.json b/analyzers/Threatcrowd/Threatcrowd.json
@@ -0,0 +1,19 @@
+{
+    "name": "Threatcrowd",
+    "author": "Rémi ALLAIN, Cyberprotect",
+    "license": "AGPL-V3",
+    "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
+    "version": "1.0",
+    "description": "Search for information on threatcrowd.org",
+    "dataTypeList": [
+        "email",
+        "ip",
+        "domain"
+    ],
+    "command": "Threatcrowd/threatcrowd_analyzer.py",
+    "baseConfig": "Threatcrowd",
+    "config": {
+        "check_tlp": false,
+        "service": "get"
+    }
+}
diff --git a/analyzers/Threatcrowd/requirements.txt b/analyzers/Threatcrowd/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/analyzers/Threatcrowd/threatcrowd_analyzer.py b/analyzers/Threatcrowd/threatcrowd_analyzer.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import requests
+from cortexutils.analyzer import Analyzer
+
+class Threatcrowd(Analyzer):
+
+    URI = "https://www.threatcrowd.org/searchApi/v2"
+
+    def summary(self, raw):
+        taxonomies = []
+
+        level = "info"
+        value = "None"
+
+        if 'votes' in raw:
+            r = raw.get('votes')
+            value = r
+            if r == 1:
+                level = "safe"
+            elif r == 0:
+                level = "suspicious"
+            elif r == -1:
+                level = "malicious"
+
+        taxonomies.append(self.build_taxonomy(level, "Threatcrowd", "votes", value))
+
+        result = {"taxonomies": taxonomies}
+        return result
+
+    def run(self):
+        Analyzer.run(self)
+
+        if (self.data_type == 'domain' or self.data_type == 'ip' or self.data_type == 'email'):
+            try:
+                response = requests.get("{}/{}/report/".format(self.URI, self.data_type), {self.data_type: self.get_data()})
+                self.report(response.json())
+            except Exception as e:
+                self.unexpectedError(e)
+        else:
+            self.notSupported()
+
+
+if __name__ == '__main__':
+    Threatcrowd().run()
diff --git a/thehive-templates/Threatcrowd_1_0/long.html b/thehive-templates/Threatcrowd_1_0/long.html
@@ -0,0 +1,69 @@
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        Threatcrowd analysis for 
+        <strong>{{artifact.data}}</strong>
+    </div>
+    <div class="panel-body">
+        <h4 class="dl-horizontal">
+            Votes :  <strong>{{content.votes}}</strong>
+            <br/>
+            <a href="{{content.permalink}}">View report on threatcrowd.org</a>
+        </h4>
+        <table class="table table-bordered">
+            <tr>
+                <th>References</th>
+            </tr>
+            <tr ng-repeat="ref in ::content.references">
+				<td>{{ref}}</td>
+			</tr>
+        </table>
+        <table class="table table-bordered">
+            <tr>
+                <th>Domains</th>
+            </tr>
+            <tr ng-repeat="dom in ::content.domains">
+                <td>{{dom}}</td>
+			</tr>
+        </table>
+        <table class="table table-bordered">
+            <tr>
+                <th>Subdomains</th>
+            </tr>
+            <tr ng-repeat="dom in ::content.subdomains">
+                <td>{{dom}}</td>
+			</tr>
+        </table>
+        <table class="table table-bordered">
+            <tr>
+                <th>Emails</th>
+            </tr>
+            <tr ng-repeat="email in ::content.emails">
+                <td>{{email}}</td>
+			</tr>
+        </table>
+        <table class="table table-bordered">
+            <tr>
+                <th colspan="3">Resolutions</th>
+            </tr>
+            <tr>
+                <th>Last resolved</th>
+                <th>Domain</th>
+                <th>Ip</th>
+            </tr>
+            <tr ng-repeat="res in ::content.resolutions">
+                <td>{{res.last_resolved}}</td>
+                <td>{{res.domain}}</td>
+                <td>{{res.ip_address}}</td>
+			</tr>
+        </table>
+    </div>
+</div>
+
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/thehive-templates/Threatcrowd_1_0/short.html b/thehive-templates/Threatcrowd_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>