From cc4891ff5b5593cc5a8d09ee8364aa5ee1ce99be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Wed, 22 Apr 2020 11:48:45 +0200 Subject: [PATCH 01/36] #710 extract interesting artifacts from email source --- analyzers/EmlParser/parse.py | 21 +++++++++++++++++++++ analyzers/EmlParser/requirements.txt | 1 + 2 files changed, 22 insertions(+) diff --git a/analyzers/EmlParser/parse.py b/analyzers/EmlParser/parse.py index 0934aaca6..981ed902e 100755 --- a/analyzers/EmlParser/parse.py +++ b/analyzers/EmlParser/parse.py @@ -8,6 +8,7 @@ import hashlib import base64 from pprint import pprint +import iocextract class EmlParserAnalyzer(Analyzer): @@ -43,6 +44,26 @@ def summary(self, raw): return {"taxonomies": taxonomies} + def artifacts(self, raw): + artifacts = [] + urls = list(iocextract.extract_urls(str(raw))) + ipv4s = list(iocextract.extract_ipv4s(str(raw))) + mail_addresses = list(iocextract.extract_emails(str(raw))) + hashes = list(iocextract.extract_hashes(str(raw))) + + if urls: + for u in urls: + artifacts.append(self.build_artifact('url',str(u))) + if ipv4s: + for i in ipv4s: + artifacts.append(self.build_artifact('ip',str(i))) + if mail_addresses: + for e in mail_addresses: + artifacts.append(self.build_artifact('mail',str(e))) + if hashes: + for h in hashes: + artifacts.append(self.build_artifact('hash',str(h))) + return artifacts def parseEml(filepath): diff --git a/analyzers/EmlParser/requirements.txt b/analyzers/EmlParser/requirements.txt index f1b90baeb..b23ebd9b8 100644 --- a/analyzers/EmlParser/requirements.txt +++ b/analyzers/EmlParser/requirements.txt @@ -1,3 +1,4 @@ cortexutils;python_version>='3.5' eml_parser python-magic +iocextract \ No newline at end of file From f58287dbd2951c900a6682960dcaf179d6aeca1a Mon Sep 17 00:00:00 2001 
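Review bot: `str(raw)` serialises the whole report four times in `artifacts`, and the `if urls:`/`if ipv4s:`/`if mail_addresses:`/`if hashes:` guards are redundant because a `for` over an empty list does nothing; one `text = str(raw)` plus a table of (data type, extractor) pairs expresses the same thing once. Two behaviours deserve either a comment or a decision: an indicator that occurs several times in the report produces duplicate artifacts (a `list(dict.fromkeys(...))` pass would dedupe while keeping order), and iocextract's extractors return defanged indicators as written unless `refang=True` is passed, so `hxxp://` forms would be reported verbatim. The requirements.txt hunk adds `iocextract` without a version pin, unlike the marker on `cortexutils` above it. `EmlParserAnalyzer` starts before this hunk.
```python
    def artifacts(self, raw):
        """Build one Cortex artifact per URL, IPv4, e-mail address and hash found in the stringified report."""
        text = str(raw)
        extractors = (
            ('url', iocextract.extract_urls),
            ('ip', iocextract.extract_ipv4s),
            ('mail', iocextract.extract_emails),
            ('hash', iocextract.extract_hashes),
        )
        return [
            self.build_artifact(data_type, str(value))
            for data_type, extract in extractors
            for value in extract(text)
        ]
```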
From: Davide Arcuri Date: Tue, 24 Mar 2020 17:33:46 +0100 Subject: [PATCH 02/36] malwarebazaar hash search --- analyzers/MalwareBazaar/MalwareBazaar.json | 2 +- .../MalwareBazaar/MalwareBazaar_analyzer.py | 62 ++++++++++++++++++ analyzers/MalwareBazaar/requirements.txt | 2 + thehive-templates/MalwareBazaar_1_0/long.html | 64 +++++++++++++++++++ .../MalwareBazaar_1_0/short.html | 3 + 5 files changed, 132 insertions(+), 1 deletion(-) create mode 100755 analyzers/MalwareBazaar/MalwareBazaar_analyzer.py create mode 100644 analyzers/MalwareBazaar/requirements.txt create mode 100644 thehive-templates/MalwareBazaar_1_0/long.html create mode 100644 thehive-templates/MalwareBazaar_1_0/short.html diff --git a/analyzers/MalwareBazaar/MalwareBazaar.json b/analyzers/MalwareBazaar/MalwareBazaar.json index 2915606ce..13b4329b3 100644 --- a/analyzers/MalwareBazaar/MalwareBazaar.json +++ b/analyzers/MalwareBazaar/MalwareBazaar.json @@ -6,7 +6,7 @@ "version": "1.0", "baseConfig": "MalwareBazaar", "description": "Search hashes on MalwareBazaar.", - "dataTypeList": ["hash"], + "dataTypeList": ["domain", "fqdn", "url", "hash", "ip"], "command": "MalwareBazaar/MalwareBazaar_analyzer.py", "configurationItems": [ { "name": "api_key", diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py new file mode 100755 index 000000000..0744e61eb --- /dev/null +++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py 
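Review bot: `"dataTypeList"` now advertises domain, fqdn, url and ip, but `MalwareBazaar_analyzer.py` added in the same commit only issues a query when `self.data_type == 'hash'` and calls `self.error('Datatype not supported.')` for everything else, so those observables would fail at run time as soon as a user submits them. Either keep `"dataTypeList": ["hash"]` until the other lookups exist, or add the corresponding queries in `run()`.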
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+import requests
+from cortexutils.analyzer import Analyzer
+
+BASEURL = 'https://mb-api.abuse.ch/api/v1/'
+
+class MalwareBazaarnalyzer(Analyzer):
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.api_key = self.get_param("config.api_key", None)
+
+ def run(self):
+ data = self.get_data()
+ if not data:
+ self.error('No observable or file given.')
+
+ results = {}
+ if self.data_type == 'hash':
+ if len(data) in [32, 40, 64]:
+ headers = { 'API-KEY': self.api_key }
+ data = {
+ 'query': 'get_info',
+ 'hash': data,
+ }
+ results = requests.post(BASEURL, data=data, timeout=15, headers=headers)
+
+ if results.status_code == 200:
+ results = results.json()
+ if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']:
+ self.error('MalwareBazaar returned error: %s' % results['query_status'])
+ else:
+ results['data'] = results['data'][0]
+ else:
+ self.error('Only sha256, sha1 and md5 supported by MalwareBazaar.')
+ else:
+ self.error('Datatype not supported.')
+
+ self.report(results)
+
+ def summary(self, raw):
+ taxonomies = []
+ namespace = "MalwareBazaar"
+
+ if raw['query_status'] == 'hash_not_found':
+ taxonomies.append(self.build_taxonomy(
+ 'info',
+ namespace,
+ 'Search',
+ 'No results'
+ ))
+ else:
+ taxonomies.append(self.build_taxonomy(
+ 'malicious',
+ namespace,
+ 'Signature',
+ raw['data'].get('signature', 'Unknown')
+ ))
+ return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+ MalwareBazaarnalyzer().run()
diff --git a/analyzers/MalwareBazaar/requirements.txt b/analyzers/MalwareBazaar/requirements.txt
new file mode 100644
index 000000000..6aabc3cfa
--- /dev/null
+++ b/analyzers/MalwareBazaar/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/MalwareBazaar_1_0/long.html b/thehive-templates/MalwareBazaar_1_0/long.html
new file mode 100644
index 000000000..5f04575f0
--- /dev/null
+++ b/thehive-templates/MalwareBazaar_1_0/long.html
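Review bot: A non-200 reply leaves `results` as the `requests.Response` object, which then reaches `self.report(results)` unchanged; add an `else:` after the `if results.status_code == 200:` branch, e.g. `self.error('MalwareBazaar returned HTTP %s' % results.status_code)`, and consider keeping the response in its own `response` variable since `results` currently changes type twice in `run`. `len(data) in [32, 40, 64]` accepts any string of those lengths, so a hex check such as `all(c in string.hexdigits for c in data)` would reject obvious non-hashes before they are sent to the service. When `config.api_key` is absent the `API-KEY` header is built from `None`; the code could fail early with a clear message instead of letting the remote side report the problem.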
@@ -0,0 +1,64 @@ +
+
+ MalwareBazaar search results for + {{artifact.data | fang}} +
+
+
+
+
Hashes
+
+ md5: {{content.data.md5_hash}}
+ sha256: {{content.data.sha256_hash}}
+ sha1: {{content.data.sha1_hash}}
+ imphash: {{content.data.imphash}}
+ ssdeep: {{content.data.ssdeep}} +
+
First seen (UTC)
+
{{content.data.first_seen}}
+
Last seen (UTC)
+
{{content.data.last_seen}}
+
Filename
+
{{content.data.file_name}}
+
Filetype
+
{{content.data.file_type}} {{content.data.file_type_mime}}
+
Filetype
+
{{content.data.file_type}}
+
Signature
+
{{content.data.signature}}
+
Tags
+
{{tag}}
+
+
+
+
+ + +
+
+ {{artifact.data | fang}} +
+
+
+
+ MalwareBazaar: +
+
No results
+
+
+
+ + +
+
+ {{artifact.data | fang}} +
+
+
+
+ MalwareBazaar: +
+
{{content.errorMessage}}
+
+
+
diff --git a/thehive-templates/MalwareBazaar_1_0/short.html b/thehive-templates/MalwareBazaar_1_0/short.html new file mode 100644 index 000000000..3d711c221 --- /dev/null +++ b/thehive-templates/MalwareBazaar_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" + From 903c5e0d5e5299ab00aefa6186590b7b084b4190 Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Mon, 30 Mar 2020 19:12:32 +0200 Subject: [PATCH 03/36] Added more info in long template --- thehive-templates/MalwareBazaar_1_0/long.html | 65 +++++++++++++++++-- 1 file changed, 58 insertions(+), 7 deletions(-) diff --git a/thehive-templates/MalwareBazaar_1_0/long.html b/thehive-templates/MalwareBazaar_1_0/long.html index 5f04575f0..67bef6048 100644 --- a/thehive-templates/MalwareBazaar_1_0/long.html +++ b/thehive-templates/MalwareBazaar_1_0/long.html @@ -14,20 +14,71 @@ imphash: {{content.data.imphash}}
ssdeep: {{content.data.ssdeep}} +
Reporter
+
{{content.data.reporter}}
First seen (UTC)
{{content.data.first_seen}}
-
Last seen (UTC)
-
{{content.data.last_seen}}
+
Last seen (UTC)
+
{{content.data.last_seen}}
Filename
{{content.data.file_name}}
Filetype
-
{{content.data.file_type}} {{content.data.file_type_mime}}
-
Filetype
-
{{content.data.file_type}}
+
{{content.data.file_type}} {{content.data.file_type_mime}}
+
Delivery Method
+
{{content.data.delivery_method}}
Signature
-
{{content.data.signature}}
+
{{content.data.signature}}
Tags
-
{{tag}}
+
{{tag}}
+ + + + +
+
Intelligence
+
+
+
+
Clamav
+
{{content.data.intelligence.clamav}}
+ +
Downloads
+
{{content.data.intelligence.downloads}}
+ +
Uploads
+
{{content.data.intelligence.uploads}}
+ +
Mail
+
+ + {{k}} > {{v}}
+
+
+
+
+
+
+ +
+
File Information
+
+

+ {{info.context}}: {{info.value}} +

+
+
+ +
+
Comments
+
+
+
+
{{comment.display_name}} - {{comment.date_added}}
+
{{comment.comment}}
+
+
+
Comment
+
{{content.data.comment}}
From 68eca6ce5f0388e404d09cae34fe7182e7a3966f Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Tue, 31 Mar 2020 08:31:42 +0200 Subject: [PATCH 04/36] hash_not_found error --- analyzers/MalwareBazaar/MalwareBazaar_analyzer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py index 0744e61eb..126e422f8 100755 --- a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py +++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py @@ -28,7 +28,7 @@ def run(self): results = results.json() if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']: self.error('MalwareBazaar returned error: %s' % results['query_status']) - else: + elif results['query_status'] != 'hash_not_found': results['data'] = results['data'][0] else: self.error('Only sha256, sha1 and md5 supported by MalwareBazaar.') From cbce69dba9e2b3baef266643bafe54937d24889e Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Tue, 14 Apr 2020 15:41:31 +0200 Subject: [PATCH 05/36] fix class name --- analyzers/MalwareBazaar/MalwareBazaar_analyzer.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py index 126e422f8..cb6a5f307 100755 --- a/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py +++ b/analyzers/MalwareBazaar/MalwareBazaar_analyzer.py @@ -4,7 +4,7 @@ BASEURL = 'https://mb-api.abuse.ch/api/v1/' -class MalwareBazaarnalyzer(Analyzer): +class MalwareBazaarAnalyzer(Analyzer): def __init__(self): Analyzer.__init__(self) self.api_key = self.get_param("config.api_key", None) @@ -59,4 +59,4 @@ def summary(self, raw): if __name__ == '__main__': - MalwareBazaarnalyzer().run() + MalwareBazaarAnalyzer().run() From 36f42065f182097c92c6467faa552528caf6fa16 Mon Sep 17 00:00:00 2001 
From: Davide Arcuri Date: Wed, 1 Apr 2020 15:58:18 +0200 Subject: [PATCH 06/36] add anyrun analyzer --- analyzers/AnyRun/AnyRun_Sandbox_Analysis.json | 28 ++++ analyzers/AnyRun/anyrun_analyzer.py | 130 ++++++++++++++++++ analyzers/AnyRun/requirements.txt | 2 + .../AnyRun_Sandbox_1_0/long.html | 120 ++++++++++++++++ .../AnyRun_Sandbox_1_0/short.html | 3 + 5 files changed, 283 insertions(+) create mode 100644 analyzers/AnyRun/AnyRun_Sandbox_Analysis.json create mode 100755 analyzers/AnyRun/anyrun_analyzer.py create mode 100644 analyzers/AnyRun/requirements.txt create mode 100644 thehive-templates/AnyRun_Sandbox_1_0/long.html create mode 100644 thehive-templates/AnyRun_Sandbox_1_0/short.html diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json new file mode 100644 index 000000000..d48a1eea0 --- /dev/null +++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json @@ -0,0 +1,28 @@ +{ + "name": "AnyRun_Sandbox_Analysis", + "version": "1.0", + "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Any.Run Sandbox file analysis", + "dataTypeList": ["file", "url"], + "command": "AnyRun/anyrun_analyzer.py", + "baseConfig": "AnyRun", + "configurationItems": [ + { + "name": "token", + "description": "API token", + "type": "string", + "multi": false, + "required": false + }, + { + "name": "verify_ssl", + "description": "Verify SSL certificate", + "type": "boolean", + "multi": false, + "required": true, + "defaultValue": true + } + ] +} diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py new file mode 100755 index 000000000..0e705eec7 --- /dev/null +++ b/analyzers/AnyRun/anyrun_analyzer.py 
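Review bot: `"token"` is declared `"required": false`, yet `anyrun_analyzer.py` in the same commit fetches it with `self.get_param("config.token", None, "Service token is missing")`, which fails the job when it is absent; declaring it `"required": true` lets the UI enforce what the code requires. The `verify_ssl` description could also mention that setting it to false additionally suppresses the `InsecureRequestWarning`, so an operator knows the setting silences, not just disables, certificate checking.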
@@ -0,0 +1,130 @@ +#!/usr/bin/env python3 +# encoding: utf-8 +import time +import requests +from os.path import basename +from cortexutils.analyzer import Analyzer +from requests.packages.urllib3.exceptions import InsecureRequestWarning + + +class AnyRunAnalyzer(Analyzer): + def __init__(self): + Analyzer.__init__(self) + self.url = "https://api.any.run/v1" + self.token = self.get_param("config.token", None, "Service token is missing") + self.verify_ssl = self.get_param("config.verify_ssl", True, None) + if not self.verify_ssl: + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + def summary(self, raw): + taxonomies = [] + level = "safe" + namespace = "AnyRun" + predicate = "Sandbox" + value = ( + raw.get("analysis", {}).get("scores", {}).get("verdict", {}).get("score", 0) + ) + if 50 < value < 100: + level = "suspicious" + elif value == 100: + level = "malicious" + + taxonomies.append( + self.build_taxonomy(level, namespace, predicate, "{0}/100".format(value)) + ) + + return {"taxonomies": taxonomies} + + def run(self): + Analyzer.run(self) + + try: + headers = {"Authorization": "API-Key {0}".format(self.token)} + + status_code = None + tries = 0 + if self.data_type == "file": + filepath = self.get_param("file", None, "File is missing") + filename = self.get_param("filename", basename(filepath)) + while status_code in (None, 429) and tries <= 15: + with open(filepath, "rb") as sample: + files = {"file": (filename, sample)} + response = requests.post( + "{0}/analysis".format(self.url), + files=files, + headers=headers, + verify=self.verify_ssl, + ) + status_code = response.status_code + if status_code == 200: + task_id = response.json()["data"]["taskid"] + elif status_code == 201: + task_id = response.json()["taskid"] + elif status_code == 429: + # it not support parallel runs, so we wait and resubmit later + time.sleep(60) + tries += 1 + else: + self.error(response.json()["message"]) + elif self.data_type == "url": + url = 
self.get_param("data", None, "Url is missing") + data = {"obj_type": "url", "obj_url": url} + while status_code in (None, 429) and tries <= 15: + response = requests.post( + "{0}/analysis".format(self.url), + data=data, + headers=headers, + verify=self.verify_ssl, + ) + status_code = response.status_code + if status_code == 200: + task_id = response.json()["data"]["taskid"] + elif status_code == 201: + task_id = response.json()["taskid"] + elif status_code == 429: + # it not support parallel runs, so we wait and resubmit later + time.sleep(60) + tries += 1 + else: + self.error(response.json()["message"]) + else: + self.error("Invalid data type!") + + finished = False + tries = 0 + while not finished and tries <= 15: # wait max 15 mins + time.sleep(60) + response = requests.get( + "{0}/analysis/{1}".format(self.url, task_id), + headers=headers, + verify=self.verify_ssl, + ) + if response.status_code == 200: + finished = ( + True if response.json()["data"]["status"] == "done" else False + ) + elif 400 < response.status_code < 500: + self.error(response.json()["message"]) + tries += 1 + if not finished: + self.error("AnyRun analysis timed out") + + # this items could be huge, we provide link to the report so avoid them in cortex + final_report = response.json()["data"] + final_report.pop("environments", None) + final_report.pop("modified", None) + for incident in final_report.get("incidents", []): + incident.pop("events", None) + for process in final_report.get("processes", []): + process.pop("modules", None) + self.report(final_report) + + except requests.exceptions.RequestException as e: + self.error(str(e)) + + except Exception as e: + self.unexpectedError(e) + + +if __name__ == "__main__": + AnyRunAnalyzer().run() diff --git a/analyzers/AnyRun/requirements.txt b/analyzers/AnyRun/requirements.txt new file mode 100644 index 000000000..6aabc3cfa --- /dev/null +++ b/analyzers/AnyRun/requirements.txt @@ -0,0 +1,2 @@ +cortexutils +requests 
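Review bot: If every submission attempt answers 429, both `while status_code in (None, 429) and tries <= 15` loops exit with `task_id` never assigned, and the polling call `requests.get("{0}/analysis/{1}".format(self.url, task_id), …)` raises `NameError`, surfacing through `unexpectedError` instead of a clear message; add `if status_code == 429: self.error("AnyRun did not accept the submission after repeated 429 responses")` right after the `if`/`elif` on `self.data_type`. The polling loop sleeps 60 s on each of up to 16 iterations (`tries <= 15`), so the `# wait max 15 mins` comment is off by one. The file and url branches duplicate the submit-and-retry loop except for the request body; a helper taking `files=`/`data=` would halve it. Setting `verify_ssl` false disables certificate validation on the connection that carries the `API-Key` header, so the `disable_warnings` call deserves a comment stating when that is acceptable.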
diff --git a/thehive-templates/AnyRun_Sandbox_1_0/long.html b/thehive-templates/AnyRun_Sandbox_1_0/long.html new file mode 100644 index 000000000..02dac1237 --- /dev/null +++ b/thehive-templates/AnyRun_Sandbox_1_0/long.html @@ -0,0 +1,120 @@ +
+ +
+ Any.Run Sandbox +
+
+
+

Link

+
+ + + + +
</div> +
+
+
+

Counters

+
+
+

Registry

+
+
Read
{{content.counters.registry.read}}
+
Write
{{content.counters.registry.write}}
+
Delete
{{content.counters.registry.delete}}
+
Total
{{content.counters.registry.total}}
+
+
+
+

Processes

+
+
Monitored
{{content.counters.processes.monitored}}
+
Suspicious
{{content.counters.processes.suspicious}}
+
Malicious
{{content.counters.processes.malicious}}
+
Total
{{content.counters.processes.total}}
+
+
+
+

Files

+
+
Text
{{content.counters.files.text}}
+
Suspicious
{{content.counters.files.suspicious}}
+
Malicious
{{content.counters.files.malicious}}
+
Unknown
{{content.counters.files.unknows}}
+
+
+
+

Network

+
+
Dns
{{content.counters.network.dns}}
+
Http
{{content.counters.network.http}}
+
Connections
{{content.counters.network.connections}}
+
Threats
{{content.counters.network.threats}}
+
+
+ +
+
+

Scores

+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

Mitre

+ +
+
+
+ + +
+
+ Any.Run Sandbox Error +
+
+
+
Error:
+
{{content.errorMessage}}
+
+
+
\ No newline at end of file diff --git a/thehive-templates/AnyRun_Sandbox_1_0/short.html b/thehive-templates/AnyRun_Sandbox_1_0/short.html new file mode 100644 index 000000000..96eef2a47 --- /dev/null +++ b/thehive-templates/AnyRun_Sandbox_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" +  From 8fce93df5f10c7fa55da38c05cbd043b45c59d38 Mon Sep 17 00:00:00 2001 From: Davide Arcuri Date: Wed, 1 Apr 2020 19:06:44 +0200 Subject: [PATCH 07/36] Improve long template: score, tags, fix small errors --- .../AnyRun_Sandbox_1_0/long.html | 90 +++++++++++-------- 1 file changed, 51 insertions(+), 39 deletions(-) diff --git a/thehive-templates/AnyRun_Sandbox_1_0/long.html b/thehive-templates/AnyRun_Sandbox_1_0/long.html index 02dac1237..741127bba 100644 --- a/thehive-templates/AnyRun_Sandbox_1_0/long.html +++ b/thehive-templates/AnyRun_Sandbox_1_0/long.html @@ -4,6 +4,15 @@ Any.Run Sandbox
+
+
+
Score:
{{content.analysis.scores.verdict.score}}/100
+
Threat Score:
+
{{content.analysis.scores.verdict.threatLevelText}}
+
Tags:
{{tag.tag}}
+
+
+

Link

@@ -11,86 +20,89 @@

Link

-
</div> +
+

Counters

Registry

-
Read
{{content.counters.registry.read}}
-
Write
{{content.counters.registry.write}}
-
Delete
{{content.counters.registry.delete}}
-
Total
{{content.counters.registry.total}}
+
Read:
{{content.counters.registry.read}}
+
Write:
{{content.counters.registry.write}}
+
Delete:
{{content.counters.registry.delete}}
+
Total:
{{content.counters.registry.total}}

Processes

-
Monitored
{{content.counters.processes.monitored}}
-
Suspicious
{{content.counters.processes.suspicious}}
-
Malicious
{{content.counters.processes.malicious}}
-
Total
{{content.counters.processes.total}}
+
Monitored:
{{content.counters.processes.monitored}}
+
Suspicious:
{{content.counters.processes.suspicious}}
+
Malicious:
{{content.counters.processes.malicious}}
+
Total:
{{content.counters.processes.total}}

Files

-
Text
{{content.counters.files.text}}
-
Suspicious
{{content.counters.files.suspicious}}
-
Malicious
{{content.counters.files.malicious}}
-
Unknown
{{content.counters.files.unknows}}
+
Text:
{{content.counters.files.text}}
+
Suspicious:
{{content.counters.files.suspicious}}
+
Malicious:
{{content.counters.files.malicious}}
+
Unknown:
{{content.counters.files.unknown}}

Network

-
Dns
{{content.counters.network.dns}}
-
Http
{{content.counters.network.http}}
-
Connections
{{content.counters.network.connections}}
-
Threats
{{content.counters.network.threats}}
+
Dns:
{{content.counters.network.dns}}
+
Http:
{{content.counters.network.http}}
+
Connections:
{{content.counters.network.connections}}
+
Threats:
{{content.counters.network.threats}}
+

Scores

-
-
-
-
-
-
+
+
+
+
+
+

-
-
-
-
-
-
+
+
+
+
+
+

-
-
-
-
-
-
+
+
+
+
+
+

-
-
-
-
+
+
+
+
+

Mitre

From 26fa591d5cf45fc34de09f31462c0a0a7d433a20 Mon Sep 17 00:00:00 2001 From: Davide Arcuri Date: Tue, 21 Apr 2020 09:16:26 +0200 Subject: [PATCH 08/36] fix infos_domain --- analyzers/Shodan/shodan_analyzer.py | 16 +++++++------- .../Shodan_InfoDomain_1_0/long.html | 22 +++++++++---------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/analyzers/Shodan/shodan_analyzer.py b/analyzers/Shodan/shodan_analyzer.py index c0109a44e..6a14b87d5 100755 --- a/analyzers/Shodan/shodan_analyzer.py +++ b/analyzers/Shodan/shodan_analyzer.py @@ -64,17 +64,17 @@ def summary(self, raw): else: taxonomies.append(self.build_taxonomy(levelorange, namespace, 'VULNS', totalcve)) elif self.service == 'info_domain': - if 'ips' in raw['infos_domain']: - value = "{}".format(len(raw['infos_domain']['ips'])) + if 'ips' in raw['info_domain']: + value = "{}".format(len(raw['info_domain']['ips'])) taxonomies.append(self.build_taxonomy(level, namespace, 'IPs', value)) - if 'all_domains' in raw['infos_domain']: - value = "{}".format(len(raw['infos_domain']['all_domains'])) + if 'all_domains' in raw['info_domain']: + value = "{}".format(len(raw['info_domain']['all_domains'])) taxonomies.append(self.build_taxonomy(level, namespace, 'Domains', value)) - if 'asn' in raw['infos_domain']: - value = "{}".format(len(raw['infos_domain']['asn'])) + if 'asn' in raw['info_domain']: + value = "{}".format(len(raw['info_domain']['asn'])) taxonomies.append(self.build_taxonomy(level, namespace, 'ASNs', value)) - if 'isp' in raw['infos_domain']: - value = "{}".format(len(raw['infos_domain']['isp'])) + if 'isp' in raw['info_domain']: + value = "{}".format(len(raw['info_domain']['isp'])) taxonomies.append(self.build_taxonomy(level, namespace, 'ISPs', value)) elif self.service == 'dns_resolve': value = "{}".format(len(raw['records'])) diff --git a/thehive-templates/Shodan_InfoDomain_1_0/long.html b/thehive-templates/Shodan_InfoDomain_1_0/long.html index 95aabff92..1877c5fa1 100644 
--- a/thehive-templates/Shodan_InfoDomain_1_0/long.html +++ b/thehive-templates/Shodan_InfoDomain_1_0/long.html @@ -6,54 +6,54 @@
ASN
- {{content.infos_domain.asn.join(', ') || '-'}} + {{content.info_domain.asn.join(', ') || '-'}}
ISP
- - + -
    -
  • {{i}}
  • +
  • {{i}}
Domains
- - + -
    -
  • {{i | fang}}
  • +
  • {{i | fang}}
Ports
- {{content.infos_domain.ports.join(', ') || '-'}} + {{content.info_domain.ports.join(', ') || '-'}}
Orgs
- - + -
    -
  • {{i}}
  • +
  • {{i}}
Transports
- {{content.infos_domain.transports.join(', ') || '-'}} + {{content.info_domain.transports.join(', ') || '-'}}
IPs
- - + -
    -
  • {{i | fang}}
  • +
  • {{i | fang}}
From 7ce4cd4767c1606d8b7238df06dbd0bbd9715a32 Mon Sep 17 00:00:00 2001 From: Davide Arcuri Date: Tue, 7 Apr 2020 11:46:56 +0200 Subject: [PATCH 09/36] yeti fix issues --- analyzers/Yeti/Yeti.json | 8 ++++++++ analyzers/Yeti/requirements.txt | 2 +- analyzers/Yeti/yeti.py | 6 ++---- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/analyzers/Yeti/Yeti.json b/analyzers/Yeti/Yeti.json index baddf0173..1f09fb1de 100644 --- a/analyzers/Yeti/Yeti.json +++ b/analyzers/Yeti/Yeti.json @@ -22,6 +22,14 @@ "type": "string", "multi": false, "required": false + }, + { + "name": "verify_ssl", + "description": "Verify SSL certificate", + "type": "boolean", + "multi": false, + "required": true, + "defaultValue": true } ] } diff --git a/analyzers/Yeti/requirements.txt b/analyzers/Yeti/requirements.txt index aca4b34a9..931afd991 100644 --- a/analyzers/Yeti/requirements.txt +++ b/analyzers/Yeti/requirements.txt @@ -1,2 +1,2 @@ cortexutils -git+https://github.com/yeti-platform/pyeti ; python_version<='2.7' +git+https://github.com/yeti-platform/pyeti diff --git a/analyzers/Yeti/yeti.py b/analyzers/Yeti/yeti.py index 01dd37989..c30f8581c 100755 --- a/analyzers/Yeti/yeti.py +++ b/analyzers/Yeti/yeti.py @@ -10,6 +10,7 @@ def __init__(self): Analyzer.__init__(self) self.url = self.get_param('config.url', None, 'Missing URL for Yeti API') self.api_key = self.get_param('config.api_key') + self.verify_ssl = self.get_param("config.verify_ssl", True, None) def summary(self, raw): count = len(raw.get('findings', [])) @@ -26,15 +27,12 @@ def summary(self, raw): return result def run(self): - api = pyeti.YetiApi("{}/api/".format(self.url), api_key=self.api_key) + api = pyeti.YetiApi("{}/api/".format(self.url), api_key=self.api_key, verify_ssl=self.verify_ssl) data = self.get_data() try: result = api.observable_search(value=data) - if not result: - self.error('Service unavailable, please check if Yeti server is running') - self.report({ 'findings': result }) 
From 4c80f7dbbdcebba6f0bfb883242d4f839097f91f Mon Sep 17 00:00:00 2001 From: Tom Asselman Date: Thu, 26 Mar 2020 10:29:11 +0100 Subject: [PATCH 10/36] Fix bug emlparser when 'content-type' string in mail is in lower case Emlparser crashes when the string "Content-Type" is not found. In some cases it's available as "Content-type" or "content-type" , this fixes those cases --- analyzers/EmlParser/parse.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/EmlParser/parse.py b/analyzers/EmlParser/parse.py index 981ed902e..cabf8b0a7 100755 --- a/analyzers/EmlParser/parse.py +++ b/analyzers/EmlParser/parse.py @@ -89,7 +89,7 @@ def parseEml(filepath): #splited string because it was returning the body inside 'Content-Type' hParser = email.parser.HeaderParser() h = str(hParser.parsestr(raw_eml)) - result['headers'] = h[:h.index('Content-Type:')] + result['headers'] = h[:h.lower().index('content-type:')] parsed_eml = eml_parser.eml_parser.decode_email(filepath, include_raw_body=True, include_attachment_data=True) #parsed_eml['header'].keys() gives: From 22cfd43b247d6a693dbfbc747a3e03e8d26403ba Mon Sep 17 00:00:00 2001 From: Miles Florence Date: Wed, 12 Feb 2020 03:37:19 -0800 Subject: [PATCH 11/36] Updated vendor lib to python3 --- analyzers/DNSDB/dnsdb_query.py | 200 +++++++++++++++++++++------------ 1 file changed, 129 insertions(+), 71 deletions(-) diff --git a/analyzers/DNSDB/dnsdb_query.py b/analyzers/DNSDB/dnsdb_query.py index 0fad57c99..57b38e254 100755 --- a/analyzers/DNSDB/dnsdb_query.py +++ b/analyzers/DNSDB/dnsdb_query.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (c) 2013 by Farsight Security, Inc. # @@ -14,8 +14,11 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Python3 compatability by: https://github.com/guyddr/dnsdb-query + import calendar import errno +import json import locale import optparse import os 
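Review bot: `h[:h.lower().index('content-type:')]` still raises `ValueError` when the header block contains no Content-Type at all, which is the same crash this commit is fixing, just for a different input; `str.find` with a fallback avoids it: `cut = h.lower().find('content-type:')` followed by `result['headers'] = h if cut < 0 else h[:cut]`. `parseEml` continues outside the hunk.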
@@ -23,30 +26,33 @@ import sys import time import urllib -import urllib2 -from cStringIO import StringIO +from io import StringIO -try: - import json -except ImportError: - import simplejson as json +import urllib3 -DEFAULT_CONFIG_FILE = '/etc/dnsdb-query.conf' +DEFAULT_CONFIG_FILES = filter(os.path.isfile, ('/etc/dnsdb-query.conf', os.path.expanduser('~/.dnsdb-query.conf'))) DEFAULT_DNSDB_SERVER = 'https://api.dnsdb.info' +DEFAULT_HTTP_PROXY = '' +DEFAULT_HTTPS_PROXY = '' cfg = None options = None +debug = False # set to True to print raw queries and responses locale.setlocale(locale.LC_ALL, '') + class QueryError(Exception): pass + class DnsdbClient(object): - def __init__(self, server, apikey, limit=None): + def __init__(self, server, apikey, limit=None, http_proxy=None, https_proxy=None): self.server = server self.apikey = apikey self.limit = limit + self.http_proxy = http_proxy + self.https_proxy = https_proxy def query_rrset(self, oname, rrtype=None, bailiwick=None, before=None, after=None): if bailiwick: @@ -71,6 +77,7 @@ def query_rdata_ip(self, rdata_ip, before=None, after=None): return self._query(path, before, after) def _query(self, path, before=None, after=None): + res = [] url = '%s/lookup/%s' % (self.server, path) params = {} 
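Review bot: `DEFAULT_CONFIG_FILES = filter(os.path.isfile, (...))` is a lazy iterator under Python 3: it is always truthy, so the `if not cfg_files:` check in `parse_config` in the next hunk can never fire when the default is used, and the iterator is exhausted after its first pass; materialise it, e.g. `DEFAULT_CONFIG_FILES = tuple(filter(os.path.isfile, ('/etc/dnsdb-query.conf', os.path.expanduser('~/.dnsdb-query.conf'))))`. `import urllib` does not by itself load `urllib.parse`, which `_query` and `quote` now use, so `import urllib.parse` makes the dependency explicit instead of relying on another module having imported it first. `res = []` added in the `-71,6` hunk is not used anywhere visible. `DnsdbClient` continues outside this hunk.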
@@ -85,57 +92,80 @@ def _query(self, path, before=None, after=None): if after: params['time_last_after'] = after if params: - url += '?{0}'.format(urllib.urlencode(params)) - - req = urllib2.Request(url) - req.add_header('Accept', 'application/json') - req.add_header('X-Api-Key', self.apikey) - http = urllib2.urlopen(req) - while True: - line = http.readline() - if not line: - break - yield json.loads(line) + url += '?{0}'.format(urllib.parse.urlencode(params)) + + if self.https_proxy: + manager = urllib3.ProxyManager(self.https_proxy) + elif self.http_proxy: + manager = urllib3.ProxyManager(self.http_proxy) + else: + manager = urllib3.PoolManager() + + headers = { + 'Accept': 'application/json', + 'X-Api-Key': self.apikey + } + + if debug: + sys.stderr.write(";; query URL =" + url) + + try: + r = manager.request(method='GET', url=url, headers=headers) + + json_data = r.data.decode('utf-8') + if json_data: + json_list = json_data.splitlines() + for line in json_list: + yield json.loads(line) + + except (urllib3.exceptions.HTTPError) as e: + raise QueryError(str(e)) + def quote(path): - return urllib.quote(path, safe='') + return urllib.parse.quote(path, safe='') + def sec_to_text(ts): return time.strftime('%Y-%m-%d %H:%M:%S -0000', time.gmtime(ts)) + def rrset_to_text(m): s = StringIO() - if 'bailiwick' in m: - s.write(';; bailiwick: %s\n' % m['bailiwick']) + try: + if 'bailiwick' in m: + s.write(';; bailiwick: %s\n' % m['bailiwick']) + + if 'count' in m: + s.write(';; count: %s\n' % locale.format('%d', m['count'], True)) - if 'count' in m: - s.write(';; count: %s\n' % locale.format('%d', m['count'], True)) + if 'time_first' in m: + s.write(';; first seen: %s\n' % sec_to_text(m['time_first'])) + if 'time_last' in m: + s.write(';; last seen: %s\n' % sec_to_text(m['time_last'])) - if 'time_first' in m: - s.write(';; first seen: %s\n' % sec_to_text(m['time_first'])) - if 'time_last' in m: - s.write(';; last seen: %s\n' % sec_to_text(m['time_last'])) + if 
'zone_time_first' in m: + s.write(';; first seen in zone file: %s\n' % sec_to_text(m['zone_time_first'])) + if 'zone_time_last' in m: + s.write(';; last seen in zone file: %s\n' % sec_to_text(m['zone_time_last'])) - if 'zone_time_first' in m: - s.write(';; first seen in zone file: %s\n' % sec_to_text(m['zone_time_first'])) - if 'zone_time_last' in m: - s.write(';; last seen in zone file: %s\n' % sec_to_text(m['zone_time_last'])) + if 'rdata' in m: + for rdata in m['rdata']: + s.write('%s IN %s %s\n' % (m['rrname'], m['rrtype'], rdata)) - if 'rdata' in m: - for rdata in m['rdata']: - s.write('%s IN %s %s\n' % (m['rrname'], m['rrtype'], rdata)) + s.seek(0) + return s.read() + finally: + s.close() - s.seek(0) - return s.read() def rdata_to_text(m): return '%s IN %s %s' % (m['rrname'], m['rrtype'], m['rdata']) -def parse_config(cfg_fname): + +def parse_config(cfg_files): config = {} - cfg_files = filter(os.path.isfile, - (cfg_fname, os.path.expanduser('~/.dnsdb-query.conf'))) if not cfg_files: raise IOError(errno.ENOENT, 'dnsdb_query: No config files found') @@ -148,6 +178,7 @@ def parse_config(cfg_fname): return config + def time_parse(s): try: epoch = int(s) 
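Review bot: `manager.request(method='GET', …)` does not raise on HTTP error statuses, unlike the `urllib2.urlopen` it replaces, so a 401/403 or 5xx body is handed to `json.loads` line by line and surfaces as a decode error rather than a `QueryError`; check the status before parsing, `if r.status != 200: raise QueryError('HTTP %d: %s' % (r.status, r.reason))`. The `debug` write `sys.stderr.write(";; query URL =" + url)` lacks a trailing newline. `rrset_to_text` wraps the `StringIO` in try/finally where `with StringIO() as s:` reads the same and closes it automatically. `_query` starts before this hunk.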
@@ -169,38 +200,56 @@ def time_parse(s): m = re.match(r'^(?=\d)(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s?)?$', s, re.I) if m: - return -1*(int(m.group(1) or 0)*604800 + \ - int(m.group(2) or 0)*86400+ \ - int(m.group(3) or 0)*3600+ \ - int(m.group(4) or 0)*60+ \ - int(m.group(5) or 0)) + return -1 * (int(m.group(1) or 0) * 604800 + \ + int(m.group(2) or 0) * 86400 + \ + int(m.group(3) or 0) * 3600 + \ + int(m.group(4) or 0) * 60 + \ + int(m.group(5) or 0)) raise ValueError('Invalid time: "%s"' % s) + +def epipe_wrapper(func): + def f(*args, **kwargs): + try: + return func(*args, **kwargs) + except IOError as e: + if e.errno == errno.EPIPE: + sys.exit(e.errno) + raise + + return f + + +@epipe_wrapper def main(): global cfg global options + global debug - parser = optparse.OptionParser(epilog='Time formats are: "%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%d" (UNIX timestamp), "-%d" (Relative time in seconds), BIND format (e.g. 1w1h, (w)eek, (d)ay, (h)our, (m)inute, (s)econd)') - parser.add_option('-c', '--config', dest='config', type='string', - help='config file', default=DEFAULT_CONFIG_FILE) + parser = optparse.OptionParser( + epilog='Time formats are: "%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%d" (UNIX timestamp), "-%d" (Relative time in seconds), BIND format (e.g. 
1w1h, (w)eek, (d)ay, (h)our, (m)inute, (s)econd)') + parser.add_option('-c', '--config', dest='config', + help='config file', action='append') parser.add_option('-r', '--rrset', dest='rrset', type='string', - help='rrset [/[/BAILIWICK]]') + help='rrset [/[/BAILIWICK]]') parser.add_option('-n', '--rdataname', dest='rdata_name', type='string', - help='rdata name [/]') + help='rdata name [/]') parser.add_option('-i', '--rdataip', dest='rdata_ip', type='string', - help='rdata ip ') + help='rdata ip ') parser.add_option('-t', '--rrtype', dest='rrtype', type='string', - help='rrset or rdata rrtype') + help='rrset or rdata rrtype') parser.add_option('-b', '--bailiwick', dest='bailiwick', type='string', - help='rrset bailiwick') + help='rrset bailiwick') parser.add_option('-s', '--sort', dest='sort', type='string', help='sort key') parser.add_option('-R', '--reverse', dest='reverse', action='store_true', default=False, - help='reverse sort') + help='reverse sort') parser.add_option('-j', '--json', dest='json', action='store_true', default=False, - help='output in JSON format') + help='output in JSON format') parser.add_option('-l', '--limit', dest='limit', type='int', default=0, - help='limit number of results') + help='limit number of results') + parser.add_option('-d', '--debug', dest='debug', action='store_true', default=False, + help='print debug output') parser.add_option('', '--before', dest='before', type='string', help='only output results seen before this time') parser.add_option('', '--after', dest='after', type='string', help='only output results seen after this time') 
@@ -210,32 +259,40 @@ def main(): parser.print_help() sys.exit(1) + debug = options.debug + try: if options.before: options.before = time_parse(options.before) - except ValueError, e: - print 'Could not parse before: {}'.format(options.before) + except ValueError as e: + print('Could not parse before: {}'.format(options.before)) try: if options.after: options.after = time_parse(options.after) - except ValueError, e: - print 'Could not parse after: {}'.format(options.after) + except ValueError as e: + print('Could not parse after: {}'.format(options.after)) try: - cfg = parse_config(options.config) - except IOError, e: - sys.stderr.write(e.message) + cfg = parse_config(options.config or DEFAULT_CONFIG_FILES) + except IOError as e: + sys.stderr.writable(str(e)) sys.exit(1) - if not 'DNSDB_SERVER' in cfg: cfg['DNSDB_SERVER'] = DEFAULT_DNSDB_SERVER + if not 'HTTP_PROXY' in cfg: + cfg['HTTP_PROXY'] = DEFAULT_HTTP_PROXY + if not 'HTTPS_PROXY' in cfg: + cfg['HTTPS_PROXY'] = DEFAULT_HTTPS_PROXY if not 'APIKEY' in cfg: sys.stderr.write('dnsdb_query: APIKEY not defined in config file\n') sys.exit(1) - client = DnsdbClient(cfg['DNSDB_SERVER'], cfg['APIKEY'], options.limit) + client = DnsdbClient(cfg['DNSDB_SERVER'], cfg['APIKEY'], + limit=options.limit, + http_proxy=cfg['HTTP_PROXY'], + https_proxy=cfg['HTTPS_PROXY']) if options.rrset: if options.rrtype or options.bailiwick: qargs = (options.rrset, options.rrtype, options.bailiwick) @@ -246,7 +303,7 @@ def main(): fmt_func = rrset_to_text elif options.rdata_name: if options.rrtype: - qargs = (options.rdata_name, options.rrtype, options.bailiwick) + qargs = (options.rdata_name, options.rrtype) else: qargs = (options.rdata_name.split('/', 1)) 
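Review bot: `sys.stderr.writable(str(e))` in the `IOError` handler around `parse_config` is a typo for `write`: it returns a bool and prints nothing, so the process exits with status 1 and no message, which is exactly the case (`No config files found`) the handler exists for. It should read `sys.stderr.write(str(e) + '\n')`. The two `except ValueError as e:` handlers bind `e` without using it and fall through after the `print(...)`, so `options.before`/`options.after` keep the unparsed string and are sent on to the query; if that is intentional best-effort behaviour a short comment would help, otherwise a `sys.exit(1)` belongs there. `main` starts and ends outside this hunk.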
@@ -269,14 +326,15 @@ def main(): if not options.sort in results[0]: sort_keys = results[0].keys() sort_keys.sort() - sys.stderr.write('dnsdb_query: invalid sort key "%s". valid sort keys are %s\n' % (options.sort, ', '.join(sort_keys))) + sys.stderr.write('dnsdb_query: invalid sort key "%s". valid sort keys are %s\n' % ( + options.sort, ', '.join(sort_keys))) sys.exit(1) results.sort(key=lambda r: r[options.sort], reverse=options.reverse) for res in results: sys.stdout.write('%s\n' % fmt_func(res)) - except (urllib2.HTTPError, urllib2.URLError), e: - print >>sys.stderr, str(e) + except QueryError as e: + sys.stderr.write(e) sys.exit(1) if __name__ == '__main__': - main() + main() \ No newline at end of file From 50f3d27bf45cb0205991efe4277f8391e2d66397 Mon Sep 17 00:00:00 2001 From: Miles Florence Date: Wed, 12 Feb 2020 03:38:00 -0800 Subject: [PATCH 12/36] Minor fix to address different error handling in py3 --- analyzers/DNSDB/dnsdb.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/analyzers/DNSDB/dnsdb.py b/analyzers/DNSDB/dnsdb.py index 19af57c97..689e9f71e 100755 --- a/analyzers/DNSDB/dnsdb.py +++ b/analyzers/DNSDB/dnsdb.py @@ -1,7 +1,7 @@ -#!/usr/bin/env python2 -# encoding: utf-8 +#!/usr/bin/env python3 + import datetime -from urllib2 import HTTPError +from urllib3.exceptions import HTTPError from dnsdb_query import DnsdbClient, QueryError from cortexutils.analyzer import Analyzer @@ -65,12 +65,10 @@ def run(self): "records": map(lambda r: self.update_date('time_first', self.update_date('time_last', r)), self.execute_dnsdb_service(client)) }) - except HTTPError, e: - if e.code != 404: - self.unexpectedError(e) - else: - self.report({"records": []}) + except Exception as e: + self.unexpectedError(e) + self.report({"records": []}) if __name__ == '__main__': - DnsDbAnalyzer().run() + DnsDbAnalyzer().run() \ No newline at end of file From 5c5ab21427642f3e5b38e4b0ea81d9cfaa50cecd Mon Sep 17 00:00:00 2001 
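Review bot: `sys.stderr.write(e)` in the new `except QueryError as e:` branch passes the exception object to a text stream, which raises `TypeError` and masks the real error on every query failure; it should be `sys.stderr.write(str(e) + '\n')`. Two lines above the changed `sys.stderr.write(...)`, the context lines `sort_keys = results[0].keys()` / `sort_keys.sort()` also break under Python 3 (dict views have no `sort`), so the invalid-sort-key path raises `AttributeError` instead of printing the valid keys; `sort_keys = sorted(results[0].keys())` fixes it. `main` starts outside this hunk.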
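Review bot: The new `except Exception as e:` in `run` collapses the earlier 404-vs-other distinction, so a "no records" answer from DNSDB is now reported as an unexpected error rather than as an empty result, and if `unexpectedError` terminates the worker (cortexutils workers exit after reporting) the `self.report({"records": []})` on the next line is unreachable, otherwise two reports are written. Since `QueryError` is already imported in the first hunk, a narrower handler keeps the two cases apart: `except QueryError as e: self.error(str(e))` ahead of the generic `except Exception as e: self.unexpectedError(e)`. The `from urllib3.exceptions import HTTPError` added in the first hunk is no longer referenced in this one; confirm it is used elsewhere in the file or drop it. `run` starts outside this hunk.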
From: Miles Florence Date: Wed, 12 Feb 2020 03:39:34 -0800 Subject: [PATCH 13/36] JSON and datetime were moved to stdlib --- analyzers/DNSDB/requirements.txt | 2 -- 1 file changed, 2 deletions(-) diff --git a/analyzers/DNSDB/requirements.txt b/analyzers/DNSDB/requirements.txt index 43fe0b391..d71f30df0 100644 --- a/analyzers/DNSDB/requirements.txt +++ b/analyzers/DNSDB/requirements.txt @@ -1,4 +1,2 @@ -datetime -simplejson cortexutils future \ No newline at end of file From 3fba9353f3eb43a23801ddefb4b01991f2f485e2 Mon Sep 17 00:00:00 2001 From: Miles Florence Date: Wed, 12 Feb 2020 03:40:04 -0800 Subject: [PATCH 14/36] future lib was a bandage left over from python2 --- analyzers/DNSDB/requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/analyzers/DNSDB/requirements.txt b/analyzers/DNSDB/requirements.txt index d71f30df0..8ad52a568 100644 --- a/analyzers/DNSDB/requirements.txt +++ b/analyzers/DNSDB/requirements.txt @@ -1,2 +1 @@ cortexutils -future \ No newline at end of file From a80fd98c066f1b118869ff20202300ed10f10fcb Mon Sep 17 00:00:00 2001 From: Miles Florence Date: Wed, 12 Feb 2020 03:40:47 -0800 Subject: [PATCH 15/36] Adding requests as it will be the log-term solution --- analyzers/DNSDB/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/analyzers/DNSDB/requirements.txt b/analyzers/DNSDB/requirements.txt index 8ad52a568..6aabc3cfa 100644 --- a/analyzers/DNSDB/requirements.txt +++ b/analyzers/DNSDB/requirements.txt @@ -1 +1,2 @@ cortexutils +requests From 1330213beccd57d98644a4d478f3cd90bf323e0c Mon Sep 17 00:00:00 2001 From: Miles Florence Date: Wed, 12 Feb 2020 03:41:10 -0800 Subject: [PATCH 16/36] vbump to python:3 --- analyzers/DNSDB/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/DNSDB/Dockerfile b/analyzers/DNSDB/Dockerfile index b178e3d01..b7db084a0 100644 --- a/analyzers/DNSDB/Dockerfile +++ b/analyzers/DNSDB/Dockerfile 
@@ -1,4 +1,4 @@ -FROM python:2 +FROM python:3 WORKDIR /worker COPY . DNSDB From 2f1cdda2ae3940fb77df79d5e72c8aa2d9f8d29e Mon Sep 17 00:00:00 2001 From: Davide Arcuri Date: Mon, 13 Apr 2020 15:13:37 +0200 Subject: [PATCH 17/36] fix map object vs json --- analyzers/DNSDB/dnsdb.py | 4 ++-- analyzers/DNSDB/dnsdb_query.py | 14 ++++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/analyzers/DNSDB/dnsdb.py b/analyzers/DNSDB/dnsdb.py index 689e9f71e..8d13e20f4 100755 --- a/analyzers/DNSDB/dnsdb.py +++ b/analyzers/DNSDB/dnsdb.py @@ -62,8 +62,8 @@ def run(self): try: client = DnsdbClient(self.dnsdb_server, self.dnsdb_key) self.report({ - "records": map(lambda r: self.update_date('time_first', self.update_date('time_last', r)), - self.execute_dnsdb_service(client)) + "records": list(map(lambda r: self.update_date('time_first', self.update_date('time_last', r)), + self.execute_dnsdb_service(client))) }) except Exception as e: self.unexpectedError(e) diff --git a/analyzers/DNSDB/dnsdb_query.py b/analyzers/DNSDB/dnsdb_query.py index 57b38e254..a055ea0eb 100755 --- a/analyzers/DNSDB/dnsdb_query.py +++ b/analyzers/DNSDB/dnsdb_query.py @@ -111,12 +111,14 @@ def _query(self, path, before=None, after=None): try: r = manager.request(method='GET', url=url, headers=headers) - - json_data = r.data.decode('utf-8') - if json_data: - json_list = json_data.splitlines() - for line in json_list: - yield json.loads(line) + if r.status == 200: + json_data = r.data.decode('utf-8') + if json_data: + json_list = json_data.splitlines() + for line in json_list: + yield json.loads(line) + else: + raise QueryError(r.text) except (urllib3.exceptions.HTTPError) as e: raise QueryError(str(e)) From 576e6730ffb0ccb46f6057ff05800bb115070182 Mon Sep 17 00:00:00 2001 
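Review bot: `raise QueryError(r.text)` in the new `else:` branch of `_query` uses an attribute urllib3's `HTTPResponse` does not have (`text` is the requests API), so any non-200 reply raises `AttributeError` instead of the intended `QueryError`, and that `AttributeError` is not caught by the `urllib3.exceptions.HTTPError` handler below. Use the body the object does expose: `raise QueryError('HTTP %d: %s' % (r.status, r.data.decode('utf-8', 'replace')))`. `_query` starts before this hunk.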
From: Wes Lambert Date: Sun, 26 Jan 2020 03:49:50 +0000 Subject: [PATCH 18/36] Add CyberChef analyzer --- analyzers/CyberChef/CyberChefFromBase64.json | 24 +++++++++ .../CyberChef/CyberChefFromCharCode.json | 24 +++++++++ analyzers/CyberChef/CyberChefFromHex.json | 24 +++++++++ analyzers/CyberChef/cyberchef.py | 54 +++++++++++++++++++ analyzers/CyberChef/long.html | 16 ++++++ analyzers/CyberChef/requirements.txt | 1 + analyzers/CyberChef/short.html | 3 ++ 7 files changed, 146 insertions(+) create mode 100644 analyzers/CyberChef/CyberChefFromBase64.json create mode 100644 analyzers/CyberChef/CyberChefFromCharCode.json create mode 100644 analyzers/CyberChef/CyberChefFromHex.json create mode 100755 analyzers/CyberChef/cyberchef.py create mode 100644 analyzers/CyberChef/long.html create mode 100644 analyzers/CyberChef/requirements.txt create mode 100644 analyzers/CyberChef/short.html diff --git a/analyzers/CyberChef/CyberChefFromBase64.json b/analyzers/CyberChef/CyberChefFromBase64.json new file mode 100644 index 000000000..794963796 --- /dev/null +++ b/analyzers/CyberChef/CyberChefFromBase64.json @@ -0,0 +1,24 @@ +{ + "name": "CyberChef_FromBase64", + "version": "1.0", + "author": "Wes Lambert", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Convert Base64 with CyberChef Server", + "dataTypeList": ["other"], + "baseConfig": "CyberChef", + "config": { + "service": "FromBase64" + }, + "command": "CyberChef/cyberchef.py", + "configurationItems": [ + { + "name": "url", + "description": "CyberChef Server URL", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "http://192.168.1.178:3000/" + } + ] +} diff --git a/analyzers/CyberChef/CyberChefFromCharCode.json b/analyzers/CyberChef/CyberChefFromCharCode.json new file mode 100644 index 000000000..cf77d7f67 --- /dev/null +++ b/analyzers/CyberChef/CyberChefFromCharCode.json 
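Review bot: `"defaultValue": "http://192.168.1.178:3000/"` for the `url` item bakes one specific private-network address, over plain HTTP, into an analyzer definition shipped to every deployment; an operator who enables the analyzer without overriding it will have observables posted in cleartext to whatever answers at that address on their own network. Since the item is already `"required": true`, the default can simply be removed, or replaced by an obviously local placeholder such as `http://localhost:3000/`. The same default appears in CyberChefFromCharCode.json and CyberChefFromHex.json in this commit.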
@@ -0,0 +1,24 @@ +{ + "name": "CyberChef_FromCharCode", + "version": "1.0", + "author": "Wes Lambert", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Convert Char Code with CyberChef Server", + "dataTypeList": ["other"], + "baseConfig": "CyberChef", + "config": { + "service": "FromCharCode" + }, + "command": "CyberChef/cyberchef.py", + "configurationItems": [ + { + "name": "url", + "description": "CyberChef Server URL", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "http://192.168.1.178:3000/" + } + ] +} diff --git a/analyzers/CyberChef/CyberChefFromHex.json b/analyzers/CyberChef/CyberChefFromHex.json new file mode 100644 index 000000000..ab97d10cb --- /dev/null +++ b/analyzers/CyberChef/CyberChefFromHex.json @@ -0,0 +1,24 @@ +{ + "name": "CyberChef_FromHex", + "version": "1.0", + "author": "Wes Lambert", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Convert Hex with CyberChef Server", + "dataTypeList": ["other"], + "baseConfig": "CyberChef", + "config": { + "service": "FromHex" + }, + "command": "CyberChef/cyberchef.py", + "configurationItems": [ + { + "name": "url", + "description": "CyberChef Server URL", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "http://192.168.1.178:3000/" + } + ] +} diff --git a/analyzers/CyberChef/cyberchef.py b/analyzers/CyberChef/cyberchef.py new file mode 100755 index 000000000..a61d66d20 --- /dev/null +++ b/analyzers/CyberChef/cyberchef.py 
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +import json +import requests +from cortexutils.analyzer import Analyzer + +class CyberchefAnalyzer(Analyzer): + def __init__(self): + Analyzer.__init__(self) + self.observable = self.get_param('data', None, 'Data missing!') + self.service = self.get_param('config.service', None, 'Service is missing') + self.url = self.get_param('config.url', None, 'URL is missing') + + def summary(self, raw): + taxonomies = [] + level = 'info' + namespace = 'CyberChef' + + # Set predicate for input + predicate = 'input_data' + taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['input_data'])) + + # Set predicate for output_data + predicate = 'output_data' + taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['output_data'])) + + return {"taxonomies": taxonomies} + + def run(self): + try: + observable = str(self.observable) + url = self.url + if self.service == 'FromHex': + data = {"input": observable, "recipe":{"op":"From Hex", "args": ["Auto"]}} + elif self.service == "FromBase64": + data = { "input": observable, "recipe":[{"op":"From Base64","args":["A-Za-z0-9+/=",True]}]} + elif self.service == "FromCharCode": + # Recipe from https://github.com/mattnotmax/cyberchef-recipes#recipe-3---from-charcode + data = { "input": observable, "recipe":[{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Comma",10]},{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Space",10]}]} + headers = { 'Content-Type': 'application/json' } + r = requests.post(url.strip('/') + '/bake', headers=headers, data=json.dumps(data)) + response_bytes = r.text + clean_bytes = response_bytes.strip('[').strip(']').split(',') + output_data = "" + for i in clean_bytes: + output_data = str(output_data + 
str(chr(int(i)))) + self.report({ 'input_data': observable, 'output_data': output_data }) + except: + self.error("Could not convert provided data.") + +if __name__ == '__main__': + CyberchefAnalyzer().run() + diff --git a/analyzers/CyberChef/long.html b/analyzers/CyberChef/long.html new file mode 100644 index 000000000..e4be416d8 --- /dev/null +++ b/analyzers/CyberChef/long.html @@ -0,0 +1,16 @@ +
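Review bot: The bare `except:` at the end of `run` catches everything, including `SystemExit` and `KeyboardInterrupt`, and replaces the cause with the fixed text "Could not convert provided data.", so a connection refusal, a bad URL, or a server-side recipe error all look identical to the analyst; `except Exception as e: self.error("Could not convert provided data: {}".format(e))` keeps the message and leaves interpreter exits alone. `requests.post(...)` is called without a `timeout`, so a stalled CyberChef server blocks the analyzer job indefinitely; add `timeout=<seconds>` to the call. `data` is only bound when `self.service` is one of the three known values, so any other `config.service` reaches `requests.post` with an unbound name and is reported as a conversion failure by the same bare handler. The `FromHex` recipe is a bare object (`"recipe":{...}`) while the other two are lists; confirm the server accepts both forms, otherwise make it a one-element list like its siblings.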
+
+ CyberChef Data Conversion +
+
+ + + + + + + + +
InputOutput
{{content.input_data | ellipsis:40}}{{content.output_data}}
+
+
diff --git a/analyzers/CyberChef/requirements.txt b/analyzers/CyberChef/requirements.txt new file mode 100644 index 000000000..0b72e19b9 --- /dev/null +++ b/analyzers/CyberChef/requirements.txt @@ -0,0 +1 @@ +dnyspython diff --git a/analyzers/CyberChef/short.html b/analyzers/CyberChef/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/analyzers/CyberChef/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" + From 5e2a9922d01c94131dcdc52b3b95dbf89ea45ca4 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 13 Feb 2020 20:15:12 -0500 Subject: [PATCH 19/36] Add cortexutils --- analyzers/CyberChef/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/analyzers/CyberChef/requirements.txt b/analyzers/CyberChef/requirements.txt index 0b72e19b9..dabc6930f 100644 --- a/analyzers/CyberChef/requirements.txt +++ b/analyzers/CyberChef/requirements.txt @@ -1 +1,2 @@ +cortexutils dnyspython From 8d136061125aa7e6c4f04f3f4b58b1c946f909b3 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 13 Feb 2020 20:17:18 -0500 Subject: [PATCH 20/36] Fix typo --- analyzers/CyberChef/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/CyberChef/requirements.txt b/analyzers/CyberChef/requirements.txt index dabc6930f..ea4658251 100644 --- a/analyzers/CyberChef/requirements.txt +++ b/analyzers/CyberChef/requirements.txt @@ -1,2 +1,2 @@ cortexutils -dnyspython +dnspython From 0a434a227634fa841d25001645f6ebf0a7017be9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Sat, 21 Mar 2020 19:24:11 -0400 Subject: [PATCH 21/36] Updated script, as results are currently failing --- analyzers/CyberChef/cyberchef.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/analyzers/CyberChef/cyberchef.py b/analyzers/CyberChef/cyberchef.py index a61d66d20..16a1ce867 100755 --- a/analyzers/CyberChef/cyberchef.py +++ b/analyzers/CyberChef/cyberchef.py 
@@ -40,11 +40,7 @@ def run(self): data = { "input": observable, "recipe":[{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Comma",10]},{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Space",10]}]} headers = { 'Content-Type': 'application/json' } r = requests.post(url.strip('/') + '/bake', headers=headers, data=json.dumps(data)) - response_bytes = r.text - clean_bytes = response_bytes.strip('[').strip(']').split(',') - output_data = "" - for i in clean_bytes: - output_data = str(output_data + str(chr(int(i)))) + output_data = "".join([chr(x) for x in r.json().get('value', [])]) self.report({ 'input_data': observable, 'output_data': output_data }) except: self.error("Could not convert provided data.") From 9c1fda32855ebddc0af613ecbb094fd16564adcd Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Sun, 22 Mar 2020 12:34:00 +0100 Subject: [PATCH 22/36] check server response before decode --- analyzers/CyberChef/cyberchef.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/analyzers/CyberChef/cyberchef.py b/analyzers/CyberChef/cyberchef.py index 16a1ce867..b3392e9c2 100755 --- a/analyzers/CyberChef/cyberchef.py +++ b/analyzers/CyberChef/cyberchef.py 
@@ -40,8 +40,11 @@ def run(self): data = { "input": observable, "recipe":[{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Comma",10]},{"op":"Regular expression","args":["User defined","([0-9]{2,3}(,\\s|))+",True,True,False,False,False,False,"List matches"]},{"op":"From Charcode","args":["Space",10]}]} headers = { 'Content-Type': 'application/json' } r = requests.post(url.strip('/') + '/bake', headers=headers, data=json.dumps(data)) - output_data = "".join([chr(x) for x in r.json().get('value', [])]) - self.report({ 'input_data': observable, 'output_data': output_data }) + if r.status_code == 200: + output_data = "".join([chr(x) for x in r.json().get('value', [])]) + self.report({ 'input_data': observable, 'output_data': output_data }) + else: + self.error('Server responded with %d: %s' % (r.status_code, r.text)) except: self.error("Could not convert provided data.") From 59375f171dd698da04ceda751c38a45d7b08b3f0 Mon Sep 17 00:00:00 2001 
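Review bot: The new `self.error('Server responded with %d: %s' % (r.status_code, r.text))` sits inside the `try` whose handler is a bare `except:`; if `self.error` terminates via `sys.exit` as cortexutils workers do, the resulting `SystemExit` is caught by that handler and `self.error("Could not convert provided data.")` runs a second time, emitting a second error document and discarding the status line just produced. Either move the status check below the `try` or narrow the handler to `except Exception as e:`, which lets `SystemExit` propagate. `run` starts and ends outside this hunk.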
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Fri, 24 Apr 2020 17:19:06 +0200 Subject: [PATCH 23/36] #599 #600 #697 Update short report to avoid being too long, remove input in short reports, add templates folders, improve long report to see both complete input and output --- ...mBase64.json => CyberChef_FromBase64.json} | 0 ...rCode.json => CyberChef_FromCharCode.json} | 0 ...hefFromHex.json => CyberChef_FromHex.json} | 0 analyzers/CyberChef/cyberchef.py | 8 +--- analyzers/CyberChef/long.html | 16 -------- .../CyberChef_FromBase64_1_0/long.html | 37 +++++++++++++++++++ .../CyberChef_FromBase64_1_0}/short.html | 0 .../CyberChef_FromCharCode_1_0/long.html | 37 +++++++++++++++++++ .../CyberChef_FromCharCode_1_0/short.html | 3 ++ .../CyberChef_FromHex_1_0/long.html | 37 +++++++++++++++++++ .../CyberChef_FromHex_1_0/short.html | 3 ++ 11 files changed, 119 insertions(+), 22 deletions(-) rename analyzers/CyberChef/{CyberChefFromBase64.json => CyberChef_FromBase64.json} (100%) rename analyzers/CyberChef/{CyberChefFromCharCode.json => CyberChef_FromCharCode.json} (100%) rename analyzers/CyberChef/{CyberChefFromHex.json => CyberChef_FromHex.json} (100%) delete mode 100644 analyzers/CyberChef/long.html create mode 100644 thehive-templates/CyberChef_FromBase64_1_0/long.html rename {analyzers/CyberChef => thehive-templates/CyberChef_FromBase64_1_0}/short.html (100%) create mode 100644 thehive-templates/CyberChef_FromCharCode_1_0/long.html create mode 100644 thehive-templates/CyberChef_FromCharCode_1_0/short.html create mode 100644 thehive-templates/CyberChef_FromHex_1_0/long.html create mode 100644 thehive-templates/CyberChef_FromHex_1_0/short.html diff --git a/analyzers/CyberChef/CyberChefFromBase64.json b/analyzers/CyberChef/CyberChef_FromBase64.json similarity index 100% rename from analyzers/CyberChef/CyberChefFromBase64.json rename to analyzers/CyberChef/CyberChef_FromBase64.json 
diff --git a/analyzers/CyberChef/CyberChefFromCharCode.json b/analyzers/CyberChef/CyberChef_FromCharCode.json similarity index 100% rename from analyzers/CyberChef/CyberChefFromCharCode.json rename to analyzers/CyberChef/CyberChef_FromCharCode.json diff --git a/analyzers/CyberChef/CyberChefFromHex.json b/analyzers/CyberChef/CyberChef_FromHex.json similarity index 100% rename from analyzers/CyberChef/CyberChefFromHex.json rename to analyzers/CyberChef/CyberChef_FromHex.json diff --git a/analyzers/CyberChef/cyberchef.py b/analyzers/CyberChef/cyberchef.py index b3392e9c2..eb48eccff 100755 --- a/analyzers/CyberChef/cyberchef.py +++ b/analyzers/CyberChef/cyberchef.py @@ -16,14 +16,10 @@ def summary(self, raw): taxonomies = [] level = 'info' namespace = 'CyberChef' - - # Set predicate for input - predicate = 'input_data' - taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['input_data'])) # Set predicate for output_data - predicate = 'output_data' - taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['output_data'])) + predicate = self.service + taxonomies.append(self.build_taxonomy(level, namespace, predicate, "baked!")) return {"taxonomies": taxonomies} diff --git a/analyzers/CyberChef/long.html b/analyzers/CyberChef/long.html deleted file mode 100644 index e4be416d8..000000000 --- a/analyzers/CyberChef/long.html +++ /dev/null @@ -1,16 +0,0 @@ -
-
- CyberChef Data Conversion -
-
- - - - - - - - -
InputOutput
{{content.input_data | ellipsis:40}}{{content.output_data}}
-
-
diff --git a/thehive-templates/CyberChef_FromBase64_1_0/long.html b/thehive-templates/CyberChef_FromBase64_1_0/long.html new file mode 100644 index 000000000..ec672efed --- /dev/null +++ b/thehive-templates/CyberChef_FromBase64_1_0/long.html @@ -0,0 +1,37 @@ + + +
+
+ CyberChef Data Conversion +
+
+ + + + + + + + +
InputOutput
{{content.input_data }}
{{content.output_data}}
+
+
diff --git a/analyzers/CyberChef/short.html b/thehive-templates/CyberChef_FromBase64_1_0/short.html similarity index 100% rename from analyzers/CyberChef/short.html rename to thehive-templates/CyberChef_FromBase64_1_0/short.html diff --git a/thehive-templates/CyberChef_FromCharCode_1_0/long.html b/thehive-templates/CyberChef_FromCharCode_1_0/long.html new file mode 100644 index 000000000..ec672efed --- /dev/null +++ b/thehive-templates/CyberChef_FromCharCode_1_0/long.html @@ -0,0 +1,37 @@ + + +
+
+ CyberChef Data Conversion +
+
+ + + + + + + + +
InputOutput
{{content.input_data }}
{{content.output_data}}
+
+
diff --git a/thehive-templates/CyberChef_FromCharCode_1_0/short.html b/thehive-templates/CyberChef_FromCharCode_1_0/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/thehive-templates/CyberChef_FromCharCode_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" + diff --git a/thehive-templates/CyberChef_FromHex_1_0/long.html b/thehive-templates/CyberChef_FromHex_1_0/long.html new file mode 100644 index 000000000..ec672efed --- /dev/null +++ b/thehive-templates/CyberChef_FromHex_1_0/long.html @@ -0,0 +1,37 @@ + + +
+
+ CyberChef Data Conversion +
+
+ + + + + + + + +
InputOutput
{{content.input_data }}
{{content.output_data}}
+
+
diff --git a/thehive-templates/CyberChef_FromHex_1_0/short.html b/thehive-templates/CyberChef_FromHex_1_0/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/thehive-templates/CyberChef_FromHex_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" + From ac9204bd528dbfcc00a3abc55cf14a17135dbacc Mon Sep 17 00:00:00 2001 From: MOA-AMR-COSSI Date: Fri, 20 Mar 2020 21:49:28 +0100 Subject: [PATCH 24/36] Add OpenCTI Analyzer --- analyzers/OpenCTI/OpenCTI.json | 57 ++++++++ analyzers/OpenCTI/opencti.py | 119 +++++++++++++++ analyzers/OpenCTI/requirements.txt | 2 + .../OpenCTI_SearchObservable_1_0/long.html | 136 ++++++++++++++++++ .../OpenCTI_SearchObservable_1_0/short.html | 3 + 5 files changed, 317 insertions(+) create mode 100644 analyzers/OpenCTI/OpenCTI.json create mode 100755 analyzers/OpenCTI/opencti.py create mode 100644 analyzers/OpenCTI/requirements.txt create mode 100644 thehive-templates/OpenCTI_SearchObservable_1_0/long.html create mode 100644 thehive-templates/OpenCTI_SearchObservable_1_0/short.html diff --git a/analyzers/OpenCTI/OpenCTI.json b/analyzers/OpenCTI/OpenCTI.json new file mode 100644 index 000000000..d7dabe98a --- /dev/null +++ b/analyzers/OpenCTI/OpenCTI.json 
@@ -0,0 +1,57 @@ +{ + "name": "OpenCTI_SearchObservable", + "author": "ANSSI", + "license": "AGPL-V3", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers/", + "version": "1.0", + "description": "Query multiple OpenCTI instances for an observable.", + "dataTypeList": [ + "domain", + "ip", + "url", + "fqdn", + "uri_path", + "user-agent", + "hash", + "email", + "mail", + "mail_subject", + "registry", + "regexp", + "other", + "filename" + ], + "baseConfig": "OpenCTI", + "command": "OpenCTI/opencti.py", + "configurationItems": [ + { + "name": "name", + "description": "Name of OpenCTI servers", + "multi": true, + "required": false, + "type": "string" + }, + { + "name": "url", + "description": "URL of OpenCTI servers", + "type": "string", + "multi": true, + "required": true + }, + { + "name": "key", + "description": "API key for each server", + "type": "string", + "multi": true, + "required": true + }, + { + "name": "cert_check", + "description": "Verify server certificate", + "type": "boolean", + "multi": false, + "required": true, + "defaultValue": true + } + ] +} diff --git a/analyzers/OpenCTI/opencti.py b/analyzers/OpenCTI/opencti.py new file mode 100755 index 000000000..df327219b --- /dev/null +++ b/analyzers/OpenCTI/opencti.py 
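Review bot: The `name` item is declared `"required": false` here, but opencti.py in the same commit reads it with `self.get_param('config.name', None, 'No OpenCTI instance name given.')`, whose error-message argument makes the parameter mandatory, so a configuration that is valid by this definition fails at analyzer start-up. Pick one: mark `name` `"required": true` in this file, or in opencti.py default it to the URL list (`names = self.get_param('config.name', None) or urls`) so the later length comparison still holds.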
@@ -0,0 +1,119 @@ +#!/usr/bin/env python3 +from cortexutils.analyzer import Analyzer +from pycti import OpenCTIApiClient + +class OpenCTIAnalyzer(Analyzer): + """Searches for given Observables in configured OpenCTI instances. All standard data types are supported.""" + + def __init__(self): + Analyzer.__init__(self) + + self.service = self.get_param( + 'config.service', "search_observable", None) + + ssl = self.get_param('config.cert_check', True) + names = self.get_param('config.name', None, 'No OpenCTI instance name given.') + urls = self.get_param('config.url', None, 'No OpenCTI url given.') + keys = self.get_param('config.key', None, 'No OpenCTI api key given.') + + if len(names) != len(urls) or len(urls) != len(keys): + self.error("Config error: please add a name, an url and a key for each OpenCTI instance.") + + else: + try: + self.openctis = [] + for i in range(len(names)): + self.openctis.append({ + "name": names[i], + "url": urls[i], + "api_client": OpenCTIApiClient( + urls[i], + keys[i], + "error", + ssl, + ) + }) + except Exception as e: + self.error(str(e)) + + def summary(self, raw): + taxonomies = [] + level = "info" + namespace = "OpenCTI" + predicate = "Search Observable" + + data = [] + found = False + for r in raw['results']: + if r['observable']: + found = True + for res in r['reports']: + if 'id' in res: + data.append(res['id']) + + # return number of reports + value = "Found - " if found else "Not found - " + if not data: + value += "0 reports" + taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) + else: + value += "{} report(s)".format(len(list(set(data)))) + level = "suspicious" + taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) + + return {"taxonomies": taxonomies} + + def run(self): + + data = self.get_param('data', None, 'Data is missing') + + response = [] + + for opencti in self.openctis: + # Lookup observable + observable = opencti["api_client"].stix_observable.read( + filters=[{"key": 
"observable_value", "values": [data]}] + ) + reports = [] + if observable: + # Strip observable data for lighter output. + del(observable["markingDefinitionsIds"]) + del(observable["tagsIds"]) + del(observable["externalReferencesIds"]) + del(observable["indicatorsIds"]) + + # Get a list of reports containing this observable + reports = opencti["api_client"].report.list( + filters=[ + { + "key": "observablesContains", + "values": [observable["id"]], + } + ] + ) + + # Strip reports data for lighter output. + for r in reports: + del(r["graph_data"]) + del(r["objectRefs"]) + del(r["observableRefs"]) + del(r["relationRefs"]) + del(r["markingDefinitionsIds"]) + del(r["tagsIds"]) + del(r["externalReferencesIds"]) + del(r["objectRefsIds"]) + del(r["observableRefsIds"]) + del(r["relationRefsIds"]) + + response.append({ + "name": opencti["name"], + "url": opencti["url"], + "observable": observable, + "reports": reports + }) + + self.report({'results': response}) + + +if __name__ == '__main__': + OpenCTIAnalyzer().run() diff --git a/analyzers/OpenCTI/requirements.txt b/analyzers/OpenCTI/requirements.txt new file mode 100644 index 000000000..252bc2840 --- /dev/null +++ b/analyzers/OpenCTI/requirements.txt @@ -0,0 +1,2 @@ +cortexutils +pycti diff --git a/thehive-templates/OpenCTI_SearchObservable_1_0/long.html b/thehive-templates/OpenCTI_SearchObservable_1_0/long.html new file mode 100644 index 000000000..dbc802574 --- /dev/null +++ b/thehive-templates/OpenCTI_SearchObservable_1_0/long.html @@ -0,0 +1,136 @@ +
+
+ OpenCTI {{res.name}} - Report from {{res.url}} +
+
+
+
+
No results
+
No results from OpenCTI {{res.name}}
+
+
+
+
+
Observable Id:
+
{{res.observable.id}}
+
+
+
Entity Type:
+
{{res.observable.entity_type}}
+
+
+
Created on:
+
{{res.observable.created_at}}
+
+
+
Created by:
+
{{res.observable.createdByRef.name}}
+
+
+
Marking Definitions:
+
+ {{md.definition}} + + {{md.definition}} + +
+
+
+
Tags:
+
+ {{tag.tag_type}}:{{tag.value}} + + {{tag.tag_type}}:{{tag.value}} + +
+
+
+
External refs:
+
+ {{extref.source_name}} +
+
+
+
Indicators:
+
+ {{ind.indicator_pattern}} +
+
+
+
+
+
Report Id:
+
{{report.id}}
+
+
+
Report class:
+
{{report.report_class}}
+
+
+
Name:
+
{{report.name}}
+
+
+
Description:
+
{{report.description}}
+
+
+
Published on:
+
{{report.published}}
+
+
+
Source confidence level:
+
{{report.source_confidence_level}}
+
+
+
Created by:
+
{{report.createdByRef.name}}
+
+
+
Marking Definitions:
+
+ {{md.definition}} + + {{md.definition}} + +
+
+
+
Tags:
+
+ {{tag.tag_type}}:{{tag.value}} + + {{tag.tag_type}}:{{tag.value}} + +
+
+
+
External refs:
+
+ {{extref.source_name}} +
+
+
+
+
+
+
+ + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
diff --git a/thehive-templates/OpenCTI_SearchObservable_1_0/short.html b/thehive-templates/OpenCTI_SearchObservable_1_0/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/thehive-templates/OpenCTI_SearchObservable_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" + From 8077569170daf233c96ba14c13a27dc8d9da7cbf Mon Sep 17 00:00:00 2001 From: MOA-AMR-COSSI Date: Sat, 21 Mar 2020 19:54:21 +0100 Subject: [PATCH 25/36] Fix template color variable and remove class on ExternalRefs --- .../OpenCTI_SearchObservable_1_0/long.html | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/thehive-templates/OpenCTI_SearchObservable_1_0/long.html b/thehive-templates/OpenCTI_SearchObservable_1_0/long.html index dbc802574..d3bc8717a 100644 --- a/thehive-templates/OpenCTI_SearchObservable_1_0/long.html +++ b/thehive-templates/OpenCTI_SearchObservable_1_0/long.html @@ -29,35 +29,35 @@
Marking Definitions:
- {{md.definition}} + {{md.definition}} - {{md.definition}} + {{md.definition}}
Tags:
- {{tag.tag_type}}:{{tag.value}} + {{tag.tag_type}}:{{tag.value}} - {{tag.tag_type}}:{{tag.value}} + {{tag.tag_type}}:{{tag.value}}
External refs:
- {{extref.source_name}} + {{extref.source_name}}
Indicators:
- {{ind.indicator_pattern}} + {{ind.indicator_pattern}}
@@ -93,29 +93,29 @@
Marking Definitions:
- {{md.definition}} + {{md.definition}} - {{md.definition}} + {{md.definition}}
Tags:
- {{tag.tag_type}}:{{tag.value}} + {{tag.tag_type}}:{{tag.value}} - {{tag.tag_type}}:{{tag.value}} + {{tag.tag_type}}:{{tag.value}}
External refs:
- {{extref.source_name}} + {{extref.source_name}}

From 091f2d57b63f1bb50a309afe593015d72272d217 Mon Sep 17 00:00:00 2001 From: Davide Arcuri Date: Tue, 21 Apr 2020 12:12:37 +0200 Subject: [PATCH 26/36] added api e emailrep lib to EmailRep analyzer --- analyzers/EmailRep/EmailRep.json | 11 ++++++++- analyzers/EmailRep/emailrep.py | 33 ------------------------- analyzers/EmailRep/emailrep_analyzer.py | 10 +++++--- analyzers/EmailRep/requirements.txt | 1 + 4 files changed, 17 insertions(+), 38 deletions(-) delete mode 100755 analyzers/EmailRep/emailrep.py diff --git a/analyzers/EmailRep/EmailRep.json b/analyzers/EmailRep/EmailRep.json index bc58c90fd..b6bd4b395 100644 --- a/analyzers/EmailRep/EmailRep.json +++ b/analyzers/EmailRep/EmailRep.json @@ -7,5 +7,14 @@ "description": "emailrep.io lookup.", "dataTypeList": ["mail"], "command": "EmailRep/emailrep_analyzer.py", - "baseConfig": "EmailRep" + "baseConfig": "EmailRep", + "configurationItems": [ + { + "name": "key", + "description": "Define the API Key", + "type": "string", + "multi": false, + "required": false + } + ] } diff --git a/analyzers/EmailRep/emailrep.py b/analyzers/EmailRep/emailrep.py deleted file mode 100755 index 6dc3c78ac..000000000 --- a/analyzers/EmailRep/emailrep.py +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/env python3 - -import requests - - -class EmailRepException(Exception): - pass - - -class EmailRep(): - def __init__(self): - self.base_url = "https://emailrep.io" - - def get(self, email_address): - url = "{}/{}".format(self.base_url, email_address) - json = self._request(url) - json["mail"] = email_address - return json - - def _request(self, url): - res = requests.request("GET", url) - - if res.status_code != 200: - raise EmailRepException( - "emailrep returns {}".format(res.status_code)) - - json = res.json() - status = json.get("status") - if status == "fail": - reason = json.get("reason") - raise EmailRepException(reason) - - return json 
diff --git a/analyzers/EmailRep/emailrep_analyzer.py b/analyzers/EmailRep/emailrep_analyzer.py index 317505a94..34b09dcf6 100755 --- a/analyzers/EmailRep/emailrep_analyzer.py +++ b/analyzers/EmailRep/emailrep_analyzer.py @@ -2,12 +2,14 @@ # encoding: utf-8 from cortexutils.analyzer import Analyzer -from emailrep import EmailRepException, EmailRep +from emailrep import EmailRep class EmailRepAnalyzer(Analyzer): def __init__(self): Analyzer.__init__(self) + self.key = self.get_param('config.key', None) + def summary(self, raw): taxonomies = [] @@ -32,10 +34,10 @@ def run(self): data = self.get_data() try: - emailRep = EmailRep() - result = emailRep.get(data) + emailRep = EmailRep(self.key) + result = emailRep.query(data) self.report(result) - except EmailRepException as e: + except Exception as e: self.error(str(e)) diff --git a/analyzers/EmailRep/requirements.txt b/analyzers/EmailRep/requirements.txt index 6aabc3cfa..3b65a5907 100644 --- a/analyzers/EmailRep/requirements.txt +++ b/analyzers/EmailRep/requirements.txt @@ -1,2 +1,3 @@ cortexutils requests +emailrep \ No newline at end of file From 8c866e0979b76151c881ece52b851196e677ea6a Mon Sep 17 00:00:00 2001 
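Review bot: Widening the handler in `run` to `except Exception as e:` means programming errors such as an AttributeError from an unexpected response shape are reported as an analyzer error with the traceback discarded, whereas the removed `EmailRepException` catch only covered lookup failures. If the `emailrep` package exposes its own exception class, catching that is preferable; if it does not, a comment such as `# emailrep lib raises plain Exception on lookup failure, so the broad catch is deliberate` would record why. `self.key` defaults to `None` in `__init__` and is passed straight to `EmailRep(self.key)`, so whether an unauthenticated lookup still works depends on the library; a one-line comment stating the expected behaviour without a key would help operators who leave the optional `key` item unset.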
From: Michael Davis Date: Thu, 10 Oct 2019 08:34:17 -0500 Subject: [PATCH 27/36] Add v1 files --- responders/RT4/README.md | 176 +++++++++ responders/RT4/__init__.py | 3 + responders/RT4/config.py | 95 +++++ responders/RT4/requirements.txt | 4 + responders/RT4/rt4.json | 91 +++++ responders/RT4/rt4.py | 387 +++++++++++++++++++ responders/RT4/template.py | 32 ++ responders/RT4/templates/malware.j2 | 24 ++ responders/RT4/templates/phishing_generic.j2 | 24 ++ 9 files changed, 836 insertions(+) create mode 100644 responders/RT4/README.md create mode 100644 responders/RT4/__init__.py create mode 100644 responders/RT4/config.py create mode 100644 responders/RT4/requirements.txt create mode 100644 responders/RT4/rt4.json create mode 100644 responders/RT4/rt4.py create mode 100644 responders/RT4/template.py create mode 100644 responders/RT4/templates/malware.j2 create mode 100644 responders/RT4/templates/phishing_generic.j2 diff --git a/responders/RT4/README.md b/responders/RT4/README.md new file mode 100644 index 000000000..602640276 --- /dev/null +++ b/responders/RT4/README.md 
@@ -0,0 +1,176 @@ +# Request Tracker 4 Cortex Responder +Summary: Creates RT tickets from TheHive + +Applies To: Case Observables (Artifacts) + +## Initial Responder Configuration + +The following need to be configured under **Organization --> Responders** prior to use: + +`server` - **Required** - RT4 base URL, e.g.: https://rt.domain.local + +`username` - **Required** - RT4 username for API authentication + +`password` - **Required** - RT4 password for user account above + +`Queue` - **Required** - Default queue in which to create new tickets (can be overriden by custom tag on observables) + +`Owner` - Default owner to assign newly created tickets (Optional - can be overriden by custom tags per observable) + +`Status` - Default status to assign newly created tickets (Optional - can be overriden by custom tags per observable) + +`custom_field_list` - Colon-separated Name:Value pairs of RT custom fields and values to set across all newly-created tickets (Optional - can be overriden by custom tags per observable) - adding a value of `How Reported:TheHive` would set the custom field named `How Reported` to `TheHive` on all newly created tickets + +`tag_to_template_map` - **Required** - Tags to Templates mapping (can be overriden by custom tag on observables). Should be colon-separated tag-to-template values. E.g. + +`thehive_cf_rtticket` - Name of a case custom field in TheHive in which RT ticket #s will be saved upon successful case-level Responder run (Optional - TheHive Custom Field should be of type 'String') + +`thehive_url` - TheHive Base URL, e.g., https://thehive.domain.local:9000 (Optional - only needed to process Cases) + +`thehive_token` - TheHive API token for authentication (Optional - only needed to process Cases) + +``` + +phishing:phishing_generic +spear_phishing:phishing_spear + +``` + +Any observable with a `phishing` tag would be assigned the template named `phishing_generic`. 
Any observale tagged `spear_phishing` would have its ticket created with a body from the `phishing_spear` template. + +## Workflow + +1. Set [Initial Responder Configuration](#Initial-Responder-Configuration) +2. [Create Template(s)](#Templates) +3. As new observables arrive, appropriately [tag](#Tags-to-Modify-RT4-Responder-Behavior) them +4. Run the RT4-CreateTicket responder +5. When complete, the ticket(s) should be created and the `thehive_cf_rtticket` custom field on TheHive cases (if present) should be populated with the URL to any created ticket + +## Templates + +Inside the `./templates` dir of the RT4 responder, you will need to create the templates for subjects and notification bodies that will be used on ticket creation. For the above example on an observable tagged to use the `phishing_generic` template, there should be a file inside ./templates/ called `phishing_generic.j2` (all templates should end in the .j2 extension since it uses Jinja2 templating) + +The .j2 files should be formatted like so: + +``` +{% block Subject %} +[SOC] ** Notification ** Phishing Site Targeting Your Organization +{% endblock %} + + +{% block Text %} +Greetings, + +We have recently discovered a potential phishing site targeting employees at your organization: + +Domain(s): +{{ indicator_list }} + +On behalf of the SOC, + +-- +soc@org.local +24x7 Watch Desk +https://www.org.local +{% endblock %} + +``` + +The mandatory blocks are `Subject` and `Text` inside which are the respective content for the ticket creation. You may reference any variables inside the template file which exist in the observable/artifact/alert/case for population of other data within the ticket notification (in the above case, ``indicator_list``). Those variables should be inside double curly-braces as is the format for Jinja. Example data available in the [Observable Object Data](#Observable-Object-Data) section. 
+ +Inside the jinja2 template, all block names are passed at RT ticket variables with their respective block values upon ticket creation. Therefore, any number of blocks corresponding to RT fields can also be assigned to further customize setting ticket variables at the template level. + +*Example*: + +`{% block CF_Classification %}Phishing{% endblock %}` + +Every ticket created from that template will have the RT custom field CF_Classification set to "Phishing" upon ticket creation. + +## Tags to Modify RT4 Responder Behavior + +Set any of the following tags to modify behavior of the created ticket: + +`rt4_set_requestor:customer@domain.local` or `contact:customer@domain.local` - **Required** - This is the only tag that must be present. Without one of these, the ticket won't be created. + +`rt4_set_cf_Classification:phishing` - sets the CF.{Classification} = 'phishing' in RT ticket + +`rt4_set_cc:staff@domain.local` - adds staff@domain.local as Cc on ticket + +`rt4_set_admincc:emp@domain.local` - sets AdminCc of ticket to emp@domain.local + +`rt4_set_owner:staff@domain.local` - sets Owner of ticket to staff@domain.local (**must match person in RT or ticket creation will fail**) + +`rt4_set_queue:Incident Reports` - sets Queue of ticket created to _Incident Reports_ + +`rt4_set_subject:This is a test` - overrides the Subject line from the template with _This is a test_ + +`rt4_set_status:Resolved` - creates the ticket and then sets its status to _Resolved_ (can also use any other ticket status in your RT instance) + +`rt4_set_template:phishing_generic` - overrides any default template from tag_to_template_map setting when constructing the body of the notification, in this case instructing the Responder to use the `phishing_generic` template + +## Ticket customization order + +As already alluded to, there are 4 ways to customize ticket creation options: + +1. Global level + - Queue + - Owner + - Status + - Custom Fields + - Template +2. 
Template level + - All of the above except Template, plus: + - Requestor/Cc/AdminCc +3. Case/Alert level + - All RT options +4. Case artifact/observable level + - All RT options + +Greater numbered config options take precedence over smaller ones. + +*Example:* + +If a tag_to_template map at the Org Responder config in Cortex is set to map tags of `phishing` to the `phishing_generic` template, but a `set_rt4_template:phishing_spear` tag on the observable sets a different template, the observable tag takes precedence. + +## Observable Object Data + +Observables are a custom dictionary in which their properties are stored. In addition to the ticket properties passed to RT, each observable is also tagged with its case/artifact info which makes available the following info in each observable: + +``` +"owner": "michael", + "severity": 2, + "_routing": "AWxyhvveZCXO8BqIWSLs", + "flag": false, + "updatedBy": "michael", + "customFields": { + "RTTicket": { + "string": "http://192.168.0.2/Ticket/Display.html?id=141, http://192.168.0.2/Ticket/Display.html?id=142, http://192.168.0.2/Ticket/Display.html?id=143" + } + }, + "_type": "case", + "description": "test", + "title": "RT-testing", + "tags": [ + "contact:requestor@domain.tld", + "rt4:submitted" + ], + "createdAt": 1565289544365, + "_parent": null, + "createdBy": "michael", + "caseId": 1, + "tlp": 2, + "metrics": { + "seen_prior": 1 + }, + "_id": "AWxyhvveZCXO8BqIWSLs", + "id": "AWxyhvveZCXO8BqIWSLs", + "_version": 45, + "startDate": 1565289480000, + "pap": 2, + "status": "Open", + "updatedAt": 1570482005825, + "indicator_list": [ + "malicious.baddomain.tld" + ] +``` +Those properties can all be referenced as variables in the jinja2 template as mentioned in the [Templates section](#Templates). diff --git a/responders/RT4/__init__.py b/responders/RT4/__init__.py new file mode 100644 index 000000000..0785ed80f --- /dev/null +++ b/responders/RT4/__init__.py @@ -0,0 +1,3 @@ +""" +Allow imports from this dir +""" 
diff --git a/responders/RT4/config.py b/responders/RT4/config.py new file mode 100644 index 000000000..c3ce25461 --- /dev/null +++ b/responders/RT4/config.py 
@@ -0,0 +1,95 @@ +# Config item classes + +class RT4ResponderConfig(dict): + """Define what an RT4 Responder Config should allow and how it can be set (dict + that only takes certain keys). + Format courtesy of: https://stackoverflow.com/a/8187408 and https://stackoverflow.com/a/40631881 + + Configs should be init'd like so: config = RT4ResponderConfig(1, **data) where 1 = weight/rank and data is a dict of k,v's + Configs should be updated like so: config.update(1, **newdata) where 1 = weight/rank and newdata is a dict of k,v's. In this + case, the newdata would not be entered since its weight is not greater than the existing data. + """ + + def __init__(self, weight=None, **kwargs): + self.WEIGHTS = { + 'global': 1, + 'template': 2, + 'case': 3, + 'alert': 3, + 'case_artifact': 4, + 'observable': 4 + } + self.allowed_keys = set([ + 'Queue', + 'Status', + 'Owner', + 'Requestor', + 'Cc', + 'AdminCc', + 'Subject', + 'Text', + 'Priority', + 'InitialPriority', + 'FinalPriority', + 'TimeEstimated', + 'Starts', + 'Due', + 'Files', + 'template', + 'indicator_list' + ]) + + # 'normal' dict init, no weight but requires key_to_list_mapping + if 'key_to_list_mapping' in kwargs: + super().__init__(kwargs.get('key_to_list_mapping')) + # RT4 init, be sure we have weights + else: + super().__init__(self) + self.__setitem__(weight, **kwargs) + + + # override default 'set' method so users can't accidentally set config items without a corresponding weight + def __setitem__(self, weight, **kwargs): + for key, value in kwargs.items(): + if key in self.allowed_keys or key.startswith('CF_'): + weight_key = "{}_weight".format(key) + # map string weight to int if needed + if isinstance(weight, str): + weight = self.WEIGHTS[weight] + if weight_key not in self or weight >= self[weight_key]: + # update weight key value with new weight + super().__setitem__(key, value) + super().__setitem__(weight_key, weight) + # if we're not an RT4 setting, don't worry about weights + # e.g., for 
case/artifact details we store in a config object + else: + super().__setitem__(key, value) + + # override default 'update' method to include weighting + def update(self, weight, **kwargs): + self.__setitem__(weight, **kwargs) + + # override default 'keys' method to only display keys related to RT4 + def keys(self): + for key in super().keys(): + if key in self.allowed_keys: + yield key + + # override default 'items' method to only iterate items related to RT4 + def items(self): + for key in super().keys(): + if key in self.allowed_keys: + yield key, self[key] + + # function to provide all items + def fullitems(self): + for key in super().keys(): + yield key, self[key] + + # create custom '__copy__' method. we do this so that copies don't include all the case/artifact details + def __copy__(self): + return self.__class__(**{'key_to_list_mapping': self.items()}) + + def copy(self): + "Returns a copy of this object." + return self.__copy__() \ No newline at end of file diff --git a/responders/RT4/requirements.txt b/responders/RT4/requirements.txt new file mode 100644 index 000000000..f47373772 --- /dev/null +++ b/responders/RT4/requirements.txt @@ -0,0 +1,4 @@ +defang +jinja2 +rt +requests \ No newline at end of file diff --git a/responders/RT4/rt4.json b/responders/RT4/rt4.json new file mode 100644 index 000000000..8da59fb99 --- /dev/null +++ b/responders/RT4/rt4.json 
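Review bot: `keys()` and `items()` filter on `key in self.allowed_keys` only, while `__setitem__` also accepts any key starting with `CF_`, so custom-field values are stored but never yielded and every consumer that iterates `items()` (including `__copy__` here, and rt4.py's `create_rt_ticket`, which builds the ticket from `obs_config.items()`) silently drops all `CF_` fields, both the global `custom_field_list` ones and the `rt4_set_cf_` tags. The filter in both methods should match `__setitem__`: `if key in self.allowed_keys or key.startswith('CF_'):`. Overriding `__setitem__(self, weight, **kwargs)` also replaces dict's item-assignment protocol, so `config['Queue'] = 'x'` raises TypeError; a short docstring stating that subscript assignment is unsupported and `update(weight, **kwargs)` is the only write path would spare the next maintainer the surprise. `super().__init__(self)` in the else branch passes the still-empty instance as the initial mapping; `super().__init__()` is what is meant.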
@@ -0,0 +1,91 @@ +{ + "name": "RT4-CreateTicket", + "version": "1.0", + "author": "Michael Davis, REN-ISAC", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/responders/RT4", + "license": "MIT", + "description": "Cortex Responder to create a ticket in RT4 from TheHive observables or alerts", + "dataTypeList": ["thehive:case_artifact", "thehive:alert", "thehive:case"], + "command": "RT4/rt4.py", + "baseConfig": "RT4", + "configurationItems": [ + { + "name": "server", + "description": "RT4 Base URL, e.g., https://rt.domain.local", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "username", + "description": "RT4 username for authentication", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "password", + "description": "RT4 password for user account", + "type": "string", + "multi": false, + "required": true + }, + { + "name": "Queue", + "description": "Default queue in which to create new tickets", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "General" + }, + { + "name": "Owner", + "description": "Default owner to assign newly created tickets (optional)", + "type": "string", + "multi": false, + "required": false + }, + { + "name": "Status", + "description": "Default ticket status to assign newly created tickets (optional)", + "type": "string", + "multi": false, + "required": false + }, + { + "name": "custom_field_list", + "description": "Name:Value of Custom Fields in RT to set on every ticket created (e.g.: 'How Reported:TheHive' sets CF.{How Reported} = TheHive on every new ticket)", + "type": "string", + "multi": true, + "required": false + }, + { + "name": "tag_to_template_map", + "description": "Mapping table of tags to templates (e.g.: 'phishing:phish_letter' maps anything tagged as 'phishing' to the 'phish_letter' template)", + "type": "string", + "multi": true, + "required": true + }, + { + "name": "thehive_cf_rtticket", + "description": "Name of a 
case custom field in TheHive in which RT ticket #s will be saved upon successful case-level Responder run (optional)", + "type": "string", + "multi": false, + "required": false + }, + { + "name": "thehive_url", + "description": "TheHive Base URL, e.g., https://thehive.domain.local:9000 (optional: only needed to process Cases)", + "type": "string", + "multi": false, + "required": false + }, + { + "name": "thehive_token", + "description": "TheHive API token for authentication (optional: only needed to process Cases)", + "type": "string", + "multi": false, + "required": false + } + ] +} diff --git a/responders/RT4/rt4.py b/responders/RT4/rt4.py new file mode 100644 index 000000000..2fa01dfbb --- /dev/null +++ b/responders/RT4/rt4.py 
@@ -0,0 +1,387 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + +from cortexutils.responder import Responder +from rt import Rt +from rt import ConnectionError +from template import NotificationContext +from config import RT4ResponderConfig +from datetime import datetime +from collections import defaultdict +from defang import defang +import json + +class RT4(Responder): + + def __init__(self): + Responder.__init__(self) + self.server = self.get_param('config.server', None, 'Missing RT4 server') + self.server = self.server.rstrip('/') + self.username = self.get_param('config.username', None, 'Missing RT4 username') + self.password = self.get_param('config.password', None, 'Missing RT4 password') + self.tag_to_template_map = self.get_param('config.tag_to_template_map') + self.thehive_cf_rtticket = self.get_param('config.thehive_cf_rtticket') + + cf_list_tmp = self.get_param('config.custom_field_list', None) + + if cf_list_tmp is not None: + cf_dict_tmp = {} + for cf_item in cf_list_tmp: + if cf_item is not None: + cf_name, cf_value = cf_item.split(':', 1) + cf_dict_tmp['CF_'+ cf_name] = cf_value + else: + cf_dict_tmp = None + + global_config = { + 'Queue': self.get_param('config.Queue', None, 'Missing default queue'), + 'Owner': self.get_param('config.Owner', None), + 'Status': self.get_param('config.Status', None), + 'template': self.get_param('config.template', None) + } + global_config.update(cf_dict_tmp) + + # init global config + self.config = RT4ResponderConfig(weight='global', **global_config) + + # create map for ticket creation arguments that will convert case(capitalization) + # to what's expected by rt module + self.TICKET_ARGS_MAP = { + 'cc': 'Cc', + 'admincc': 'AdminCc', + 'subject': 'Subject', + 'owner': 'Owner', + 'queue': 'Queue', + 'status': 'Status', + 'requestor': 'Requestor', + 'requestors': 'Requestor' + } + + def run(self): + Responder.run(self) + self.instance_type = self.get_param('data._type') + observable_list = [] + + # case observable 
details + if self.instance_type == 'case_artifact': + instance_data = self.get_param('data', None, 'Missing indicator') + # process case tags first + case_tags = self.get_param('data.case.tags') + case_config = self.process_tags(case_tags) + self.config.update(weight='case', **case_config) + + + # case details + if self.instance_type == 'case': + """ + api GET for case details don't include references to its observables + POST to thehive/api/case/artifact/_search with json body + { + "query": { "_parent": { "_type": case", "_query": { "_id": "<>" } } }, + "range": "all" + } + should return a list of dicts which are populated with k,v characteristic of artifacts. + """ + import requests + thehive_url = self.get_param('config.thehive_url', None, """ + Missing URL for TheHive. Must have configured this Responder setting to process Cases.""") + thehive_token = self.get_param('config.thehive_token', None, """ + Missing API token for TheHive. Must have configured this Responder setting to process Cases.""") + case_id = self.get_param('data._id') + + payload = { + "query": { "_parent": { "_type": "case", "_query": { "_id": case_id } } }, + "range": "all" + } + headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {}'.format(thehive_token) } + thehive_api_url_case_search = '{}/api/case/artifact/_search'.format(thehive_url) + r = requests.post(thehive_api_url_case_search, data=json.dumps(payload), headers=headers) + + if r.status_code != requests.codes.ok: + self.error(json.dumps(r.text)) + + instance_data = r.json() + + # alert details + if self.instance_type == 'alert': + instance_data = self.get_param('data.artifacts', None, 'Missing artifacts') + + # process artifact/observable/case tags + obs_tags = self.get_param('data.tags') + config_from_tags = self.process_tags(obs_tags) + self.config.update(weight=self.instance_type, **config_from_tags) + # only ever have one observable for cases, but could have multiples for other types + 
observable_list.extend(self.process_observables(instance_data)) + # should iterate the observable_list and merge the indicator_lists of any observables that share + # non-differing configs + observable_list = self.dedupe_and_merge(observable_list) + + # for each ticket creation, log return info to return_info dict in either the 'failures' key is failed, + # or the 'successes' key (which is a nested dict with k,v where k = rt_ticket # and v = ticket settings) + self.return_info = defaultdict(list) + for observable in observable_list: + new_ticket, rt_ticket_submission = self.create_rt_ticket(observable) + if new_ticket == -1: + msg = """RT ticket creation error. Possibly bad data such as non-existent Owner or Queue; + or data that does not correspond to an RT field. Observable info: {}""".format(observable) + self.return_info['failures'].append(msg) + else: + msg = """Ticket #{} created in Request Tracker with these settings: + \n{}""".format(new_ticket, rt_ticket_submission) + ticket_url = self.server + '/Ticket/Display.html?id={}'.format(new_ticket) + self.return_info['successes'].append({ 'id': new_ticket, 'msg': msg, 'ticket_url': ticket_url }) + + if 'successes' not in self.return_info: + self.error(json.dumps(self.return_info)) + else: + self.report({'message': json.dumps(self.return_info)}) + + + def operations(self, raw): + # if we had any successfully created tickets, get the corresponding RT ticket nums to add to a hive custom field + # convert 'successes' dict keys (ticket ids) to a list of ints, then ints to strings to join them as csv + created_tickets = [] + for ticket in self.return_info['successes']: + created_tickets.append(ticket['ticket_url']) + created_tickets = ', '.join([str(i) for i in created_tickets]) + + + if self.instance_type == 'case_artifact': + return [self.build_operation('AddTagToArtifact', tag='rt4:submitted'), + self.build_operation('AddCustomFields', name=self.thehive_cf_rtticket, value=created_tickets, tpe='string')] + elif 
self.instance_type == 'alert': + return [self.build_operation('AddTagToAlert', tag='rt4:submitted'), + self.build_operation('AddCustomFields', name=self.thehive_cf_rtticket, value=created_tickets, tpe='string')] + elif self.instance_type == 'case': + return [self.build_operation('AddTagToCase', tag='rt4:submitted'), + self.build_operation('AddCustomFields', name=self.thehive_cf_rtticket, value=created_tickets, tpe='string')] + + def process_observables(self, data): + observable_list = [] + # if we were handed a single dict instead of a list, make it a list of 1 + if not isinstance(data, list): + data = [data] + for i in data: + # setup a config for each observable + obs_config_tmp = { + 'indicator_list': [i['data']] + } + obs_config_from_tags = self.process_tags(i['tags']) + # merge all hive data on input object w/ config from tags + tmp_dict = ({**self.get_param('data'), **obs_config_tmp}) + tmp_dict = ({**tmp_dict, **obs_config_from_tags}) + # tmp_dict = ({**obs_config_tmp, **obs_config_from_tags}) + # merged into a dict but needs to be converted to RT4ResponderConfig obj + tmp_dict = ({**self.config, **tmp_dict}) + observable = RT4ResponderConfig('observable', **tmp_dict) + observable_list.append(observable) + + return observable_list + + def dedupe_and_merge(self, observable_list): + """Takes a list of dict observables and removes any duplicates while merging observables where the + only difference is the indicator (implying that if all other config settings are the same, they can + be sent in the same RT4 ticket notification). 
+ Input: list of RT4ResponderConfig objects + Output: list of deduped/merged RT4ResponderConfig objects + """ + deduped_list = [] + seen = set() + for item in observable_list: + h = item.__copy__() + # pop off indicator_list key so as not to compare that one since if it's diff, we can just merge it later + h.pop('indicator_list') + # convert dict to hashable type (tuple, in this case) for comparison + h = tuple(h.items()) + if h not in seen: + seen.add(h) + deduped_list.append(item) + else: + for obs in deduped_list: + # check item against all observables in observable_list to see if the only diff is 'indicator_list' + compare_result = self._dict_compare(item, obs)[2] + if len(compare_result) == 1 and 'indicator_list' in compare_result: + # if we get here, the obs were the same, so see if value of indicator_list key is unique + if item['indicator_list'] not in obs['indicator_list']: + obs['indicator_list'].extend(item['indicator_list']) + + return deduped_list + + def process_tags(self, tags): + processed_tags = {} + tmpl_tag = None + template = None + mail_tags = [] + cc_tags = defaultdict(list) + + for tag in tags: + # snag any tag used for setting rt4 ticket values and split into name and value + # (except requestor which is handled elsewhere) + if tag.lower().startswith('rt4_set_') and not tag.lower().startswith('rt4_set_requestor'): + rt_setting_name, rt_setting_value = tag.split('rt4_set_')[1].split(':', 1) + # handle custom fields if present since the format is slightly different than other args + if rt_setting_name.lower().startswith('cf_'): + cf_name = 'CF_' + rt_setting_name.split('cf_')[1] + cf_value = rt_setting_value + processed_tags.update({cf_name : cf_value}) + elif rt_setting_name.lower().startswith('template'): + tmpl_tag = rt_setting_value + # cover cc, bcc, or admincc tags + elif rt_setting_name.lower().endswith('cc'): + rt_setting_name = self.TICKET_ARGS_MAP[rt_setting_name] + + cc_tags[rt_setting_name].append(rt_setting_value) + else: + try: + 
rt_setting_name = self.TICKET_ARGS_MAP[rt_setting_name] + except KeyError as e: + self.error('One of the rt4_set_ tags was not recognized: {}'.format(e)) + processed_tags.update({rt_setting_name : rt_setting_value}) + + elif tag.lower().startswith('contact:') or tag.lower().startswith('rt4_set_requestor'): + mail_tags.append(tag.split(':', 1)[1]) + + # map tags to a template if: + # (1) overriding rt4_set_template NOT present and + # (2) appropriate match found + if not tmpl_tag: + for mapping in self.tag_to_template_map: + map_tag, map_template = mapping.split(':', 1) + if map_tag == tag: + template = map_template + # allow overriding of template_name if appropriate rt4_set_template tag was present + else: + template = tmpl_tag + + # convert list of contacts to comma-separated string + if mail_tags: + requestor_list = u', '.join(mail_tags) + processed_tags.update({'Requestor' : requestor_list}) + + # convert list of admincc/cc/bcc to comma-separated string and merge into processed_tags + """processed_tags should be a dict of all tags and values that were processed, e.g.: + { "Owner": "root", + "CF_Classification": "phishing_generic", + "Queue": "Incident Reports", + "Requestor": "staff1@dom.org, staff2@dom.org" + } + """ + if cc_tags: + """cc_tags should be a dict of all admincc/bcc/cc tags and values that were processed, e.g.: + { "AdminCc": "staff3@dom.org, outsider@anotherdom.org" } + """ + for key, val in cc_tags.items(): + cc_tags[key] = u', '.join(val) + + # merge cc_tags into processed_tags + processed_tags.update(cc_tags) + + # see if template var was ever defined above; if not, do nothing; if so, add to dict + if template is not None: + processed_tags.update({'template' : template}) + + return processed_tags + + def create_rt_ticket(self, observable): + # create an observable config item that will be used to contain all observable and template info + # to pass along to RT during ticket creation + obs_config = RT4ResponderConfig(weight='case', 
**self.config) + obs_config.update(weight='observable', **observable) + # defang indicators and write them back as a single string joined together by newlines + if 'indicator_list' in observable: + indicator_list = defang(u'\n'.join(observable['indicator_list'])) + observable.update(weight='observable', **{ 'indicator_list': indicator_list} ) + else: + self.error("""Unable to find indicators on case/alert/observable: + {}""".format(json.dumps(observable, indent=1))) + + if 'template' in observable: + obs_config.update(weight='observable', **{ 'template': observable['template'] }) + if 'template' not in obs_config: + self.error(""" + Couldn't map a tag to a notification type. + Observable/alert/case must be tagged with one 'rt4_set_template:' tag, + where is the name of a file (without .j2 ext) in /templates dir""") + # render the notification template to be passed on to the observable config item + rendered_template = NotificationContext().render_blocks_to_dict( + template_name=obs_config['template'], + kwargs=observable + ) + obs_config.update(weight='template', **rendered_template) + + if 'Requestor' in observable: + obs_config.update(weight='observable', **{ 'Requestor': observable['Requestor'] }) + if 'Requestor' not in obs_config: + self.error(""" + Case/alert/observable must be tagged with at least one 'contact:abuse@domain.local' or + set_rt4_requestor:abuse@domain.local tag with an appropriate email address""") + + # build session dict + rt_session = { + 'url': self.server + "/REST/1.0/", + 'default_login': self.username, + 'default_password': self.password + } + + # create ticket dict + rt_ticket = {} + + # add additional k,v pairs (as long as it's not the template or indicator_list since those are not accepted + # as params to the Rt py module for RT ticket creation) + for key, value in obs_config.items(): + if obs_config[key] is not None and key != 'indicator_list' and key != 'template': + rt_ticket[key] = value + + # create rt session + try: + 
rt_session = Rt(**rt_session) + login_ret = rt_session.login() + except ConnectionError as e: + self.error("{}".format(e)) + except Exception as e: + self.error("Error: {}".format(e)) + if login_ret != True: + self.error('Authentication/Connection error to RT') + + # create ticket + try: + new_ticket = rt_session.create_ticket(**rt_ticket) + except Exception as e: + rt_session.logout() + self.error("""RT ticket creation error: {} Possibly bad data such as non-existent Owner or Queue; + or data that does not correspond to an RT field. + \nSent the following RT request: {}""".format(e, json.dumps(rt_ticket, indent=2))) + + rt_session.logout() + return new_ticket, rt_ticket + + def _dict_compare(self, d1, d2): + """Feed this function two dictionaries and it can return if there are any differences + Courtesy of: https://stackoverflow.com/a/18860653 + """ + try: + d1_keys = set(d1.keys()) + d2_keys = set(d2.keys()) + except: + self.error("""Could not get keys from dicts for comparison. dict1: + {}\ndict2: {}""".format(json.dumps(d1), json.dumps(d2)) + ) + intersect_keys = d1_keys.intersection(d2_keys) + added = d1_keys - d2_keys + removed = d2_keys - d1_keys + modified = {o : [d1[o], d2[o]] for o in intersect_keys if d1[o] != d2[o]} + same = set(o for o in intersect_keys if d1[o] == d2[o]) + return added, removed, modified, same + +def _flatten(arr: list): + """ Flattens arbitrarily-nested list `arr` into single-dimensional. + Courtesy of: https://stackoverflow.com/a/54306091 + """ + while arr: + if isinstance(arr[0], list): # Checks whether first element is a list + arr = arr[0] + arr[1:] # If so, flattens that first element one level + else: + yield arr.pop(0) # Otherwise yield as part of the flat array + +if __name__ == '__main__': + RT4().run() diff --git a/responders/RT4/template.py b/responders/RT4/template.py new file mode 100644 index 000000000..192ec17d4 --- /dev/null +++ b/responders/RT4/template.py 
@@ -0,0 +1,32 @@ +import os +from jinja2 import Environment, FileSystemLoader + +class NotificationContext(): + def __init__(self, template_dir = 'templates'): + if os.path.isdir(template_dir): + self.template_dir = template_dir + else: + self.template_dir = os.path.join(os.path.abspath(os.path.dirname(__file__)), template_dir) + self.env = Environment(loader=FileSystemLoader(self.template_dir), trim_blocks=True) + + def render_blocks_to_dict(self, template_name='', kwargs=''): + """Given a template name and kwargs, returns all blocks w/ rendered text + Inputs: + - template_name (str): name of template, will be appended with .j2 + - kwargs (ptr): any keyword variable from the template file + Outputs: + - return_dict (dict): dictionary of k,v where keys are template block names and values are the rendered + text within each + Example: + rendered_dict = NotificationContext().render_blocks_to_dict(template_name=mabna,domain='bad.domain.ml') + """ + template_path = template_name + '.j2' + template = self.env.get_template(template_path) + return_dict = {} + template_ctx = template.new_context + + # render and return the jinja tmpl blocks as strings with leading/trailing whitespace stripped + for block_name, block_text in template.blocks.items(): + return_dict[block_name] = u''.join(block_text(template_ctx(vars=kwargs))).strip() + + return return_dict diff --git a/responders/RT4/templates/malware.j2 b/responders/RT4/templates/malware.j2 new file mode 100644 index 000000000..0d025036d --- /dev/null +++ b/responders/RT4/templates/malware.j2 
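Review bot: `NotificationContext.__init__` resolves `template_dir` against the current working directory first and only falls back to the directory of `template.py`, so which `templates/` tree is used depends on where Cortex happens to launch the responder; resolving relative to `__file__` first (`os.path.join(os.path.dirname(os.path.abspath(__file__)), template_dir)`) and only then trying the bare name makes the lookup independent of cwd. The `template_name` argument reaches `self.env.get_template` unchanged, and since it is derived from an `rt4_set_template:` tag in `RT4_responder.py` it is worth a comment that `FileSystemLoader` rejects `..` path segments, so traversal out of the template directory is already refused by jinja2 rather than by this code. The docstring example `render_blocks_to_dict(template_name=mabna,domain='bad.domain.ml')` is not valid Python and names a `domain` parameter the method does not have; a working example is `render_blocks_to_dict(template_name='phishing_generic', kwargs={'indicator_list': 'bad.domain.ml'})`. The `kwargs=''` default is also misleading for a value passed as `vars=` to the template context; `kwargs=None` with `vars=kwargs or {}` states the intent.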
@@ -0,0 +1,24 @@ +{% block CF_Classification %} +malware +{% endblock %} + +{% block Subject %} +** Alert ** Malware Detected from Your IP Range +{% endblock %} + + +{% block Text %} +We have detected malware coming from your IP space: + +Malware Type(s): +{{ description }} + +Let us know if we can help you look into it. + +On behalf of the Great SOC Team, + +-- +team@greatsoc.tld +24x7 Watch Desk +1(555)555-1212 +https://www.greatsoc.tld +{% endblock %} diff --git a/responders/RT4/templates/phishing_generic.j2 b/responders/RT4/templates/phishing_generic.j2 new file mode 100644 index 000000000..5621bce06 --- /dev/null +++ b/responders/RT4/templates/phishing_generic.j2 @@ -0,0 +1,24 @@ +{% block CF_Classification %} +phishing +{% endblock %} + +{% block Subject %} +** Alert ** Phishing Site Targeting Your Users +{% endblock %} + + +{% block Text %} +We have discovered the following potential phishing site(s) targeting your users: + +Domain(s): +{{ indicator_list }} + +We've noticed bad people trying to do bad things. Be on the lookout for nefarious d'er-do-wells from the above domain(s). + +On behalf of the Great SOC Team, + +-- +team@greatsoc.tld +24x7 Watch Desk +1(555)555-1234 +https://www.greatsoc.tld +{% endblock %} From c71ecf0da9267ec88866183b7827aee44f30b64a Mon Sep 17 00:00:00 2001 From: Michael Davis Date: Thu, 10 Oct 2019 08:39:00 -0500 Subject: [PATCH 28/36] update "Applies To" section --- responders/RT4/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/responders/RT4/README.md b/responders/RT4/README.md index 602640276..24d203653 100644 --- a/responders/RT4/README.md +++ b/responders/RT4/README.md @@ -1,7 +1,7 @@ # Request Tracker 4 Cortex Responder Summary: Creates RT tickets from TheHive -Applies To: Case Observables (Artifacts) +Applies To: Case Observables (Artifacts), Alerts, Cases ## Initial Responder Configuration From fba016def1ebbc72c39bddad5a56138a463aeda5 Mon Sep 17 00:00:00 2001 
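Review bot: `malware.j2` renders `{{ description }}` verbatim into the `Text` block of an outbound ticket, while `create_rt_ticket` in `RT4_responder.py` only runs `indicator_list` through `defang` before rendering; if `description` is the free-text field of the case or alert (it appears to be, but the source of that key is outside this hunk), any URL or IP it carries is emitted live to the external recipient. Either defang `description` in the responder alongside `indicator_list`, or add a leading template comment such as `{# description is rendered as-is: the responder must defang it before render #}` so the contract is explicit for whoever adds the next template.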
From: Davide Arcuri Date: Thu, 26 Mar 2020 12:14:47 +0100 Subject: [PATCH 29/36] insert and use postgres as backend for mispwarninglist --- .../MISPWarningLists/MISPWarningLists.json | 9 +- .../MISPWarningLists/mispwarninglists.py | 185 +++++++++++----- analyzers/MISPWarningLists/requirements.txt | 1 + .../warninglists_create_db.py | 201 ++++++++++++++++++ .../long.html | 12 +- .../short.html | 0 6 files changed, 355 insertions(+), 53 deletions(-) create mode 100644 analyzers/MISPWarningLists/warninglists_create_db.py rename thehive-templates/{MISPWarningLists_1_0 => MISPWarningLists_2_0}/long.html (71%) rename thehive-templates/{MISPWarningLists_1_0 => MISPWarningLists_2_0}/short.html (100%) diff --git a/analyzers/MISPWarningLists/MISPWarningLists.json b/analyzers/MISPWarningLists/MISPWarningLists.json index 211d59534..b68f0b027 100644 --- a/analyzers/MISPWarningLists/MISPWarningLists.json +++ b/analyzers/MISPWarningLists/MISPWarningLists.json @@ -14,7 +14,14 @@ "description": "path to Warninglists folder", "type": "string", "multi": false, - "required": true + "required": false + }, + { + "name": "conn", + "description": "sqlalchemy connection string", + "multi": false, + "required": false, + "type": "string" } ] } diff --git a/analyzers/MISPWarningLists/mispwarninglists.py b/analyzers/MISPWarningLists/mispwarninglists.py index 911b9a424..1ac25178d 100755 --- a/analyzers/MISPWarningLists/mispwarninglists.py +++ b/analyzers/MISPWarningLists/mispwarninglists.py @@ -9,6 +9,14 @@ from glob import glob from os.path import exists +try: + import sqlalchemy as db + from tld import get_tld + + USE_DB = True +except ImportError: + USE_DB = False + class MISPWarninglistsAnalyzer(Analyzer): """ 
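Review bot: The `try`/`except ImportError` block sets `USE_DB = False` silently, and in `__init__` (next hunk) `self.engine` is only created `if conn and USE_DB`, so an operator who configured `config.conn` but is missing `sqlalchemy` or `tld` gets the json path with no error and, if `config.path` is also absent, only the generic "wrong configuration settings." message. Keeping the exception text and surfacing it when the db mode was requested would make the failure diagnosable, e.g. in `__init__`: `if conn and not USE_DB: self.error("config.conn is set but sqlalchemy/tld could not be imported")`.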
@@ -22,92 +30,171 @@ class MISPWarninglistsAnalyzer(Analyzer): } ``` """ + def __init__(self): Analyzer.__init__(self) self.data = self.get_data() - self.path = self.get_param('config.path', 'misp-warninglists') - if not exists(self.path): - self.error('Path to misp-warninglists does not exist.') - self.warninglists = self.readwarninglists() + self.path = self.get_param("config.path", "misp-warninglists") + conn = self.get_param("config.conn", None) + self.warninglists = self.readwarninglists() if not USE_DB else None + self.engine = db.create_engine(conn) if conn and USE_DB else None + if not exists(self.path) and not self.engine: + self.error("wrong configuration settings.") def readwarninglists(self): - files = glob('{}/lists/*/*.json'.format(self.path)) + files = glob("{}/lists/*/*.json".format(self.path)) listcontent = [] for file in files: - with io.open(file, 'r') as fh: + with io.open(file, "r") as fh: content = json.loads(fh.read()) - values = Extractor().check_iterable(content.get('list', [])) + values = Extractor().check_iterable(content.get("list", [])) obj = { - "name": content.get('name', 'Unknown'), - "values": [value['data'] for value in values], - "dataTypes": [value['dataType'] for value in values] + "name": content.get("name", "Unknown"), + "values": [value["data"] for value in values], + "dataTypes": [value["dataType"] for value in values], } listcontent.append(obj) return listcontent def lastlocalcommit(self): try: - with io.open('{}/.git/refs/heads/master'.format(self.path), 'r') as fh: - return fh.read().strip('\n') + with io.open("{}/.git/refs/heads/master".format(self.path), "r") as fh: + return fh.read().strip("\n") except Exception as e: - return 'Error: could not get local commit hash ({}).'.format(e) + return "Error: could not get local commit hash ({}).".format(e) @staticmethod def lastremotecommit(): - url = 'https://api.github.com/repos/misp/misp-warninglists/branches/master' + url = 
"https://api.github.com/repos/misp/misp-warninglists/branches/master" try: result_dict = requests.get(url).json() - return result_dict['commit']['sha'] + return result_dict["commit"]["sha"] except Exception as e: - return 'Error: could not get remote commit hash ({}).'.format(e) + return "Error: could not get remote commit hash ({}).".format(e) def run(self): results = [] data = self.data - if self.data_type == 'ip': + + if self.data_type == "ip": try: data = ipaddress.ip_address(self.data) except ValueError: - return self.error("{} is said to be an IP address but it isn't".format(self.data)) - for list in self.warninglists: - if self.data_type not in list.get('dataTypes'): - continue - - if self.data_type == 'ip': - for net in list.get('values', []): - try: - if data in ipaddress.ip_network(net): - results.append({"name": list.get('name')}) - break - except ValueError: - # Ignoring if net is not a valid IP network since we want to compare ip addresses - pass + return self.error( + "{} is said to be an IP address but it isn't".format(self.data) + ) + + if not self.engine: + for list in self.warninglists: + if self.data_type not in list.get("dataTypes"): + continue + + if self.data_type == "ip": + for net in list.get("values", []): + try: + if data in ipaddress.ip_network(net): + results.append({"name": list.get("name")}) + break + except ValueError: + # Ignoring if net is not a valid IP network since we want to compare ip addresses + pass + else: + if data.lower() in list.get("values", []): + results.append({"name": list.get("name")}) + + self.report( + { + "results": results, + "mode": "json", + "is_uptodate": self.lastlocalcommit() + == self.lastremotecommit(), + } + ) + else: + field = None + if self.data_type == "ip": + sql = ( + "SELECT list_name, list_version, address as value FROM warninglists WHERE address >>= inet '%s'" + % data + ) + elif self.data_type == "hash": + sql = ( + "SELECT list_name, list_version, hash as value FROM warninglists WHERE 
hash='%s'" + % data + ) else: - if data.lower() in list.get('values', []): - results.append({ - "name": list.get('name') - }) - - self.report({ - "results": results, - "is_uptodate": self.lastlocalcommit() == self.lastremotecommit() - }) + ext = get_tld(data, fix_protocol=True, as_object=True) + subdomain = ext.subdomain if ext.subdomain != "" else None + domain = ext.domain + tld = ext.tld + query = ext.parsed_url[2] if ext.parsed_url[2] != "" else None + + if not domain or not tld: + return self.error( + "{} is not a valid url/domain/fqdn".format(self.data) + ) + + if query: + if subdomain and subdomain != "*": + sql = ( + "SELECT list_name, list_version, concat(subdomain, '.', domain, '.', tld, query) as value FROM warninglists WHERE subdomain = '%s' and domain = '%s' and tld = '%s' and query = '%s'" + % (subdomain, domain, tld, query) + ) + else: + sql = ( + "SELECT list_name, list_version, concat(domain, '.', tld, query) as value FROM warninglists WHERE domain = '%s' and tld = '%s' and query = '%s'" + % (domain, tld, query) + ) + elif not subdomain: + sql = ( + "SELECT list_name, list_version, concat(domain, '.', tld) as value FROM warninglists WHERE subdomain is null and domain = '%s' and tld = '%s'" + % (domain, tld) + ) + elif subdomain == "*": + sql = ( + "SELECT list_name, list_version, concat(subdomain, '.', domain, '.', tld) as value FROM warninglists WHERE subdomain is not null and domain = '%s' and tld = '%s'" + % (domain, tld) + ) + else: + sql = ( + "SELECT list_name, list_version, concat(subdomain, '.', domain, '.', tld) as value FROM warninglists WHERE (subdomain = '%s' or subdomain = '*') and domain = '%s' and tld = '%s'" + % (subdomain, domain, tld) + ) + values = self.engine.execute(sql) + self.engine.dispose() + if values.rowcount > 0: + for row in values: + results.append( + { + key: value + for (key, value) in zip( + ["list_name", "list_version", "value"], row + ) + } + ) + self.report({"results": results, "mode": "db", "is_uptodate": 
"N/A"}) def summary(self, raw): taxonomies = [] - if len(raw['results']) > 0: - taxonomies.append(self.build_taxonomy('suspicious', 'MISP', 'Warninglists', 'Potential fp')) + if len(raw["results"]) > 0: + taxonomies.append( + self.build_taxonomy( + "suspicious", "MISP", "Warninglists", "Potential fp" + ) + ) else: - taxonomies.append(self.build_taxonomy('info', 'MISP', 'Warninglists', 'No hits')) + taxonomies.append( + self.build_taxonomy("info", "MISP", "Warninglists", "No hits") + ) - if not raw.get('is_uptodate', False): - taxonomies.append(self.build_taxonomy('info', 'MISP', 'Warninglists', 'Outdated')) + if raw.get("mode", None) == "json" and not raw.get("is_uptodate", False): + taxonomies.append( + self.build_taxonomy("info", "MISP", "Warninglists", "Outdated") + ) - return { - "taxonomies": taxonomies - } + return {"taxonomies": taxonomies} -if __name__ == '__main__': +if __name__ == "__main__": MISPWarninglistsAnalyzer().run() diff --git a/analyzers/MISPWarningLists/requirements.txt b/analyzers/MISPWarningLists/requirements.txt index e8d34eb7f..3492bd35f 100644 --- a/analyzers/MISPWarningLists/requirements.txt +++ b/analyzers/MISPWarningLists/requirements.txt @@ -1,3 +1,4 @@ cortexutils requests ipaddress +tld \ No newline at end of file diff --git a/analyzers/MISPWarningLists/warninglists_create_db.py b/analyzers/MISPWarningLists/warninglists_create_db.py new file mode 100644 index 000000000..663b19f0b --- /dev/null +++ b/analyzers/MISPWarningLists/warninglists_create_db.py 
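Review bot: The db branch of `run()` builds every statement with `%` formatting from observable-derived values — `data` in the hash query and `subdomain`/`domain`/`tld`/`query` in the domain queries — and `query` is the raw URL path from `get_tld(...).parsed_url[2]`, so an observable containing a quote or semicolon changes the SQL that is executed; only the ip query is protected, indirectly, by the earlier `ipaddress.ip_address` parse. `db` is already bound to sqlalchemy in this file, so the statements should be `db.text(...)` with named bind parameters passed to `self.engine.execute`, as sketched below; the column names and result shape stay the same. Separately, `__init__` sets `self.warninglists` to `None` whenever `USE_DB` is true even when `config.conn` is unset, so with sqlalchemy installed but no `conn` the `for list in self.warninglists` loop in the json branch raises `TypeError`; `self.warninglists = self.readwarninglists() if not (USE_DB and conn) else None` keeps the json fallback working.
```python
        else:
            # Bind observable-derived values instead of interpolating them into the SQL text.
            if self.data_type == "ip":
                sql = db.text(
                    "SELECT list_name, list_version, address as value FROM warninglists WHERE address >>= CAST(:data AS inet)"
                )
                params = {"data": str(data)}
            elif self.data_type == "hash":
                sql = db.text(
                    "SELECT list_name, list_version, hash as value FROM warninglists WHERE hash = :data"
                )
                params = {"data": data}
            else:
                # … unchanged: get_tld parsing and the domain/tld validation error …
                params = {"subdomain": subdomain, "domain": domain, "tld": tld, "query": query}
                if query:
                    if subdomain and subdomain != "*":
                        sql = db.text(
                            "SELECT list_name, list_version, concat(subdomain, '.', domain, '.', tld, query) as value FROM warninglists WHERE subdomain = :subdomain and domain = :domain and tld = :tld and query = :query"
                        )
                    else:
                        sql = db.text(
                            "SELECT list_name, list_version, concat(domain, '.', tld, query) as value FROM warninglists WHERE domain = :domain and tld = :tld and query = :query"
                        )
                elif not subdomain:
                    sql = db.text(
                        "SELECT list_name, list_version, concat(domain, '.', tld) as value FROM warninglists WHERE subdomain is null and domain = :domain and tld = :tld"
                    )
                elif subdomain == "*":
                    sql = db.text(
                        "SELECT list_name, list_version, concat(subdomain, '.', domain, '.', tld) as value FROM warninglists WHERE subdomain is not null and domain = :domain and tld = :tld"
                    )
                else:
                    sql = db.text(
                        "SELECT list_name, list_version, concat(subdomain, '.', domain, '.', tld) as value FROM warninglists WHERE (subdomain = :subdomain or subdomain = '*') and domain = :domain and tld = :tld"
                    )
            values = self.engine.execute(sql, **params)
            # … unchanged: engine.dispose(), row-to-dict mapping and self.report(...) …
```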
@@ -0,0 +1,201 @@ +#!/usr/bin/env python +# coding: utf-8 + +import re +import json +import logging +import ipaddress +from glob import glob +from tqdm import tqdm +from tld import get_tld + +logging.basicConfig(filename='import.log',level=logging.DEBUG) + + +import psycopg2.extras +from sqlalchemy import Table, Column, Integer, String, MetaData, ForeignKey, Index, create_engine +from sqlalchemy.sql import select +from sqlalchemy.dialects.postgresql import CIDR + +conn_string = "" +warninglists_path = "misp-warninglists/**/list.json" + +engine = create_engine(conn_string, use_batch_mode=True) +conn = engine.connect() + +# UPDATE TLD FROM MOZILLA +from tld.utils import update_tld_names +update_tld_names() + + +# HASH REGEX +md5_re = re.compile(r"^[a-f0-9]{32}(:.+)?$", re.IGNORECASE) +sha1_re = re.compile(r"^[a-f0-9]{40}(:.+)?$", re.IGNORECASE) +sha224_re = re.compile(r"^[a-f0-9]{56}(:.+)?$", re.IGNORECASE) +sha256_re = re.compile(r"^[a-f0-9]{64}(:.+)?$", re.IGNORECASE) +sha512_re = re.compile(r"^[a-f0-9]{128}(:.+)?$", re.IGNORECASE) + + + +items = {} +avoid_list = [] + +file_list = [file for file in glob(warninglists_path, recursive=True) if file.split("/")[-2] not in avoid_list] +for file_item in file_list: + with open(file_item, 'r') as f: + json_data = json.load(f) + file_name = file_item.split("/")[-2] + items[file_name] = {} + items[file_name]['version'] = str(json_data['version']) + items[file_name]['list'] = {x:{} for x in json_data['list']} + +for k, v in items.items(): + logging.debug(f"NAME: {k} - VERSION: {v['version']} - ITEMS: {len(v['list'])}") + + +# In[7]: + +for k, v in tqdm(items.items()): + for item in v['list'].keys(): + new_item = item + if new_item.startswith('.'): + new_item = "*" + new_item + if new_item.endswith('.'): + new_item = new_item[:-1] + try: + ipaddress.ip_address(new_item) + items[k]['list'][item]['type'] = 'cidr' + items[k]['list'][item]['address'] = new_item + except: + try: + ipaddress.ip_network(new_item) + 
items[k]['list'][item]['type'] = 'cidr' + items[k]['list'][item]['address'] = new_item + except: + if md5_re.match(new_item): + items[k]['list'][item]['type'] = 'md5' + items[k]['list'][item]['hash'] = new_item + elif sha1_re.match(new_item): + items[k]['list'][item]['type'] = 'sha1' + items[k]['list'][item]['hash'] = new_item + elif sha224_re.match(new_item): + items[k]['list'][item]['type'] = 'sha224' + items[k]['list'][item]['hash'] = new_item + elif sha256_re.match(new_item): + items[k]['list'][item]['type'] = 'sha256' + items[k]['list'][item]['hash'] = new_item + elif sha512_re.match(new_item): + items[k]['list'][item]['type'] = 'sha512' + items[k]['list'][item]['hash'] = new_item + else: + if new_item.find(".") == -1: + logging.error(f"NOT VALID: {new_item} [{k}]") + continue + try: + ext = get_tld(new_item, fix_protocol=True, as_object=True) + items[k]['list'][item]['type'] = 'url-domain' + items[k]['list'][item]['subdomain'] = ext.subdomain if ext.subdomain != '' else None + items[k]['list'][item]['domain'] = ext.domain + items[k]['list'][item]['tld'] = ext.tld + items[k]['list'][item]['query'] = ext.parsed_url[2] if ext.parsed_url[2] != '' else None + except: + logging.error(f"NOT VALID: {new_item} [{k}]") + + +# CREATE OR USE DB +metadata = MetaData() + +warninglists = Table( + "warninglists", + metadata, + Column("id", Integer, primary_key=True, autoincrement=True), + Column("list_name", String), + Column("list_version", String), + Column("address", CIDR), + Column("hash", String), + Column("subdomain", String), + Column("domain", String), + Column("tld", String), + Column("query", String), +) + +warninglists_address_idx = Index("warninglists_address_idx", warninglists.c.address) +warninglists_hash_idx = Index("warninglists_hash_idx", warninglists.c.hash) +warninglists_domain_idx = Index("warninglists_domain_idx", warninglists.c.domain) + +try: + warninglists.create(engine) +except: + logging.error("DB already exists") + + +try: + 
warninglists_address_idx.drop(engine) +except: + logging.error("warninglists_address_idx does not exists") + + +try: + warninglists_hash_idx.drop(engine) +except: + logging.error("warninglists_hash_idx does not exists") + + +try: + warninglists_domain_idx.drop(engine) +except: + logging.error("warninglists_domain_idx does not exists") + + +# CHECK IF OLD RELEASE ARE IN DB +s = select([warninglists.c.list_name, warninglists.c.list_version]).distinct() +last_versions = [x for x in conn.execute(s)] +print(f"{len(last_versions)} list already available in db") + + +# INSERT, UPDATE OR SKIP +raw_conn = engine.raw_connection() +cursor = raw_conn.cursor() + +for k, v in tqdm(items.items()): + name = k + version = items[k]['version'] + if (name, version) not in last_versions: + if name in [x[0] for x in last_versions]: + logging.debug(f"{(name, version)} is an update - DELETE OLD RELEASE") + d = warninglists.delete().where(warninglists.c.list_name == name) + conn.execute(d) + + logging.debug(f"{(name, version)} not in db - BULK IMPORTING") + tbi = [{ + 'list_name': name, + 'list_version': version, + 'address': item.get('address', None), + 'hash': item.get('hash', None), + 'subdomain': item.get('subdomain', None), + 'domain': item.get('domain', None), + 'tld': item.get('tld', None), + 'query': item.get('query', None), + } for item_old_name, item in v['list'].items()] + psycopg2.extras.execute_batch(cursor, """INSERT INTO warninglists(list_name, list_version, address, hash, subdomain, domain, tld, query) VALUES (%(list_name)s, %(list_version)s, %(address)s, %(hash)s, %(subdomain)s, %(domain)s, %(tld)s, %(query)s)""", tbi) + raw_conn.commit() + else: + logging.debug(f"{name}, {version} already in db - SKIPPING") + +cursor.close() +conn.close() +raw_conn.close() + +try: + warninglists_address_idx.create(engine) +except: + logging.error(f"warninglists_address_idx already exists") +try: + warninglists_hash_idx.create(engine) +except: + logging.error(f"warninglists_hash_idx 
already exists") +try: + warninglists_domain_idx.create(engine) +except: + logging.error(f"warninglists_domain_idx already exists") +engine.dispose() diff --git a/thehive-templates/MISPWarningLists_1_0/long.html b/thehive-templates/MISPWarningLists_2_0/long.html similarity index 71% rename from thehive-templates/MISPWarningLists_1_0/long.html rename to thehive-templates/MISPWarningLists_2_0/long.html index a1af782d8..9dbb97d86 100644 --- a/thehive-templates/MISPWarningLists_1_0/long.html +++ b/thehive-templates/MISPWarningLists_2_0/long.html @@ -9,9 +9,12 @@
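Review bot: The bare `except:` around `warninglists.create(engine)` logs every failure as "DB already exists", so a bad `conn_string`, an authentication failure or an unreachable server is recorded as if it were the expected case and the script carries on to the `select` and the bulk insert, where it dies with a less informative traceback; the six index `drop`/`create` blocks and the `ipaddress`/`get_tld` classification loop hide real errors (and swallow `KeyboardInterrupt`) the same way. Narrow them: `except ValueError:` for `ipaddress.ip_address`/`ip_network`, and for the DDL blocks either `from sqlalchemy.exc import ProgrammingError` and `except ProgrammingError:`, or test `engine.dialect.has_table(conn, "warninglists")` before creating instead of catching at all. `conn_string = ""` is an empty credential slot that must be edited in-source before each run; reading it from an environment variable (`conn_string = os.environ["<your variable name>"]`) keeps the database password out of the file and out of version control.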

Observable was found in following MISP warning lists:

-
    +
    • {{list.name}}
    +
      +
    • {{list.value}} - {{list.list_name}} - ver. {{list.list_version}}
    • +

    @@ -20,12 +23,15 @@

    Warning lists status:
    - + Up-to-date - + Outdated + + N/A +
diff --git a/thehive-templates/MISPWarningLists_1_0/short.html b/thehive-templates/MISPWarningLists_2_0/short.html similarity index 100% rename from thehive-templates/MISPWarningLists_1_0/short.html rename to thehive-templates/MISPWarningLists_2_0/short.html From d3d06b19840e3081e5c4de7bdd237bbcd2a3524a Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Mon, 6 Apr 2020 11:40:09 +0200 Subject: [PATCH 30/36] bump version to 2.0 --- analyzers/MISPWarningLists/MISPWarningLists.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/MISPWarningLists/MISPWarningLists.json b/analyzers/MISPWarningLists/MISPWarningLists.json index b68f0b027..89a7f936a 100644 --- a/analyzers/MISPWarningLists/MISPWarningLists.json +++ b/analyzers/MISPWarningLists/MISPWarningLists.json @@ -3,7 +3,7 @@ "author": "Nils Kuhnert, CERT-Bund", "license": "AGPL-V3", "url": "https://github.com/BSI-CERT-Bund/misp-warninglists-analyzer", - "version": "1.0", + "version": "2.0", "description": "Check IoCs/Observables against MISP Warninglists to filter false positives.", "dataTypeList": ["ip", "hash", "domain", "fqdn", "url"], "baseConfig": "MISPWarningLists", From 2a7742a20caed70d0f184beb1cb21cec475eea74 Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Mon, 6 Apr 2020 11:40:45 +0200 Subject: [PATCH 31/36] add sqlalchemy in requirements --- analyzers/MISPWarningLists/requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/analyzers/MISPWarningLists/requirements.txt b/analyzers/MISPWarningLists/requirements.txt index 3492bd35f..2702c3728 100644 --- a/analyzers/MISPWarningLists/requirements.txt +++ b/analyzers/MISPWarningLists/requirements.txt @@ -1,4 +1,5 @@ cortexutils requests ipaddress -tld \ No newline at end of file +tld +sqlalchemy From c7ed4be29d1c41c4ad36cbe8cd744ba055f078fb Mon Sep 17 00:00:00 2001 
From: Arcuri Davide Date: Tue, 7 Apr 2020 10:34:45 +0200 Subject: [PATCH 32/36] added psycopg2-binary in requirements --- analyzers/MISPWarningLists/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/analyzers/MISPWarningLists/requirements.txt b/analyzers/MISPWarningLists/requirements.txt index 2702c3728..10975ab77 100644 --- a/analyzers/MISPWarningLists/requirements.txt +++ b/analyzers/MISPWarningLists/requirements.txt @@ -3,3 +3,4 @@ requests ipaddress tld sqlalchemy +psycopg2-binary From 0e2102040eed63ccec412c944fc597dfec0b476a Mon Sep 17 00:00:00 2001 From: Nabil Adouani Date: Tue, 12 May 2020 14:28:27 +0200 Subject: [PATCH 33/36] Update changelog --- CHANGELOG.md | 332 +++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 243 insertions(+), 89 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b90f3584..d8caefd51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,215 @@ -# Changelog +# Change Log -## [2.3.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.3.0) (2019-12-05) +## [Unreleased](https://github.com/TheHive-Project/Cortex-Analyzers/tree/HEAD) +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.6.0...HEAD) + +**Implemented enhancements:** + +- \[discussion\] Mispwarninglist analyzer speed issue and proposed improvement [\#731](https://github.com/TheHive-Project/Cortex-Analyzers/issues/731) +- Improvement: extract IOCs from EmlParser [\#710](https://github.com/TheHive-Project/Cortex-Analyzers/issues/710) +- \[FR\] Yeti Analyzer - SSL error with self signed certificate [\#468](https://github.com/TheHive-Project/Cortex-Analyzers/issues/468) +- BlueCoat Malware Analysis Sandbox Analyzer [\#145](https://github.com/TheHive-Project/Cortex-Analyzers/issues/145) + +**Fixed bugs:** + +- \[Bug\] MaxMind [\#752](https://github.com/TheHive-Project/Cortex-Analyzers/issues/752) +- \[Bug\] EmailRep [\#750](https://github.com/TheHive-Project/Cortex-Analyzers/issues/750) +- \[Bug\] Shodan Analyzer: Inconsistent Key References [\#748](https://github.com/TheHive-Project/Cortex-Analyzers/issues/748) +- json.dump \n and \" [\#743](https://github.com/TheHive-Project/Cortex-Analyzers/issues/743) +- \[Bug\] Yeti Analyzer docker images pip installing pyeti [\#708](https://github.com/TheHive-Project/Cortex-Analyzers/issues/708) +- \[Bug\] FireHOLBlocklists No such file or directory [\#707](https://github.com/TheHive-Project/Cortex-Analyzers/issues/707) +- \[Bug\] DNSDB Analyzer Python 3 incompatability [\#613](https://github.com/TheHive-Project/Cortex-Analyzers/issues/613) +- \[Bug\] Worker cannot be run [\#595](https://github.com/TheHive-Project/Cortex-Analyzers/issues/595) +- \[Bug\] Crt\_sh\_Transparency\_Logs\_1\_0 - No JSON object could be decoded [\#594](https://github.com/TheHive-Project/Cortex-Analyzers/issues/594) +- \[Bug\] TheHive isn't showing error messages from responders 
[\#429](https://github.com/TheHive-Project/Cortex-Analyzers/issues/429) + +**Closed issues:** + +- New Analyzer: ANY.RUN [\#734](https://github.com/TheHive-Project/Cortex-Analyzers/issues/734) +- New Analyzer: OpenCTI [\#723](https://github.com/TheHive-Project/Cortex-Analyzers/issues/723) +- New Analyzer: MalwareBazaar [\#722](https://github.com/TheHive-Project/Cortex-Analyzers/issues/722) +- New analyzer : Google Vision API [\#298](https://github.com/TheHive-Project/Cortex-Analyzers/issues/298) + +**Merged pull requests:** + +- added key to emailrep [\#751](https://github.com/TheHive-Project/Cortex-Analyzers/pull/751) ([dadokkio](https://github.com/dadokkio)) +- fix infos\_domain key in shodan [\#749](https://github.com/TheHive-Project/Cortex-Analyzers/pull/749) ([dadokkio](https://github.com/dadokkio)) +- fix on python3 compatibility for \#696 [\#745](https://github.com/TheHive-Project/Cortex-Analyzers/pull/745) ([dadokkio](https://github.com/dadokkio)) +- fix multuple yeti issues [\#740](https://github.com/TheHive-Project/Cortex-Analyzers/pull/740) ([dadokkio](https://github.com/dadokkio)) +- add analyzer for any.run sandbox [\#735](https://github.com/TheHive-Project/Cortex-Analyzers/pull/735) ([dadokkio](https://github.com/dadokkio)) +- Postgres as backend for mispwarninglist [\#732](https://github.com/TheHive-Project/Cortex-Analyzers/pull/732) ([dadokkio](https://github.com/dadokkio)) +- Fix bug emlparser when 'content-type' string in mail is in lower case [\#730](https://github.com/TheHive-Project/Cortex-Analyzers/pull/730) ([TofBaasken](https://github.com/TofBaasken)) +- malwarebazaar hash search [\#728](https://github.com/TheHive-Project/Cortex-Analyzers/pull/728) ([dadokkio](https://github.com/dadokkio)) +- Add OpenCTI Analyzer v1 [\#725](https://github.com/TheHive-Project/Cortex-Analyzers/pull/725) ([amr-cossi](https://github.com/amr-cossi)) + +## [2.6.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.6.0) (2020-03-25) +[Full 
Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.5.0...2.6.0) + +**Implemented enhancements:** + +- New Analyzer: Mnemonic PDNS \(Public & Closed\) [\#255](https://github.com/TheHive-Project/Cortex-Analyzers/issues/255) +- \[Bug\] AbuseIPDB analyzer returns error [\#701](https://github.com/TheHive-Project/Cortex-Analyzers/issues/701) +- Update UmbrellaBlacklister [\#547](https://github.com/TheHive-Project/Cortex-Analyzers/pull/547) ([arnydo](https://github.com/arnydo)) +- Fix - updated cortexutil Extractor return keys [\#538](https://github.com/TheHive-Project/Cortex-Analyzers/pull/538) ([dadokkio](https://github.com/dadokkio)) +- Issue \#521 Fix - Talos Analyzer No Longer Works [\#522](https://github.com/TheHive-Project/Cortex-Analyzers/pull/522) ([colin-stubbs](https://github.com/colin-stubbs)) +- \[ThreatCrowd \] Fixing Unexpected Error: get\(\) takes exactly 1 argument \(2 given\) [\#518](https://github.com/TheHive-Project/Cortex-Analyzers/pull/518) ([presianbg](https://github.com/presianbg)) + +**Fixed bugs:** + +- \[Bug\] Importing Templates of Analyzers in Hive [\#704](https://github.com/TheHive-Project/Cortex-Analyzers/issues/704) +- \[Bug\] VMRay Returns Error [\#520](https://github.com/TheHive-Project/Cortex-Analyzers/issues/520) +- \[Bug\] FileInfo does not run Oletools submodule for a doc [\#705](https://github.com/TheHive-Project/Cortex-Analyzers/issues/705) +- \[Bug\] Investigate Analyzer Broken [\#703](https://github.com/TheHive-Project/Cortex-Analyzers/issues/703) +- \\[Bug\\] AbuseIPDB analyzer returns error [\#701](https://github.com/TheHive-Project/Cortex-Analyzers/issues/701) +- Analyzers missing cortexutils in requirements.txt [\#695](https://github.com/TheHive-Project/Cortex-Analyzers/issues/695) +- \[Bug\] abuselpdb stop stupport APIv1 [\#618](https://github.com/TheHive-Project/Cortex-Analyzers/issues/618) +- \[Bug\] All Onyphe analyzer return "Invalid output" 
[\#591](https://github.com/TheHive-Project/Cortex-Analyzers/issues/591) +- \[Bug\] Mailer 1\_0 [\#573](https://github.com/TheHive-Project/Cortex-Analyzers/issues/573) + +**Closed issues:** + +- Responder Cisco AMP for Endpoints [\#593](https://github.com/TheHive-Project/Cortex-Analyzers/issues/593) +- Analyzer Cisco Threat Response [\#592](https://github.com/TheHive-Project/Cortex-Analyzers/issues/592) +- MISP-Warninglists Analyzer Outdated [\#569](https://github.com/TheHive-Project/Cortex-Analyzers/issues/569) +- Invalid requirements in responder FalconCustomIOC requirements.txt [\#509](https://github.com/TheHive-Project/Cortex-Analyzers/issues/509) +- ClamAV New analyzer [\#311](https://github.com/TheHive-Project/Cortex-Analyzers/issues/311) +- CISCO AMP Sandbox Analyzer [\#146](https://github.com/TheHive-Project/Cortex-Analyzers/issues/146) +- Intezer Community analyzer [\#504](https://github.com/TheHive-Project/Cortex-Analyzers/issues/504) +- Analyzer Feature: URLScan.io "Scan" Service [\#405](https://github.com/TheHive-Project/Cortex-Analyzers/issues/405) +- New Analyzer: NSRL check [\#391](https://github.com/TheHive-Project/Cortex-Analyzers/issues/391) + +**Merged pull requests:** + +- abuseipdb update api to v2 [\#719](https://github.com/TheHive-Project/Cortex-Analyzers/pull/719) ([dadokkio](https://github.com/dadokkio)) +- Revert "\[ThreatCrowd \] Fixing Unexpected Error: get\(\) takes exactly 1 argument \(2 given\)" [\#716](https://github.com/TheHive-Project/Cortex-Analyzers/pull/716) ([dadokkio](https://github.com/dadokkio)) +- Revert "added IntezerCommunity analyzer" [\#713](https://github.com/TheHive-Project/Cortex-Analyzers/pull/713) ([garanews](https://github.com/garanews)) +- cortexutils in all requirements.txt [\#711](https://github.com/TheHive-Project/Cortex-Analyzers/pull/711) ([garanews](https://github.com/garanews)) +- fqdn support for Url haus [\#706](https://github.com/TheHive-Project/Cortex-Analyzers/pull/706) 
([garanews](https://github.com/garanews)) +- Revert 726 revert 714 dt config clean up [\#727](https://github.com/TheHive-Project/Cortex-Analyzers/pull/727) ([jeromeleonard](https://github.com/jeromeleonard)) +- Revert "DomainToolsIris config cleanup" [\#726](https://github.com/TheHive-Project/Cortex-Analyzers/pull/726) ([jeromeleonard](https://github.com/jeromeleonard)) +- Revert "Bumped Investigate version" [\#721](https://github.com/TheHive-Project/Cortex-Analyzers/pull/721) ([jeromeleonard](https://github.com/jeromeleonard)) +- Bumped Investigate version [\#718](https://github.com/TheHive-Project/Cortex-Analyzers/pull/718) ([garanews](https://github.com/garanews)) +- fix some code for python3 compatibility [\#717](https://github.com/TheHive-Project/Cortex-Analyzers/pull/717) ([dadokkio](https://github.com/dadokkio)) +- DomainToolsIris config cleanup [\#714](https://github.com/TheHive-Project/Cortex-Analyzers/pull/714) ([ChuckWoodraska](https://github.com/ChuckWoodraska)) +- Feature/nsrl [\#712](https://github.com/TheHive-Project/Cortex-Analyzers/pull/712) ([dadokkio](https://github.com/dadokkio)) +- Added url scan feature [\#709](https://github.com/TheHive-Project/Cortex-Analyzers/pull/709) ([dadokkio](https://github.com/dadokkio)) +- DomainTools Iris - Malicious Tags Responder [\#588](https://github.com/TheHive-Project/Cortex-Analyzers/pull/588) ([ChuckWoodraska](https://github.com/ChuckWoodraska)) +- DomainTools Iris - Investigate Analyzer [\#572](https://github.com/TheHive-Project/Cortex-Analyzers/pull/572) ([ChuckWoodraska](https://github.com/ChuckWoodraska)) +- added IntezerCommunity analyzer [\#505](https://github.com/TheHive-Project/Cortex-Analyzers/pull/505) ([mlodic](https://github.com/mlodic)) + +## [2.5.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.5.0) (2020-02-24) +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.4.1...2.5.0) + +**Fixed bugs:** + +- \[Bug\] Umbrella Investigate report error message 
'Unknown Investigate service or invalid data type' [\#698](https://github.com/TheHive-Project/Cortex-Analyzers/issues/698) +- Virusshare analyzer: suggesting another way to retrieve hash file names [\#359](https://github.com/TheHive-Project/Cortex-Analyzers/issues/359) +- Cuckoo analyzer sometimes failes [\#114](https://github.com/TheHive-Project/Cortex-Analyzers/issues/114) + +**Closed issues:** + +- IPVoid IP reputation API [\#454](https://github.com/TheHive-Project/Cortex-Analyzers/issues/454) + +**Merged pull requests:** + +- Cisco Threat Response Analyzer [\#598](https://github.com/TheHive-Project/Cortex-Analyzers/pull/598) ([maugertg](https://github.com/maugertg)) +- Cisco Threat Grid Analyzer [\#597](https://github.com/TheHive-Project/Cortex-Analyzers/pull/597) ([maugertg](https://github.com/maugertg)) +- Cisco AMP for Endpoints Responder [\#596](https://github.com/TheHive-Project/Cortex-Analyzers/pull/596) ([maugertg](https://github.com/maugertg)) +- Added IPVoid IP reputation API analyzer [\#455](https://github.com/TheHive-Project/Cortex-Analyzers/pull/455) ([jdsnape](https://github.com/jdsnape)) +- Redmine responder [\#342](https://github.com/TheHive-Project/Cortex-Analyzers/pull/342) ([srilumpa](https://github.com/srilumpa)) + +## [2.4.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.4.1) (2020-02-11) +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.4.0...2.4.1) + +**Implemented enhancements:** + +- Rename AUTOFOCUS analyzers to Autofocus [\#616](https://github.com/TheHive-Project/Cortex-Analyzers/issues/616) + +**Fixed bugs:** + +- \[Bug\] MaxMind\_GeoIP\_3\_0 [\#564](https://github.com/TheHive-Project/Cortex-Analyzers/issues/564) +- Error when building docker image for MalwareClustering [\#620](https://github.com/TheHive-Project/Cortex-Analyzers/issues/620) +- Abuse Finder not working with docker after force usage of python3 [\#619](https://github.com/TheHive-Project/Cortex-Analyzers/issues/619) +- \[Bug\] 
Permission Denied on Analyzer Execution [\#614](https://github.com/TheHive-Project/Cortex-Analyzers/issues/614) +- \[Bug\] VirusTotal script elif statement ends with semicolon typo [\#610](https://github.com/TheHive-Project/Cortex-Analyzers/issues/610) + +**Closed issues:** + +- Emailrep.io analyzer [\#466](https://github.com/TheHive-Project/Cortex-Analyzers/issues/466) +- IPinfo analyzer [\#462](https://github.com/TheHive-Project/Cortex-Analyzers/issues/462) +- Maltiverse Analyzer [\#440](https://github.com/TheHive-Project/Cortex-Analyzers/issues/440) +- \[FR\] Spamhaus DBL Analyzer [\#436](https://github.com/TheHive-Project/Cortex-Analyzers/issues/436) +- New Analyzer: SoltraEdge [\#264](https://github.com/TheHive-Project/Cortex-Analyzers/issues/264) + +## [2.4.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.4.0) (2020-02-10) +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.3.0...2.4.0) + +**Implemented enhancements:** + +- Force python3 in all analyzers [\#361](https://github.com/TheHive-Project/Cortex-Analyzers/issues/361) +- fix: python3 compatibility for otxquery analyzer [\#590](https://github.com/TheHive-Project/Cortex-Analyzers/pull/590) ([iwitz](https://github.com/iwitz)) +- fix: OTXQuery Python3 compatibility [\#567](https://github.com/TheHive-Project/Cortex-Analyzers/pull/567) ([iwitz](https://github.com/iwitz)) +- Updating GreyNoise analyzer to use v2 API [\#562](https://github.com/TheHive-Project/Cortex-Analyzers/pull/562) ([shortstack](https://github.com/shortstack)) +- fix for Shodan [\#558](https://github.com/TheHive-Project/Cortex-Analyzers/pull/558) ([malwareowl](https://github.com/malwareowl)) +- fix for threatcrowd [\#557](https://github.com/TheHive-Project/Cortex-Analyzers/pull/557) ([malwareowl](https://github.com/malwareowl)) +- fix for virus total [\#555](https://github.com/TheHive-Project/Cortex-Analyzers/pull/555) ([malwareowl](https://github.com/malwareowl)) +- Fix for the Abuse\_Finder and 
Fortiguard [\#541](https://github.com/TheHive-Project/Cortex-Analyzers/pull/541) ([phpsystems](https://github.com/phpsystems)) +- fix some typo [\#537](https://github.com/TheHive-Project/Cortex-Analyzers/pull/537) ([garanews](https://github.com/garanews)) +- PassiveTotal Analyzer: Added support for additional data sets [\#497](https://github.com/TheHive-Project/Cortex-Analyzers/pull/497) ([9b](https://github.com/9b)) +- Abuse\_Finder : Add support to Python3.6 [\#469](https://github.com/TheHive-Project/Cortex-Analyzers/pull/469) ([LetMeR00t](https://github.com/LetMeR00t)) + +**Fixed bugs:** + +- \[Bug\] SSL verification failing for majority of analyzers. [\#605](https://github.com/TheHive-Project/Cortex-Analyzers/issues/605) +- \[Bug\] JoeSandbox analyzer fails if terms and conditions are not accepted [\#565](https://github.com/TheHive-Project/Cortex-Analyzers/issues/565) +- \[Bug\] MISP 2.0 analyzer search crashes the MISP instance [\#602](https://github.com/TheHive-Project/Cortex-Analyzers/issues/602) +- OTXQuery Error - No module named requests [\#574](https://github.com/TheHive-Project/Cortex-Analyzers/issues/574) +- \[Bug\] Abuse\_Finder\_2\_0 [\#566](https://github.com/TheHive-Project/Cortex-Analyzers/issues/566) + +**Closed issues:** + +- Cisco Umbrella Investigate Analyzer \[FR\] [\#583](https://github.com/TheHive-Project/Cortex-Analyzers/issues/583) +- Add Wazuh Responder [\#578](https://github.com/TheHive-Project/Cortex-Analyzers/issues/578) +- \[FR\] Palo Alto Minemeld Responder [\#577](https://github.com/TheHive-Project/Cortex-Analyzers/issues/577) +- \[FR\] Team Cymru Malware Hash Registry Analyzer [\#576](https://github.com/TheHive-Project/Cortex-Analyzers/issues/576) +- New Responder: KnowBe4 \(WIP\) [\#548](https://github.com/TheHive-Project/Cortex-Analyzers/issues/548) +- \[FR\] Analyzer for PaloAltoNetworks Autofocus service [\#472](https://github.com/TheHive-Project/Cortex-Analyzers/issues/472) + +**Merged pull requests:** + +- DomainTools Iris - 
Risky DNS Responder [\#587](https://github.com/TheHive-Project/Cortex-Analyzers/pull/587) ([ChuckWoodraska](https://github.com/ChuckWoodraska)) +- DomainTools Iris - Pivot Analyzer [\#586](https://github.com/TheHive-Project/Cortex-Analyzers/pull/586) ([ChuckWoodraska](https://github.com/ChuckWoodraska)) +- Add Spamhaus DBL analyzer [\#585](https://github.com/TheHive-Project/Cortex-Analyzers/pull/585) ([weslambert](https://github.com/weslambert)) +- Add Wazuh responder [\#582](https://github.com/TheHive-Project/Cortex-Analyzers/pull/582) ([weslambert](https://github.com/weslambert)) +- Add Palo Alto Minemeld Responder [\#581](https://github.com/TheHive-Project/Cortex-Analyzers/pull/581) ([weslambert](https://github.com/weslambert)) +- Add TeamCymruMHR Analyzer [\#580](https://github.com/TheHive-Project/Cortex-Analyzers/pull/580) ([weslambert](https://github.com/weslambert)) +- Update EmailRep analyzer [\#575](https://github.com/TheHive-Project/Cortex-Analyzers/pull/575) ([ninoseki](https://github.com/ninoseki)) +- New Responder KnowBe4 [\#549](https://github.com/TheHive-Project/Cortex-Analyzers/pull/549) ([arnydo](https://github.com/arnydo)) +- Autofocus analyzer v1 [\#473](https://github.com/TheHive-Project/Cortex-Analyzers/pull/473) ([amr-cossi](https://github.com/amr-cossi)) +- add Emailrep analyzer [\#467](https://github.com/TheHive-Project/Cortex-Analyzers/pull/467) ([ninoseki](https://github.com/ninoseki)) +- Add IPinfo analyzer [\#463](https://github.com/TheHive-Project/Cortex-Analyzers/pull/463) ([ninoseki](https://github.com/ninoseki)) +- remove builtin modules from requirements.txt [\#457](https://github.com/TheHive-Project/Cortex-Analyzers/pull/457) ([ag-michael](https://github.com/ag-michael)) +- Malware clustering [\#351](https://github.com/TheHive-Project/Cortex-Analyzers/pull/351) ([garanews](https://github.com/garanews)) + +## [2.3.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.3.0) (2019-11-28) [Full 
Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.2.0...2.3.0) **Implemented enhancements:** -- Metadefender analyzer [\#510](https://github.com/TheHive-Project/Cortex-Analyzers/issues/510) -- updated joe sandbox analyzer [\#512](https://github.com/TheHive-Project/Cortex-Analyzers/issues/512) +- fix when hash not found [\#485](https://github.com/TheHive-Project/Cortex-Analyzers/pull/485) ([garanews](https://github.com/garanews)) +- fixed Talos analyzer [\#546](https://github.com/TheHive-Project/Cortex-Analyzers/pull/546) ([0xmilkmix](https://github.com/0xmilkmix)) +- removed python builtins from requirements.txt [\#517](https://github.com/TheHive-Project/Cortex-Analyzers/pull/517) ([github-pba](https://github.com/github-pba)) +- Support for Cuckoo 2.0.7 and custom CA [\#514](https://github.com/TheHive-Project/Cortex-Analyzers/pull/514) ([1earch](https://github.com/1earch)) +- updated joesandbox analyzer [\#512](https://github.com/TheHive-Project/Cortex-Analyzers/pull/512) ([garanews](https://github.com/garanews)) **Fixed bugs:** +- Old non-existent analysers showing in Cortex \[Bug\] [\#553](https://github.com/TheHive-Project/Cortex-Analyzers/issues/553) +- \[Bug\] Custom responder not working after upgrade to cortex 3 [\#542](https://github.com/TheHive-Project/Cortex-Analyzers/issues/542) +- \[Bug\] ThreatCrowd analyzer not respecting Max TLP value [\#527](https://github.com/TheHive-Project/Cortex-Analyzers/issues/527) +- \[Bug\]Missing baseConfig in two Analyzsers [\#508](https://github.com/TheHive-Project/Cortex-Analyzers/issues/508) +- \[Bug\] MISP analyzer does not connect to MISP [\#480](https://github.com/TheHive-Project/Cortex-Analyzers/issues/480) - \[Bug\] Missing module dependencies on responders [\#561](https://github.com/TheHive-Project/Cortex-Analyzers/issues/561) - \[Bug\] [\#552](https://github.com/TheHive-Project/Cortex-Analyzers/issues/552) - \[Bug\] Requests module is missing in PhishTank checkurl analyzer docker image 
[\#551](https://github.com/TheHive-Project/Cortex-Analyzers/issues/551) @@ -18,15 +217,19 @@ - \[Bug\] Cuckoo Sandbox 2.0.7 [\#544](https://github.com/TheHive-Project/Cortex-Analyzers/issues/544) - \[Bug\] Docker build fails due to spaces in some responders [\#540](https://github.com/TheHive-Project/Cortex-Analyzers/issues/540) - Talos Analyzer No Longer Works [\#521](https://github.com/TheHive-Project/Cortex-Analyzers/issues/521) -- \[Bug\]Missing baseConfig in two Analyzsers [\#508](https://github.com/TheHive-Project/Cortex-Analyzers/issues/508) - \[Bug\] Fortiguard: Category parsing does not handle "-" [\#493](https://github.com/TheHive-Project/Cortex-Analyzers/issues/493) +- fix when hash not found [\#485](https://github.com/TheHive-Project/Cortex-Analyzers/pull/485) ([garanews](https://github.com/garanews)) +- Fix category parsing forom Fortiguard URLCategory [\#494](https://github.com/TheHive-Project/Cortex-Analyzers/pull/494) ([srilumpa](https://github.com/srilumpa)) **Closed issues:** - MaxMind Analyzer: Use commercial databases with geoipupdate [\#474](https://github.com/TheHive-Project/Cortex-Analyzers/issues/474) -## [2.2.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.2.0) (2019-10-01) +**Merged pull requests:** + +- Metadefender analyzer [\#510](https://github.com/TheHive-Project/Cortex-Analyzers/pull/510) ([garanews](https://github.com/garanews)) +## [2.2.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.2.0) (2019-10-01) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.8...2.2.0) **Implemented enhancements:** @@ -60,7 +263,6 @@ - New analyser : Google Vision API [\#297](https://github.com/TheHive-Project/Cortex-Analyzers/pull/297) ([0xswitch](https://github.com/0xswitch)) ## [2.1.8](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.8) (2019-07-12) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.7...2.1.8) **Fixed bugs:** 
@@ -68,7 +270,6 @@ - \[Bug\] PassiveTotal SSL Certificate History analyzer always report at least one record, even if there isn't one [\#513](https://github.com/TheHive-Project/Cortex-Analyzers/issues/513) ## [2.1.7](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.7) (2019-07-10) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.6...2.1.7) **Implemented enhancements:** @@ -86,19 +287,13 @@ - New analyzer: Talos Reputation [\#426](https://github.com/TheHive-Project/Cortex-Analyzers/issues/426) ## [2.1.6](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.6) (2019-06-21) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.5...2.1.6) -**Implemented enhancements:** - -- Use req.text instead of req.content [\#492](https://github.com/TheHive-Project/Cortex-Analyzers/pull/492) ([srilumpa](https://github.com/srilumpa)) - **Fixed bugs:** - Missing request lib in the docker of Fortiguard analyzer [\#503](https://github.com/TheHive-Project/Cortex-Analyzers/issues/503) ## [2.1.5](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.5) (2019-06-20) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.4...2.1.5) **Fixed bugs:** @@ -106,7 +301,6 @@ - Docker for EmlParser is not working, python-magic is missing [\#502](https://github.com/TheHive-Project/Cortex-Analyzers/issues/502) ## [2.1.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.4) (2019-06-20) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.3...2.1.4) **Fixed bugs:** @@ -114,7 +308,6 @@ - TalosReputation : not cortexutils in requirements.txt [\#501](https://github.com/TheHive-Project/Cortex-Analyzers/issues/501) ## [2.1.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.3) (2019-06-17) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.2...2.1.3) **Fixed bugs:** 
@@ -122,15 +315,12 @@ - Problem with iocp requirement [\#500](https://github.com/TheHive-Project/Cortex-Analyzers/issues/500) ## [2.1.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.2) (2019-06-16) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.1...2.1.2) ## [2.1.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.1) (2019-06-16) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.1.0...2.1.1) ## [2.1.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.1.0) (2019-06-09) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.0.1...2.1.0) **Implemented enhancements:** @@ -138,6 +328,7 @@ - FileInfo : extract URL from documents like PDF or Office [\#465](https://github.com/TheHive-Project/Cortex-Analyzers/issues/465) - Use up to date msg-Extract lib in FileInfo [\#464](https://github.com/TheHive-Project/Cortex-Analyzers/issues/464) - \[FR\] Updated crt.sh Analyzer [\#438](https://github.com/TheHive-Project/Cortex-Analyzers/issues/438) +- Use req.text instead of req.content [\#492](https://github.com/TheHive-Project/Cortex-Analyzers/pull/492) ([srilumpa](https://github.com/srilumpa)) - remove extra slash [\#488](https://github.com/TheHive-Project/Cortex-Analyzers/pull/488) ([garanews](https://github.com/garanews)) - EmlParser - Fixed headers and displayTo [\#486](https://github.com/TheHive-Project/Cortex-Analyzers/pull/486) ([mgabriel-silva](https://github.com/mgabriel-silva)) - Crtsh updates [\#432](https://github.com/TheHive-Project/Cortex-Analyzers/pull/432) ([kx499](https://github.com/kx499)) 
@@ -149,6 +340,10 @@ - \[Bug\] EmlParser has incomplete header [\#484](https://github.com/TheHive-Project/Cortex-Analyzers/issues/484) - \[Bug\] OpenXML files detected as zip but ignored by Oletools. [\#475](https://github.com/TheHive-Project/Cortex-Analyzers/issues/475) - \[Bug\] Malwares\_GetReport\_1\_0 [\#470](https://github.com/TheHive-Project/Cortex-Analyzers/issues/470) +- Use req.text instead of req.content [\#492](https://github.com/TheHive-Project/Cortex-Analyzers/pull/492) ([srilumpa](https://github.com/srilumpa)) +- Umbrella analyzer: query\_limit: error if no data provided [\#479](https://github.com/TheHive-Project/Cortex-Analyzers/pull/479) ([siisar](https://github.com/siisar)) +- remove extra slash [\#488](https://github.com/TheHive-Project/Cortex-Analyzers/pull/488) ([garanews](https://github.com/garanews)) +- EmlParser - Fixed headers and displayTo [\#486](https://github.com/TheHive-Project/Cortex-Analyzers/pull/486) ([mgabriel-silva](https://github.com/mgabriel-silva)) - Use VirusTotal with python3 \(issue \#361\) [\#446](https://github.com/TheHive-Project/Cortex-Analyzers/pull/446) ([Nergie](https://github.com/Nergie)) - Fix emlParser crash [\#439](https://github.com/TheHive-Project/Cortex-Analyzers/pull/439) ([agix](https://github.com/agix)) @@ -168,7 +363,6 @@ - New analyzer: Talos Reputation [\#427](https://github.com/TheHive-Project/Cortex-Analyzers/pull/427) ([mgabriel-silva](https://github.com/mgabriel-silva)) ## [2.0.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.0.1) (2019-04-05) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.0.0...2.0.1) **Fixed bugs:** 
@@ -176,7 +370,6 @@ - \[Bug\] Invalid version for stable Docker image [\#453](https://github.com/TheHive-Project/Cortex-Analyzers/issues/453) ## [2.0.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.0.0) (2019-04-05) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.16.0...2.0.0) **Closed issues:** @@ -185,7 +378,6 @@ - \[FR\] Add support to dockerized analyzers [\#450](https://github.com/TheHive-Project/Cortex-Analyzers/issues/450) ## [1.16.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.16.0) (2019-03-27) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.15.3...1.16.0) **Implemented enhancements:** @@ -211,7 +403,6 @@ - Added AbuseIPDB analyzer [\#400](https://github.com/TheHive-Project/Cortex-Analyzers/pull/400) ([mlodic](https://github.com/mlodic)) ## [1.15.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.15.3) (2019-02-28) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.15.2...1.15.3) **Implemented enhancements:** @@ -224,7 +415,6 @@ - Proofpoint analyzer fails Unexpected Error: Unicode-objects must be encoded before hashing [\#417](https://github.com/TheHive-Project/Cortex-Analyzers/issues/417) ## [1.15.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.15.2) (2019-02-11) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.15.1...1.15.2) **Implemented enhancements:** @@ -251,7 +441,6 @@ - Fix a broken link in the Cymon\_Check\_IP report [\#407](https://github.com/TheHive-Project/Cortex-Analyzers/pull/407) ([ninoseki](https://github.com/ninoseki)) ## [1.15.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.15.1) (2019-01-09) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.15.0...1.15.1) **Fixed bugs:** 
@@ -268,7 +457,6 @@ - make code python 3.4 compatible [\#403](https://github.com/TheHive-Project/Cortex-Analyzers/pull/403) ([dadokkio](https://github.com/dadokkio)) ## [1.15.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.15.0) (2018-12-20) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.14.4...1.15.0) **Implemented enhancements:** @@ -280,7 +468,7 @@ - Improvement: Eml\_Parser Analyzer & Template [\#393](https://github.com/TheHive-Project/Cortex-Analyzers/pull/393) ([arnydo](https://github.com/arnydo)) - Analyzer/Umbrella & Templates [\#392](https://github.com/TheHive-Project/Cortex-Analyzers/pull/392) ([arnydo](https://github.com/arnydo)) - Improve/mailer [\#376](https://github.com/TheHive-Project/Cortex-Analyzers/pull/376) ([arnydo](https://github.com/arnydo)) -- Additional features for IBM X-force plug-in [\#368](https://github.com/TheHive-Project/Cortex-Analyzers/pull/368) ([gekkeharry13](https://github.com/gekkeharry13)) +- Additional features for IBM X-force plug-in [\#368](https://github.com/TheHive-Project/Cortex-Analyzers/pull/368) ([jeffrey-e](https://github.com/jeffrey-e)) - Revamp Shodan analyzer [\#328](https://github.com/TheHive-Project/Cortex-Analyzers/pull/328) ([amr-cossi](https://github.com/amr-cossi)) - Feature/domain tools more flavors [\#321](https://github.com/TheHive-Project/Cortex-Analyzers/pull/321) ([amr-cossi](https://github.com/amr-cossi)) @@ -309,7 +497,6 @@ - Add DNSDB API parameters [\#319](https://github.com/TheHive-Project/Cortex-Analyzers/pull/319) ([amr-cossi](https://github.com/amr-cossi)) ## [1.14.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.14.4) (2018-12-05) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.14.3...1.14.4) **Implemented enhancements:** 
@@ -319,10 +506,10 @@ **Fixed bugs:** +- Virustotal: update short reports to distinguish Scan from GetReport flavors [\#389](https://github.com/TheHive-Project/Cortex-Analyzers/issues/389) - msg-extractor library has been updated and brakes FileInfo analyzer [\#384](https://github.com/TheHive-Project/Cortex-Analyzers/issues/384) ## [1.14.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.14.3) (2018-11-28) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.14.2...1.14.3) **Fixed bugs:** @@ -334,7 +521,6 @@ - CERTatPassiveDNS\_2\_0 Invalid File for WHOIS.sh [\#349](https://github.com/TheHive-Project/Cortex-Analyzers/issues/349) ## [1.14.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.14.2) (2018-11-16) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.14.1...1.14.2) **Fixed bugs:** @@ -342,7 +528,6 @@ - Fix URLHaus long template [\#375](https://github.com/TheHive-Project/Cortex-Analyzers/issues/375) ## [1.14.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.14.1) (2018-11-09) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.14.0...1.14.1) **Implemented enhancements:** @@ -360,7 +545,6 @@ - FileInfo 5.0 Dockerized .exe analysis [\#369](https://github.com/TheHive-Project/Cortex-Analyzers/issues/369) ## [1.14.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.14.0) (2018-10-26) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.13.2...1.14.0) **Implemented enhancements:** 
@@ -382,6 +566,7 @@ **Fixed bugs:** - Cortex Responder - Invalid Output [\#331](https://github.com/TheHive-Project/Cortex-Analyzers/issues/331) +- Fixes file not found issue and empty result set in CERT.at passive dns analyzer [\#362](https://github.com/TheHive-Project/Cortex-Analyzers/issues/362) - Force python3 for MISP-Analyzer [\#356](https://github.com/TheHive-Project/Cortex-Analyzers/issues/356) - HybridAnalysis analyzer does not properly handle filenames on some cases [\#323](https://github.com/TheHive-Project/Cortex-Analyzers/issues/323) @@ -397,7 +582,6 @@ - Proofpoint Forensics Lookup [\#117](https://github.com/TheHive-Project/Cortex-Analyzers/issues/117) ## [1.13.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.13.2) (2018-10-16) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.13.1...1.13.2) **Fixed bugs:** @@ -405,7 +589,6 @@ - Cuckoo file submission Analyzer error [\#177](https://github.com/TheHive-Project/Cortex-Analyzers/issues/177) ## [1.13.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.13.1) (2018-09-19) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.13.0...1.13.1) **Fixed bugs:** @@ -413,7 +596,6 @@ - Wrong datatype in artifact\(\) in DShield analyzer [\#344](https://github.com/TheHive-Project/Cortex-Analyzers/issues/344) ## [1.13.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.13.0) (2018-09-18) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.12.0...1.13.0) **Implemented enhancements:** @@ -448,7 +630,6 @@ - Manalyze submodule for FileInfo analyzer [\#333](https://github.com/TheHive-Project/Cortex-Analyzers/pull/333) ([3c7](https://github.com/3c7)) ## [1.12.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.12.0) (2018-07-31) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.11.0...1.12.0) **Merged pull requests:** 
@@ -456,7 +637,6 @@ - Eml Parser analyzer [\#260](https://github.com/TheHive-Project/Cortex-Analyzers/pull/260) ([ninSmith](https://github.com/ninSmith)) ## [1.11.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.11.0) (2018-07-13) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.10.4...1.11.0) **Implemented enhancements:** @@ -487,7 +667,6 @@ - Add hashdd analyzer [\#284](https://github.com/TheHive-Project/Cortex-Analyzers/pull/284) ([iosonogio](https://github.com/iosonogio)) ## [1.10.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.10.4) (2018-06-23) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.10.3...1.10.4) **Fixed bugs:** @@ -495,7 +674,6 @@ - IBM X-Force and Abuse finder problems found in shorts and long report [\#290](https://github.com/TheHive-Project/Cortex-Analyzers/issues/290) ## [1.10.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.10.3) (2018-06-18) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.10.2...1.10.3) **Implemented enhancements:** @@ -514,7 +692,6 @@ - API Keys to be submitted through Cortex for Analyzers [\#7](https://github.com/TheHive-Project/Cortex-Analyzers/issues/7) ## [1.10.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.10.2) (2018-06-08) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.10.1...1.10.2) **Fixed bugs:** @@ -531,7 +708,6 @@ - Yara config for multi pathes is not parsing correctly in platform [\#274](https://github.com/TheHive-Project/Cortex-Analyzers/issues/274) ## [1.10.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.10.1) (2018-06-06) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.10.0...1.10.1) **Fixed bugs:** 
@@ -539,7 +715,6 @@ - Wrong name for Staxx report template [\#272](https://github.com/TheHive-Project/Cortex-Analyzers/issues/272) ## [1.10.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.10.0) (2018-06-06) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.7...1.10.0) **Implemented enhancements:** @@ -552,7 +727,6 @@ - URLhaus analyzer [\#226](https://github.com/TheHive-Project/Cortex-Analyzers/issues/226) - cybercrime-tracker.net analyzer [\#220](https://github.com/TheHive-Project/Cortex-Analyzers/issues/220) - Anomali Staxx Analyzer [\#180](https://github.com/TheHive-Project/Cortex-Analyzers/issues/180) -- Download only new hash files [\#242](https://github.com/TheHive-Project/Cortex-Analyzers/pull/242) ([ktneely](https://github.com/ktneely)) - Develop branch, add Staxx Analyzer [\#263](https://github.com/TheHive-Project/Cortex-Analyzers/pull/263) ([robertnixon2003](https://github.com/robertnixon2003)) - Improve EmergingThreats analyzers [\#259](https://github.com/TheHive-Project/Cortex-Analyzers/pull/259) ([ant1](https://github.com/ant1)) - Created Mnemonic PDNS public and closed analyzers [\#256](https://github.com/TheHive-Project/Cortex-Analyzers/pull/256) ([NFCERT](https://github.com/NFCERT)) 
@@ -566,27 +740,26 @@ **Fixed bugs:** +- Release 1.10.0 [\#270](https://github.com/TheHive-Project/Cortex-Analyzers/issues/270) +- No short report in Hybrid-Analysis when there is no result [\#267](https://github.com/TheHive-Project/Cortex-Analyzers/issues/267) - Payloadsecurity [\#262](https://github.com/TheHive-Project/Cortex-Analyzers/issues/262) - Bug in EmergingThreats\_MalwareInfo analyzer [\#258](https://github.com/TheHive-Project/Cortex-Analyzers/issues/258) - Error in permalink in Cymon long report template [\#238](https://github.com/TheHive-Project/Cortex-Analyzers/issues/238) - Added the executable flag to cuckoosandbox\_analyzer.py [\#266](https://github.com/TheHive-Project/Cortex-Analyzers/pull/266) ([Jack28](https://github.com/Jack28)) +- JoeSandbox analyzers: use a sane analysis timeout [\#239](https://github.com/TheHive-Project/Cortex-Analyzers/pull/239) ([ant1](https://github.com/ant1)) - MISP WarningLists - Handling IP address lookup in CIDR IP ranges [\#200](https://github.com/TheHive-Project/Cortex-Analyzers/pull/200) ([srilumpa](https://github.com/srilumpa)) **Closed issues:** - Create GreyNoise analyzer template [\#269](https://github.com/TheHive-Project/Cortex-Analyzers/issues/269) -**Merged pull requests:** - -- Add URLhaus analyzer [\#227](https://github.com/TheHive-Project/Cortex-Analyzers/pull/227) ([ninoseki](https://github.com/ninoseki)) - ## [1.9.7](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.7) (2018-05-29) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.6...1.9.7) **Implemented enhancements:** - Update analyzers configuration for Cortex2 [\#172](https://github.com/TheHive-Project/Cortex-Analyzers/issues/172) +- Download only new hash files [\#242](https://github.com/TheHive-Project/Cortex-Analyzers/pull/242) ([ktneely](https://github.com/ktneely)) **Fixed bugs:** 
@@ -598,7 +771,6 @@ - Bluecoat Analyzer [\#85](https://github.com/TheHive-Project/Cortex-Analyzers/issues/85) ## [1.9.6](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.6) (2018-04-25) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.5...1.9.6) **Fixed bugs:** @@ -606,7 +778,6 @@ - Yeti pyton lib fails to install for python\_version \> 2.7 [\#241](https://github.com/TheHive-Project/Cortex-Analyzers/issues/241) ## [1.9.5](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.5) (2018-04-18) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.4...1.9.5) **Fixed bugs:** @@ -615,7 +786,6 @@ - Censys analyzer : no uid given but the parameter is set [\#232](https://github.com/TheHive-Project/Cortex-Analyzers/issues/232) ## [1.9.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.4) (2018-04-13) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.3...1.9.4) **Implemented enhancements:** @@ -627,8 +797,11 @@ - Hybrid Analysis returns success when filename query didn't work [\#223](https://github.com/TheHive-Project/Cortex-Analyzers/issues/223) - Fix JSB Url Analysis template [\#207](https://github.com/TheHive-Project/Cortex-Analyzers/pull/207) ([ant1](https://github.com/ant1)) -## [1.9.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.3) (2018-04-09) +**Merged pull requests:** +- Add URLhaus analyzer [\#227](https://github.com/TheHive-Project/Cortex-Analyzers/pull/227) ([ninoseki](https://github.com/ninoseki)) + +## [1.9.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.3) (2018-04-09) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.2...1.9.3) **Implemented enhancements:** 
@@ -648,7 +821,6 @@ - Feature Request: haveibeenpwned.com [\#189](https://github.com/TheHive-Project/Cortex-Analyzers/issues/189) ## [1.9.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.2) (2018-04-04) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.1...1.9.2) **Fixed bugs:** @@ -662,11 +834,9 @@ - OTXQuery\_2\_0 failes with Cortex2 [\#217](https://github.com/TheHive-Project/Cortex-Analyzers/issues/217) ## [1.9.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.1) (2018-03-30) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.9.0...1.9.1) ## [1.9.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.9.0) (2018-03-29) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.8.3...1.9.0) **Implemented enhancements:** 
@@ -676,20 +846,18 @@ - Manage fqdn datatype in domain\_name service of DNSDB analyzer [\#182](https://github.com/TheHive-Project/Cortex-Analyzers/issues/182) - Improve Phishtank maliciousness results [\#181](https://github.com/TheHive-Project/Cortex-Analyzers/issues/181) - IP type for CIRCL Passive DNS and others [\#99](https://github.com/TheHive-Project/Cortex-Analyzers/issues/99) -- WIP: PEP8 all the things [\#165](https://github.com/TheHive-Project/Cortex-Analyzers/pull/165) ([3c7](https://github.com/3c7)) - added Malpedia Analyzer [\#168](https://github.com/TheHive-Project/Cortex-Analyzers/pull/168) ([garanews](https://github.com/garanews)) **Fixed bugs:** - Fortiguard analyzer : use HTTPS to request fortiguard service [\#201](https://github.com/TheHive-Project/Cortex-Analyzers/issues/201) +- DomainTools\\_ReverseIP should accept fqdn and/or domain as datatype [\#193](https://github.com/TheHive-Project/Cortex-Analyzers/issues/193) **Merged pull requests:** -- Fixes some problems with automatic artifact extraction [\#184](https://github.com/TheHive-Project/Cortex-Analyzers/pull/184) ([3c7](https://github.com/3c7)) - Addedd cymon cortex analyzers [\#133](https://github.com/TheHive-Project/Cortex-Analyzers/pull/133) ([ST2Labs](https://github.com/ST2Labs)) ## [1.8.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.8.3) (2018-03-23) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.8.2...1.8.3) **Fixed bugs:** @@ -698,7 +866,6 @@ - Bug in Abuse\_Finder Analyzer [\#161](https://github.com/TheHive-Project/Cortex-Analyzers/issues/161) ## [1.8.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.8.2) (2018-03-21) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.8.1...1.8.2) **Fixed bugs:** 
@@ -716,8 +883,11 @@ - MISP WarningLists long report does not display results [\#195](https://github.com/TheHive-Project/Cortex-Analyzers/issues/195) - error in MISP/requirements.txt [\#179](https://github.com/TheHive-Project/Cortex-Analyzers/issues/179) -## [1.8.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.8.1) (2018-02-05) +**Merged pull requests:** + +- Fixes some problems with automatic artifact extraction [\#184](https://github.com/TheHive-Project/Cortex-Analyzers/pull/184) ([3c7](https://github.com/3c7)) +## [1.8.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.8.1) (2018-02-05) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.8.0...1.8.1) **Implemented enhancements:** @@ -733,12 +903,12 @@ - Malpedia \(yara\) Analyzer [\#166](https://github.com/TheHive-Project/Cortex-Analyzers/issues/166) ## [1.8.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.8.0) (2018-01-11) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.7.1...1.8.0) **Implemented enhancements:** - VirusTotal ignores Environment Proxies [\#130](https://github.com/TheHive-Project/Cortex-Analyzers/issues/130) +- WIP: PEP8 all the things [\#165](https://github.com/TheHive-Project/Cortex-Analyzers/pull/165) ([3c7](https://github.com/3c7)) - Feature/bluecoat [\#84](https://github.com/TheHive-Project/Cortex-Analyzers/pull/84) ([0xswitch](https://github.com/0xswitch)) - Fixes \#149, removes download\_hashes.py [\#155](https://github.com/TheHive-Project/Cortex-Analyzers/pull/155) ([3c7](https://github.com/3c7)) - Joe Sandbox API version 2 support [\#141](https://github.com/TheHive-Project/Cortex-Analyzers/pull/141) ([ant1](https://github.com/ant1)) 
@@ -766,7 +936,6 @@ - Fixed requirements parsing MsgParser/requirements.txt [\#159](https://github.com/TheHive-Project/Cortex-Analyzers/pull/159) ([peasead](https://github.com/peasead)) - Censys.io analyzer [\#153](https://github.com/TheHive-Project/Cortex-Analyzers/pull/153) ([3c7](https://github.com/3c7)) -- C1fApp Initial version [\#119](https://github.com/TheHive-Project/Cortex-Analyzers/pull/119) ([etz69](https://github.com/etz69)) - Fix mode when creating FireHOL ipset directory [\#158](https://github.com/TheHive-Project/Cortex-Analyzers/pull/158) ([srilumpa](https://github.com/srilumpa)) - Add Onyphe analyzers [\#152](https://github.com/TheHive-Project/Cortex-Analyzers/pull/152) ([Pierre-Baudry](https://github.com/Pierre-Baudry)) - Tor blutmagie [\#139](https://github.com/TheHive-Project/Cortex-Analyzers/pull/139) ([srilumpa](https://github.com/srilumpa)) @@ -776,7 +945,6 @@ - Robtex API Analyzer [\#105](https://github.com/TheHive-Project/Cortex-Analyzers/pull/105) ([3c7](https://github.com/3c7)) ## [1.7.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.7.1) (2017-12-06) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.7.0...1.7.1) **Closed issues:** @@ -790,7 +958,6 @@ - Rename hybridanalysis\_analyzer.py to HybridAnalysis\_analyzer.py [\#151](https://github.com/TheHive-Project/Cortex-Analyzers/pull/151) ([treed593](https://github.com/treed593)) ## [1.7.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.7.0) (2017-11-08) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.6.5...1.7.0) **Implemented enhancements:** 
@@ -806,20 +973,15 @@ **Merged pull requests:** -- add Analyzers Shodan [\#125](https://github.com/TheHive-Project/Cortex-Analyzers/pull/125) ([sebdraven](https://github.com/sebdraven)) -- Updated VT Links in Long Report [\#111](https://github.com/TheHive-Project/Cortex-Analyzers/pull/111) ([saadkadhi](https://github.com/saadkadhi)) -- Adding netaddr to requirements for nessus analyzer [\#83](https://github.com/TheHive-Project/Cortex-Analyzers/pull/83) ([drewstinnett](https://github.com/drewstinnett)) - Fix PhishTank analyzer [\#128](https://github.com/TheHive-Project/Cortex-Analyzers/pull/128) ([ilyaglow](https://github.com/ilyaglow)) - Fixed: hide empty panel from template [\#108](https://github.com/TheHive-Project/Cortex-Analyzers/pull/108) ([dadokkio](https://github.com/dadokkio)) - Fixes MISP Analyzer name bug [\#95](https://github.com/TheHive-Project/Cortex-Analyzers/pull/95) ([3c7](https://github.com/3c7)) - Added VxStream Sandbox \(Hybrid Analysis\) Analyzer [\#73](https://github.com/TheHive-Project/Cortex-Analyzers/pull/73) ([yugoslavskiy](https://github.com/yugoslavskiy)) ## [1.6.5](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.6.5) (2017-11-05) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.6.4...1.6.5) ## [1.6.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.6.4) (2017-11-04) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.6.3...1.6.4) **Fixed bugs:** 
@@ -837,11 +999,14 @@ **Merged pull requests:** +- add Analyzers Shodan [\#125](https://github.com/TheHive-Project/Cortex-Analyzers/pull/125) ([sebdraven](https://github.com/sebdraven)) +- ProofPoint Threat Insight Forensics Analyzer [\#123](https://github.com/TheHive-Project/Cortex-Analyzers/pull/123) ([typonino](https://github.com/typonino)) +- C1fApp Initial version [\#119](https://github.com/TheHive-Project/Cortex-Analyzers/pull/119) ([etz69](https://github.com/etz69)) +- Updated VT Links in Long Report [\#111](https://github.com/TheHive-Project/Cortex-Analyzers/pull/111) ([saadkadhi](https://github.com/saadkadhi)) - Revert "Updated VT links in Long report" [\#110](https://github.com/TheHive-Project/Cortex-Analyzers/pull/110) ([saadkadhi](https://github.com/saadkadhi)) - Updated VT links in Long report [\#98](https://github.com/TheHive-Project/Cortex-Analyzers/pull/98) ([mthlvt](https://github.com/mthlvt)) ## [1.6.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.6.3) (2017-09-10) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.6.2...1.6.3) **Merged pull requests:** @@ -849,7 +1014,6 @@ - MISP Analyzer: forgot to add same procedure if using just one MISP-Server [\#91](https://github.com/TheHive-Project/Cortex-Analyzers/pull/91) ([3c7](https://github.com/3c7)) ## [1.6.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.6.2) (2017-09-04) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.6.1...1.6.2) **Closed issues:** @@ -861,7 +1025,6 @@ - Updates to Virusshare analyzer [\#80](https://github.com/TheHive-Project/Cortex-Analyzers/pull/80) ([colinvanniekerk](https://github.com/colinvanniekerk)) ## [1.6.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.6.1) (2017-09-04) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.6.0...1.6.1) **Closed issues:** 
@@ -871,9 +1034,9 @@ **Merged pull requests:** - Fixes bug in MISP client [\#88](https://github.com/TheHive-Project/Cortex-Analyzers/pull/88) ([3c7](https://github.com/3c7)) +- Adding netaddr to requirements for nessus analyzer [\#83](https://github.com/TheHive-Project/Cortex-Analyzers/pull/83) ([drewstinnett](https://github.com/drewstinnett)) ## [1.6.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.6.0) (2017-07-27) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.5.1...1.6.0) **Closed issues:** @@ -884,11 +1047,10 @@ **Merged pull requests:** +- Feature/fireeye\_ax [\#78](https://github.com/TheHive-Project/Cortex-Analyzers/pull/78) ([BrevilleBro](https://github.com/BrevilleBro)) - added WOT analyzer & fixed cuckoo templates issue [\#77](https://github.com/TheHive-Project/Cortex-Analyzers/pull/77) ([garanews](https://github.com/garanews)) -- Cuckoo Sandbox Analyzer [\#50](https://github.com/TheHive-Project/Cortex-Analyzers/pull/50) ([garanews](https://github.com/garanews)) ## [1.5.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.5.1) (2017-07-13) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.5.0...1.5.1) **Fixed bugs:** @@ -899,8 +1061,11 @@ - Virustotal Scan returning incorrect taxonomy on URL scan [\#74](https://github.com/TheHive-Project/Cortex-Analyzers/issues/74) -## [1.5.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.5.0) (2017-07-05) +**Merged pull requests:** +- Cuckoo Sandbox Analyzer [\#50](https://github.com/TheHive-Project/Cortex-Analyzers/pull/50) ([garanews](https://github.com/garanews)) + +## [1.5.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.5.0) (2017-07-05) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.4.4...1.5.0) **Implemented enhancements:** 
@@ -926,7 +1091,6 @@ - There were no carriage returns so it would break if you wanted to mass install the analyzer requirements [\#61](https://github.com/TheHive-Project/Cortex-Analyzers/pull/61) ([Popsiclestick](https://github.com/Popsiclestick)) ## [1.4.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.4.4) (2017-06-15) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.4.3...1.4.4) **Fixed bugs:** @@ -934,7 +1098,6 @@ - Inconsistance between long and short reports in MISP analyzer [\#59](https://github.com/TheHive-Project/Cortex-Analyzers/issues/59) ## [1.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.4.3) (2017-06-15) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.4.2...1.4.3) **Fixed bugs:** @@ -943,15 +1106,12 @@ - Encoding problem in cortexutils [\#54](https://github.com/TheHive-Project/Cortex-Analyzers/issues/54) ## [1.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.4.2) (2017-05-24) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.4.1...1.4.2) ## [1.4.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.4.1) (2017-05-23) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.4.0...1.4.1) ## [1.4.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.4.0) (2017-05-22) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.3.1...1.4.0) **Fixed bugs:** 
@@ -968,11 +1128,9 @@ - corrected for change to fortiguard portal [\#51](https://github.com/TheHive-Project/Cortex-Analyzers/pull/51) ([ecapuano](https://github.com/ecapuano)) ## [1.3.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.3.1) (2017-05-12) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.3.0...1.3.1) ## [1.3.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.3.0) (2017-05-08) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.2.0...1.3.0) **Implemented enhancements:** @@ -1000,7 +1158,6 @@ - Use StringIO.StringIO\(\) with python2 [\#36](https://github.com/TheHive-Project/Cortex-Analyzers/pull/36) ([3c7](https://github.com/3c7)) ## [1.2.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.2.0) (2017-03-31) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.1.0...1.2.0) **Closed issues:** @@ -1015,7 +1172,6 @@ - Nessus Analyzer [\#20](https://github.com/TheHive-Project/Cortex-Analyzers/pull/20) ([guillomovitch](https://github.com/guillomovitch)) ## [1.1.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.1.0) (2017-03-07) - [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/1.0.0...1.1.0) **Implemented enhancements:** @@ -1027,6 +1183,7 @@ **Fixed bugs:** - OTX Query error when processing a file in Cortex [\#21](https://github.com/TheHive-Project/Cortex-Analyzers/issues/21) +- VirusTotal GetReport can't get report for files from Cortex [\#9](https://github.com/TheHive-Project/Cortex-Analyzers/issues/9) **Closed issues:** 
@@ -1034,13 +1191,10 @@ - Working on analyzers: CIRCL.lu PassiveSSL/DNS, CERT.AT PassiveDNS, MISP, IntelMQ, VMRay, Google Safebrowsing, URLQuery, yara [\#3](https://github.com/TheHive-Project/Cortex-Analyzers/issues/3) ## [1.0.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/1.0.0) (2017-02-17) - -[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/bafbe44f28b3f8d8dddd9bac3f16f2b0416f740c...1.0.0) - **Closed issues:** - "VirusTotal\_Scan" analyzer is not checking for TLP [\#2](https://github.com/TheHive-Project/Cortex-Analyzers/issues/2) -\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file From a8cd905e37f30b8fd3c6fc95631a3930648f36ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Tue, 12 May 2020 16:20:28 +0200 Subject: [PATCH 34/36] add version to Changelog --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d8caefd51..a346e5a1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ # Change Log -## [Unreleased](https://github.com/TheHive-Project/Cortex-Analyzers/tree/HEAD) +## [Unreleased](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.7.0) (2020-05-14) -[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.6.0...HEAD) +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.6.0...2.7.0) **Implemented enhancements:** 
@@ -1197,4 +1197,4 @@ -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* From 8b74836bd17b1460622c22551e4aa1c377aa8de7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Tue, 12 May 2020 16:49:04 +0200 Subject: [PATCH 35/36] add version to Changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a346e5a1c..c825ca8ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Change Log -## [Unreleased](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.7.0) (2020-05-14) +## [2.7.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/2.7.0) (2020-05-14) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/2.6.0...2.7.0) From f5daf3b144350d1208ed26425522ae79d2a1f76d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Thu, 11 Jun 2020 08:35:20 +0200 Subject: [PATCH 36/36] #789 catalogs removed --- analyzers/catalog-devel.json | 3735 -------------------------------- analyzers/catalog-stable.json | 3735 -------------------------------- analyzers/catalog.json | 3735 -------------------------------- responders/catalog-devel.json | 102 - responders/catalog-stable.json | 102 - responders/catalog.json | 102 - 6 files changed, 11511 deletions(-) delete mode 100644 analyzers/catalog-devel.json delete mode 100644 analyzers/catalog-stable.json delete mode 100644 analyzers/catalog.json delete mode 100644 responders/catalog-devel.json delete mode 100644 responders/catalog-stable.json delete mode 100644 responders/catalog.json diff --git a/analyzers/catalog-devel.json b/analyzers/catalog-devel.json deleted file mode 100644 index bc71d756c..000000000 
--- a/analyzers/catalog-devel.json
+++ /dev/null
@@ -1,3735 +0,0 @@ -[ -{ - "name": "AbuseIPDB", - "version": "1.0", - "author": "Matteo Lodi", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-v3", - "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB", - "dataTypeList": [ - "ip" - ], - "baseConfig": "AbuseIPDB", - "configurationItems": [ - { - "name": "key", - "description": "API key for AbuseIPDB", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "days", - "description": "Check for IP Reports in the last X days", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 30 - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "dockerImage": "cortexneurons/abuseipdb:devel" -} -, -{ - "name": "Abuse_Finder", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.", - "dataTypeList": [ - "ip", - "domain", - "url", - "mail" - ], - "baseConfig": "Abuse_Finder", - "dockerImage": "cortexneurons/abuse_finder:devel" -} -, -{ - "name": "BackscatterIO_Enrichment", - "version": "1.0", - "author": "brandon@backscatter.io", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Enrich values using Backscatter.io data.", - "dataTypeList": [ - "ip", - "network", - "autonomous-system", - "port" - ], - "baseConfig": "BackscatterIO", - "configurationItems": [ - { - "name": "key", - "description": "API key for Backscatter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": true, - "service": "enrichment" - }, - "dockerImage": "cortexneurons/backscatterio_enrichment:devel" -} -, -{ - "name": "BackscatterIO_GetObservations", - "version": "1.0", - "author": 
"brandon@backscatter.io", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Determine whether a value has known scanning activity using Backscatter.io data.", - "dataTypeList": [ - "ip", - "network", - "autonomous-system" - ], - "baseConfig": "BackscatterIO", - "configurationItems": [ - { - "name": "key", - "description": "API key for Backscatter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": true, - "service": "observations" - }, - "dockerImage": "cortexneurons/backscatterio_getobservations:devel" -} -, -{ - "name": "C1fApp", - "version": "1.0", - "author": "etz69", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query C1fApp OSINT Aggregator for IPs, domains and URLs", - "dataTypeList": [ - "url", - "domain", - "ip" - ], - "baseConfig": "C1fApp", - "configurationItems": [ - { - "name": "url", - "description": "URL of C1fApp service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/c1fapp:devel" -} -, -{ - "name": "CERTatPassiveDNS", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Checks CERT.at Passive DNS for a given domain.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "CERTatPassiveDNS", - "configurationItems": [ - { - "name": "limit", - "description": "Define the maximum number of results per request", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - } - ], - "dockerImage": "cortexneurons/certatpassivedns:devel" -} -, -{ - "name": "CIRCLPassiveDNS", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": 
"https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check CIRCL's Passive DNS for a given domain or URL.", - "dataTypeList": [ - "domain", - "url", - "ip" - ], - "baseConfig": "CIRCL", - "configurationItems": [ - { - "name": "user", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/circlpassivedns:devel" -} -, -{ - "name": "CIRCLPassiveSSL", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash.", - "dataTypeList": [ - "ip", - "certificate_hash", - "hash" - ], - "baseConfig": "CIRCL", - "configurationItems": [ - { - "name": "user", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/circlpassivessl:devel" -} -, -{ - "name": "Censys", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/censys-analyzer", - "version": "1.0", - "description": "Check IPs, certificate hashes or domains against censys.io.", - "dataTypeList": [ - "ip", - "hash", - "domain" - ], - "baseConfig": "Censys", - "configurationItems": [ - { - "name": "uid", - "description": "UID for Censys", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/censys:devel" -} -, -{ - "name": "Crt_sh_Transparency_Logs", - "author": "crackytsi", - "license": "AGPL-V3", - "url": "https://crt.sh", - "version": 
"1.0", - "baseConfig": "Crtsh", - "config": { - "check_tlp": false, - "max_tlp": 3 - }, - "description": "Query domains against the certificate transparency lists available at crt.sh.", - "dataTypeList": [ - "domain" - ], - "configurationItems": [], - "dockerImage": "cortexneurons/crt_sh_transparency_logs:devel" -} -, -{ - "name": "CuckooSandbox_File_Analysis_Inet", - "version": "1.1", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Cuckoo Sandbox file analysis with Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "CuckooSandbox", - "configurationItems": [ - { - "name": "url", - "description": "URL", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "token", - "description": "API token", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/cuckoosandbox_file_analysis_inet:devel" -} -, -{ - "name": "CuckooSandbox_Url_Analysis", - "version": "1.1", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Cuckoo Sandbox URL analysis.", - "dataTypeList": [ - "url" - ], - "baseConfig": "CuckooSandbox", - "configurationItems": [ - { - "name": "url", - "description": "URL", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "token", - "description": "API token", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, 
- "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/cuckoosandbox_url_analysis:devel" -} -, -{ - "name": "CyberCrime-Tracker", - "author": "ph34tur3", - "license": "AGPL-V3", - "url": "https://github.com/ph34tur3/Cortex-Analyzers", - "version": "1.0", - "description": "Search cybercrime-tracker.net for C2 servers.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "other" - ], - "baseConfig": "CyberCrimeTracker", - "config": { - "check_tlp": true, - "max_tlp": 2 - }, - "configurationItems": [], - "dockerImage": "cortexneurons/cybercrime-tracker:devel" -} -, -{ - "name": "Cyberprotect_ThreatScore", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect", - "dataTypeList": [ - "domain", - "ip" - ], - "baseConfig": "Cyberprotect", - "config": { - "service": "ThreatScore", - "check_tlp": true - }, - "dockerImage": "cortexneurons/cyberprotect_threatscore:devel" -} -, -{ - "name": "Cymon_Check_IP", - "version": "2.1", - "author": "Julian Gonzalez", - "url": "https://github.com/ST2labs/Analyzers", - "license": "AGPL-V3", - "description": "Check an IP addr against Cymon.io.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Cymon", - "config": { - "service": "Check_IP" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Cymon.io", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/cymon_check_ip:devel" -} -, -{ - "name": "DNSDB_DomainName", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for 
a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DNSDB", - "config": { - "service": "domain_name" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_domainname:devel" -} -, -{ - "name": "DNSDB_IPHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "DNSDB", - "config": { - "service": "ip_history" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_iphistory:devel" -} -, -{ - "name": "DNSDB_NameHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for a fully-qualified domain name.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DNSDB", - "config": { - "service": "name_history" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_namehistory:devel" -} -, -{ - "name": "DNSSinkhole", - "author": "Andrea 
Garavaglia, LDO-CERT", - "license": "AGPL-V3", - "url": "https://github.com/LDO-CERT/cortex-analyzer", - "version": "1.0", - "description": "Check if a domain is sinkholed via DNS Sinkhole server", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DNSSinkhole", - "configurationItems": [ - { - "name": "ip", - "description": "Define the DNS Sinkhole Server IP", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "sink_ip", - "description": "Define the sinkholed response address IP", - "required": true, - "multi": false, - "type": "string" - } - ], - "dockerImage": "cortexneurons/dnssinkhole:devel" -} -, -{ - "name": "DShield_lookup", - "version": "1.0", - "author": "Xavier Xavier, SANS ISC", - "url": "https://github.com/xme/thehive/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query the SANS ISC DShield API to check for an IP address reputation.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "DShield", - "config": { - "service": "query" - }, - "dockerImage": "cortexneurons/dshield_lookup:devel" -} -, -{ - "name": "DomainTools_HostingHistory", - "version": "2.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "hosting-history" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_hostinghistory:devel" -} -, -{ - "name": "DomainTools_Reputation", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - 
"license": "AGPL-V3", - "description": "Use DomainTools to get a reputation score on a domain or fqdn", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reputation" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reputation:devel" -} -, -{ - "name": "DomainTools_ReverseIP", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names sharing the same IP address.", - "dataTypeList": [ - "ip", - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-ip" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reverseip:devel" -} -, -{ - "name": "DomainTools_ReverseIPWhois", - "version": "2.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of IP addresses which share the same registrant information.", - "dataTypeList": [ - "mail", - "ip", - "domain", - "other" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-ip-whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API 
credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reverseipwhois:devel" -} -, -{ - "name": "DomainTools_ReverseNameServer", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names that share the same primary or secondary name server.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "name-server-domains" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reversenameserver:devel" -} -, -{ - "name": "DomainTools_ReverseWhois", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names which share the same registrant information.", - "dataTypeList": [ - "mail", - "ip", - "domain", - "other" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reversewhois:devel" -} -, -{ - "name": "DomainTools_Risk", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn", 
- "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "risk_evidence" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_risk:devel" -} -, -{ - "name": "DomainTools_WhoisHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of historical Whois records associated with a domain name.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois/history" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoishistory:devel" -} -, -{ - "name": "DomainTools_WhoisLookup", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.", - "dataTypeList": [ - "domain", - "ip" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois/parsed" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": 
"cortexneurons/domaintools_whoislookup:devel" -} -, -{ - "name": "DomainTools_WhoisLookupUnparsed", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get the ownership record for an IP address or a domain without parsing.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoislookupunparsed:devel" -} -, -{ - "name": "EmergingThreats_DomainInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_domaininfo:devel" -} -, -{ - "name": "EmergingThreats_IPInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET reputation, related malware, and IDS requests for a given IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": 
"cortexneurons/emergingthreats_ipinfo:devel" -} -, -{ - "name": "EmergingThreats_MalwareInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET details and info related to a malware hash.", - "dataTypeList": [ - "file", - "hash" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_malwareinfo:devel" -} -, -{ - "name": "EmlParser", - "version": "1.2", - "author": "ninsmith", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "baseConfig": "EmlParser", - "config": { - "check_tlp": false, - "max_tlp": 3, - "service": "" - }, - "description": "Parse Eml message", - "dataTypeList": [ - "file" - ], - "dockerImage": "cortexneurons/emlparser:devel" -} -, -{ - "name": "FileInfo", - "version": "6.0", - "author": "TheHive-Project", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...", - "dataTypeList": [ - "file" - ], - "baseConfig": "FileInfo", - "configurationItems": [ - { - "name": "manalyze_enable", - "description": "Wether to enable manalyze submodule or not.", - "type": "boolean", - "required": true, - "multi": false - }, - { - "name": "manalyze_enable_docker", - "description": "Use docker to run Manalyze.", - "type": "boolean", - "required": false, - "multi": false, - "default": false - }, - { - "name": "manalyze_enable_binary", - "description": "Use local binary to run Manalyze. 
Need to compile it before!", - "type": "boolean", - "required": false, - "multi": false, - "default": true - }, - { - "name": "manalyze_binary_path", - "description": "Path to the Manalyze binary that was compiled before", - "type": "string", - "required": false, - "multi": false, - "default": "/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze" - } - ], - "dockerImage": "cortexneurons/fileinfo:devel" -} -, -{ - "name": "FireEyeiSight", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/LDO-CERT/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.", - "dataTypeList": [ - "domain", - "ip", - "hash", - "url" - ], - "baseConfig": "FireEyeiSight", - "config": { - "check_tlp": true, - "max_tlp": 2, - "service": "query" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for FireEye iSIGHT.", - "required": true, - "type": "string", - "multi": false - }, - { - "name": "pwd", - "description": "Password associated to the API key.", - "required": true, - "type": "string", - "multi": false - } - ], - "dockerImage": "cortexneurons/fireeyeisight:devel" -} -, -{ - "name": "FireHOLBlocklists", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check IP addresses against the FireHOL blocklists", - "dataTypeList": [ - "ip" - ], - "baseConfig": "FireHOLBlocklists", - "configurationItems": [ - { - "name": "blocklistpath", - "description": "Path to blocklists", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/fireholblocklists:devel" -} -, -{ - "name": "Fortiguard_URLCategory", - "version": "2.1", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "dataTypeList": [ - "domain", - "url", - 
"fqdn" - ], - "description": "Check the Fortiguard category of a URL, FQDN or a domain. Check the full available list at https://fortiguard.com/webfilter/categories", - "baseConfig": "Fortiguard", - "configurationItems": [ - { - "name": "malicious_categories", - "description": "List of FortiGuard categories to be considered as malicious", - "type": "string", - "multi": true, - "required": true, - "defaultValue": [ - "Malicious Websites", - "Phishing", - "Spam URLs" - ] - }, - { - "name": "suspicious_categories", - "description": "List of FortiGuard categories to be considered as suspicious", - "type": "string", - "multi": true, - "required": true, - "defaultValue": [ - "Newly Observed Domain", - "Newly Registered Domain", - "Dynamic DNS", - "Proxy Avoidance", - "Hacking" - ] - } - ], - "dockerImage": "cortexneurons/fortiguard_urlcategory:devel" -} -, -{ - "name": "GoogleDNS_resolve", - "version": "1.0.0", - "author": "CERT-LaPoste", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Request Google DNS over HTTPS service", - "dataTypeList": [ - "domain", - "ip", - "fqdn" - ], - "baseConfig": "GoogleDNS", - "config": { - "service": "get" - }, - "configurationItems": [], - "dockerImage": "cortexneurons/googledns_resolve:devel" -} -, -{ - "name": "GoogleSafebrowsing", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Use Google Safebrowing to check URLs and domain names.", - "dataTypeList": [ - "url", - "domain" - ], - "baseConfig": "GoogleSafebrowsing", - "configurationItems": [ - { - "name": "client_id", - "description": "Client identifier", - "type": "string", - "multi": false, - "required": false, - "defaultValue": "cortex" - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/googlesafebrowsing:devel" 
-} -, -{ - "name": "GreyNoise", - "version": "2.3", - "author": "Nclose", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Determine whether an IP has known scanning activity using GreyNoise.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "GreyNoise", - "configurationItems": [ - { - "name": "key", - "description": "API key for GreyNoise", - "type": "string", - "multi": false, - "required": false - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "dockerImage": "cortexneurons/greynoise:devel" -} -, -{ - "name": "HIBP_Query", - "version": "1.0", - "author": "Matt Erasmus", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query haveibeenpwned.com for a compromised email address", - "dataTypeList": [ - "mail" - ], - "baseConfig": "HIBP", - "config": { - "service": "query", - "url": "https://haveibeenpwned.com/api/v2/breachedaccount/" - }, - "configurationItems": [ - { - "name": "unverified", - "description": "Include unverified breaches", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/hibp_query:devel" -} -, -{ - "name": "Hashdd_Detail", - "version": "1.0", - "author": "iosonogio", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPLv3", - "description": "Determine whether a hash is good or bad; if good then list what it is.", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Hashdd", - "config": { - "service": "detail" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "API key for hashdd", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hashdd_detail:devel" -} -, -{ - "name": "Hashdd_Status", - "version": "1.0", - "author": "iosonogio", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPLv3", - "description": 
"Determine whether a hash is good or bad.", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Hashdd", - "config": { - "service": "status" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "API key for hashdd", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/hashdd_status:devel" -} -, -{ - "name": "Hipposcore", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Hippocampe Score report associated with an IP address, a domain or a URL.", - "dataTypeList": [ - "ip", - "domain", - "fqdn", - "url" - ], - "baseConfig": "Hippocampe", - "config": { - "service": "hipposcore" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hipposcore:devel" -} -, -{ - "name": "HippoMore", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Hippocampe detailed report for an IP address, a domain or a URL.", - "dataTypeList": [ - "ip", - "domain", - "fqdn", - "url" - ], - "baseConfig": "Hippocampe", - "config": { - "service": "more" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hippomore:devel" -} -, -{ - "name": "Hunterio_DomainSearch", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "hunter.io is a service to find email addresses from a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Hunterio", - "config": { - "service": "domainsearch", - "check_tlp": false - }, - "configurationItems": [ - { - 
"name": "key", - "description": "api key of hunter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hunterio_domainsearch:devel" -} -, -{ - "name": "HybridAnalysis_GetReport", - "version": "1.0", - "author": "Daniil Yugoslavskiy, Tieto", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "dataTypeList": [ - "hash", - "file", - "filename" - ], - "description": "Fetch Hybrid Analysis reports associated with hashes and filenames.", - "baseConfig": "HybridAnalysis", - "configurationItems": [ - { - "name": "secret", - "description": "HybridAnalysis secret", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hybridanalysis_getreport:devel" -} -, -{ - "name": "IBMXForce_Lookup", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/LDO-CERT/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query domains, IPs, hashes and URLs against IBM X-Force threat intelligence sharing platform.", - "dataTypeList": [ - "domain", - "ip", - "hash", - "url" - ], - "baseConfig": "IBMXForce", - "config": { - "service": "query" - }, - "configurationItems": [ - { - "name": "url", - "description": "X-Force API URL", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "key", - "description": "X-Force API Key", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "pwd", - "description": "X-Force API Password", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "verify", - "description": "Enable/Disable certificate verification", - "required": false, - "multi": false, - "type": "boolean", - "default": true - } - ], - "dockerImage": "cortexneurons/ibmxforce_lookup:devel" -} -, -{ - "name": 
"Investigate_Categorization", - "version": "1.0", - "author": "Cisco Umbrella Research @opendns", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate", - "license": "AGPL-V3", - "description": "Retrieve Investigate categorization and security features for a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Investigate", - "config": { - "service": "categorization" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the Investigate API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/investigate_categorization:devel" -} -, -{ - "name": "Investigate_Sample", - "version": "1.0", - "author": "Cisco Umbrella Research @opendns", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate", - "license": "AGPL-V3", - "description": "Retrieve sample data from Investigate for a hash. (Sample data provided by ThreatGrid)", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Investigate", - "config": { - "service": "sample" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the Investigate API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/investigate_sample:devel" -} -, -{ - "name": "JoeSandbox_File_Analysis_Inet", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox file analysis with Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "file_analysis_inet" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout 
(seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_file_analysis_inet:devel" -} -, -{ - "name": "JoeSandbox_File_Analysis_Noinet", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox file analysis without Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "file_analysis_noinet" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_file_analysis_noinet:devel" -} -, -{ - "name": "JoeSandbox_Url_Analysis", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox URL analysis.", - "dataTypeList": [ - "url" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "url_analysis" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": 
"analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_url_analysis:devel" -} -, -{ - "name": "MISP", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Query multiple MISP instances for events containing an observable.", - "dataTypeList": [ - "domain", - "ip", - "url", - "fqdn", - "uri_path", - "user-agent", - "hash", - "email", - "mail", - "mail_subject", - "registry", - "regexp", - "other", - "filename" - ], - "baseConfig": "MISP", - "configurationItems": [ - { - "name": "name", - "description": "Name of MISP servers", - "multi": true, - "required": false, - "type": "string" - }, - { - "name": "url", - "description": "URL of MISP servers", - "type": "string", - "multi": true, - "required": true - }, - { - "name": "key", - "description": "API key for each server", - "type": "string", - "multi": true, - "required": true - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": true, - "required": false - } - ], - "dockerImage": "cortexneurons/misp:devel" -} -, -{ - "name": "MISPWarningLists", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/misp-warninglists-analyzer", - "version": "1.0", - "description": "Check IoCs/Observables against MISP Warninglists to filter false positives.", - "dataTypeList": [ - "ip", - "hash", - "domain", - "fqdn", - "url" - ], - 
"baseConfig": "MISPWarningLists", - "configurationItems": [ - { - "name": "path", - "description": "path to Warninglists folder", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/mispwarninglists:devel" -} -, -{ - "name": "Malpedia", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "license": "AGPL-V3", - "url": "https://github.com/LDO-CERT/cortex-analyzers", - "version": "1.0", - "description": "Check files against Malpedia YARA rules.", - "dataTypeList": [ - "file" - ], - "baseConfig": "Malpedia", - "configurationItems": [ - { - "name": "path", - "description": "Rulepath", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "username", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malpedia:devel" -} -, -{ - "name": "Malwares_GetReport", - "version": "1.0", - "author": "LDO-CERT", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest Malwares report for a file, hash, domain or an IP address.", - "dataTypeList": [ - "file", - "hash", - "domain", - "ip" - ], - "baseConfig": "Malwares", - "config": { - "check_tlp": true, - "max_tlp": 3, - "service": "get" - }, - "configurationItems": [ - { - "name": "key", - "description": "Malwares.com API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malwares_getreport:devel" -} -, -{ - "name": "Malwares_Scan", - "version": "1.0", - "author": "LDO-CERT", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Malwares' API to scan a file or URL.", - "dataTypeList": [ - "file", - "url" - ], - "baseConfig": "Malwares", - "config": { - "check_tlp": true, - "service": "scan", - 
"max_tlp": 1 - }, - "configurationItems": [ - { - "name": "key", - "description": "Malwares.com API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malwares_scan:devel" -} -, -{ - "name": "MaxMind_GeoIP", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use MaxMind to geolocate an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "MaxMind", - "dockerImage": "cortexneurons/maxmind_geoip:devel" -} -, -{ - "name": "Mnemonic_pDNS_Closed", - "version": "3.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "https://passivedns.mnemonic.no/search", - "license": "AGPL-V3", - "description": "Query IP addresses and domains against Mnemonic pDNS restricted service.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "Mnemonic_pDNS", - "config": { - "check_tlp": true, - "service": "closed" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/mnemonic_pdns_closed:devel" -} -, -{ - "name": "Mnemonic_pDNS_Public", - "version": "3.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "https://passivedns.mnemonic.no/search", - "license": "AGPL-V3", - "description": "Query IP addresses and domains against Mnemonic pDNS public service.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "Mnemonic_pDNS", - "config": { - "check_tlp": true, - "service": "public" - }, - "configurationItems": [], - "dockerImage": "cortexneurons/mnemonic_pdns_public:devel" -} -, -{ - "name": "Msg_Parser", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Parse Outlook MSG files and extract the main artifacts.", - "dataTypeList": [ - "file" - ], - "baseConfig": 
"MsgParser", - "dockerImage": "cortexneurons/msg_parser:devel" -} -, -{ - "name": "Nessus", - "version": "2.0", - "author": "Guillaume Rousse", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Nessus Professional to scan hosts.", - "dataTypeList": [ - "ip", - "fqdn" - ], - "baseConfig": "Nessus", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL to the Nessus service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "login", - "description": "Define the login to Nessus", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Define the password to the Nessus account", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "policy", - "description": "Define the policy used to run scans", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "ca_bundle", - "description": "Define the path to the Nessus CA", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "allowed_network", - "description": "Define networks allowed to be scanned", - "type": "string", - "multi": true, - "required": true - } - ], - "dockerImage": "cortexneurons/nessus:devel" -} -, -{ - "name": "OTXQuery", - "version": "2.0", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query AlienVault OTX for IPs, domains, URLs, or file hashes.", - "dataTypeList": [ - "url", - "domain", - "file", - "hash", - "ip" - ], - "baseConfig": "OTXQuery", - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/otxquery:devel" -} -, -{ - "name": "Onyphe_Datascan", - "version": "1.0", - "author": "ANSSI", - "url": 
"https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve datascan information Onyphe has for the given IPv{4,6} address with history of changes or search a string.", - "dataTypeList": [ - "ip", - "other" - ], - "baseConfig": "Onyphe", - "config": { - "service": "datascan" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_datascan:devel" -} -, -{ - "name": "Onyphe_Forward", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "forward" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_forward:devel" -} -, -{ - "name": "Onyphe_Geolocate", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve geolocation information for the given IPv{4,6} address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "geolocate" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_geolocate:devel" -} -, -{ - "name": "Onyphe_Inetnum", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - 
"description": "Retrieve Onyphe Inetnum information on an IPv{4,6} address with history.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "inetnum" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_inetnum:devel" -} -, -{ - "name": "Onyphe_Ports", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve synscan information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "ports" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_ports:devel" -} -, -{ - "name": "Onyphe_Reverse", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "reverse" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_reverse:devel" -} -, -{ - "name": "Onyphe_Threats", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve Onyphe threat information for the given IPv{4,6} address with history.", 
- "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "threats" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_threats:devel" -} -, -{ - "name": "PassiveTotal_Enrichment", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Enrichment Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "enrichment" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_enrichment:devel" -} -, -{ - "name": "PassiveTotal_Malware", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Malware Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "malware" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_malware:devel" -} -, -{ - "name": "PassiveTotal_Osint", - "version": "2.0", - "author": "CERT-BDF", - "url": 
"https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal OSINT Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "osint" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_osint:devel" -} -, -{ - "name": "PassiveTotal_Passive_Dns", - "version": "2.1", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Passive DNS Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "passive_dns" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_passive_dns:devel" -} -, -{ - "name": "PassiveTotal_Ssl_Certificate_Details", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal SSL Certificate Details Lookup.", - "dataTypeList": [ - "hash", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "ssl_certificate_details" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": 
false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_ssl_certificate_details:devel" -} -, -{ - "name": "PassiveTotal_Ssl_Certificate_History", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal SSL Certificate History Lookup.", - "dataTypeList": [ - "hash", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "ssl_certificate_history" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_ssl_certificate_history:devel" -} -, -{ - "name": "PassiveTotal_Unique_Resolutions", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Unique Resolutions Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "unique_resolutions" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_unique_resolutions:devel" -} -, -{ - "name": "PassiveTotal_Whois_Details", - "version": "2.0", - "author": "CERT-BDF", - "url": 
"https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Whois Details Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "whois_details" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_whois_details:devel" -} -, -{ - "name": "Patrowl_GetReport", - "version": "1.0", - "author": "Nicolas Mattiocco", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the current Patrowl report for a fdqn, a domain or an IP address.", - "dataTypeList": [ - "fqdn", - "domain", - "ip" - ], - "baseConfig": "Patrowl", - "config": { - "service": "getreport" - }, - "configurationItems": [ - { - "name": "url", - "description": "Define the PatrOwl url", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_key", - "description": "Define the PatrOwl API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/patrowl_getreport:devel" -} -, -{ - "name": "PayloadSecurity_File_Analysis", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/notset/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PayloadSecurity Sandbox File Analysis", - "dataTypeList": [ - "file" - ], - "baseConfig": "PayloadSecurity", - "configurationItems": [ - { - "name": "url", - "description": "Define the url of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key used to connect the service", - "type": 
"string", - "multi": false, - "required": true - }, - { - "name": "secret", - "description": "Define the secret used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "environmentId", - "description": "Define the environment Id used by the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - }, - { - "name": "timeout", - "description": "Define the timeout of requests to the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 15 - }, - { - "name": "verifyssl", - "description": "Verify SSL certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/payloadsecurity_file_analysis:devel" -} -, -{ - "name": "PayloadSecurity_Url_Analysis", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/notset/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PayloadSecurity Sandbox Url Analysis", - "dataTypeList": [ - "url" - ], - "baseConfig": "PayloadSecurity", - "configurationItems": [ - { - "name": "url", - "description": "Define the url of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "secret", - "description": "Define the secret used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "environmentId", - "description": "Define the environment Id used by the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - }, - { - "name": "timeout", - "description": "Define the timeout of requests to the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 15 - }, - { - "name": "verifyssl", - "description": "Verify SSL certificate", - "type": 
"boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/payloadsecurity_url_analysis:devel" -} -, -{ - "name": "PhishTank_CheckURL", - "version": "2.1", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use PhishTank to check if a URL is a verified phishing site.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishTank", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishtank_checkurl:devel" -} -, -{ - "name": "PhishingInitiative_Lookup", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Phishing Initiative to check if a URL is a verified phishing site.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishingInitiative", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishinginitiative_lookup:devel" -} -, -{ - "name": "PhishingInitiative_Scan", - "version": "1.0", - "author": "Remi Pointel", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Phishing Initiative to scan a URL.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishingInitiative", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishinginitiative_scan:devel" -} -, -{ - "name": "ProofPoint_Lookup", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/CERT-BDF/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check URL, file, SHA256 against ProofPoint 
forensics", - "dataTypeList": [ - "url", - "file", - "hash" - ], - "baseConfig": "ProofPoint", - "config": { - "service": "query", - "max_tlp": 1, - "check_tlp": true - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the Proofpoint API, the default should be okay.", - "type": "string", - "required": true, - "defaultValue": "https://tap-api-v2.proofpoint.com", - "multi": false - }, - { - "name": "apikey", - "description": "API key to use", - "type": "string", - "required": true, - "multi": false - }, - { - "name": "secret", - "description": "Secret to the API key", - "type": "string", - "required": true, - "multi": false - }, - { - "name": "verifyssl", - "description": "Verify server's SSL certificate", - "type": "boolean", - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/proofpoint_lookup:devel" -} -, -{ - "name": "Pulsedive_GetIndicator", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Search Pulsedive.com for a giver domain name, hash, ip or url", - "dataTypeList": [ - "url", - "domain", - "ip", - "hash" - ], - "baseConfig": "Pulsedive", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/pulsedive_getindicator:devel" -} -, -{ - "name": "RecordedFuture_risk", - "version": "1.0", - "author": "KAPSCH-CDC", - "url": "https://github.com/kapschcdc/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest risk data from RecordedFuture for a hash, domain or an IP address.", - "dataTypeList": [ - "domain", - "ip", - "hash" - ], - "baseConfig": "RecordedFuture", - "configurationItems": [ - { - "name": "key", - "description": "API key for RecordedFuture", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/recordedfuture_risk:devel" -} 
-, -{ - "name": "Robtex_Forward_PDNS_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check domains and FQDNs using the Robtex passive DNS API.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Robtex", - "config": { - "service": "fpdnsquery" - }, - "dockerImage": "cortexneurons/robtex_forward_pdns_query:devel" -} -, -{ - "name": "Robtex_IP_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check IPs using the Robtex IP API.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Robtex", - "config": { - "service": "ipquery" - }, - "dockerImage": "cortexneurons/robtex_ip_query:devel" -} -, -{ - "name": "Robtex_Reverse_PDNS_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check IPs using the Robtex reverse passive DNS API.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Robtex", - "config": { - "service": "rpdnsquery" - }, - "dockerImage": "cortexneurons/robtex_reverse_pdns_query:devel" -} -, -{ - "name": "SecurityTrails_Passive_DNS", - "version": "1.0", - "author": "Manabu Niseki, @ninoseki", - "url": "https://github.com/ninoseki/cortex-securitytrails", - "license": "MIT", - "description": "SecurityTrails Passive DNS Lookup.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "SecurityTrails", - "config": { - "service": "passive_dns" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/securitytrails_passive_dns:devel" -} -, -{ - "name": "SecurityTrails_Whois", - "version": "1.0", - "author": "Manabu Niseki, @ninoseki", - "url": 
"https://github.com/ninoseki/cortex-securitytrails", - "license": "MIT", - "description": "SecurityTrails Whois Lookup.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "SecurityTrails", - "config": { - "service": "whois" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/securitytrails_whois:devel" -} -, -{ - "name": "Shodan_DNSResolve", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve domain resolutions on Shodan.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "Shodan", - "config": { - "service": "dns_resolve" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_dnsresolve:devel" -} -, -{ - "name": "Shodan_Host", - "version": "1.0", - "author": "Sebastien Larinier @Sebdraven", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve key Shodan information on an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Shodan", - "config": { - "service": "host" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_host:devel" -} -, -{ - "name": "Shodan_Host_History", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve Shodan history scan results for an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Shodan", - "config": { - "service": "host_history" - }, - "configurationItems": [ - { - "name": "key", 
- "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_host_history:devel" -} -, -{ - "name": "Shodan_InfoDomain", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve key Shodan information on a domain.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "Shodan", - "config": { - "service": "info_domain" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_infodomain:devel" -} -, -{ - "name": "Shodan_ReverseDNS", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve ip reverse DNS resolutions on Shodan.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Shodan", - "config": { - "service": "reverse_dns" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_reversedns:devel" -} -, -{ - "name": "Shodan_Search", - "version": "2.0", - "author": "Sebastien Larinier @Sebdraven", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Search query on Shodan", - "dataTypeList": [ - "other" - ], - "baseConfig": "Shodan", - "config": { - "service": "search" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_search:devel" -} -, -{ - "name": "SinkDB", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/sinkdb-analyzer", - "version": "1.0", - 
"description": "Check if ip is sinkholed via sinkdb.abuse.ch", - "dataTypeList": [ - "ip" - ], - "baseConfig": "SinkDB", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/sinkdb:devel" -} -, -{ - "name": "SoltraEdge", - "version": "1.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "http://soltra.com/en/", - "license": "AGPL-V3", - "description": "Query against Soltra Edge.", - "dataTypeList": [ - "domain", - "ip", - "url", - "fqdn", - "uri_path", - "user-agent", - "hash", - "email", - "mail", - "mail_subject", - "registry", - "regexp", - "other", - "filename" - ], - "baseConfig": "Soltra_Edge", - "config": { - "check_tlp": true, - "service": "search" - }, - "configurationItems": [ - { - "name": "token", - "description": "Define the Token Key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "username", - "description": "Define the Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "base_url", - "description": "Base API URL for Soltra Edge Server. 
(Example: https://test.soltra.com/api/stix)", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://feed.yourdomain./api/stix" - }, - { - "name": "verify_ssl", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/soltraedge:devel" -} -, -{ - "name": "StaxxSearch", - "author": "Robert Nixon", - "license": "AGPL-V3", - "url": "https://github.com/robertnixon2003/Cortex-Analyzers", - "version": "1.0", - "description": "Fetch observable details from an Anomali STAXX instance.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "hash", - "mail" - ], - "baseConfig": "staxx", - "configurationItems": [ - { - "name": "auth_url", - "description": "Define the URL of the auth endpoint", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "query_url", - "description": "Define the URL of the intelligence endpoint", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "username", - "description": "STAXX User Name", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "STAXX Password", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check the server certificate", - "type": "string", - "multi": true, - "required": false - } - ], - "dockerImage": "cortexneurons/staxxsearch:devel" -} -, -{ - "name": "StopForumSpam", - "author": "Marc-Andre Doll, STARC by EXAPROBE", - "license": "AGPL-V3", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "version": "1.0", - "baseConfig": "StopForumSpam", - "config": { - "check_tlp": true, - "max_tlp": 2 - }, - "configurationItems": 
[ - { - "name": "suspicious_confidence_level", - "description": "Confidence threshold above which the artifact should be marked as suspicious", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 0 - }, - { - "name": "malicious_confidence_level", - "description": "Confidence threshold above which the artifact should be marked as malicious", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 90 - } - ], - "description": "Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.", - "dataTypeList": [ - "ip", - "mail" - ], - "dockerImage": "cortexneurons/stopforumspam:devel" -} -, -{ - "name": "TalosReputation", - "version": "1.0", - "author": "Gabriel Antonio da Silva", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Talos IP reputation", - "dataTypeList": [ - "ip" - ], - "baseConfig": "TalosReputation", - "dockerImage": "cortexneurons/talosreputation:devel" -} -, -{ - "name": "Threatcrowd", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "Look up domains, mail and IP addresses on ThreatCrowd.", - "dataTypeList": [ - "mail", - "ip", - "domain" - ], - "baseConfig": "Threatcrowd", - "config": { - "check_tlp": false, - "service": "get" - }, - "dockerImage": "cortexneurons/threatcrowd:devel" -} -, -{ - "name": "TorBlutmagie", - "author": "Marc-André DOLL, STARC by EXAPROBE", - "license": "AGPL-V3", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "version": "1.0", - "description": "Query http://torstatus.blutmagie.de/query_export.php/Tor_query_EXPORT.csv for TOR exit nodes IP addresses or names.", - "dataTypeList": [ - "ip", - "domain", - "fqdn" - ], - "baseConfig": "TorBlutmagie", - "configurationItems": [ - { - "name": "cache.duration", - "description": "Define the cache duration", - "type": 
"number", - "multi": false, - "required": true, - "defaultValue": 3600 - }, - { - "name": "cache.root", - "description": "Define the path to the stored data", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/torblutmagie:devel" -} -, -{ - "name": "TorProject", - "author": "Marc-André DOLL, STARC by EXAPROBE", - "license": "AGPL-V3", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "version": "1.0", - "description": "Query https://check.torproject.org/exit-addresses for TOR exit nodes IP addresses.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "TorProject", - "configurationItems": [ - { - "name": "ttl", - "description": "Define the TTL", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 86400 - }, - { - "name": "cache.duration", - "description": "Define the cache duration", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 3600 - }, - { - "name": "cache.root", - "description": "Define the path to the stored data", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/torproject:devel" -} -, -{ - "name": "URLhaus", - "author": "ninoseki, Nils Kuhnert", - "license": "MIT", - "url": "https://github.com/ninoseki/cortex_URLhaus_analyzer", - "version": "2.0", - "description": "Search domains, IPs, URLs or hashes on URLhaus.", - "dataTypeList": [ - "domain", - "url", - "hash", - "ip" - ], - "configurationItems": [], - "dockerImage": "cortexneurons/urlhaus:devel" -} -, -{ - "name": "Umbrella_Report", - "version": "1.0", - "author": "Kyle Parrish", - "url": "https://github.com/arnydo/thehive/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query the Umbrella Reporting API for recent DNS queries and their status.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "Umbrella", - "config": { - "service": "get" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "Api Key provided 
by Umbrella Admin Console.", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_secret", - "description": "Api Secret provided by Umbrella Admin Console.", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "organization_id", - "description": "Organization ID provided by Umbrella Admin Console.", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "query_limit", - "description": "Maximum number of results to return.", - "type": "number", - "multi": false, - "required": false, - "default": 20 - } - ], - "dockerImage": "cortexneurons/umbrella_report:devel" -} -, -{ - "name": "UnshortenLink", - "version": "1.1", - "author": "Remi Pointel, CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use UnshortenLink to reveal the real URL.", - "dataTypeList": [ - "url" - ], - "baseConfig": "UnshortenLink", - "dockerImage": "cortexneurons/unshortenlink:devel" -} -, -{ - "name": "Urlscan.io_Search", - "author": "ninoseki", - "license": "MIT", - "url": "https://github.com/ninoseki/cortex_urlscan_analyzer", - "version": "0.1.0", - "description": "Search IPs, domains, hashes or URLs on urlscan.io", - "dataTypeList": [ - "ip", - "domain", - "hash", - "url" - ], - "dockerImage": "cortexneurons/urlscan.io_search:devel" -} -, -{ - "name": "VMRay", - "license": "AGPL-V3", - "author": "Nils Kuhnert, CERT-Bund", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "3.0", - "description": "VMRay Sandbox file analysis.", - "dataTypeList": [ - "hash", - "file" - ], - "baseConfig": "VMRay", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "certverify", - "description": "Verify 
certificates", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "certpath", - "description": "Path to certificate file, in case of self-signed etc.", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "disablereanalyze", - "description": "If set to true, samples won't get re-analyzed.", - "type": "boolean", - "multi": false, - "required": false, - "defaultValue": false - } - ], - "dockerImage": "cortexneurons/vmray:devel" -} -, -{ - "name": "VirusTotal_GetReport", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.", - "dataTypeList": [ - "file", - "hash", - "domain", - "ip", - "url" - ], - "baseConfig": "VirusTotal", - "config": { - "service": "get" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Virustotal", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "polling_interval", - "description": "Define time interval between two requests attempts for the report", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 60 - } - ], - "dockerImage": "cortexneurons/virustotal_getreport:devel" -} -, -{ - "name": "VirusTotal_Scan", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use VirusTotal to scan a file or URL.", - "dataTypeList": [ - "file", - "url" - ], - "baseConfig": "VirusTotal", - "config": { - "service": "scan" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Virustotal", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "polling_interval", - "description": "Define time interval between two requests attempts for the report", - "type": "number", - "multi": false, - 
"required": false, - "defaultValue": 60 - } - ], - "dockerImage": "cortexneurons/virustotal_scan:devel" -} -, -{ - "name": "Virusshare", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Search for MD5 hashes in Virusshare.com hash list", - "dataTypeList": [ - "hash", - "file" - ], - "baseConfig": "Virusshare", - "configurationItems": [ - { - "name": "path", - "description": "Define the path to the stored data", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/virusshare:devel" -} -, -{ - "name": "WOT_Lookup", - "version": "1.0", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Web of Trust to check a domain's reputation.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "WOT", - "config": { - "service": "query" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/wot_lookup:devel" -} -, -{ - "name": "Yara", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check files against YARA rules.", - "dataTypeList": [ - "file" - ], - "baseConfig": "Yara", - "configurationItems": [ - { - "name": "rules", - "description": "Define the path rules folder", - "type": "string", - "multi": true, - "required": true - } - ], - "dockerImage": "cortexneurons/yara:devel" -} -, -{ - "name": "Yeti", - "author": "CERT-BDF", - "license": "AGPL-V3", - "url": "https://github.com/CERT/cortex-analyzers", - "version": "1.0", - "description": "Fetch observable details from a YETI instance.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "hash" - ], - "baseConfig": 
"Yeti", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_key", - "description": "Define the api key of the service", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/yeti:devel" -} -] diff --git a/analyzers/catalog-stable.json b/analyzers/catalog-stable.json deleted file mode 100644 index e4d9cfeb4..000000000 --- a/analyzers/catalog-stable.json +++ /dev/null 
@@ -1,3735 +0,0 @@ -[ -{ - "name": "AbuseIPDB", - "version": "1.0", - "author": "Matteo Lodi", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-v3", - "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB", - "dataTypeList": [ - "ip" - ], - "baseConfig": "AbuseIPDB", - "configurationItems": [ - { - "name": "key", - "description": "API key for AbuseIPDB", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "days", - "description": "Check for IP Reports in the last X days", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 30 - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "dockerImage": "cortexneurons/abuseipdb:1.0" -} -, -{ - "name": "Abuse_Finder", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.", - "dataTypeList": [ - "ip", - "domain", - "url", - "mail" - ], - "baseConfig": "Abuse_Finder", - "dockerImage": "cortexneurons/abuse_finder:2.0" -} -, -{ - "name": "BackscatterIO_Enrichment", - "version": "1.0", - "author": "brandon@backscatter.io", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Enrich values using Backscatter.io data.", - "dataTypeList": [ - "ip", - "network", - "autonomous-system", - "port" - ], - "baseConfig": "BackscatterIO", - "configurationItems": [ - { - "name": "key", - "description": "API key for Backscatter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": true, - "service": "enrichment" - }, - "dockerImage": "cortexneurons/backscatterio_enrichment:1.0" -} -, -{ - "name": "BackscatterIO_GetObservations", - "version": "1.0", - "author": "brandon@backscatter.io", - 
"url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Determine whether a value has known scanning activity using Backscatter.io data.", - "dataTypeList": [ - "ip", - "network", - "autonomous-system" - ], - "baseConfig": "BackscatterIO", - "configurationItems": [ - { - "name": "key", - "description": "API key for Backscatter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": true, - "service": "observations" - }, - "dockerImage": "cortexneurons/backscatterio_getobservations:1.0" -} -, -{ - "name": "C1fApp", - "version": "1.0", - "author": "etz69", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query C1fApp OSINT Aggregator for IPs, domains and URLs", - "dataTypeList": [ - "url", - "domain", - "ip" - ], - "baseConfig": "C1fApp", - "configurationItems": [ - { - "name": "url", - "description": "URL of C1fApp service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/c1fapp:1.0" -} -, -{ - "name": "CERTatPassiveDNS", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Checks CERT.at Passive DNS for a given domain.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "CERTatPassiveDNS", - "configurationItems": [ - { - "name": "limit", - "description": "Define the maximum number of results per request", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - } - ], - "dockerImage": "cortexneurons/certatpassivedns:2.0" -} -, -{ - "name": "CIRCLPassiveDNS", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": 
"https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check CIRCL's Passive DNS for a given domain or URL.", - "dataTypeList": [ - "domain", - "url", - "ip" - ], - "baseConfig": "CIRCL", - "configurationItems": [ - { - "name": "user", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/circlpassivedns:2.0" -} -, -{ - "name": "CIRCLPassiveSSL", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash.", - "dataTypeList": [ - "ip", - "certificate_hash", - "hash" - ], - "baseConfig": "CIRCL", - "configurationItems": [ - { - "name": "user", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/circlpassivessl:2.0" -} -, -{ - "name": "Censys", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/censys-analyzer", - "version": "1.0", - "description": "Check IPs, certificate hashes or domains against censys.io.", - "dataTypeList": [ - "ip", - "hash", - "domain" - ], - "baseConfig": "Censys", - "configurationItems": [ - { - "name": "uid", - "description": "UID for Censys", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/censys:1.0" -} -, -{ - "name": "Crt_sh_Transparency_Logs", - "author": "crackytsi", - "license": "AGPL-V3", - "url": "https://crt.sh", - "version": "1.0", - 
"baseConfig": "Crtsh", - "config": { - "check_tlp": false, - "max_tlp": 3 - }, - "description": "Query domains against the certificate transparency lists available at crt.sh.", - "dataTypeList": [ - "domain" - ], - "configurationItems": [], - "dockerImage": "cortexneurons/crt_sh_transparency_logs:1.0" -} -, -{ - "name": "CuckooSandbox_File_Analysis_Inet", - "version": "1.1", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Cuckoo Sandbox file analysis with Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "CuckooSandbox", - "configurationItems": [ - { - "name": "url", - "description": "URL", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "token", - "description": "API token", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/cuckoosandbox_file_analysis_inet:1.1" -} -, -{ - "name": "CuckooSandbox_Url_Analysis", - "version": "1.1", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Cuckoo Sandbox URL analysis.", - "dataTypeList": [ - "url" - ], - "baseConfig": "CuckooSandbox", - "configurationItems": [ - { - "name": "url", - "description": "URL", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "token", - "description": "API token", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - 
"defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/cuckoosandbox_url_analysis:1.1" -} -, -{ - "name": "CyberCrime-Tracker", - "author": "ph34tur3", - "license": "AGPL-V3", - "url": "https://github.com/ph34tur3/Cortex-Analyzers", - "version": "1.0", - "description": "Search cybercrime-tracker.net for C2 servers.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "other" - ], - "baseConfig": "CyberCrimeTracker", - "config": { - "check_tlp": true, - "max_tlp": 2 - }, - "configurationItems": [], - "dockerImage": "cortexneurons/cybercrime-tracker:1.0" -} -, -{ - "name": "Cyberprotect_ThreatScore", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect", - "dataTypeList": [ - "domain", - "ip" - ], - "baseConfig": "Cyberprotect", - "config": { - "service": "ThreatScore", - "check_tlp": true - }, - "dockerImage": "cortexneurons/cyberprotect_threatscore:1.0" -} -, -{ - "name": "Cymon_Check_IP", - "version": "2.1", - "author": "Julian Gonzalez", - "url": "https://github.com/ST2labs/Analyzers", - "license": "AGPL-V3", - "description": "Check an IP addr against Cymon.io.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Cymon", - "config": { - "service": "Check_IP" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Cymon.io", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/cymon_check_ip:2.1" -} -, -{ - "name": "DNSDB_DomainName", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for a 
domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DNSDB", - "config": { - "service": "domain_name" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_domainname:2.0" -} -, -{ - "name": "DNSDB_IPHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "DNSDB", - "config": { - "service": "ip_history" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_iphistory:2.0" -} -, -{ - "name": "DNSDB_NameHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for a fully-qualified domain name.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DNSDB", - "config": { - "service": "name_history" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_namehistory:2.0" -} -, -{ - "name": "DNSSinkhole", - "author": "Andrea 
Garavaglia, LDO-CERT", - "license": "AGPL-V3", - "url": "https://github.com/LDO-CERT/cortex-analyzer", - "version": "1.0", - "description": "Check if a domain is sinkholed via DNS Sinkhole server", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DNSSinkhole", - "configurationItems": [ - { - "name": "ip", - "description": "Define the DNS Sinkhole Server IP", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "sink_ip", - "description": "Define the sinkholed response address IP", - "required": true, - "multi": false, - "type": "string" - } - ], - "dockerImage": "cortexneurons/dnssinkhole:1.0" -} -, -{ - "name": "DShield_lookup", - "version": "1.0", - "author": "Xavier Xavier, SANS ISC", - "url": "https://github.com/xme/thehive/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query the SANS ISC DShield API to check for an IP address reputation.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "DShield", - "config": { - "service": "query" - }, - "dockerImage": "cortexneurons/dshield_lookup:1.0" -} -, -{ - "name": "DomainTools_HostingHistory", - "version": "2.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "hosting-history" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_hostinghistory:2.0" -} -, -{ - "name": "DomainTools_Reputation", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": 
"AGPL-V3", - "description": "Use DomainTools to get a reputation score on a domain or fqdn", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reputation" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reputation:2.0" -} -, -{ - "name": "DomainTools_ReverseIP", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names sharing the same IP address.", - "dataTypeList": [ - "ip", - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-ip" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reverseip:2.0" -} -, -{ - "name": "DomainTools_ReverseIPWhois", - "version": "2.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of IP addresses which share the same registrant information.", - "dataTypeList": [ - "mail", - "ip", - "domain", - "other" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-ip-whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - 
"type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reverseipwhois:2.0" -} -, -{ - "name": "DomainTools_ReverseNameServer", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names that share the same primary or secondary name server.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "name-server-domains" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reversenameserver:2.0" -} -, -{ - "name": "DomainTools_ReverseWhois", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names which share the same registrant information.", - "dataTypeList": [ - "mail", - "ip", - "domain", - "other" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reversewhois:2.0" -} -, -{ - "name": "DomainTools_Risk", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn", - "dataTypeList": [ - 
"domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "risk_evidence" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_risk:2.0" -} -, -{ - "name": "DomainTools_WhoisHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of historical Whois records associated with a domain name.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois/history" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoishistory:2.0" -} -, -{ - "name": "DomainTools_WhoisLookup", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.", - "dataTypeList": [ - "domain", - "ip" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois/parsed" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": 
"cortexneurons/domaintools_whoislookup:2.0" -} -, -{ - "name": "DomainTools_WhoisLookupUnparsed", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get the ownership record for an IP address or a domain without parsing.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoislookupunparsed:2.0" -} -, -{ - "name": "EmergingThreats_DomainInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_domaininfo:1.0" -} -, -{ - "name": "EmergingThreats_IPInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET reputation, related malware, and IDS requests for a given IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_ipinfo:1.0" -} -, 
-{ - "name": "EmergingThreats_MalwareInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET details and info related to a malware hash.", - "dataTypeList": [ - "file", - "hash" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_malwareinfo:1.0" -} -, -{ - "name": "EmlParser", - "version": "1.2", - "author": "ninsmith", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "baseConfig": "EmlParser", - "config": { - "check_tlp": false, - "max_tlp": 3, - "service": "" - }, - "description": "Parse Eml message", - "dataTypeList": [ - "file" - ], - "dockerImage": "cortexneurons/emlparser:1.2" -} -, -{ - "name": "FileInfo", - "version": "6.0", - "author": "TheHive-Project", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...", - "dataTypeList": [ - "file" - ], - "baseConfig": "FileInfo", - "configurationItems": [ - { - "name": "manalyze_enable", - "description": "Wether to enable manalyze submodule or not.", - "type": "boolean", - "required": true, - "multi": false - }, - { - "name": "manalyze_enable_docker", - "description": "Use docker to run Manalyze.", - "type": "boolean", - "required": false, - "multi": false, - "default": false - }, - { - "name": "manalyze_enable_binary", - "description": "Use local binary to run Manalyze. 
Need to compile it before!", - "type": "boolean", - "required": false, - "multi": false, - "default": true - }, - { - "name": "manalyze_binary_path", - "description": "Path to the Manalyze binary that was compiled before", - "type": "string", - "required": false, - "multi": false, - "default": "/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze" - } - ], - "dockerImage": "cortexneurons/fileinfo:6.0" -} -, -{ - "name": "FireEyeiSight", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/LDO-CERT/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.", - "dataTypeList": [ - "domain", - "ip", - "hash", - "url" - ], - "baseConfig": "FireEyeiSight", - "config": { - "check_tlp": true, - "max_tlp": 2, - "service": "query" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for FireEye iSIGHT.", - "required": true, - "type": "string", - "multi": false - }, - { - "name": "pwd", - "description": "Password associated to the API key.", - "required": true, - "type": "string", - "multi": false - } - ], - "dockerImage": "cortexneurons/fireeyeisight:1.0" -} -, -{ - "name": "FireHOLBlocklists", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check IP addresses against the FireHOL blocklists", - "dataTypeList": [ - "ip" - ], - "baseConfig": "FireHOLBlocklists", - "configurationItems": [ - { - "name": "blocklistpath", - "description": "Path to blocklists", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/fireholblocklists:2.0" -} -, -{ - "name": "Fortiguard_URLCategory", - "version": "2.1", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "dataTypeList": [ - "domain", - "url", - 
"fqdn" - ], - "description": "Check the Fortiguard category of a URL, FQDN or a domain. Check the full available list at https://fortiguard.com/webfilter/categories", - "baseConfig": "Fortiguard", - "configurationItems": [ - { - "name": "malicious_categories", - "description": "List of FortiGuard categories to be considered as malicious", - "type": "string", - "multi": true, - "required": true, - "defaultValue": [ - "Malicious Websites", - "Phishing", - "Spam URLs" - ] - }, - { - "name": "suspicious_categories", - "description": "List of FortiGuard categories to be considered as suspicious", - "type": "string", - "multi": true, - "required": true, - "defaultValue": [ - "Newly Observed Domain", - "Newly Registered Domain", - "Dynamic DNS", - "Proxy Avoidance", - "Hacking" - ] - } - ], - "dockerImage": "cortexneurons/fortiguard_urlcategory:2.1" -} -, -{ - "name": "GoogleDNS_resolve", - "version": "1.0.0", - "author": "CERT-LaPoste", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Request Google DNS over HTTPS service", - "dataTypeList": [ - "domain", - "ip", - "fqdn" - ], - "baseConfig": "GoogleDNS", - "config": { - "service": "get" - }, - "configurationItems": [], - "dockerImage": "cortexneurons/googledns_resolve:1.0.0" -} -, -{ - "name": "GoogleSafebrowsing", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Use Google Safebrowing to check URLs and domain names.", - "dataTypeList": [ - "url", - "domain" - ], - "baseConfig": "GoogleSafebrowsing", - "configurationItems": [ - { - "name": "client_id", - "description": "Client identifier", - "type": "string", - "multi": false, - "required": false, - "defaultValue": "cortex" - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/googlesafebrowsing:2.0" -} 
-, -{ - "name": "GreyNoise", - "version": "2.3", - "author": "Nclose", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Determine whether an IP has known scanning activity using GreyNoise.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "GreyNoise", - "configurationItems": [ - { - "name": "key", - "description": "API key for GreyNoise", - "type": "string", - "multi": false, - "required": false - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "dockerImage": "cortexneurons/greynoise:2.3" -} -, -{ - "name": "HIBP_Query", - "version": "1.0", - "author": "Matt Erasmus", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query haveibeenpwned.com for a compromised email address", - "dataTypeList": [ - "mail" - ], - "baseConfig": "HIBP", - "config": { - "service": "query", - "url": "https://haveibeenpwned.com/api/v2/breachedaccount/" - }, - "configurationItems": [ - { - "name": "unverified", - "description": "Include unverified breaches", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/hibp_query:1.0" -} -, -{ - "name": "Hashdd_Detail", - "version": "1.0", - "author": "iosonogio", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPLv3", - "description": "Determine whether a hash is good or bad; if good then list what it is.", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Hashdd", - "config": { - "service": "detail" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "API key for hashdd", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hashdd_detail:1.0" -} -, -{ - "name": "Hashdd_Status", - "version": "1.0", - "author": "iosonogio", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPLv3", - "description": 
"Determine whether a hash is good or bad.", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Hashdd", - "config": { - "service": "status" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "API key for hashdd", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/hashdd_status:1.0" -} -, -{ - "name": "Hipposcore", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Hippocampe Score report associated with an IP address, a domain or a URL.", - "dataTypeList": [ - "ip", - "domain", - "fqdn", - "url" - ], - "baseConfig": "Hippocampe", - "config": { - "service": "hipposcore" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hipposcore:2.0" -} -, -{ - "name": "HippoMore", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Hippocampe detailed report for an IP address, a domain or a URL.", - "dataTypeList": [ - "ip", - "domain", - "fqdn", - "url" - ], - "baseConfig": "Hippocampe", - "config": { - "service": "more" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hippomore:2.0" -} -, -{ - "name": "Hunterio_DomainSearch", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "hunter.io is a service to find email addresses from a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Hunterio", - "config": { - "service": "domainsearch", - "check_tlp": false - }, - "configurationItems": [ - { - 
"name": "key", - "description": "api key of hunter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hunterio_domainsearch:1.0" -} -, -{ - "name": "HybridAnalysis_GetReport", - "version": "1.0", - "author": "Daniil Yugoslavskiy, Tieto", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "dataTypeList": [ - "hash", - "file", - "filename" - ], - "description": "Fetch Hybrid Analysis reports associated with hashes and filenames.", - "baseConfig": "HybridAnalysis", - "configurationItems": [ - { - "name": "secret", - "description": "HybridAnalysis secret", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hybridanalysis_getreport:1.0" -} -, -{ - "name": "IBMXForce_Lookup", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/LDO-CERT/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query domains, IPs, hashes and URLs against IBM X-Force threat intelligence sharing platform.", - "dataTypeList": [ - "domain", - "ip", - "hash", - "url" - ], - "baseConfig": "IBMXForce", - "config": { - "service": "query" - }, - "configurationItems": [ - { - "name": "url", - "description": "X-Force API URL", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "key", - "description": "X-Force API Key", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "pwd", - "description": "X-Force API Password", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "verify", - "description": "Enable/Disable certificate verification", - "required": false, - "multi": false, - "type": "boolean", - "default": true - } - ], - "dockerImage": "cortexneurons/ibmxforce_lookup:1.0" -} -, -{ - "name": "Investigate_Categorization", - 
"version": "1.0", - "author": "Cisco Umbrella Research @opendns", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate", - "license": "AGPL-V3", - "description": "Retrieve Investigate categorization and security features for a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Investigate", - "config": { - "service": "categorization" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the Investigate API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/investigate_categorization:1.0" -} -, -{ - "name": "Investigate_Sample", - "version": "1.0", - "author": "Cisco Umbrella Research @opendns", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate", - "license": "AGPL-V3", - "description": "Retrieve sample data from Investigate for a hash. (Sample data provided by ThreatGrid)", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Investigate", - "config": { - "service": "sample" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the Investigate API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/investigate_sample:1.0" -} -, -{ - "name": "JoeSandbox_File_Analysis_Inet", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox file analysis with Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "file_analysis_inet" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": 
false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_file_analysis_inet:2.0" -} -, -{ - "name": "JoeSandbox_File_Analysis_Noinet", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox file analysis without Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "file_analysis_noinet" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_file_analysis_noinet:2.0" -} -, -{ - "name": "JoeSandbox_Url_Analysis", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox URL analysis.", - "dataTypeList": [ - "url" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "url_analysis" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout 
(seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_url_analysis:2.0" -} -, -{ - "name": "MISP", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Query multiple MISP instances for events containing an observable.", - "dataTypeList": [ - "domain", - "ip", - "url", - "fqdn", - "uri_path", - "user-agent", - "hash", - "email", - "mail", - "mail_subject", - "registry", - "regexp", - "other", - "filename" - ], - "baseConfig": "MISP", - "configurationItems": [ - { - "name": "name", - "description": "Name of MISP servers", - "multi": true, - "required": false, - "type": "string" - }, - { - "name": "url", - "description": "URL of MISP servers", - "type": "string", - "multi": true, - "required": true - }, - { - "name": "key", - "description": "API key for each server", - "type": "string", - "multi": true, - "required": true - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": true, - "required": false - } - ], - "dockerImage": "cortexneurons/misp:2.0" -} -, -{ - "name": "MISPWarningLists", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/misp-warninglists-analyzer", - "version": "1.0", - "description": "Check IoCs/Observables against MISP Warninglists to filter false positives.", - "dataTypeList": [ - "ip", - "hash", - "domain", - "fqdn", - "url" - ], - "baseConfig": "MISPWarningLists", - "configurationItems": 
[ - { - "name": "path", - "description": "path to Warninglists folder", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/mispwarninglists:1.0" -} -, -{ - "name": "Malpedia", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "license": "AGPL-V3", - "url": "https://github.com/LDO-CERT/cortex-analyzers", - "version": "1.0", - "description": "Check files against Malpedia YARA rules.", - "dataTypeList": [ - "file" - ], - "baseConfig": "Malpedia", - "configurationItems": [ - { - "name": "path", - "description": "Rulepath", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "username", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malpedia:1.0" -} -, -{ - "name": "Malwares_GetReport", - "version": "1.0", - "author": "LDO-CERT", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest Malwares report for a file, hash, domain or an IP address.", - "dataTypeList": [ - "file", - "hash", - "domain", - "ip" - ], - "baseConfig": "Malwares", - "config": { - "check_tlp": true, - "max_tlp": 3, - "service": "get" - }, - "configurationItems": [ - { - "name": "key", - "description": "Malwares.com API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malwares_getreport:1.0" -} -, -{ - "name": "Malwares_Scan", - "version": "1.0", - "author": "LDO-CERT", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Malwares' API to scan a file or URL.", - "dataTypeList": [ - "file", - "url" - ], - "baseConfig": "Malwares", - "config": { - "check_tlp": true, - "service": "scan", - "max_tlp": 1 - }, - "configurationItems": [ - { - "name": "key", - 
"description": "Malwares.com API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malwares_scan:1.0" -} -, -{ - "name": "MaxMind_GeoIP", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use MaxMind to geolocate an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "MaxMind", - "dockerImage": "cortexneurons/maxmind_geoip:3.0" -} -, -{ - "name": "Mnemonic_pDNS_Closed", - "version": "3.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "https://passivedns.mnemonic.no/search", - "license": "AGPL-V3", - "description": "Query IP addresses and domains against Mnemonic pDNS restricted service.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "Mnemonic_pDNS", - "config": { - "check_tlp": true, - "service": "closed" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/mnemonic_pdns_closed:3.0" -} -, -{ - "name": "Mnemonic_pDNS_Public", - "version": "3.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "https://passivedns.mnemonic.no/search", - "license": "AGPL-V3", - "description": "Query IP addresses and domains against Mnemonic pDNS public service.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "Mnemonic_pDNS", - "config": { - "check_tlp": true, - "service": "public" - }, - "configurationItems": [], - "dockerImage": "cortexneurons/mnemonic_pdns_public:3.0" -} -, -{ - "name": "Msg_Parser", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Parse Outlook MSG files and extract the main artifacts.", - "dataTypeList": [ - "file" - ], - "baseConfig": "MsgParser", - "dockerImage": "cortexneurons/msg_parser:2.0" -} -, -{ - 
"name": "Nessus", - "version": "2.0", - "author": "Guillaume Rousse", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Nessus Professional to scan hosts.", - "dataTypeList": [ - "ip", - "fqdn" - ], - "baseConfig": "Nessus", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL to the Nessus service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "login", - "description": "Define the login to Nessus", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Define the password to the Nessus account", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "policy", - "description": "Define the policy used to run scans", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "ca_bundle", - "description": "Define the path to the Nessus CA", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "allowed_network", - "description": "Define networks allowed to be scanned", - "type": "string", - "multi": true, - "required": true - } - ], - "dockerImage": "cortexneurons/nessus:2.0" -} -, -{ - "name": "OTXQuery", - "version": "2.0", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query AlienVault OTX for IPs, domains, URLs, or file hashes.", - "dataTypeList": [ - "url", - "domain", - "file", - "hash", - "ip" - ], - "baseConfig": "OTXQuery", - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/otxquery:2.0" -} -, -{ - "name": "Onyphe_Datascan", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve datascan 
information Onyphe has for the given IPv{4,6} address with history of changes or search a string.", - "dataTypeList": [ - "ip", - "other" - ], - "baseConfig": "Onyphe", - "config": { - "service": "datascan" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_datascan:1.0" -} -, -{ - "name": "Onyphe_Forward", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "forward" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_forward:1.0" -} -, -{ - "name": "Onyphe_Geolocate", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve geolocation information for the given IPv{4,6} address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "geolocate" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_geolocate:1.0" -} -, -{ - "name": "Onyphe_Inetnum", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve Onyphe Inetnum information on an IPv{4,6} address with history.", - "dataTypeList": [ - "ip" - ], - 
"baseConfig": "Onyphe", - "config": { - "service": "inetnum" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_inetnum:1.0" -} -, -{ - "name": "Onyphe_Ports", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve synscan information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "ports" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_ports:1.0" -} -, -{ - "name": "Onyphe_Reverse", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "reverse" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_reverse:1.0" -} -, -{ - "name": "Onyphe_Threats", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve Onyphe threat information for the given IPv{4,6} address with history.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "threats" - }, - "configurationItems": [ - { - 
"name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_threats:1.0" -} -, -{ - "name": "PassiveTotal_Enrichment", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Enrichment Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "enrichment" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_enrichment:2.0" -} -, -{ - "name": "PassiveTotal_Malware", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Malware Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "malware" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_malware:2.0" -} -, -{ - "name": "PassiveTotal_Osint", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal OSINT Lookup.", - "dataTypeList": [ - "domain", - 
"fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "osint" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_osint:2.0" -} -, -{ - "name": "PassiveTotal_Passive_Dns", - "version": "2.1", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Passive DNS Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "passive_dns" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_passive_dns:2.1" -} -, -{ - "name": "PassiveTotal_Ssl_Certificate_Details", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal SSL Certificate Details Lookup.", - "dataTypeList": [ - "hash", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "ssl_certificate_details" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - 
"required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_ssl_certificate_details:2.0" -} -, -{ - "name": "PassiveTotal_Ssl_Certificate_History", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal SSL Certificate History Lookup.", - "dataTypeList": [ - "hash", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "ssl_certificate_history" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_ssl_certificate_history:2.0" -} -, -{ - "name": "PassiveTotal_Unique_Resolutions", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Unique Resolutions Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "unique_resolutions" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_unique_resolutions:2.0" -} -, -{ - "name": "PassiveTotal_Whois_Details", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Whois Details Lookup.", - "dataTypeList": [ - "domain", - "fqdn", 
- "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "whois_details" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_whois_details:2.0" -} -, -{ - "name": "Patrowl_GetReport", - "version": "1.0", - "author": "Nicolas Mattiocco", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the current Patrowl report for a fdqn, a domain or an IP address.", - "dataTypeList": [ - "fqdn", - "domain", - "ip" - ], - "baseConfig": "Patrowl", - "config": { - "service": "getreport" - }, - "configurationItems": [ - { - "name": "url", - "description": "Define the PatrOwl url", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_key", - "description": "Define the PatrOwl API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/patrowl_getreport:1.0" -} -, -{ - "name": "PayloadSecurity_File_Analysis", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/notset/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PayloadSecurity Sandbox File Analysis", - "dataTypeList": [ - "file" - ], - "baseConfig": "PayloadSecurity", - "configurationItems": [ - { - "name": "url", - "description": "Define the url of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "secret", - "description": "Define the secret used to connect the service", - "type": "string", - "multi": false, - 
"required": true - }, - { - "name": "environmentId", - "description": "Define the environment Id used by the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - }, - { - "name": "timeout", - "description": "Define the timeout of requests to the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 15 - }, - { - "name": "verifyssl", - "description": "Verify SSL certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/payloadsecurity_file_analysis:1.0" -} -, -{ - "name": "PayloadSecurity_Url_Analysis", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/notset/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PayloadSecurity Sandbox Url Analysis", - "dataTypeList": [ - "url" - ], - "baseConfig": "PayloadSecurity", - "configurationItems": [ - { - "name": "url", - "description": "Define the url of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "secret", - "description": "Define the secret used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "environmentId", - "description": "Define the environment Id used by the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - }, - { - "name": "timeout", - "description": "Define the timeout of requests to the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 15 - }, - { - "name": "verifyssl", - "description": "Verify SSL certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/payloadsecurity_url_analysis:1.0" -} -, -{ - "name": 
"PhishTank_CheckURL", - "version": "2.1", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use PhishTank to check if a URL is a verified phishing site.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishTank", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishtank_checkurl:2.1" -} -, -{ - "name": "PhishingInitiative_Lookup", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Phishing Initiative to check if a URL is a verified phishing site.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishingInitiative", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishinginitiative_lookup:2.0" -} -, -{ - "name": "PhishingInitiative_Scan", - "version": "1.0", - "author": "Remi Pointel", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Phishing Initiative to scan a URL.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishingInitiative", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishinginitiative_scan:1.0" -} -, -{ - "name": "ProofPoint_Lookup", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/CERT-BDF/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check URL, file, SHA256 against ProofPoint forensics", - "dataTypeList": [ - "url", - "file", - "hash" - ], - "baseConfig": "ProofPoint", - "config": { - "service": "query", - "max_tlp": 1, - "check_tlp": true - }, - 
"configurationItems": [ - { - "name": "url", - "description": "URL of the Proofpoint API, the default should be okay.", - "type": "string", - "required": true, - "defaultValue": "https://tap-api-v2.proofpoint.com", - "multi": false - }, - { - "name": "apikey", - "description": "API key to use", - "type": "string", - "required": true, - "multi": false - }, - { - "name": "secret", - "description": "Secret to the API key", - "type": "string", - "required": true, - "multi": false - }, - { - "name": "verifyssl", - "description": "Verify server's SSL certificate", - "type": "boolean", - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/proofpoint_lookup:1.0" -} -, -{ - "name": "Pulsedive_GetIndicator", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Search Pulsedive.com for a giver domain name, hash, ip or url", - "dataTypeList": [ - "url", - "domain", - "ip", - "hash" - ], - "baseConfig": "Pulsedive", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/pulsedive_getindicator:1.0" -} -, -{ - "name": "RecordedFuture_risk", - "version": "1.0", - "author": "KAPSCH-CDC", - "url": "https://github.com/kapschcdc/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest risk data from RecordedFuture for a hash, domain or an IP address.", - "dataTypeList": [ - "domain", - "ip", - "hash" - ], - "baseConfig": "RecordedFuture", - "configurationItems": [ - { - "name": "key", - "description": "API key for RecordedFuture", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/recordedfuture_risk:1.0" -} -, -{ - "name": "Robtex_Forward_PDNS_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": 
"AGPL-V3", - "description": "Check domains and FQDNs using the Robtex passive DNS API.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Robtex", - "config": { - "service": "fpdnsquery" - }, - "dockerImage": "cortexneurons/robtex_forward_pdns_query:1.0" -} -, -{ - "name": "Robtex_IP_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check IPs using the Robtex IP API.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Robtex", - "config": { - "service": "ipquery" - }, - "dockerImage": "cortexneurons/robtex_ip_query:1.0" -} -, -{ - "name": "Robtex_Reverse_PDNS_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check IPs using the Robtex reverse passive DNS API.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Robtex", - "config": { - "service": "rpdnsquery" - }, - "dockerImage": "cortexneurons/robtex_reverse_pdns_query:1.0" -} -, -{ - "name": "SecurityTrails_Passive_DNS", - "version": "1.0", - "author": "Manabu Niseki, @ninoseki", - "url": "https://github.com/ninoseki/cortex-securitytrails", - "license": "MIT", - "description": "SecurityTrails Passive DNS Lookup.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "SecurityTrails", - "config": { - "service": "passive_dns" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/securitytrails_passive_dns:1.0" -} -, -{ - "name": "SecurityTrails_Whois", - "version": "1.0", - "author": "Manabu Niseki, @ninoseki", - "url": "https://github.com/ninoseki/cortex-securitytrails", - "license": "MIT", - "description": "SecurityTrails Whois Lookup.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "SecurityTrails", - "config": { 
- "service": "whois" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/securitytrails_whois:1.0" -} -, -{ - "name": "Shodan_DNSResolve", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve domain resolutions on Shodan.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "Shodan", - "config": { - "service": "dns_resolve" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_dnsresolve:1.0" -} -, -{ - "name": "Shodan_Host", - "version": "1.0", - "author": "Sebastien Larinier @Sebdraven", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve key Shodan information on an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Shodan", - "config": { - "service": "host" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_host:1.0" -} -, -{ - "name": "Shodan_Host_History", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve Shodan history scan results for an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Shodan", - "config": { - "service": "host_history" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_host_history:1.0" -} -, -{ - "name": "Shodan_InfoDomain", - 
"version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve key Shodan information on a domain.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "Shodan", - "config": { - "service": "info_domain" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_infodomain:1.0" -} -, -{ - "name": "Shodan_ReverseDNS", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Retrieve ip reverse DNS resolutions on Shodan.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Shodan", - "config": { - "service": "reverse_dns" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_reversedns:1.0" -} -, -{ - "name": "Shodan_Search", - "version": "2.0", - "author": "Sebastien Larinier @Sebdraven", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan", - "license": "AGPL-V3", - "description": "Search query on Shodan", - "dataTypeList": [ - "other" - ], - "baseConfig": "Shodan", - "config": { - "service": "search" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/shodan_search:2.0" -} -, -{ - "name": "SinkDB", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/sinkdb-analyzer", - "version": "1.0", - "description": "Check if ip is sinkholed via sinkdb.abuse.ch", - "dataTypeList": [ - "ip" - ], - "baseConfig": "SinkDB", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - 
"type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/sinkdb:1.0" -} -, -{ - "name": "SoltraEdge", - "version": "1.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "http://soltra.com/en/", - "license": "AGPL-V3", - "description": "Query against Soltra Edge.", - "dataTypeList": [ - "domain", - "ip", - "url", - "fqdn", - "uri_path", - "user-agent", - "hash", - "email", - "mail", - "mail_subject", - "registry", - "regexp", - "other", - "filename" - ], - "baseConfig": "Soltra_Edge", - "config": { - "check_tlp": true, - "service": "search" - }, - "configurationItems": [ - { - "name": "token", - "description": "Define the Token Key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "username", - "description": "Define the Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "base_url", - "description": "Base API URL for Soltra Edge Server. (Example: https://test.soltra.com/api/stix)", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://feed.yourdomain./api/stix" - }, - { - "name": "verify_ssl", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/soltraedge:1.0" -} -, -{ - "name": "StaxxSearch", - "author": "Robert Nixon", - "license": "AGPL-V3", - "url": "https://github.com/robertnixon2003/Cortex-Analyzers", - "version": "1.0", - "description": "Fetch observable details from an Anomali STAXX instance.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "hash", - "mail" - ], - "baseConfig": "staxx", - "configurationItems": [ - { - "name": "auth_url", - "description": "Define the URL of the auth endpoint", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "query_url", - "description": "Define the URL of the intelligence endpoint", - "type": "string", - "multi": false, - 
"required": true - }, - { - "name": "username", - "description": "STAXX User Name", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "STAXX Password", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check the server certificate", - "type": "string", - "multi": true, - "required": false - } - ], - "dockerImage": "cortexneurons/staxxsearch:1.0" -} -, -{ - "name": "StopForumSpam", - "author": "Marc-Andre Doll, STARC by EXAPROBE", - "license": "AGPL-V3", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "version": "1.0", - "baseConfig": "StopForumSpam", - "config": { - "check_tlp": true, - "max_tlp": 2 - }, - "configurationItems": [ - { - "name": "suspicious_confidence_level", - "description": "Confidence threshold above which the artifact should be marked as suspicious", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 0 - }, - { - "name": "malicious_confidence_level", - "description": "Confidence threshold above which the artifact should be marked as malicious", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 90 - } - ], - "description": "Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.", - "dataTypeList": [ - "ip", - "mail" - ], - "dockerImage": "cortexneurons/stopforumspam:1.0" -} -, -{ - "name": "TalosReputation", - "version": "1.0", - "author": "Gabriel Antonio da Silva", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Talos IP reputation", - "dataTypeList": [ - "ip" - ], - "baseConfig": "TalosReputation", - "dockerImage": "cortexneurons/talosreputation:1.0" -} -, -{ - "name": 
"Threatcrowd", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "Look up domains, mail and IP addresses on ThreatCrowd.", - "dataTypeList": [ - "mail", - "ip", - "domain" - ], - "baseConfig": "Threatcrowd", - "config": { - "check_tlp": false, - "service": "get" - }, - "dockerImage": "cortexneurons/threatcrowd:1.0" -} -, -{ - "name": "TorBlutmagie", - "author": "Marc-André DOLL, STARC by EXAPROBE", - "license": "AGPL-V3", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "version": "1.0", - "description": "Query http://torstatus.blutmagie.de/query_export.php/Tor_query_EXPORT.csv for TOR exit nodes IP addresses or names.", - "dataTypeList": [ - "ip", - "domain", - "fqdn" - ], - "baseConfig": "TorBlutmagie", - "configurationItems": [ - { - "name": "cache.duration", - "description": "Define the cache duration", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 3600 - }, - { - "name": "cache.root", - "description": "Define the path to the stored data", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/torblutmagie:1.0" -} -, -{ - "name": "TorProject", - "author": "Marc-André DOLL, STARC by EXAPROBE", - "license": "AGPL-V3", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "version": "1.0", - "description": "Query https://check.torproject.org/exit-addresses for TOR exit nodes IP addresses.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "TorProject", - "configurationItems": [ - { - "name": "ttl", - "description": "Define the TTL", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 86400 - }, - { - "name": "cache.duration", - "description": "Define the cache duration", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 3600 - }, - { - "name": "cache.root", - "description": "Define the path to the stored 
data", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/torproject:1.0" -} -, -{ - "name": "URLhaus", - "author": "ninoseki, Nils Kuhnert", - "license": "MIT", - "url": "https://github.com/ninoseki/cortex_URLhaus_analyzer", - "version": "2.0", - "description": "Search domains, IPs, URLs or hashes on URLhaus.", - "dataTypeList": [ - "domain", - "url", - "hash", - "ip" - ], - "configurationItems": [], - "dockerImage": "cortexneurons/urlhaus:2.0" -} -, -{ - "name": "Umbrella_Report", - "version": "1.0", - "author": "Kyle Parrish", - "url": "https://github.com/arnydo/thehive/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query the Umbrella Reporting API for recent DNS queries and their status.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "Umbrella", - "config": { - "service": "get" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "Api Key provided by Umbrella Admin Console.", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_secret", - "description": "Api Secret provided by Umbrella Admin Console.", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "organization_id", - "description": "Organization ID provided by Umbrella Admin Console.", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "query_limit", - "description": "Maximum number of results to return.", - "type": "number", - "multi": false, - "required": false, - "default": 20 - } - ], - "dockerImage": "cortexneurons/umbrella_report:1.0" -} -, -{ - "name": "UnshortenLink", - "version": "1.1", - "author": "Remi Pointel, CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use UnshortenLink to reveal the real URL.", - "dataTypeList": [ - "url" - ], - "baseConfig": "UnshortenLink", - "dockerImage": "cortexneurons/unshortenlink:1.1" -} -, -{ - "name": "Urlscan.io_Search", - 
"author": "ninoseki", - "license": "MIT", - "url": "https://github.com/ninoseki/cortex_urlscan_analyzer", - "version": "0.1.0", - "description": "Search IPs, domains, hashes or URLs on urlscan.io", - "dataTypeList": [ - "ip", - "domain", - "hash", - "url" - ], - "dockerImage": "cortexneurons/urlscan.io_search:0.1.0" -} -, -{ - "name": "VMRay", - "license": "AGPL-V3", - "author": "Nils Kuhnert, CERT-Bund", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "3.0", - "description": "VMRay Sandbox file analysis.", - "dataTypeList": [ - "hash", - "file" - ], - "baseConfig": "VMRay", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "certverify", - "description": "Verify certificates", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "certpath", - "description": "Path to certificate file, in case of self-signed etc.", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "disablereanalyze", - "description": "If set to true, samples won't get re-analyzed.", - "type": "boolean", - "multi": false, - "required": false, - "defaultValue": false - } - ], - "dockerImage": "cortexneurons/vmray:3.0" -} -, -{ - "name": "VirusTotal_GetReport", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.", - "dataTypeList": [ - "file", - "hash", - "domain", - "ip", - "url" - ], - "baseConfig": "VirusTotal", - "config": { - "service": "get" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Virustotal", - "type": "string", - "multi": false, - "required": 
true - }, - { - "name": "polling_interval", - "description": "Define time interval between two requests attempts for the report", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 60 - } - ], - "dockerImage": "cortexneurons/virustotal_getreport:3.0" -} -, -{ - "name": "VirusTotal_Scan", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use VirusTotal to scan a file or URL.", - "dataTypeList": [ - "file", - "url" - ], - "baseConfig": "VirusTotal", - "config": { - "service": "scan" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Virustotal", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "polling_interval", - "description": "Define time interval between two requests attempts for the report", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 60 - } - ], - "dockerImage": "cortexneurons/virustotal_scan:3.0" -} -, -{ - "name": "Virusshare", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Search for MD5 hashes in Virusshare.com hash list", - "dataTypeList": [ - "hash", - "file" - ], - "baseConfig": "Virusshare", - "configurationItems": [ - { - "name": "path", - "description": "Define the path to the stored data", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/virusshare:2.0" -} -, -{ - "name": "WOT_Lookup", - "version": "1.0", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Web of Trust to check a domain's reputation.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "WOT", - "config": { - "service": "query" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define 
the API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/wot_lookup:1.0" -} -, -{ - "name": "Yara", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check files against YARA rules.", - "dataTypeList": [ - "file" - ], - "baseConfig": "Yara", - "configurationItems": [ - { - "name": "rules", - "description": "Define the path rules folder", - "type": "string", - "multi": true, - "required": true - } - ], - "dockerImage": "cortexneurons/yara:2.0" -} -, -{ - "name": "Yeti", - "author": "CERT-BDF", - "license": "AGPL-V3", - "url": "https://github.com/CERT/cortex-analyzers", - "version": "1.0", - "description": "Fetch observable details from a YETI instance.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "hash" - ], - "baseConfig": "Yeti", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_key", - "description": "Define the api key of the service", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/yeti:1.0" -} -] diff --git a/analyzers/catalog.json b/analyzers/catalog.json deleted file mode 100644 index a8b9e4951..000000000 --- a/analyzers/catalog.json +++ /dev/null 
@@ -1,3735 +0,0 @@ -[ -{ - "name": "AbuseIPDB", - "version": "1.0", - "author": "Matteo Lodi", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-v3", - "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB", - "dataTypeList": [ - "ip" - ], - "baseConfig": "AbuseIPDB", - "configurationItems": [ - { - "name": "key", - "description": "API key for AbuseIPDB", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "days", - "description": "Check for IP Reports in the last X days", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 30 - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "dockerImage": "cortexneurons/abuseipdb:1" -} -, -{ - "name": "Abuse_Finder", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.", - "dataTypeList": [ - "ip", - "domain", - "url", - "mail" - ], - "baseConfig": "Abuse_Finder", - "dockerImage": "cortexneurons/abuse_finder:2" -} -, -{ - "name": "BackscatterIO_Enrichment", - "version": "1.0", - "author": "brandon@backscatter.io", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Enrich values using Backscatter.io data.", - "dataTypeList": [ - "ip", - "network", - "autonomous-system", - "port" - ], - "baseConfig": "BackscatterIO", - "configurationItems": [ - { - "name": "key", - "description": "API key for Backscatter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": true, - "service": "enrichment" - }, - "dockerImage": "cortexneurons/backscatterio_enrichment:1" -} -, -{ - "name": "BackscatterIO_GetObservations", - "version": "1.0", - "author": "brandon@backscatter.io", - "url": 
"https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Determine whether a value has known scanning activity using Backscatter.io data.", - "dataTypeList": [ - "ip", - "network", - "autonomous-system" - ], - "baseConfig": "BackscatterIO", - "configurationItems": [ - { - "name": "key", - "description": "API key for Backscatter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": true, - "service": "observations" - }, - "dockerImage": "cortexneurons/backscatterio_getobservations:1" -} -, -{ - "name": "C1fApp", - "version": "1.0", - "author": "etz69", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query C1fApp OSINT Aggregator for IPs, domains and URLs", - "dataTypeList": [ - "url", - "domain", - "ip" - ], - "baseConfig": "C1fApp", - "configurationItems": [ - { - "name": "url", - "description": "URL of C1fApp service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/c1fapp:1" -} -, -{ - "name": "CERTatPassiveDNS", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Checks CERT.at Passive DNS for a given domain.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "CERTatPassiveDNS", - "configurationItems": [ - { - "name": "limit", - "description": "Define the maximum number of results per request", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - } - ], - "dockerImage": "cortexneurons/certatpassivedns:2" -} -, -{ - "name": "CIRCLPassiveDNS", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - 
"version": "2.0", - "description": "Check CIRCL's Passive DNS for a given domain or URL.", - "dataTypeList": [ - "domain", - "url", - "ip" - ], - "baseConfig": "CIRCL", - "configurationItems": [ - { - "name": "user", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/circlpassivedns:2" -} -, -{ - "name": "CIRCLPassiveSSL", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash.", - "dataTypeList": [ - "ip", - "certificate_hash", - "hash" - ], - "baseConfig": "CIRCL", - "configurationItems": [ - { - "name": "user", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/circlpassivessl:2" -} -, -{ - "name": "Censys", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/censys-analyzer", - "version": "1.0", - "description": "Check IPs, certificate hashes or domains against censys.io.", - "dataTypeList": [ - "ip", - "hash", - "domain" - ], - "baseConfig": "Censys", - "configurationItems": [ - { - "name": "uid", - "description": "UID for Censys", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/censys:1" -} -, -{ - "name": "Crt_sh_Transparency_Logs", - "author": "crackytsi", - "license": "AGPL-V3", - "url": "https://crt.sh", - "version": "1.0", - "baseConfig": "Crtsh", - "config": { - "check_tlp": false, - 
"max_tlp": 3 - }, - "description": "Query domains against the certificate transparency lists available at crt.sh.", - "dataTypeList": [ - "domain" - ], - "configurationItems": [], - "dockerImage": "cortexneurons/crt_sh_transparency_logs:1" -} -, -{ - "name": "CuckooSandbox_File_Analysis_Inet", - "version": "1.1", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Cuckoo Sandbox file analysis with Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "CuckooSandbox", - "configurationItems": [ - { - "name": "url", - "description": "URL", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "token", - "description": "API token", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/cuckoosandbox_file_analysis_inet:1" -} -, -{ - "name": "CuckooSandbox_Url_Analysis", - "version": "1.1", - "author": "Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/garanews/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Cuckoo Sandbox URL analysis.", - "dataTypeList": [ - "url" - ], - "baseConfig": "CuckooSandbox", - "configurationItems": [ - { - "name": "url", - "description": "URL", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "token", - "description": "API token", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path 
to the CA on the system used to check server certificate", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/cuckoosandbox_url_analysis:1" -} -, -{ - "name": "CyberCrime-Tracker", - "author": "ph34tur3", - "license": "AGPL-V3", - "url": "https://github.com/ph34tur3/Cortex-Analyzers", - "version": "1.0", - "description": "Search cybercrime-tracker.net for C2 servers.", - "dataTypeList": [ - "domain", - "fqdn", - "ip", - "url", - "other" - ], - "baseConfig": "CyberCrimeTracker", - "config": { - "check_tlp": true, - "max_tlp": 2 - }, - "configurationItems": [], - "dockerImage": "cortexneurons/cybercrime-tracker:1" -} -, -{ - "name": "Cyberprotect_ThreatScore", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect", - "dataTypeList": [ - "domain", - "ip" - ], - "baseConfig": "Cyberprotect", - "config": { - "service": "ThreatScore", - "check_tlp": true - }, - "dockerImage": "cortexneurons/cyberprotect_threatscore:1" -} -, -{ - "name": "Cymon_Check_IP", - "version": "2.1", - "author": "Julian Gonzalez", - "url": "https://github.com/ST2labs/Analyzers", - "license": "AGPL-V3", - "description": "Check an IP addr against Cymon.io.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Cymon", - "config": { - "service": "Check_IP" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for Cymon.io", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/cymon_check_ip:2" -} -, -{ - "name": "DNSDB_DomainName", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DNSDB", - "config": 
{ - "service": "domain_name" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_domainname:2" -} -, -{ - "name": "DNSDB_IPHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "DNSDB", - "config": { - "service": "ip_history" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_iphistory:2" -} -, -{ - "name": "DNSDB_NameHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DNSDB to fetch historical records for a fully-qualified domain name.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DNSDB", - "config": { - "service": "name_history" - }, - "configurationItems": [ - { - "name": "server", - "description": "DNSDB server name", - "type": "string", - "multi": false, - "required": true, - "defaultValue": "https://api.dnsdb.info" - }, - { - "name": "key", - "description": "Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/dnsdb_namehistory:2" -} -, -{ - "name": "DNSSinkhole", - "author": "Andrea Garavaglia, LDO-CERT", - "license": "AGPL-V3", - "url": "https://github.com/LDO-CERT/cortex-analyzer", - 
"version": "1.0", - "description": "Check if a domain is sinkholed via DNS Sinkhole server", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DNSSinkhole", - "configurationItems": [ - { - "name": "ip", - "description": "Define the DNS Sinkhole Server IP", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "sink_ip", - "description": "Define the sinkholed response address IP", - "required": true, - "multi": false, - "type": "string" - } - ], - "dockerImage": "cortexneurons/dnssinkhole:1" -} -, -{ - "name": "DShield_lookup", - "version": "1.0", - "author": "Xavier Xavier, SANS ISC", - "url": "https://github.com/xme/thehive/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query the SANS ISC DShield API to check for an IP address reputation.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "DShield", - "config": { - "service": "query" - }, - "dockerImage": "cortexneurons/dshield_lookup:1" -} -, -{ - "name": "DomainTools_HostingHistory", - "version": "2.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "hosting-history" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_hostinghistory:2" -} -, -{ - "name": "DomainTools_Reputation", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a reputation score on a domain or fqdn", - "dataTypeList": [ - 
"domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reputation" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reputation:2" -} -, -{ - "name": "DomainTools_ReverseIP", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names sharing the same IP address.", - "dataTypeList": [ - "ip", - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-ip" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reverseip:2" -} -, -{ - "name": "DomainTools_ReverseIPWhois", - "version": "2.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of IP addresses which share the same registrant information.", - "dataTypeList": [ - "mail", - "ip", - "domain", - "other" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-ip-whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": 
"cortexneurons/domaintools_reverseipwhois:2" -} -, -{ - "name": "DomainTools_ReverseNameServer", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names that share the same primary or secondary name server.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "name-server-domains" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reversenameserver:2" -} -, -{ - "name": "DomainTools_ReverseWhois", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of domain names which share the same registrant information.", - "dataTypeList": [ - "mail", - "ip", - "domain", - "other" - ], - "baseConfig": "DomainTools", - "config": { - "service": "reverse-whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_reversewhois:2" -} -, -{ - "name": "DomainTools_Risk", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "DomainTools", - "config": { - "service": 
"risk_evidence" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_risk:2" -} -, -{ - "name": "DomainTools_WhoisHistory", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get a list of historical Whois records associated with a domain name.", - "dataTypeList": [ - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois/history" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoishistory:2" -} -, -{ - "name": "DomainTools_WhoisLookup", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.", - "dataTypeList": [ - "domain", - "ip" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois/parsed" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoislookup:2" -} -, -{ - "name": "DomainTools_WhoisLookupUnparsed", - "version": "2.0", - 
"author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use DomainTools to get the ownership record for an IP address or a domain without parsing.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "DomainTools", - "config": { - "service": "whois" - }, - "configurationItems": [ - { - "name": "username", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "DomainTools API credentials", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/domaintools_whoislookupunparsed:2" -} -, -{ - "name": "EmergingThreats_DomainInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_domaininfo:1" -} -, -{ - "name": "EmergingThreats_IPInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET reputation, related malware, and IDS requests for a given IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_ipinfo:1" -} -, -{ - "name": "EmergingThreats_MalwareInfo", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", 
- "url": "https://github.com/dadokkio/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve ET details and info related to a malware hash.", - "dataTypeList": [ - "file", - "hash" - ], - "baseConfig": "EmergingThreats", - "configurationItems": [ - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/emergingthreats_malwareinfo:1" -} -, -{ - "name": "EmlParser", - "version": "1.2", - "author": "ninsmith", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "baseConfig": "EmlParser", - "config": { - "check_tlp": false, - "max_tlp": 3, - "service": "" - }, - "description": "Parse Eml message", - "dataTypeList": [ - "file" - ], - "dockerImage": "cortexneurons/emlparser:1" -} -, -{ - "name": "FileInfo", - "version": "6.0", - "author": "TheHive-Project", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...", - "dataTypeList": [ - "file" - ], - "baseConfig": "FileInfo", - "configurationItems": [ - { - "name": "manalyze_enable", - "description": "Wether to enable manalyze submodule or not.", - "type": "boolean", - "required": true, - "multi": false - }, - { - "name": "manalyze_enable_docker", - "description": "Use docker to run Manalyze.", - "type": "boolean", - "required": false, - "multi": false, - "default": false - }, - { - "name": "manalyze_enable_binary", - "description": "Use local binary to run Manalyze. 
Need to compile it before!", - "type": "boolean", - "required": false, - "multi": false, - "default": true - }, - { - "name": "manalyze_binary_path", - "description": "Path to the Manalyze binary that was compiled before", - "type": "string", - "required": false, - "multi": false, - "default": "/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze" - } - ], - "dockerImage": "cortexneurons/fileinfo:6" -} -, -{ - "name": "FireEyeiSight", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/LDO-CERT/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.", - "dataTypeList": [ - "domain", - "ip", - "hash", - "url" - ], - "baseConfig": "FireEyeiSight", - "config": { - "check_tlp": true, - "max_tlp": 2, - "service": "query" - }, - "configurationItems": [ - { - "name": "key", - "description": "API key for FireEye iSIGHT.", - "required": true, - "type": "string", - "multi": false - }, - { - "name": "pwd", - "description": "Password associated to the API key.", - "required": true, - "type": "string", - "multi": false - } - ], - "dockerImage": "cortexneurons/fireeyeisight:1" -} -, -{ - "name": "FireHOLBlocklists", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Check IP addresses against the FireHOL blocklists", - "dataTypeList": [ - "ip" - ], - "baseConfig": "FireHOLBlocklists", - "configurationItems": [ - { - "name": "blocklistpath", - "description": "Path to blocklists", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/fireholblocklists:2" -} -, -{ - "name": "Fortiguard_URLCategory", - "version": "2.1", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "dataTypeList": [ - "domain", - "url", - "fqdn" - ], 
- "description": "Check the Fortiguard category of a URL, FQDN or a domain. Check the full available list at https://fortiguard.com/webfilter/categories", - "baseConfig": "Fortiguard", - "configurationItems": [ - { - "name": "malicious_categories", - "description": "List of FortiGuard categories to be considered as malicious", - "type": "string", - "multi": true, - "required": true, - "defaultValue": [ - "Malicious Websites", - "Phishing", - "Spam URLs" - ] - }, - { - "name": "suspicious_categories", - "description": "List of FortiGuard categories to be considered as suspicious", - "type": "string", - "multi": true, - "required": true, - "defaultValue": [ - "Newly Observed Domain", - "Newly Registered Domain", - "Dynamic DNS", - "Proxy Avoidance", - "Hacking" - ] - } - ], - "dockerImage": "cortexneurons/fortiguard_urlcategory:2" -} -, -{ - "name": "GoogleDNS_resolve", - "version": "1.0.0", - "author": "CERT-LaPoste", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Request Google DNS over HTTPS service", - "dataTypeList": [ - "domain", - "ip", - "fqdn" - ], - "baseConfig": "GoogleDNS", - "config": { - "service": "get" - }, - "configurationItems": [], - "dockerImage": "cortexneurons/googledns_resolve:1" -} -, -{ - "name": "GoogleSafebrowsing", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Use Google Safebrowing to check URLs and domain names.", - "dataTypeList": [ - "url", - "domain" - ], - "baseConfig": "GoogleSafebrowsing", - "configurationItems": [ - { - "name": "client_id", - "description": "Client identifier", - "type": "string", - "multi": false, - "required": false, - "defaultValue": "cortex" - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/googlesafebrowsing:2" -} -, -{ - "name": 
"GreyNoise", - "version": "2.3", - "author": "Nclose", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "APLv2", - "description": "Determine whether an IP has known scanning activity using GreyNoise.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "GreyNoise", - "configurationItems": [ - { - "name": "key", - "description": "API key for GreyNoise", - "type": "string", - "multi": false, - "required": false - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "dockerImage": "cortexneurons/greynoise:2" -} -, -{ - "name": "HIBP_Query", - "version": "1.0", - "author": "Matt Erasmus", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query haveibeenpwned.com for a compromised email address", - "dataTypeList": [ - "mail" - ], - "baseConfig": "HIBP", - "config": { - "service": "query", - "url": "https://haveibeenpwned.com/api/v2/breachedaccount/" - }, - "configurationItems": [ - { - "name": "unverified", - "description": "Include unverified breaches", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/hibp_query:1" -} -, -{ - "name": "Hashdd_Detail", - "version": "1.0", - "author": "iosonogio", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPLv3", - "description": "Determine whether a hash is good or bad; if good then list what it is.", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Hashdd", - "config": { - "service": "detail" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "API key for hashdd", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hashdd_detail:1" -} -, -{ - "name": "Hashdd_Status", - "version": "1.0", - "author": "iosonogio", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPLv3", - "description": "Determine whether a hash is 
good or bad.", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Hashdd", - "config": { - "service": "status" - }, - "configurationItems": [ - { - "name": "api_key", - "description": "API key for hashdd", - "type": "string", - "multi": false, - "required": false - } - ], - "dockerImage": "cortexneurons/hashdd_status:1" -} -, -{ - "name": "Hipposcore", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Hippocampe Score report associated with an IP address, a domain or a URL.", - "dataTypeList": [ - "ip", - "domain", - "fqdn", - "url" - ], - "baseConfig": "Hippocampe", - "config": { - "service": "hipposcore" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hipposcore:2" -} -, -{ - "name": "HippoMore", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the Hippocampe detailed report for an IP address, a domain or a URL.", - "dataTypeList": [ - "ip", - "domain", - "fqdn", - "url" - ], - "baseConfig": "Hippocampe", - "config": { - "service": "more" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hippomore:2" -} -, -{ - "name": "Hunterio_DomainSearch", - "author": "Rémi Allain, Cyberprotect", - "license": "AGPL-V3", - "url": "https://github.com/Cyberprotect/Cortex-Analyzers", - "version": "1.0", - "description": "hunter.io is a service to find email addresses from a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Hunterio", - "config": { - "service": "domainsearch", - "check_tlp": false - }, - "configurationItems": [ - { - "name": "key", - "description": "api key 
of hunter.io", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hunterio_domainsearch:1" -} -, -{ - "name": "HybridAnalysis_GetReport", - "version": "1.0", - "author": "Daniil Yugoslavskiy, Tieto", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "dataTypeList": [ - "hash", - "file", - "filename" - ], - "description": "Fetch Hybrid Analysis reports associated with hashes and filenames.", - "baseConfig": "HybridAnalysis", - "configurationItems": [ - { - "name": "secret", - "description": "HybridAnalysis secret", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/hybridanalysis_getreport:1" -} -, -{ - "name": "IBMXForce_Lookup", - "version": "1.0", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "url": "https://github.com/LDO-CERT/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query domains, IPs, hashes and URLs against IBM X-Force threat intelligence sharing platform.", - "dataTypeList": [ - "domain", - "ip", - "hash", - "url" - ], - "baseConfig": "IBMXForce", - "config": { - "service": "query" - }, - "configurationItems": [ - { - "name": "url", - "description": "X-Force API URL", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "key", - "description": "X-Force API Key", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "pwd", - "description": "X-Force API Password", - "required": true, - "multi": false, - "type": "string" - }, - { - "name": "verify", - "description": "Enable/Disable certificate verification", - "required": false, - "multi": false, - "type": "boolean", - "default": true - } - ], - "dockerImage": "cortexneurons/ibmxforce_lookup:1" -} -, -{ - "name": "Investigate_Categorization", - "version": "1.0", - "author": "Cisco Umbrella 
Research @opendns", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate", - "license": "AGPL-V3", - "description": "Retrieve Investigate categorization and security features for a domain.", - "dataTypeList": [ - "domain", - "fqdn" - ], - "baseConfig": "Investigate", - "config": { - "service": "categorization" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the Investigate API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/investigate_categorization:1" -} -, -{ - "name": "Investigate_Sample", - "version": "1.0", - "author": "Cisco Umbrella Research @opendns", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate", - "license": "AGPL-V3", - "description": "Retrieve sample data from Investigate for a hash. (Sample data provided by ThreatGrid)", - "dataTypeList": [ - "hash" - ], - "baseConfig": "Investigate", - "config": { - "service": "sample" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the Investigate API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/investigate_sample:1" -} -, -{ - "name": "JoeSandbox_File_Analysis_Inet", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox file analysis with Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "file_analysis_inet" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 
- }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_file_analysis_inet:2" -} -, -{ - "name": "JoeSandbox_File_Analysis_Noinet", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox file analysis without Internet access.", - "dataTypeList": [ - "file" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "file_analysis_noinet" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_file_analysis_noinet:2" -} -, -{ - "name": "JoeSandbox_Url_Analysis", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Joe Sandbox URL analysis.", - "dataTypeList": [ - "url" - ], - "baseConfig": "JoeSandbox", - "config": { - "service": "url_analysis" - }, - "configurationItems": [ - { - "name": "url", - "description": "URL of JoeSandbox service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "API key", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "analysistimeout", - "description": "Analysis timeout (seconds)", - "type": "number", - "multi": false, - 
"required": true, - "defaultValue": 1800 - }, - { - "name": "networktimeout", - "description": "Network timeout (second)", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 30 - } - ], - "dockerImage": "cortexneurons/joesandbox_url_analysis:2" -} -, -{ - "name": "MISP", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", - "version": "2.0", - "description": "Query multiple MISP instances for events containing an observable.", - "dataTypeList": [ - "domain", - "ip", - "url", - "fqdn", - "uri_path", - "user-agent", - "hash", - "email", - "mail", - "mail_subject", - "registry", - "regexp", - "other", - "filename" - ], - "baseConfig": "MISP", - "configurationItems": [ - { - "name": "name", - "description": "Name of MISP servers", - "multi": true, - "required": false, - "type": "string" - }, - { - "name": "url", - "description": "URL of MISP servers", - "type": "string", - "multi": true, - "required": true - }, - { - "name": "key", - "description": "API key for each server", - "type": "string", - "multi": true, - "required": true - }, - { - "name": "cert_check", - "description": "Verify server certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - }, - { - "name": "cert_path", - "description": "Path to the CA on the system used to check server certificate", - "type": "string", - "multi": true, - "required": false - } - ], - "dockerImage": "cortexneurons/misp:2" -} -, -{ - "name": "MISPWarningLists", - "author": "Nils Kuhnert, CERT-Bund", - "license": "AGPL-V3", - "url": "https://github.com/BSI-CERT-Bund/misp-warninglists-analyzer", - "version": "1.0", - "description": "Check IoCs/Observables against MISP Warninglists to filter false positives.", - "dataTypeList": [ - "ip", - "hash", - "domain", - "fqdn", - "url" - ], - "baseConfig": "MISPWarningLists", - "configurationItems": [ - { - "name": "path", - "description": "path to 
Warninglists folder", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/mispwarninglists:1" -} -, -{ - "name": "Malpedia", - "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT", - "license": "AGPL-V3", - "url": "https://github.com/LDO-CERT/cortex-analyzers", - "version": "1.0", - "description": "Check files against Malpedia YARA rules.", - "dataTypeList": [ - "file" - ], - "baseConfig": "Malpedia", - "configurationItems": [ - { - "name": "path", - "description": "Rulepath", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "username", - "description": "Username", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Password", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malpedia:1" -} -, -{ - "name": "Malwares_GetReport", - "version": "1.0", - "author": "LDO-CERT", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest Malwares report for a file, hash, domain or an IP address.", - "dataTypeList": [ - "file", - "hash", - "domain", - "ip" - ], - "baseConfig": "Malwares", - "config": { - "check_tlp": true, - "max_tlp": 3, - "service": "get" - }, - "configurationItems": [ - { - "name": "key", - "description": "Malwares.com API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malwares_getreport:1" -} -, -{ - "name": "Malwares_Scan", - "version": "1.0", - "author": "LDO-CERT", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Malwares' API to scan a file or URL.", - "dataTypeList": [ - "file", - "url" - ], - "baseConfig": "Malwares", - "config": { - "check_tlp": true, - "service": "scan", - "max_tlp": 1 - }, - "configurationItems": [ - { - "name": "key", - "description": "Malwares.com API Key", - "type": 
"string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/malwares_scan:1" -} -, -{ - "name": "MaxMind_GeoIP", - "version": "3.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use MaxMind to geolocate an IP address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "MaxMind", - "dockerImage": "cortexneurons/maxmind_geoip:3" -} -, -{ - "name": "Mnemonic_pDNS_Closed", - "version": "3.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "https://passivedns.mnemonic.no/search", - "license": "AGPL-V3", - "description": "Query IP addresses and domains against Mnemonic pDNS restricted service.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "Mnemonic_pDNS", - "config": { - "check_tlp": true, - "service": "closed" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/mnemonic_pdns_closed:3" -} -, -{ - "name": "Mnemonic_pDNS_Public", - "version": "3.0", - "author": "Michael Stensrud, Nordic Financial CERT", - "url": "https://passivedns.mnemonic.no/search", - "license": "AGPL-V3", - "description": "Query IP addresses and domains against Mnemonic pDNS public service.", - "dataTypeList": [ - "ip", - "domain" - ], - "baseConfig": "Mnemonic_pDNS", - "config": { - "check_tlp": true, - "service": "public" - }, - "configurationItems": [], - "dockerImage": "cortexneurons/mnemonic_pdns_public:3" -} -, -{ - "name": "Msg_Parser", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Parse Outlook MSG files and extract the main artifacts.", - "dataTypeList": [ - "file" - ], - "baseConfig": "MsgParser", - "dockerImage": "cortexneurons/msg_parser:2" -} -, -{ - "name": "Nessus", - "version": "2.0", - "author": "Guillaume 
Rousse", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Nessus Professional to scan hosts.", - "dataTypeList": [ - "ip", - "fqdn" - ], - "baseConfig": "Nessus", - "configurationItems": [ - { - "name": "url", - "description": "Define the URL to the Nessus service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "login", - "description": "Define the login to Nessus", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "password", - "description": "Define the password to the Nessus account", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "policy", - "description": "Define the policy used to run scans", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "ca_bundle", - "description": "Define the path to the Nessus CA", - "type": "string", - "multi": false, - "required": false - }, - { - "name": "allowed_network", - "description": "Define networks allowed to be scanned", - "type": "string", - "multi": true, - "required": true - } - ], - "dockerImage": "cortexneurons/nessus:2" -} -, -{ - "name": "OTXQuery", - "version": "2.0", - "author": "Eric Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Query AlienVault OTX for IPs, domains, URLs, or file hashes.", - "dataTypeList": [ - "url", - "domain", - "file", - "hash", - "ip" - ], - "baseConfig": "OTXQuery", - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/otxquery:2" -} -, -{ - "name": "Onyphe_Datascan", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve datascan information Onyphe has for the given IPv{4,6} address with history of 
changes or search a string.", - "dataTypeList": [ - "ip", - "other" - ], - "baseConfig": "Onyphe", - "config": { - "service": "datascan" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_datascan:1" -} -, -{ - "name": "Onyphe_Forward", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "forward" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_forward:1" -} -, -{ - "name": "Onyphe_Geolocate", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve geolocation information for the given IPv{4,6} address.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "geolocate" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_geolocate:1" -} -, -{ - "name": "Onyphe_Inetnum", - "version": "1.0", - "author": "ANSSI", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve Onyphe Inetnum information on an IPv{4,6} address with history.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "inetnum" - }, - 
"configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_inetnum:1" -} -, -{ - "name": "Onyphe_Ports", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve synscan information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "ports" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_ports:1" -} -, -{ - "name": "Onyphe_Reverse", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/cybernardo/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "reverse" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_reverse:1" -} -, -{ - "name": "Onyphe_Threats", - "version": "1.0", - "author": "Pierre Baudry, Adrien Barchapt", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Retrieve Onyphe threat information for the given IPv{4,6} address with history.", - "dataTypeList": [ - "ip" - ], - "baseConfig": "Onyphe", - "config": { - "service": "threats" - }, - "configurationItems": [ - { - "name": "key", - "description": "Define the API key to use to connect the 
service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/onyphe_threats:1" -} -, -{ - "name": "PassiveTotal_Enrichment", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Enrichment Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "enrichment" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_enrichment:2" -} -, -{ - "name": "PassiveTotal_Malware", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Malware Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "malware" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_malware:2" -} -, -{ - "name": "PassiveTotal_Osint", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal OSINT Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": 
"osint" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_osint:2" -} -, -{ - "name": "PassiveTotal_Passive_Dns", - "version": "2.1", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Passive DNS Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "passive_dns" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_passive_dns:2" -} -, -{ - "name": "PassiveTotal_Ssl_Certificate_Details", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal SSL Certificate Details Lookup.", - "dataTypeList": [ - "hash", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "ssl_certificate_details" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": 
"cortexneurons/passivetotal_ssl_certificate_details:2" -} -, -{ - "name": "PassiveTotal_Ssl_Certificate_History", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal SSL Certificate History Lookup.", - "dataTypeList": [ - "hash", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "ssl_certificate_history" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_ssl_certificate_history:2" -} -, -{ - "name": "PassiveTotal_Unique_Resolutions", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Unique Resolutions Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - "config": { - "service": "unique_resolutions" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_unique_resolutions:2" -} -, -{ - "name": "PassiveTotal_Whois_Details", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PassiveTotal Whois Details Lookup.", - "dataTypeList": [ - "domain", - "fqdn", - "ip" - ], - "baseConfig": "PassiveTotal", - 
"config": { - "service": "whois_details" - }, - "configurationItems": [ - { - "name": "username", - "description": "Define the username of the account used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key to use to connect the service", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/passivetotal_whois_details:2" -} -, -{ - "name": "Patrowl_GetReport", - "version": "1.0", - "author": "Nicolas Mattiocco", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the current Patrowl report for a fdqn, a domain or an IP address.", - "dataTypeList": [ - "fqdn", - "domain", - "ip" - ], - "baseConfig": "Patrowl", - "config": { - "service": "getreport" - }, - "configurationItems": [ - { - "name": "url", - "description": "Define the PatrOwl url", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "api_key", - "description": "Define the PatrOwl API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/patrowl_getreport:1" -} -, -{ - "name": "PayloadSecurity_File_Analysis", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/notset/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PayloadSecurity Sandbox File Analysis", - "dataTypeList": [ - "file" - ], - "baseConfig": "PayloadSecurity", - "configurationItems": [ - { - "name": "url", - "description": "Define the url of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "secret", - "description": "Define the secret used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": 
"environmentId", - "description": "Define the environment Id used by the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - }, - { - "name": "timeout", - "description": "Define the timeout of requests to the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 15 - }, - { - "name": "verifyssl", - "description": "Verify SSL certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/payloadsecurity_file_analysis:1" -} -, -{ - "name": "PayloadSecurity_Url_Analysis", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/notset/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "PayloadSecurity Sandbox Url Analysis", - "dataTypeList": [ - "url" - ], - "baseConfig": "PayloadSecurity", - "configurationItems": [ - { - "name": "url", - "description": "Define the url of the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "key", - "description": "Define the API key used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "secret", - "description": "Define the secret used to connect the service", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "environmentId", - "description": "Define the environment Id used by the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 100 - }, - { - "name": "timeout", - "description": "Define the timeout of requests to the service", - "type": "number", - "multi": false, - "required": true, - "defaultValue": 15 - }, - { - "name": "verifyssl", - "description": "Verify SSL certificate", - "type": "boolean", - "multi": false, - "required": true, - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/payloadsecurity_url_analysis:1" -} -, -{ - "name": "PhishTank_CheckURL", - "version": "2.1", - "author": "Eric 
Capuano", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use PhishTank to check if a URL is a verified phishing site.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishTank", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishtank_checkurl:2" -} -, -{ - "name": "PhishingInitiative_Lookup", - "version": "2.0", - "author": "CERT-BDF", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Phishing Initiative to check if a URL is a verified phishing site.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishingInitiative", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishinginitiative_lookup:2" -} -, -{ - "name": "PhishingInitiative_Scan", - "version": "1.0", - "author": "Remi Pointel", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Use Phishing Initiative to scan a URL.", - "dataTypeList": [ - "url" - ], - "baseConfig": "PhishingInitiative", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/phishinginitiative_scan:1" -} -, -{ - "name": "ProofPoint_Lookup", - "version": "1.0", - "author": "Emmanuel Torquato", - "url": "https://github.com/CERT-BDF/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check URL, file, SHA256 against ProofPoint forensics", - "dataTypeList": [ - "url", - "file", - "hash" - ], - "baseConfig": "ProofPoint", - "config": { - "service": "query", - "max_tlp": 1, - "check_tlp": true - }, - "configurationItems": [ - { - "name": "url", - "description": 
"URL of the Proofpoint API, the default should be okay.", - "type": "string", - "required": true, - "defaultValue": "https://tap-api-v2.proofpoint.com", - "multi": false - }, - { - "name": "apikey", - "description": "API key to use", - "type": "string", - "required": true, - "multi": false - }, - { - "name": "secret", - "description": "Secret to the API key", - "type": "string", - "required": true, - "multi": false - }, - { - "name": "verifyssl", - "description": "Verify server's SSL certificate", - "type": "boolean", - "defaultValue": true - } - ], - "dockerImage": "cortexneurons/proofpoint_lookup:1" -} -, -{ - "name": "Pulsedive_GetIndicator", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Search Pulsedive.com for a giver domain name, hash, ip or url", - "dataTypeList": [ - "url", - "domain", - "ip", - "hash" - ], - "baseConfig": "Pulsedive", - "configurationItems": [ - { - "name": "key", - "description": "Define the API Key", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/pulsedive_getindicator:1" -} -, -{ - "name": "RecordedFuture_risk", - "version": "1.0", - "author": "KAPSCH-CDC", - "url": "https://github.com/kapschcdc/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Get the latest risk data from RecordedFuture for a hash, domain or an IP address.", - "dataTypeList": [ - "domain", - "ip", - "hash" - ], - "baseConfig": "RecordedFuture", - "configurationItems": [ - { - "name": "key", - "description": "API key for RecordedFuture", - "type": "string", - "multi": false, - "required": true - } - ], - "dockerImage": "cortexneurons/recordedfuture_risk:1" -} -, -{ - "name": "Robtex_Forward_PDNS_Query", - "version": "1.0", - "author": "Nils Kuhnert", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-V3", - "description": "Check domains and FQDNs using the Robtex passive 
DNS API.",
- "dataTypeList": [
- "domain",
- "fqdn"
- ],
- "baseConfig": "Robtex",
- "config": {
- "service": "fpdnsquery"
- },
- "dockerImage": "cortexneurons/robtex_forward_pdns_query:1"
-}
-,
-{
- "name": "Robtex_IP_Query",
- "version": "1.0",
- "author": "Nils Kuhnert",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Check IPs using the Robtex IP API.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "Robtex",
- "config": {
- "service": "ipquery"
- },
- "dockerImage": "cortexneurons/robtex_ip_query:1"
-}
-,
-{
- "name": "Robtex_Reverse_PDNS_Query",
- "version": "1.0",
- "author": "Nils Kuhnert",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Check IPs using the Robtex reverse passive DNS API.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "Robtex",
- "config": {
- "service": "rpdnsquery"
- },
- "dockerImage": "cortexneurons/robtex_reverse_pdns_query:1"
-}
-,
-{
- "name": "SecurityTrails_Passive_DNS",
- "version": "1.0",
- "author": "Manabu Niseki, @ninoseki",
- "url": "https://github.com/ninoseki/cortex-securitytrails",
- "license": "MIT",
- "description": "SecurityTrails Passive DNS Lookup.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "SecurityTrails",
- "config": {
- "service": "passive_dns"
- },
- "configurationItems": [
- {
- "name": "api_key",
- "description": "Define the API key to use to connect the service",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/securitytrails_passive_dns:1"
-}
-,
-{
- "name": "SecurityTrails_Whois",
- "version": "1.0",
- "author": "Manabu Niseki, @ninoseki",
- "url": "https://github.com/ninoseki/cortex-securitytrails",
- "license": "MIT",
- "description": "SecurityTrails Whois Lookup.",
- "dataTypeList": [
- "domain"
- ],
- "baseConfig": "SecurityTrails",
- "config": {
- "service": "whois"
- },
- "configurationItems": [
- {
- "name": "api_key",
- "description": "Define the API key to use to connect the service",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/securitytrails_whois:1"
-}
-,
-{
- "name": "Shodan_DNSResolve",
- "version": "1.0",
- "author": "ANSSI",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
- "license": "AGPL-V3",
- "description": "Retrieve domain resolutions on Shodan.",
- "dataTypeList": [
- "domain"
- ],
- "baseConfig": "Shodan",
- "config": {
- "service": "dns_resolve"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/shodan_dnsresolve:1"
-}
-,
-{
- "name": "Shodan_Host",
- "version": "1.0",
- "author": "Sebastien Larinier @Sebdraven",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
- "license": "AGPL-V3",
- "description": "Retrieve key Shodan information on an IP address.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "Shodan",
- "config": {
- "service": "host"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/shodan_host:1"
-}
-,
-{
- "name": "Shodan_Host_History",
- "version": "1.0",
- "author": "ANSSI",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
- "license": "AGPL-V3",
- "description": "Retrieve Shodan history scan results for an IP address.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "Shodan",
- "config": {
- "service": "host_history"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/shodan_host_history:1"
-}
-,
-{
- "name": "Shodan_InfoDomain",
- "version": "1.0",
- "author": "ANSSI",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
- "license": "AGPL-V3",
- "description": "Retrieve key Shodan information on a domain.",
- "dataTypeList": [
- "domain"
- ],
- "baseConfig": "Shodan",
- "config": {
- "service": "info_domain"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/shodan_infodomain:1"
-}
-,
-{
- "name": "Shodan_ReverseDNS",
- "version": "1.0",
- "author": "ANSSI",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
- "license": "AGPL-V3",
- "description": "Retrieve ip reverse DNS resolutions on Shodan.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "Shodan",
- "config": {
- "service": "reverse_dns"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/shodan_reversedns:1"
-}
-,
-{
- "name": "Shodan_Search",
- "version": "2.0",
- "author": "Sebastien Larinier @Sebdraven",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
- "license": "AGPL-V3",
- "description": "Search query on Shodan",
- "dataTypeList": [
- "other"
- ],
- "baseConfig": "Shodan",
- "config": {
- "service": "search"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/shodan_search:2"
-}
-,
-{
- "name": "SinkDB",
- "author": "Nils Kuhnert, CERT-Bund",
- "license": "AGPL-V3",
- "url": "https://github.com/BSI-CERT-Bund/sinkdb-analyzer",
- "version": "1.0",
- "description": "Check if ip is sinkholed via sinkdb.abuse.ch",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "SinkDB",
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API Key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/sinkdb:1"
-}
-,
-{
- "name": "SoltraEdge",
- "version": "1.0",
- "author": "Michael Stensrud, Nordic Financial CERT",
- "url": "http://soltra.com/en/",
- "license": "AGPL-V3",
- "description": "Query against Soltra Edge.",
- "dataTypeList": [
- "domain",
- "ip",
- "url",
- "fqdn",
- "uri_path",
- "user-agent",
- "hash",
- "email",
- "mail",
- "mail_subject",
- "registry",
- "regexp",
- "other",
- "filename"
- ],
- "baseConfig": "Soltra_Edge",
- "config": {
- "check_tlp": true,
- "service": "search"
- },
- "configurationItems": [
- {
- "name": "token",
- "description": "Define the Token Key",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "username",
- "description": "Define the Username",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "base_url",
- "description": "Base API URL for Soltra Edge Server. (Example: https://test.soltra.com/api/stix)",
- "type": "string",
- "multi": false,
- "required": true,
- "defaultValue": "https://feed.yourdomain./api/stix"
- },
- {
- "name": "verify_ssl",
- "description": "Verify server certificate",
- "type": "boolean",
- "multi": false,
- "required": true,
- "defaultValue": true
- }
- ],
- "dockerImage": "cortexneurons/soltraedge:1"
-}
-,
-{
- "name": "StaxxSearch",
- "author": "Robert Nixon",
- "license": "AGPL-V3",
- "url": "https://github.com/robertnixon2003/Cortex-Analyzers",
- "version": "1.0",
- "description": "Fetch observable details from an Anomali STAXX instance.",
- "dataTypeList": [
- "domain",
- "fqdn",
- "ip",
- "url",
- "hash",
- "mail"
- ],
- "baseConfig": "staxx",
- "configurationItems": [
- {
- "name": "auth_url",
- "description": "Define the URL of the auth endpoint",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "query_url",
- "description": "Define the URL of the intelligence endpoint",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "username",
- "description": "STAXX User Name",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "password",
- "description": "STAXX Password",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "cert_check",
- "description": "Verify server certificate",
- "type": "boolean",
- "multi": false,
- "required": true,
- "defaultValue": true
- },
- {
- "name": "cert_path",
- "description": "Path to the CA on the system used to check the server certificate",
- "type": "string",
- "multi": true,
- "required": false
- }
- ],
- "dockerImage": "cortexneurons/staxxsearch:1"
-}
-,
-{
- "name": "StopForumSpam",
- "author": "Marc-Andre Doll, STARC by EXAPROBE",
- "license": "AGPL-V3",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "version": "1.0",
- "baseConfig": "StopForumSpam",
- "config": {
- "check_tlp": true,
- "max_tlp": 2
- },
- "configurationItems": [
- {
- "name": "suspicious_confidence_level",
- "description": "Confidence threshold above which the artifact should be marked as suspicious",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 0
- },
- {
- "name": "malicious_confidence_level",
- "description": "Confidence threshold above which the artifact should be marked as malicious",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 90
- }
- ],
- "description": "Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.",
- "dataTypeList": [
- "ip",
- "mail"
- ],
- "dockerImage": "cortexneurons/stopforumspam:1"
-}
-,
-{
- "name": "TalosReputation",
- "version": "1.0",
- "author": "Gabriel Antonio da Silva",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Get the Talos IP reputation",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "TalosReputation",
- "dockerImage": "cortexneurons/talosreputation:1"
-}
-,
-{
- "name": "Threatcrowd",
- "author": "Rémi Allain, Cyberprotect",
- "license": "AGPL-V3",
- "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
- "version": "1.0",
- "description": "Look up domains, mail and IP addresses on ThreatCrowd.",
- "dataTypeList": [
- "mail",
- "ip",
- "domain"
- ],
- "baseConfig": "Threatcrowd",
- "config": {
- "check_tlp": false,
- "service": "get"
- },
- "dockerImage": "cortexneurons/threatcrowd:1"
-}
-,
-{
- "name": "TorBlutmagie",
- "author": "Marc-André DOLL, STARC by EXAPROBE",
- "license": "AGPL-V3",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "version": "1.0",
- "description": "Query http://torstatus.blutmagie.de/query_export.php/Tor_query_EXPORT.csv for TOR exit nodes IP addresses or names.",
- "dataTypeList": [
- "ip",
- "domain",
- "fqdn"
- ],
- "baseConfig": "TorBlutmagie",
- "configurationItems": [
- {
- "name": "cache.duration",
- "description": "Define the cache duration",
- "type": "number",
- "multi": false,
- "required": true,
- "defaultValue": 3600
- },
- {
- "name": "cache.root",
- "description": "Define the path to the stored data",
- "type": "string",
- "multi": false,
- "required": false
- }
- ],
- "dockerImage": "cortexneurons/torblutmagie:1"
-}
-,
-{
- "name": "TorProject",
- "author": "Marc-André DOLL, STARC by EXAPROBE",
- "license": "AGPL-V3",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "version": "1.0",
- "description": "Query https://check.torproject.org/exit-addresses for TOR exit nodes IP addresses.",
- "dataTypeList": [
- "ip"
- ],
- "baseConfig": "TorProject",
- "configurationItems": [
- {
- "name": "ttl",
- "description": "Define the TTL",
- "type": "number",
- "multi": false,
- "required": true,
- "defaultValue": 86400
- },
- {
- "name": "cache.duration",
- "description": "Define the cache duration",
- "type": "number",
- "multi": false,
- "required": true,
- "defaultValue": 3600
- },
- {
- "name": "cache.root",
- "description": "Define the path to the stored data",
- "type": "string",
- "multi": false,
- "required": false
- }
- ],
- "dockerImage": "cortexneurons/torproject:1"
-}
-,
-{
- "name": "URLhaus",
- "author": "ninoseki, Nils Kuhnert",
- "license": "MIT",
- "url": "https://github.com/ninoseki/cortex_URLhaus_analyzer",
- "version": "2.0",
- "description": "Search domains, IPs, URLs or hashes on URLhaus.",
- "dataTypeList": [
- "domain",
- "url",
- "hash",
- "ip"
- ],
- "configurationItems": [],
- "dockerImage": "cortexneurons/urlhaus:2"
-}
-,
-{
- "name": "Umbrella_Report",
- "version": "1.0",
- "author": "Kyle Parrish",
- "url": "https://github.com/arnydo/thehive/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Query the Umbrella Reporting API for recent DNS queries and their status.",
- "dataTypeList": [
- "domain"
- ],
- "baseConfig": "Umbrella",
- "config": {
- "service": "get"
- },
- "configurationItems": [
- {
- "name": "api_key",
- "description": "Api Key provided by Umbrella Admin Console.",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "api_secret",
- "description": "Api Secret provided by Umbrella Admin Console.",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "organization_id",
- "description": "Organization ID provided by Umbrella Admin Console.",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "query_limit",
- "description": "Maximum number of results to return.",
- "type": "number",
- "multi": false,
- "required": false,
- "default": 20
- }
- ],
- "dockerImage": "cortexneurons/umbrella_report:1"
-}
-,
-{
- "name": "UnshortenLink",
- "version": "1.1",
- "author": "Remi Pointel, CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Use UnshortenLink to reveal the real URL.",
- "dataTypeList": [
- "url"
- ],
- "baseConfig": "UnshortenLink",
- "dockerImage": "cortexneurons/unshortenlink:1"
-}
-,
-{
- "name": "Urlscan.io_Search",
- "author": "ninoseki",
- "license": "MIT",
- "url": "https://github.com/ninoseki/cortex_urlscan_analyzer",
- "version": "0.1.0",
- "description": "Search IPs, domains, hashes or URLs on urlscan.io",
- "dataTypeList": [
- "ip",
- "domain",
- "hash",
- "url"
- ],
- "dockerImage": "cortexneurons/urlscan.io_search:0"
-}
-,
-{
- "name": "VMRay",
- "license": "AGPL-V3",
- "author": "Nils Kuhnert, CERT-Bund",
- "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
- "version": "3.0",
- "description": "VMRay Sandbox file analysis.",
- "dataTypeList": [
- "hash",
- "file"
- ],
- "baseConfig": "VMRay",
- "configurationItems": [
- {
- "name": "url",
- "description": "Define the URL of the service",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "key",
- "description": "Define the API key",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "certverify",
- "description": "Verify certificates",
- "type": "boolean",
- "multi": false,
- "required": true,
- "defaultValue": true
- },
- {
- "name": "certpath",
- "description": "Path to certificate file, in case of self-signed etc.",
- "type": "string",
- "multi": false,
- "required": false
- },
- {
- "name": "disablereanalyze",
- "description": "If set to true, samples won't get re-analyzed.",
- "type": "boolean",
- "multi": false,
- "required": false,
- "defaultValue": false
- }
- ],
- "dockerImage": "cortexneurons/vmray:3"
-}
-,
-{
- "name": "VirusTotal_GetReport",
- "version": "3.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.",
- "dataTypeList": [
- "file",
- "hash",
- "domain",
- "ip",
- "url"
- ],
- "baseConfig": "VirusTotal",
- "config": {
- "service": "get"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "API key for Virustotal",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "polling_interval",
- "description": "Define time interval between two requests attempts for the report",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 60
- }
- ],
- "dockerImage": "cortexneurons/virustotal_getreport:3"
-}
-,
-{
- "name": "VirusTotal_Scan",
- "version": "3.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Use VirusTotal to scan a file or URL.",
- "dataTypeList": [
- "file",
- "url"
- ],
- "baseConfig": "VirusTotal",
- "config": {
- "service": "scan"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "API key for Virustotal",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "polling_interval",
- "description": "Define time interval between two requests attempts for the report",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 60
- }
- ],
- "dockerImage": "cortexneurons/virustotal_scan:3"
-}
-,
-{
- "name": "Virusshare",
- "author": "Nils Kuhnert, CERT-Bund",
- "license": "AGPL-V3",
- "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
- "version": "2.0",
- "description": "Search for MD5 hashes in Virusshare.com hash list",
- "dataTypeList": [
- "hash",
- "file"
- ],
- "baseConfig": "Virusshare",
- "configurationItems": [
- {
- "name": "path",
- "description": "Define the path to the stored data",
- "type": "string",
- "multi": false,
- "required": false
- }
- ],
- "dockerImage": "cortexneurons/virusshare:2"
-}
-,
-{
- "name": "WOT_Lookup",
- "version": "1.0",
- "author": "Andrea Garavaglia, LDO-CERT",
- "url": "https://github.com/garanews/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Use Web of Trust to check a domain's reputation.",
- "dataTypeList": [
- "domain",
- "fqdn"
- ],
- "baseConfig": "WOT",
- "config": {
- "service": "query"
- },
- "configurationItems": [
- {
- "name": "key",
- "description": "Define the API key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/wot_lookup:1"
-}
-,
-{
- "name": "Yara",
- "author": "Nils Kuhnert, CERT-Bund",
- "license": "AGPL-V3",
- "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
- "version": "2.0",
- "description": "Check files against YARA rules.",
- "dataTypeList": [
- "file"
- ],
- "baseConfig": "Yara",
- "configurationItems": [
- {
- "name": "rules",
- "description": "Define the path rules folder",
- "type": "string",
- "multi": true,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/yara:2"
-}
-,
-{
- "name": "Yeti",
- "author": "CERT-BDF",
- "license": "AGPL-V3",
- "url": "https://github.com/CERT/cortex-analyzers",
- "version": "1.0",
- "description": "Fetch observable details from a YETI instance.",
- "dataTypeList": [
- "domain",
- "fqdn",
- "ip",
- "url",
- "hash"
- ],
- "baseConfig": "Yeti",
- "configurationItems": [
- {
- "name": "url",
- "description": "Define the URL of the service",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "api_key",
- "description": "Define the api key of the service",
- "type": "string",
- "multi": false,
- "required": false
- }
- ],
- "dockerImage": "cortexneurons/yeti:1"
-}
-]
diff --git a/responders/catalog-devel.json b/responders/catalog-devel.json
deleted file mode 100644
index 054d1a284..000000000
--- a/responders/catalog-devel.json
+++ /dev/null
@@ -1,102 +0,0 @@
-[
-{
- "name": "Crowdstrike Falcon Custom IOC API",
- "version": "1.0",
- "author": "Michael",
- "url": "https://www.crowdstrike.com/blog/tech-center/import-iocs-crowdstrike-falcon-host-platform-via-api/",
- "license": "MIT",
- "description": "Submit observables to the Crowdstrike Falcon Custom IOC api",
- "dataTypeList": [
- "thehive:alert",
- "thehive:case_artifact"
- ],
- "baseConfig": "FalconCustomIOC",
- "configurationItems": [
- {
- "name": "falconapi_url",
- "description": "Crowdstrike Falcon host url",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "falconapi_user",
- "description": "Crowdstrike Falcon query api user",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "falconapi_key",
- "description": "Crowdstrike Falcon query api key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/crowdstrike falcon custom ioc api:devel"
-}
-,
-{
- "name": "Mailer",
- "version": "1.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Send an email with information from a TheHive case or alert",
- "dataTypeList": [
- "thehive:case",
- "thehive:alert"
- ],
- "baseConfig": "Mailer",
- "configurationItems": [
- {
- "name": "from",
- "description": "email address from which the mail is send",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "smtp_host",
- "description": "SMTP server used to send mail",
- "type": "string",
- "multi": false,
- "required": true,
- "defaultValue": "localhost"
- },
- {
- "name": "smtp_port",
- "description": "SMTP server port",
- "type": "number",
- "multi": false,
- "required": true,
- "defaultValue": 25
- }
- ],
- "dockerImage": "cortexneurons/mailer:devel"
-}
-,
-{
- "name": "Umbrella Blacklister",
- "version": "1.0",
- "author": "Kyle Parrish",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add domain to Umbrella blacklist via Enforcement API.",
- "dataTypeList": [
- "thehive:case_artifact"
- ],
- "baseConfig": "UmbrellaBlacklister",
- "configurationItems": [
- {
- "name": "integration_url",
- "description": "Custom integration url",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/umbrella blacklister:devel"
-}
-]
diff --git a/responders/catalog-stable.json b/responders/catalog-stable.json
deleted file mode 100644
index 95557fb0a..000000000
--- a/responders/catalog-stable.json
+++ /dev/null
@@ -1,102 +0,0 @@
-[
-{
- "name": "Crowdstrike Falcon Custom IOC API",
- "version": "1.0",
- "author": "Michael",
- "url": "https://www.crowdstrike.com/blog/tech-center/import-iocs-crowdstrike-falcon-host-platform-via-api/",
- "license": "MIT",
- "description": "Submit observables to the Crowdstrike Falcon Custom IOC api",
- "dataTypeList": [
- "thehive:alert",
- "thehive:case_artifact"
- ],
- "baseConfig": "FalconCustomIOC",
- "configurationItems": [
- {
- "name": "falconapi_url",
- "description": "Crowdstrike Falcon host url",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "falconapi_user",
- "description": "Crowdstrike Falcon query api user",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "falconapi_key",
- "description": "Crowdstrike Falcon query api key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/crowdstrike falcon custom ioc api:1.0"
-}
-,
-{
- "name": "Mailer",
- "version": "1.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Send an email with information from a TheHive case or alert",
- "dataTypeList": [
- "thehive:case",
- "thehive:alert"
- ],
- "baseConfig": "Mailer",
- "configurationItems": [
- {
- "name": "from",
- "description": "email address from which the mail is send",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "smtp_host",
- "description": "SMTP server used to send mail",
- "type": "string",
- "multi": false,
- "required": true,
- "defaultValue": "localhost"
- },
- {
- "name": "smtp_port",
- "description": "SMTP server port",
- "type": "number",
- "multi": false,
- "required": true,
- "defaultValue": 25
- }
- ],
- "dockerImage": "cortexneurons/mailer:1.0"
-}
-,
-{
- "name": "Umbrella Blacklister",
- "version": "1.0",
- "author": "Kyle Parrish",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add domain to Umbrella blacklist via Enforcement API.",
- "dataTypeList": [
- "thehive:case_artifact"
- ],
- "baseConfig": "UmbrellaBlacklister",
- "configurationItems": [
- {
- "name": "integration_url",
- "description": "Custom integration url",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/umbrella blacklister:1.0"
-}
-]
diff --git a/responders/catalog.json b/responders/catalog.json
deleted file mode 100644
index 2545f51dd..000000000
--- a/responders/catalog.json
+++ /dev/null
@@ -1,102 +0,0 @@
-[
-{
- "name": "Crowdstrike Falcon Custom IOC API",
- "version": "1.0",
- "author": "Michael",
- "url": "https://www.crowdstrike.com/blog/tech-center/import-iocs-crowdstrike-falcon-host-platform-via-api/",
- "license": "MIT",
- "description": "Submit observables to the Crowdstrike Falcon Custom IOC api",
- "dataTypeList": [
- "thehive:alert",
- "thehive:case_artifact"
- ],
- "baseConfig": "FalconCustomIOC",
- "configurationItems": [
- {
- "name": "falconapi_url",
- "description": "Crowdstrike Falcon host url",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "falconapi_user",
- "description": "Crowdstrike Falcon query api user",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "falconapi_key",
- "description": "Crowdstrike Falcon query api key",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/crowdstrike falcon custom ioc api:1"
-}
-,
-{
- "name": "Mailer",
- "version": "1.0",
- "author": "CERT-BDF",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Send an email with information from a TheHive case or alert",
- "dataTypeList": [
- "thehive:case",
- "thehive:alert"
- ],
- "baseConfig": "Mailer",
- "configurationItems": [
- {
- "name": "from",
- "description": "email address from which the mail is send",
- "type": "string",
- "multi": false,
- "required": true
- },
- {
- "name": "smtp_host",
- "description": "SMTP server used to send mail",
- "type": "string",
- "multi": false,
- "required": true,
- "defaultValue": "localhost"
- },
- {
- "name": "smtp_port",
- "description": "SMTP server port",
- "type": "number",
- "multi": false,
- "required": true,
- "defaultValue": 25
- }
- ],
- "dockerImage": "cortexneurons/mailer:1"
-}
-,
-{
- "name": "Umbrella Blacklister",
- "version": "1.0",
- "author": "Kyle Parrish",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add domain to Umbrella blacklist via Enforcement API.",
- "dataTypeList": [
- "thehive:case_artifact"
- ],
- "baseConfig": "UmbrellaBlacklister",
- "configurationItems": [
- {
- "name": "integration_url",
- "description": "Custom integration url",
- "type": "string",
- "multi": false,
- "required": true
- }
- ],
- "dockerImage": "cortexneurons/umbrella blacklister:1"
-}
-]