Skip to content

Commit

Permalink
Merge branch 'release/3.4.2'
Browse files Browse the repository at this point in the history
  • Loading branch information
nusantara-self committed Dec 26, 2024
2 parents d7a0609 + 844984c commit 974b359
Show file tree
Hide file tree
Showing 28 changed files with 1,514 additions and 16 deletions.
21 changes: 21 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,26 @@
# Changelog

## [3.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2024-12-24)

[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.1...3.4.2)

**Closed issues:**

- \[FR\] CrowdStrike Falcon - Implement TheHive custom user-agent [\#1306](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1306)
- \[FR\] Analyzer for observable validation [\#1305](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1305)
- \[FR\] New Analyzer: Axur Ioc's \(WIP\) [\#1190](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1190)

## [3.4.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.1) (2024-12-17)

[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.0...3.4.1)

**Merged pull requests:**

- Capa Analyzer - auto-download latest capa binary [\#1301](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1301) ([nusantara-self](https://github.com/nusantara-self))
- Domaintools dependency issues [\#1300](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1300) ([nusantara-self](https://github.com/nusantara-self))
- Fix anyrun\_analyzer.py for submit file [\#1299](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1299) ([winl0gon](https://github.com/winl0gon))
- add proxies to phishtank\_checkurl.py [\#1298](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1298) ([Labuiga](https://github.com/Labuiga))

## [3.4.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.0) (2024-12-09)

[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.3.8...3.4.0)
Expand Down
104 changes: 104 additions & 0 deletions analyzers/Axur/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
### Axur Ioc's analyzer

The Axur IOC Analyzer is a tool for identifying and value potential threats in your data. It uses Axur's services and databases to perform analysis on a variety of data types.

The Analyzer provides an efficient solution to evaluate potential threats by examining various data types including:

* _domain_
* _url_
* _ip_
* _fqdn_
* _hash_

With the Axur IOC Analyzer, Axur clients have an easy way to make their data environment safer and more secure.

#### Requirements
You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients.

- Provide your API key as values for the `api_key` header.

### Return example

```
{
"success": true,
"summary": {
"taxonomies": [
{
"level": "suspicious",
"namespace": "Axur",
"predicate": "IOC_FEED",
"value": 2
},
{
"level": "suspicious",
"namespace": "Axur",
"predicate": "EXPLORE",
"value": 1
},
{
"level": "suspicious",
"namespace": "Axur",
"predicate": "MALICIOUS_URL",
"value": 1
}
]
},
"artifacts": [],
"operations": [],
"full": {
"type": "URL",
"value": "https://sso.ecometrica.com/accounts/login",
"results": [
{
"source": "IOC_FEED",
"score": 2,
"hits": 2,
"context": [
{
"tags": [
"phishing"
],
"detection": 1683945464000,
"risk": "UNDEFINED",
"platform": "AXUR"
},
{
"tags": [],
"detection": 1642009957000,
"risk": "MEDIUM",
"platform": "AXUR"
}
]
},
{
"source": "EXPLORE",
"score": 2,
"hits": 1,
"context": [
{
"content": "texto",
"detection": 1687187006704,
"platform": "AXUR"
}
]
},
{
"source": "MALICIOUS_URL",
"score": 2,
"hits": 1,
"context": [
{
"riskLevel": 0.49,
"collectorName": "urlscan",
"detection": 1687187006704,
"ticketStatus": "open",
"platform": "AXUR"
}
]
}
],
"searchDate": 1687292305787
}
}
```
24 changes: 24 additions & 0 deletions analyzers/Axur/axur_analyzer.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"name": "Axur",
"author": "Axur",
"version": "1.0",
"license": "AGPL-V3",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"description": "Search IPs, domains, hashes or URLs on axur.com",
"dataTypeList": ["domain", "fqdn", "ip", "url", "hash"],
"command": "Axur/axur_analyzer.py",
"baseConfig": "Axur",
"configurationItems": [
{
"name": "api_key",
"description": "Define the API key",
"type": "string",
"multi": false,
"required": true
}
],
"registration_required": true,
"subscription_required": true,
"free_subscription": false,
"service_homepage": "https://www.axur.com"
}
47 changes: 47 additions & 0 deletions analyzers/Axur/axur_analyzer.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
#!/usr/bin/env python3
# encoding: utf-8

from cortexutils.analyzer import Analyzer
from urllib.parse import quote_plus
import requests


class AxurAnalyzer(Analyzer):

def __init__(self):
Analyzer.__init__(self)
self.api_key = self.get_param(
'config.api_key', None, 'Missing Axur API key'
)

def run(self):
if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']:
self.error('Wrong data type')

encoded_data = quote_plus(self.get_data())
url = f'https://api.axur.com/gateway/1.0/api/ioc-search/search/{self.data_type}/{encoded_data}'

try:
response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})
response.raise_for_status()
self.report(response.json())
except requests.HTTPError as http_err:
self.error('HTTP error occurred: {}'.format(http_err))
except Exception as err:
self.error('Error occurred: {}'.format(err))

def summary(self, raw):
taxonomies = []
levels = ['info', 'safe', 'suspicious', 'malicious']

for data in raw['results']:
level = levels[data.get('score', 0)]
taxonomies.append(
self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0))
)

return {'taxonomies': taxonomies}


if __name__ == '__main__':
AxurAnalyzer().run()
2 changes: 2 additions & 0 deletions analyzers/Axur/requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
cortexutils
requests
53 changes: 53 additions & 0 deletions analyzers/Cluster25/C25CortexAnalyzer_investigate.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
{
"name": "C25CortexAnalyzer_Investigate",
"version": "1.0",
"author": "Cluster25",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Use Cluster25's CTI API to investigate an observable.",
"dataTypeList": ["domain", "file", "hash", "ip", "mail", "url"],
"command": "c25-cortex-analyzer/c25_cortex_analyzer.py",
"baseConfig": "c25-cortex-analyzer",
"config": {
"check_tlp": false,
"check_pap": false,
"auto_extract_artifacts": true,
"service": "investigate"
},
"configurationItems": [
{
"name": "client_id",
"description": "Cluster25 CTI API credentials",
"type": "string",
"multi": false,
"required": true
},
{
"name": "client_key",
"description": "Cluster25 CTI API credentials",
"type": "string",
"multi": false,
"required": true
},
{
"name": "base_url",
"description": "Cluster25 CTI API base url",
"type": "string",
"multi": false,
"required": true
}
],
"registration_required": true,
"subscription_required": true,
"free_subscription": false,
"service_homepage": "https://www.duskrise.com/the-c25-intelligence/",
"service_logo": {"path":"assets/cluster25_logo.png", "caption": "logo"},
"screenshots": [
{"path":"assets/short_report_sample.png",
"caption":"report sample"
},
{
"path": "assets/long_report_sample.png",
"caption:":"report sample"
}]
}
7 changes: 7 additions & 0 deletions analyzers/Cluster25/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
FROM python:3.11

WORKDIR /worker
COPY . c25_analyzer

RUN pip install --no-cache-dir -r c25_analyzer/requirements.txt
ENTRYPOINT c25_analyzer/c25_cortex_analyzer.py
101 changes: 101 additions & 0 deletions analyzers/Cluster25/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
# Cluster25 Cortex Analyzer

Allows to query Cluster25's CTI API investigation service.
Running the analyzer will return a short report with taxonomies,
as well as a long report and extracted artefacts.

## Requirements:
* C25 API KEY
* C25 CLIENT ID
* C25 BASE URL

Raw investigate result query example:
```json
{
"indicator": "211.56.98.146",
"indicator_type": "ipv4",
"whitelisted": false,
"tags": [],
"score": 70,
"is_known": false,
"actors": [],
"related_indicators": {
"by_file": [],
"by_content": []
},
"related_contexts": [],
"created_dt": null,
"modified_dt": null,
"attacker_activities": [],
"targeted_sectors": [],
"targeted_countries": [],
"file_info": null,
"cve_info": null,
"asn_info": null,
"btcaddress_info": null,
"family_info": null,
"stats": {
"harmless": 61,
"malicious": 5,
"suspicious": 0,
"undetected": 23
},
"communicating_files": [],
"contacted_ips": [],
"contacted_domains": [],
"contacted_urls": [],
"dropped_files": [],
"passive_dns": {
"resolutions": [
{
"record_name": "c3kr.simonxu.cc",
"record_value": "211.56.98.146",
"record_type": "A",
"first_seen": "2021-03-26T14:16:15",
"last_seen": "2021-03-26T14:16:55",
"country_name": "South Korea",
"$$hashKey": "object:64"
},
{
"record_name": "counter.yadro.ru",
"record_value": "211.56.98.146",
"record_type": "A",
"first_seen": "2018-10-19T22:00:00",
"last_seen": "2018-10-19T22:00:00",
"country_name": "South Korea",
"$$hashKey": "object:65"
}
]
},
"whois": {
"ip": null,
"created_date": null,
"updated_date": "hostmaster@nic.or.kr",
"expires_date": null,
"registrant": {
"name": "IP Manager",
"organization": "Korea Telecom",
"street1": "Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90",
"street2": null,
"city": null,
"state": null,
"country": null,
"country_code": null,
"postal_code": "13606",
"raw_text": null,
"unparsable": null
},
"registrar_name": null,
"name_servers_hostnames": null,
"name_servers_ips": null,
"email_provider": null,
"email_registrant": null,
"status": null
},
"guessed_types": [],
"intelligence": null,
"first_seen": null,
"last_seen": null,
"dns_resolutions": null
}
```
Binary file added analyzers/Cluster25/assets/cluster25_logo.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit 974b359

Please sign in to comment.