-
Notifications
You must be signed in to change notification settings - Fork 378
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
28 changed files
with
1,514 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
### Axur Ioc's analyzer | ||
|
||
The Axur IOC Analyzer is a tool for identifying and value potential threats in your data. It uses Axur's services and databases to perform analysis on a variety of data types. | ||
|
||
The Analyzer provides an efficient solution to evaluate potential threats by examining various data types including: | ||
|
||
* _domain_ | ||
* _url_ | ||
* _ip_ | ||
* _fqdn_ | ||
* _hash_ | ||
|
||
With the Axur IOC Analyzer, Axur clients have an easy way to make their data environment safer and more secure. | ||
|
||
#### Requirements | ||
You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients. | ||
|
||
- Provide your API key as values for the `api_key` header. | ||
|
||
### Return example | ||
|
||
``` | ||
{ | ||
"success": true, | ||
"summary": { | ||
"taxonomies": [ | ||
{ | ||
"level": "suspicious", | ||
"namespace": "Axur", | ||
"predicate": "IOC_FEED", | ||
"value": 2 | ||
}, | ||
{ | ||
"level": "suspicious", | ||
"namespace": "Axur", | ||
"predicate": "EXPLORE", | ||
"value": 1 | ||
}, | ||
{ | ||
"level": "suspicious", | ||
"namespace": "Axur", | ||
"predicate": "MALICIOUS_URL", | ||
"value": 1 | ||
} | ||
] | ||
}, | ||
"artifacts": [], | ||
"operations": [], | ||
"full": { | ||
"type": "URL", | ||
"value": "https://sso.ecometrica.com/accounts/login", | ||
"results": [ | ||
{ | ||
"source": "IOC_FEED", | ||
"score": 2, | ||
"hits": 2, | ||
"context": [ | ||
{ | ||
"tags": [ | ||
"phishing" | ||
], | ||
"detection": 1683945464000, | ||
"risk": "UNDEFINED", | ||
"platform": "AXUR" | ||
}, | ||
{ | ||
"tags": [], | ||
"detection": 1642009957000, | ||
"risk": "MEDIUM", | ||
"platform": "AXUR" | ||
} | ||
] | ||
}, | ||
{ | ||
"source": "EXPLORE", | ||
"score": 2, | ||
"hits": 1, | ||
"context": [ | ||
{ | ||
"content": "texto", | ||
"detection": 1687187006704, | ||
"platform": "AXUR" | ||
} | ||
] | ||
}, | ||
{ | ||
"source": "MALICIOUS_URL", | ||
"score": 2, | ||
"hits": 1, | ||
"context": [ | ||
{ | ||
"riskLevel": 0.49, | ||
"collectorName": "urlscan", | ||
"detection": 1687187006704, | ||
"ticketStatus": "open", | ||
"platform": "AXUR" | ||
} | ||
] | ||
} | ||
], | ||
"searchDate": 1687292305787 | ||
} | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
{ | ||
"name": "Axur", | ||
"author": "Axur", | ||
"version": "1.0", | ||
"license": "AGPL-V3", | ||
"url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
"description": "Search IPs, domains, hashes or URLs on axur.com", | ||
"dataTypeList": ["domain", "fqdn", "ip", "url", "hash"], | ||
"command": "Axur/axur_analyzer.py", | ||
"baseConfig": "Axur", | ||
"configurationItems": [ | ||
{ | ||
"name": "api_key", | ||
"description": "Define the API key", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
} | ||
], | ||
"registration_required": true, | ||
"subscription_required": true, | ||
"free_subscription": false, | ||
"service_homepage": "https://www.axur.com" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
#!/usr/bin/env python3 | ||
# encoding: utf-8 | ||
|
||
from cortexutils.analyzer import Analyzer | ||
from urllib.parse import quote_plus | ||
import requests | ||
|
||
|
||
class AxurAnalyzer(Analyzer): | ||
|
||
def __init__(self): | ||
Analyzer.__init__(self) | ||
self.api_key = self.get_param( | ||
'config.api_key', None, 'Missing Axur API key' | ||
) | ||
|
||
def run(self): | ||
if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']: | ||
self.error('Wrong data type') | ||
|
||
encoded_data = quote_plus(self.get_data()) | ||
url = f'https://api.axur.com/gateway/1.0/api/ioc-search/search/{self.data_type}/{encoded_data}' | ||
|
||
try: | ||
response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'}) | ||
response.raise_for_status() | ||
self.report(response.json()) | ||
except requests.HTTPError as http_err: | ||
self.error('HTTP error occurred: {}'.format(http_err)) | ||
except Exception as err: | ||
self.error('Error occurred: {}'.format(err)) | ||
|
||
def summary(self, raw): | ||
taxonomies = [] | ||
levels = ['info', 'safe', 'suspicious', 'malicious'] | ||
|
||
for data in raw['results']: | ||
level = levels[data.get('score', 0)] | ||
taxonomies.append( | ||
self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0)) | ||
) | ||
|
||
return {'taxonomies': taxonomies} | ||
|
||
|
||
if __name__ == '__main__': | ||
AxurAnalyzer().run() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
cortexutils | ||
requests |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
{ | ||
"name": "C25CortexAnalyzer_Investigate", | ||
"version": "1.0", | ||
"author": "Cluster25", | ||
"url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
"license": "AGPL-V3", | ||
"description": "Use Cluster25's CTI API to investigate an observable.", | ||
"dataTypeList": ["domain", "file", "hash", "ip", "mail", "url"], | ||
"command": "c25-cortex-analyzer/c25_cortex_analyzer.py", | ||
"baseConfig": "c25-cortex-analyzer", | ||
"config": { | ||
"check_tlp": false, | ||
"check_pap": false, | ||
"auto_extract_artifacts": true, | ||
"service": "investigate" | ||
}, | ||
"configurationItems": [ | ||
{ | ||
"name": "client_id", | ||
"description": "Cluster25 CTI API credentials", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "client_key", | ||
"description": "Cluster25 CTI API credentials", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
}, | ||
{ | ||
"name": "base_url", | ||
"description": "Cluster25 CTI API base url", | ||
"type": "string", | ||
"multi": false, | ||
"required": true | ||
} | ||
], | ||
"registration_required": true, | ||
"subscription_required": true, | ||
"free_subscription": false, | ||
"service_homepage": "https://www.duskrise.com/the-c25-intelligence/", | ||
"service_logo": {"path":"assets/cluster25_logo.png", "caption": "logo"}, | ||
"screenshots": [ | ||
{"path":"assets/short_report_sample.png", | ||
"caption":"report sample" | ||
}, | ||
{ | ||
"path": "assets/long_report_sample.png", | ||
"caption:":"report sample" | ||
}] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
FROM python:3.11 | ||
|
||
WORKDIR /worker | ||
COPY . c25_analyzer | ||
|
||
RUN pip install --no-cache-dir -r c25_analyzer/requirements.txt | ||
ENTRYPOINT c25_analyzer/c25_cortex_analyzer.py |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
# Cluster25 Cortex Analyzer | ||
|
||
Allows to query Cluster25's CTI API investigation service. | ||
Running the analyzer will return a short report with taxonomies, | ||
as well as a long report and extracted artefacts. | ||
|
||
## Requirements: | ||
* C25 API KEY | ||
* C25 CLIENT ID | ||
* C25 BASE URL | ||
|
||
Raw investigate result query example: | ||
```json | ||
{ | ||
"indicator": "211.56.98.146", | ||
"indicator_type": "ipv4", | ||
"whitelisted": false, | ||
"tags": [], | ||
"score": 70, | ||
"is_known": false, | ||
"actors": [], | ||
"related_indicators": { | ||
"by_file": [], | ||
"by_content": [] | ||
}, | ||
"related_contexts": [], | ||
"created_dt": null, | ||
"modified_dt": null, | ||
"attacker_activities": [], | ||
"targeted_sectors": [], | ||
"targeted_countries": [], | ||
"file_info": null, | ||
"cve_info": null, | ||
"asn_info": null, | ||
"btcaddress_info": null, | ||
"family_info": null, | ||
"stats": { | ||
"harmless": 61, | ||
"malicious": 5, | ||
"suspicious": 0, | ||
"undetected": 23 | ||
}, | ||
"communicating_files": [], | ||
"contacted_ips": [], | ||
"contacted_domains": [], | ||
"contacted_urls": [], | ||
"dropped_files": [], | ||
"passive_dns": { | ||
"resolutions": [ | ||
{ | ||
"record_name": "c3kr.simonxu.cc", | ||
"record_value": "211.56.98.146", | ||
"record_type": "A", | ||
"first_seen": "2021-03-26T14:16:15", | ||
"last_seen": "2021-03-26T14:16:55", | ||
"country_name": "South Korea", | ||
"$$hashKey": "object:64" | ||
}, | ||
{ | ||
"record_name": "counter.yadro.ru", | ||
"record_value": "211.56.98.146", | ||
"record_type": "A", | ||
"first_seen": "2018-10-19T22:00:00", | ||
"last_seen": "2018-10-19T22:00:00", | ||
"country_name": "South Korea", | ||
"$$hashKey": "object:65" | ||
} | ||
] | ||
}, | ||
"whois": { | ||
"ip": null, | ||
"created_date": null, | ||
"updated_date": "hostmaster@nic.or.kr", | ||
"expires_date": null, | ||
"registrant": { | ||
"name": "IP Manager", | ||
"organization": "Korea Telecom", | ||
"street1": "Gyeonggi-do Bundang-gu, Seongnam-si Buljeong-ro 90", | ||
"street2": null, | ||
"city": null, | ||
"state": null, | ||
"country": null, | ||
"country_code": null, | ||
"postal_code": "13606", | ||
"raw_text": null, | ||
"unparsable": null | ||
}, | ||
"registrar_name": null, | ||
"name_servers_hostnames": null, | ||
"name_servers_ips": null, | ||
"email_provider": null, | ||
"email_registrant": null, | ||
"status": null | ||
}, | ||
"guessed_types": [], | ||
"intelligence": null, | ||
"first_seen": null, | ||
"last_seen": null, | ||
"dns_resolutions": null | ||
} | ||
``` |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.