TheHive-Project · jeromeleonard · Jan 26, 2022 · Dec 15, 2021
diff --git a/analyzers/SEKOIAIntelligenceCenter/IntelligenceCenter_observables.json b/analyzers/SEKOIAIntelligenceCenter/IntelligenceCenter_observables.json
@@ -0,0 +1,50 @@
+{
+    "name": "SEKOIAIntelligenceCenter_Observables",
+    "version": "1.0",
+    "author": "SEKOIA",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Query the Intelligence Center to retrieve known observables",
+    "dataTypeList": [
+        "domain",
+        "fqdn",
+        "url",
+        "hash",
+        "ip"
+    ],
+    "command": "SEKOIAIntelligenceCenter/sekoia_intelligence_center_analyzer.py",
+    "baseConfig": "SEKOIAIntelligenceCenter",
+    "config": {
+        "service": "observables"
+    },
+    "configurationItems": [
+        {
+            "name": "api_key",
+            "description": "Intelligence center API key",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "url",
+            "description": "Intelligence center URL",
+            "type": "string",
+            "multi": false,
+            "required": false
+        }
+    ],
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://sekoia.io/",
+    "service_logo": {
+        "path": "assets/sekoia_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [
+        {
+            "path": "assets/SEKOIAIntelligenceCenter_Context_long.png",
+            "caption": "SEKOIAIntelligenceCenter_Context long report sample"
+        }
+    ]
+}
diff --git a/analyzers/SEKOIAIntelligenceCenter/README.md b/analyzers/SEKOIAIntelligenceCenter/README.md
@@ -1,10 +1,11 @@
  Get more context around domain names, IP adresses, urls and file hashes using the
  [SEKOIA.IO](https://sekoia.io) Intelligence Database.
 
- The analyzer comes in 2 flavors:
+ The analyzer comes in 3 flavors:
 
  - SEKOIAIntelligenceCenter_**Indicators**: Find indicators matching the observable provided.
  - SEKOIAIntelligenceCenter_**Context**: Get indicators and their context for the observable provided.
+ - SEKOIAIntelligenceCenter_**Observables**: Query the Intelligence Center to retrieve known observables.
 
 #### Requirements
  You need an active [SEKOIA.IO Intelligence Center](https://sekoia.io/) subscription to use the analyzer:

diff --git a/...s/SEKOIAIntelligenceCenter/assets/SEKOIAIntelligenceCenter_Observables_long.png b/...s/SEKOIAIntelligenceCenter/assets/SEKOIAIntelligenceCenter_Observables_long.png
diff --git a/analyzers/SEKOIAIntelligenceCenter/sekoia_intelligence_center_analyzer.py b/analyzers/SEKOIAIntelligenceCenter/sekoia_intelligence_center_analyzer.py
@@ -21,6 +21,8 @@ class IntelligenceCenterAnalyzer(Analyzer):
 
     @property
     def url(self):
+        if self.service == "observables":
+            return "{}/api/v2/inthreat/observables/search?with_indicated_threats=1".format(self.base_url)
         path = ""
         if self.service == "context":
             path = "/context"
@@ -36,20 +38,30 @@ def __init__(self):
             self.base_url = self.DEFAULT_URL
 
     def run(self):
-        ic_type = self.get_ic_type()
-        value = self.get_data()
-        results = self.perform_request({"type": ic_type, "value": value})
+        payload = self.get_payload()
+        results = self.perform_request(payload)
         self.report({"results": results})
 
     def summary(self, raw):
         count = len(raw.get("results", []))
         value = "{} result{}".format(count, "s" if count > 1 else "")
+
+        taxonomies = []
         if count == 0:
-            level = "safe"
+            taxonomies.append(self.build_taxonomy("safe", "SEKOIA", self.service, value))
+        elif self.service == "observables":
+            has_threats = any(res.get("x_ic_indicated_threats") for res in raw["results"])
+            if has_threats:
+                taxonomies.append(self.build_taxonomy("malicious", "SEKOIA", self.service, value))
         else:
-            level = "malicious"
+            taxonomies.append(self.build_taxonomy("malicious", "SEKOIA", self.service, value))
+
+        return {"taxonomies": taxonomies}
 
-        return {"taxonomies": [self.build_taxonomy(level, "SEKOIA", self.service, value)]}
+    def get_payload(self):
+        if self.service == "observables":
+            return {"term": self.get_data()}
+        return {"type": self.get_ic_type(), "value": self.get_data()}
 
     def get_ic_type(self):
         if self.data_type not in self.TYPES_MAPPING.keys():
@@ -70,11 +82,8 @@ def perform_request(self, payload):
 
         The main error codes are handled here
         """
-        headers = {"Authorization": "Bearer {}".format(self.api_key)}
         try:
-            response = requests.get(self.url, params=payload, headers=headers)
-            response.raise_for_status()
-            return response.json()["items"]
+            return self._send_request(payload)
         except HTTPError as ex:
             if ex.response.status_code == 401:
                 self.error("Unauthorized to query the API. Is the API key valid ?")
@@ -86,6 +95,15 @@ def perform_request(self, payload):
                 self.error("Quota exhausted.")
             self.error("API returned with the error code {}".format(str(ex.response.status_code)))
 
+    def _send_request(self, payload):
+        headers = {"Authorization": "Bearer {}".format(self.api_key)}
+        if self.service == "observables":
+            response = requests.post(self.url, json=payload, headers=headers)
+        else: 
+            response = requests.get(self.url, params=payload, headers=headers)
+        response.raise_for_status()
+        return response.json()["items"]
+
 
 if __name__ == "__main__":
     IntelligenceCenterAnalyzer().run()
diff --git a/thehive-templates/SEKOIAIntelligenceCenter_Observables_1_0/long.html b/thehive-templates/SEKOIAIntelligenceCenter_Observables_1_0/long.html
@@ -0,0 +1,75 @@
+<div class="sekoia-report" ng-if="success">
+    <div ng-if="content.results.length === 0">
+        No results found
+    </div>
+    <h2 ng-if="content.results.length > 0">{{content.results.length}} Observable(s)</h2>
+    <div class="panel panel-info" ng-if="content.results.length > 0" ng-repeat="observable in content.results track by 'id'">
+        <div class="panel-heading">
+            <strong>{{observable.x_inthreat_short_display | fang}}</strong>
+        </div>
+        <div class="panel-body">
+            <div>
+                <dl class="dl-horizontal" ng-if="observable.value">
+                    <dt>Value</dt>
+                    <dd class="wrap">{{observable.value | fang}}</dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.hashes['MD5']">
+                    <dt>MD5</dt>
+                    <dd class="wrap">{{observable.hashes.MD5}}</dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.hashes['SHA-1']">
+                    <dt>SHA-1</dt>
+                    <dd class="wrap">{{observable.hashes['SHA-1']}}</dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.hashes['SHA-256']">
+                    <dt>SHA-256</dt>
+                    <dd class="wrap">{{observable.hashes['SHA-256']}}</dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.hashes['SHA-512']">
+                    <dt>SHA-512</dt>
+                    <dd class="wrap">{{observable.hashes['SHA-512']}}</dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.hashes['SSDEEP']">
+                    <dt>SSDEEP</dt>
+                    <dd class="wrap">{{observable.hashes['SSDEEP']}}</dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.x_inthreat_tags">
+                    <dt>Tags</dt>
+                    <dd>
+                        <div ng-if="observable.x_inthreat_tags.length === 0">No tags defined</div>
+                        <div ng-if="observable.x_inthreat_tags.length > 0">
+                            <span class="label label-info" style="margin: 2px;" ng-repeat="tag in observable.x_inthreat_tags">{{tag.name}}</span> 
+                        </div>
+                    </dd>
+                </dl>
+                <dl class="dl-horizontal" ng-if="observable.x_ic_indicated_threats && observable.x_ic_indicated_threats.length > 0">
+                    <dt>Threats</dt>
+                    <dd>
+                        <span class="label label-danger" style="margin: 2px;" ng-repeat="threat in observable.x_ic_indicated_threats">{{threat.name}}</span> 
+                    </dd>
+                </dl>
+                <dl class="dl-horizontal">
+                    <dt>Created</dt>
+                    <dd class="wrap">{{observable.created}}</dd>
+                </dl>
+                <dl class="dl-horizontal">
+                    <dt>Modified</dt>
+                    <dd class="wrap">{{observable.modified}}</dd>
+                </dl>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt><i class="fa fa-warning"></i> SEKOIA: </dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>
diff --git a/thehive-templates/SEKOIAIntelligenceCenter_Observables_1_0/short.html b/thehive-templates/SEKOIAIntelligenceCenter_Observables_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>