Feature/domain tools more flavors (#321)

* Add HostingHistory and ReverseIPWhois flavors
Split Whois flavor in parsed and unparsed, and group IP and domain
Add support for Reverse-Whois scope parameter

* Remove flavor WhoisLookupIP

* Update taxonomies and TheHive templates

* Add taxonomies for new flavors

analyzers/DomainTools/DomainTools_HostingHistory.json

@@ -0,0 +1,30 @@
+{
+  "name": "DomainTools_HostingHistory",
+  "version": "2.0",
+  "author": "CERT-BDF",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.",
+  "dataTypeList": ["domain"],
+  "command": "DomainTools/domaintools_analyzer.py",
+  "baseConfig": "DomainTools",
+  "config": {
+      "service": "hosting-history"
+  },
+  "configurationItems": [
+    {
+      "name": "username",
+      "description": "DomainTools API credentials",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "DomainTools API credentials",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

analyzers/DomainTools/DomainTools_Reputation.json

@@ -1,17 +1,17 @@
 {
-    "name": "DomainTools_Reputation",
-    "version": "2.0",
-    "author": "CERT-BDF",
-    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-    "license": "AGPL-V3",
-    "description": "Use DomainTools to get a reputation score on a domain or fqdn",
-    "dataTypeList": ["domain","fqdn"],
-    "command": "DomainTools/domaintools_analyzer.py",
-    "baseConfig": "DomainTools",
-    "config": {
-        "service": "reputation"
-    },
-    "configurationItems": [
+  "name": "DomainTools_Reputation",
+  "version": "2.0",
+  "author": "CERT-BDF",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use DomainTools to get a reputation score on a domain or fqdn",
+  "dataTypeList": ["domain","fqdn"],
+  "command": "DomainTools/domaintools_analyzer.py",
+  "baseConfig": "DomainTools",
+  "config": {
+      "service": "reputation"
+  },
+  "configurationItems": [
     {
       "name": "username",
       "description": "DomainTools API credentials",

analyzers/DomainTools/DomainTools_ReverseIP.json

@@ -1,17 +1,17 @@
 {
-    "name": "DomainTools_ReverseIP",
-    "version": "2.0",
-    "author": "CERT-BDF",
-    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-    "license": "AGPL-V3",
-    "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
-    "dataTypeList": ["ip", "domain","fqdn"],
-    "command": "DomainTools/domaintools_analyzer.py",
-    "baseConfig": "DomainTools",
-    "config": {
-        "service": "reverse-ip"
-    },
-    "configurationItems": [
+  "name": "DomainTools_ReverseIP",
+  "version": "2.0",
+  "author": "CERT-BDF",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
+  "dataTypeList": ["ip", "domain","fqdn"],
+  "command": "DomainTools/domaintools_analyzer.py",
+  "baseConfig": "DomainTools",
+  "config": {
+      "service": "reverse-ip"
+  },
+  "configurationItems": [
     {
       "name": "username",
       "description": "DomainTools API credentials",

analyzers/DomainTools/DomainTools_ReverseIPWhois.json

@@ -0,0 +1,30 @@
+{
+  "name": "DomainTools_ReverseIPWhois",
+  "version": "2.0",
+  "author": "CERT-BDF",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use DomainTools to get a list of IP addresses which share the same registrant information.",
+  "dataTypeList": ["mail", "ip", "domain", "other"],
+  "command": "DomainTools/domaintools_analyzer.py",
+  "baseConfig": "DomainTools",
+  "config": {
+      "service": "reverse-ip-whois"
+  },
+  "configurationItems": [
+    {
+      "name": "username",
+      "description": "DomainTools API credentials",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "DomainTools API credentials",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

analyzers/DomainTools/DomainTools_Risk.json

@@ -1,17 +1,17 @@
 {
-    "name": "DomainTools_Risk",
-    "version": "2.0",
-    "author": "CERT-BDF",
-    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-    "license": "AGPL-V3",
-    "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn",
-    "dataTypeList": ["domain","fqdn"],
-    "command": "DomainTools/domaintools_analyzer.py",
-    "baseConfig": "DomainTools",
-    "config": {
-        "service": "risk_evidence"
-    },
-    "configurationItems": [
+  "name": "DomainTools_Risk",
+  "version": "2.0",
+  "author": "CERT-BDF",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn",
+  "dataTypeList": ["domain","fqdn"],
+  "command": "DomainTools/domaintools_analyzer.py",
+  "baseConfig": "DomainTools",
+  "config": {
+      "service": "risk_evidence"
+  },
+  "configurationItems": [
     {
       "name": "username",
       "description": "DomainTools API credentials",

analyzers/DomainTools/DomainTools_WhoisLookup.json

@@ -4,8 +4,8 @@
   "author": "CERT-BDF",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
-  "description": "Use DomainTools to get the ownership record for a domain with basic registration details.",
-  "dataTypeList": ["domain"],
+  "description": "Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.",
+  "dataTypeList": ["domain", "ip"],
   "command": "DomainTools/domaintools_analyzer.py",
   "baseConfig": "DomainTools",
   "config": {

analyzers/DomainTools/DomainTools_WhoisLookupIP.json → analyzers/DomainTools/DomainTools_WhoisLookupUnparsed.json

@@ -1,11 +1,11 @@
 {
-  "name": "DomainTools_WhoisLookup_IP",
+  "name": "DomainTools_WhoisLookupUnparsed",
   "version": "2.0",
   "author": "CERT-BDF",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
-  "description": "Use DomainTools to get the ownership record for an IP address with basic registration details.",
-  "dataTypeList": ["ip"],
+  "description": "Use DomainTools to get the ownership record for an IP address or a domain without parsing.",
+  "dataTypeList": ["ip", "domain"],
   "command": "DomainTools/domaintools_analyzer.py",
   "baseConfig": "DomainTools",
   "config": {

analyzers/DomainTools/domaintools_analyzer.py

@@ -42,30 +42,38 @@ def domaintools(self, data):
         elif self.service == 'whois/history' and self.data_type == 'domain':
             response = api.whois_history(data).response()
 
-        elif self.service == 'whois/parsed' and self.data_type == 'domain':
+        elif self.service == 'whois/parsed' and self.data_type in ['domain','ip']:
             response = api.parsed_whois(data).response()
 
+        elif self.service == 'hosting-history' and self.data_type == 'domain':
+            response = api.hosting_history(data).response()
+
         elif self.service == 'risk_evidence' and self.data_type in ['domain', 'fqdn']:
             response = api.risk_evidence(data).response()
 
         elif self.service == 'reputation' and self.data_type in ['domain', 'fqdn']:
             response = api.reputation(data, include_reasons=True).response()
 
         elif self.service == 'reverse-whois':
-            response = api.reverse_whois(data, mode='purchase').response()
+            scope = self.getParam('parameters.scope', 'current', None)
+            response = api.reverse_whois(data, mode='purchase', scope=scope).response()
 
-        elif self.service == 'whois' and self.data_type == 'ip':
+        elif self.service == 'reverse-ip-whois':
+            response = api.reverse_ip_whois(data).response()
+
+        elif self.service == 'whois' and self.data_type in ['domain', 'ip']:
             response = api.whois(data).response()
 
         return response
 
 
     def summary(self, raw):
+
         r = {
             "service": self.service,
             "dataType": self.data_type
         }
-
+        
         if "ip_addresses" in raw:
             if type(raw["ip_addresses"]) == dict:
                 r["ip"] = {
@@ -87,14 +95,23 @@ def summary(self, raw):
                 "historic": raw["domain_count"]["historic"]
             }
 
+        if "registrar_history" in raw:
+            r["registrar_history"] = len(raw["registrar_history"])
+        if "ip_history" in raw:
+            r["ip_history"] = len(raw["ip_history"])
+        if "nameserver_history" in raw:
+            r["ns_history"] = len(raw["nameserver_history"])
+
+        if "record_count" in raw:
+            r["record_count"] = raw["record_count"]
+
         if "registrant" in raw:
             r["registrant"] = raw["registrant"]
         elif "response" in raw and "registrant" in raw["response"]:
             r["registrant"] = raw["response"]["registrant"]
 
         if "parsed_whois" in raw:
             r["registrar"] = raw["parsed_whois"]["registrar"]["name"]
-            #
 
         if "name_server" in raw:
             r["name_server"] = raw["name_server"]["hostname"]
@@ -123,6 +140,16 @@ def summary(self, raw):
                                                                                          r["domain_count"][
                                                                                              "historic"])))
 
+        if r["service"] == "reverse-ip-whois":
+            taxonomies.append(self.build_taxonomy("info", "DT", "Reverse_IP_Whois",
+                                                  "records:{}".format(r["record_count"])))
+
+        if r["service"] == "hosting-history":
+            taxonomies.append(self.build_taxonomy("info", "DT", "Hosting_History",
+                                                  "registrars:{} / ips:{} / ns:{}".format(r["registrar_history"],
+                                                                                              r["ip_history"],
+                                                                                                  r["ns_history"])))
+
         if r["service"] == "whois/history":
             taxonomies.append(self.build_taxonomy("info", "DT", "Whois_History",
                                                   "{} {}".format(r["record_count"], "records" if r["record_count"] > 1 else "record")))

thehive-templates/DomainTools_HostingHistory_2_0/long.html

@@ -0,0 +1,83 @@
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
+
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <p>
+            Registrar History
+        </p>
+        <table class="table">
+            <thead>
+                <tr>
+                    <th>domain</th>
+                    <th>registrar</th>
+                    <th>date_created</th>
+                    <th>date_updated</th>
+                    <th>date_expires</th>
+                </tr>
+            </thead>
+            <tbody ng-repeat="row in content.registrar_history">
+                <td>{{row.domain}}</td>
+                <td>{{row.registrar}}</td>
+                <td>{{row.date_created | shortDate}}</td>
+                <td>{{row.date_updated | shortDate}}</td>
+                <td>{{row.date_expires | shortDate}}</td>
+            </tbody>
+        </table>
+    </div>
+    <div class="panel-body">
+        <p>
+            IP History
+        </p>
+        <table class="table">
+            <thead>
+                <tr>
+                    <th>domain</th>
+                    <th>actiondate</th>
+                    <th>action</th>
+                    <th>pre_ip</th>
+                    <th>post_ip</th>
+                </tr>
+            </thead>
+            <tbody ng-repeat="row in content.ip_history">
+                <td>{{row.domain}}</td>
+                <td>{{row.actiondate | shortDate}}</td>
+                <td>{{row.action_in_words}}</td>
+                <td>{{row.pre_ip}}</td>
+                <td>{{row.post_ip}}</td>
+            </tbody>
+        </table>
+    </div>
+    <div class="panel-body">
+        <p>
+            IP History
+        </p>
+        <table class="table">
+            <thead>
+                <tr>
+                    <th>domain</th>
+                    <th>actiondate</th>
+                    <th>action</th>
+                    <th>pre_mns</th>
+                    <th>post_mns</th>
+                </tr>
+            </thead>
+            <tbody ng-repeat="row in content.nameserver_history">
+                <td>{{row.domain}}</td>
+                <td>{{row.actiondate | shortDate}}</td>
+                <td>{{row.action_in_words}}</td>
+                <td>{{row.pre_mns}}</td>
+                <td>{{row.post_mns}}</td>
+            </tbody>
+        </table>
+    </div>
+</div>

thehive-templates/DomainTools_ReverseIPWhois_2_0/long.html

@@ -0,0 +1,40 @@
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>-
+    <div class="panel-body">
+        <dl class="dl-horizontal">
+            <dt>Number of records</dt>
+            <dd>{{content.record_count}}</dd>
+        </dl>
+    </div>
+    <div class="panel-body">
+        <table class="table">
+            <thead>
+                <tr>
+                    <th>range</th>
+                    <th>organization</th>
+                    <th>country</th>
+                    <th>server</th>
+                    <th>record_date</th>
+                </tr>
+            </thead>
+            <tbody ng-repeat="row in content.records">
+                <td>{{row.range}}</td>
+                <td>{{row.organization}}</td>
+                <td>{{row.country}}</td>
+                <td>{{row.server}}</td>
+                <td>{{row.record_date | shortDate}}</td>
+            </tbody>
+        </table>
+    </div>
+</div>
+
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>

thehive-templates/DomainTools_ReverseIPWhois_2_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>

thehive-templates/DomainTools_WhoisLookupUnparsed_2_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>