Merge pull request #959 from vmray/develop

Updated VMRay Analyzer

analyzers/VMRay/VMRay.json

@@ -3,8 +3,8 @@
   "license": "AGPL-V3",
   "author": "Nils Kuhnert, CERT-Bund",
   "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-  "version": "3.1",
-  "description": "VMRay Sandbox file analysis.",
+  "version": "4.1",
+  "description": "VMRay Sandbox file and URL analysis.",
   "dataTypeList": [
     "hash",
     "file",
@@ -42,6 +42,14 @@
       "multi": false,
       "required": false
     },
+    {
+      "name": "verdict_only",
+      "description": "If set to true, only the verdict (or the score for VMRay versions < 4.0) will be added as labels.",
+      "type": "boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
     {
       "name": "query_retry_wait",
       "description": "The amount of seconds to wait before trying to fetch the results.",

analyzers/VMRay/vmray.py

@@ -13,6 +13,7 @@ class VMRayAnalyzer(Analyzer):
     _namespace = "VMRay"
 
     _severity_mapping = {
+        "clean": "safe",
         "whitelisted": "safe",
         "suspicious": "suspicious",
         "malicious": "malicious",
@@ -33,6 +34,7 @@ class VMRayAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
         self.reanalyze = self.get_param("config.reanalyze", True)
+        self.verdict_only = self.get_param("config.verdict_only", False)
         self.shareable = self.get_param("config.shareable", False)
         self.tags = self.get_param("config.tags", ["TheHive"])
         self.user_config = {
@@ -168,42 +170,56 @@ def run(self):
     def _taxonomies_for_samples(self, samples):
         taxonomies = []
         for sample in samples:
-            level = self._severity_mapping.get(sample["sample_severity"], "info")
-            value = "{}".format(sample["sample_score"])
+            has_verdict = "sample_verdict" in sample
+            level = (
+                self._severity_mapping.get(sample["sample_verdict"], "info")
+                if has_verdict
+                else self._severity_mapping.get(sample["sample_severity"], "info")
+            )
+            value = "{}".format(
+                sample["sample_verdict"] if has_verdict else sample["sample_score"]
+            )
             if len(samples) > 1:
                 value += " (from sample {})".format(sample["sample_id"])
             taxonomies.append(
-                self.build_taxonomy(level, self._namespace, "Score", value)
+                self.build_taxonomy(level, self._namespace, "Verdict", value)
+                if has_verdict
+                else self.build_taxonomy(level, self._namespace, "Score", value)
             )
 
-            for threat_indicator in sample.get("sample_threat_indicators", {}).get(
-                "threat_indicators", []
-            ):
-                predicate = threat_indicator.get("category", None)
-                value = threat_indicator.get("operation", "")
-                if predicate:
-                    taxonomies.append(
-                        self.build_taxonomy(level, self._namespace, predicate, value)
-                    )
+            if not self.verdict_only:
+                for threat_indicator in sample.get("sample_threat_indicators", {}).get(
+                    "threat_indicators", []
+                ):
+                    predicate = threat_indicator.get("category", None)
+                    value = threat_indicator.get("operation", "")
+                    if predicate:
+                        taxonomies.append(
+                            self.build_taxonomy(
+                                level, self._namespace, predicate, value
+                            )
+                        )
 
-            for mitre_technique in sample.get("sample_mitre_attack", {}).get(
-                "mitre_attack_techniques", []
-            ):
-                predicate = mitre_technique.get("technique_id", None)
-                value = mitre_technique.get("technique", "Unknown MITRE technique")
-                if "tactics" in mitre_technique:
-                    value += " using tactics: {}".format(
-                        ", ".join(mitre_technique["tactics"])
-                    )
-                if predicate:
-                    taxonomies.append(
-                        self.build_taxonomy(level, self._namespace, predicate, value)
-                    )
+                for mitre_technique in sample.get("sample_mitre_attack", {}).get(
+                    "mitre_attack_techniques", []
+                ):
+                    predicate = mitre_technique.get("technique_id", None)
+                    value = mitre_technique.get("technique", "Unknown MITRE technique")
+                    if "tactics" in mitre_technique:
+                        value += " using tactics: {}".format(
+                            ", ".join(mitre_technique["tactics"])
+                        )
+                    if predicate:
+                        taxonomies.append(
+                            self.build_taxonomy(
+                                level, self._namespace, predicate, value
+                            )
+                        )
 
-            # add child sample taxonomies if they have been added
-            taxonomies.extend(
-                self._taxonomies_for_samples(sample.get("sample_child_samples", []))
-            )
+                # add child sample taxonomies if they have been added
+                taxonomies.extend(
+                    self._taxonomies_for_samples(sample.get("sample_child_samples", []))
+                )
         return taxonomies
 
     def _sandbox_reports_for_samples(self, samples):

thehive-templates/VMRay_3_1/long.html → thehive-templates/VMRay_4_1/long.html

@@ -3,26 +3,29 @@
         VMRay Report
     </div>
     <div class="panel-body" ng-repeat="sample in content.samples">
-        <dl class="dl-horizontal">
-            <dt>Score</dt>
-            <dd><a href="{{sample.sample_webif_url}}">{{sample.sample_score}}</a></dd>
-        </dl>
-        <dl class="dl-horizontal">
-            <dt ng-if="sample.sample_severity">Severity</dt>
+        <dl class="dl-horizontal" ng-if="sample.sample_verdict">
+            <dt>Verdict</dt>
             <dd>
-                <span class="label" ng-class="{'label-success':sample.sample_severity === 'not_suspicious',
-					'label-danger': sample.sample_severity==='malicious',
-					'label-info': sample.sample_severity!='not_suspicious' && sample.sample_severity!='malicious'}">
-                    {{sample.sample_severity}}
+                <span class="label"
+                    ng-class="{'label-success':sample.sample_verdict === 'clean',
+					'label-danger': sample.sample_verdict==='malicious',
+					'label-warning': sample.sample_verdict==='suspicious',
+					'label-info': sample.sample_verdict!='clean' && sample.sample_verdict!='suspicious' && sample.sample_verdict!='suspicious'}">
+                    {{sample.sample_verdict}}
                 </span>
             </dd>
         </dl>
+        <dl class="dl-horizontal">
+            <dt>Score</dt>
+            <dd>{{sample.sample_score}}</dd>
+        </dl>
         <dl class="dl-horizontal">
             <dt>Last reputation</dt>
             <dd>
                 <span class="label" ng-class="{'label-info':sample.sample_last_reputation_severity === 'unknown',
-					'label-danger': sample.sample_last_reputation_severity==='blacklisted',
-					'label-info': sample.sample_last_reputation_severity!='blacklisted'}">
+					'label-danger': sample.sample_last_reputation_severity==='malicious',
+                    'label-success':sample.sample_last_reputation_severity === 'clean',
+					'label-info': sample.sample_last_reputation_severity!='malicious'}">
                     {{sample.sample_last_reputation_severity}}
                 </span>
             </dd>