Add RecordedFuture Analyzer

TheHive-Project · Sep 28, 2018 · 1deb0e4 · 1deb0e4
1 parent 925df9b
commit 1deb0e4
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 0 deletions.
diff --git a/analyzers/RecordedFuture/RecordedFuture_risk.json b/analyzers/RecordedFuture/RecordedFuture_risk.json
@@ -0,0 +1,20 @@
+{
+  "name": "RecordedFuture_risk",
+  "version": "1.0",
+  "author": "KAPSCH-CDC",
+  "url": "https://github.com/kapschcdc/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Get the latest risk data from RecordedFuture for a hash, domain or an IP address.",
+  "dataTypeList": ["domain", "ip", "hash"],
+  "command": "RecordedFuture/recordedfuture.py",
+  "baseConfig": "RecordedFuture",
+  "configurationItems": [
+    {
+      "name": "key",
+      "description": "API key for RecordedFuture",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
diff --git a/analyzers/RecordedFuture/recordedfuture.py b/analyzers/RecordedFuture/recordedfuture.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from cortexutils.analyzer import Analyzer
+
+import urllib.request
+import json
+
+class RecordedFutureAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.recordedfuture_key = self.get_param('config.key', None, 'Missing RecordedFuture API key')
+        self.proxies = self.get_param('config.proxy', None)
+
+    def summary(self, raw):
+        taxonomies = []
+        namespace = 'RF'
+
+        level = 'info'
+        predicate = 'score'
+        value = '{}/100'.format(raw['data']['risk']['score'])
+        criticality = raw['data']['risk']['criticality']
+        if criticality == 0:
+            level = 'safe'
+        elif criticality == 1:
+            level = 'info'
+        elif criticality == 2:
+            level = 'suspicious'
+        elif criticality >= 3:
+            level = 'malicious'
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        level = 'info'
+        predicate = '#evidenceDetails'
+        value = str(len(raw['data']['risk']['evidenceDetails']))
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        if self.data_type in ['domain', 'ip', 'hash']:
+            data = self.get_param('data', None, 'Data is missing')
+            url = 'https://api.recordedfuture.com/v2/{}/{}?fields=risk%2CintelCard'.format(self.data_type, data)
+            req = urllib.request.Request(url, None, {'X-RFToken': self.recordedfuture_key})
+            try:
+                with urllib.request.urlopen(req) as res:
+                    j = json.loads(res.read().decode("utf-8"))
+                    self.summary(j)
+                    return self.report(j)
+            except IOError as e:
+                self.error(str(e))
+        else:
+            self.error('Invalid data type')
+
+if __name__ == '__main__':
+    RecordedFutureAnalyzer().run()
diff --git a/analyzers/RecordedFuture/requirements.txt b/analyzers/RecordedFuture/requirements.txt
@@ -0,0 +1 @@
+cortexutils
diff --git a/thehive-templates/RecordedFuture_risk_1_0/long.html b/thehive-templates/RecordedFuture_risk_1_0/long.html
@@ -0,0 +1,55 @@
+<!-- Success -->
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        <strong>Summary</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal">
+            <dt>Score</dt>
+            <dd>{{content.data.risk.score}}/100</dd>
+        </dl>
+        <dl class="dl-horizontal">
+            <dt>Criticality</dt>
+            <dd>{{content.data.risk.criticalityLabel}} ({{content.data.risk.criticality}})</dd>
+        </dl>
+        <dl class="dl-horizontal">
+            <dt>Risk summary</dt>
+            <dd>{{content.data.risk.riskSummary}}</dd>
+        </dl>
+        <a href="{{content.data.intelCard}}" target="_blank" class="btn btn-primary" role="button">Intel Card</a>
+    </div>
+    <div class="panel-heading">
+        <strong>Triggered Risk Rules</strong>
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>Criticality</th>
+                <th>Rule</th>
+                <th>Evidence</th>
+            </tr>
+            <tr ng-repeat="evidence in content.data.risk.evidenceDetails">
+                <td>
+                    <span ng-class="{'text-success': evidence.criticality == 0, 'text-warning': evidence.criticality > 0, 'text-danger': evidence.criticality > 2}">
+                        {{evidence.criticalityLabel}}
+                    </span>
+                </td>
+                <td>{{evidence.rule}}</td>
+                <td class="wrap">{{evidence.evidenceString}}</td>
+            </tr>
+        </table>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt><i class="fa fa-warning"></i>Error:</dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>
diff --git a/thehive-templates/RecordedFuture_risk_1_0/short.html b/thehive-templates/RecordedFuture_risk_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>