Merge pull request #754 from lastinfosec/master

new LastInfoSec analyzers for hash and domain

analyzers/LIS_GetReport/LIS_GetReport.json

@@ -0,0 +1,23 @@
+{
+  "name": "LIS_Get_Report",
+  "version": "1.0",
+  "author": "LastInfoSec",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-3.0",
+  "description": "Get LastInfoSec Report",
+  "dataTypeList": ["hash", "domain"],
+  "command": "LIS_GetReport/LIS_GetReport.py",
+  "baseConfig": "LastInfoSec",
+  "config": {
+    "service": "get_report"
+  },
+  "configurationItems": [
+    {
+      "name": "apiKey",
+      "description": "LastInfoSec Api Key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

analyzers/LIS_GetReport/LIS_GetReport.py

@@ -0,0 +1,120 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*
+from cortexutils.analyzer import Analyzer
+import requests
+
+
+class LIS_GetReport(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.api_key = self.get_param(
+            "config.apiKey", None, "LastInfoSec API KEY is required"
+        )
+        self.observable_value = self.get_param("data", None, "Data is missing")
+
+    def run(self):
+        if self.data_type == "hash":
+            url = "https://api.client.lastinfosec.com/v2/lis/search_hash/{0}?api_key={1}".format(
+                self.observable_value, self.api_key
+            )
+        elif self.data_type == "domain":
+            url = "https://api.client.lastinfosec.com/v2/lis/search_host/{0}?api_key={1}".format(
+                self.observable_value, self.api_key
+            )
+        else:
+            self.error("{} not supported".format(self.data_type))
+        useragent = {
+            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
+        }
+        response = requests.get(url, headers=useragent)
+        info = self.check_response(response)
+
+        additional = {}
+        main = {}
+        main_hash = {}
+        urls = []
+        records = {"IOCs": []}
+
+        if self.data_type == "hash":
+            for item in info["message"][0]["IOCs"]:
+                item.update(item.pop("MetaData", None))
+                if item["Value"] == self.observable_value:
+                    main = item
+                elif item["Type"] in ["MD5", "SHA1", "SHA256"]:
+                    additional[item["Type"]] = item["Value"]
+                else:
+                    records["IOCs"].append(item)
+            main.update(additional)
+            records["IOCs"].append(main)
+        elif self.data_type == "domain":
+            for item in info["message"][0]["IOCs"]:
+                item.update(item.pop("MetaData", None))
+                if item["Value"] == self.observable_value:
+                    main = item
+                elif item["Type"] == "URL":
+                    urls.append({"url": item["Value"], "tags": item["Tags"]})
+                elif item["Type"] in ["MD5", "SHA1", "SHA256"]:
+                    if len(main_hash) == 0:
+                        main_hash = item
+                    else:
+                        additional[item["Type"]] = item["Value"]
+
+            main["urls"] = urls
+            records["IOCs"].append(main)
+            if len(main_hash) > 0:
+                main_hash.update(additional)
+                records["IOCs"].append(main_hash)
+
+        self.report(records)
+
+    def check_response(self, response):
+        if response.status_code != 200:
+            try:
+                result = response.json()
+                if (
+                    "detail" in result
+                    and "details" in result["detail"]
+                    and "error" in result["detail"]["details"][0]
+                ):
+                    self.error(
+                        "Bad status: {0}. {1}".format(
+                            response.status_code,
+                            result["detail"]["details"][0]["error"],
+                        )
+                    )
+                else:
+                    self.error("Bad status: {0}".format(response.status_code))
+            except Exception as ex:
+                self.error("Bad status: {0}".format(response.status_code))
+        else:
+            try:
+                result = response.json()
+                return result
+            except Exception as ex:
+                self.error("Bad Response: {0}".format(ex))
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "info"
+        namespace = "LastInfoSec"
+        predicate = "GetReport"
+        value = 0
+        data = next(
+            (ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None
+        )
+        if data is not None:
+            level = data["Risk"].lower()
+            if level == "malicious":
+                value = 86
+            elif level == "high suspicious":
+                value = 71
+                level = "suspicious"
+            else:
+                value = 31
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == "__main__":
+    LIS_GetReport().run()

analyzers/LIS_GetReport/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

thehive-templates/LIS_GetReport_1_0/long.html

@@ -0,0 +1,91 @@
+<div class="panel panel-danger" ng-if="!success">
+  <div class="panel-heading">
+    <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+  </div>
+  <div class="panel-body">
+    {{content.errorMessage}}
+  </div>
+</div>
+
+<div ng-if="success">
+  <div class="panel panel-info" ng-repeat="ioc in content.IOCs">
+    <div class="panel-heading">
+      <strong>LastInfoSec Report for {{ioc.Type}}: {{ioc.Value}}</strong>
+    </div>
+    <div class="panel-body">
+      <dl class="dl-horizontal" ng-if="ioc.Value == artifact.data && ioc.MD5">
+        <dt>MD5</dt>
+        <dd class="wrap">{{ioc.MD5}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.Value == artifact.data && ioc.SHA1">
+        <dt>SHA1</dt>
+        <dd class="wrap">{{ioc.SHA1}}</dd>
+      </dl>
+      <dl
+        class="dl-horizontal"
+        ng-if="ioc.Value == artifact.data && ioc.SHA256"
+      >
+        <dt>SHA256</dt>
+        <dd class="wrap">{{ioc.SHA256}}</dd>
+      </dl>
+
+      <dl class="dl-horizontal" ng-if="ioc.CreationDate">
+        <dt>Creation Date</dt>
+        <dd class="wrap">{{ioc.CreationDate}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.Risk">
+        <dt>Risk</dt>
+        <dd class="wrap">{{ioc.Risk}}</dd>
+      </dl>
+      <dl
+        class="dl-horizontal"
+        ng-if="ioc.description && ioc.description.length>0"
+      >
+        <dt>Description</dt>
+        <dd class="wrap">{{ioc.description}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.cwe && ioc.cwe.length>0">
+        <dt>Cwe</dt>
+        <dd class="wrap">{{ioc.Cwe}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.filetype">
+        <dt>Filetype</dt>
+        <dd class="wrap">{{ioc.filetype}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.Categories.length>0">
+        <dt>Categories</dt>
+        <dd class="wrap">{{ioc.Categories.join(", ")}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.Families.length>0">
+        <dt>Families</dt>
+        <dd class="wrap">{{ioc.Families.join(", ")}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.TTP.length>0">
+        <dt>TTP</dt>
+        <dd class="wrap">{{ioc.TTP.join(", ")}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.TLP">
+        <dt>TLP</dt>
+        <dd class="wrap">{{ioc.TLP}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.Relations.length>0">
+        <dt>Relations</dt>
+        <dd class="wrap">{{ioc.Relations.join(", ")}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.Tags.length>0">
+        <dt>Tags</dt>
+        <dd class="wrap">{{ioc.Tags.join(", ")}}</dd>
+      </dl>
+      <dl class="dl-horizontal" ng-if="ioc.urls.length>0">
+        <dt>Urls</dt>
+        <dd class="wrap">
+          <ul>
+            <li ng-repeat="url in ioc.urls">
+              {{url.url}} [{{url.tags.join(", ")}}]
+            </li>
+          </ul>
+        </dd>
+      </dl>
+    </div>
+  </div>
+</div>

thehive-templates/LIS_GetReport_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>