New analyzers and templates for RiskIQ Illuminate (#1013)

* New RiskIQ Illuminate analyzers.

* Analyzer transformations for UI hints. New RiskIQ responders to push indicators to RiskIQ projects.

* New templates for RiskIQ Analyzers (Reputation and Summary)

* Report templates for RiskIQ Illuminate analyzers.

* Handle 404 responses from the API more gracefully.

* Subdomains analyzer and report template.

* Set context headers for metrics and troubleshooting.

* Set responder context headers.

analyzers/RiskIQ/RiskIQ_Articles.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "articles"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: OSINT articles that reference an indicator.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_Articles",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_Artifacts.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "artifacts"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: Illuminate / PassiveTotal project artifacts that match an indicator.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_Artifacts",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_Certificates.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "certificates"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: SSL/TLS certificates associated with an indicator.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_Certificates",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_Components.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "components"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: web components observed during crawls on a hostname.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_Components",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_Cookies.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "cookies"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: cookies observed during crawls on a hostname.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_Cookies",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_HostpairChildren.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "hostpair_children"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: hosts with a child web component relationship to an IOC.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_HostpairChildren",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_HostpairParents.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "hostpair_parents"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: hosts with a parent web component relationship to an IOC.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_HostpairParents",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}

analyzers/RiskIQ/RiskIQ_Malware.json

@@ -0,0 +1,43 @@
+{
+  "author": "RiskIQ",
+  "baseConfig": "RiskIQ",
+  "command": "RiskIQ/_analyzer.py",
+  "config": {
+    "auto_extract": true,
+    "property": "malware"
+  },
+  "configurationItems": [
+    {
+      "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
+      "multi": false,
+      "name": "username",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
+      "multi": false,
+      "name": "api_key",
+      "required": true,
+      "type": "string"
+    },
+    {
+      "defaultValue": 180,
+      "description": "Number of days back to search for date-bounded historical queries",
+      "multi": false,
+      "name": "days_back",
+      "required": false,
+      "type": "number"
+    }
+  ],
+  "dataTypeList": [
+    "domain",
+    "fqdn",
+    "ip"
+  ],
+  "description": "RiskIQ: malware hashes from various sources associated with an IOC.",
+  "license": "AGPL-V3",
+  "name": "RiskIQ_Malware",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0"
+}