Merge pull request #1008 from pjuhas/develop

Verifalia analyzer
TheHive-Project · Jul 22, 2022 · 66070de · 66070de
2 parents 51ab5a3 + ef5d707
commit 66070de
Show file tree

Hide file tree

Showing 5 changed files with 132 additions and 0 deletions.
diff --git a/analyzers/Verifalia/Verifalia.json b/analyzers/Verifalia/Verifalia.json
@@ -0,0 +1,27 @@
+{
+  "name": "Verifalia",
+  "version": "1.0",
+  "author": "Peter Juhas",
+  "url": "https://github.com/pjuhas/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Analyze e-mail address via Verifalia",
+  "dataTypeList": ["mail"],
+  "baseConfig": "Verifalia",
+  "configurationItems": [
+    {
+      "name": "login",
+      "description": "Username for Verifalia",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "password",
+      "description": "Password for Verifalia",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ],
+  "command": "Verifalia/Verifalia.py"
+}
diff --git a/analyzers/Verifalia/Verifalia.py b/analyzers/Verifalia/Verifalia.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+import time
+import requests
+from cortexutils.analyzer import Analyzer
+
+
+class Verifalia(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.login_key = self.get_param('config.login', None, 'Missing username for Verifalia')
+        self.password_key = self.get_param('config.password', None, 'Missing password for Verifalia')
+
+    def summary(self, raw):
+        taxonomies = []
+        level = 'info'
+        namespace = 'Verifalia'
+        predicate = ':'
+        value = ''
+        if "entries" in raw:
+            value = "{}".format(raw["classification"])
+        if value == "Risky":
+            level = "suspicious"
+        elif value == "Deliverable":
+            level = "safe"
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {'taxonomies': taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+        if self.data_type == 'mail':
+            try:
+                input_data = self.get_data()
+                with requests.Session() as s:
+                    headers = {
+                        'Content-Type': 'application/json',
+                    }
+                    data = '{ entries: [ { inputData: \'%s\' } ] }' % input_data
+                    response = s.post('https://api.verifalia.com/v2.2/email-validations', headers=headers, data=data,
+                                      auth=('{}'.format(self.login_key), '{}'.format(self.password_key)))
+                    id_of_case = response.json()['overview']['id']
+                    time.sleep(10)
+                    response_details = s.get('https://api.verifalia.com/v2.2/email-validations/{}'.format(id_of_case),
+                                             auth=('{}'.format(self.login_key), '{}'.format(self.password_key)))
+
+                if response_details.status_code == 200:
+                    result = response_details.json()
+                    self.report(result if len(result) > 0 else {})
+                else:
+                    self.error('Failed to query Verifalia details. Status_code {}'.format(
+                        response_details.status_code))
+            except Exception as e:
+                self.unexpectedError(e)
+        else:
+            self.notSupported()
+
+
+if __name__ == '__main__':
+    Verifalia().run()
diff --git a/analyzers/Verifalia/requirements.txt b/analyzers/Verifalia/requirements.txt
@@ -0,0 +1,3 @@
+cortexutils
+requests
+time
diff --git a/thehive-templates/Verifalia_1_0/long.html b/thehive-templates/Verifalia_1_0/long.html
@@ -0,0 +1,41 @@
+<div class="panel panel-info" ng-if="::content.entries">
+    <div class="panel-heading">
+        <strong>Summary</strong>
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>E-mail address</th>
+                <th>Local part</th>
+                <th>Domain part</th>
+                <th>Disposable e-mail</th>
+                <th>Free</th>
+                <th>Classification</th>
+            </tr>
+            <tr ng-repeat="r in content.entries.data">
+                <td>{{r.emailAddress}}</td>
+                <td>{{r.emailAddressLocalPart}}</td>
+                <td>{{r.emailAddressDomainPart}}</td>
+                <td>{{r.isDisposableEmailAddress}}</td>
+                <td>{{r.isFreeEmailAddress}}</td>
+                <td>{{r.classification}}</td>
+            </tr>
+        </table>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt>
+                <i class="fa fa-warning"></i> urlscan.io:
+            </dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>
+
diff --git a/thehive-templates/Verifalia_1_0/short.html b/thehive-templates/Verifalia_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>