Merge pull request #497 from 9b/pt-only

PassiveTotal Analyzer: Added support for additional data sets
TheHive-Project · Dec 17, 2019 · 699f410 · 699f410
2 parents 43f5e26 + 84102e7
commit 699f410
Show file tree

Hide file tree

Showing 15 changed files with 370 additions and 8 deletions.
diff --git a/analyzers/PassiveTotal/PassiveTotal_Components.json b/analyzers/PassiveTotal/PassiveTotal_Components.json
@@ -0,0 +1,31 @@
+{
+  "name": "PassiveTotal_Components",
+  "version": "2.0",
+  "author": "Brandon Dixon (9bplus)",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "PassiveTotal Components Lookup.",
+  "dataTypeList": ["domain", "fqdn", "ip"],
+  "command": "PassiveTotal/passivetotal_analyzer.py",
+  "baseConfig": "PassiveTotal",
+  "config": {
+    "service": "components",
+    "auto_extract": true
+  },
+  "configurationItems": [
+    {
+      "name": "username",
+      "description": "Define the username of the account used to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "Define the API key to use to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
diff --git a/analyzers/PassiveTotal/PassiveTotal_Enrichment.json b/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "enrichment"
+    "service": "enrichment",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Host_Pairs.json b/analyzers/PassiveTotal/PassiveTotal_Host_Pairs.json
@@ -0,0 +1,31 @@
+{
+  "name": "PassiveTotal_Host_Pairs",
+  "version": "2.0",
+  "author": "Brandon Dixon (9bplus)",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "PassiveTotal Host Pairs Lookup.",
+  "dataTypeList": ["domain", "fqdn", "ip"],
+  "command": "PassiveTotal/passivetotal_analyzer.py",
+  "baseConfig": "PassiveTotal",
+  "config": {
+    "service": "host_pairs",
+    "auto_extract": true
+  },
+  "configurationItems": [
+    {
+      "name": "username",
+      "description": "Define the username of the account used to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "Define the API key to use to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
diff --git a/analyzers/PassiveTotal/PassiveTotal_Malware.json b/analyzers/PassiveTotal/PassiveTotal_Malware.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "malware"
+    "service": "malware",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Osint.json b/analyzers/PassiveTotal/PassiveTotal_Osint.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "osint"
+    "service": "osint",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json b/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "passive_dns"
+    "service": "passive_dns",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "ssl_certificate_details"
+    "service": "ssl_certificate_details",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "ssl_certificate_history"
+    "service": "ssl_certificate_history",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Trackers.json b/analyzers/PassiveTotal/PassiveTotal_Trackers.json
@@ -0,0 +1,31 @@
+{
+  "name": "PassiveTotal_Trackers",
+  "version": "2.0",
+  "author": "Brandon Dixon (9bplus)",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "PassiveTotal Trackers Lookup.",
+  "dataTypeList": ["domain", "fqdn", "ip"],
+  "command": "PassiveTotal/passivetotal_analyzer.py",
+  "baseConfig": "PassiveTotal",
+  "config": {
+    "service": "trackers",
+    "auto_extract": true
+  },
+  "configurationItems": [
+    {
+      "name": "username",
+      "description": "Define the username of the account used to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "Define the API key to use to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
diff --git a/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json b/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-    "service": "unique_resolutions"
+    "service": "unique_resolutions",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json b/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
@@ -9,7 +9,8 @@
   "command": "PassiveTotal/passivetotal_analyzer.py",
   "baseConfig": "PassiveTotal",
   "config": {
-      "service": "whois_details"
+      "service": "whois_details",
+    "auto_extract": true
   },
   "configurationItems": [
     {

diff --git a/analyzers/PassiveTotal/passivetotal_analyzer.py b/analyzers/PassiveTotal/passivetotal_analyzer.py
@@ -7,6 +7,7 @@
 from passivetotal.libs.enrichment import EnrichmentRequest
 from passivetotal.libs.ssl import SslRequest
 from passivetotal.libs.whois import WhoisRequest
+from passivetotal.libs.host_attributes import HostAttributeRequest
 
 
 class PassiveTotalAnalyzer(Analyzer):
@@ -98,6 +99,51 @@ def summary(self, raw):
                 value = "REGISTRAR: {}".format(result['registrar'])
                 taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
 
+        # component service
+        elif self.service == 'component':
+            predicate = "WebComponent"
+            if 'totalRecords' in raw and raw['totalRecords']:
+                result['total'] = raw['totalRecords']
+            else:
+                result['total'] = 0
+
+            if result['total'] < 2:
+                value = "{} record".format(result['total'])
+            else:
+                value = "{} records".format(result['total'])
+
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        # tracker service
+        elif self.service == 'trackers':
+            predicate = "Tracker"
+            if 'totalRecords' in raw and raw['totalRecords']:
+                result['total'] = raw['totalRecords']
+            else:
+                result['total'] = 0
+
+            if result['total'] < 2:
+                value = "{} record".format(result['total'])
+            else:
+                value = "{} records".format(result['total'])
+
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        # host pair service
+        elif self.service == 'host_pairs':
+            predicate = "HostPairs"
+            if 'totalRecords' in raw and raw['totalRecords']:
+                result['total'] = raw['totalRecords']
+            else:
+                result['total'] = 0
+
+            if result['total'] < 2:
+                value = "{} record".format(result['total'])
+            else:
+                value = "{} records".format(result['total'])
+
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
         return {"taxonomies": taxonomies}
 
     def run(self):
@@ -157,6 +203,27 @@ def run(self):
                 result = whois_request.get_whois_details(query=data)
                 self.report(result)
 
+            # components service
+            elif self.service == 'components':
+                host_attr_request = HostAttributeRequest(username=self.username, api_key=self.api_key)
+                result = host_attr_request.get_components(query=data)
+                self.report(result)
+
+            # trackers service
+            elif self.service == 'trackers':
+                host_attr_request = HostAttributeRequest(username=self.username, api_key=self.api_key)
+                result = host_attr_request.get_trackers(query=data)
+                self.report(result)
+
+            # host pairs service
+            elif self.service == 'host_pairs':
+                host_attr_request = HostAttributeRequest(username=self.username, api_key=self.api_key)
+                result = host_attr_request.get_host_pairs(query=data, direction='parents')
+                children = host_attr_request.get_host_pairs(query=data, direction='children')
+                result['totalRecords'] += children['totalRecords']
+                result['results'] = result['results'] + children['results']
+                self.report(result)
+
             else:
                 self.error('Unknown PassiveTotal service')
 

diff --git a/thehive-templates/PassiveTotal_Components_2_0/long.html b/thehive-templates/PassiveTotal_Components_2_0/long.html
@@ -0,0 +1,66 @@
+<div class="report-PT" ng-if="success">
+    <style>
+        .report-PT dl {
+            margin-bottom: 2px;
+        }
+    </style>
+
+
+    <div class="panel panel-info">
+        <div class="panel-heading">
+            <strong>PassiveTotal Components Report</strong>
+        </div>
+        <div class="panel-body">
+            <div ng-if="content.result.length === 0">
+                No records found
+            </div>
+            <div ng-if="content.result.length !== 0" class="panel panel-default">
+                <div class="panel-heading">
+                    Summary Information
+                </div>
+                <div class="panel-body">
+                    <dl class="dl-horizontal">
+                        <dt>Total Records:</dt>
+                        <dd>{{content.totalRecords}}</dd>
+                    </dl>
+                </div>
+            </div>
+            <div ng-if="content.result.length !== 0" class="panel panel-default">
+                <div class="panel-heading">
+                    Records
+                </div>
+                <div class="panel-body">
+                    <table class="table table-hover" ng-if="content.results.length > 0">
+                        <tr>
+                            <th>Source</th>
+                            <th>Category</th>
+                            <th>Label</th>
+                            <th>Version</th>
+                            <th>First seen</th>
+                            <th>Last seen</th>
+                        </tr>
+                        <tr ng-repeat="c in content.results | orderBy:'-firstSeen'">
+                            <td>{{c.hostname || 'None'}}</td>
+                            <td>{{c.category || 'None'}}</td>
+                            <td>{{c.label || 'None'}}</td>
+                            <td>{{c.version || 'None'}}</td>
+                            <td>{{c.firstSeen || 'None'}}</td>
+                            <td>{{c.lastSeen || 'None'}}</td>
+                        </tr>
+                    </table>
+                </div>
+            </div>
+
+        </div>
+    </div>
+
+</div>
+
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/thehive-templates/PassiveTotal_Host_Pairs_2_0/long.html b/thehive-templates/PassiveTotal_Host_Pairs_2_0/long.html
@@ -0,0 +1,64 @@
+<div class="report-PT" ng-if="success">
+    <style>
+        .report-PT dl {
+            margin-bottom: 2px;
+        }
+    </style>
+
+
+    <div class="panel panel-info">
+        <div class="panel-heading">
+            <strong>PassiveTotal Host Pairs Report</strong>
+        </div>
+        <div class="panel-body">
+            <div ng-if="content.result.length === 0">
+                No records found
+            </div>
+            <div ng-if="content.result.length !== 0" class="panel panel-default">
+                <div class="panel-heading">
+                    Summary Information
+                </div>
+                <div class="panel-body">
+                    <dl class="dl-horizontal">
+                        <dt>Total Records:</dt>
+                        <dd>{{content.totalRecords}}</dd>
+                    </dl>
+                </div>
+            </div>
+            <div ng-if="content.result.length !== 0" class="panel panel-default">
+                <div class="panel-heading">
+                    Records
+                </div>
+                <div class="panel-body">
+                    <table class="table table-hover" ng-if="content.results.length > 0">
+                        <tr>
+                            <th>Parent</th>
+                            <th>Child</th>
+                            <th>Cause</th>
+                            <th>First seen</th>
+                            <th>Last seen</th>
+                        </tr>
+                        <tr ng-repeat="c in content.results | orderBy:'-firstSeen'">
+                            <td>{{c.parent || 'None'}}</td>
+                            <td>{{c.child || 'None'}}</td>
+                            <td>{{c.cause || 'None'}}</td>
+                            <td>{{c.firstSeen || 'None'}}</td>
+                            <td>{{c.lastSeen || 'None'}}</td>
+                        </tr>
+                    </table>
+                </div>
+            </div>
+
+        </div>
+    </div>
+
+</div>
+
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>