diff --git a/analyzers/PassiveTotal/PassiveTotal_Components.json b/analyzers/PassiveTotal/PassiveTotal_Components.json
new file mode 100644
index 000000000..9be950421
--- /dev/null
+++ b/analyzers/PassiveTotal/PassiveTotal_Components.json
@@ -0,0 +1,31 @@
+{
+ "name": "PassiveTotal_Components",
+ "version": "2.0",
+ "author": "Brandon Dixon (9bplus)",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "PassiveTotal Components Lookup.",
+ "dataTypeList": ["domain", "fqdn", "ip"],
+ "command": "PassiveTotal/passivetotal_analyzer.py",
+ "baseConfig": "PassiveTotal",
+ "config": {
+ "service": "components",
+ "auto_extract": true
+ },
+ "configurationItems": [
+ {
+ "name": "username",
+ "description": "Define the username of the account used to connect the service",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "key",
+ "description": "Define the API key to use to connect the service",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/analyzers/PassiveTotal/PassiveTotal_Enrichment.json b/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
index 50554f195..1aab9223f 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "enrichment"
+ "service": "enrichment",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Host_Pairs.json b/analyzers/PassiveTotal/PassiveTotal_Host_Pairs.json
new file mode 100644
index 000000000..c8f3bd9ec
--- /dev/null
+++ b/analyzers/PassiveTotal/PassiveTotal_Host_Pairs.json
@@ -0,0 +1,31 @@
+{
+ "name": "PassiveTotal_Host_Pairs",
+ "version": "2.0",
+ "author": "Brandon Dixon (9bplus)",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "PassiveTotal Host Pairs Lookup.",
+ "dataTypeList": ["domain", "fqdn", "ip"],
+ "command": "PassiveTotal/passivetotal_analyzer.py",
+ "baseConfig": "PassiveTotal",
+ "config": {
+ "service": "host_pairs",
+ "auto_extract": true
+ },
+ "configurationItems": [
+ {
+ "name": "username",
+ "description": "Define the username of the account used to connect the service",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "key",
+ "description": "Define the API key to use to connect the service",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/analyzers/PassiveTotal/PassiveTotal_Malware.json b/analyzers/PassiveTotal/PassiveTotal_Malware.json
index a2d3d144c..cdf502e3d 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Malware.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Malware.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "malware"
+ "service": "malware",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Osint.json b/analyzers/PassiveTotal/PassiveTotal_Osint.json
index 92a6c552e..98e8dc5c5 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Osint.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Osint.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "osint"
+ "service": "osint",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json b/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
index a3135541d..872343b9a 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "passive_dns"
+ "service": "passive_dns",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
index 1f4dff33d..0bb26c0a0 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "ssl_certificate_details"
+ "service": "ssl_certificate_details",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
index 9fcbe96dd..8ef92ff11 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "ssl_certificate_history"
+ "service": "ssl_certificate_history",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Trackers.json b/analyzers/PassiveTotal/PassiveTotal_Trackers.json
new file mode 100644
index 000000000..8f1c98f6d
--- /dev/null
+++ b/analyzers/PassiveTotal/PassiveTotal_Trackers.json
@@ -0,0 +1,31 @@
+{
+ "name": "PassiveTotal_Trackers",
+ "version": "2.0",
+ "author": "Brandon Dixon (9bplus)",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "PassiveTotal Trackers Lookup.",
+ "dataTypeList": ["domain", "fqdn", "ip"],
+ "command": "PassiveTotal/passivetotal_analyzer.py",
+ "baseConfig": "PassiveTotal",
+ "config": {
+ "service": "trackers",
+ "auto_extract": true
+ },
+ "configurationItems": [
+ {
+ "name": "username",
+ "description": "Define the username of the account used to connect the service",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "key",
+ "description": "Define the API key to use to connect the service",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
+}
diff --git a/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json b/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
index 531447785..e013017a2 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "unique_resolutions"
+ "service": "unique_resolutions",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json b/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
index 05b33fff8..33177c98d 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
@@ -9,7 +9,8 @@
"command": "PassiveTotal/passivetotal_analyzer.py",
"baseConfig": "PassiveTotal",
"config": {
- "service": "whois_details"
+ "service": "whois_details",
+ "auto_extract": true
},
"configurationItems": [
{
diff --git a/analyzers/PassiveTotal/passivetotal_analyzer.py b/analyzers/PassiveTotal/passivetotal_analyzer.py
index ae55e3781..dd1effb3d 100755
--- a/analyzers/PassiveTotal/passivetotal_analyzer.py
+++ b/analyzers/PassiveTotal/passivetotal_analyzer.py
@@ -7,6 +7,7 @@
from passivetotal.libs.enrichment import EnrichmentRequest
from passivetotal.libs.ssl import SslRequest
from passivetotal.libs.whois import WhoisRequest
+from passivetotal.libs.host_attributes import HostAttributeRequest
class PassiveTotalAnalyzer(Analyzer):
@@ -98,6 +99,51 @@ def summary(self, raw):
value = "REGISTRAR: {}".format(result['registrar'])
taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+ # component service
+ elif self.service == 'component':
+ predicate = "WebComponent"
+ if 'totalRecords' in raw and raw['totalRecords']:
+ result['total'] = raw['totalRecords']
+ else:
+ result['total'] = 0
+
+ if result['total'] < 2:
+ value = "{} record".format(result['total'])
+ else:
+ value = "{} records".format(result['total'])
+
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+ # tracker service
+ elif self.service == 'trackers':
+ predicate = "Tracker"
+ if 'totalRecords' in raw and raw['totalRecords']:
+ result['total'] = raw['totalRecords']
+ else:
+ result['total'] = 0
+
+ if result['total'] < 2:
+ value = "{} record".format(result['total'])
+ else:
+ value = "{} records".format(result['total'])
+
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+ # host pair service
+ elif self.service == 'host_pairs':
+ predicate = "HostPairs"
+ if 'totalRecords' in raw and raw['totalRecords']:
+ result['total'] = raw['totalRecords']
+ else:
+ result['total'] = 0
+
+ if result['total'] < 2:
+ value = "{} record".format(result['total'])
+ else:
+ value = "{} records".format(result['total'])
+
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
return {"taxonomies": taxonomies}
def run(self):
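Review bot: The new components branch in summary() tests `self.service == 'component'` (singular), but PassiveTotal_Components.json sets `"service": "components"` and run() dispatches on `'components'`, so this branch is unreachable and components reports produce no taxonomy. Change the condition to `elif self.service == 'components':` so summary() and run() agree on the service name. The three added branches are otherwise identical apart from `predicate`; a lookup such as `{'components': 'WebComponent', 'trackers': 'Tracker', 'host_pairs': 'HostPairs'}` feeding one shared record-count block would remove the duplicated `totalRecords` handling. summary() begins outside the hunk.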
@@ -157,6 +203,27 @@ def run(self):
result = whois_request.get_whois_details(query=data)
self.report(result)
+ # components service
+ elif self.service == 'components':
+ host_attr_request = HostAttributeRequest(username=self.username, api_key=self.api_key)
+ result = host_attr_request.get_components(query=data)
+ self.report(result)
+
+ # trackers service
+ elif self.service == 'trackers':
+ host_attr_request = HostAttributeRequest(username=self.username, api_key=self.api_key)
+ result = host_attr_request.get_trackers(query=data)
+ self.report(result)
+
+ # host pairs service
+ elif self.service == 'host_pairs':
+ host_attr_request = HostAttributeRequest(username=self.username, api_key=self.api_key)
+ result = host_attr_request.get_host_pairs(query=data, direction='parents')
+ children = host_attr_request.get_host_pairs(query=data, direction='children')
+ result['totalRecords'] += children['totalRecords']
+ result['results'] = result['results'] + children['results']
+ self.report(result)
+
else:
self.error('Unknown PassiveTotal service')
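Review bot: The host_pairs branch indexes `result['totalRecords']`, `children['totalRecords']` and both `['results']` directly, so a response that lacks either key (an error payload from the service, for instance) raises KeyError out of run() instead of reaching self.report() or self.error(), while summary() treats `totalRecords` as optional. Merging with defaults keeps the two paths consistent: `result['totalRecords'] = result.get('totalRecords', 0) + children.get('totalRecords', 0)` and `result['results'] = result.get('results', []) + children.get('results', [])`. Whether HostAttributeRequest.get_host_pairs can return something other than a dict on failure is not visible here; if it can, this merge is where that would surface, so a type check before mutating `result` may be warranted. run() begins outside the hunk.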
diff --git a/thehive-templates/PassiveTotal_Components_2_0/long.html b/thehive-templates/PassiveTotal_Components_2_0/long.html
new file mode 100644
index 000000000..bb15bc884
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Components_2_0/long.html
@@ -0,0 +1,66 @@
+
+
+
+
+
+
+ PassiveTotal Components Report
+
+
+
+ No records found
+
+
+
+ Summary Information
+
+
+
+ - Total Records:
+ - {{content.totalRecords}}
+
+
+
+
+
+ Records
+
+
+
+
+ Source |
+ Category |
+ Label |
+ Version |
+ First seen |
+ Last seen |
+
+
+ {{c.hostname || 'None'}} |
+ {{c.category || 'None'}} |
+ {{c.label || 'None'}} |
+ {{c.version || 'None'}} |
+ {{c.firstSeen || 'None'}} |
+ {{c.lastSeen || 'None'}} |
+
+
+
+
+
+
+
+
+
+
+
+
+ {{(artifact.data || artifact.attachment.name) | fang}}
+
+
+ {{content.errorMessage}}
+
+
diff --git a/thehive-templates/PassiveTotal_Host_Pairs_2_0/long.html b/thehive-templates/PassiveTotal_Host_Pairs_2_0/long.html
new file mode 100644
index 000000000..46367b989
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Host_Pairs_2_0/long.html
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ PassiveTotal Host Pairs Report
+
+
+
+ No records found
+
+
+
+ Summary Information
+
+
+
+ - Total Records:
+ - {{content.totalRecords}}
+
+
+
+
+
+ Records
+
+
+
+
+ Parent |
+ Child |
+ Cause |
+ First seen |
+ Last seen |
+
+
+ {{c.parent || 'None'}} |
+ {{c.child || 'None'}} |
+ {{c.cause || 'None'}} |
+ {{c.firstSeen || 'None'}} |
+ {{c.lastSeen || 'None'}} |
+
+
+
+
+
+
+
+
+
+
+
+
+ {{(artifact.data || artifact.attachment.name) | fang}}
+
+
+ {{content.errorMessage}}
+
+
diff --git a/thehive-templates/PassiveTotal_Trackers_2_0/long.html b/thehive-templates/PassiveTotal_Trackers_2_0/long.html
new file mode 100644
index 000000000..2e2245a5d
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Trackers_2_0/long.html
@@ -0,0 +1,64 @@
+
+
+
+
+
+
+ PassiveTotal Trackers Report
+
+
+
+ No records found
+
+
+
+ Summary Information
+
+
+
+ - Total Records:
+ - {{content.totalRecords}}
+
+
+
+
+
+ Records
+
+
+
+
+ Source |
+ Type |
+ Value |
+ First seen |
+ Last seen |
+
+
+ {{c.hostname || 'None'}} |
+ {{c.attributeType || 'None'}} |
+ {{c.attributeValue || 'None'}} |
+ {{c.firstSeen || 'None'}} |
+ {{c.lastSeen || 'None'}} |
+
+
+
+
+
+
+
+
+
+
+
+
+ {{(artifact.data || artifact.attachment.name) | fang}}
+
+
+ {{content.errorMessage}}
+
+