Merge pull request #1002 from pjuhas/develop

IP-API analyzer

analyzers/IP-API/IP-API.json

@@ -0,0 +1,11 @@
+{
+  "name": "IP-API",
+  "version": "1.0",
+  "author": "Peter Juhas",
+  "url": "https://github.com/pjuhas/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Check IP address or domain using ip-api.com",
+  "dataTypeList": ["ip", "domain"],
+  "baseConfig": "IP-API",
+  "command": "IP-API/IP-API.py"
+}

analyzers/IP-API/IP-API.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+import requests
+from cortexutils.analyzer import Analyzer
+
+
+class IPAPI(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def summary(self, raw):
+        taxonomies = []
+        level = 'info'
+        namespace = 'IP-API'
+        predicate = 'Country'
+        value = "None"
+        if "country" in raw:
+            value = "{}".format(raw["country"])
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {'taxonomies': taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+        if self.data_type == 'ip' or self.data_type == 'domain':
+            try:
+                data = self.get_data()
+                s = requests.Session()
+                response_details = s.get('http://ip-api.com/json/{}'
+                                         .format(data))
+                if response_details.status_code == 200:
+                    result = response_details.json()
+                    self.report(result if len(result) > 0 else {})
+                else:
+                    self.error('Failed to query IP-API details. Status_code {}'.format(response_details.status_code))
+            except Exception as e:
+                self.unexpectedError(e)
+        else:
+            self.notSupported()
+
+
+if __name__ == '__main__':
+    IPAPI().run()

analyzers/IP-API/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

thehive-templates/IP-API_1_0/long.html

@@ -0,0 +1,42 @@
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        Geolocation of <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>Country</th>
+                <td>{{content.country | ellipsis:130}}</td>
+            </tr>
+            <tr>
+                <th>Code</th>
+                <td>{{content.countryCode | ellipsis:130}}</td>
+            </tr>
+            <tr>
+                <th>City</th>
+                <td>{{content.city | ellipsis:130}}</td>
+            </tr>
+            <tr>
+                <th>ZIP</th>
+                <td>{{content.zip | ellipsis:130}}</td>
+            </tr>
+            <tr>
+                <th>ISP</th>
+                <td>{{content.isp | ellipsis:130}}</td>
+            </tr>
+            <tr>
+                <th>ORG</th>
+                <td>{{content.org | ellipsis:130}}</td>
+            </tr>
+        </table>
+    </div>
+</div>
+
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>

thehive-templates/IP-API_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>