Merge branch 'TheHive-Project:develop' into develop

TheHive-Project · Jun 14, 2024 · 8c254fe · 8c254fe
2 parents 719d74b + be92c11
commit 8c254fe
Show file tree

Hide file tree

Showing 9 changed files with 66 additions and 26 deletions.
diff --git a/analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py b/analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py
@@ -50,8 +50,8 @@ def run(self):
                     has_max = False
                 total_found_relations = 0
                 for item in info["message"][0]["IOCs"]:
-                    if total_found_relations == len(relations) or \
-                    (has_max and total_found_relations >= self.max_relations):
+                    if (total_found_relations == len(relations) or
+                            (has_max and total_found_relations >= self.max_relations)):
                         break
 
                     if item["IocId"] in relations:
@@ -65,14 +65,16 @@ def run(self):
                         elif item["Type"] in ["URL", "Host", "MD5", "SHA1", "SHA256"]:
                             records["IOCs"].append(item)
 
-            additional = {k : v for k, v in additional.items() if v is not None}
+            additional = {k: v for k, v in additional.items() if v is not None}
             main.update(additional)
             records["IOCs"].insert(0, main)
+            if len(records["IOCs"]) == 1 and records["IOCs"][0]["Risk"].lower() == "unknown":
+                records["is_on_gw"] = False
 
         self.report(records)
 
     def check_response(self, response):
-        if response.status_code not in [200,422]:
+        if response.status_code not in [200, 422]:
             try:
                 result = response.json()
                 if (
@@ -102,23 +104,22 @@ def summary(self, raw):
         level = "info"
         namespace = "Gatewatcher CTI"
         predicate = "GetReport"
-        value = "Not found"
+        value = "not found"
         data = next(
             (ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None
         )
         if data is not None:
             level = data["Risk"].lower()
             if level == "malicious":
-                value = 86
+                value = 100
             elif level == "high suspicious":
-                value = 71
-                level = "suspicious"
-            else:
-                value = 31
+                value = 75
+            elif level == "suspicious":
+                value = 60
 
         taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
         return {"taxonomies": taxonomies}
 
 
 if __name__ == "__main__":
-    GatewatcherCTI().run()
+    GatewatcherCTI().run()
diff --git a/analyzers/Gatewatcher_CTI/README.md b/analyzers/Gatewatcher_CTI/README.md
@@ -1,5 +1,18 @@
-Requirement : if you want to use LastInfoSec's intelligence, you need an API key. You could contact LastInfoSec's team here https://www.gatewatcher.com/en/contact/
-LastInfosec has been acquired by Gatewatcher.
-LastInfoSec's Threat Feed is a data feed that makes it easier to detect threats within the information system. It contains enriched compromised evidences in order to reduce the time of threat analysis once detected.
-https://www.gatewatcher.com/en/nos-produits/last-info-sec
+## Gatewatcher
+Gatewatcher is a European leader in advanced Threats detection, protecting critical networks of large Entreprises and Governement organisations since 2015.
 
+## Gatewatcher CTI
+The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business.
+
+## Cortex Integration
+This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database
+
+## How to obtain credentials ?
+If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key
+
+If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec
+
+## TheHive Integration
+With this cortex integration, we also provide you templates for TheHive available in the [thehive-templates](../../thehive-templates/Gatewatcher_CTI_1_0) directory.
+
+![](assets/Gatewatcher_CTI_long.png)
diff --git a/analyzers/Jupyter_Analyzer/Jupyter_Run_Notebook_Analyzer.json b/analyzers/Jupyter_Analyzer/Jupyter_Run_Notebook_Analyzer.json
@@ -18,7 +18,8 @@
     "registry",
     "regexp",
     "other",
-    "filename"
+    "filename",
+    "mail-subject"
   ],
   "description": "Execute a parameterized notebook in Jupyter",
   "baseConfig": "Jupyter",

diff --git a/analyzers/MISP/MISP.json b/analyzers/MISP/MISP.json
@@ -18,7 +18,8 @@
     "registry",
     "regexp",
     "other",
-    "filename"
+    "filename",
+    "mail-subject"
   ],
   "baseConfig": "MISP",
   "command": "MISP/misp.py",

diff --git a/analyzers/OpenCTI/OpenCTI_SearchExactObservable.json b/analyzers/OpenCTI/OpenCTI_SearchExactObservable.json
@@ -18,7 +18,8 @@
     "registry",
     "regexp",
     "other",
-    "filename"
+    "filename",
+    "mail-subject"
   ],
   "config": {
       "service": "search_exact"

diff --git a/analyzers/OpenCTI/OpenCTI_SearchObservables.json b/analyzers/OpenCTI/OpenCTI_SearchObservables.json
@@ -18,7 +18,8 @@
     "registry",
     "regexp",
     "other",
-    "filename"
+    "filename",
+    "mail-subject"
   ],
   "config": {
       "service": "search_observables"

diff --git a/analyzers/OpenCTI/opencti.py b/analyzers/OpenCTI/opencti.py
@@ -78,12 +78,16 @@ def run(self):
 
                 # Get a list of reports containing this observable
                 reports = opencti["api_client"].report.list(
-                    filters=[
-                        {
-                            "key": "objectContains",
+                    filters={
+                        "mode": "and",
+                        "filters": [{
+                            "key": "objects",
                             "values": [observable["id"]],
-                        }
-                    ]
+                            "operator": "eq",
+                            "mode": "or",
+                        },],
+                        "filterGroups": [],
+                    }
                 )
 
                 # Strip reports data for lighter output.

diff --git a/analyzers/SoltraEdge/Soltra_search.json b/analyzers/SoltraEdge/Soltra_search.json
@@ -5,7 +5,22 @@
     "url": "http://soltra.com/en/",
     "license" : "AGPL-V3",
     "description": "Query against Soltra Edge.",
-    "dataTypeList": ["domain", "ip", "url", "fqdn", "uri_path","user-agent", "hash", "mail", "mail_subject" , "registry", "regexp", "other", "filename"],
+  "dataTypeList": [
+    "domain",
+    "ip",
+    "url",
+    "fqdn",
+    "uri_path",
+    "user-agent",
+    "hash",
+    "mail",
+    "mail_subject",
+    "registry",
+    "regexp",
+    "other",
+    "filename",
+    "mail-subject"
+  ],
     "command": "SoltraEdge/soltra.py",
     "baseConfig": "Soltra_Edge",
     "config": {

diff --git a/analyzers/Splunk/Splunk_Search_mail_subject.json b/analyzers/Splunk/Splunk_Search_mail_subject.json
@@ -4,7 +4,10 @@
   "url": "https://www.splunk.com",
   "author": "Unit777, LetMeR00t",
   "license": "AGPL-V3",
-  "dataTypeList": ["mail_subject"],
+  "dataTypeList": [
+    "mail_subject",
+    "mail-subject"
+  ],
   "description": "Execute a savedsearch on a Splunk instance with a mail subject as argument",
   "baseConfig": "Splunk",
   "config": {