diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cdd7a74fd..4b994dd40 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: [ ubuntu-latest ]
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - name: Build analyzers
@@ -32,7 +32,7 @@ jobs:
 runs-on: [ ubuntu-latest ]
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - name: Build responders
@@ -49,13 +49,13 @@ jobs:
 if: always()
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Build catalog
 uses: docker://thehiveproject/neurons-build-catalogs
 - name: Build report-templates zip package
 uses: docker://thehiveproject/neurons-build-report-templates
 - name: Save Artifacts
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: catalog
 path: |
@@ -80,13 +80,13 @@ jobs:
 needs: [build_analyzers, build_responders ]
 if: startsWith(github.ref, 'refs/tags/') && always()
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Prepare documentation files
 uses: docker://thehiveproject/doc-builder
 with:
 args: --type Cortex-Neurons
 - name: Set up Python
- uses: actions/setup-python@v3
+ uses: actions/setup-python@v5
 with:
 python-version: "3.x"
 architecture: x64
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 627be6844..2c6dcc728 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,17 +1,26 @@ # Changelog -## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2025-01-16) +## [3.4.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.4) (2025-02-07) + +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.3...3.4.4) + +**Closed issues:** + +- \[FR\] - Feedback for the MSEntraID Responder [\#1302](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1302) +- \[Bug\] Elasticsearch analyzer does not work with index that has no @timestamp field [\#1290](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1290) + +## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.3) (2025-01-16) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.2...3.4.3) **Closed issues:** -- \[FR\] Crowdstrike Falcon: support custom base URL [\#1306](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309) +- \[FR\] Crowdstrike Falcon: support custom base URL [\#1309](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309) **Merged pull requests:** -- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self)) - utils improvements [\#1311](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1311) ([nusantara-self](https://github.com/nusantara-self)) +- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self)) ## [3.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2024-12-26)
diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py
index 5cbcac109..2d2af8f96 100755
--- a/analyzers/AnyRun/anyrun_analyzer.py
+++ b/analyzers/AnyRun/anyrun_analyzer.py
@@ -85,7 +85,7 @@ def run(self):
 if status_code == 200:
 task_id = response.json()["data"]["taskid"]
 elif status_code == 201:
- task_id = response.json()["taskid"]
+ task_id = response.json()["data"]["taskid"]
 elif status_code == 429:
 # it not support parallel runs, so we wait and resubmit later
 time.sleep(60)
diff --git a/analyzers/Cluster25/requirements.txt b/analyzers/Cluster25/requirements.txt
index 0e5dd6b1b..2cac23c03 100644
--- a/analyzers/Cluster25/requirements.txt
+++ b/analyzers/Cluster25/requirements.txt
@@ -1,2 +1,2 @@
-requests~=2.31.0
-cortexutils~=2.2.0
\ No newline at end of file
+requests
+cortexutils
diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceVulnerabilities.py
similarity index 100%
rename from analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py
rename to analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceVulnerabilities.py
diff --git a/analyzers/DShield/DShield_lookup.py b/analyzers/DShield/DShield_lookup.py
index a6cdb03a9..33c63d7fb 100755
--- a/analyzers/DShield/DShield_lookup.py
+++ b/analyzers/DShield/DShield_lookup.py
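Review bot: The 200 and 201 arms now run the identical statement `task_id = response.json()["data"]["taskid"]`, so the separate `elif status_code == 201:` branch is redundant; collapse the two into `if status_code in (200, 201):` with a single assignment. In both arms the chained indexing still raises KeyError or TypeError if a 2xx body lacks `data.taskid`, which would surface as an unhandled exception instead of the analyzer's normal error report; reading `payload = response.json().get("data") or {}` and reporting a clear error when `"taskid"` is absent would make the failure explicit. The enclosing run() starts and ends outside the hunk, so whether the 429 sleep-and-resubmit path is bounded cannot be checked here.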
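Review bot: Removing the version constraints on `requests` and `cortexutils` leaves the analyzer image resolving whatever release is current at build time, so builds stop being reproducible and a breaking or compromised release of either package would be pulled in without any change in this repository. If the `~=` pins were dropped because they no longer resolve against the rest of the image, replace them with a lower bound such as `requests>=2.31.0` and `cortexutils>=2.2.0` rather than no constraint, or pin exact versions (optionally with pip `--hash` entries) and refresh them deliberately.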
@@ -83,12 +83,19 @@ def run(self):
 results['firstseen'] = info['mindate'] if isinstance(info['mindate'], str) else 'None'
 results['updated'] = info['updated'] if isinstance(info['updated'], str) else 'None'
 results['comment'] = info['comment'] if isinstance(info['comment'], str) else 'None'
- results['asabusecontact'] = info['asabusecontact'] if isinstance(info['asabusecontact'], str) else 'Unknown'
- results['as'] = info['as']
- results['asname'] = info['asname']
- results['ascountry'] = info['ascountry']
- results['assize'] = info['assize']
- results['network'] = info['network']
+ if 'asabusecontact' in info:
+ results['asabusecontact'] = info['asabusecontact'] if isinstance(info['asabusecontact'], str) else 'Unknown'
+ if 'as' in info:
+ results['as'] = info['as']
+ if 'asname' in info:
+ results['asname'] = info['asname']
+ if 'ascountry' in info:
+ results['ascountry'] = info['ascountry']
+ if 'assize' in info:
+ results['assize'] = info['assize']
+ if 'network' in info:
+ results['network'] = info['network']
+
 results['threatfeedscount'] = 0
 if 'threatfeeds' not in info:
 results['threatfeeds'] = ''
diff --git a/analyzers/Elasticsearch/ElasticSearch.json b/analyzers/Elasticsearch/Elasticsearch_Analysis.json
similarity index 96%
rename from analyzers/Elasticsearch/ElasticSearch.json
rename to analyzers/Elasticsearch/Elasticsearch_Analysis.json
index 90f1f0ad4..2cd92909a 100644
--- a/analyzers/Elasticsearch/ElasticSearch.json
+++ b/analyzers/Elasticsearch/Elasticsearch_Analysis.json
@@ -92,4 +92,4 @@
 "required": false
 }
 ]
- }
\ No newline at end of file
+ }
diff --git a/analyzers/Elasticsearch/elk.py b/analyzers/Elasticsearch/elk.py
index 5a5c84475..1d1891cde 100755
--- a/analyzers/Elasticsearch/elk.py
+++ b/analyzers/Elasticsearch/elk.py
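Review bot: The six new `if 'key' in info:` guards repeat one pattern that a short loop states more clearly, and the three context lines just above them still index `info['mindate']`, `info['updated']` and `info['comment']` unguarded, so a response missing any of those keys raises KeyError before the new guards are ever reached. Replace the five plain copies with `for key in ('as', 'asname', 'ascountry', 'assize', 'network'):` / `    if key in info:` / `        results[key] = info[key]`, and apply the same `in info` test to the mindate/updated/comment lines so the whole block tolerates a sparse response consistently. Since these keys are now optional in `results`, any report template that reads them without a default may need the same treatment; that cannot be confirmed from this hunk. run() continues outside the hunk.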
@@ -195,8 +195,24 @@ def run(self):
 info['querystring'] += '"'
 #loop to get hits from each index
 for index in self.index:
+ body = {
+ "sort": [
+ {
+ "@timestamp": {
+ "order": "desc",
+ "unmapped_type" : "date"
+ }
+ }
+ ],
+ "query": {
+ "multi_match": {
+ "query": self.data,
+ "fields": self.fields
+ }
+ }
+ }
 #search elastic for fields in each index
- res = es.search(size=self.size,index=index,body={'sort':[{"@timestamp":{"order":"desc"}}],'query':{'multi_match':{'query':self.data, 'fields':self.fields}}})
+ res = es.search(size=self.size,index=index,body=body)
 #if relation is gte then more logs exist than we will display
 if res['hits']['total']['relation'] == 'gte' or res['hits']['total']['relation'] == 'gt':
 total = 'gte'
diff --git a/responders/Shuffle/shuffle.json b/responders/Shuffle/shuffle.json
index ef2610ddd..57b019065 100644
--- a/responders/Shuffle/shuffle.json
+++ b/responders/Shuffle/shuffle.json
@@ -5,7 +5,7 @@
 "url": "https://github.com/frikky/shuffle",
 "license": "AGPL-V3",
 "description": "Execute a workflow in Shuffle",
- "dataTypeList": ["thehive:case", "thehive:alert"],
+ "dataTypeList": ["thehive:case", "thehive:alert", "thehive:case_artifact", "thehive:task", "thehive:case_task_log"],
 "command": "Shuffle/shuffle.py",
 "baseConfig": "Shuffle",
 "configurationItems": [
diff --git a/thehive-templates/Elasticsearch/long.html b/thehive-templates/Elasticsearch_Analysis_1_0/long.html
similarity index 97%
rename from thehive-templates/Elasticsearch/long.html
rename to thehive-templates/Elasticsearch_Analysis_1_0/long.html
index 82f3bab2a..ccf291bf6 100644
--- a/thehive-templates/Elasticsearch/long.html
+++ b/thehive-templates/Elasticsearch_Analysis_1_0/long.html
@@ -185,4 +185,4 @@
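Review bot: The new `body` literal depends only on `self.data` and `self.fields`, neither of which changes inside `for index in self.index:`, so the same dictionary is rebuilt on every iteration; move the `body = {...}` block to just above the `for` statement and keep only `res = es.search(size=self.size, index=index, body=body)` in the loop. While moving it, normalise `"unmapped_type" : "date"` to `"unmapped_type": "date"` to match the other keys, and record the reason for the clause in a comment above the sort entry, e.g. `# unmapped_type lets the sort succeed on indices that have no @timestamp field (#1290)`, since the CHANGELOG hunk in this diff ties the change to that issue. run() continues outside the hunk.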

{{content.info.hitcount}} Hit(s)

{{content.errorMessage}}
-
\ No newline at end of file
+
diff --git a/thehive-templates/Elasticsearch/short.html b/thehive-templates/Elasticsearch_Analysis_1_0/short.html
similarity index 95%
rename from thehive-templates/Elasticsearch/short.html
rename to thehive-templates/Elasticsearch_Analysis_1_0/short.html
index 1484efab9..6e842baad 100644
--- a/thehive-templates/Elasticsearch/short.html
+++ b/thehive-templates/Elasticsearch_Analysis_1_0/short.html
@@ -1,3 +1,3 @@
 {{t.namespace}}:{{t.predicate}}="{{t.value}}"
-
\ No newline at end of file
+