From 5c579ee8453921091a1fe3364ebd823fea546681 Mon Sep 17 00:00:00 2001 From: BRIJRAJSINH N JHALA Date: Tue, 12 Jan 2021 23:05:22 -0500 Subject: [PATCH 01/14] exception resolved in ipv6 address (#21) Co-authored-by: Dan Prantl --- analyzers/DShield/DShield_lookup.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/analyzers/DShield/DShield_lookup.py b/analyzers/DShield/DShield_lookup.py index a6cdb03a9..33c63d7fb 100755 --- a/analyzers/DShield/DShield_lookup.py +++ b/analyzers/DShield/DShield_lookup.py @@ -83,12 +83,19 @@ def run(self): results['firstseen'] = info['mindate'] if isinstance(info['mindate'], str) else 'None' results['updated'] = info['updated'] if isinstance(info['updated'], str) else 'None' results['comment'] = info['comment'] if isinstance(info['comment'], str) else 'None' - results['asabusecontact'] = info['asabusecontact'] if isinstance(info['asabusecontact'], str) else 'Unknown' - results['as'] = info['as'] - results['asname'] = info['asname'] - results['ascountry'] = info['ascountry'] - results['assize'] = info['assize'] - results['network'] = info['network'] + if 'asabusecontact' in info: + results['asabusecontact'] = info['asabusecontact'] if isinstance(info['asabusecontact'], str) else 'Unknown' + if 'as' in info: + results['as'] = info['as'] + if 'asname' in info: + results['asname'] = info['asname'] + if 'ascountry' in info: + results['ascountry'] = info['ascountry'] + if 'assize' in info: + results['assize'] = info['assize'] + if 'network' in info: + results['network'] = info['network'] + results['threatfeedscount'] = 0 if 'threatfeeds' not in info: results['threatfeeds'] = '' From 76ead612831c5e86c907881ceb90fd252c31af80 Mon Sep 17 00:00:00 2001 From: Adrian Date: Mon, 20 Jan 2025 18:26:13 +0100 Subject: [PATCH 02/14] Update anyrun_analyzer.py --- analyzers/AnyRun/anyrun_analyzer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
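Review bot: The guarded assignments make the result schema variable — for an IPv6 lookup `as`, `asname`, `ascountry`, `assize` and `network` are now simply absent instead of failing, so any consumer that indexes them (the DShield report templates or `summary()`, presumably) inherits the KeyError this commit moves out of `run()`. The surrounding lines already use placeholder values (`'None'`, `'Unknown'`) precisely to keep every key present, so the same approach is more consistent here: `for key in ('as', 'asname', 'ascountry', 'assize', 'network'):` / `    results[key] = info.get(key, 'Unknown')`, and `results['asabusecontact'] = info.get('asabusecontact') if isinstance(info.get('asabusecontact'), str) else 'Unknown'`. A short comment such as `# DShield returns no AS/network block for IPv6 addresses; keep the keys so templates never see a missing field` would record why the guard exists. The enclosing `run()` starts and ends outside this hunk.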
diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py index 5cbcac109..2d2af8f96 100755 --- a/analyzers/AnyRun/anyrun_analyzer.py +++ b/analyzers/AnyRun/anyrun_analyzer.py @@ -85,7 +85,7 @@ def run(self): if status_code == 200: task_id = response.json()["data"]["taskid"] elif status_code == 201: - task_id = response.json()["taskid"] + task_id = response.json()["data"]["taskid"] elif status_code == 429: # it not support parallel runs, so we wait and resubmit later time.sleep(60) From f0fc4efbd59f7b4abc052a60dbe93113f21e976e Mon Sep 17 00:00:00 2001 From: Vito Piserchia Date: Wed, 22 Jan 2025 10:06:35 +0100 Subject: [PATCH 03/14] Rename thehive template for ES --- thehive-templates/{Elasticsearch => Elasticsearch_1_0}/long.html | 0 thehive-templates/{Elasticsearch => Elasticsearch_1_0}/short.html | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename thehive-templates/{Elasticsearch => Elasticsearch_1_0}/long.html (100%) rename thehive-templates/{Elasticsearch => Elasticsearch_1_0}/short.html (100%) diff --git a/thehive-templates/Elasticsearch/long.html b/thehive-templates/Elasticsearch_1_0/long.html similarity index 100% rename from thehive-templates/Elasticsearch/long.html rename to thehive-templates/Elasticsearch_1_0/long.html diff --git a/thehive-templates/Elasticsearch/short.html b/thehive-templates/Elasticsearch_1_0/short.html similarity index 100% rename from thehive-templates/Elasticsearch/short.html rename to thehive-templates/Elasticsearch_1_0/short.html From 236b22844247c5a981768fd986a8e6ed4040eae6 Mon Sep 17 00:00:00 2001 
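Review bot: After the fix the `200` and `201` arms are identical, and the `response.json()["data"]["taskid"]` lookup remains unguarded, so a 2xx reply whose body is not the expected envelope (non-JSON, or a missing `data`/`taskid`) raises a bare `ValueError`/`KeyError` out of `run()` rather than a reported analyzer error. Merging the two arms removes the duplication that caused the original bug, and wrapping the lookup converts the failure into an analyzer error message — assuming this class derives from cortexutils `Analyzer`, whose `self.error()` reports and exits. The enclosing `run()` and its resubmit loop for `429` continue outside this hunk.
```python
if status_code in (200, 201):
    # both 200 and 201 return the same {"data": {"taskid": ...}} envelope
    try:
        task_id = response.json()["data"]["taskid"]
    except (ValueError, KeyError) as exc:
        self.error(f"Unexpected AnyRun submit response ({status_code}): {exc}")
elif status_code == 429:
    # … unchanged: wait and resubmit …
```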
From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 18:19:51 +0900 Subject: [PATCH 04/14] CSFalcon Spotlight -- fix filename --- ...abilities.py => CrowdstrikeFalcon_getDeviceVulnerabilities.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename analyzers/CrowdstrikeFalcon/{CrowdstrikeFalcon_GetDeviceVulnerabilities.py => CrowdstrikeFalcon_getDeviceVulnerabilities.py} (100%) diff --git a/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py b/analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceVulnerabilities.py similarity index 100% rename from analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py rename to analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceVulnerabilities.py From 63ab239ce3b4af48917f1d58132f7a0363c6a3df Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 18:35:03 +0900 Subject: [PATCH 05/14] Update folder to analyzername --- .../{Elasticsearch_1_0 => Elasticsearch_Analysis_1_0}/long.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename thehive-templates/{Elasticsearch_1_0 => Elasticsearch_Analysis_1_0}/long.html (97%) diff --git a/thehive-templates/Elasticsearch_1_0/long.html b/thehive-templates/Elasticsearch_Analysis_1_0/long.html similarity index 97% rename from thehive-templates/Elasticsearch_1_0/long.html rename to thehive-templates/Elasticsearch_Analysis_1_0/long.html index 82f3bab2a..ccf291bf6 100644 --- a/thehive-templates/Elasticsearch_1_0/long.html +++ b/thehive-templates/Elasticsearch_Analysis_1_0/long.html @@ -185,4 +185,4 @@

{{content.info.hitcount}} Hit(s)

{{content.errorMessage}}
- \ No newline at end of file + From 73f7ef3940a07f2a0109c2e60282bea8a75ac7c9 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 18:35:41 +0900 Subject: [PATCH 06/14] Update folder to analyzername --- .../short.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename thehive-templates/{Elasticsearch_1_0 => Elasticsearch_Analysis_1_0}/short.html (95%) diff --git a/thehive-templates/Elasticsearch_1_0/short.html b/thehive-templates/Elasticsearch_Analysis_1_0/short.html similarity index 95% rename from thehive-templates/Elasticsearch_1_0/short.html rename to thehive-templates/Elasticsearch_Analysis_1_0/short.html index 1484efab9..6e842baad 100644 --- a/thehive-templates/Elasticsearch_1_0/short.html +++ b/thehive-templates/Elasticsearch_Analysis_1_0/short.html @@ -1,3 +1,3 @@ {{t.namespace}}:{{t.predicate}}="{{t.value}}" - \ No newline at end of file + From 82739294f8c16792195901258b1edb2372db1b55 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 18:37:02 +0900 Subject: [PATCH 07/14] Rename JSON definition to match Analyzer name --- .../{ElasticSearch.json => Elasticsearch_Analysis.json} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename analyzers/Elasticsearch/{ElasticSearch.json => Elasticsearch_Analysis.json} (96%) diff --git a/analyzers/Elasticsearch/ElasticSearch.json b/analyzers/Elasticsearch/Elasticsearch_Analysis.json similarity index 96% rename from analyzers/Elasticsearch/ElasticSearch.json rename to analyzers/Elasticsearch/Elasticsearch_Analysis.json index 90f1f0ad4..2cd92909a 100644 --- a/analyzers/Elasticsearch/ElasticSearch.json +++ b/analyzers/Elasticsearch/Elasticsearch_Analysis.json @@ -92,4 +92,4 @@ "required": false } ] - } \ No newline at end of file + } From 78a425ff76b166a7275a913d18e97c721f20b6d6 Mon Sep 17 00:00:00 2001 
From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 18:46:05 +0900 Subject: [PATCH 08/14] Shuffle - Support all datatypes as trigger for responder --- responders/Shuffle/shuffle.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/responders/Shuffle/shuffle.json b/responders/Shuffle/shuffle.json index ef2610ddd..57b019065 100644 --- a/responders/Shuffle/shuffle.json +++ b/responders/Shuffle/shuffle.json @@ -5,7 +5,7 @@ "url": "https://github.com/frikky/shuffle", "license": "AGPL-V3", "description": "Execute a workflow in Shuffle", - "dataTypeList": ["thehive:case", "thehive:alert"], + "dataTypeList": ["thehive:case", "thehive:alert", "thehive:case_artifact", "thehive:task", "thehive:case_task_log"], "command": "Shuffle/shuffle.py", "baseConfig": "Shuffle", "configurationItems": [ From 1aaa00cd44e09735d7ce9b31cecfaccd60d3b462 Mon Sep 17 00:00:00 2001 From: vpiserchia <2363618+vpiserchia@users.noreply.github.com> Date: Thu, 6 Feb 2025 11:55:22 +0100 Subject: [PATCH 09/14] Update elk.py to not fail when @timestamp has no mapping https://github.com/TheHive-Project/Cortex-Analyzers/issues/1290 --- analyzers/Elasticsearch/elk.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/analyzers/Elasticsearch/elk.py b/analyzers/Elasticsearch/elk.py index 5a5c84475..1d1891cde 100755 --- a/analyzers/Elasticsearch/elk.py +++ b/analyzers/Elasticsearch/elk.py 
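Review bot: Extending `dataTypeList` to `thehive:case_artifact`, `thehive:task` and `thehive:case_task_log` routes observable values, task descriptions and task-log text to the external Shuffle instance, but the hunk does not show `responders/Shuffle/shuffle.py` being adapted for those object shapes. If the responder builds its payload from case/alert-specific fields or forwards `self.get_data()` verbatim, it should be confirmed that it tolerates the new types and that nothing beyond what operators expect (e.g. observable content) leaves TheHive. The Shuffle responder README should state which object types are sent in full, and a one-line note in the JSON description such as `"Execute a workflow in Shuffle (the selected case/alert/observable/task/task-log object is posted to the configured Shuffle webhook)"` would make the data flow visible at configuration time.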
@@ -195,8 +195,24 @@ def run(self): info['querystring'] += '"' #loop to get hits from each index for index in self.index: + body = { + "sort": [ + { + "@timestamp": { + "order": "desc", + "unmapped_type" : "date" + } + } + ], + "query": { + "multi_match": { + "query": self.data, + "fields": self.fields + } + } + } #search elastic for fields in each index - res = es.search(size=self.size,index=index,body={'sort':[{"@timestamp":{"order":"desc"}}],'query':{'multi_match':{'query':self.data, 'fields':self.fields}}}) + res = es.search(size=self.size,index=index,body=body) #if relation is gte then more logs exist than we will display if res['hits']['total']['relation'] == 'gte' or res['hits']['total']['relation'] == 'gt': total = 'gte' From a1feb0392ee31c18fe106ffc152b7edc5f4b579f Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 22:09:19 +0900 Subject: [PATCH 10/14] CI - Fix deprecated upload-artifact --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cdd7a74fd..51fccbbab 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -55,7 +55,7 @@ jobs: - name: Build report-templates zip package uses: docker://thehiveproject/neurons-build-report-templates - name: Save Artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: catalog path: | From 162effb0f3b9def182d8614ab36d55c0e4f261c3 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 22:16:06 +0900 Subject: [PATCH 11/14] Update setup-python to latest version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 51fccbbab..9e64f293e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
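Review bot: The new `body` dict does not depend on `index`, so it is rebuilt on every iteration of `for index in self.index:`; it can be constructed once above the loop and reused, which also makes the sort/query definition easier to read. A comment on the sort clause would record why it exists: `# "unmapped_type": "date" lets indices with no @timestamp mapping still sort instead of erroring (issue #1290)`. The following context line `res['hits']['total']['relation']` assumes the Elasticsearch 7+ response shape where `total` is an object; on older clusters `total` is an integer and this raises `TypeError` — worth a comment or a version check if pre-7 clusters are meant to be supported. Since `self.data` is passed as the `multi_match` query value rather than a `query_string`, it is not parsed as query syntax; a brief comment saying so would save the next reviewer from re-checking. The enclosing `run()` starts and ends outside this hunk.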
@@ -86,7 +86,7 @@ jobs: with: args: --type Cortex-Neurons - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@v5 with: python-version: "3.x" architecture: x64 From fdd594f6c93e528b3d7ffa6b9b584858879d0e57 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 22:33:30 +0900 Subject: [PATCH 12/14] Update checkout to v4 --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9e64f293e..4b994dd40 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,7 +17,7 @@ jobs: runs-on: [ ubuntu-latest ] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Build analyzers @@ -32,7 +32,7 @@ jobs: runs-on: [ ubuntu-latest ] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Build responders @@ -49,7 +49,7 @@ jobs: if: always() steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build catalog uses: docker://thehiveproject/neurons-build-catalogs - name: Build report-templates zip package @@ -80,7 +80,7 @@ jobs: needs: [build_analyzers, build_responders ] if: startsWith(github.ref, 'refs/tags/') && always() steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Prepare documentation files uses: docker://thehiveproject/doc-builder with: From e3b9bfa0984ddd8450bac0e4c9b7655cb2039557 Mon Sep 17 00:00:00 2001 From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com> Date: Thu, 6 Feb 2025 22:48:48 +0900 Subject: [PATCH 13/14] Update requirements.txt --- analyzers/Cluster25/requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analyzers/Cluster25/requirements.txt b/analyzers/Cluster25/requirements.txt index 0e5dd6b1b..2cac23c03 100644 
--- a/analyzers/Cluster25/requirements.txt
+++ b/analyzers/Cluster25/requirements.txt
@@ -1,2 +1,2 @@
-requests~=2.31.0
-cortexutils~=2.2.0
\ No newline at end of file
+requests
+cortexutils

From e5d9c18c9dbd4091beb1af043b9b9835bbc1294e Mon Sep 17 00:00:00 2001
From: nusantara-self <15647296+nusantara-self@users.noreply.github.com>
Date: Fri, 7 Feb 2025 08:48:44 +0800
Subject: [PATCH 14/14] Update version and changelog for 3.4.4

---
 CHANGELOG.md | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 627be6844..2c6dcc728 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
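Review bot: Dropping the `~=` constraints leaves both `requests` and `cortexutils` fully unpinned, so every analyzer image build pulls whatever the newest PyPI release is at that moment — builds stop being reproducible, and a compromised or API-breaking release would be picked up silently. If the goal was only to stop tying the analyzer to 2.31.0, a lower-bounded range keeps security updates flowing while staying bounded: `requests>=2.31,<3` and `cortexutils>=2.2,<3`. For the stronger supply-chain guarantee, pin exact versions with `--hash=` entries and refresh them deliberately; if other analyzers in this repository are deliberately unpinned, that convention is worth stating in the contributor docs so the trade-off is explicit.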
@@ -1,17 +1,26 @@ # Changelog -## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2025-01-16) +## [3.4.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.4) (2025-02-07) + +[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.3...3.4.4) + +**Closed issues:** + +- \[FR\] - Feedback for the MSEntraID Responder [\#1302](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1302) +- \[Bug\] Elasticsearch analyzer does not work with index that has no @timestamp field [\#1290](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1290) + +## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.3) (2025-01-16) [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.2...3.4.3) **Closed issues:** -- \[FR\] Crowdstrike Falcon: support custom base URL [\#1306](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309) +- \[FR\] Crowdstrike Falcon: support custom base URL [\#1309](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309) **Merged pull requests:** -- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self)) - utils improvements [\#1311](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1311) ([nusantara-self](https://github.com/nusantara-self)) +- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self)) ## [3.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2024-12-26)