Merge pull request #719 from TheHive-Project/feature/abuseipdb_v3

abuseipdb update api to v2
TheHive-Project · Mar 18, 2020 · 962ca54 · 962ca54
2 parents 7ee0e67 + 944afb6
commit 962ca54
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 23 deletions.
diff --git a/analyzers/AbuseIPDB/abuseipdb.py b/analyzers/AbuseIPDB/abuseipdb.py
@@ -7,7 +7,7 @@
 
 class AbuseIPDBAnalyzer(Analyzer):
     """
-    AbuseIPDB API docs: https://www.abuseipdb.com/api
+    AbuseIPDB APIv2 docs: https://docs.abuseipdb.com/
     """
 
     @staticmethod
@@ -43,21 +43,33 @@ def run(self):
         try:
             if self.data_type == "ip":
                 api_key = self.get_param('config.key', None, 'Missing AbuseIPDB API key')
+
                 days_to_check = self.get_param('config.days', 30)
                 ip = self.get_data()
-                url = 'https://www.abuseipdb.com/check/{}/json?days={}'.format(ip, days_to_check)
-                response = requests.post(url, data = {'key': api_key})
+
+                url = 'https://api.abuseipdb.com/api/v2/check'
+                headers = {'Accept': 'application/json', 'Content-Type': 'application/x-www-form-urlencoded', 'Key': '%s' % api_key }
+                params = {'maxAgeInDays': days_to_check, 'verbose': 'True', 'ipAddress': ip}
+                response = requests.get(url, headers = headers, params = params)
+
                 if not (200 <= response.status_code < 300):
                     self.error('Unable to query AbuseIPDB API\n{}'.format(response.text))
+
                 json_response = response.json()
                 # this is because in case there's only one result, the api gives back a list instead of a dict
                 response_list = json_response if isinstance(json_response, list) else [json_response]
-                for found in response_list:
-                    if 'category' in found:
+                for response in response_list:
+                    if 'reports' in response["data"]:
                         categories_strings = []
-                        for category in found['category']:
-                            categories_strings.append(self.extract_abuse_ipdb_category(category))
-                        found['categories_strings'] = categories_strings
+                        for item in response["data"]["reports"]:
+                            item['categories_strings'] = []
+                            for category in item["categories"]:
+                                category_as_str = self.extract_abuse_ipdb_category(category)
+                                item['categories_strings'].append(category_as_str)
+                                if category_as_str not in categories_strings:
+                                    categories_strings.append(category_as_str)
+                        response['categories_strings'] = categories_strings
+
                 self.report({'values': response_list})
             else:
                 self.notSupported()
@@ -67,8 +79,8 @@ def run(self):
     def summary(self, raw):
         taxonomies = []
 
-        if raw and 'values' in raw and len(raw['values']) > 0 :
-            taxonomies.append(self.build_taxonomy('malicious', 'AbuseIPDB', 'Records', len(raw['values'])))
+        if raw and 'values' in raw and raw['values'][0]['data']['totalReports'] > 0 :
+            taxonomies.append(self.build_taxonomy('malicious', 'AbuseIPDB', 'Records', raw['values'][0]['data']['totalReports']))
         else:
             taxonomies.append(self.build_taxonomy('safe', 'AbuseIPDB', 'Records', 0))
 

diff --git a/thehive-templates/AbuseIPDB_1_0/long.html b/thehive-templates/AbuseIPDB_1_0/long.html
@@ -1,38 +1,36 @@
-	<div class="panel panel-danger" ng-if="success && content.values.length > 0">
+	<div class="panel panel-danger" ng-if="success && content.values[0].data.reports.length > 0">
 		<div class="panel-heading">
-			AbuseIPDB Report for {{artifact.data | fang}}
+			AbuseIPDB Report for {{ content.values[0].data.ipAddress }}
 		</div>
 		<div class="panel-body">
 			<table class="table table-striped" ng-if="content.values">
 				<thead>
 					<tr>
-						<th>Created Date</th>
+						<th>Reported Date</th>
 						<th>Abuse Confidence Score</th>
 						<th>ISO Code</th>
 						<th>Country</th>
-						<th>Withelisted</th>
+						<th>Whitelisted</th>
 						<th>Categories</th>
-
 					</tr>
 				</thead>
 				<tbody>
-					<tr ng-repeat="r in content.values | orderBy:'-created'">
-						<td>{{r.created}}</td>
+					<tr ng-repeat="r in content.values[0].data.reports | orderBy:'-reportedAt'">
+						<td>{{r.reportedAt}}</td>
 						<td><span class="text" 
-							ng-class="{ 'text-danger': r.abuseConfidenceScore >=70 ,'text-warning': r.abuseConfidenceScore < 70, 'text-success': r.abuseConfidenceScore == 0}">{{r.abuseConfidenceScore}}</span></td>
-						<td>{{r.isoCode}}</td>
-						<td>{{r.country}}</td>
-						<td>{{r.isWhitelisted}}</td>
+							ng-class="{ 'text-danger': content.values[0].data.abuseConfidenceScore >=70 ,'text-warning': content.values[0].data.abuseConfidenceScore < 70, 'text-success': content.values[0].data.abuseConfidenceScore == 0}">{{content.values[0].data.abuseConfidenceScore}}</span></td>
+						<td>{{r.reporterCountryCode}}</td>
+						<td>{{r.reporterCountryName}}</td>
+						<td>{{content.values[0].data.isWhitelisted}}</td>
 						<td>
 							<span ng-repeat="c in r.categories_strings"><span class="label label-primary">{{c}}</span> </span>
 						</td>
-
 					</tr>					
 				</tbody>
 			</table>
 		</div>
 	</div>
-	<div class="panel panel-success" ng-if="success && content.values.length == 0">
+	<div class="panel panel-success" ng-if="success && content.values[0].data.reports.length == 0">
 		<div class="panel-heading">
 			AbuseIPDB Report
 		</div>