Merge remote-tracking branch 'robertnixon2003/develop' into release/1…

….10.0
TheHive-Project · Jun 4, 2018 · aa52862 · aa52862
2 parents 4d9332b + e1c19be
commit aa52862
Show file tree

Hide file tree

Showing 5 changed files with 176 additions and 0 deletions.
diff --git a/analyzers/StaxxSearch/requirements.txt b/analyzers/StaxxSearch/requirements.txt
@@ -0,0 +1,3 @@
+cortexutils
+requests
+json
diff --git a/analyzers/StaxxSearch/staxx-cortex.py b/analyzers/StaxxSearch/staxx-cortex.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*
+
+import requests
+import json
+from cortexutils.analyzer import Analyzer
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+class StaxxAnalyzer(Analyzer):
+
+	def __init__(self):
+		Analyzer.__init__(self)
+		self.auth_url = self.get_param('config.auth_url', None, 'Missing URL for Staxx API auth')
+		self.query_url = self.get_param('config.query_url', None, 'Missing URL for Staxx API query')
+		self.username = self.get_param('config.username', None, 'Missing username for Staxx API')
+		self.password = self.get_param('config.password', None, 'Missing password for Staxx API')
+		if self.get_param('config.cert_check', True):
+			self.ssl = self.get_param('config.cert_path', True)
+		else:
+			self.ssl = False
+
+	def _get_headers(self):
+		return {
+		'Content-Type': 'application/json'
+	}
+
+	def _get_auth_data(self):
+		return {
+		'username': self.username,
+		'password': self.password
+	}
+
+	def staxx_query(self, data):
+		headers = self._get_headers()
+		auth_data = self._get_auth_data()
+		r = requests.post(self.auth_url, json=auth_data, headers=headers, verify=self.ssl)
+		r.raise_for_status() #Raise exception on HTTP errors
+		token_id = r.json()['token_id']
+		pull_data = {'token': token_id, 'query': data, 'type': 'json'}
+		p = requests.post(self.query_url, json=pull_data, headers=headers, verify=self.ssl)
+		p.raise_for_status() #Raise exception on HTTP errors
+		return p.json()
+
+	def summary(self, raw):
+		taxonomies = []
+		namespace = "Staxx"
+		predicate = " Hits"
+		value = "\0\""
+
+		if 'count' in raw:
+			r = raw.get('count', 0)
+
+			value = "\"{}\"".format(r)
+
+			if r > 0:
+				level = "suspicious"
+			else:
+				level = "safe"
+			taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+		return {"taxonomies": taxonomies}
+
+	def run(self):
+		Analyzer.run(self)
+		data = self.get_param('data', None, 'Data is missing')
+		hits = self.staxx_query(data)
+		self.report({'hits': hits, 'count': len(hits)})
+
+
+if __name__ == '__main__':
+	StaxxAnalyzer().run()
diff --git a/analyzers/StaxxSearch/staxx.json b/analyzers/StaxxSearch/staxx.json
@@ -0,0 +1,57 @@
+{
+    "name": "staxx",
+    "author": "Robert Nixon",
+    "license": "AGPL-V3",
+    "url": "https://github.com/CERT/cortex-analyzers",
+    "version": "1.0",
+    "description": "Fetch observable details from a Anomali STAXX instance.",
+    "dataTypeList": ["domain", "fqdn", "ip", "url", "hash", "mail"],
+    "command": "StaxxSearch/staxx-cortex.py",
+    "baseConfig": "staxx",
+    "configurationItems": [
+      {
+        "name": "auth_url",
+        "description": "Define the URL of the auth endpoint",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "query_url",
+        "description": "Define the URL of the intelligence endpoint",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+
+      {
+          "name": "username",
+          "description": "STAXX User Name",
+          "type": "string",
+          "multi": false,
+          "required": true
+      },
+      {
+        "name": "password",
+        "description": "STAXX Password",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "cert_check",
+        "description": "Verify server certificate",
+        "type": "boolean",
+        "multi": false,
+        "required": true,
+        "defaultValue": false
+    },
+    {
+        "name": "cert_path",
+        "description": "Path to the CA on the system used to check server certificate",
+        "type": "string",
+        "multi": true,
+        "required": false
+    }
+    ]
+  }
diff --git a/thehive-templates/staxx_1_0/long.html b/thehive-templates/staxx_1_0/long.html
@@ -0,0 +1,42 @@
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
+
+
+<div class="panel panel-info" ng-if="success">
+	<div class="panel-heading">
+		Staxx Report
+	</div>
+	<div class="panel-body">
+
+        <dl class="dl-horizontal" ng-if="content.errortext">
+			<dt><i class="fa fa-warning"></i> ERROR: </dt>
+			<dd class="wrap">{{content.errortext}}&nbsp;</dd>
+		</dl>
+
+		<dl class="dl-horizontal">
+			<dt>Related Hits Found: </dt>
+			<dd class="wrap">{{content.count}}</dd>
+		</dl>
+
+		<dl class="dl-horizontal">
+		    <dt>Last seen: </dt>
+		    <dd class="wrap">{{content.hits[0].date_last}}</dd>
+		</dl>
+
+		<dl class="dl-horizontal">
+		    <dt>Last type: </dt>
+		    <dd class="wrap">{{content.hits[0].itype}}</dd>
+		</dl>
+
+			<dl class="dl-horizontal">
+		    <dt>Lastest details: </dt>
+		    <dd class="wrap">{{content.hits[0].detail}}</dd>
+		</dl>
+	</div>
+</div>
diff --git a/thehive-templates/staxx_1_0/short.html b/thehive-templates/staxx_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>