Add Datascan and Inetnum flavors

analyzers/Onyphe/Onyphe_Datascan.json

@@ -0,0 +1,23 @@
+{
+  "name": "Onyphe_Datascan",
+  "version": "1.0",
+  "author": "Pierre Baudry, Adrien Barchapt",
+  "url": "https://github.com/cybernardo/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Retrieve datascan information Onyphe has for the given IPv{4,6} address with history of changes or search a string.",
+  "dataTypeList": ["ip","other"],
+  "command": "Onyphe/onyphe_analyzer.py",
+  "baseConfig": "Onyphe",
+  "config": {
+    "service": "datascan"
+  },
+  "configurationItems": [
+    {
+      "name": "key",
+      "description": "Define the API key to use to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

analyzers/Onyphe/Onyphe_Inetnum.json

@@ -0,0 +1,23 @@
+{
+  "name": "Onyphe_Inetnum",
+  "version": "1.0",
+  "author": "Pierre Baudry, Adrien Barchapt",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Retrieve Onyphe Inetnum information on an IPv{4,6} address with history.",
+  "dataTypeList": ["ip"],
+  "command": "Onyphe/onyphe_analyzer.py",
+  "baseConfig": "Onyphe",
+  "config": {
+    "service": "inetnum"
+  },
+  "configurationItems": [
+    {
+      "name": "key",
+      "description": "Define the API key to use to connect the service",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

analyzers/Onyphe/onyphe_analyzer.py

@@ -44,6 +44,21 @@ def summary(self, raw):
                 'info', namespace, "Geolocate", "country: {}, city: {}".format(
                     location["country_name"], location["city"])))
 
+        if self.service == 'inetnum':
+            output_data = {}
+            for r in raw['inetnum']['results']:
+                subnet = r['subnet']
+                if subnet not in output_data:
+                    output_data[subnet] = {
+                        "dates": []
+                    }
+                if r['seen_date'] not in output_data[subnet]['dates']:
+                    output_data[subnet]['dates'].append(r['seen_date'])
+            for subnet, subnet_data in output_data.items():
+                taxonomies.append(self.build_taxonomy(
+                    'info', namespace, "Subnet", "subnet {} last seen {}".format(
+                        subnet, subnet_data['dates'][0])))
+
         if self.service == 'ports':
             output_data = {}
             for r in raw['ports']['results']:
@@ -59,6 +74,21 @@ def summary(self, raw):
                     'info', namespace, "Port", "port {} last seen {}".format(
                         port_number, port_data['dates'][0])))
 
+        if self.service == 'datascan':
+            output_data = {}
+            for r in raw['datascan']['results']:
+                port = r['port']
+                if port not in output_data:
+                    output_data[port] = {
+                        "dates": []
+                    }
+                if r['seen_date'] not in output_data[port]['dates']:
+                    output_data[port]['dates'].append(r['seen_date'])
+            for port_number, port_data in output_data.items():
+                taxonomies.append(self.build_taxonomy(
+                    'info', namespace, "Port", "port {} last seen {}".format(
+                        port_number, port_data['dates'][0])))
+
         if self.service == 'reverse':
             output_data = {}
             for r in raw['reverses']['results']:
@@ -117,6 +147,14 @@ def run(self):
                 ip = self.get_param('data', None, 'Data is missing')
                 results = {'forwards': self.onyphe_client.forward(ip)}
                 self.report(results)
+            if self.service == 'inetnum':
+                ip = self.get_param('data', None, 'Data is missing')
+                results = {'inetnum': self.onyphe_client.inetnum(ip)}
+                self.report(results)
+            if self.service == 'datascan':
+                ip = self.get_param('data', None, 'Data is missing')
+                results = {'datascan': self.onyphe_client.datascan(ip)}
+                self.report(results)
         except Exception:
             pass
 

thehive-templates/Onyphe_Datascan_1_0/long.html

@@ -0,0 +1,78 @@
+<div class="panel panel-info" ng-if="success">
+	<div class="panel-heading">
+		Onyphe Datascan - <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+	</div>
+	<div class="panel-body">
+        <dl class="dl-horizontal">
+            <dt>
+                My IP
+            </dt>
+            <dd>
+                {{content.datascan.myip}}
+            </dd>
+        </dl>
+        <dl class="dl-horizontal">
+            <dt>
+                Number of results
+            </dt>
+            <dd>
+                {{content.datascan.count}}
+            </dd>
+        </dl>
+        <dl class="dl-horizontal">
+            <dt>
+                Error(s)
+            </dt>
+            <dd>
+                {{content.datascan.error}}
+            </dd>
+        </dl>
+
+		<table class="table" ng-if="content.datascan.results.length !== 0 ">
+            <thead>
+                <th>Category</th>
+                <th>Type</th>
+                <th>ASN</th>
+                <th>Country</th>
+                <th>IPv4</th>
+                <th>Organisation</th>
+                <th>Location</th>
+                <th>Port</th>
+                <th>Protocol</th>
+                <th>OS</th>
+                <th>Product</th>
+                <th>Product Version</th>
+                <th>Seen Date</th>
+                <th>Data MD5</th>
+            </thead>
+            <tbody ng-repeat="r in content.datascan.results | orderBy:'-seen_date'">
+                <tr>
+                    <td>{{r["@category"]}}</td>
+                    <td>{{r["@type"]}}</td>
+                    <td>{{r.asn}}</td>
+                    <td>{{r.country}}</td>
+                    <td>{{r.ip}}</td>
+                    <td>{{r.organization}}</td>
+                    <td>{{r.location}}</td>
+                    <td>{{r.port}}</td>
+                    <td>{{r.protocol}}</td>
+                    <td>{{r.os}}</td>
+                    <td>{{r.product}}</td>
+                    <td>{{r.productversion}}</td>
+                    <td>{{r.seen_date}}</td>
+                    <td>{{r.datamd5}}</td>
+                </tr>
+            </tbody>
+        </table>
+    </div>
+</div>
+
+<!-- General error -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>

thehive-templates/Onyphe_Datascan_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>

thehive-templates/Onyphe_Inetnum_1_0/long.html

@@ -0,0 +1,70 @@
+<div class="panel panel-info" ng-if="success">
+	<div class="panel-heading">
+		Onyphe Datascan - <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+	</div>
+	<div class="panel-body">
+        <dl class="dl-horizontal">
+            <dt>
+                My IP
+            </dt>
+            <dd>
+                {{content.inetnum.myip}}
+            </dd>
+        </dl>
+        <dl class="dl-horizontal">
+            <dt>
+                Number of results
+            </dt>
+            <dd>
+                {{content.inetnum.count}}
+            </dd>
+        </dl>
+        <dl class="dl-horizontal">
+            <dt>
+                Error(s)
+            </dt>
+            <dd>
+                {{content.inetnum.error}}
+            </dd>
+        </dl>
+
+		<table class="table" ng-if="content.inetnum.results.length !== 0 ">
+            <thead>
+                <th>Category</th>
+                <th>Type</th>
+                <th>ASN</th>
+                <th>Country</th>
+                <th>Subnet</th>
+                <th>Organisation</th>
+                <th>Location</th>
+                <th>Netname</th>
+                <th>Seen Date</th>
+                <th>Source</th>
+            </thead>
+            <tbody ng-repeat="r in content.inetnum.results | orderBy:'-seen_date'">
+                <tr>
+                    <td>{{r["@category"]}}</td>
+                    <td>{{r["@type"]}}</td>
+                    <td>{{r.asn}}</td>
+                    <td>{{r.country}}</td>
+                    <td>{{r.subnet}}</td>
+                    <td>{{r.organization}}</td>
+                    <td>{{r.location}}</td>
+                    <td>{{r.netname}}</td>
+                    <td>{{r.seen_date}}</td>
+                    <td>{{r.source}}</td>
+                </tr>
+            </tbody>
+        </table>
+    </div>
+</div>
+
+<!-- General error -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>

thehive-templates/Onyphe_Inetnum_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>

thehive-templates/Onyphe_Ports_1_0/long.html

@@ -35,8 +35,8 @@
                 <th>ASN</th>
                 <th>Country</th>
                 <th>IPv4</th>
-                <th>Location</th>
                 <th>Organisation</th>
+                <th>Location</th>
                 <th>OS</th>
                 <th>Port</th>
                 <th>Seen date</th>