Merge pull request #714 from DomainTools/DT-config_clean_up

DomainToolsIris config cleanup
TheHive-Project · Mar 23, 2020 · cf0c9ce · cf0c9ce
2 parents 67ae15d + 871fdf6
commit cf0c9ce
Show file tree

Hide file tree

Showing 7 changed files with 128 additions and 8 deletions.
diff --git a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json
@@ -25,14 +25,6 @@
       "type": "string",
       "multi": false,
       "required": true
-    },
-    {
-      "name": "pivot_count_threshold",
-      "description": "Pivot count threshold.",
-      "type": "number",
-      "multi": false,
-      "required": false,
-      "defaultValue": 500
     }
   ]
 }
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json
@@ -0,0 +1,21 @@
+{
+  "name": "DomainToolsIris_AddRiskyDNSTag",
+  "version": "1.0",
+  "author": "DomainTools",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Add Tag saying that the case contains a risky DNS.",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py",
+  "baseConfig": "DomainToolsIris",
+  "configurationItems": [
+    {
+      "name": "high_risk_threshold",
+      "description": "Risk score threshold to be considered high risk.",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 70
+    }
+  ]
+}
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+
+    def run(self):
+        Responder.run(self)
+        if self.get_param("data.dataType") == "domain":
+            self.report({"data": self.get_data()})
+        else:
+            self.report({"data": 'Can only operate on "domain" observables'})
+
+    def operations(self, raw):
+        build_list = []
+        taxonomies = (
+            raw.get("data", {})
+            .get("reports", {})
+            .get("DomainToolsIris_Investigate_1_0", {})
+            .get("taxonomies", None)
+        )
+
+        for x in taxonomies:
+            if x["predicate"] == "Risk Score":
+                if int(x["value"]) > int(self.get_param("config.high_risk_threshold")):
+                    build_list.append(
+                        self.build_operation("AddTagToCase", tag="DT:Risky DNS")
+                    )
+                    build_list.append(
+                        self.build_operation("AddTagToArtifact", tag="DT:Risky DNS")
+                    )
+        return build_list
+
+
+if __name__ == "__main__":
+    DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt b/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
@@ -0,0 +1,20 @@
+{
+  "name": "DomainToolsIris_CheckMaliciousTags",
+  "version": "1.0",
+  "author": "DomainTools",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py",
+  "baseConfig": "DomainToolsIris",
+  "configurationItems": [
+    {
+      "name": "monitored_iris_tags",
+      "description": "Monitored Iris tags.",
+      "type": "string",
+      "multi": true,
+      "required": false
+    }
+  ]
+}
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+
+    def run(self):
+        Responder.run(self)
+        if self.get_param("data.dataType") == "domain":
+            self.report({"data": self.get_data()})
+        else:
+            self.report({"data": 'Can only operate on "domain" observables'})
+
+    def operations(self, raw):
+        build_list = []
+        taxonomies = (
+            raw.get("data", {})
+            .get("reports", {})
+            .get("DomainToolsIris_Investigate_1_0", {})
+            .get("taxonomies", None)
+        )
+
+        for x in taxonomies:
+            if x["predicate"] == "IrisTags":
+                malicious_tags_set = set(self.get_param("config.monitored_iris_tags"))
+                domain_tags_set = set(x["value"].split(","))
+
+                if len(malicious_tags_set.intersection(domain_tags_set)):
+                    build_list.append(
+                        self.build_operation(
+                            "AddTagToArtifact", tag="DT:Malicious Domain"
+                        )
+                    )
+                    build_list.append(
+                        self.build_operation("AddTagToCase", tag="DT:Malicious Domain")
+                    )
+        return build_list
+
+
+if __name__ == "__main__":
+    DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt