Merge remote-tracking branch 'ninoseki/add-urlscanio-analyzer' into d…

…evelop
TheHive-Project · Oct 17, 2018 · deaa8ad · deaa8ad
2 parents d26402f + 71407d6
commit deaa8ad
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 0 deletions.
diff --git a/analyzers/Urlscan.io/Urlscan_Search.json b/analyzers/Urlscan.io/Urlscan_Search.json
@@ -0,0 +1,10 @@
+{
+  "name": "Urlscan.io_Search",
+  "author": "ninoseki",
+  "license": "MIT",
+  "url": "https://github.com/ninoseki/cortex_urlscan_analyzer",
+  "version": "0.1.0",
+  "description": "Search IPs, domains, hashes or URLs on urlscan.io",
+  "dataTypeList": ["ip", "domain", "hash", "url"],
+  "command": "urlscan/urlscan_analyzer.py"
+}
diff --git a/analyzers/Urlscan.io/requirements.txt b/analyzers/Urlscan.io/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/analyzers/Urlscan.io/urlscan.py b/analyzers/Urlscan.io/urlscan.py
@@ -0,0 +1,20 @@
+import requests
+import json
+
+
+class UrlscanException(Exception):
+    pass
+
+
+class Urlscan:
+    def __init__(self, query=""):
+        assert len(query) > 0, "Qeury must be defined"
+        self.query = query
+
+    def search(self):
+        payload = {"q": self.query}
+        r = requests.get("https://urlscan.io/api/v1/search/", params=payload)
+        if r.status_code == 200:
+            return r.json()
+        else:
+            raise UrlscanException("urlscan.io returns %s" % r.status_code)
diff --git a/analyzers/Urlscan.io/urlscan_analyzer.py b/analyzers/Urlscan.io/urlscan_analyzer.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+from cortexutils.analyzer import Analyzer
+from urlscan import Urlscan, UrlscanException
+
+
+class UrlscanAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def search(self, indicator):
+        """
+        Searches for a website using the indicator
+        :param indicator: domain, ip, hash, url
+        :type indicator: str
+        :return: dict
+        """
+        res = Urlscan(indicator).search()
+        return res
+
+    def run(self):
+        targets = ['ip', 'domain', 'hash', 'url']
+        if self.data_type == 'url':
+            query = '"{}"'.format(self.get_data())
+        else:
+            query = self.get_data()
+
+        try:
+            if self.data_type in targets:
+                self.report({
+                    'type': self.data_type,
+                    'query': query,
+                    'indicator': self.search(query)
+                })
+        except UrlscanException as err:
+            self.error(str(err))
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "info"
+        namespace = "urlscan.io"
+        predicate = "Search"
+
+        total = raw["indicator"]["total"]
+        if total <= 1:
+            level = 'suspicious' if total == 1 else 'info'
+            value = "{} result".format(total)
+            taxonomies.append(self.build_taxonomy(
+                level, namespace, predicate, value))
+        else:
+            level = 'suspicious'
+            value = "{} results".format(total)
+            taxonomies.append(self.build_taxonomy(
+                level, namespace, predicate, value))
+
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    UrlscanAnalyzer().run()
diff --git a/thehive-templates/Urlscan.io_Search_1.0/long.html b/thehive-templates/Urlscan.io_Search_1.0/long.html
@@ -0,0 +1,39 @@
+<div class="panel panel-info" ng-if="::content.indicator.results" ng-init="results_limit = 20">
+    <div class="panel-heading">
+        urlscan.io search results
+        <span class="pull-right" ng-show="::content.indicator.results.length > 20">
+            <a href ng-show="results_limit===20" ng-click="results_limit = undefined">Show All ({{::content.indicator.results.length}})</a>
+            <a href ng-show="!results_limit" ng-click="results_limit = 20">Show less</a>
+        </span>
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>URL</th>
+                <th>Result</th>
+                <th>Time</th>
+            </tr>
+            <tr ng-repeat="r in content.indicator.results | limitTo:results_limit | orderBy:'-task.time'">
+                <td>{{r.page.url | ellipsis:40}}</td>
+                <td>
+                    <a href="https://urlscan.io/result/{{r._id}}" target="_blank">https://urlscan.io/result/{{r._id}}</a>
+                </td>
+                <td>{{r.task.time}}</td>
+            </tr>
+        </table>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt>
+                <i class="fa fa-warning"></i> urlscan.io: </dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>
diff --git a/thehive-templates/Urlscan.io_Search_1.0/short.html b/thehive-templates/Urlscan.io_Search_1.0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>