From e54a42fabf3b7d06cb74974f14f2357b9221e3d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?=
Date: Tue, 10 Mar 2020 11:30:17 +0100
Subject: [PATCH] Revert "Revert "DomainTools check for malicious tags depending on iris tags from DomainTools and add a tag to artifact and case. (#588)""
This reverts commit 6fced530f823a19b312ae0214bb9899aa10b30ba.
---
 .../DomainToolsIris_CheckMaliciousTags.json | 28 +++++++++++
 .../domaintoolsiris_responder.py | 46 +++++++++++++++++++
 .../requirements.txt | 0
 3 files changed, 74 insertions(+)
 create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
 create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
 create mode 100644 responders/DomainToolsIris_CheckMaliciousTags/requirements.txt
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
new file mode 100644
index 000000000..ef14d0828
--- /dev/null
+++ b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
@@ -0,0 +1,28 @@
+{
+ "name": "DomainToolsIris_CheckMaliciousTags",
+ "version": "1.0",
+ "author": "DomainTools",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
+ "dataTypeList": ["thehive:case_artifact"],
+ "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py",
+ "baseConfig": "DomainToolsIris",
+ "configurationItems": [
+ {
+ "name": "high_risk_threshold",
+ "description": "Risk score threshold to be considered high risk.",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 70
+ },
+ {
+ "name": "monitored_iris_tags",
+ "description": "Monitored Iris tags.",
+ "type": "string",
+ "multi": true,
+ "required": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
new file mode 100644
index 000000000..8490a0a24
--- /dev/null
+++ b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
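Review bot: `monitored_iris_tags` is declared `"required": false` with no `defaultValue`, yet the responder in domaintoolsiris_responder.py (the next hunk) calls `set(self.get_param("config.monitored_iris_tags"))` unconditionally, so an instance configured without that item gets a TypeError on the first artifact instead of a clean "nothing to monitor" result. Either mark it `"required": true` or have the code treat a missing value as an empty list; the same mismatch applies to the next hunk and is not repeated there. `high_risk_threshold` is also declared here with a default of 70 but is never read anywhere in the responder, so either the threshold logic is missing or the item should be dropped to avoid suggesting a check that does not happen. A short note in `"description"` saying that tag names must match the Iris tags exactly would help operators, since the comparison in the code is a plain set intersection.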
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+from cortexutils.responder import Responder
+
+
+class DomainToolsIris(Responder):
+ def __init__(self):
+ Responder.__init__(self)
+
+ def run(self):
+ Responder.run(self)
+ if self.get_param("data.dataType") == "domain":
+ self.report({"data": self.get_data()})
+ else:
+ self.report({"data": 'Can only operate on "domain" observables'})
+
+ def operations(self, raw):
+ build_list = []
+ taxonomies = (
+ raw.get("data", {})
+ .get("reports", {})
+ .get("DomainToolsIris_Investigate_1_0", {})
+ .get("taxonomies", None)
+ )
+
+ for x in taxonomies:
+ if x["predicate"] == "IrisTags":
+ malicious_tags_set = set(self.get_param("config.monitored_iris_tags"))
+ domain_tags_set = set(x["value"].split(","))
+
+ if len(malicious_tags_set.intersection(domain_tags_set)):
+ build_list.append(
+ self.build_operation(
+ "AddTagToArtifact", tag="DT:Malicious Domain"
+ )
+ )
+ build_list.append(
+ self.build_operation("AddTagToCase", tag="DT:Malicious Domain")
+ )
+ return build_list
+
+
+if __name__ == "__main__":
+ DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt
new file mode 100644
index 000000000..e69de29bb
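Review bot: `operations()` crashes when the Investigate report is absent: `.get("taxonomies", None)` yields None and `for x in taxonomies` then raises TypeError, so running this responder on an artifact that never had DomainToolsIris_Investigate_1_0 executed fails instead of returning an empty list; change the default to `.get("taxonomies", [])`. The tag match is exact-string, so if the analyzer joins IrisTags with anything other than a bare comma (whitespace after the comma, for instance) `set(x["value"].split(","))` never intersects the configured set — the analyzer's output format is not visible here, but `{t.strip() for t in x["value"].split(",")}` is robust either way. `if len(malicious_tags_set.intersection(domain_tags_set)):` reads more naturally as `if malicious_tags_set & domain_tags_set:`, and the configured set can be built once before the loop rather than per taxonomy. A one-line docstring on `operations`, such as `"""Tag the artifact and its case when its Iris tags overlap the monitored set."""`, would help since this method is the only place the responder's effect is defined.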