Merge pull request #849 from jonathan6661/master

New analyzer: Inoitsu email lookup.

analyzers/Inoitsu/Inoitsu.json

@@ -0,0 +1,31 @@
+{
+  "name": "Inoitsu",
+  "version": "1.0",
+  "author": "Abdelkader Ben Ali",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "MIT",
+  "description": "Query Inoitsu for a compromised email address.",
+  "dataTypeList": ["mail"],
+  "command": "Inoitsu/inoitsu_analyzer.py",
+  "baseConfig": "Inoitsu",
+  "configurationItems": [
+
+  ],
+  "registration_required": false,
+  "subscription_required": false,
+  "service_homepage": "https://www.hotsheet.com/inoitsu/",
+  "service_logo": {
+    "path": "assets/inoitsu_logo.png",
+    "caption": "logo"
+  },
+  "screenshots": [
+    {
+      "path": "assets/Inoitsu_long.png",
+      "caption": "Inoitsu long report sample"
+    },
+    {
+      "path": "assets/Inoitsu_short.png",
+      "caption:": "Inoitsu mini report sample"
+    }
+  ]
+}

analyzers/Inoitsu/README.md

@@ -0,0 +1,48 @@
+# Inoitsu-analyzer
+
+This analyzer helps you investigate suspicious emails received from known or unknown senders to ensure that their email addresses aren't compromised.
+
+No API key required.
+
+If the email is compromised then it returns:
+- Total breaches
+- Most recent breach
+- Breached data 
+- Critical data
+- Exposure rating: The comparative data exposure and risk rating assigned to this email address.
+
+### Testing Inoitsu analyzer (Cortex)
+
+You need first to enable the analyzer.
+
+![enable analyzer](https://user-images.githubusercontent.com/37407314/92718622-f4079d00-f359-11ea-8124-0ee9ca565661.PNG)
+
+Navigate to Analyzers then run Inoitsu analyzer.
+
+![run analyzer](https://user-images.githubusercontent.com/37407314/92719258-ce2ec800-f35a-11ea-9f82-f4ed9f4ab01e.PNG)
+
+Test Inoitsu analyzer on a compromised email address.
+
+![report](https://user-images.githubusercontent.com/37407314/92719758-8d837e80-f35b-11ea-8120-014a389955cd.PNG)
+
+Test Inoitsu analyzer on an uncompromised email address.
+
+![uncompromised](https://user-images.githubusercontent.com/37407314/92720556-a9d3eb00-f35c-11ea-8157-911d85149ae4.PNG)
+
+### Testing Inoitsu analyzer (TheHive)
+
+In the observables section add emails to test.
+
+Then select the emails that you want to analyze, select Inoitsu and click on Run selected analyzers.
+
+![thehive iocs](https://user-images.githubusercontent.com/37407314/92724230-2d440b00-f362-11ea-8115-21c91bf27d2d.PNG)
+
+![response](https://user-images.githubusercontent.com/37407314/92725358-f2db6d80-f363-11ea-8e59-697e579a75aa.PNG)
+
+To view the report of the compromised email, click on ```Inoitsu:Compromised="True"```
+
+![analyzer report](https://user-images.githubusercontent.com/37407314/92727316-d3920f80-f366-11ea-9e29-d2c21d286277.PNG)
+
+To view the report of the uncompromised email, click on ```Inoitsu:Compromised="False"```
+
+![analyzer report 2](https://user-images.githubusercontent.com/37407314/92727203-a5accb00-f366-11ea-875a-da30f01b6c4d.PNG)

analyzers/Inoitsu/inoitsu_analyzer.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+from cortexutils.analyzer import Analyzer
+import requests
+import re
+
+
+class InoitsuAnalyzer(Analyzer):
+	def __init__(self):
+		Analyzer.__init__(self)
+
+	def verify_email_format(self, email):
+		email_regex = '^(?i)[a-z0-9]+[\._]?[a-z0-9]+[@]\w+[.]\w{2,3}$'
+		if(re.search(email_regex,email)):
+			return True
+		else:
+			return False
+
+	def remove_html_tags(self, html):
+		regex = re.compile('<.*?>')
+		cleantext = re.sub(regex, '', html)
+		return cleantext
+
+	def inoitsu_check(self,email):
+		url ="https://www.hotsheet.com/inoitsu/"
+		data = {'act' : email, 'accounthide' : 'test', 'submit' : 'Submit'}
+		r = requests.post(url, data=data, timeout=10)
+		response = r.text
+		if 'BREACH DETECTED!' in response:
+			cleantext = self.remove_html_tags(response)
+			text = cleantext.replace('&nbsp;','')
+			Breached_data_finder = re.search('Breached Personal Data(.*)Critical Identity Alerts', text)
+			Breached_data = Breached_data_finder.group(1)[1:]
+			Critical_data_finder = re.search('Critical Identity Alerts(.*)Total Breaches', text)
+			Critical_data = Critical_data_finder.group(1)[1:]
+			Total_breaches_finder = re.search('Total Breaches(.*)Most Recent Breach', text)
+			Total_breaches = Total_breaches_finder.group(1)[1:]
+			Most_recent_breach_finder = re.search('Most Recent Breach(.*)Relative Exposure Rating', text)
+			Most_recent_breach = Most_recent_breach_finder.group(1)[2:]
+			Exposure_rating_finder = re.search('Relative Exposure Rating(.*)breach data from', text)
+			Exposure_rating = Exposure_rating_finder.group(1)[2:]
+			result = dict(Email = email, Leaked = True, Breached_data = Breached_data, Critical_data = Critical_data,
+			Total_breaches = int(Total_breaches), Most_recent_breach = Most_recent_breach,
+			Exposure_rating = Exposure_rating)
+			return result
+		else:
+			return dict(Email = email, Leaked = False)
+
+	def summary(self, raw):
+		taxonomies = []
+		level = "info"
+		namespace = "Inoitsu"
+		predicate = "Compromised"
+		leaked = raw.get("Leaked")
+		if leaked:
+			level = "malicious"
+			value = "True"
+		else:
+			level = "safe"
+			value = "False"
+		taxonomies.append(
+		self.build_taxonomy(level, namespace, predicate, value)
+		)
+		return {"taxonomies": taxonomies}
+
+	def run(self):
+		email = self.get_data()
+		if not email:
+			self.error('No email given.')
+		try:
+			if self.verify_email_format(email):
+				result = self.inoitsu_check(email)
+				self.report(result)
+			else:
+				self.error('Your input is not an email.')
+		except Exception as e:
+			self.error(str(e))
+
+if __name__ == "__main__":
+	InoitsuAnalyzer().run()

analyzers/Inoitsu/requirements.txt

@@ -0,0 +1,2 @@
+requests
+re

thehive-templates/Inoitsu_1_0/long.html

@@ -0,0 +1,63 @@
+<div class="report-SecurityTrails" ng-if="success">
+  <div class="panel panel-info">
+    <div class="panel-heading">
+      Inoitsu lookup ({{ content.Email }})
+    </div>
+    <div class="panel-body">
+      <div ng-if="(content | json) === '{}'">
+        No data found
+      </div>
+      <div ng-if="(content | json) !== '{}'">
+
+      <div ng-if="(content.Leaked)">
+        <dl class=" dl-horizontal">
+          <dt>Compromised:</dt>
+          <dd class="wrap">{{ content.Leaked }}</dd>
+        </dl>
+        <dl class=" dl-horizontal">
+          <dt>Total breaches:</dt>
+          <dd class="wrap">{{ content.Total_breaches }}</dd>
+        </dl>
+        <dl class="dl-horizontal">
+          <dt>Most recent breach:</dt>
+          <dd class="wrap">{{ content.Most_recent_breach }}</dd>
+        </dl>
+        <dl class="dl-horizontal">
+          <dt>Breached data:</dt>
+          <dd class="wrap">{{ content.Breached_data }}</dd>
+        </dl>
+        <dl class="dl-horizontal">
+          <dt>Critical data:</dt>
+          <dd class="wrap">{{ content.Critical_data }}</dd>
+        </dl>
+        <dl class="dl-horizontal">
+          <dt>Exposure rating:</dt>
+          <dd class="wrap">{{ content.Exposure_rating }}</dd>
+        </dl>
+        </div>
+
+        <div ng-if="!(content.Leaked)">
+        <dl class=" dl-horizontal">
+          <dt>Compromised:</dt>
+          <dd class="wrap">{{ content.Leaked }}</dd>
+        </dl>
+        </div>
+
+      </div>
+    </div>
+  </div>
+</div>
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+  <div class="panel-heading">
+    <strong>{{ artifact.data | fang }}</strong>
+  </div>
+  <div class="panel-body">
+    <dl class="dl-horizontal" ng-if="content.errorMessage">
+      <dt>
+        <i class="fa fa-warning"></i>
+      </dt>
+      <dd class="wrap">{{ content.errorMessage }}</dd>
+    </dl>
+  </div>
+</div>

thehive-templates/Inoitsu_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>