Merge pull request #572 from DomainTools/DT-investigate_analyzer

DomainTools Iris - Investigate Analyzer
TheHive-Project · Mar 10, 2020 · ee329aa · ee329aa
2 parents 504d307 + 45a3567
commit ee329aa
Show file tree

Hide file tree

Showing 6 changed files with 616 additions and 4 deletions.
diff --git a/analyzers/DomainToolsIris/DomainToolsIris_Investigate.json b/analyzers/DomainToolsIris/DomainToolsIris_Investigate.json
@@ -0,0 +1,38 @@
+{
+  "name": "DomainToolsIris_Investigate",
+  "version": "1.0",
+  "author": "DomainTools",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use DomainTools Iris API to investigate a domain.",
+  "dataTypeList": ["domain"],
+  "command": "DomainToolsIris/domaintoolsiris_analyzer.py",
+  "baseConfig": "DomainToolsIris",
+  "config": {
+      "service": "investigate-domain"
+  },
+  "configurationItems": [
+    {
+      "name": "username",
+      "description": "DomainTools Iris API credentials",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "DomainTools Iris API credentials",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "pivot_count_threshold",
+      "description": "Pivot count threshold.",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 500
+    }
+  ]
+}
diff --git a/analyzers/DomainToolsIris/domaintoolsiris_analyzer.py b/analyzers/DomainToolsIris/domaintoolsiris_analyzer.py
@@ -153,12 +153,12 @@ def format_single_domain(self, domain_data):
                 ] = DomainToolsAnalyzer.get_threat_level_class(
                     domain_risk["tpm"]["value"]
                 )
-            threat_profile_phshing_data = DomainToolsAnalyzer.get_threat_component(
+            threat_profile_phishing_data = DomainToolsAnalyzer.get_threat_component(
                 risk_components, "threat_profile_phishing"
             )
-            if threat_profile_phshing_data:
+            if threat_profile_phishing_data:
                 domain_risk["tpp"] = {}
-                domain_risk["tpp"]["value"] = threat_profile_malware_data.get(
+                domain_risk["tpp"]["value"] = threat_profile_phishing_data.get(
                     "risk_score", 0
                 )
                 domain_risk["tpp"][
@@ -171,7 +171,7 @@ def format_single_domain(self, domain_data):
             )
             if threat_profile_spam_data:
                 domain_risk["tps"] = {}
-                domain_risk["tps"]["value"] = threat_profile_malware_data.get(
+                domain_risk["tps"]["value"] = threat_profile_spam_data.get(
                     "risk_score", 0
                 )
                 domain_risk["tps"][

diff --git a/analyzers/DomainToolsIris/screenshots/InvestigateLongSummary.png b/analyzers/DomainToolsIris/screenshots/InvestigateLongSummary.png
diff --git a/analyzers/DomainToolsIris/screenshots/InvestigateShortSummary.png b/analyzers/DomainToolsIris/screenshots/InvestigateShortSummary.png