Unable to querry date to cortex analyser

[imad777550]

**_Hello, I am writing an analyser and I should be able to querry the alert date in order to perform my work. The result is always Null. Any help?

Nids_Analysis_Hive.json

{
  "name": "Nids_Analysis_Hive",
  "version": "1.0",
  "author": "Imad Boustany",
  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
  "license": "AGPL-v3",
  "description": "Investigate eve.json logs on thehive",
  "baseConfig": "Nids_Analysis_Hive",
  "dataTypeList": ["ip"],
  "command": "Nids_Analysis_Hive/Nids_Analysis_Hive.py",
  "configurationItems": [
    {
      "name": "ip",
      "description": "IP address of Nids server",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "port",
      "description": "Port of Running webserver",
      "type": "string",
      "multi": false,
      "required": true
    }
  ]
}

Nids_Analysis_Hive.py

#!/usr/bin/env python3

from cortexutils.analyzer import Analyzer

class Nids_Analysis_Hive(Analyzer):
    def init(self):
        Analyzer.__init__(self)
        self.IP = self.get_param("config.ip", None, "Nids IP to login")
        self.Port = self.get_param(
            "config.port", None, "Webserver Port needed to login"
        )

    def run(self):
        if self.data_type == "ip":
            self.report({"Nids Result": self.get_data()})


if __name__ == "__main__":
    Nids_Analysis_Hive().run()

The Hive result:

Thank You.

[dadokkio]

I don't think startDate is valid. From get_param you have config.* to obtain info from json and data.* to obtain info from object.
I didn't test it but something like self.get_param("data.startDate") should work.

[imad777550]

**_Hello, Thank you for your help.

I tried self.get_param("data.startDate") but this didn't worked.

error message:_**

"errorMessage": "Traceback (most recent call last): File "/opt/Cortex-Analyzers/analyzers/Nids_Analysis_Hive/Nids_Analysis_Hive.py", line 40, in Nids_Analysis_Hive().run() File "/opt/Cortex-Analyzers/analyzers/Nids_Analysis_Hive/Nids_Analysis_Hive.py", line 38, in run self.report({"Nids Result": self.get_param("data.startDate")}) File "/usr/local/lib/python3.7/dist-packages/cortexutils/analyzer.py", line 36, in get_param data = super(Analyzer, self).get_param(name, default, message) File "/usr/local/lib/python3.7/dist-packages/cortexutils/worker.py", line 136, in get_param return self.__get_param(self._input, name, default, message) File "/usr/local/lib/python3.7/dist-packages/cortexutils/worker.py", line 97, in __get_param return self.__get_param(new_source, name[1:], default, message) File "/usr/local/lib/python3.7/dist-packages/cortexutils/worker.py", line 95, in __get_param new_source = source.get(name[0])AttributeError: 'str' object has no attribute 'get'",

Thank you.

[dadokkio]

Ah, no wait sorry.
I think that just responder can interact with case/alert/task info.. in your case from analyzer you just have data itself and data_type.
How will it works from alert to observable in your case?

[imad777550]

Yeah I read the documentation about how to build an analyser and responder. I knew that this can be just done from from a responder. I just wanted to make sure of that !

So I can solve my problem by turning this to a responder, and I can print a report with a responder right?

[dadokkio]

Yes.. that should work. You can take inspiration from this one

[imad777550]

Thank you for your help! I build my responder !