TheHive-Project · 3c7 · Oct 17, 2018 · Oct 26, 2017
diff --git a/analyzers/ProofPoint/Long_ReportTemplate.txt b/analyzers/ProofPoint/Long_ReportTemplate.txt
@@ -0,0 +1,102 @@
+<!-- General error -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
+<div class="report-ProofPoint" ng-if="success">
+	<div ng-if="content.known == true">
+		<style>
+			.report-ProofPoint dl {
+				margin-bottom: 2px;
+			}
+			.smaller {
+				width: 25%;
+			}
+		</style>
+		<div class="panel panel-info">
+			<div class="panel-heading"><strong>ProofPoint Report</strong></div>
+				<div ng-if="content.reports && content.reports.length > 0">
+					<div class="panel-body">
+						<dl class="dl-horizontal">
+							<dt>Last analysis date</dt>
+							<dd>{{content.generated}}</dd>
+						</dl>
+						<div class="dl-horizontal" ng-repeat="(indexRep,reportFor) in content.reports">
+							<div ng-repeat="(indexElem,elem) in reportFor">
+								<div ng-if="indexElem == 'name'">
+									<dl class="dl-horizontal">
+										<dt>Threat Name</dt>
+										<dd>{{elem}}</dd>
+									</dl>
+								</div>
+								<div ng-if="indexElem == 'type'">
+									<dl class="dl-horizontal">
+										<dt>Threat Type</dt>
+										<dd>{{elem}}</dd>
+									</dl>
+								</div>
+								<div ng-if="indexElem == 'threatStatus'">
+									<dl class="dl-horizontal">
+										<dt>Threat Status</dt>
+										<dd>{{elem}}</dd>
+									</dl>
+								</div>
+							</div>
+						</div>
+					</div>
+				</div>
+		</div>
+		<div ng-if="content.reports && content.reports.length > 0">
+			<div ng-if="content.reports[0].forensics.length > 0">
+				<div class="panel panel-info">
+					<div class="panel-heading"><strong>Malicious Indicators</strong></div>
+						<div class="panel-body">
+							<div class="dl-horizontal" ng-repeat="(indexRep,reportFor) in content.reports">
+								<div ng-repeat="(indexElem,elem) in reportFor">
+									<div ng-if="indexElem == 'forensics'">
+										<div ng-repeat="(indexForens,forensics) in elem">
+											<div class="dl-horizontal" ng-if="forensics.malicious == true">
+												<dt>IOC Type</dt>
+												<dd>{{forensics.type}}</dd>
+												<br>
+												<dt>IOC Description</dt>
+												<dd>{{forensics.display}}</dd>
+												<br>
+												<div ng-if="forensics.note">
+													<dt>IOC Category</dt>
+													<dd>{{forensics.note}}</dd>
+													<br>
+												</div>
+												<br>
+											</div>
+										</div>
+										<div ng-repeat="(indexForens,forensics) in elem">
+											<div class="dl-horizontal" ng-if="forensics.type == 'screenshot'">
+												<dd><img class="img-responsive smaller" ng-src="{{forensics.what.url}}"/></dd>
+											</div>
+										</div>
+									</div>
+								</div>
+							</div>
+						</div>
+				</div>
+			</div>
+		</div>
+	</div>
+	<div ng-if="content.known == false">
+		<div class="panel panel-info">
+			<div class="panel-heading"><strong>ProofPoint Report</strong></div>
+				<div class="panel-body">
+					<dl class="dl-horizontal">
+						<dt>Last analysis date</dt>
+						<dd>Data Unknown by ProofPoint</dd>
+					</dl>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
diff --git a/analyzers/ProofPoint/ProofPoint_Lookup.json b/analyzers/ProofPoint/ProofPoint_Lookup.json
@@ -0,0 +1,16 @@
+{
+    "name": "ProofPoint_Lookup",
+    "version": "1.0",
+    "author": "Emmanuel Torquato",
+    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Check URL, file, SHA256 against ProofPoint forensics",
+    "dataTypeList": ["url", "file", "hash"],
+    "baseConfig": "ProofPoint",
+    "config": {
+        "service": "query",
+        "max_tlp": 1,
+        "check_tlp": true
+    },
+    "command": "ProofPoint/proofpoint_lookup.py"
+}
diff --git a/analyzers/ProofPoint/proofpoint_lookup.py b/analyzers/ProofPoint/proofpoint_lookup.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+import requests
+import hashlib
+from requests.auth import HTTPBasicAuth
+import time
+
+class ProofPointForensicsAnalyzer(Analyzer):
+
+	def __init__(self):
+		Analyzer.__init__(self)
+		self.service = self.getParam('config.service', None, 'ProofPoint service is missing')
+		self.url = self.getParam('config.url', 'https://tap-api-v2.proofpoint.com', None)
+		self.apikey = self.getParam('config.apikey', None, 'ProofPoint apikey is missing')
+		self.secret = self.getParam('config.secret', None, 'ProofPoint secret is missing')
+		self.verify = self.getParam('config.verifyssl', True, None)
+		if not self.verify:
+			from requests.packages.urllib3.exceptions import InsecureRequestWarning
+			requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+	def summary(self, raw):
+
+		taxonomies = []
+		level = "info"
+		namespace = "ProofPoint"
+		predicate = "Category"
+		value = "\"Unknown\""
+
+		result = {
+			'service': self.service,
+			'dataType': self.data_type
+		}
+		if 'reports' in raw:
+			for report in raw['reports']:
+				threatstatus = report['threatStatus']
+				if threatstatus == 'active':
+					level = "malicious"
+				if threatstatus == 'falsePositive':
+					level = 'safe'
+				if 'forensics' in report:
+					if len(report['forensics']) > 0:
+						for forensic in report['forensics']:
+							if forensic['malicious']:
+								if threatstatus == 'active':
+									level = "malicious"
+								if threatstatus == 'falsePositive':
+									level = "suspicious"
+								if 'note' in forensic:
+									value = "\"{}\"".format(forensic['note'])
+		taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+		return {"taxonomies": taxonomies}
+
+	def run(self):
+		Analyzer.run(self)
+
+		try:
+			user_agent = {'User-agent': 'Cortex Analyzer'}
+			sha256 = None
+			report = {}
+			if self.service in ['query']:
+				if self.data_type == 'file':
+					filename = self.getParam('attachment.name', 'noname.ext')
+					filepath = self.getParam('file', None, 'File is missing')
+					sha256 = hashlib.sha256(open(filepath, 'r').read()).hexdigest()
+				elif self.data_type == 'hash' and len(self.getData()) == 64:
+					sha256 = self.getData()
+				else:
+					sha256 = hashlib.sha256(self.getData()).hexdigest()
+			else:
+				self.error('unknown service')
+			if sha256 != None:
+				params = {'threatId': sha256}
+				response = requests.get(self.url.strip('/') + '/v2/forensics', params=params, headers=user_agent, verify=self.verify, auth=HTTPBasicAuth(self.apikey, self.secret))
+				if response.status_code == 200:
+					data = response.json()
+					report['known'] = True
+					if 'reports' in data:
+						report['reports'] = data['reports']
+					if 'generated' in data:
+						report['generated'] = data['generated']
+					self.report(report)
+				elif response.status_code == 400:
+					self.error('bad request sent')
+				elif response.status_code == 401:
+					self.error('unauthorized access, verify your key and secret values')
+				elif response.status_code == 404:
+					report = {'known': False}
+					self.report(report)
+				else:
+					self.error('unknown error')
+			else:
+				self.error('no hash defined')
+		except requests.exceptions.RequestException as e:
+			self.error(e)
+		except Exception as e:
+			self.unexpectedError(e)
+
+if __name__ == '__main__':
+	ProofPointForensicsAnalyzer().run()