From 2d0f67829e376919eeb7d4c0c06781930dcc5443 Mon Sep 17 00:00:00 2001
From: srilumpa
Date: Thu, 5 Jul 2018 09:44:28 +0200
Subject: [PATCH 1/3] Allow customization of suspicious and malicious categories
---
 .../Fortiguard/Fortiguard_URLCategory.json | 22 +++++++++++++++++--
 analyzers/Fortiguard/urlcategory.py | 4 ++--
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/analyzers/Fortiguard/Fortiguard_URLCategory.json b/analyzers/Fortiguard/Fortiguard_URLCategory.json
index 1e00d0406..351b86c04 100644
--- a/analyzers/Fortiguard/Fortiguard_URLCategory.json
+++ b/analyzers/Fortiguard/Fortiguard_URLCategory.json
@@ -5,7 +5,25 @@
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
 "dataTypeList": ["domain", "url"],
- "description": "Check the Fortiguard category of a URL or a domain.",
+ "description": "Check the Fortiguard category of a URL or a domain. Check the full available list at https://fortiguard.com/webfilter/categories",
 "baseConfig": "Fortiguard",
- "command": "Fortiguard/urlcategory.py"
+ "command": "Fortiguard/urlcategory.py",
+ "configurationItems": [
+ {
+ "name": "malicious_categories",
+ "description": "List of FortiGuard categories to be considered as malicious",
+ "type": "string",
+ "multi": true,
+ "required": true,
+ "defaultValue": ["Malicious Websites", "Phishing", "Spam URLs"]
+ },
+ {
+ "name": "suspicious_categories",
+ "description": "List of FortiGuard categories to be considered as suspicious",
+ "type": "string",
+ "multi": true,
+ "required": true,
+ "defaultValue": ["Newly Observed Domain", "Newly Registered Domain", "Dynamic DNS", "Proxy Avoidance", "Hacking"]
+ }
+ ]
 }
diff --git a/analyzers/Fortiguard/urlcategory.py b/analyzers/Fortiguard/urlcategory.py
index f343f3952..d6b4f5892 100755
--- a/analyzers/Fortiguard/urlcategory.py
+++ b/analyzers/Fortiguard/urlcategory.py
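Review bot: The default `suspicious_categories` list does not carry over `"Suspicious Websites"`, which the branch removed in urlcategory.py (the hunk at line 16 of that file) used to rate as suspicious; if FortiGuard still returns that category, a deployment that keeps the defaults will no longer flag it. Either add it to `defaultValue` or say in the commit description that the defaults intentionally drop it. The two `description` strings should also tell the operator that entries are compared exactly against the category text FortiGuard returns, since the Python side does a plain membership test, e.g. `"description": "List of FortiGuard categories to be considered as malicious (exact category names as shown at https://fortiguard.com/webfilter/categories)"`.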
@@ -16,9 +16,9 @@ def summary(self, raw):
 if 'category' in raw:
 r = raw.get('category')
 value = "\"{}\"".format(r)
- if r == "Malicious Websites":
+ if r in self.get_param('config.malicious_categories', []):
 level = "malicious"
- elif r == "Suspicious Websites":
+ elif r in self.get_param('config.suspicious_categories', []):
 level = "suspicious"
 elif r == "Not Rated":
 level = "info"
From 9d0fd7d6df3cef57448f10b4f7503bd578fe93f1 Mon Sep 17 00:00:00 2001
From: srilumpa
Date: Thu, 5 Jul 2018 09:48:14 +0200
Subject: [PATCH 2/3] Bump version
---
 analyzers/Fortiguard/Fortiguard_URLCategory.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analyzers/Fortiguard/Fortiguard_URLCategory.json b/analyzers/Fortiguard/Fortiguard_URLCategory.json
index 351b86c04..ed7992fcf 100644
--- a/analyzers/Fortiguard/Fortiguard_URLCategory.json
+++ b/analyzers/Fortiguard/Fortiguard_URLCategory.json
@@ -1,6 +1,6 @@
 {
 "name": "Fortiguard_URLCategory",
- "version": "2.0",
+ "version": "2.1",
 "author": "Eric Capuano",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
From bfe9cf0d09840688740a3ba0d9232a35e1436e66 Mon Sep 17 00:00:00 2001
From: srilumpa
Date: Thu, 5 Jul 2018 10:06:33 +0200
Subject: [PATCH 3/3] Bump report version to follow analyzer version
---
 .../long.html | 0
 .../short.html | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename thehive-templates/{Fortiguard_URLCategory_2_0 => Fortiguard_URLCategory_2_1}/long.html (100%)
 rename thehive-templates/{Fortiguard_URLCategory_2_0 => Fortiguard_URLCategory_2_1}/short.html (100%)
diff --git a/thehive-templates/Fortiguard_URLCategory_2_0/long.html b/thehive-templates/Fortiguard_URLCategory_2_1/long.html
similarity index 100%
rename from thehive-templates/Fortiguard_URLCategory_2_0/long.html
rename to thehive-templates/Fortiguard_URLCategory_2_1/long.html
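Review bot: Both new `r in self.get_param(...)` tests are exact string membership checks, so a configured entry that differs from the FortiGuard category text only in case or surrounding whitespace silently falls through to the later branches, and a category with no match is never reported as a configuration problem. Normalising both sides before comparing, e.g. `malicious = {c.strip().casefold() for c in self.get_param('config.malicious_categories', [])}` and testing `r.strip().casefold() in malicious`, would make the operator's configuration forgiving. If either parameter ever arrived as a plain string instead of a list, `r in <str>` would silently become a substring test, so it is worth asserting a list shape (I cannot see get_param's behaviour from this hunk). A category present in both lists is rated malicious because that test runs first; a one-line comment such as `# malicious wins when a category is in both lists` would record that precedence. summary() starts before this hunk and appears to continue past it.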
diff --git a/thehive-templates/Fortiguard_URLCategory_2_0/short.html b/thehive-templates/Fortiguard_URLCategory_2_1/short.html
similarity index 100%
rename from thehive-templates/Fortiguard_URLCategory_2_0/short.html
rename to thehive-templates/Fortiguard_URLCategory_2_1/short.html