From aa8be1db7c0488258c3a402daf111d1bd8551b43 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 12 Nov 2018 16:08:51 +0100
Subject: [PATCH 1/3] add cyberprotect threatscore analyzer
---
.../Cyberprotect/CyberprotectAnalyzer.py | 48 +++++++++++++++++++
.../Cyberprotect_ThreatScore.json | 15 ++++++
analyzers/Cyberprotect/requirements.txt | 2 +
.../Cyberprotect_ThreatScore/long.html | 33 +++++++++++++
.../Cyberprotect_ThreatScore/short.html | 3 ++
5 files changed, 101 insertions(+)
create mode 100755 analyzers/Cyberprotect/CyberprotectAnalyzer.py
create mode 100755 analyzers/Cyberprotect/Cyberprotect_ThreatScore.json
create mode 100755 analyzers/Cyberprotect/requirements.txt
create mode 100755 thehive-templates/Cyberprotect_ThreatScore/long.html
create mode 100755 thehive-templates/Cyberprotect_ThreatScore/short.html
diff --git a/analyzers/Cyberprotect/CyberprotectAnalyzer.py b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
new file mode 100755
index 000000000..82a6ed2b7
--- /dev/null
+++ b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import requests
+from cortexutils.analyzer import Analyzer
+
+class CyberprotectAnalyzer(Analyzer):
+
+ URI = "https://threatscore.cyberprotect.fr/api/score/"
+
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.service = self.get_param('config.service', None, 'Service parameter is missing')
+
+ def summary(self, raw):
+ taxonomies = []
+ namespace = "Cyberprotect"
+ if self.service == 'ThreatScore':
+
+ level = 'info';
+ value = 'not in database'
+ if(raw.get('data') and raw.get('scores') and len(raw.get('scores')) > 0):
+ value = 'not analyzed yet'
+ if(raw['scores'][0].get('score')):
+ level = 'safe';
+ value = raw['scores'][0]['score']
+ if value >= 0.5:
+ level = 'danger'
+ elif value >= 0.25 and value < 0.5:
+ level = 'warning'
+
+ taxonomies.append(self.build_taxonomy(level, namespace, self.service, value))
+
+ return {"taxonomies": taxonomies}
+
+ def run(self):
+ Analyzer.run(self)
+ if self.service == 'ThreatScore' and (self.data_type == 'domain' or self.data_type == 'ip'):
+ try:
+ response = requests.get("{}{}".format(self.URI, self.get_data()))
+ self.report(response.json())
+ except Exception as e:
+ self.unexpectedError(e)
+ else:
+ self.notSupported()
+
+if __name__ == '__main__':
+ CyberprotectAnalyzer().run()
diff --git a/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json b/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json
new file mode 100755
index 000000000..7ee0eb894
--- /dev/null
+++ b/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json
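Review bot: The lookup in `run()` calls `requests.get` with no `timeout` and never checks the HTTP status, so an unresponsive or erroring ThreatScore endpoint either blocks the Cortex job indefinitely or hands a non-JSON error body straight to `response.json()`; use `response = requests.get("{}{}".format(self.URI, quote(self.get_data(), safe='')), timeout=30)` (30 is a constructed example value) followed by `response.raise_for_status()`, importing `quote` from `urllib.parse` (or `urllib` under Python 2, since the `#!/usr/bin/env python` shebang does not pin a version). Quoting the observable also keeps characters such as `/`, `?` or `#` in the data from being interpreted as extra path or query components of the request URL. Separately, in `summary()` the guard `if(raw['scores'][0].get('score')):` treats a score of `0` as absent, so such an entry is reported as `'not analyzed yet'` at level `'info'`; `if raw['scores'][0].get('score') is not None:` keeps a zero score on the `'safe'` path.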
@@ -0,0 +1,15 @@
+{
+ "name": "Cyberprotect_ThreatScore",
+ "author": "RĂ©mi Allain, Cyberprotect",
+ "license": "AGPL-V3",
+ "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
+ "version": "1.0",
+ "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect",
+ "dataTypeList": ["domain", "ip"],
+ "command": "Cyberprotect/CyberprotectAnalyzer.py",
+ "baseConfig": "Cyberprotect",
+ "config": {
+ "service": "ThreatScore",
+ "check_tlp": true
+ }
+}
diff --git a/analyzers/Cyberprotect/requirements.txt b/analyzers/Cyberprotect/requirements.txt
new file mode 100755
index 000000000..4a21dbf63
--- /dev/null
+++ b/analyzers/Cyberprotect/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
\ No newline at end of file
diff --git a/thehive-templates/Cyberprotect_ThreatScore/long.html b/thehive-templates/Cyberprotect_ThreatScore/long.html
new file mode 100755
index 000000000..30d34a93e
--- /dev/null
+++ b/thehive-templates/Cyberprotect_ThreatScore/long.html
@@ -0,0 +1,33 @@
+
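Review bot: The `config` block enables `check_tlp` but declares no `max_tlp`, so the TLP ceiling that decides whether an observable may be sent to the external threatscore.cyberprotect.fr service is whatever default cortexutils applies rather than a value this analyzer states; add `"max_tlp": 2` (or the ceiling the team chooses) next to `"check_tlp": true` so the boundary is explicit in the definition. Because every lookup transmits the domain or IP to a third party, the `description` would also be clearer if it said so, e.g. `"ThreatScore is a cyber threat scoring system provided by Cyberprotect; the observable is submitted to threatscore.cyberprotect.fr"`.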
+
+ threatscore.cyberprotect.fr Cyberprotect threat scoring system +
Report for + {{artifact.data}} +
+
+

{{content.scores.length}} scores found.

+ + + + + + + + + +
DateScore
{{score.date}}{{score.score}}
+
+ +
+ No results found +
+
+ +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
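Review bot: The report header renders the observable as `{{artifact.data}}` while the error block renders it as `{{(artifact.data || artifact.attachment.name) | fang}}`; a domain or IP displayed unfanged in the success view is the raw observable an analyst may copy or open by accident, so apply the same filter in the header, `{{artifact.data | fang}}`. The template's element markup appears stripped in this view of the patch, so the surrounding structure could not be checked here.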
diff --git a/thehive-templates/Cyberprotect_ThreatScore/short.html b/thehive-templates/Cyberprotect_ThreatScore/short.html
new file mode 100755
index 000000000..57f9d29cf
--- /dev/null
+++ b/thehive-templates/Cyberprotect_ThreatScore/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
From 9e18a9dd831f6d66186d177a5b4f536bece483f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi?=
Date: Mon, 12 Nov 2018 16:12:36 +0100
Subject: [PATCH 2/3] update cyberprotect threatscore analyzer
---
.../Cyberprotect/CyberprotectAnalyzer.py | 3 --
.../Cyberprotect_ThreatScore/long.html | 44 +++++++++---------
2 files changed, 21 insertions(+), 26 deletions(-)
diff --git a/analyzers/Cyberprotect/CyberprotectAnalyzer.py b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
index 82a6ed2b7..ac325c28e 100755
--- a/analyzers/Cyberprotect/CyberprotectAnalyzer.py
+++ b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
@@ -16,7 +16,6 @@ def summary(self, raw):
 taxonomies = []
 namespace = "Cyberprotect"
 if self.service == 'ThreatScore':
-
 level = 'info';
 value = 'not in database'
 if(raw.get('data') and raw.get('scores') and len(raw.get('scores')) > 0):
@@ -28,9 +27,7 @@ def summary(self, raw):
 level = 'danger'
 elif value >= 0.25 and value < 0.5:
 level = 'warning'
-
 taxonomies.append(self.build_taxonomy(level, namespace, self.service, value))
-
 return {"taxonomies": taxonomies}
 
 def run(self):
diff --git a/thehive-templates/Cyberprotect_ThreatScore/long.html b/thehive-templates/Cyberprotect_ThreatScore/long.html
index 30d34a93e..18a087557 100755
--- a/thehive-templates/Cyberprotect_ThreatScore/long.html
+++ b/thehive-templates/Cyberprotect_ThreatScore/long.html
@@ -6,28 +6,26 @@

{{content.scores.length}} scores found.

- - - - - - - - - -
DateScore
{{score.date}}{{score.score}}
-
- -
- No results found -
+ + + + + + + + + +
DateScore
{{score.date}}{{score.score}}
- -
-
- {{(artifact.data || artifact.attachment.name) | fang}} -
-
- {{content.errorMessage}} -
+
+ No results found
+
+
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
From de9cf9604e58b7aa9d8dc1a8f9e9b10d0ba516ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20ALLAIN?=
Date: Tue, 13 Nov 2018 09:10:51 +0100
Subject: [PATCH 3/3] modify levelslabel
---
analyzers/Cyberprotect/CyberprotectAnalyzer.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/analyzers/Cyberprotect/CyberprotectAnalyzer.py b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
index ac325c28e..fbb9b0009 100755
--- a/analyzers/Cyberprotect/CyberprotectAnalyzer.py
+++ b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
@@ -24,9 +24,9 @@ def summary(self, raw):
 level = 'safe';
 value = raw['scores'][0]['score']
 if value >= 0.5:
- level = 'danger'
+ level = 'malicious'
 elif value >= 0.25 and value < 0.5:
- level = 'warning'
+ level = 'suspicious'
 taxonomies.append(self.build_taxonomy(level, namespace, self.service, value))
 return {"taxonomies": taxonomies}