Added enhanced support for "Auto extraction" with observables for the emlparser analyzer #399
Conversation
Probably should use a better regex for the IP address extraction. Something like this: (25[0-5]|2[0-4]\d|[1]\d\d|[1-9]\d|[1-9])(.(25[0-5]|2[0-4]\d|[1]\d\d|[1-9]\d|\d)){3}
You could also add
@3c7 Can you give an example, as there already is a + present, so I am having some trouble understanding what you mean.
@gekkeharry13 The addresses can look like this https://regex101.com/r/kPRWoJ/1 so I added
Oohh, I did not know this syntax (or mail filters in general) existed. I will add it and update my fork.
In general those characters can be used in the local part of an e-mail address:
The
Thanks for the info @3c7!
Added branch for it. This reverts commit f2e1f76.
Hi all, I am having some issues with my git stupidity. I have made these changes in master and now I have some other analyzers and responders that I am building, but I am kinda stuck here. Do you guys like this proposal? If so, I can tidy it for the merge, or if you do not like it, let me know. I think this needs to be merged or removed in order to place my next pull request (without it being dirty).
Hi @gekkeharry13, I like the changes you added to the extractor, but I don't think it's a good idea to have a custom extractor within the analyzer. What could be great is to try to add your changes in https://github.com/TheHive-Project/Cortex-Analyzers/blob/master/contrib/cortexutils/extractor.py which is part of That being said, I don't know what the
Ah yes, that would be great indeed, it should work as I literally copied that class.
I think this is a good idea. @3c7 what do you think about that?
Yeah, I like that, too.
Instead of customizing the extractor with just a regex, I would customize it with a dataType + an extraction function. The function could be a regex test.
Yeah I agree. Something that extends the functionality of the automated extractor. I will change my repo and let you know when I think I have a good solution :)
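Added example (not code from this PR or from cortexutils): a minimal "dataType + extraction function" registry, as proposed above, wired to the IPv4 regex suggested earlier in the thread. The registry name, the `register` decorator and the sample header text are assumptions; the regex is the thread's octet alternation with the dot escaped and lookarounds added so that fragments such as `10.0.1.2.3` or `256.1.1.1` are not reported as observables.

```python
import re
from typing import Callable, Dict, List

# Octet alternation from the regex proposed in the thread. The "." is escaped
# here; the comment's version leaves it bare, so it would match any character.
_FIRST = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|[1-9])"
_REST = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)"
# Lookarounds reject partial hits inside longer dotted strings ("10.0.1.2.3")
# and inside out-of-range octets ("256.1.1.1" would otherwise yield "56.1.1.1").
IPV4_RE = re.compile(rf"(?<![\d.]){_FIRST}(?:\.{_REST}){{3}}(?![\d.])")

# Hypothetical registry: Cortex dataType -> function returning matched strings.
Extractor = Callable[[str], List[str]]
REGISTRY: Dict[str, Extractor] = {}


def register(data_type: str) -> Callable[[Extractor], Extractor]:
    """Register an extraction function under a dataType (assumed API)."""
    def deco(fn: Extractor) -> Extractor:
        REGISTRY[data_type] = fn
        return fn
    return deco


@register("ip")
def extract_ipv4(text: str) -> List[str]:
    """Extraction function for the 'ip' dataType: a plain regex test."""
    return IPV4_RE.findall(text)


def extract_observables(text: str) -> List[Dict[str, str]]:
    """Run every registered extractor; return unique {dataType, data} artifacts."""
    seen = set()
    artifacts = []
    for data_type, fn in REGISTRY.items():
        for value in fn(text):
            if (data_type, value) not in seen:
                seen.add((data_type, value))
                artifacts.append({"dataType": data_type, "data": value})
    return artifacts


# Constructed sample header/body text; not taken from a real message.
SAMPLE = (
    "Received: from mail.example.test (203.0.113.45) by mx.example.test\n"
    "X-Originating-IP: [198.51.100.7]\n"
    "Version string 10.0.1.2.3 and bogus 256.1.1.1 must not be extracted.\n"
    "Login at http://203.0.113.45/verify now\n"
)

if __name__ == "__main__":
    for artifact in extract_observables(SAMPLE):
        print(artifact)
```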
Hi guys, so I have been working on the new approach today. The cortexutils fork can be found here: I am a bit stuck at how I can properly inherit the class (or make it a function) so that "def artifacts" isn't required in the analyzer itself. Maybe some of you are a bit more experienced and have a solution for this? The latest changes I have added removed most of the code from the analyzer, back to the cortexutils.
@gekkeharry13 you need to fork this entire repo and then update the files under contrib/cortexutils so that we can see the diff introduced by your PR. If you want to create another PR for that, you can; it will be easier for both of us. Thanks
Hereby the PR 👍
Popping into the conversation, someone's just asked me about attachments. What do you guys think?
This is not possible for the moment, but it can be considered for the next version of Cortex.
Agree, the functionality can be extracted from Synapse I guess? As we pop our mails through Synapse and files are extracted just fine. When Cortex 3 is released we should check :)
That's what I thought (and said).
This is not handled in
To enhance the workflow of analysts who analyse scam e-mails, we wanted to make it possible to extract observables automatically out of the data generated by the emlparser (that is, header, body and such).
As we developed it specifically for this analyzer, I imported the class responsible for this feature and modified it as required.
I created the merge request as there are a few other teams that might benefit from this enhancement.
The regexes seem to be pretty solid after a few weeks of testing (haven't heard any complaints from the team).