Add responder QRadarAutoClose[FR#441]

analyzers/AbuseIPDB/AbuseIPDB.json

@@ -0,0 +1,33 @@
+{
+    "name": "AbuseIPDB",
+    "version": "1.0",
+    "author": "Matteo Lodi",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-v3",
+    "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB",
+    "dataTypeList": ["ip"],
+    "baseConfig": "AbuseIPDB",
+    "command": "AbuseIPDB/abuseipdb.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for AbuseIPDB",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "days",
+        "description": "Check for IP Reports in the last X days",
+        "type": "number",
+        "multi": false,
+        "required": false,
+        "defaultValue": 30
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": false
+    }
+}

analyzers/AbuseIPDB/abuseipdb.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+
+import requests
+
+from cortexutils.analyzer import Analyzer
+
+
+class AbuseIPDBAnalyzer(Analyzer):
+    """
+    AbuseIPDB API docs: https://www.abuseipdb.com/api
+    """
+
+    @staticmethod
+    def extract_abuse_ipdb_category(category_number):
+        # Reference: https://www.abuseipdb.com/categories
+        mapping = {
+            "3": "Fraud Orders",
+            "4": "DDOS Attack",
+            "5": "FTP Brute-Force",
+            "6": "Ping of Death",
+            "7": "Phishing",
+            "8": "Fraud VOIP",
+            "9": "Open Proxy",
+            "10": "Web Spam",
+            "11": "Email Spam",
+            "12": "Blog Spam",
+            "13": "VPN IP",
+            "14": "Port Scan",
+            "15": "Hacking",
+            "16": "SQL Injection",
+            "17": "Spoofing",
+            "18": "Brute Force",
+            "19": "Bad Web Bot",
+            "20": "Exploited Host",
+            "21": "Web App Attack",
+            "22": "SSH",
+            "23": "IoT Targeted",
+        }
+        return mapping.get(str(category_number), 'unknown category')
+
+    def run(self):
+
+        try:
+            if self.data_type == "ip":
+                api_key = self.get_param('config.key', None, 'Missing AbuseIPDB API key')
+                days_to_check = self.get_param('config.days', 30)
+                ip = self.get_data()
+                url = 'https://www.abuseipdb.com/check/{}/json?days={}'.format(ip, days_to_check)
+                response = requests.post(url, data = {'key': api_key})
+                if not (200 <= response.status_code < 300):
+                    self.error('Unable to query AbuseIPDB API\n{}'.format(response.text))
+                json_response = response.json()
+                # this is because in case there's only one result, the api gives back a list instead of a dict
+                response_list = json_response if isinstance(json_response, list) else [json_response]
+                for found in response_list:
+                    if 'category' in found:
+                        categories_strings = []
+                        for category in found['category']:
+                            categories_strings.append(self.extract_abuse_ipdb_category(category))
+                        found['categories_strings'] = categories_strings
+                self.report({'values': response_list})
+            else:
+                self.notSupported()
+        except Exception as e:
+            self.unexpectedError(e)
+
+    def summary(self, raw):
+        taxonomies = []
+
+        if raw and 'values' in raw and len(raw['values']) > 0 :
+            taxonomies.append(self.build_taxonomy('malicious', 'AbuseIPDB', 'Records', len(raw['values'])))
+        else:
+            taxonomies.append(self.build_taxonomy('safe', 'AbuseIPDB', 'Records', 0))
+
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    AbuseIPDBAnalyzer().run()

analyzers/AbuseIPDB/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

analyzers/BackscatterIO/BackscatterIO_Enrichment.json

@@ -0,0 +1,26 @@
+{
+    "name": "BackscatterIO_Enrichment",
+    "version": "1.0",
+    "author": "[email protected]",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "APLv2",
+    "description": "Enrich values using Backscatter.io data.",
+    "dataTypeList": ["ip", "network", "autonomous-system", "port"],
+    "baseConfig": "BackscatterIO",
+    "command": "BackscatterIO/backscatter-io.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for Backscatter.io",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": true,
+        "service": "enrichment"
+    }
+}

analyzers/BackscatterIO/BackscatterIO_GetObservations.json

@@ -0,0 +1,26 @@
+{
+    "name": "BackscatterIO_GetObservations",
+    "version": "1.0",
+    "author": "[email protected]",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "APLv2",
+    "description": "Determine whether a value has known scanning activity using Backscatter.io data.",
+    "dataTypeList": ["ip", "network", "autonomous-system"],
+    "baseConfig": "BackscatterIO",
+    "command": "BackscatterIO/backscatter-io.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for Backscatter.io",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": true,
+        "service": "observations"
+    }
+}

analyzers/BackscatterIO/backscatter-io.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from backscatter import Backscatter
+from collections import defaultdict, OrderedDict
+from cortexutils.analyzer import Analyzer
+
+
+class BackscatterAnalyzer(Analyzer):
+
+    """
+    Backscatter.io API docs: https://backscatter.io/developers
+    """
+
+    def __init__(self):
+        """Setup the Backscatter object."""
+        Analyzer.__init__(self)
+        self.api_key = self.get_param('config.key', None, 'No Backscatter.io API key provided.')
+        self.proxies = {
+            "https" : self.get_param("config.proxy_https"),
+            "http" : self.get_param("config.proxy_http")
+        }
+        kwargs = {'api_key': self.api_key, 'headers': {'X-Integration': 'TheHive'}}
+        if self.proxies['https'] or self.proxies['http']:
+            kwargs.update({'proxies': self.proxies})
+        self.bs = Backscatter(**kwargs)
+        self.service = self.get_param('config.service', None, 'Backscatter service is missing')
+
+    def run(self):
+        """Run the process to get observation data from Backscatter.io."""
+        kwargs = {'query': self.get_data()}
+        if self.data_type == "ip":
+            kwargs.update({'query_type': 'ip'})
+        elif self.data_type == "network":
+            kwargs.update({'query_type': 'network'})
+        elif self.data_type == 'autonomous-system':
+            kwargs.update({'query_type': 'asn'})
+        elif self.data_type == 'port':
+            kwargs.update({'query_type': 'port'})
+        else:
+            self.notSupported()
+            return False
+
+        if self.service == 'observations':
+            response = self.bs.get_observations(**kwargs)
+            self.report(response)
+        elif self.service == 'enrichment':
+            response = self.bs.enrich(**kwargs)
+            self.report(response)
+        else:
+            self.report({'error': 'Invalid service defined.'})
+
+    def summary(self, raw):
+        """Use the Backscatter.io summary data to create a view."""
+        taxonomies = list()
+        level = 'info'
+        namespace = 'Backscatter.io'
+
+        if self.service == 'observations':
+            summary = raw.get('results', dict()).get('summary', dict())
+            taxonomies = taxonomies + [
+                self.build_taxonomy(level, namespace, 'Observations', summary.get('observations_count', 0)),
+                self.build_taxonomy(level, namespace, 'IP Addresses', summary.get('ip_address_count', 0)),
+                self.build_taxonomy(level, namespace, 'Networks', summary.get('network_count', 0)),
+                self.build_taxonomy(level, namespace, 'AS', summary.get('autonomous_system_count', 0)),
+                self.build_taxonomy(level, namespace, 'Ports', summary.get('port_count', 0)),
+                self.build_taxonomy(level, namespace, 'Protocols', summary.get('protocol_count', 0))
+            ]
+        elif self.service == 'enrichment':
+            summary = raw.get('results', dict())
+            if self.data_type == 'ip':
+                taxonomies = taxonomies + [
+                    self.build_taxonomy(level, namespace, 'Network', summary.get('network')),
+                    self.build_taxonomy(level, namespace, 'Network Broadcast', summary.get('network_broadcast')),
+                    self.build_taxonomy(level, namespace, 'Network Size', summary.get('network_size')),
+                    self.build_taxonomy(level, namespace, 'Country', summary.get('country_name')),
+                    self.build_taxonomy(level, namespace, 'AS Number', summary.get('as_num')),
+                    self.build_taxonomy(level, namespace, 'AS Name', summary.get('as_name')),
+                ]
+            elif self.data_type == 'network':
+                taxonomies = taxonomies + [
+                    self.build_taxonomy(level, namespace, 'Network Size', summary.get('network_size'))
+                ]
+            elif self.data_type == 'autonomous-system':
+                taxonomies = taxonomies + [
+                    self.build_taxonomy(level, namespace, 'Prefix Count', summary.get('prefix_count')),
+                    self.build_taxonomy(level, namespace, 'AS Number', summary.get('as_num')),
+                    self.build_taxonomy(level, namespace, 'AS Name', summary.get('as_name'))
+                ]
+            elif self.data_type == 'port':
+                for result in raw.get('results', list()):
+                    display = "%s (%s)" % (result.get('service'), result.get('protocol'))
+                    taxonomies.append(self.build_taxonomy(level, namespace, 'Service', display))
+            else:
+                pass
+        else:
+            pass
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    BackscatterAnalyzer().run()

analyzers/BackscatterIO/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+backscatter

analyzers/SoltraEdge/Soltra_search.json

@@ -0,0 +1,47 @@
+{
+    "name": "SoltraEdge",
+    "version": "1.0",
+    "author": "Michael Stensrud, Nordic Financial CERT",
+    "url": "http://soltra.com/en/",
+    "license" : "AGPL-V3",
+    "description": "Query against Soltra Edge.",
+    "dataTypeList": ["domain", "ip", "url", "fqdn", "uri_path","user-agent", "hash", "email", "mail", "mail_subject" , "registry", "regexp", "other", "filename"],
+    "command": "SoltraEdge/soltra.py",
+    "baseConfig": "Soltra_Edge",
+    "config": {
+        "check_tlp": true,
+        "service": "search"
+    },
+    "configurationItems": [
+        {
+          "name": "token",
+          "description": "Define the Token Key",
+          "type": "string",
+          "multi": false,
+          "required": true
+        },
+        {
+            "name": "username",
+            "description": "Define the Username",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "base_url",
+            "description": "Base API URL for Soltra Edge Server. (Example: https://test.soltra.com/api/stix)",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://feed.yourdomain./api/stix"
+        },
+        {
+            "name": "verify_ssl",
+            "description": "Verify server certificate",
+            "type": "boolean",
+            "multi": false,
+            "required": true,
+            "defaultValue": true
+        }
+    ]
+}

analyzers/SoltraEdge/requirements.txt

@@ -0,0 +1,4 @@
+json
+base64
+requests
+cortexutils