From bb44e7dd334e0505d1b99a6514255a2907e0954f Mon Sep 17 00:00:00 2001
From: Matteo Lodi
Date: Mon, 24 Jun 2019 14:38:44 +0200
Subject: [PATCH 1/2] added IntezerCommunity analyzer
---
 .../IntezerCommunity/IntezerCommunity.json | 25 ++++++
 .../IntezerCommunity/intezer_community.py | 82 +++++++++++++++++++
 analyzers/IntezerCommunity/requirements.txt | 2 +
 .../IntezerCommunity_1_0/long.html | 42 ++++++++++
 .../IntezerCommunity_1_0/short.html | 3 +
 5 files changed, 154 insertions(+)
 create mode 100644 analyzers/IntezerCommunity/IntezerCommunity.json
 create mode 100644 analyzers/IntezerCommunity/intezer_community.py
 create mode 100644 analyzers/IntezerCommunity/requirements.txt
 create mode 100644 thehive-templates/IntezerCommunity_1_0/long.html
 create mode 100644 thehive-templates/IntezerCommunity_1_0/short.html
diff --git a/analyzers/IntezerCommunity/IntezerCommunity.json b/analyzers/IntezerCommunity/IntezerCommunity.json
new file mode 100644
index 000000000..26ed32b31
--- /dev/null
+++ b/analyzers/IntezerCommunity/IntezerCommunity.json
@@ -0,0 +1,25 @@
+{
+ "name": "IntezerCommunity",
+ "version": "1.0",
+ "author": "Matteo Lodi",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-v3",
+ "description": "Analyze a possible malicious file with Intezer Analyzer",
+ "dataTypeList": ["file"],
+ "baseConfig": "IntezerCommunity",
+ "command": "IntezerCommunity/intezer_community.py",
+ "configurationItems": [
+ {
+ "name": "key",
+ "description": "API key for Intezer",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ],
+ "config": {
+ "check_tlp": true,
+ "max_tlp": 2,
+ "auto_extract": false
+ }
+}
\ No newline at end of file
diff --git a/analyzers/IntezerCommunity/intezer_community.py b/analyzers/IntezerCommunity/intezer_community.py
new file mode 100644
index 000000000..a1e962470
--- /dev/null
+++ b/analyzers/IntezerCommunity/intezer_community.py
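Review bot: `"max_tlp": 2` allows files marked up to TLP:AMBER to be uploaded to Intezer's hosted service, and nothing in the analyzer description tells the operator that the sample leaves their environment. If the community tier shares or retains submitted samples (I cannot confirm that from this diff), `"max_tlp": 1` would be the safer default; either way the description should say so, e.g. `"description": "Analyze a possible malicious file with Intezer Analyzer (the file is uploaded to Intezer's cloud service)"`. The `check_tlp: true` setting is what makes this limit effective, so it should stay enabled.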
@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+
+import requests
+import time
+import os
+
+from cortexutils.analyzer import Analyzer
+
+
+class IntezerCommunityAnalyzer(Analyzer):
+ """
+ Intezer Community APIs: https://analyze.intezer.com/api/docs/documentation
+ """
+
+ def run(self):
+
+ try:
+
+ if self.data_type == 'file':
+ api_key = self.get_param('config.key', None, 'Missing Intezer API key')
+ filepath = self.get_param('file', None, 'File is missing')
+ filename = self.get_param('filename', os.path.basename(filepath))
+
+ base_url = 'https://analyze.intezer.com/api/v2-0'
+ # this should be done just once in a day, but we cannot do that with Cortex Analyzers
+ response = requests.post(base_url + '/get-access-token', json={'api_key': api_key})
+ response.raise_for_status()
+ session = requests.session()
+ session.headers['Authorization'] = session.headers['Authorization'] = 'Bearer %s' % response.json()[
+ 'result']
+
+ with open(filepath, 'rb') as file_to_upload:
+ files = {'file': (filename, file_to_upload)}
+ response = session.post(base_url + '/analyze', files=files)
+ if response.status_code != 201:
+ self.error('Error sending file to Intezer Analyzer\n{}'.format(response.text))
+
+ while response.status_code != 200:
+ time.sleep(3)
+ result_url = response.json()['result_url']
+ response = session.get(base_url + result_url)
+ response.raise_for_status()
+
+ report = response.json()
+ self.report(report)
+
+ else:
+ self.notSupported()
+
+ except requests.HTTPError as e:
+ self.error(e)
+ except Exception as e:
+ self.unexpectedError(e)
+
+ def summary(self, raw):
+ taxonomies = []
+ namespace = 'IntezerCommunity'
+
+ if 'status' in raw and raw['status'] == 'succeeded':
+ predicate = 'Analysis succeeded'
+ else:
+ predicate = 'Analysis failed'
+
+ level = 'info'
+ value = 'no family'
+ if 'result' in raw:
+ if 'verdict' in raw['result']:
+ level = raw['result']['verdict']
+ if level == 'trusted':
+ level = 'safe'
+ if level not in ['info', 'safe', 'suspicious', 'malicious']:
+ level = 'info'
+ if 'family_name' in raw['result']:
+ value = raw['result']['family_name']
+
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+ return {'taxonomies': taxonomies}
+
+
+if __name__ == '__main__':
+ IntezerCommunityAnalyzer().run()
diff --git a/analyzers/IntezerCommunity/requirements.txt b/analyzers/IntezerCommunity/requirements.txt
new file mode 100644
index 000000000..580238893
--- /dev/null
+++ b/analyzers/IntezerCommunity/requirements.txt
@@ -0,0 +1,2 @@
+requests
+cortexutils
\ No newline at end of file
diff --git a/thehive-templates/IntezerCommunity_1_0/long.html b/thehive-templates/IntezerCommunity_1_0/long.html
new file mode 100644
index 000000000..feb229df4
--- /dev/null
+++ b/thehive-templates/IntezerCommunity_1_0/long.html
@@ -0,0 +1,42 @@
+
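Review bot: The polling loop `while response.status_code != 200:` in `run()` has no upper bound and none of the `requests` calls pass `timeout=`, so an analysis that stays queued on Intezer's side, or a connection that stalls, blocks the Cortex job indefinitely. A deadline around the loop plus a per-request timeout turns that into a reportable error; the rewritten loop is below, and the token request and file upload should get the same `timeout=` keyword. Separately, `self.error(e)` in the `except requests.HTTPError` branch hands the exception object to a handler that, in the cortexutils versions I know, serializes the message with `json.dump`, so it would likely fail with a TypeError instead of emitting a clean error — `self.error(str(e))` avoids that. The duplicated assignment `session.headers['Authorization'] = session.headers['Authorization'] = ...` can be collapsed to a single assignment.

```python
                    # … unchanged: token request, session setup and file upload …

                    # Constructed example value: bound the wait so a queued or stuck analysis
                    # cannot hold the Cortex job forever.
                    max_wait_seconds = 600
                    deadline = time.monotonic() + max_wait_seconds
                    while response.status_code != 200:
                        if time.monotonic() > deadline:
                            self.error('Timed out after {}s waiting for Intezer analysis result'.format(max_wait_seconds))
                        time.sleep(3)
                        result_url = response.json()['result_url']
                        response = session.get(base_url + result_url, timeout=30)
                        response.raise_for_status()

                    # … unchanged: report and summary …
```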
+
+ Intezer Analysis Results +
+
+
+
Verdict
+
{{content.result.verdict}}
+
+
+
Sub-verdict
+
{{content.result.sub_verdict}}
+
+
+
Family
+
{{content.result.family_score}}
+
+
+
+
+
+ Intezer Analysis Results +
+
+ No result +
+
+ + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+
+
Intezer:
+
{{content.errorMessage}}
+
+
+
+ + diff --git a/thehive-templates/IntezerCommunity_1_0/short.html b/thehive-templates/IntezerCommunity_1_0/short.html new file mode 100644 index 000000000..3dfae10bf --- /dev/null +++ b/thehive-templates/IntezerCommunity_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" +  From 86d92e083689ac4dca9118e32392489372a29f84 Mon Sep 17 00:00:00 2001 From: Matteo Lodi Date: Mon, 24 Jun 2019 14:50:05 +0200 Subject: [PATCH 2/2] put the correct malware family key --- thehive-templates/IntezerCommunity_1_0/long.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/thehive-templates/IntezerCommunity_1_0/long.html b/thehive-templates/IntezerCommunity_1_0/long.html index feb229df4..06d9d8e82 100644 --- a/thehive-templates/IntezerCommunity_1_0/long.html +++ b/thehive-templates/IntezerCommunity_1_0/long.html @@ -13,7 +13,7 @@
Family
-
{{content.result.family_score}}
+
{{content.result.family_name}}