[BugFix] HIBP Analyser no longer works

analyzers/HIBP/HIBP_Query.json

@@ -1,25 +1,51 @@
 {
-    "name": "HIBP_Query",
-    "version": "1.0",
-    "author": "Matt Erasmus",
-    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-    "license": "AGPL-V3",
-    "description": "Query haveibeenpwned.com for a compromised email address",
-    "dataTypeList": ["mail"],
-    "baseConfig": "HIBP",
-    "config": {
-      "service": "query",
-      "url": "https://haveibeenpwned.com/api/v2/breachedaccount/"
+  "name": "HIBP_Query",
+  "version": "2.0",
+  "author": "Matt Erasmus, Jonas Hergenhahn",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Query haveibeenpwned.com for a compromised email address",
+  "dataTypeList": [
+    "mail"
+  ],
+  "baseConfig": "HIBP",
+  "config": {
+    "service": "query",
+    "url": "https://haveibeenpwned.com/api/v3/breachedaccount/"
+  },
+  "command": "HIBP/hibpquery_analyzer.py",
+  "configurationItems": [
+    {
+      "name": "unverified",
+      "description": "Include unverified breaches",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": true
     },
-    "command": "HIBP/hibpquery_analyzer.py",
-    "configurationItems": [
-        {
-          "name": "unverified",
-          "description": "Include unverified breaches",
-          "type": "boolean",
-          "multi": false,
-          "required": true,
-          "defaultValue": true
-        }
-    ]
+    {
+      "name": "truncate",
+      "description": "Truncated response means only the name of data breaches",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false
+    },
+    {
+      "name": "api_key",
+      "description": "Api key for hibp",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": ""
+    },
+    {
+      "name": "retries",
+      "description": "Retries to request api while getting status code 429",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 5
+    }
+  ]
 }

analyzers/HIBP/hibpquery_analyzer.py

@@ -1,6 +1,6 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # encoding: utf-8
-import json
+import time
 import requests
 import ast
 
@@ -14,17 +14,17 @@ def __init__(self):
         self.service = self.get_param('config.service', None, 'Service parameter is missing')
         self.api_url = self.get_param('config.url', None, 'Missing API URL')
         self.unverified = self.get_param('config.unverified', None, 'Missing Unverified option')
+        self.truncate = self.get_param('config.truncate', None, 'Missing Truncate option')
+        self.api_key = self.get_param('config.api_key', None, 'Missing Api Key')
+        self.retries = self.get_param('config.retries', 5, 'Missing Retries option')
 
     @staticmethod
     def cleanup(return_data):
 
         response = dict()
         matches = []
-        found = False
-        count = 0
 
         for entry in return_data:
-            found = True
             x = ast.literal_eval(str(entry))
             matches.append(x)
 
@@ -36,14 +36,14 @@ def hibp_query(self, data):
         results = dict()
 
         try:
-            if self.unverified == True:
-                unverified = '?includeUnverified=true'
-            else:
-                unverified = ''
 
-            hibpurl = self.api_url + data + unverified
+            hibpurl = '{}{}?includeUnverified={}&truncateResponse={}'.format(
+                self.api_url, data, self.unverified, self.truncate
+            )
+
             headers = {
-                'User-Agent': 'HIBP-Cortex-Analyzer'
+                'User-Agent': 'HIBP-Cortex-Analyzer',
+                'hibp-api-key': self.api_key
             }
 
             _query = requests.get(hibpurl, headers=headers)
@@ -54,6 +54,20 @@ def hibp_query(self, data):
                     return self.cleanup(_query.json())
             elif _query.status_code == 404:
                 return dict()
+            elif _query.status_code == 429:
+                retry_after = _query.headers.get('retry-after')
+
+                # if header retry-after is missing
+                if retry_after is None:
+                    retry_after = 0
+
+                self.retries = self.retries - 1
+                if self.retries < 0:
+                    self.error('API Access error: %s' % _query.text)
+
+                # recursive call after waiting
+                time.sleep(retry_after)
+                return self.hibp_query(data)
             else:
                 self.error('API Access error: %s' % _query.text)
 

thehive-templates/HIBP_Query_1_0/long.html → thehive-templates/HIBP_Query_2_0/long.html

@@ -11,7 +11,7 @@
         <p ng-if="content.CompromisedAccounts.length > 0">
           Compromised Accounts: {{content.CompromisedAccounts.length}}
         </p>
-        <table class="table" ng-if="content.CompromisedAccounts && content.CompromisedAccounts.length > 0">
+        <table class="table" ng-if="content.CompromisedAccounts && content.CompromisedAccounts.length > 0 && content.CompromisedAccounts[0].hasOwnProperty('IsVerified')">
             <thead>
                 <th width="120px">IsVerified</th>
                 <th>PwnCNT</th>
@@ -40,6 +40,16 @@
                 </tr>
             </tbody>
         </table>
+        <table class="table" ng-if="content.CompromisedAccounts && content.CompromisedAccounts.length > 0 && !content.CompromisedAccounts[0].hasOwnProperty('IsVerified')">
+            <thead>
+                <th>Name</th>
+            </thead>
+            <tbody ng-repeat="r in content.CompromisedAccounts">
+                <tr>
+                    <td>{{r.Name}}</td>
+                </tr>
+            </tbody>
+        </table>
     </div>
 </div>