Analyzer for Sophos Intelix

analyzers/SophosIntelix/SophosIntelix_GetReport.json

@@ -0,0 +1,38 @@
+{
+  "name": "SophosIntelix_GetReport",
+  "version": "0.3",
+  "author": "SOL",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Fast and easy way to find out if the file is known Good, PUA (Potentially Unwanted Application), or, Malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx",
+  "dataTypeList": ["hash", "domain", "fqdn", "url"],
+  "command": "SophosIntelix/intelix_analyzer.py",
+  "baseConfig": "SophosIntelix",
+  "config": {
+    "service": "get"
+  },
+  "configurationItems": [
+    {
+      "name": "clientID",
+      "description": "Client ID for Sophos Labs Intelix",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "clientSecret",
+      "description": "Client Secret for Sophos Labs Intelix",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "polling_interval",
+      "description": "Define time interval between two requests attempts for the report",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 60
+    }
+  ]
+}

analyzers/SophosIntelix/SophosIntelix_Submit_Dynamic.json

@@ -0,0 +1,38 @@
+{
+  "name": "SophosIntelix_Submit_Dynamic",
+  "version": "0.1",
+  "author": "SOL",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Detonate your suspicious file in SophosLabs Sandbox and find what behaviours the file has. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx",
+  "dataTypeList": ["file"],
+  "command": "SophosIntelix/intelix_analyzer.py",
+  "baseConfig": "SophosIntelix",
+  "config": {
+    "service": "submit_dynamic"
+  },
+  "configurationItems": [
+    {
+      "name": "clientID",
+      "description": "Client ID for Sophos Labs Intelix",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "clientSecret",
+      "description": "Client Secret for Sophos Labs Intelix",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "polling_interval",
+      "description": "Define time interval between two requests attempts for the report",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 60
+    }
+  ]
+}

analyzers/SophosIntelix/SophosIntelix_Submit_Static.json

@@ -0,0 +1,38 @@
+{
+  "name": "SophosIntelix_Submit_Static",
+  "version": "0.1",
+  "author": "SOL",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use SophosLabs machine learning to understand the characteristics of your suspicious file allowing you to see if the file is similar to known malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx",
+  "dataTypeList": ["file"],
+  "command": "SophosIntelix/intelix_analyzer.py",
+  "baseConfig": "SophosIntelix",
+  "config": {
+    "service": "submit_static"
+  },
+  "configurationItems": [
+    {
+      "name": "clientID",
+      "description": "Client ID for Sophos Labs Intelix",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "clientSecret",
+      "description": "Client Secret for Sophos Labs Intelix",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "polling_interval",
+      "description": "Define time interval between two requests attempts for the report",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 60
+    }
+  ]
+}

analyzers/SophosIntelix/intelix_analyzer.py

@@ -0,0 +1,159 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+import intelix
+import time
+from cortexutils.analyzer import Analyzer
+
+
+class SophosIntelixAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.service = self.get_param('config.service', None, 'Service parameter is missing')
+        self.clientId = self.get_param('config.clientID', None, 'ClientId is Missing')
+        self.clientSecret = self.get_param('config.clientSecret', None, 'Client Secret is Missing')
+        self.polling_interval = self.get_param('config.polling_interval', 60)
+        try:
+            self.ic = intelix.client(self.clientId, self.clientSecret)
+        except Exception as e:
+            error = str(e)
+            self.error('Error: {}'.format(error))
+
+    def run(self):
+        if self.service == 'get':
+            if self.data_type == 'hash':
+                try:
+                    data = self.get_data()
+                    try:
+                        self.ic.file_lookup(data)
+                        self.report({
+                            "file_hash": data,
+                            "reputation_score": self.ic.reputationScore,
+                            "classification": self.ic.classification
+                        })
+                    except TypeError:
+                        self.report({
+                            "file_hash": data,
+                            "reputation_score": "None",
+                            "classification": "Unknown"
+                        })
+                except Exception as e:
+                    error = str(e)
+                    self.error('Error: {}'.format(error))
+
+            elif self.data_type in ('domain', 'fqdn', 'url'):
+                try:
+                    data = self.get_data()
+                    self.ic.url_lookup(data)
+                    self.report({
+                        "prod_category": self.ic.productivityCategory,
+                        "sec_category": self.ic.securityCategory,
+                        "risk_level": self.ic.riskLevel
+                    })
+                except:
+                    self.error('Error running URL lookup on {}'.format(data))
+            else:
+                self.error('Unsupported Data Type')
+        elif self.service == "submit_static":
+            filepath = self.get_param('file', None, 'File is missing')
+            self.ic.submit_file(filepath, "static")
+            self.ic.file_report_by_jobid(self.ic.jobId, "static")
+
+            while self.ic.report is None:
+                time.sleep(self.polling_interval)
+                self.ic.file_report_by_jobid(self.ic.jobId, "static")
+            else:
+                self.report(self.ic.report)
+
+        elif self.service == "submit_dynamic":
+            filepath = self.get_param('file', None, 'File is missing')
+            self.ic.submit_file(filepath, "dynamic")
+            self.ic.file_report_by_jobid(self.ic.jobId, "dynamic")
+
+            while self.ic.report is None:
+                time.sleep(self.polling_interval)
+                self.ic.file_report_by_jobid(self.ic.jobId, "dynamic")
+            else:
+                self.report(self.ic.report)
+        else:
+            self.error('Invalid Service Type')
+
+    def summary(self, raw):
+
+        taxonomies = []
+        namespace = "Intelix"
+
+        if self.service == 'get':
+            if self.data_type in ('domain', 'fqdn', 'url'):
+                if self.ic.riskLevel == "UNCLASSIFIED":
+                    level = "info"
+                elif self.ic.riskLevel == "TRUSTED":
+                    level = "safe"
+                elif self.ic.riskLevel == "LOW":
+                    level = "info"
+                elif self.ic.riskLevel == "MEDIUM":
+                    level = "suspicious"
+                elif self.ic.riskLevel == "HIGH":
+                    level = "malicious"
+                else:
+                    level = "info"
+
+                result = {
+                    "has_result": True
+                }
+
+                predicate = "RiskLevel"
+                value = "{}".format(self.ic.riskLevel)
+
+                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+                return {"taxonomies": taxonomies}
+
+            elif self.data_type == 'hash':
+                if (self.ic.reputationScore <= 19):
+                    level = "malicious"
+                elif (self.ic.reputationScore > 19 and self.ic.reputationScore <= 29):
+                    level = "suspicious"
+                elif (self.ic.reputationScore > 29 and self.ic.reputationScore <= 69):
+                    level = "suspicious"
+                elif (self.ic.reputationScore > 69 and self.ic.reputationScore <= 100):
+                    level = "safe"
+                else:
+                    level = "info"
+
+                result = {
+                    "has_result": True
+                }
+
+                predicate = "Score"
+                value = "{} - {}".format(self.ic.reputationScore, self.ic.classification)
+
+                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+                return {"taxonomies": taxonomies}
+
+        elif (self.service == "submit_static") or (self.service == "submit_dynamic"):
+
+            result = {
+                "has_result": True
+            }
+
+            predicate = "Score"
+            value = "{}".format(self.ic.report.get("score"))
+
+            if (self.ic.report.get("score") <= 19):
+                level = "malicious"
+            elif (self.ic.report.get("score") > 19 and self.ic.report.get("score") <= 29):
+                level = "suspicious"
+            elif (self.ic.report.get("score") > 29 and self.ic.report.get("score") <= 69):
+                level = "suspicious"
+            elif (self.ic.report.get("score") > 69 and self.ic.report.get("score") <= 100):
+                level = "safe"
+            else:
+                level = "info"
+
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+            return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    SophosIntelixAnalyzer().run()

analyzers/SophosIntelix/requirements.txt

@@ -0,0 +1,3 @@
+cortexutils
+requests
+intelix

thehive-templates/SophosIntelix_GetReport_0_3/long.html

@@ -0,0 +1,31 @@
+	<div class="panel panel-danger" ng-if="!success">
+   <div class="panel-heading">
+      <strong>{{artifact.data | fang}}</strong>
+   </div>
+   <div class="panel-body">
+      {{content.errorMessage}}
+   </div>
+</div>
+<div class="panel panel-primary" ng-if="success">
+   <div class="panel-info">
+      <div class="panel-heading">
+         <strong>Report for {{artifact.data | fang}} </strong>
+      </div>
+      <div class="panel-body">
+         <dl ng-if="::['domain', 'fqdn', 'url'].indexOf(artifact.dataType) != -1">
+            <dt>Productivity Category</dt>
+            <dd>{{content.prod_category || "No Data"}}</dd>
+            <dt>Security Category</dt>
+            <dd>{{content.sec_category || "No Data"}}</dd>
+            <dt>Risk Level</dt>
+            <dd>{{content.risk_level || "No Data"}}</dd>
+         </dl>
+      </div>
+      <div class="panel-body">
+         <dl ng-if="::artifact.dataType === 'hash'">
+            <dt>File Classification</dt>
+            <dd>{{content.classification || "No Data"}}</dd>
+         </dl>
+      </div>
+   </div>
+</div> 

thehive-templates/SophosIntelix_GetReport_0_3/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+{{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>