LdapQuery Analyzer #589
LdapQuery Analyzer #589
Conversation
|
Hello @cyberpescadito Thanks for the PR, is it possible to add a PR for https://github.com/TheHive-Project/CortexDocs/blob/master/analyzer_requirements.md |
analyzers/LdapQuery/LdapQuery.py
Outdated
| namespace = "LDAP" | ||
| predicate = "Query" | ||
| value = "Success" | ||
| taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) |
There was a problem hiding this comment.
Is there any useful information you can put as the value of that taxonomie? probably the cn or the uid?
There was a problem hiding this comment.
I agree it would be strange to not include "cn" value in attributes list to fetch from the LDAP, but if "cn" isn't declared in "attributes" list by the admin in cortex analyzer configuration it could break the summary. So i chosen to not include any value of LDAP there.
What is your point of view? should I change de program design to enforce "cn" attribute fetching ?
There was a problem hiding this comment.
No, the idea was to make that taxonomie meaningful/useful.
If it will be always: Ldap:Query=Success then it's not worth it.
I would make a taxonomy like: LdapQuery:cn=XXX or LdapQuery:ATTRIBUTE_NAME=ARRTIBUTE_VALUE or nothing
There was a problem hiding this comment.
is value a mandatory attribute of taxonomies?
There was a problem hiding this comment.
Note sure, but the taxonomy aims to provide important info, without having to read the full report. You can probably show a taxonomy for important attributes if they exist?
There was a problem hiding this comment.
Also I'm not sure how summary can receive taxonomies_values as parameter.
Probably you can add taxonomies_values as class variable and use it here with self.taxonomies_values
To-om
force-pushed
the
develop
branch
3 times, most recently
from
fb8f5aa to
23be632
Compare
analyzers/LdapQuery/LdapQuery.py
Outdated
| l.protocol_version = ldap.VERSION3 | ||
| l.simple_bind_s(self.username, self.password) | ||
| valid = True | ||
| except ldap.LDAPError, e: |
There was a problem hiding this comment.
I think this should be:
except ldap.LDAPError as e:
analyzers/LdapQuery/LdapQuery.py
Outdated
| queryResult[strnew]=queryResult.pop(str) | ||
|
|
||
| # Find a value to return in value attribute of taxonomies object | ||
| if o in queryResult: |
There was a problem hiding this comment.
I think o, cn and mail are strings and not variable in this case.
So they should be 'o', 'cn' and 'mail', correct?
analyzers/LdapQuery/LdapQuery.py
Outdated
| namespace = "LDAP" | ||
| predicate = "Query" | ||
| value = "Success" | ||
| taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) |
There was a problem hiding this comment.
Also I'm not sure how summary can receive taxonomies_values as parameter.
Probably you can add taxonomies_values as class variable and use it here with self.taxonomies_values
|
I updated your pull following our discussion.
|
Hello,
Today I wanna share a simple LdapQuery analyzer. It's useful to get the context of an user from your organization for investigations purposes.
Configure it:
Run in TheHive:
-Declare an observable (accepted types: username & email address)
-Run the Analyzer