diff --git a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json index 0eed41a42..d6e6c053c 100644 --- a/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json +++ b/analyzers/DomainToolsIris/DomainToolsIris_Pivot.json @@ -25,14 +25,6 @@ "type": "string", "multi": false, "required": true - }, - { - "name": "pivot_count_threshold", - "description": "Pivot count threshold.", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 500 } ] } \ No newline at end of file diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json new file mode 100644 index 000000000..be634926d --- /dev/null +++ b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json @@ -0,0 +1,21 @@ +{ + "name": "DomainToolsIris_AddRiskyDNSTag", + "version": "1.0", + "author": "DomainTools", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Add Tag saying that the case contains a risky DNS.", + "dataTypeList": ["thehive:case_artifact"], + "command": "DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py", + "baseConfig": "DomainToolsIris", + "configurationItems": [ + { + "name": "high_risk_threshold", + "description": "Risk score threshold to be considered high risk.", + "type": "number", + "multi": false, + "required": false, + "defaultValue": 70 + } + ] +} \ No newline at end of file diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py new file mode 100644 index 000000000..38062a18c --- /dev/null +++ b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py @@ -0,0 +1,41 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + + +from cortexutils.responder import Responder + + +class DomainToolsIris(Responder): + def __init__(self): + Responder.__init__(self) + + def run(self): + Responder.run(self) + if self.get_param("data.dataType") == "domain": + self.report({"data": self.get_data()}) + else: + self.report({"data": 'Can only operate on "domain" observables'}) + + def operations(self, raw): + build_list = [] + taxonomies = ( + raw.get("data", {}) + .get("reports", {}) + .get("DomainToolsIris_Investigate_1_0", {}) + .get("taxonomies", None) + ) + + for x in taxonomies: + if x["predicate"] == "Risk Score": + if int(x["value"]) > int(self.get_param("config.high_risk_threshold")): + build_list.append( + self.build_operation("AddTagToCase", tag="DT:Risky DNS") + ) + build_list.append( + self.build_operation("AddTagToArtifact", tag="DT:Risky DNS") + ) + return build_list + + +if __name__ == "__main__": + DomainToolsIris().run() diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt b/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt new file mode 100644 index 000000000..e69de29bb diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json new file mode 100644 index 000000000..402bfa357 --- /dev/null +++ b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json @@ -0,0 +1,20 @@ +{ + "name": "DomainToolsIris_CheckMaliciousTags", + "version": "1.0", + "author": "DomainTools", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.", + "dataTypeList": ["thehive:case_artifact"], + "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py", + "baseConfig": "DomainToolsIris", + "configurationItems": [ + { + "name": "monitored_iris_tags", + "description": "Monitored Iris tags.", + "type": "string", + "multi": true, + "required": false + } + ] +} \ No newline at end of file diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py new file mode 100644 index 000000000..8490a0a24 --- /dev/null +++ b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python3 +# encoding: utf-8 + + +from cortexutils.responder import Responder + + +class DomainToolsIris(Responder): + def __init__(self): + Responder.__init__(self) + + def run(self): + Responder.run(self) + if self.get_param("data.dataType") == "domain": + self.report({"data": self.get_data()}) + else: + self.report({"data": 'Can only operate on "domain" observables'}) + + def operations(self, raw): + build_list = [] + taxonomies = ( + raw.get("data", {}) + .get("reports", {}) + .get("DomainToolsIris_Investigate_1_0", {}) + .get("taxonomies", None) + ) + + for x in taxonomies: + if x["predicate"] == "IrisTags": + malicious_tags_set = set(self.get_param("config.monitored_iris_tags")) + domain_tags_set = set(x["value"].split(",")) + + if len(malicious_tags_set.intersection(domain_tags_set)): + build_list.append( + self.build_operation( + "AddTagToArtifact", tag="DT:Malicious Domain" + ) + ) + build_list.append( + self.build_operation("AddTagToCase", tag="DT:Malicious Domain") + ) + return build_list + + +if __name__ == "__main__": + DomainToolsIris().run() diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt new file mode 100644 index 000000000..e69de29bb