TheHive-Project · jeromeleonard · Jun 14, 2020 · May 26, 2020
diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json
@@ -1,8 +1,8 @@
 {
   "name": "WOT_Lookup",
-  "version": "1.0",
-  "author": "Andrea Garavaglia, LDO-CERT",
-  "url": "https://github.com/garanews/Cortex-Analyzers",
+  "version": "2.0",
+  "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Use Web of Trust to check a domain's reputation.",
   "dataTypeList": ["domain", "fqdn"],
@@ -12,6 +12,13 @@
       "service": "query"
   },
   "configurationItems": [
+    {
+      "name": "user",
+      "description": "Define the API user",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },    
     {
       "name": "key",
       "description": "Define the API key",

diff --git a/analyzers/WOT/WOT_lookup.py b/analyzers/WOT/WOT_lookup.py
@@ -9,99 +9,55 @@
 class WOTAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
+        self.WOT_id = self.get_param('config.user', None,
+                                      'Missing WOT API user')        
         self.WOT_key = self.get_param('config.key', None,
                                       'Missing WOT API key')
-        self.categories = {
-            "101": "Malware or viruses",
-            "102": "Poor customer experience",
-            "103": "Phishing",
-            "104": "Scam",
-            "105": "Potentially illegal",
-            "201": "Misleading claims or unethical",
-            "202": "Privacy risks",
-            "203": "Suspicious",
-            "204": "Hate, discrimination",
-            "205": "Spam",
-            "206": "Potentially unwanted programs",
-            "207": "Ads / pop-ups",
-            "301": "Online tracking",
-            "302": "Alternative or controversial medicine",
-            "303": "Opinions, religion, politics",
-            "304": "Other",
-            "401": "Adult content",
-            "402": "Incidental nudity",
-            "403": "Gruesome or shocking",
-            "404": "Site for kids",
-            "501": "Good site"
-        }
-
-    def points_to_verbose(self, points):
-        if points >= 80:
-            return "Excellent"
-        elif points >= 60:
-            return "Good"
-        elif points >= 40:
-            return "Unsatisfactory"
-        elif points >= 20:
-            return "Poor"
-        else:
-            return "Very poor"
 
     def wot_checkurl(self, data):
-        url = 'http://api.mywot.com/0.4/public_link_json2?hosts=' + data + '/&callback=process&key=' + self.WOT_key
-        r = requests.get(url)
-        return json.loads(r.text.replace("process(", "").replace(")", ""))
+        url = 'http://scorecard.api.mywot.com/v3/targets?t={}'.format(data)
+        headers = {
+            'x-user-id': self.WOT_id,
+            'x-api-key': self.WOT_key
+        }
+        r = requests.get(url, headers=headers)
+        if r.status_code == 200:
+            return r.json()[0]
+        else:
+            self.error("{}{}".format(r.status_code, r.text))
 
     def summary(self, raw):
         taxonomies = []
         value = "-"
+        level = "info"
 
-        categories = raw.get("Categories", None)
-        blacklists = raw.get("Blacklists", None)
-        num_categories = raw.get("Categories Identifier", None)
+        categories = [x.get('name', None) for x in raw.get("categories", [])]
+        blacklists = raw.get("blackList", [])
+        min_categories = min([x.get('id', 501) for x in raw.get("categories", [])])
 
         if categories:
-            value = "|".join(categories)
-        if blacklists:
-            value = "|".join([x[0] for x in blacklists])
-            level = "malicious"
-        else:
-            if num_categories:
-                min_cat = min([int(x) for x in num_categories])
-            else:
-                min_cat = 501
+            value = "|".join(categories)         
             if min_cat > 300:
                 level = "safe"
             elif min_cat > 200:
                 level = "suspicious"
             else:
                 level = "malicious"
 
+        if blacklists:
+            value = "|".join(blacklists)
+            level = "malicious"
+
+
         taxonomies.append(self.build_taxonomy(level, "WOT", "Category", "{}".format(value)))
         return {"taxonomies": taxonomies}
 
     def run(self):
         if self.data_type in ['domain', 'fqdn']:
             data = self.get_param('data', None, 'Data is missing')
             r = self.wot_checkurl(data)
-            if data in r.keys():
-                info = r[data]
-                r_dict = {}
-                if '0' in info.keys():
-                    r_dict['Trustworthiness'] = {}
-                    r_dict['Trustworthiness']['Reputation'] = self.points_to_verbose(info['0'][0])
-                    r_dict['Trustworthiness']['Confidence'] = self.points_to_verbose(info['0'][1])
-                if '4' in info.keys():
-                    r_dict['Child_Safety'] = {}
-                    r_dict['Child_Safety']['Reputation'] = self.points_to_verbose(info['4'][0])
-                    r_dict['Child_Safety']['Confidence'] = self.points_to_verbose(info['4'][1])
-                if 'blacklists' in info.keys():
-                    r_dict['Blacklists'] = [(k, datetime.datetime.fromtimestamp(v).strftime('%Y-%m-%d %H:%M:%S'))
-                                            for k, v in info['blacklists'].items()]
-                if 'categories' in info.keys():
-                    r_dict['Categories'] = [self.categories[x] for x in list(info['categories'].keys())]
-                    r_dict['Categories Identifier'] = list(info['categories'].keys())
-                self.report(r_dict)
+            if r:
+                self.report(r)
         else:
             self.error('Invalid data type')
 

diff --git a/analyzers/WOT/requirements.txt b/analyzers/WOT/requirements.txt
@@ -1 +1,2 @@
 cortexutils
+requests
diff --git a/thehive-templates/WOT_Lookup_1_0/long.html → thehive-templates/WOT_Lookup_2_0/long.html b/thehive-templates/WOT_Lookup_1_0/long.html → thehive-templates/WOT_Lookup_2_0/long.html
@@ -7,48 +7,49 @@
 
     <div class="panel panel-info">
         <div class="panel-heading">
-            <strong>General Information</strong>
+            <strong>General Information for {{content.target}}</strong>
         </div>
         <div class="panel-body">
 
-            <div ng-if="content.Trustworthiness">
-                <h4>Trustworthiness</h4>
+            <div ng-if="content.safety">
+                <h4>Safety</h4>
                 <dl class="dl-horizontal">
-                    <dt>Reputation</dt>
-                    <dd>{{content.Trustworthiness.Reputation}}</dd>
+                    <dt>Status</dt>
+                    <dd>{{content.safety.status}}</dd>
                 </dl>
                 <dl class="dl-horizontal">
-                    <dt>Confidence</dt>
-                    <dd>{{content.Trustworthiness.Confidence}}</dd>
+                    <dt>Reputations</dt>
+                    <dd>{{content.safety.reputations}}</dd>
                 </dl>   
+                <dl class="dl-horizontal">
+                    <dt>Confidence</dt>
+                    <dd>{{content.safety.confidence}}</dd>
+                </dl>                   
             </div>
 
-            <div ng-if="content.Child_Safety">
+            <div ng-if="content.childSafety">
                 <h4>Child Safety</h4>
                 <dl class="dl-horizontal">
                     <dt>Reputation</dt>
-                    <dd>{{content.Child_Safety.Reputation}}</dd>
+                    <dd>{{content.childSafety.reputations}}</dd>
                 </dl>
                 <dl class="dl-horizontal">
                     <dt>Confidence</dt>
-                    <dd>{{content.Child_Safety.Confidence}}</dd>
+                    <dd>{{content.childSafety.confidence}}</dd>
                 </dl>   
             </div>
 
-            <div ng-if="content.Blacklists">
+            <div ng-if="content.blackList">
                 <h4>Blacklists</h4>
-                <br>
-                <dl class="dl-horizontal" ng-repeat="blk in content.Blacklists track by $index">
-                    <dt>{{ blk[0] }}</dt>
-                    <dd>{{ blk[1] }}</dd>
-                </dl>
+                <p><span class="label label-primary" ng-repeat="blk in content.blackList">{{blk}}</span></p>
             </div>           
 
-            <div ng-if="content.Categories">
+            <div ng-if="content.categories">
                 <h4>Categories</h4>
                 <br>
-                <dl class="dl-horizontal" ng-repeat="ctg in content.Categories track by $index">
-                    <dd>{{ ctg }}</dd>
+                <dl class="dl-horizontal" ng-repeat="ctg in content.categories">
+                    <dt>{{ctg.name}}</dt>
+                    <dd>Confidence: {{ctg.confidence}}</dd>
                 </dl>
             </div>  
 
@@ -66,4 +67,4 @@ <h4>Categories</h4>
     <div class="panel-body">
         {{content.errorMessage}}
     </div>
-</div>
+</div>
diff --git a/thehive-templates/WOT_Lookup_1_0/short.html → thehive-templates/WOT_Lookup_2_0/short.html b/thehive-templates/WOT_Lookup_1_0/short.html → thehive-templates/WOT_Lookup_2_0/short.html