TheHive-Project · jeromeleonard · Jul 26, 2021 · Mar 13, 2021 · Mar 13, 2021 · Mar 13, 2021
diff --git a/analyzers/StamusNetworks/StamusNetworks_IPInfo.json b/analyzers/StamusNetworks/StamusNetworks_IPInfo.json
@@ -0,0 +1,44 @@
+{
+  "name": "StamusNetworks_HostID",
+  "version": "1.0",
+  "author": "Stamus Networks",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Get information from your Scirius Security Platform for an IP address.",
+  "dataTypeList": ["ip"],
+  "command": "StamusNetworks/hostid_analyzer.py",
+  "baseConfig": "StamusNetworks",
+  "config": {
+    "service": "get"
+  },
+  "configurationItems": [
+    {
+      "name": "url",
+      "description": "Base URL of Scirius Security Platform",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "key",
+      "description": "API key for Scirius Security Platform",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "ssl_verify",
+      "description": "Verify TLS certificate when connection to Scirius Security Platform",
+      "type": "boolean",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "tenant",
+      "description": "Tenant value for organization in Scirius Security Platform",
+      "type": "string",
+      "multi": false,
+      "required": false
+    }
+  ]
+}
diff --git a/analyzers/StamusNetworks/hostid_analyzer.py b/analyzers/StamusNetworks/hostid_analyzer.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+
+import requests
+
+
+class StamusNetworksAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.api_key = self.get_param('config.key', None, 'Scirius Security Platform api key is missing')
+        self.base_url = self.get_param('config.url', None, 'Scirius Security Platform url is missing')
+        self.base_url = self.base_url.rstrip('/ ')
+        self.ssl_verify = self.get_param('config.ssl_verify', None, 'Scirius Security Platform TLS verification info is missing')
+        tenant = self.get_param('config.tenant')
+        if tenant is not None and len(tenant):
+            self.tenant_param = "?tenant=" + tenant
+        else:
+            self.tenant_param = ""
+        self.proxies = {
+                "https" : self.get_param("config.proxy_https", None),
+                "http" : self.get_param("config.proxy_http", None)
+                }
+        self.session = requests.Session()
+        self.session.headers.update({ 'Content-Type': 'application/json', 'Authorization': 'Token ' + self.api_key })
+
+    def artifacts(self, raw):
+        artifacts = []
+        if raw.get('host_id') is None:
+            return []
+        hostnames = raw['host_id'].get('hostname', [])
+        for host in hostnames:
+            tags=["first-seen:" + host['first_seen'], "last-seen:" + host['last_seen']]
+            artifacts.append(
+                    self.build_artifact('fqdn',
+                        host['host'],
+                        tags=tags))
+        net_info = raw['host_id'].get('net_info', [])
+        if len(net_info) > -1:
+            net_info = sorted(net_info, key=lambda k: k['last_seen'], reverse=True)[0]['agg']
+            tags=["network-info"]
+            artifacts.append(
+                    self.build_artifact('other',
+                        net_info,
+                        tags=tags))
+        return artifacts
+
+    def summary(self, raw):
+        taxonomies = []
+        namespace = "SSP"
+        value = raw["host_id"]["first_seen"]
+        taxonomies.append(self.build_taxonomy("info", namespace, 'first-seen', value))
+        value = raw["host_id"]["last_seen"]
+        taxonomies.append(self.build_taxonomy("info", namespace, 'last-seen', value))
+
+        value = raw["host_id"].get("services_count")
+        if value:
+            taxonomies.append(self.build_taxonomy("info", namespace, 'services', value))
+        value = raw["host_id"].get("tls.ja3_count")
+        if value:
+            taxonomies.append(self.build_taxonomy("info", namespace, 'tls-agents', value))
+        value = raw["host_id"].get("http.user_agent_count")
+        if value:
+            taxonomies.append(self.build_taxonomy("info", namespace, 'http-agents', value))
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+        info = {}
+        try:
+            if self.data_type == 'ip':
+                url = self.base_url + "/rest/appliances/host_id/" + self.get_data() + self.tenant_param
+                resp = self.session.get(url, verify=self.ssl_verify, proxies=self.proxies)
+                resp.raise_for_status()
+                info = resp.json()
+            # TODO add support for user-agent and fqdn
+            else:
+                self.error('Invalid data type !')
+
+            self.report(info)
+
+        except Exception as e:
+            self.unexpectedError(e)
+
+
+if __name__ == '__main__':
+    StamusNetworksAnalyzer().run()
diff --git a/analyzers/StamusNetworks/requirements.txt b/analyzers/StamusNetworks/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/StamusNetworks_HostID_1_0/long.html b/thehive-templates/StamusNetworks_HostID_1_0/long.html
@@ -0,0 +1,80 @@
+<!-- Success !-->
+<div class="panel panel-info" ng-if="success"  ng-init="recordsLimit=20">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+        <a ng-show="::content.records.length > 20" class="pull-right" href ng-click="recordsLimit=undefined">View All ({{::content.records.length}})</a>
+    </div>
+    <div class="panel-body">
+        <p>
+            SSP Host Information Report
+        </p>
+        <div ng-if="content.host_id.services_count>0">
+            <p><em>Services for IP</em></p>
+            <table class="table">
+                <thead>
+                    <tr>
+                        <th width="50">#</th>
+                        <th>Proto</th>
+                        <th>Port</th>
+                    </tr>
+                </thead>
+                <tbody ng-repeat="row in content.host_id.services | limitTo:recordsLimit">
+                    <td>{{$index + 1}}</td>
+                    <td>{{row.proto}}</td>
+                    <td>{{row.port}}</td>
+                </tbody>
+            </table>
+        </div>
+        <div ng-if="content.host_id.username_count>0">
+            <p><em>Username</em></p>
+            <table class="table">
+                <thead>
+                    <tr>
+                        <th width="50">#</th>
+                        <th>Username</th>
+                        <th>First Seen</th>
+                        <th>Last Seen</th>
+                    </tr>
+                </thead>
+                <tbody ng-repeat="row in content.host_id.username | limitTo:recordsLimit">
+                    <td>{{$index + 1}}</td>
+                    <td>{{row.user}}</td>
+                    <td>{{row.first_seen}}</td>
+                    <td>{{row.last_seen}}</td>
+                </tbody>
+            </table>
+        </div>
+        <div ng-if="content.host_id['http.user_agent']">
+            <p><em>Username</em></p>
+            <table class="table">
+                <thead>
+                    <tr>
+                        <th width="50">#</th>
+                        <th>HTTP User Agent</th>
+                        <th>First Seen</th>
+                        <th>Last Seen</th>
+                    </tr>
+                </thead>
+                <tbody ng-repeat="row in content.host_id['http.user_agent'] | limitTo:recordsLimit">
+                    <td>{{$index + 1}}</td>
+                    <td>{{row.agent}}</td>
+                    <td>{{row.first_seen}}</td>
+                    <td>{{row.last_seen}}</td>
+                </tbody>
+            </table>
+        </div>
+    </div>
+
+</div>
+
+<!-- Error !-->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading" >
+        <strong> Error while running the service </strong>
+     </div>
+     <div class="panel-body">
+        <pre>
+        {{content.errorMessage}}
+        </pre>
+     </div>
+</div>
diff --git a/thehive-templates/StamusNetworks_HostID_1_0/short.html b/thehive-templates/StamusNetworks_HostID_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>