TheHive-Project · dadokkio · Apr 15, 2021 · Apr 9, 2021 · Apr 9, 2021
diff --git a/analyzers/CyberCrime-Tracker/README.md b/analyzers/CyberCrime-Tracker/README.md
@@ -1,4 +1,5 @@
-### cyberprotect
-[cyberprotect](https://threatscore.cyberprotect.cloud/) collect more than 500 millions of network events per day and value those data by analyzed them with analysis engines (behavioral analysis, sandboxes, threat feeds, etc.). 
+### cybercrime-tracker
+[cybercrime-tracker](https://cybercrime-tracker.net/) site is dedicated to tracking the C&C servers of botnets. This site is used as a source for many IP and domain blacklists. 
+
 #### Requirements
 No configuration is required.
diff --git a/analyzers/Cyberprotect/CyberprotectAnalyzer.py b/analyzers/Cyberprotect/CyberprotectAnalyzer.py
@@ -6,7 +6,7 @@
 
 class CyberprotectAnalyzer(Analyzer):
 
-    URI = "https://threatscore.cyberprotect.fr/api/score/"
+    URL = "https://api.threatscore.cyberprotect.cloud/api/v3/observables/search/by-value"
 
     def __init__(self):
         Analyzer.__init__(self)
@@ -18,25 +18,21 @@ def summary(self, raw):
         if self.service == 'ThreatScore':
             level = 'info'
             value = 'not in database'
-            if raw.get('data') and raw.get('scores') and len(raw.get('scores')) > 0:
+            if 'threatscore' in raw:
                 value = 'not analyzed yet'
-                if raw['scores'][0].get('score'):
-                    level = 'safe'
-                    value = raw['scores'][0]['score']
-                    if value >= 0.5:
-                        level = 'malicious'
-                    elif value >= 0.25 and value < 0.5:
-                        level = 'suspicious'
+                if 'value' in raw['threatscore'] and 'level' in raw['threatscore']:
+                    value = raw['threatscore']['value']
+                    level = raw['threatscore']['level']
             taxonomies.append(self.build_taxonomy(level, namespace, self.service, value))
         return {"taxonomies": taxonomies}
 
     def run(self):
         Analyzer.run(self)
-        if self.service == 'ThreatScore' and (self.data_type == 'domain' or self.data_type == 'ip'):
+        if self.service == 'ThreatScore' and (self.data_type == 'domain' or self.data_type == 'hash' or self.data_type == 'ip' or self.data_type == 'url' or self.data_type == 'user-agent'):
             try:
-                response = requests.get("{}{}".format(self.URI, self.get_data()))
+                response = requests.post(self.URL, json = { 'data' : self.get_data() })
                 result = response.json()
-                self.report(result if len(result) > 0 else {})
+                self.report(result)
             except Exception as e:
                 self.unexpectedError(e)
         else:

diff --git a/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json b/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json
@@ -3,9 +3,9 @@
   "author": "Rémi Allain, Cyberprotect",
   "license": "AGPL-V3",
   "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
-  "version": "1.0",
+  "version": "3.0",
   "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect",
-  "dataTypeList": ["domain", "ip"],
+  "dataTypeList": ["domain", "hash", "ip", "url", "user-agent"],
   "command": "Cyberprotect/CyberprotectAnalyzer.py",
   "baseConfig": "Cyberprotect",
   "config": {
@@ -15,7 +15,7 @@
   "registration_required": false,
   "subscription_required": false,
   "free_subscription": false,
-  "service_homepage": "https://threatscore.cyberprotect.cloud/",
+  "service_homepage": "https://console.threatscore.cyberprotect.cloud/",
   "service_logo": {
     "path": "assets/threatscore.jpg",
     "caption": "logo"

diff --git a/analyzers/Cyberprotect/README.md b/analyzers/Cyberprotect/README.md
@@ -1,5 +1,4 @@
-### cybercrime-tracker
-[cybercrime-tracker](https://cybercrime-tracker.net/) site is dedicated to tracking the C&C servers of botnets. This site is used as a source for many IP and domain blacklists. 
-
+### cyberprotect
+[cyberprotect](https://console.threatscore.cyberprotect.cloud/) collect more than 500 millions of network events per day and value those data by analyzed them with analysis engines (behavioral analysis, sandboxes, threat feeds, etc.). 
 #### Requirements
 No configuration is required.
diff --git a/analyzers/Cyberprotect/assets/long_report.png b/analyzers/Cyberprotect/assets/long_report.png
diff --git a/thehive-templates/Cyberprotect_ThreatScore_1_0/long.html b/thehive-templates/Cyberprotect_ThreatScore_1_0/long.html
diff --git a/thehive-templates/Cyberprotect_ThreatScore_3_0/long.html b/thehive-templates/Cyberprotect_ThreatScore_3_0/long.html
@@ -0,0 +1,119 @@
+<!-- Error -->
+<div class="panel panel-danger" ng-if="!success" >
+  <div class="panel-heading" >
+    <strong>Error while running the service</strong>
+   </div>
+   <div class="panel-body">
+    <pre>{{content.errorMessage}}</pre>
+   </div>
+</div>
+
+<!-- Success: Summary -->
+<div class="panel panel-info" ng-if="success">
+  <div class="panel-heading">
+    Cyberprotect Threatscore <a href="https://console.threatscore.cyberprotect.cloud/search?query={{artifact.data}}" target="_blank"><i class="fa fa-external-link"></i></a>
+    <br/>
+    Report for <strong>{{artifact.data | fang}}</strong>
+  </div>
+  <div class="panel-body" ng-if="content.error">
+    <h2>{{content.error.message}}</h2>
+  </div>
+  <div class="panel-body" ng-if="!content.error">
+    <p>
+      <span ng-if="content.threatscore.categories.length > 0">
+        Categories:&nbsp;
+        <span ng-repeat="category in content.threatscore.categories">
+          <span class="label label-default">
+            {{category.replace("_"," ") | uppercase}}
+          </span>&nbsp;
+        </span>
+        <br/>
+      </span>
+      Indicators:&nbsp;
+      <span class="label" ng-class="{'label-danger': content.threatscore.indicators.blocklist, 'label-default': !content.threatscore.indicators.blocklist}">
+        <span ng-if="content.threatscore.indicators.blocklist">
+          Blocklist
+        </span>
+        <del ng-if="!content.threatscore.indicators.blocklist">
+          Blocklist
+        </del>
+      </span>&nbsp;
+      <span class="label" ng-class="{'label-danger': content.threatscore.indicators.attack, 'label-default': !content.threatscore.indicators.attack}">
+        <span ng-if="content.threatscore.indicators.attack">
+          Attack
+        </span>
+        <del ng-if="!content.threatscore.indicators.attack">
+          Attack
+        </del>
+      </span>&nbsp;
+      <span class="label" ng-class="{'label-danger': content.threatscore.indicators.scan, 'label-default': !content.threatscore.indicators.scan}">
+        <span ng-if="content.threatscore.indicators.scan">
+          Scan
+        </span>
+        <del ng-if="!content.threatscore.indicators.scan">
+          Scan
+        </del>
+      </span>&nbsp;
+      <span class="label" ng-class="{'label-danger': content.threatscore.indicators.compromission, 'label-default': !content.threatscore.indicators.compromission}">
+        <span ng-if="content.threatscore.indicators.compromission">
+          Compromission
+        </span>
+        <del ng-if="!content.threatscore.indicators.compromission">
+          Compromission
+        </del>
+      </span>
+      <br/>
+      <span ng-if="content.observable.geo && content.observable.geo.country_name">
+        Location:&nbsp;
+        <span ng-if="content.observable.geo && content.observable.geo.city_name">{{content.observable.geo.city_name}},
+        </span>{{content.observable.geo.country_name}}
+        <br/>
+      </span>
+      <span ng-if="content.observable.as">
+        AS:&nbsp;{{content.observable.as.asn}}
+        <span ng-if="content.observable.as.organization_name">&nbsp;({{content.observable.as.organization_name}})</span>
+        <br/>
+      </span>
+      <span ng-if="content.observable.last_seen">
+        First seen:&nbsp;<span title="first seen">{{content.observable.first_seen | date: 'medium'}}</span>
+        <br/>
+        Last seen:&nbsp;<span title="last seen">{{content.observable.last_seen | date: 'medium'}}</span>
+      </span>
+    </p>
+  </div>
+</div>
+
+<!-- Success: Analysis -->
+<div class="panel panel-info" ng-if="success && !content.error">
+  <div class="panel-heading">
+    Analysis
+  </div>
+  <div class="panel-body" ng-if="content.analysis && content.analysis.length > 0">
+    <h3 ng-if="content.threatscore.level">
+      Threat score of <span ng-class="{'text-success': content.threatscore.level === 'safe', 'text-warning': content.threatscore.level === 'suspicious', 'text-danger': content.threatscore.level === 'malicious'}">{{content.threatscore.value * 100 | number:1.0-0}}%</span>
+    </h3>
+    <br />
+    <table class="table table-bordered panel">
+      <thead>
+        <th>ID</th>
+        <th>Date</th>
+        <th>Threat Level</th>
+      </thead>
+      <tbody>
+        <tr ng-repeat="a in content.analysis">
+          <td>{{a.id}}</td>
+          <td>{{a.date | date : 'medium'}}</td>
+          <td ng-if="!a.score && a.score !== 0" class="text-info"><strong>Info</strong></td>
+          <td ng-if="a.score || a.score === 0">
+            <span class="text-success" ng-if="a.score < 0.25"><strong>Safe</strong></span>
+            <span class="text-warning" ng-if="a.score >= 0.25 && a.score < 0.5"><strong>Suspicious</strong></span>
+            <span class="text-danger" ng-if="a.score >= 0.5"><strong>Malicious</span>
+          </td>
+        </tr>	
+      </tbody>
+    </table>
+  </div>
+  <div class="panel-body" ng-if="!content.analysis || content.analysis.length == 0">
+    <h2>Not analyzed yet</h2>
+  </div>
+</div>
diff --git a/...s/Cyberprotect_ThreatScore_1_0/short.html → ...s/Cyberprotect_ThreatScore_3_0/short.html b/...s/Cyberprotect_ThreatScore_1_0/short.html → ...s/Cyberprotect_ThreatScore_3_0/short.html