adding Patrowl analyzer

This commit is contained in:
Nicolas Mattiocco 2018-12-05 10:48:23 +01:00 committed by Nabil Adouani
parent 5caf39ca9c
commit 4afff2e18e
7 changed files with 209 additions and 0 deletions

2
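--- a/analyzers/Patrowl/.gitignore
+++ b/analyzers/Patrowl/.gitignore
@@ -0,0 +1,2 @@
+env
+.DS_Store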


@ -0,0 +1,26 @@
{
"name": "Patrowl_GetReport",
"version": "1.0",
"author": "Nicolas Mattiocco",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Get the current Patrowl report for a fdqn, a domain or an IP address.",
"dataTypeList": ["fqdn", "domain", "ip"],
"baseConfig": "Patrowl",
"config": {
"url": "http://my.patrowl.io:8000",
"service": "getreport",
"username": "cortex",
"password": "Bonjour1!"
},
"configurationItems": [
{
"name": "url",
"description": "Define the PatrOwl url",
"type": "string",
"multi": false,
"required": true
}
],
"command": "Patrowl/patrowl.py"
}
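Review bot: The flavor's `config` block ships working credentials — `"username": "cortex"` and `"password": "Bonjour1!"` — together with a plain `"url": "http://my.patrowl.io:8000"`, while `configurationItems` declares only `url`, so username and password cannot be set per instance from the Cortex configuration and the checked-in defaults are what the script reads under `config.username` / `config.password`. Drop the literal credentials from `config`, declare `username` and `password` as required configuration items so they are supplied at deploy time, and make the example URL `https://`, since HTTP Basic auth sends the password with every request. The `description` also reads `fdqn`; presumably `fqdn` is meant.
```json
    },
    {
      "name": "username",
      "description": "Define the PatrOwl API username",
      "type": "string",
      "multi": false,
      "required": true
    },
    {
      "name": "password",
      "description": "Define the PatrOwl API password",
      "type": "string",
      "multi": false,
      "required": true
    }
  ],
```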


@ -0,0 +1,10 @@
![](https://github.com/Patrowl/PatrowlDocs/blob/master/images/logos/logo-patrowl-light.png)
[![Join the chat at https://gitter.im/Patrowl/Support](https://badges.gitter.im/Patrowl/Support.png)](https://gitter.im/Patrowl/Support)
# **PatrOwl**
[PatrOwl](https://www.patrowl.io/) is a scalable, free and open-source solution for orchestrating Security Operations.
**PatrowlManager** is the Front-end application for managing the assets, reviewing risks on real-time, orchestrating the operations (scans, searches, API calls, ...), aggregating the results, relaying alerts on third parties (ex: Incident Response platform like [TheHive](https://github.com/TheHive-Project/TheHive/), Splunk, ...) and providing the reports and dashboards. Operations are performed by the [PatrowlEngines](https://github.com/Patrowl/PatrowlEngines/) instances. Don't forget to install and deploy them ;)
# Installation
See [Cortex Installation Guide](https://github.com/TheHive-Project/CortexDocs).

77
analyzers/Patrowl/patrowl.py Executable file

@ -0,0 +1,77 @@
#!/usr/bin/env python
# encoding: utf-8
"""Patrowl Analyzer for Cortex."""
import requests
from cortexutils.analyzer import Analyzer
class PatrowlAnalyzer(Analyzer):
"""PatrowlAnalyzer Class definition."""
def __init__(self):
"""Initialize the Analyzer."""
Analyzer.__init__(self)
self.service = self.getParam('config.service', None, 'Patrowl service is missing')
self.url = self.getParam('config.url', None, 'Patrowl URL is missing').rstrip("/")
self.username = self.getParam('config.username', None, 'Patrowl Username is missing')
self.password = self.getParam('config.password', None, 'Patrowl Password is missing')
def summary(self, raw):
"""Parse, format and return scan summary."""
taxonomies = []
level = "info"
namespace = "Patrowl"
# getreport service
if self.service == 'getreport':
if 'risk_level' in raw and raw['risk_level']:
# Grade
if raw['risk_level']['grade'] in ["A", "B"]:
level = "safe"
else:
level = "suspicious"
taxonomies.append(self.build_taxonomy(
level, namespace, "Grade", raw['risk_level']['grade']))
# Findings
if raw['risk_level']['high'] > 0:
level = "malicious"
elif raw['risk_level']['medium'] > 0 or raw['risk_level']['low'] > 0:
level = "suspicious"
else:
level = "info"
taxonomies.append(self.build_taxonomy(
level, namespace, "Findings", "{}/{}/{}/{}".format(
raw['risk_level']['high'],
raw['risk_level']['medium'],
raw['risk_level']['low'],
raw['risk_level']['info']
)))
#todo: add_asset service
return {"taxonomies": taxonomies}
def run(self):
"""Run the analyzer."""
Analyzer.run(self)
data = self.getData()
try:
if self.service == 'getreport':
service_url = self.url+"/assets/api/v1/details/"+data
response = requests.get(service_url, auth=requests.auth.HTTPBasicAuth(self.username, self.password))
self.report(response.json())
else:
self.error('Unknown Patrowl service')
except Exception as e:
self.unexpectedError(e)
if __name__ == '__main__':
"""Main function."""
PatrowlAnalyzer().run()
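Review bot: In run(), the observable is concatenated straight into the request path (`service_url = self.url+"/assets/api/v1/details/"+data`), so a value containing `/`, `?` or `#` changes the path or appends a query; it should be percent-encoded, e.g. `quote(data, safe="")` with `from urllib.parse import quote` added to the imports. The same `requests.get` call has no `timeout`, so an unresponsive PatrOwl instance blocks the Cortex job indefinitely, and `response.json()` runs without `response.raise_for_status()`, so a 401 or 404 body reaches the user only as a JSON decode error via unexpectedError rather than a clear message. In summary(), `raw['risk_level']['grade']` and the high/medium/low/info keys are indexed directly, so a report missing any of them raises KeyError; `rl = raw['risk_level']` with `rl.get(...)` would degrade more gracefully. The rewritten run() below adds the encoding, a timeout and an explicit HTTP error branch.
```python
    def run(self):
        """Run the analyzer: fetch the PatrOwl asset report and hand it to Cortex."""
        Analyzer.run(self)
        data = self.getData()
        try:
            if self.service == 'getreport':
                # The observable becomes a URL path segment: encode it so that
                # '/', '?' or '#' in the value cannot alter the request.
                service_url = self.url + "/assets/api/v1/details/" + quote(data, safe="")
                response = requests.get(
                    service_url,
                    auth=requests.auth.HTTPBasicAuth(self.username, self.password),
                    timeout=30,  # do not let a hung PatrOwl instance block the job forever
                )
                # Surface 401/404 etc. as an explicit error instead of a JSON decode failure.
                response.raise_for_status()
                self.report(response.json())
            else:
                self.error('Unknown Patrowl service')
        except requests.HTTPError as e:
            self.error('Patrowl request failed: {}'.format(e))
        except Exception as e:
            self.unexpectedError(e)
```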


@ -0,0 +1,2 @@
cortexutils
requests


@ -0,0 +1,89 @@
<div class="report-Patrowl" ng-if="success">
<style>
.report-Patrowl dl {
margin-bottom: 2px;
}
.report-Patrowl .patrowl-info {
background-color: #3B4CA1;
}
.report-Patrowl .patrowl-low {
background-color: #79AB3D;
}
.report-Patrowl .patrowl-medium {
background-color: #D5C920;
}
.report-Patrowl .patrowl-high {
background-color: #D39F27;
}
.report-Patrowl .patrowl-critical {
background-color: #C61010;
}
</style>
<div class="panel panel-info">
<div class="panel-heading">
<strong>Patrowl Report</strong>
</div>
<div class="panel-body">
<h4>Asset Information for {{content.value}}</h4>
<dl class="dl-horizontal">
<dt>Name</dt>
<dd>{{content.name}}</dd>
<dt>Criticity</dt>
<dd><label class="label patrowl-{{content.criticity}}">{{content.criticity}}</label></dd>
<dt>DataType</dt>
<dd>{{content.type}}</dd>
<dt>Description</dt>
<dd>{{content.description}}</dd>
<dt>Findings summary</dt>
<dd>
<div class="progress">
<div class="progress-bar patrowl-info" ng-style="{width:(content.risk_level.info *100)/(content.risk_level.total)+'%'}">
<span>{{content.risk_level.info}}</span>
</div>
<div class="progress-bar patrowl-low" ng-style="{width:(content.risk_level.low *100)/(content.risk_level.total)+'%'}">
<span>{{content.risk_level.low}}</span>
</div>
<div class="progress-bar patrowl-medium" ng-style="{width:(content.risk_level.medium *100)/(content.risk_level.total)+'%'}">
<span>{{content.risk_level.medium}}</span>
</div>
<div class="progress-bar patrowl-high" ng-style="{width:(content.risk_level.high *100)/(content.risk_level.total)+'%'}">
<span>{{content.risk_level.high}}</span>
</div>
</div>
</dd>
</dl>
<br>
<hr>
<h4>Findings Reports</h4>
<div ng-if="content.findings" ng-repeat="finding in content.findings">
<div class="panel panel-default">
<div class="panel-heading">
<strong>{{finding.title}}</strong>
</div>
<div class="panel-body">
<dl class="dl-horizontal" nf-if="finding.severity" >
<dt>Severity</dt>
<dd><label class="label patrowl-{{finding.severity}}">{{finding.severity}}</label></dd>
<dt>Description</dt>
<dd>{{finding.description}}</dd>
<dt>From engine</dt>
<dd>{{finding.engine_type}}</dd>
</dl>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- General error -->
<div class="panel panel-danger" ng-if="!success">
<div class="panel-heading">
<strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
</div>
<div class="panel-body">
{{content.errorMessage}}
</div>
</div>
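Review bot: The finding detail list uses `nf-if="finding.severity"` (the `<dl class="dl-horizontal" nf-if="finding.severity" >` line), which Angular ignores as an unknown attribute, so the condition never applies; it should read `<dl class="dl-horizontal" ng-if="finding.severity">`. The progress-bar widths divide by `content.risk_level.total`; for an asset with no findings that is `0/0`, the expression yields NaN and the bars get an invalid width, so a guard such as `ng-if="content.risk_level.total"` on the `progress` div is worth adding. Note also that no `patrowl-critical` bar is drawn although the stylesheet defines that class, so critical findings are not represented in the summary bar.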


@ -0,0 +1,3 @@
<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
{{t.namespace}}:{{t.predicate}}={{t.value}}
</span>