Merge pull request #505 from mlodic/develop

added IntezerCommunity analyzer
2024-11-06 09:05:19 +00:00 · 2020-03-09 12:38:11 +01:00 · 2020-03-09 12:38:11 +01:00 · 504d307956
commit 504d307956
parent e7aeb0ff7f
5 changed files with 154 additions and 0 deletions
--- a/analyzers/IntezerCommunity/IntezerCommunity.json
+++ b/analyzers/IntezerCommunity/IntezerCommunity.json
@ -0,0 +1,25 @@
+{
+    "name": "IntezerCommunity",
+    "version": "1.0",
+    "author": "Matteo Lodi",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-v3",
+    "description": "Analyze a possible malicious file with Intezer Analyzer",
+    "dataTypeList": ["file"],
+    "baseConfig": "IntezerCommunity",
+    "command": "IntezerCommunity/intezer_community.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for Intezer",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": false
+    }
+}
--- a/analyzers/IntezerCommunity/intezer_community.py
+++ b/analyzers/IntezerCommunity/intezer_community.py
@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+
+import requests
+import time
+import os
+
+from cortexutils.analyzer import Analyzer
+
+
+class IntezerCommunityAnalyzer(Analyzer):
+    """
+    Intezer Community APIs: https://analyze.intezer.com/api/docs/documentation
+    """
+
+    def run(self):
+
+        try:
+
+            if self.data_type == 'file':
+                api_key = self.get_param('config.key', None, 'Missing Intezer API key')
+                filepath = self.get_param('file', None, 'File is missing')
+                filename = self.get_param('filename', os.path.basename(filepath))
+
+                base_url = 'https://analyze.intezer.com/api/v2-0'
+                # this should be done just once in a day, but we cannot do that with Cortex Analyzers
+                response = requests.post(base_url + '/get-access-token', json={'api_key': api_key})
+                response.raise_for_status()
+                session = requests.session()
+                session.headers['Authorization'] = session.headers['Authorization'] = 'Bearer %s' % response.json()[
+                    'result']
+
+                with open(filepath, 'rb') as file_to_upload:
+                    files = {'file': (filename, file_to_upload)}
+                    response = session.post(base_url + '/analyze', files=files)
+                    if response.status_code != 201:
+                        self.error('Error sending file to Intezer Analyzer\n{}'.format(response.text))
+
+                while response.status_code != 200:
+                    time.sleep(3)
+                    result_url = response.json()['result_url']
+                    response = session.get(base_url + result_url)
+                    response.raise_for_status()
+
+                report = response.json()
+                self.report(report)
+
+            else:
+                self.notSupported()
+
+        except requests.HTTPError as e:
+            self.error(e)
+        except Exception as e:
+            self.unexpectedError(e)
+
+    def summary(self, raw):
+        taxonomies = []
+        namespace = 'IntezerCommunity'
+
+        if 'status' in raw and raw['status'] == 'succeeded':
+            predicate = 'Analysis succeeded'
+        else:
+            predicate = 'Analysis failed'
+
+        level = 'info'
+        value = 'no family'
+        if 'result' in raw:
+            if 'verdict' in raw['result']:
+                level = raw['result']['verdict']
+                if level == 'trusted':
+                    level = 'safe'
+                if level not in ['info', 'safe', 'suspicious', 'malicious']:
+                    level = 'info'
+            if 'family_name' in raw['result']:
+                value = raw['result']['family_name']
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        return {'taxonomies': taxonomies}
+
+
+if __name__ == '__main__':
+    IntezerCommunityAnalyzer().run()
--- a/analyzers/IntezerCommunity/requirements.txt
+++ b/analyzers/IntezerCommunity/requirements.txt
@ -0,0 +1,2 @@
+requests
+cortexutils
--- a/thehive-templates/IntezerCommunity_1_0/long.html
+++ b/thehive-templates/IntezerCommunity_1_0/long.html
@ -0,0 +1,42 @@
+	<div class="panel panel-danger" ng-if="success && content.result">
+		<div class="panel-heading">
+			Intezer Analysis Results
+		</div>
+        <div class="panel-body">
+            <dl class="dl-horizontal">
+                <dt>Verdict</dt>
+                <dd>{{content.result.verdict}}</dd>
+            </dl>
+            <dl class="dl-horizontal">
+                <dt>Sub-verdict</dt>
+                <dd>{{content.result.sub_verdict}}</dd>
+            </dl>
+            <dl class="dl-horizontal">
+                <dt>Family</dt>
+                <dd>{{content.result.family_name}}</dd>
+            </dl>
+        </div>
+	</div>
+	<div class="panel panel-success" ng-if="success && !content.result">
+		<div class="panel-heading">
+			Intezer Analysis Results
+		</div>
+		<div class="panel-body">
+			<span>No result</span>
+		</div>
+	</div>
+
+	<!-- General error  -->
+	<div class="panel panel-danger" ng-if="!success">
+		<div class="panel-heading">
+			<strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+		</div>
+		<div class="panel-body">
+			<dl class="dl-horizontal" ng-if="content.errorMessage">
+				<dt><i class="fa fa-warning"></i> Intezer:</dt>
+				<dd class="wrap">{{content.errorMessage}}</dd>
+			</dl>
+		</div>
+	</div>
+
+
--- a/thehive-templates/IntezerCommunity_1_0/short.html
+++ b/thehive-templates/IntezerCommunity_1_0/short.html
@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>&nbsp;