valitydev/Cortex-Analyzers
14
0
Fork 0
mirror of https://github.com/valitydev/Cortex-Analyzers.git synced 2024-11-06 09:05:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/dadokkio/Cortex-Analyzers into dadokkio-master

Browse Source
This commit is contained in:
Jerome Leonard 2017-11-03 13:59:22 +01:00
commit 7aff6caf4c
3 changed files with 498 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
analyzers/EmergingThreats/emergingthreats_analyzer.py
View File

@ -40,7 +40,7 @@ class EmergingThreatsAnalyzer(Analyzer):
namespace = "ET" namespace = "ET"
predicate = self.service predicate = self.service
if predicate in ['domain-info', 'ip-info'] and raw['reputation'] != "-": if predicate in ['domain-info', 'ip-info'] and raw['reputation'] not in ["-", "Error"]:
for x in raw["reputation"]: for x in raw["reputation"]:
value = "%s=%d" % (x['category'], x['score']) value = "%s=%d" % (x['category'], x['score'])
if x['category'] in RED_CATEGORIES and x['score'] >= 70: if x['category'] in RED_CATEGORIES and x['score'] >= 70:
@ -50,7 +50,7 @@ class EmergingThreatsAnalyzer(Analyzer):
else: else:
level = "safe" level = "safe"
taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
elif predicate == 'malware-info' and raw['events'] != "-": elif predicate == 'malware-info' and raw['events'] not in ["-", "Error"]:
value = str(len(raw['events'])) + " signatures" value = str(len(raw['events'])) + " signatures"
taxonomies.append(self.build_taxonomy("malicious", namespace, predicate, value)) taxonomies.append(self.build_taxonomy("malicious", namespace, predicate, value))

248
thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_DomainInfo_1_0/long.html Normal file
View File

@ -0,0 +1,248 @@
<link rel="stylesheet" href="https://unpkg.com/leaflet@1.2.0/dist/leaflet.css"/>
<script src="https://unpkg.com/leaflet@1.2.0/dist/leaflet.js"></script>
<style>
#mapid { width: 800px;height: 600px; }
</style>
<div class="report-EmergingThreats" ng-if="success">
<div class="panel panel-info" ng-if="content.reputation != '-' && content.reputation != 'Error'">
<div class="panel-heading">
<strong>Reputation</strong>
</div>
<div class="panel-body">
<dl class="dl-horizontal" ng-repeat="reputation in content.reputation track by $index">
<dt>{{ reputation.category }}</dt>
<dd class="wrap">{{ reputation.score }}</dd>
</dl>
</div>
</div>
<div class="panel panel-info" ng-if="content.events != '-' && content.events != 'Error'">
<div class="panel-heading">
<strong>Events</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>Count</th>
<th>Date</th>
<th>Domain</th>
<th>Sid</th>
<th>Signature</th>
<th>Source</th>
</tr>
<tr ng-repeat="events in content.events track by $index">
<td>{{ events.count }}</td>
<td>{{ events.date }}</td>
<td>{{ events.domain }}</td>
<td>{{ events.sid }}</td>
<td>{{ events.signature }}</td>
<td>{{ events.source }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.geoloc != '-' && content.geoloc != 'Error'">
<div class="panel-heading">
<strong>Geoloc</strong>
</div>
<div class="panel-body">
<div ng-repeat="geo in content.geoloc track by $index">
<dl class="dl-horizontal">
<dt>City</dt>
<dd class="wrap">{{ geo.city }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>country</dt>
<dd class="wrap">{{ geo.country }} [{{ geo.country_code }}]</dd>
</dl>
<dl class="dl-horizontal">
<dt>IP</dt>
<dd class="wrap">{{ geo.ip }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Coordinates<dt>
<dd class="wrap"><span class="geo_lat">{{ geo.latitude }}</span> / <span class="geo_lon">{{ geo.longitude }}</span></dd>
</dl>
</div>
<div id="mapid"></div>
<script>
$(document).ready(function(){
setTimeout(function(){
var lat = $(".geo_lat").map(function(){return parseInt($(this).text());}).get();
var lon = $(".geo_lon").map(function(){return parseInt($(this).text());}).get();
var mymap = L.map('mapid').setView([0, 0], 3);
L.tileLayer('https://api.tiles.mapbox.com/v4/{id}/{z}/{x}/{y}.png?access_token=pk.eyJ1IjoibWFwYm94IiwiYSI6ImNpejY4NXVycTA2emYycXBndHRqcmZ3N3gifQ.rJcFIG214AriISLbB6B5aw', {
maxZoom: 18,
id: 'mapbox.streets'
}).addTo(mymap);
$.each( lon, function( index, value ){
L.marker([lat[index] , lon[index]]).addTo(mymap);
});
var mark_list = $.map( lon, function( index, value ){
return L.marker([lat[index] , lon[index]]);
});
var group = new L.featureGroup(mark_list);
mymap.fitBounds(group.getBounds(),{maxZoom: 3});
}, 3000);
});
</script>
</div>
</div>
</div>
<div class="panel panel-info" ng-if="content.ips && content.ips != '-' && content.ips != 'Error'">
<div class="panel-heading">
<strong>IPs</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>IP</th>
<th>Last seen</th>
</tr>
<tr ng-repeat="ip in content.ips track by $index">
<td>{{ ip.first_seen }}</td>
<td>{{ ip.ip }}</td>
<td>{{ ip.last_seen }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.domains && content.domains != '-' && content.domains != 'Error'">
<div class="panel-heading">
<strong>Domains</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>Name</th>
<th>Last seen</th>
</tr>
<tr ng-repeat="domain in content.domains track by $index">
<td>{{ domain.first_seen }}</td>
<td>{{ domain.domain }}</td>
<td>{{ domain.last_seen }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.samples != '-' && content.samples != 'Error'">
<div class="panel-heading">
<strong>Samples</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>Last seen</th>
<th>Source</th>
</tr>
<tr ng-repeat="sample in content.samples track by $index">
<td>{{ sample.first_seen }}</td>
<td>{{ sample.last_seen }}</td>
<td>{{ sample.source }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.nameservers && content.nameservers != '-' && content.nameservers != 'Error'">
<div class="panel-heading">
<strong>Nameservers</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>Last seen</th>
<th>Server</th>
</tr>
<tr ng-repeat="nameserver in content.nameservers track by $index">
<td>{{ nameserver.first_seen }}</td>
<td>{{ nameserver.last_seen }}</td>
<td>{{ nameserver.server }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.reputation != '-' && content.reputation != 'Error'">
<div class="panel-heading">
<strong>Urls</strong>
</div>
<div class="panel-body">
<dl class="dl-horizontal" ng-repeat="url in content.urls track by $index">
<dd class="wrap">{{ url }}</dd>
</dl>
</div>
</div>
<div class="panel panel-info" ng-if="content.whois && content.whois != '-' && content.whois != 'Error'">
<div class="panel-heading">
<strong>Whois</strong>
</div>
<div class="panel-body">
<h4>Domain</h4>
<dl class="dl-horizontal">
<dd class="wrap">{{ content.whois.domain }}</dd>
</dl>
<h4>Registrant</h4>
<dl class="dl-horizontal">
<dt>Created</dt>
<dd class="wrap">{{ content.whois.registrant.created }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Expires</dt>
<dd class="wrap">{{ content.whois.registrant.expires }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Updated</dt>
<dd class="wrap">{{ content.whois.registrant.updated }}</dd>
</dl>
<h4>Registrar</h4>
<dl class="dl-horizontal">
<dt>Country</dt>
<dd class="wrap">{{ content.whois.registrar.country }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Name</dt>
<dd class="wrap">{{ content.whois.registrar.name }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Website</dt>
<dd class="wrap">{{ content.whois.registrar.website }}</dd>
</dl>
</div>
</div>
</div>
<!-- General error -->
<div class="panel panel-danger" ng-if="!success">
<div class="panel-heading">
<strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
</div>
<div class="panel-body">
{{content.errorMessage}}
</div>
</div>

248
thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_IPInfo_1_0/long.html Normal file
View File

@ -0,0 +1,248 @@
<link rel="stylesheet" href="https://unpkg.com/leaflet@1.2.0/dist/leaflet.css"/>
<script src="https://unpkg.com/leaflet@1.2.0/dist/leaflet.js"></script>
<style>
#mapid { width: 800px;height: 600px; }
</style>
<div class="report-EmergingThreats" ng-if="success">
<div class="panel panel-info" ng-if="content.reputation != '-' && content.reputation != 'Error'">
<div class="panel-heading">
<strong>Reputation</strong>
</div>
<div class="panel-body">
<dl class="dl-horizontal" ng-repeat="reputation in content.reputation track by $index">
<dt>{{ reputation.category }}</dt>
<dd class="wrap">{{ reputation.score }}</dd>
</dl>
</div>
</div>
<div class="panel panel-info" ng-if="content.events != '-' && content.events != 'Error'">
<div class="panel-heading">
<strong>Events</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>Count</th>
<th>Date</th>
<th>Domain</th>
<th>Sid</th>
<th>Signature</th>
<th>Source</th>
</tr>
<tr ng-repeat="events in content.events track by $index">
<td>{{ events.count }}</td>
<td>{{ events.date }}</td>
<td>{{ events.domain }}</td>
<td>{{ events.sid }}</td>
<td>{{ events.signature }}</td>
<td>{{ events.source }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.geoloc != '-' && content.geoloc != 'Error'">
<div class="panel-heading">
<strong>Geoloc</strong>
</div>
<div class="panel-body">
<div ng-repeat="geo in content.geoloc track by $index">
<dl class="dl-horizontal">
<dt>City</dt>
<dd class="wrap">{{ geo.city }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>country</dt>
<dd class="wrap">{{ geo.country }} [{{ geo.country_code }}]</dd>
</dl>
<dl class="dl-horizontal">
<dt>IP</dt>
<dd class="wrap">{{ geo.ip }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Coordinates<dt>
<dd class="wrap"><span class="geo_lat">{{ geo.latitude }}</span> / <span class="geo_lon">{{ geo.longitude }}</span></dd>
</dl>
</div>
<div id="mapid"></div>
<script>
$(document).ready(function(){
setTimeout(function(){
var lat = $(".geo_lat").map(function(){return parseInt($(this).text());}).get();
var lon = $(".geo_lon").map(function(){return parseInt($(this).text());}).get();
var mymap = L.map('mapid').setView([0, 0], 3);
L.tileLayer('https://api.tiles.mapbox.com/v4/{id}/{z}/{x}/{y}.png?access_token=pk.eyJ1IjoibWFwYm94IiwiYSI6ImNpejY4NXVycTA2emYycXBndHRqcmZ3N3gifQ.rJcFIG214AriISLbB6B5aw', {
maxZoom: 18,
id: 'mapbox.streets'
}).addTo(mymap);
$.each( lon, function( index, value ){
L.marker([lat[index] , lon[index]]).addTo(mymap);
});
var mark_list = $.map( lon, function( index, value ){
return L.marker([lat[index] , lon[index]]);
});
var group = new L.featureGroup(mark_list);
mymap.fitBounds(group.getBounds(),{maxZoom: 3});
}, 3000);
});
</script>
</div>
</div>
</div>
<div class="panel panel-info" ng-if="content.ips && content.ips != '-' && content.ips != 'Error'">
<div class="panel-heading">
<strong>IPs</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>IP</th>
<th>Last seen</th>
</tr>
<tr ng-repeat="ip in content.ips track by $index">
<td>{{ ip.first_seen }}</td>
<td>{{ ip.ip }}</td>
<td>{{ ip.last_seen }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.domains && content.domains != '-' && content.domains != 'Error'">
<div class="panel-heading">
<strong>Domains</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>Name</th>
<th>Last seen</th>
</tr>
<tr ng-repeat="domain in content.domains track by $index">
<td>{{ domain.first_seen }}</td>
<td>{{ domain.domain }}</td>
<td>{{ domain.last_seen }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.samples != '-' && content.samples != 'Error'">
<div class="panel-heading">
<strong>Samples</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>Last seen</th>
<th>Source</th>
</tr>
<tr ng-repeat="sample in content.samples track by $index">
<td>{{ sample.first_seen }}</td>
<td>{{ sample.last_seen }}</td>
<td>{{ sample.source }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.nameservers && content.nameservers != '-' && content.nameservers != 'Error'">
<div class="panel-heading">
<strong>Nameservers</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>First seen</th>
<th>Last seen</th>
<th>Server</th>
</tr>
<tr ng-repeat="nameserver in content.nameservers track by $index">
<td>{{ nameserver.first_seen }}</td>
<td>{{ nameserver.last_seen }}</td>
<td>{{ nameserver.server }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.reputation != '-' && content.reputation != 'Error'">
<div class="panel-heading">
<strong>Urls</strong>
</div>
<div class="panel-body">
<dl class="dl-horizontal" ng-repeat="url in content.urls track by $index">
<dd class="wrap">{{ url }}</dd>
</dl>
</div>
</div>
<div class="panel panel-info" ng-if="content.whois && content.whois != '-' && content.whois != 'Error'">
<div class="panel-heading">
<strong>Whois</strong>
</div>
<div class="panel-body">
<h4>Domain</h4>
<dl class="dl-horizontal">
<dd class="wrap">{{ content.whois.domain }}</dd>
</dl>
<h4>Registrant</h4>
<dl class="dl-horizontal">
<dt>Created</dt>
<dd class="wrap">{{ content.whois.registrant.created }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Expires</dt>
<dd class="wrap">{{ content.whois.registrant.expires }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Updated</dt>
<dd class="wrap">{{ content.whois.registrant.updated }}</dd>
</dl>
<h4>Registrar</h4>
<dl class="dl-horizontal">
<dt>Country</dt>
<dd class="wrap">{{ content.whois.registrar.country }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Name</dt>
<dd class="wrap">{{ content.whois.registrar.name }}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Website</dt>
<dd class="wrap">{{ content.whois.registrar.website }}</dd>
</dl>
</div>
</div>
</div>
<!-- General error -->
<div class="panel panel-danger" ng-if="!success">
<div class="panel-heading">
<strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
</div>
<div class="panel-body">
{{content.errorMessage}}
</div>
</div>