Minor changes to proofpoint analyzer (template, function names etc.)

2024-11-06 00:55:17 +00:00 · 2018-10-17 10:17:10 +02:00 · 2018-10-17 10:17:10 +02:00 · d26402f205
commit d26402f205
parent 002d5ca3ee
3 changed files with 115 additions and 10 deletions
--- a/analyzers/ProofPoint/proofpoint_lookup.py
+++ b/analyzers/ProofPoint/proofpoint_lookup.py
@ -11,11 +11,11 @@ class ProofPointForensicsAnalyzer(Analyzer):

 	def __init__(self):
 		Analyzer.__init__(self)
-		self.service = self.getParam('config.service', None, 'ProofPoint service is missing')
-		self.url = self.getParam('config.url', 'https://tap-api-v2.proofpoint.com', None)
-		self.apikey = self.getParam('config.apikey', None, 'ProofPoint apikey is missing')
-		self.secret = self.getParam('config.secret', None, 'ProofPoint secret is missing')
-		self.verify = self.getParam('config.verifyssl', True, None)
+		self.service = self.get_param('config.service', None, 'ProofPoint service is missing')
+		self.url = self.get_param('config.url', 'https://tap-api-v2.proofpoint.com', None)
+		self.apikey = self.get_param('config.apikey', None, 'ProofPoint apikey is missing')
+		self.secret = self.get_param('config.secret', None, 'ProofPoint secret is missing')
+		self.verify = self.get_param('config.verifyssl', True, None)
 		if not self.verify:
 			from requests.packages.urllib3.exceptions import InsecureRequestWarning
 			requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
@ -61,13 +61,13 @@ class ProofPointForensicsAnalyzer(Analyzer):
 			report = {}
 			if self.service in ['query']:
 				if self.data_type == 'file':
-					filename = self.getParam('attachment.name', 'noname.ext')
-					filepath = self.getParam('file', None, 'File is missing')
+					filename = self.get_param('attachment.name', 'noname.ext')
+					filepath = self.get_param('file', None, 'File is missing')
 					sha256 = hashlib.sha256(open(filepath, 'r').read()).hexdigest()
-				elif self.data_type == 'hash' and len(self.getData()) == 64:
-					sha256 = self.getData()
+				elif self.data_type == 'hash' and len(self.get_data()) == 64:
+					sha256 = self.get_data()
 				else:
-					sha256 = hashlib.sha256(self.getData()).hexdigest()
+					sha256 = hashlib.sha256(self.get_data()).hexdigest()
 			else:
 				self.error('unknown service')
 			if sha256 != None:
--- a/thehive-templates/ProofPoint_Lookup_1_0/long.html
+++ b/thehive-templates/ProofPoint_Lookup_1_0/long.html
@ -0,0 +1,102 @@
+<!-- General error -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
+<div class="report-ProofPoint" ng-if="success">
+	<div ng-if="content.known == true">
+		<style>
+			.report-ProofPoint dl {
+				margin-bottom: 2px;
+			}
+			.smaller {
+				width: 25%;
+			}
+		</style>
+		<div class="panel panel-info">
+			<div class="panel-heading"><strong>ProofPoint Report</strong></div>
+				<div ng-if="content.reports && content.reports.length > 0">
+					<div class="panel-body">
+						<dl class="dl-horizontal">
+							<dt>Last analysis date</dt>
+							<dd>{{content.generated}}</dd>
+						</dl>
+						<div class="dl-horizontal" ng-repeat="(indexRep,reportFor) in content.reports">
+							<div ng-repeat="(indexElem,elem) in reportFor">
+								<div ng-if="indexElem == 'name'">
+									<dl class="dl-horizontal">
+										<dt>Threat Name</dt>
+										<dd>{{elem}}</dd>
+									</dl>
+								</div>
+								<div ng-if="indexElem == 'type'">
+									<dl class="dl-horizontal">
+										<dt>Threat Type</dt>
+										<dd>{{elem}}</dd>
+									</dl>
+								</div>
+								<div ng-if="indexElem == 'threatStatus'">
+									<dl class="dl-horizontal">
+										<dt>Threat Status</dt>
+										<dd>{{elem}}</dd>
+									</dl>
+								</div>
+							</div>
+						</div>
+					</div>
+				</div>
+		</div>
+		<div ng-if="content.reports && content.reports.length > 0">
+			<div ng-if="content.reports[0].forensics.length > 0">
+				<div class="panel panel-info">
+					<div class="panel-heading"><strong>Malicious Indicators</strong></div>
+						<div class="panel-body">
+							<div class="dl-horizontal" ng-repeat="(indexRep,reportFor) in content.reports">
+								<div ng-repeat="(indexElem,elem) in reportFor">
+									<div ng-if="indexElem == 'forensics'">
+										<div ng-repeat="(indexForens,forensics) in elem">
+											<div class="dl-horizontal" ng-if="forensics.malicious == true">
+												<dt>IOC Type</dt>
+												<dd>{{forensics.type}}</dd>
+												<br>
+												<dt>IOC Description</dt>
+												<dd>{{forensics.display}}</dd>
+												<br>
+												<div ng-if="forensics.note">
+													<dt>IOC Category</dt>
+													<dd>{{forensics.note}}</dd>
+													<br>
+												</div>
+												<br>
+											</div>
+										</div>
+										<div ng-repeat="(indexForens,forensics) in elem">
+											<div class="dl-horizontal" ng-if="forensics.type == 'screenshot'">
+												<dd><img class="img-responsive smaller" ng-src="{{forensics.what.url}}"/></dd>
+											</div>
+										</div>
+									</div>
+								</div>
+							</div>
+						</div>
+				</div>
+			</div>
+		</div>
+	</div>
+	<div ng-if="content.known == false">
+		<div class="panel panel-info">
+			<div class="panel-heading"><strong>ProofPoint Report</strong></div>
+				<div class="panel-body">
+					<dl class="dl-horizontal">
+						<dt>Last analysis date</dt>
+						<dd>Data Unknown by ProofPoint</dd>
+					</dl>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
--- a/thehive-templates/ProofPoint_Lookup_1_0/short.html
+++ b/thehive-templates/ProofPoint_Lookup_1_0/short.html
@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>