Merge branch 'master' of https://github.com/sigalpes/Cortex-Analyzers into sigalpes-master

analyzers/PhishingInitiative/PhishingInitiative_Scan.json

@@ -0,0 +1,20 @@
+{
+    "name": "PhishingInitiative_Scan",
+    "version": "1.0",
+    "author": "Remi Pointel",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Use Phishing Initiative to scan a URL.",
+    "dataTypeList": ["url"],
+    "baseConfig": "PhishingInitiative",
+    "command": "PhishingInitiative/phishinginitiative_scan.py",
+    "configurationItems": [
+    {
+      "name": "key",
+      "description": "Define the API Key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}

analyzers/PhishingInitiative/phishinginitiative_scan.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# encoding: utf-8
+from cortexutils.analyzer import Analyzer
+from pyeupi import PyEUPI
+
+
+class PhishingInitiativeAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.phishinginitiative_key = self.get_param('config.key', None,
+                                                     'Missing PhishingInitiative API key')
+
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "safe"
+        namespace = "PhishingInitiative"
+        predicate = "Status"
+        value = "\"Clean\""
+
+        if raw["status"] == "phishing":
+            level = "malicious"
+            value = "\"{}\"".format(raw["status"])
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+
+        data = self.get_data()
+
+        try:
+            p = PyEUPI(self.phishinginitiative_key)
+            api_response = p.post_submission(url=data, comment="Submitted by Cortex")
+            api_response_url = "".join(api_response["url"])
+
+            if "Elle a été marquée comme étant du phishing" in api_response_url:
+                self.report({"status":"phishing"})
+            elif "Elle est en cours d'analyse" in api_response_url:
+                self.report({"status":"analyzing"})
+            elif "Elle n'est pas considérée comme étant du phishing" in api_response_url:
+                self.report({"status":"clean"})
+            else:
+                self.report({"status":"report"})
+        except Exception:
+            self.unexpectedError("Service unavailable")
+
+if __name__ == '__main__':
+    PhishingInitiativeAnalyzer().run()

thehive-templates/PhishingInitiative_Scan_1_0/long.html

@@ -0,0 +1,21 @@
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        PhishingInitiative Report for <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+ <dl class="dl-horizontal">
+                <dt>Status: </dt>
+                <dd class="wrap" ng-class="{'text-danger': content.status==='phishing', 'text-warning': content.status==='analyzing', 'text-success': content.status==='clean'}">
+   {{content.status}}
+  </dd>
+        </dl>
+    </div>
+</div>
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>

thehive-templates/PhishingInitiative_Scan_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>