Merge branch 'staf711-feature/oscd' into feature/oscd

analyzers/EmlParser/input/input.json

@@ -0,0 +1,17 @@
+ {
+    "dataType":"file",
+    "file": "Payment Notification 00000307700.eml",
+    "filename": "filetest",
+    "config":{
+        "manalyze_enable": false,
+        "manalyze_enable_docker": false,
+        "proxy_http": null,
+        "proxy_https": null,
+        "cacerts": null,
+        "jobTimeout": 10,
+        "check_tlp": false,
+        "max_tlp": 2,
+        "check_pap": false,
+        "max_pap": 2
+    }
+}

analyzers/EmlParser/output/output.json

@@ -0,0 +1 @@
+{"success": true, "summary": {"taxonomies": [{"level": "info", "namespace": "EmlParser", "predicate": "Attachments", "value": 1}]}, "artifacts": [{"dataType": "ip", "data": "18.23.71.149"}, {"dataType": "ip", "data": "165.199.8.49"}, {"dataType": "ip", "data": "87.227.176.38"}, {"dataType": "mail", "data": "[email protected]"}, {"dataType": "mail", "data": "[email protected]"}, {"dataType": "hash", "data": "4dd9dfc92887e8c02cbc54a2abf73fb2"}, {"dataType": "hash", "data": "f7586d41577ed314ef5794072ddffef838996088"}, {"dataType": "hash", "data": "bfee589efb80fccdc2c19e16b54fa19d2a9ee7f5c359e0340cd568dce09f8ecb"}, {"dataType": "file", "file": "tmpu4zg7dbi", "filename": "Inv_307700_Service_04086.xlsm"}], "full": {"subject": "Payment Notification 00000307700", "date": "Mon, 22 Jun 2020 14:15:37 +0200", "receivers": "", "displayFrom": "[email protected]", "sender": "", "topic": "", "bcc": "", "displayTo": "<>", "headers": "Received: from ([87.227.176.38]) by [removed] for [removed];\n\tMon, 22 Jun 2020 12:15:38 +0000 (UTC)\nReceived: from [18.23.71.149] (account [email protected] HELO TIQOPOP.GAFYWOG.bwd) by customer.orbitel.bg (Exim 4.89)\twith ESMTPA id 89509C7C5024 for [removed]; Mon, 22 Jun 2020 14:15:37 +0200\nReceived: from ([165.199.8.49]) by customer.orbitel.bg with SMTP id 3943963C; Mon, 22 Jun 2020 14:15:37 +0200\nDate: Mon, 22 Jun 2020 14:15:37 +0200\nContent-Class: urn:content-classes:message\nSubject: Payment Notification 00000307700\nFrom: \"Billing Support\" <[email protected]>\n", "body": "Thank you very much for your business and continued support.\n\nPlease open the attached file to view your Invoice.\n\n    Invoice Due Date:      06/22/2020\n    Invoice Total Amount:  $1,278.00\n\nBest Regards\n", "attachments": [{"filename": "Inv_307700_Service_04086.xlsm", "mime": "Microsoft Excel 2007+", "extension": "xlsm", "md5": "4dd9dfc92887e8c02cbc54a2abf73fb2", "sha1": "f7586d41577ed314ef5794072ddffef838996088", "sha256": "bfee589efb80fccdc2c19e16b54fa19d2a9ee7f5c359e0340cd568dce09f8ecb", "path": "/job/output/Inv_307700_Service_04086.xlsm"}]}}

responders/PaloAltoNGFW/PaloAltoNGFW_block_external_IP_address.json

@@ -0,0 +1,56 @@
+{
+  "name": "PaloAltoNGFW_block_external_IP_address",
+  "version": "2.0.0",
+  "author": "Maxim Konakin, OSCD Initiative",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block external IP address",
+  "dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
+  "command": "PaloAltoNGFW/block_external_ip.py",
+  "baseConfig": "PaloAltoNGFW_main",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Security_rule_for_block_external_IP_address",
+      "description": "Name external name security rule for IP address",
+      "type": "string",
+      "multi": false,
+      "required": true,
+	  "defaultValue": "TheHive Block external IP address"
+    },
+	{
+        "name": "TheHive_instance",
+        "description": "URL of the TheHive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "TheHive_API_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW/PaloAltoNGFW_block_external_domain.json

@@ -0,0 +1,56 @@
+{
+  "name": "PaloAltoNGFW_block_external_domain",
+  "version": "2.0.0",
+  "author": "Maxim Konakin, OSCD Initiative",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block external domain",
+  "dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
+  "command": "PaloAltoNGFW/block_external_domain.py",
+  "baseConfig": "PaloAltoNGFW_main",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Security_rule_for_block_external_domain",
+      "description": "Name external security rule for domains",
+      "type": "string",
+      "multi": false,
+      "required": true,
+	  "defaultValue": "TheHive Block external Domain"
+    },
+	{
+        "name": "TheHive_instance",
+        "description": "URL of the TheHive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "TheHive_API_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW/PaloAltoNGFW_block_external_user.json

@@ -0,0 +1,56 @@
+{
+  "name": "PaloAltoNGFW_block_external_user",
+  "version": "1.0.0",
+  "author": "Maxim Konakin, OSCD Initiative",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block external user",
+  "dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
+  "command": "PaloAltoNGFW/block_external_user.py",
+  "baseConfig": "PaloAltoNGFW_main",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Security_rule_for_block_external_user",
+      "description": "Name security rule for external users",
+      "type": "string",
+      "multi": false,
+      "required": true,
+	  "defaultValue": "TheHive Block external user"
+    },
+	{
+        "name": "TheHive_instance",
+        "description": "URL of the TheHive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "TheHive_API_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW/PaloAltoNGFW_block_internal_IP_address.json

@@ -0,0 +1,56 @@
+{
+  "name": "PaloAltoNGFW_block_internal_IP_address",
+  "version": "2.0.0",
+  "author": "Maxim Konakin, OSCD Initiative",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block internal IP address",
+  "dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
+  "command": "PaloAltoNGFW/block_internal_ip.py",
+  "baseConfig": "PaloAltoNGFW_main",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Security_rule_for_block_internal_IP_address",
+      "description": "Name internal security rule for IP address",
+      "type": "string",
+      "multi": false,
+      "required": true,
+	  "defaultValue": "TheHive Block internal IP address"
+    },
+	{
+        "name": "TheHive_instance",
+        "description": "URL of the TheHive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "TheHive_API_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW/PaloAltoNGFW_block_internal_domain.json

@@ -0,0 +1,56 @@
+{
+  "name": "PaloAltoNGFW_block_internal_domain",
+  "version": "2.0.0",
+  "author": "Maxim Konakin, OSCD Initiative",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block internal domain",
+  "dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
+  "command": "PaloAltoNGFW/block_internal_domain.py",
+  "baseConfig": "PaloAltoNGFW_main",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Security_rule_for_block_internal_domain",
+      "description": "Name internal security rule for domains",
+      "type": "string",
+      "multi": false,
+      "required": true,
+	  "defaultValue": "TheHive Block internal Domain"
+    },
+	{
+        "name": "TheHive_instance",
+        "description": "URL of the TheHive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "TheHive_API_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}

responders/PaloAltoNGFW/PaloAltoNGFW_block_internal_user.json

@@ -0,0 +1,56 @@
+{
+  "name": "PaloAltoNGFW_block_internal_user",
+  "version": "1.0.0",
+  "author": "Maxim Konakin, OSCD Initiative",
+  "url": "",
+  "license": "AGPL-V3",
+  "description": "Block internal user",
+  "dataTypeList": ["thehive:alert","thehive:case_artifact","thehive:case"],
+  "command": "PaloAltoNGFW/block_internal_user.py",
+  "baseConfig": "PaloAltoNGFW_main",
+  "configurationItems": [
+    {
+      "name": "Hostname_PaloAltoNGFW",
+      "description": "Hostname PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "User_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Password_PaloAltoNGFW",
+      "description": "User PaloAltoNGFW",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
+    {
+      "name": "Security_rule_for_block_internal_user",
+      "description": "Name internal security rule for users",
+      "type": "string",
+      "multi": false,
+      "required": false,
+	  "defaultValue": "TheHive Block internal user"
+    },
+	{
+        "name": "TheHive_instance",
+        "description": "URL of the TheHive instance to query",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "TheHive_API_key",
+        "description": "TheHive API key with read access",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+  ]
+}