forked from TheHive-Project/Cortex-Analyzers
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'ssp-info' of https://github.com/StamusNetworks/Cortex-A…
…nalyzers into StamusNetworks-ssp-info
- Loading branch information
Showing
5 changed files
with
218 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| { | ||
| "name": "StamusNetworks_HostID", | ||
| "version": "1.0", | ||
| "author": "Stamus Networks", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "license": "AGPL-V3", | ||
| "description": "Get information from your Scirius Security Platform for an IP address.", | ||
| "dataTypeList": ["ip"], | ||
| "command": "StamusNetworks/hostid_analyzer.py", | ||
| "baseConfig": "StamusNetworks", | ||
| "config": { | ||
| "service": "get" | ||
| }, | ||
| "configurationItems": [ | ||
| { | ||
| "name": "url", | ||
| "description": "Base URL of Scirius Security Platform", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "key", | ||
| "description": "API key for Scirius Security Platform", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "ssl_verify", | ||
| "description": "Verify TLS certificate when connection to Scirius Security Platform", | ||
| "type": "boolean", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "tenant", | ||
| "description": "Tenant value for organization in Scirius Security Platform", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": false | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| #!/usr/bin/env python3 | ||
| # encoding: utf-8 | ||
|
|
||
| from cortexutils.analyzer import Analyzer | ||
|
|
||
| import requests | ||
|
|
||
|
|
||
| class StamusNetworksAnalyzer(Analyzer): | ||
| def __init__(self): | ||
| Analyzer.__init__(self) | ||
| self.api_key = self.get_param('config.key', None, 'Scirius Security Platform api key is missing') | ||
| self.base_url = self.get_param('config.url', None, 'Scirius Security Platform url is missing') | ||
| self.base_url = self.base_url.rstrip('/ ') | ||
| self.ssl_verify = self.get_param('config.ssl_verify', None, 'Scirius Security Platform TLS verification info is missing') | ||
| tenant = self.get_param('config.tenant') | ||
| if tenant is not None and len(tenant): | ||
| self.tenant_param = "?tenant=" + tenant | ||
| else: | ||
| self.tenant_param = "" | ||
| self.proxies = { | ||
| "https" : self.get_param("config.proxy_https", None), | ||
| "http" : self.get_param("config.proxy_http", None) | ||
| } | ||
| self.session = requests.Session() | ||
| self.session.headers.update({ 'Content-Type': 'application/json', 'Authorization': 'Token ' + self.api_key }) | ||
|
|
||
| def artifacts(self, raw): | ||
| artifacts = [] | ||
| if raw.get('host_id') is None: | ||
| return [] | ||
| hostnames = raw['host_id'].get('hostname', []) | ||
| for host in hostnames: | ||
| tags=["first-seen:" + host['first_seen'], "last-seen:" + host['last_seen']] | ||
| artifacts.append( | ||
| self.build_artifact('fqdn', | ||
| host['host'], | ||
| tags=tags)) | ||
| net_info = raw['host_id'].get('net_info', []) | ||
| if len(net_info) > -1: | ||
| net_info = sorted(net_info, key=lambda k: k['last_seen'], reverse=True)[0]['agg'] | ||
| tags=["network-info"] | ||
| artifacts.append( | ||
| self.build_artifact('other', | ||
| net_info, | ||
| tags=tags)) | ||
| return artifacts | ||
|
|
||
| def summary(self, raw): | ||
| taxonomies = [] | ||
| namespace = "SSP" | ||
| value = raw["host_id"]["first_seen"] | ||
| taxonomies.append(self.build_taxonomy("info", namespace, 'first-seen', value)) | ||
| value = raw["host_id"]["last_seen"] | ||
| taxonomies.append(self.build_taxonomy("info", namespace, 'last-seen', value)) | ||
|
|
||
| value = raw["host_id"].get("services_count") | ||
| if value: | ||
| taxonomies.append(self.build_taxonomy("info", namespace, 'services', value)) | ||
| value = raw["host_id"].get("tls.ja3_count") | ||
| if value: | ||
| taxonomies.append(self.build_taxonomy("info", namespace, 'tls-agents', value)) | ||
| value = raw["host_id"].get("http.user_agent_count") | ||
| if value: | ||
| taxonomies.append(self.build_taxonomy("info", namespace, 'http-agents', value)) | ||
|
|
||
| return {"taxonomies": taxonomies} | ||
|
|
||
| def run(self): | ||
| Analyzer.run(self) | ||
| info = {} | ||
| try: | ||
| if self.data_type == 'ip': | ||
| url = self.base_url + "/rest/appliances/host_id/" + self.get_data() + self.tenant_param | ||
| resp = self.session.get(url, verify=self.ssl_verify, proxies=self.proxies) | ||
| resp.raise_for_status() | ||
| info = resp.json() | ||
| # TODO add support for user-agent and fqdn | ||
| else: | ||
| self.error('Invalid data type !') | ||
|
|
||
| self.report(info) | ||
|
|
||
| except Exception as e: | ||
| self.unexpectedError(e) | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| StamusNetworksAnalyzer().run() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| cortexutils | ||
| requests |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| <!-- Success !--> | ||
| <div class="panel panel-info" ng-if="success" ng-init="recordsLimit=20"> | ||
| <div class="panel-heading"> | ||
| <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong> | ||
| <a ng-show="::content.records.length > 20" class="pull-right" href ng-click="recordsLimit=undefined">View All ({{::content.records.length}})</a> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <p> | ||
| SSP Host Information Report | ||
| </p> | ||
| <div ng-if="content.host_id.services_count>0"> | ||
| <p><em>Services for IP</em></p> | ||
| <table class="table"> | ||
| <thead> | ||
| <tr> | ||
| <th width="50">#</th> | ||
| <th>Proto</th> | ||
| <th>Port</th> | ||
| </tr> | ||
| </thead> | ||
| <tbody ng-repeat="row in content.host_id.services | limitTo:recordsLimit"> | ||
| <td>{{$index + 1}}</td> | ||
| <td>{{row.proto}}</td> | ||
| <td>{{row.port}}</td> | ||
| </tbody> | ||
| </table> | ||
| </div> | ||
| <div ng-if="content.host_id.username_count>0"> | ||
| <p><em>Username</em></p> | ||
| <table class="table"> | ||
| <thead> | ||
| <tr> | ||
| <th width="50">#</th> | ||
| <th>Username</th> | ||
| <th>First Seen</th> | ||
| <th>Last Seen</th> | ||
| </tr> | ||
| </thead> | ||
| <tbody ng-repeat="row in content.host_id.username | limitTo:recordsLimit"> | ||
| <td>{{$index + 1}}</td> | ||
| <td>{{row.user}}</td> | ||
| <td>{{row.first_seen}}</td> | ||
| <td>{{row.last_seen}}</td> | ||
| </tbody> | ||
| </table> | ||
| </div> | ||
| <div ng-if="content.host_id['http.user_agent']"> | ||
| <p><em>Username</em></p> | ||
| <table class="table"> | ||
| <thead> | ||
| <tr> | ||
| <th width="50">#</th> | ||
| <th>HTTP User Agent</th> | ||
| <th>First Seen</th> | ||
| <th>Last Seen</th> | ||
| </tr> | ||
| </thead> | ||
| <tbody ng-repeat="row in content.host_id['http.user_agent'] | limitTo:recordsLimit"> | ||
| <td>{{$index + 1}}</td> | ||
| <td>{{row.agent}}</td> | ||
| <td>{{row.first_seen}}</td> | ||
| <td>{{row.last_seen}}</td> | ||
| </tbody> | ||
| </table> | ||
| </div> | ||
| </div> | ||
|
|
||
| </div> | ||
|
|
||
| <!-- Error !--> | ||
| <div class="panel panel-danger" ng-if="!success"> | ||
| <div class="panel-heading" > | ||
| <strong> Error while running the service </strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <pre> | ||
| {{content.errorMessage}} | ||
| </pre> | ||
| </div> | ||
| </div> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"> | ||
| {{t.namespace}}:{{t.predicate}}="{{t.value}}" | ||
| </span> |