diff --git a/analyzers/StamusNetworks/StamusNetworks_IPInfo.json b/analyzers/StamusNetworks/StamusNetworks_IPInfo.json
new file mode 100644
index 000000000..25dbb4f60
--- /dev/null
+++ b/analyzers/StamusNetworks/StamusNetworks_IPInfo.json
@@ -0,0 +1,44 @@
+{
+ "name": "StamusNetworks_HostID",
+ "version": "1.0",
+ "author": "Stamus Networks",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Get information from your Scirius Security Platform for an IP address.",
+ "dataTypeList": ["ip"],
+ "command": "StamusNetworks/hostid_analyzer.py",
+ "baseConfig": "StamusNetworks",
+ "config": {
+ "service": "get"
+ },
+ "configurationItems": [
+ {
+ "name": "url",
+ "description": "Base URL of Scirius Security Platform",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "key",
+ "description": "API key for Scirius Security Platform",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "ssl_verify",
+ "description": "Verify TLS certificate when connection to Scirius Security Platform",
+ "type": "boolean",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "tenant",
+ "description": "Tenant value for organization in Scirius Security Platform",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ]
+}
diff --git a/analyzers/StamusNetworks/hostid_analyzer.py b/analyzers/StamusNetworks/hostid_analyzer.py
new file mode 100755
index 000000000..d7c19dc08
--- /dev/null
+++ b/analyzers/StamusNetworks/hostid_analyzer.py 
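Review bot: The descriptor's `name` is `StamusNetworks_HostID` but the file is `StamusNetworks_IPInfo.json`, and the report template directory added in this commit is `thehive-templates/StamusNetworks_HostID_1_0`, which follows the `name` field; as far as I know TheHive resolves report templates by analyzer name and version, so the file name looks like the one out of step and is worth aligning before this ships. The `ssl_verify` description reads `Verify TLS certificate when connection to Scirius Security Platform`; `Verify TLS certificate when connecting to Scirius Security Platform` is presumably what was meant. The analyzer script also reads `config.proxy_https` and `config.proxy_http`, which this descriptor does not declare; if those are expected to come from Cortex's global proxy configuration rather than from here, a sentence in the analyzer's README saying so would spare the next maintainer a search.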
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+
+import requests
+
+
+class StamusNetworksAnalyzer(Analyzer):
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.api_key = self.get_param('config.key', None, 'Scirius Security Platform api key is missing')
+ self.base_url = self.get_param('config.url', None, 'Scirius Security Platform url is missing')
+ self.base_url = self.base_url.rstrip('/ ')
+ self.ssl_verify = self.get_param('config.ssl_verify', None, 'Scirius Security Platform TLS verification info is missing')
+ tenant = self.get_param('config.tenant')
+ if tenant is not None and len(tenant):
+ self.tenant_param = "?tenant=" + tenant
+ else:
+ self.tenant_param = ""
+ self.proxies = {
+ "https" : self.get_param("config.proxy_https", None),
+ "http" : self.get_param("config.proxy_http", None)
+ }
+ self.session = requests.Session()
+ self.session.headers.update({ 'Content-Type': 'application/json', 'Authorization': 'Token ' + self.api_key })
+
+ def artifacts(self, raw):
+ artifacts = []
+ if raw.get('host_id') is None:
+ return []
+ hostnames = raw['host_id'].get('hostname', [])
+ for host in hostnames:
+ tags=["first-seen:" + host['first_seen'], "last-seen:" + host['last_seen']]
+ artifacts.append(
+ self.build_artifact('fqdn',
+ host['host'],
+ tags=tags))
+ net_info = raw['host_id'].get('net_info', [])
+ if len(net_info) > -1:
+ net_info = sorted(net_info, key=lambda k: k['last_seen'], reverse=True)[0]['agg']
+ tags=["network-info"]
+ artifacts.append(
+ self.build_artifact('other',
+ net_info,
+ tags=tags))
+ return artifacts
+
+ def summary(self, raw):
+ taxonomies = []
+ namespace = "SSP"
+ value = raw["host_id"]["first_seen"]
+ taxonomies.append(self.build_taxonomy("info", namespace, 'first-seen', value))
+ value = raw["host_id"]["last_seen"]
+ taxonomies.append(self.build_taxonomy("info", namespace, 'last-seen', value))
+
+ value = raw["host_id"].get("services_count")
+ if value:
+ taxonomies.append(self.build_taxonomy("info", namespace, 'services', value))
+ value = raw["host_id"].get("tls.ja3_count")
+ if value:
+ taxonomies.append(self.build_taxonomy("info", namespace, 'tls-agents', value))
+ value = raw["host_id"].get("http.user_agent_count")
+ if value:
+ taxonomies.append(self.build_taxonomy("info", namespace, 'http-agents', value))
+
+ return {"taxonomies": taxonomies}
+
+ def run(self):
+ Analyzer.run(self)
+ info = {}
+ try:
+ if self.data_type == 'ip':
+ url = self.base_url + "/rest/appliances/host_id/" + self.get_data() + self.tenant_param
+ resp = self.session.get(url, verify=self.ssl_verify, proxies=self.proxies)
+ resp.raise_for_status()
+ info = resp.json()
+ # TODO add support for user-agent and fqdn
+ else:
+ self.error('Invalid data type !')
+
+ self.report(info)
+
+ except Exception as e:
+ self.unexpectedError(e)
+
+
+if __name__ == '__main__':
+ StamusNetworksAnalyzer().run()
diff --git a/analyzers/StamusNetworks/requirements.txt b/analyzers/StamusNetworks/requirements.txt
new file mode 100644
index 000000000..6aabc3cfa
--- /dev/null
+++ b/analyzers/StamusNetworks/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/StamusNetworks_HostID_1_0/long.html b/thehive-templates/StamusNetworks_HostID_1_0/long.html
new file mode 100644
index 000000000..c18f81669
--- /dev/null
+++ b/thehive-templates/StamusNetworks_HostID_1_0/long.html
@@ -0,0 +1,80 @@ + +
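Review bot: In `artifacts`, `if len(net_info) > -1:` is always true, so an empty `net_info` list reaches `sorted(net_info, key=lambda k: k['last_seen'], reverse=True)[0]` and raises IndexError, which `run` then surfaces through `unexpectedError` for every host that has no network info; the guard should read `if net_info:`. `summary` has the mirror-image gap: it indexes `raw["host_id"]["first_seen"]` unconditionally while `artifacts` first checks `raw.get('host_id') is None`, so a response without `host_id` (an address the platform has not seen) fails in `summary`; an early `if raw.get("host_id") is None: return {"taxonomies": []}` would keep the two methods consistent. Minor: in `run`, `self.get_data()` is concatenated straight into the URL path, and `urllib.parse.quote(self.get_data(), safe='')` would keep a malformed observable from altering the path or query sent to the platform.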
+ SSP Host Information Report +
+Services for IP
+# | +Proto | +Port | +{{$index + 1}} | +{{row.proto}} | +{{row.port}} | + +
---|
Username
+# | +Username | +First Seen | +Last Seen | +{{$index + 1}} | +{{row.user}} | +{{row.first_seen}} | +{{row.last_seen}} | + +
---|
Username
+# | +HTTP User Agent | +First Seen | +Last Seen | +{{$index + 1}} | +{{row.agent}} | +{{row.first_seen}} | +{{row.last_seen}} | + +
---|
+ {{content.errorMessage}} ++
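Review bot: The heading above the third table reads `Username` (its second occurrence) while that table's columns are `HTTP User Agent`, `First Seen`, `Last Seen`, which looks like the second table's heading copied along with its markup; `HTTP User Agents` is presumably the intended label. The template's tags did not survive rendering in this view, so I cannot check the surrounding markup or confirm where the hunk ends; the mismatched heading is the one point I can raise from what is visible.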