Merge branch 'release/3.4.3'

CHANGELOG.md

@@ -1,6 +1,19 @@
 # Changelog
 
-## [3.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2024-12-24)
+## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2025-01-16)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.2...3.4.3)
+
+**Closed issues:**
+
+- \[FR\] Crowdstrike Falcon: support custom base URL [\#1306](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309)
+
+**Merged pull requests:**
+
+- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self))
+- utils improvements [\#1311](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1311) ([nusantara-self](https://github.com/nusantara-self))
+
+## [3.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2024-12-26)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.1...3.4.2)
 
@@ -10,6 +23,13 @@
 - \[FR\] Analyzer for observable validation [\#1305](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1305)
 - \[FR\] New Analyzer: Axur Ioc's \(WIP\) [\#1190](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1190)
 
+**Merged pull requests:**
+
+- Add ValidateObservable analyzer [\#1308](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1308) ([nusantara-self](https://github.com/nusantara-self))
+- CrowdStrike Falcon - Implement TheHive custom user-agent across integrations [\#1307](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1307) ([nusantara-self](https://github.com/nusantara-self))
+- feat\(c25\): adds cluster25's cortex analyzer [\#1241](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1241) ([Mv35](https://github.com/Mv35))
+- Implemented Axur ioc's analyzer [\#1191](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1191) ([Paulovgarcia](https://github.com/Paulovgarcia))
+
 ## [3.4.1](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.1) (2024-12-17)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.0...3.4.1)

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "vuln_fields",
             "description": "Specific field values to keep in resulting payload for vulnerabilities",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_GetDeviceVulnerabilities.py

@@ -12,7 +12,7 @@ def __init__(self):
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
         self.vuln_fields = self.get_param("config.vuln_fields", [])
-
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
 
 
     def run(self):
@@ -23,7 +23,7 @@ def run(self):
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"
                 }
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
                 hostname = self.get_data()
 

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox.py

@@ -15,6 +15,7 @@ def __init__(self):
         self.filepath = self.getParam("file", None, "File is missing")
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
         self.environment = self.get_param("config.service", 160)
         self.network_settings = self.get_param("config.network_settings", "default")
         self.action_script = self.get_param("config.action_script", "default")
@@ -48,7 +49,7 @@ def run(self):
             }
 
             with open(filepath, "rb") as sample:
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 # Define the custom header
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Android.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Linux.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_MacOS.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win10.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win11.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_Sandbox_Win7_64.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "network_settings",
             "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.json

@@ -32,6 +32,14 @@
             "required": true,
             "defaultValue": ""
         },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
+        },
         {
             "name": "alert_fields",
             "description": "Fields to return for each invidividual alerts",

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceAlerts.py

@@ -10,14 +10,15 @@ def __init__(self):
         Analyzer.__init__(self)
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
         self.alert_fields = self.get_param("config.alert_fields")
         self.days_before = self.get_param("config.days_before")
 
     def run(self):
         Analyzer.run(self)
         if self.data_type == 'hostname':
             try:
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 # Define the custom header
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.json

@@ -31,6 +31,14 @@
             "multi": false,
             "required": true,
             "defaultValue": ""
+        },
+        {
+            "name": "base_url",
+            "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+            "type": "string",
+            "multi": false,
+            "required": true,
+            "defaultValue": "https://api.crowdstrike.com"
         }
     ],
     "registration_required": true,

analyzers/CrowdstrikeFalcon/CrowdstrikeFalcon_getDeviceDetails.py

@@ -11,12 +11,14 @@ def __init__(self):
         Analyzer.__init__(self)
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
+
 
     def run(self):
         Analyzer.run(self)
         if self.data_type == 'hostname':
             try:
-                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+                auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
                 # Define the custom header
                 extra_headers = {
                     "User-Agent": "strangebee-thehive/1.0"

analyzers/ValidateObservable/README.md

@@ -13,49 +13,49 @@ The **ValidateObservable** analyzer is designed to validate multiple observable
 ## Supported Data Types / Features
 1. **IP Addresses**
 
-- Validates individual IPs and CIDR ranges.
-- Flags reserved, private, and loopback IPs with appropriate notes.
+    - Validates individual IPs and CIDR ranges.
+    - Flags reserved, private, and loopback IPs with appropriate notes.
 
 2. **Domains**
 
-- Detects valid domain names.
-- Flags domains using Punycode (e.g., xn--) as suspicious.
-- Identifies unusual characters in domain names.
+    - Detects valid domain names.
+    - Flags domains using Punycode (e.g., xn--) as suspicious.
+    - Identifies unusual characters in domain names.
 
 3. **URLs**
 
-- Validates URLs with or without schemes.
-- Flags URLs containing Punycode domains or unusual characters as suspicious.
-- Detects malformed URLs.
+    - Validates URLs with or without schemes.
+    - Flags URLs containing Punycode domains or unusual characters as suspicious.
+    - Detects malformed URLs.
 
 4. **Fully Qualified Domain Names (FQDNs)**
 
-- Validates FQDNs for proper structure and length.
-- Flags FQDNs using Punycode and unusual characters as suspicious.
+    - Validates FQDNs for proper structure and length.
+    - Flags FQDNs using Punycode and unusual characters as suspicious.
 
 5. **Emails**
 
-- Checks email structure for validity.
-- Detects unusual characters in email addresses.
-- Validates against length constraints.
+    - Checks email structure for validity.
+    - Detects unusual characters in email addresses.
+    - Validates against length constraints.
 
 6. **File Hashes**
 
-- Validates MD5, SHA1, SHA256, and SHA512 hash formats.
+    - Validates MD5, SHA1, SHA256, and SHA512 hash formats.
 
 7. **Filenames**
 
-- Flags invalid characters in filenames (<, >, :, |, etc.).
-- Detects multiple extensions (for example, .txt.exe) as suspicious.
-- Identifies Unicode bidirectional override characters (U+202E, etc.) to prevent obfuscated extensions.
+    - Flags invalid characters in filenames (<, >, :, |, etc.).
+    - Detects multiple extensions (for example, .txt.exe) as suspicious.
+    - Identifies Unicode bidirectional override characters (U+202E, etc.) to prevent obfuscated extensions.
 
 8. **URI Paths**
 
-- Ensures paths start with / and are well-formed.
+    - Ensures paths start with / and are well-formed.
 
 9. **User Agents**
 
-- Checks for excessive length and control characters.
+    - Checks for excessive length and control characters.
 
 ## Special Features
 

responders/CrowdstrikeFalcon/CrowdStrikeFalcon_AddIOC.json

@@ -30,6 +30,14 @@
       "required": true,
       "defaultValue": ""
     },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
+    },
     {
       "name": "severity",
       "description": "Severity linked to the IoC - informational, low, medium, high, critical",

responders/CrowdstrikeFalcon/CrowdStrikeFalcon_Sync.json

@@ -30,6 +30,14 @@
       "required": true,
       "defaultValue": ""
     },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
+    },
     {
       "name": "custom_field_name_alert_id",
       "description": "Custom field in TheHive containing the CSFalcon Alert ID",

responders/CrowdstrikeFalcon/CrowdStrikeFalcon_removeIOC.json

@@ -29,6 +29,14 @@
       "multi": false,
       "required": true,
       "defaultValue": ""
+    },
+    {
+      "name": "base_url",
+      "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://api.crowdstrike.com"
     }
   ],
   "registration_required": true,

responders/CrowdstrikeFalcon/CrowdstrikeFalconHosts.py

@@ -9,6 +9,8 @@ def __init__(self):
         self.client_id = self.get_param("config.client_id")
         self.client_secret = self.get_param("config.client_secret")
         self.service = self.get_param("config.service", None)
+        self.base_url = self.get_param("config.base_url", "https://api.crowdstrike.com")
+
 
     def run(self):
         Responder.run(self)
@@ -18,7 +20,7 @@ def run(self):
         extra_headers = {
             "User-Agent": "strangebee-thehive/1.0"
         }
-        auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret)
+        auth = OAuth2(client_id=self.client_id, client_secret=self.client_secret, base_url=self.base_url)
         hosts = Hosts(auth_object=auth, ext_headers=extra_headers)
 
         # Search for the device ID using the hostname