Added new LupovisProwlAnalyzer #1277

analyzers/LupovisProwlAnalyzer/LupovisProwlAnalyzer.json

@@ -0,0 +1,30 @@
+{
+  "name": "LupovisProwlAnalyzer",
+  "description": "Analyzer for IP reputation using Lupovis Prowl API",
+  "author": "Lyle Docherty",
+  "version": "1.1",
+  "url": "https://api.prowl.lupovis.io",
+  "license": "AGPL-V3",
+  "dataTypeList": [
+    "ip"
+  ],
+  "baseConfig": "LupovisProwl",
+  "config": {
+    "service": "query",
+    "url": "https://api.prowl.lupovis.io/GetIPReputation?ip="
+  },
+  "command": "LupovisProwlAnalyzer/LupovisProwlAnalyzer.py",
+  "configurationItems": [
+    {
+      "name": "prowl_api_key",
+      "description": "API key for Lupovis Prowl",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "<Enter Your API Key Here>"
+    }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "service_homepage": "https://prowl.lupovis.io"
+}

analyzers/LupovisProwlAnalyzer/LupovisProwlAnalyzer.py

@@ -0,0 +1,94 @@
+!/usr/bin/env python3
+
+import subprocess
+import json
+from cortexutils.analyzer import Analyzer
+
+class LupovisProwlAnalyzer(Analyzer):
+    def __init__(self):
+        super().__init__()
+        self.prowl_api_key = 'Enter your API Key'
+        self.prowl_api_url = 'https://api.prowl.lupovis.io/GetIPReputation?ip='
+        self.proxy = 'Enter your proxy server if required'
+
+    def summary(self, raw):
+        """
+        Provides a summary of the analysis results.
+        :param raw: Raw results from the analyzer
+        :return: A list of dictionaries containing summary information
+        """
+        ttps = raw.get('ttps', [])
+        if ttps:
+            return [
+                {
+                    'level': 'malicious',
+                    'namespace': 'LupovisProwlAnalyzer',
+                    'predicate': 'Threat',
+                    'value': ttps[0] if isinstance(ttps, list) and ttps else 'Unknown threat'
+                }
+            ]
+        else:
+            return [
+                {
+                    'level': 'safe',
+                    'namespace': 'LupovisProwlAnalyzer',
+                    'predicate': 'Threat',
+                    'value': 'No known malicious activity'
+                }
+            ]
+
+    def build_taxonomy(self, level, namespace, predicate, value):
+        """
+        Constructs a taxonomy entry.
+        :param level: Severity level ('info', 'safe', 'suspicious', 'malicious')
+        :param namespace: Name of analyzer
+        :param predicate: Name of service
+        :param value: Value to report
+        :return: Dictionary representing the taxonomy entry
+        """
+        if level not in ['info', 'safe', 'suspicious', 'malicious']:
+            level = 'info'
+
+        return {
+            'level': level,
+            'namespace': namespace,
+            'predicate': predicate,
+            'value': value
+        }
+
+    def run(self):
+        """
+        Runs the analyzer, fetches data, processes it, and reports the result.
+        """
+        ip = self.get_data()
+        if not ip:
+            self.error('No IP provided')
+            return
+
+        url = f'{self.prowl_api_url}{ip}'
+        try:
+            # Constructing the curl command
+            curl_command = ['curl', '-H', f'x-api-key: {self.prowl_api_key}', url]
+            # Executing the curl command and capturing output
+            process = subprocess.Popen(curl_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env={'http_proxy': self.proxy, 'https_proxy': self.proxy})
+            stdout, stderr = process.communicate()
+            if process.returncode == 0:
+                output = stdout.decode()
+                # Parse the JSON output
+                output_json = json.loads(output)
+                # Check if "ttps" field is empty or contains "no known malicious activity"
+                details = output_json.get('ttps', 'No known malicious activity')
+                level = 'malicious' if output_json.get('ttps') else 'safe'
+                result = {
+                    "ip": ip,
+                    "details": details,
+                    "taxonomy": self.build_taxonomy(level, 'LupovisProwlAnalyzer', 'Threat', details)
+                }
+                self.report(result)
+            else:
+                self.error(f'curl command failed with error: {stderr.decode()}')
+        except Exception as e:
+            self.error(f'Error executing curl command: {e}')
+
+if __name__ == '__main__':
+    LupovisProwlAnalyzer().run()

analyzers/LupovisProwlAnalyzer/README.md

@@ -0,0 +1,28 @@
+# LupovisProwlAnalyzer
+
+## Overview
+
+The `LupovisProwlAnalyzer` is an analyzer for [TheHive](https://thehive-project.org) that integrates with the [Lupovis Prowl API](https://api.prowl.lupovis.io) to evaluate the reputation of IP addresses
+
+## Features
+
+- **IP Reputation Analysis**: Checks if an IP address is linked to malicious activities.
+- **Detailed Reporting**: Generates both detailed and summary reports for analysis results.
+- **Flexible Configuration**: Supports configuration of API keys and proxy settings.
+
+## API Key
+
+API Key: Obtain an API key from Lupovis Prowl.
+
+## Reporting
+The analyzer generates two types of reports:
+
+- Long Report (long.html): Provides a detailed view of the analysis result.
+
+- Short Report (short.html): Shows a concise summary using taxonomies.
+
+## License
+This project is licensed under the AGPL-V3 License.
+
+## Author
+Name: Lyle Docherty

analyzers/LupovisProwlAnalyzer/long.html

@@ -0,0 +1,33 @@
+<!-- Success -->
+<div class="panel panel-danger" ng-if="success">
+    <div class="panel-heading">
+        LupovisProwlAnalyzer Report
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal">
+            <dt>IP Address:</dt>
+            <dd>{{content.full.ip}}</dd>
+
+            <dt>Details:</dt>
+            <dd ng-if="content.full.details !== 'no known malicious activity'">
+                {{content.full.details}}
+            </dd>
+            <dd ng-if="content.full.details === 'no known malicious activity'">
+                No known malicious activity associated with this IP address.
+            </dd>
+        </dl>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        <dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt><i class="fa fa-warning"></i> LupovisProwlAnalyzer: </dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>

analyzers/LupovisProwlAnalyzer/requirements.txt

@@ -0,0 +1,2 @@
+requests
+cortexutils

analyzers/LupovisProwlAnalyzer/short.html

@@ -0,0 +1,6 @@
+<span class="label" ng-repeat="t in content.taxonomies"
+  ng-class="{'info': 'label-info', 'safe': 'label-success',
+  'suspicious': 'label-warning',
+  'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>