Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Observable Extractor improvement #1

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Observable Extractor improvement #1

wants to merge 3 commits into from

Conversation

jeffrey-e
Copy link

This PR contains support for full text regex parsing in order to find basic observables throughout multiline text bodies.

Current support:

  • ip
  • mail (sub matches: domain)
  • url (sub matches: domain, fqdn, uri_path)

This PR is related to: TheHive-Project/Cortex-Analyzers#399

@jeffrey-e jeffrey-e mentioned this pull request Feb 19, 2019
Closed
@kx499-zz
Copy link

This is awesome! I was actually looking to do the same thing for a spam email workflow. My take on it is that you don't want to always so a full text regex on all fields. I was thinking if you could make it an option on check_iterable and check_string. Something like an addotional param on those functions like ft=False. So it doesn't break existing stuff and you call it either on the entire analyzer output or just a field like body or something. Just my thoughts

@nadouani nadouani added this to the 2.0.0 milestone Apr 2, 2019
@nadouani
Copy link
Contributor

nadouani commented Apr 2, 2019

@gekkeharry13 Sorry for the delay, this will be merged into the new cortexutils 2.0.0 version that was under construction for Cortex 3.0.0 release.

@nadouani nadouani changed the base branch from master to develop April 4, 2019 08:38
@nadouani nadouani removed this from the 2.0.0 milestone Apr 4, 2019
@nadouani nadouani self-requested a review April 4, 2019 10:30
@kx499-zz kx499-zz mentioned this pull request Jun 25, 2019
Open
@iwitz
Copy link

iwitz commented Oct 3, 2019

There is an error at line 179 :
self.regexpack = self.ftregex + self.asregex
should be
self.regexpack = self.ftregex
Since self.asregex is not defined.

@jeffrey-e
Copy link
Author

Patched the error @iwitz and @nadouani

nadouani
nadouani reviewed Jan 21, 2020
View reviewed changes
cortexutils/extractor.py Show resolved Hide resolved
cortexutils/extractor.py Show resolved Hide resolved
cortexutils/extractor.py Show resolved Hide resolved
cortexutils/extractor.py Outdated Show resolved Hide resolved
@nadouani
Copy link
Contributor

This PR is a bit outdated, and needs to resolve conflicts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nadouani nadouani nadouani left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jeffrey-e @kx499-zz @nadouani @iwitz