-
Notifications
You must be signed in to change notification settings - Fork 379
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1191 from Paulovgarcia/master
Implemented Axur ioc's analyzer
- Loading branch information
Showing
6 changed files
with
252 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| ### Axur Ioc's analyzer | ||
|
|
||
| The Axur IOC Analyzer is a tool for identifying and value potential threats in your data. It uses Axur's services and databases to perform analysis on a variety of data types. | ||
|
|
||
| The Analyzer provides an efficient solution to evaluate potential threats by examining various data types including: | ||
|
|
||
| * _domain_ | ||
| * _url_ | ||
| * _ip_ | ||
| * _fqdn_ | ||
| * _hash_ | ||
|
|
||
| With the Axur IOC Analyzer, Axur clients have an easy way to make their data environment safer and more secure. | ||
|
|
||
| #### Requirements | ||
| You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients. | ||
|
|
||
| - Provide your API key as values for the `api_key` header. | ||
|
|
||
| ### Return example | ||
|
|
||
| ``` | ||
| { | ||
| "success": true, | ||
| "summary": { | ||
| "taxonomies": [ | ||
| { | ||
| "level": "suspicious", | ||
| "namespace": "Axur", | ||
| "predicate": "IOC_FEED", | ||
| "value": 2 | ||
| }, | ||
| { | ||
| "level": "suspicious", | ||
| "namespace": "Axur", | ||
| "predicate": "EXPLORE", | ||
| "value": 1 | ||
| }, | ||
| { | ||
| "level": "suspicious", | ||
| "namespace": "Axur", | ||
| "predicate": "MALICIOUS_URL", | ||
| "value": 1 | ||
| } | ||
| ] | ||
| }, | ||
| "artifacts": [], | ||
| "operations": [], | ||
| "full": { | ||
| "type": "URL", | ||
| "value": "https://sso.ecometrica.com/accounts/#", | ||
| "results": [ | ||
| { | ||
| "source": "IOC_FEED", | ||
| "score": 2, | ||
| "hits": 2, | ||
| "context": [ | ||
| { | ||
| "tags": [ | ||
| "phishing" | ||
| ], | ||
| "detection": 1683945464000, | ||
| "risk": "UNDEFINED", | ||
| "platform": "AXUR" | ||
| }, | ||
| { | ||
| "tags": [], | ||
| "detection": 1642009957000, | ||
| "risk": "MEDIUM", | ||
| "platform": "AXUR" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "source": "EXPLORE", | ||
| "score": 2, | ||
| "hits": 1, | ||
| "context": [ | ||
| { | ||
| "content": "texto", | ||
| "detection": 1687187006704, | ||
| "platform": "AXUR" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "source": "MALICIOUS_URL", | ||
| "score": 2, | ||
| "hits": 1, | ||
| "context": [ | ||
| { | ||
| "riskLevel": 0.49, | ||
| "collectorName": "urlscan", | ||
| "detection": 1687187006704, | ||
| "ticketStatus": "open", | ||
| "platform": "AXUR" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "searchDate": 1687292305787 | ||
| } | ||
| } | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| { | ||
| "name": "Axur", | ||
| "author": "Axur", | ||
| "version": "1.0", | ||
| "license": "AGPL-V3", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "description": "Search IPs, domains, hashes or URLs on axur.com", | ||
| "dataTypeList": ["domain", "fqdn", "ip", "url", "hash"], | ||
| "command": "Axur/axur_analyzer.py", | ||
| "baseConfig": "Axur", | ||
| "configurationItems": [ | ||
| { | ||
| "name": "api_key", | ||
| "description": "Define the API key", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| } | ||
| ], | ||
| "registration_required": true, | ||
| "subscription_required": true, | ||
| "free_subscription": false, | ||
| "service_homepage": "https://www.axur.com" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| #!/usr/bin/env python3 | ||
| # encoding: utf-8 | ||
|
|
||
| from cortexutils.analyzer import Analyzer | ||
| from urllib.parse import quote_plus | ||
| import requests | ||
|
|
||
|
|
||
| class AxurAnalyzer(Analyzer): | ||
|
|
||
| def __init__(self): | ||
| Analyzer.__init__(self) | ||
| self.api_key = self.get_param( | ||
| 'config.api_key', None, 'Missing Axur API key' | ||
| ) | ||
|
|
||
| def run(self): | ||
| if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']: | ||
| self.error('Wrong data type') | ||
|
|
||
| encoded_data = quote_plus(self.get_data()) | ||
| url = f'https://api.axur.com/gateway/1.0/api/ioc-search/search/{self.data_type}/{encoded_data}' | ||
|
|
||
| try: | ||
| response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'}) | ||
| response.raise_for_status() | ||
| self.report(response.json()) | ||
| except requests.HTTPError as http_err: | ||
| self.error('HTTP error occurred: {}'.format(http_err)) | ||
| except Exception as err: | ||
| self.error('Error occurred: {}'.format(err)) | ||
|
|
||
| def summary(self, raw): | ||
| taxonomies = [] | ||
| levels = ['info', 'safe', 'suspicious', 'malicious'] | ||
|
|
||
| for data in raw['results']: | ||
| level = levels[data.get('score', 0)] | ||
| taxonomies.append( | ||
| self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0)) | ||
| ) | ||
|
|
||
| return {'taxonomies': taxonomies} | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| AxurAnalyzer().run() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| cortexutils | ||
| requests | ||
| urllib |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| <div class="panel panel-info" ng-if="success"> | ||
| <div class="panel-heading"> | ||
| <strong>Axur IOC Search Results</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <div ng-repeat="result in content" class="panel panel-default"> | ||
| <div class="panel-heading"> | ||
| <strong>{{result.source}}</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Source</dt> | ||
| <dd class="wrap">{{result.source || "-"}}</dd> | ||
|
|
||
| <dt>Hits</dt> | ||
| <dd class="wrap">{{result.hits || "-"}}</dd> | ||
|
|
||
| <dt>Score</dt> | ||
| <dd class="wrap">{{result.score || "-"}}</dd> | ||
| </dl> | ||
|
|
||
| <div ng-repeat="context in result.context"> | ||
| <hr> | ||
|
|
||
| <div ng-if="result.source == 'ioc-feed'"> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Tags</dt> | ||
| <dd class="wrap">{{context.tags.join(', ') || "-"}}</dd> | ||
|
|
||
| <dt>Detection</dt> | ||
| <dd class="wrap">{{context.detection || "-"}}</dd> | ||
| </dl> | ||
| </div> | ||
|
|
||
| <div ng-if="result.source == 'explore'"> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Content</dt> | ||
| <dd class="wrap">{{context.content || "-"}}</dd> | ||
|
|
||
| <dt>Detection</dt> | ||
| <dd class="wrap">{{context.detection || "-"}}</dd> | ||
| </dl> | ||
| </div> | ||
|
|
||
| <div ng-if="result.source == 'malicious-urls'"> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Risk Level</dt> | ||
| <dd class="wrap">{{context.riskLevel || "-"}}</dd> | ||
|
|
||
| <dt>Collector Name</dt> | ||
| <dd class="wrap">{{context['collector-name'] || "-"}}</dd> | ||
|
|
||
| <dt>Detection</dt> | ||
| <dd class="wrap">{{context.detection || "-"}}</dd> | ||
| </dl> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- General error --> | ||
| <div class="panel panel-danger" ng-if="!success"> | ||
| <div class="panel-heading"> | ||
| <strong>Error</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| {{content.errorMessage}} | ||
| </div> | ||
| </div> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"> | ||
| {{t.namespace}}:{{t.predicate}}="{{t.value}}" | ||
| </span> |