From 03554a879434acde993ba50fb9469b6a6ca443f9 Mon Sep 17 00:00:00 2001
From: Paulo Garcia
Date: Mon, 5 Jun 2023 16:24:02 -0300
Subject: [PATCH 1/9] Implemented Axur ioc's analyzer
---
 analyzers/Axur/axur_analyzer.json | 19 +++++++++++++++++
 analyzers/Axur/axur_analyzer.py   | 34 +++++++++++++++++++++++++++++++
 analyzers/Axur/requirements.txt   |  2 ++
 3 files changed, 55 insertions(+)
 create mode 100644 analyzers/Axur/axur_analyzer.json
 create mode 100644 analyzers/Axur/axur_analyzer.py
 create mode 100644 analyzers/Axur/requirements.txt
diff --git a/analyzers/Axur/axur_analyzer.json b/analyzers/Axur/axur_analyzer.json
new file mode 100644
index 000000000..e7d1f973c
--- /dev/null
+++ b/analyzers/Axur/axur_analyzer.json
@@ -0,0 +1,19 @@
+{
+  "name": "Axur",
+  "author": "Axur",
+  "version": "1.0.",
+  "license": "AGPL-V3",
+  "description": "Search IPs, domains, hashes or URLs on axur.com",
+  "dataTypeList": ["domain", "fqdn", "ip", "url", "hash"],
+  "command": "Axur/axur_analyzer.py",
+  "baseConfig": "Axur",
+  "configurationItems": [
+    {
+      "name": "api_key",
+      "description": "Define the API key",
+      "type": "string",
+      "multi": false,
+      "required": true
+    }
+  ]
+}
\ No newline at end of file
diff --git a/analyzers/Axur/axur_analyzer.py b/analyzers/Axur/axur_analyzer.py
new file mode 100644
index 000000000..74a1aefc7
--- /dev/null
+++ b/analyzers/Axur/axur_analyzer.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+import requests
+
+
+class AxurAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.api_key = self.get_param(
+            'config.api_key', None, 'Missing API key'
+        )
+
+    def run(self):
+        if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']:
+            self.error('Wrong data type')
+
+        url = f'https://api.axur.com/gateway/1.0/ioc/{self.data_type}/{self.get_data()}'
+
+        try:
+            self.report(requests.get(url, headers={'api_key': self.api_key}).json())
+        except Exception as e:
+            self.error(e)
+
+    def summary(self, raw):
+        value = raw.get('Score', 0)
+        level = ['safe', 'suspicious', 'malicious'][value]
+        return {'taxonomies': [self.build_taxonomy(level, 'Axur', 'Score', value)]}
+
+
+if __name__ == '__main__':
+    AxurAnalyzer().run()
diff --git a/analyzers/Axur/requirements.txt b/analyzers/Axur/requirements.txt
new file mode 100644
index 000000000..4a21dbf63
--- /dev/null
+++ b/analyzers/Axur/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
\ No newline at end of file
From d681c91afd5ea990a86035cd191e60fe2c2da24c Mon Sep 17 00:00:00 2001
From: Paulo Garcia
Date: Fri, 9 Jun 2023 12:46:23 -0300
Subject: [PATCH 2/9] Refactored Axur ioc's analyzer and added templates
---
 analyzers/Axur/axur_analyzer.json     |  1 +
 analyzers/Axur/axur_analyzer.py       | 25 +++++++---
 thehive-templates/Axur_1.0/long.html  | 71 +++++++++++++++++++++++++++
 thehive-templates/Axur_1.0/short.html |  3 ++
 4 files changed, 93 insertions(+), 7 deletions(-)
 create mode 100644 thehive-templates/Axur_1.0/long.html
 create mode 100644 thehive-templates/Axur_1.0/short.html
diff --git a/analyzers/Axur/axur_analyzer.json b/analyzers/Axur/axur_analyzer.json
index e7d1f973c..50270a5a6 100644
--- a/analyzers/Axur/axur_analyzer.json
+++ b/analyzers/Axur/axur_analyzer.json
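Review bot: The `requests.get(url, headers={'api_key': self.api_key})` call in run() carries no `timeout`, so a stalled connection to api.axur.com blocks the Cortex job indefinitely, and the surrounding `except Exception` never gets a chance to report anything because no exception is raised. Pass an explicit bound, e.g. `requests.get(url, headers={'api_key': self.api_key}, timeout=30)`. The same unbounded call is carried forward by every later rewrite of this block in the series — the `@@ -17,17 +17,28 @@` hunk of PATCH 2/9, the `@@ -10,17 +11,18 @@` hunk of PATCH 3/9 and the `@@ -24,7 +24,7 @@` hunks of PATCH 4/9 and 5/9 — none of which adds one.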
@@ -3,6 +3,7 @@
   "author": "Axur",
   "version": "1.0.",
   "license": "AGPL-V3",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "description": "Search IPs, domains, hashes or URLs on axur.com",
   "dataTypeList": ["domain", "fqdn", "ip", "url", "hash"],
   "command": "Axur/axur_analyzer.py",
diff --git a/analyzers/Axur/axur_analyzer.py b/analyzers/Axur/axur_analyzer.py
index 74a1aefc7..6b0cbeba9 100644
--- a/analyzers/Axur/axur_analyzer.py
+++ b/analyzers/Axur/axur_analyzer.py
@@ -17,17 +17,28 @@ def run(self):
         if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']:
             self.error('Wrong data type')
 
-        url = f'https://api.axur.com/gateway/1.0/ioc/{self.data_type}/{self.get_data()}'
+        url = f'https://api.axur.com/gateway/1.0/ioc-search/{self.data_type}/{self.get_data()}'
 
         try:
-            self.report(requests.get(url, headers={'api_key': self.api_key}).json())
-        except Exception as e:
-            self.error(e)
+            response = requests.get(url, headers={'api_key': self.api_key})
+            response.raise_for_status()
+            self.report(response.json())
+        except requests.HTTPError as http_err:
+            self.error('HTTP error occurred: {}'.format(http_err))
+        except Exception as err:
+            self.error('Error occurred: {}'.format(err))
 
     def summary(self, raw):
-        value = raw.get('Score', 0)
-        level = ['safe', 'suspicious', 'malicious'][value]
-        return {'taxonomies': [self.build_taxonomy(level, 'Axur', 'Score', value)]}
+        taxonomies = []
+        levels = ['info', 'safe', 'suspicious', 'malicious']
+
+        for data in raw:
+            level = levels[data.get('score', 0)]
+            taxonomies.append(
+                self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0))
+            )
+
+        return {'taxonomies': taxonomies}
 
 
 if __name__ == '__main__':
diff --git a/thehive-templates/Axur_1.0/long.html b/thehive-templates/Axur_1.0/long.html
new file mode 100644
index 000000000..616858389
--- /dev/null
+++ b/thehive-templates/Axur_1.0/long.html
@@ -0,0 +1,71 @@
+
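Review bot: In summary(), `levels[data.get('score', 0)]` raises IndexError for any score outside 0–3 and `data['source']` raises KeyError for an entry without a source, so a single unexpected element in an otherwise successful API reply breaks the taxonomy for the whole report. Guard both lookups, e.g. `score = data.get('score', 0)`, `level = levels[score] if isinstance(score, int) and 0 <= score < len(levels) else 'info'`, and `data.get('source', 'unknown')` in the build_taxonomy call. The loop also assumes `raw` iterates over result entries; if the service answers with an object the iteration yields its keys instead — worth confirming against the documented response shape.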
+
+ Axur IOC Search Results +
+
+
+
+ {{result.source}} +
+
+
+
Source
+
{{result.source || "-"}}
+ +
Hits
+
{{result.hits || "-"}}
+ +
Score
+
{{result.score || "-"}}
+
+ +
+
+ +
+
+
Tags
+
{{context.tags.join(', ') || "-"}}
+ +
Detection
+
{{context.detection || "-"}}
+
+
+ +
+
+
Content
+
{{context.content || "-"}}
+ +
Detection
+
{{context.detection || "-"}}
+
+
+ +
+
+
Risk Level
+
{{context.riskLevel || "-"}}
+ +
Collector Name
+
{{context['collector-name'] || "-"}}
+ +
Detection
+
{{context.detection || "-"}}
+
+
+
+
+
+
+
+ + +
+
+ Error +
+
+ {{content.errorMessage}} +
+
+
diff --git a/thehive-templates/Axur_1.0/short.html b/thehive-templates/Axur_1.0/short.html
new file mode 100644
index 000000000..9fd48f9fa
--- /dev/null
+++ b/thehive-templates/Axur_1.0/short.html
@@ -0,0 +1,3 @@
+
+{{t.namespace}}:{{t.predicate}}="{{t.value}}"
+
\ No newline at end of file
From 58f88b979095d27bdf005fcd0d8cc1a5a9cfec21 Mon Sep 17 00:00:00 2001
From: Paulo Garcia
Date: Mon, 19 Jun 2023 20:01:41 -0300
Subject: [PATCH 3/9] Improvement Axur ioc's analyzer
---
 analyzers/Axur/README.md        | 18 ++++++++++++++++++
 analyzers/Axur/axur_analyzer.py | 10 ++++++----
 analyzers/Axur/requirements.txt |  3 ++-
 3 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 analyzers/Axur/README.md
diff --git a/analyzers/Axur/README.md b/analyzers/Axur/README.md
new file mode 100644
index 000000000..76fc6254a
--- /dev/null
+++ b/analyzers/Axur/README.md
@@ -0,0 +1,18 @@
+### Axur Ioc's analyzer
+
+The Axur IOC Analyzer is a tool for identifying and value potential threats in your data. It uses Axur's services and databases to perform analysis on a variety of data types.
+
+The Analyzer provides an efficient solution to evaluate potential threats by examining various data types including:
+
+* _domain_
+* _url_
+* _ip_
+* _fqdn_
+* _hash_
+
+With the Axur IOC Analyzer, Axur clients have an easy way to make their data environment safer and more secure.
+
+#### Requirements
+You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients.
+
+- Provide your API key as values for the `api_key` header.
\ No newline at end of file
diff --git a/analyzers/Axur/axur_analyzer.py b/analyzers/Axur/axur_analyzer.py
index 6b0cbeba9..f1f4160f5 100644
--- a/analyzers/Axur/axur_analyzer.py
+++ b/analyzers/Axur/axur_analyzer.py
@@ -2,6 +2,7 @@
 # encoding: utf-8
 
 from cortexutils.analyzer import Analyzer
+from urllib.parse import quote_plus
 import requests
 
 
@@ -10,17 +11,18 @@ class AxurAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
         self.api_key = self.get_param(
-            'config.api_key', None, 'Missing API key'
+            'config.api_key', None, 'Missing Axur API key'
         )
 
     def run(self):
         if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']:
             self.error('Wrong data type')
 
-        url = f'https://api.axur.com/gateway/1.0/ioc-search/{self.data_type}/{self.get_data()}'
+        encoded_data = quote_plus(self.get_data())
+        url = f'https://api.axur.com/gateway/1.0/api/ioc-search/search/{self.data_type}/{encoded_data}'
 
         try:
-            response = requests.get(url, headers={'api_key': self.api_key})
+            response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})
             response.raise_for_status()
             self.report(response.json())
         except requests.HTTPError as http_err:
@@ -32,7 +34,7 @@ def summary(self, raw):
         taxonomies = []
         levels = ['info', 'safe', 'suspicious', 'malicious']
 
-        for data in raw:
+        for data in raw['results']:
             level = levels[data.get('score', 0)]
             taxonomies.append(
                 self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0))
diff --git a/analyzers/Axur/requirements.txt b/analyzers/Axur/requirements.txt
index 4a21dbf63..24c10f722 100644
--- a/analyzers/Axur/requirements.txt
+++ b/analyzers/Axur/requirements.txt
@@ -1,2 +1,3 @@
 cortexutils
-requests
\ No newline at end of file
+requests
+urllib
\ No newline at end of file
From 19ef8347c13819d7bb9a98c657cfba73d952e7d8 Mon Sep 17 00:00:00 2001
From: Paulo Garcia
Date: Wed, 21 Jun 2023 19:40:31 -0300
Subject: [PATCH 4/9] Added only results in report
---
 analyzers/Axur/axur_analyzer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analyzers/Axur/axur_analyzer.py b/analyzers/Axur/axur_analyzer.py
index f1f4160f5..1f0786fe5 100644
--- a/analyzers/Axur/axur_analyzer.py
+++ b/analyzers/Axur/axur_analyzer.py
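Review bot: `quote_plus(self.get_data())` encodes a space as `+`, which inside a URL path segment is a literal plus sign rather than a space, so an observable containing whitespace reaches the API altered; `quote(self.get_data(), safe='')` is the path-segment encoder and still escapes `/`, which matters for the `url` data type. The README added in this same commit still instructs users to supply the key in an `api_key` header, while this hunk moves the request to `Authorization: Bearer …`; the README sentence should follow the code. run() continues past the end of the hunk.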
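Review bot: `for data in raw['results']:` raises KeyError when a successful reply has no `results` key, which turns an empty or unexpected response into a failed summary after the request itself went through; `for data in raw.get('results', []):` keeps the report and simply yields no taxonomies. summary() continues past the end of the hunk.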
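Review bot: `urllib` should not be added to requirements.txt: `urllib.parse`, the only thing this commit imports, is part of the Python standard library, so the line does nothing for the code, while pip will resolve the bare name against PyPI and install whatever unrelated distribution is published as `urllib` into the analyzer image. Pulling a third-party package by a stdlib name is an avoidable supply-chain exposure; drop the line and keep `cortexutils` and `requests` only.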
@@ -24,7 +24,7 @@ def run(self):
         try:
             response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})
             response.raise_for_status()
-            self.report(response.json())
+            self.report(response.json()["results"])
         except requests.HTTPError as http_err:
             self.error('HTTP error occurred: {}'.format(http_err))
         except Exception as err:
From fbb7bc62f2dfc69eaea9085719139dbaaca797bf Mon Sep 17 00:00:00 2001
From: Paulo Garcia
Date: Fri, 21 Jul 2023 13:28:31 -0300
Subject: [PATCH 5/9] Refactored results in report
---
 analyzers/Axur/axur_analyzer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analyzers/Axur/axur_analyzer.py b/analyzers/Axur/axur_analyzer.py
index 1f0786fe5..f1f4160f5 100644
--- a/analyzers/Axur/axur_analyzer.py
+++ b/analyzers/Axur/axur_analyzer.py
@@ -24,7 +24,7 @@ def run(self):
         try:
             response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})
             response.raise_for_status()
-            self.report(response.json()["results"])
+            self.report(response.json())
         except requests.HTTPError as http_err:
             self.error('HTTP error occurred: {}'.format(http_err))
         except Exception as err:
From 4dc8a711d9702696768905e5b5a192e9436be750 Mon Sep 17 00:00:00 2001
From: brunotoresan-axur
Date: Wed, 16 Aug 2023 16:58:03 -0300
Subject: [PATCH 6/9] adding return example in README
---
 analyzers/Axur/README.md | 88 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 87 insertions(+), 1 deletion(-)
diff --git a/analyzers/Axur/README.md b/analyzers/Axur/README.md
index 76fc6254a..70a01833d 100644
--- a/analyzers/Axur/README.md
+++ b/analyzers/Axur/README.md
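Review bot: `self.report(response.json()["results"])` hands summary() the bare results list, but summary() (outside this hunk, in the same file) indexes `raw['results']`, so building the taxonomies raises TypeError on a list and the report loses its summary; the two methods must agree on the shape passed to report(). The next commit in this series reverts this line, which removes the mismatch, so the two patches cancel out rather than fix anything. run() continues past the end of the hunk.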
@@ -15,4 +15,90 @@ With the Axur IOC Analyzer, Axur clients have an easy way to make their data env
 #### Requirements
 You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients.
 
-- Provide your API key as values for the `api_key` header.
\ No newline at end of file
+- Provide your API key as values for the `api_key` header.
+
+### Return example
+
+```
+{
+  "success": true,
+  "summary": {
+    "taxonomies": [
+      {
+        "level": "suspicious",
+        "namespace": "Axur",
+        "predicate": "IOC_FEED",
+        "value": 2
+      },
+      {
+        "level": "suspicious",
+        "namespace": "Axur",
+        "predicate": "EXPLORE",
+        "value": 1
+      },
+      {
+        "level": "suspicious",
+        "namespace": "Axur",
+        "predicate": "MALICIOUS_URL",
+        "value": 1
+      }
+    ]
+  },
+  "artifacts": [],
+  "operations": [],
+  "full": {
+    "type": "URL",
+    "value": "https://sso.ecometrica.com/accounts/login",
+    "results": [
+      {
+        "source": "IOC_FEED",
+        "score": 2,
+        "hits": 2,
+        "context": [
+          {
+            "tags": [
+              "phishing"
+            ],
+            "detection": 1683945464000,
+            "risk": "UNDEFINED",
+            "platform": "AXUR"
+          },
+          {
+            "tags": [],
+            "detection": 1642009957000,
+            "risk": "MEDIUM",
+            "platform": "AXUR"
+          }
+        ]
+      },
+      {
+        "source": "EXPLORE",
+        "score": 2,
+        "hits": 1,
+        "context": [
+          {
+            "content": "texto",
+            "detection": 1687187006704,
+            "platform": "AXUR"
+          }
+        ]
+      },
+      {
+        "source": "MALICIOUS_URL",
+        "score": 2,
+        "hits": 1,
+        "context": [
+          {
+            "riskLevel": 0.49,
+            "collectorName": "urlscan",
+            "detection": 1687187006704,
+            "ticketStatus": "open",
+            "platform": "AXUR"
+          }
+        ]
+      }
+    ],
+    "searchDate": 1687292305787
+  }
+}
+```
From fc0fef2785f2958a3d7d8980a62c89dd39aa349d Mon Sep 17 00:00:00 2001
From: "Fabien B." <15647296+nusantara-self@users.noreply.github.com>
Date: Wed, 23 Oct 2024 02:39:59 +0900
Subject: [PATCH 7/9] Update axur_analyzer.json - Fix version number & registration requirements
---
 analyzers/Axur/axur_analyzer.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/analyzers/Axur/axur_analyzer.json b/analyzers/Axur/axur_analyzer.json
index 50270a5a6..b8da62c08 100644
--- a/analyzers/Axur/axur_analyzer.json
+++ b/analyzers/Axur/axur_analyzer.json
@@ -1,7 +1,7 @@
 {
   "name": "Axur",
   "author": "Axur",
-  "version": "1.0.",
+  "version": "1.0",
   "license": "AGPL-V3",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "description": "Search IPs, domains, hashes or URLs on axur.com",
@@ -16,5 +16,9 @@
       "multi": false,
       "required": true
     }
-  ]
-}
\ No newline at end of file
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://www.axur.com"
+}
From 0f99e9c88e7756430521f69656b24d311cc26022 Mon Sep 17 00:00:00 2001
From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com>
Date: Wed, 18 Dec 2024 23:55:37 +0100
Subject: [PATCH 8/9] Fix folder name
---
 thehive-templates/{Axur_1.0 => Axur_1_0}/long.html | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename thehive-templates/{Axur_1.0 => Axur_1_0}/long.html (100%)
diff --git a/thehive-templates/Axur_1.0/long.html b/thehive-templates/Axur_1_0/long.html
similarity index 100%
rename from thehive-templates/Axur_1.0/long.html
rename to thehive-templates/Axur_1_0/long.html
From 183986dc2d9edd0bfa28b6d6e2d2201156c53b2b Mon Sep 17 00:00:00 2001
From: Fabien Bloume <15647296+nusantara-self@users.noreply.github.com>
Date: Wed, 18 Dec 2024 23:56:11 +0100
Subject: [PATCH 9/9] Fix folder name
---
 thehive-templates/{Axur_1.0 => Axur_1_0}/short.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename thehive-templates/{Axur_1.0 => Axur_1_0}/short.html (96%)
diff --git a/thehive-templates/Axur_1.0/short.html b/thehive-templates/Axur_1_0/short.html
similarity index 96%
rename from thehive-templates/Axur_1.0/short.html
rename to thehive-templates/Axur_1_0/short.html
index 9fd48f9fa..5fc0dabfb 100644
--- a/thehive-templates/Axur_1.0/short.html
+++ b/thehive-templates/Axur_1_0/short.html
@@ -1,3 +1,3 @@
 
 {{t.namespace}}:{{t.predicate}}="{{t.value}}"
-
\ No newline at end of file
+