Implemented Axur ioc's analyzer #1191

merged 9 commits into from
Dec 18, 2024
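--- a/analyzers/Axur/README.md
+++ b/analyzers/Axur/README.md
@@ -0,0 +1,104 @@
+### Axur Ioc's analyzer
+
+The Axur IOC Analyzer is a tool for identifying and value potential threats in your data. It uses Axur's services and databases to perform analysis on a variety of data types.
+
+The Analyzer provides an efficient solution to evaluate potential threats by examining various data types including:
+
+* _domain_
+* _url_
+* _ip_
+* _fqdn_
+* _hash_
+
+With the Axur IOC Analyzer, Axur clients have an easy way to make their data environment safer and more secure.
+
+#### Requirements
+You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients.
+
+- Provide your API key as values for the `api_key` header.
+
+### Return example
+
+```
+{
+"success": true,
+"summary": {
+"taxonomies": [
+{
+"level": "suspicious",
+"namespace": "Axur",
+"predicate": "IOC_FEED",
+"value": 2
+},
+{
+"level": "suspicious",
+"namespace": "Axur",
+"predicate": "EXPLORE",
+"value": 1
+},
+{
+"level": "suspicious",
+"namespace": "Axur",
+"predicate": "MALICIOUS_URL",
+"value": 1
+}
+]
+},
+"artifacts": [],
+"operations": [],
+"full": {
+"type": "URL",
+"value": "https://sso.ecometrica.com/accounts/#",
+"results": [
+{
+"source": "IOC_FEED",
+"score": 2,
+"hits": 2,
+"context": [
+{
+"tags": [
+"phishing"
+],
+"detection": 1683945464000,
+"risk": "UNDEFINED",
+"platform": "AXUR"
+},
+{
+"tags": [],
+"detection": 1642009957000,
+"risk": "MEDIUM",
+"platform": "AXUR"
+}
+]
+},
+{
+"source": "EXPLORE",
+"score": 2,
+"hits": 1,
+"context": [
+{
+"content": "texto",
+"detection": 1687187006704,
+"platform": "AXUR"
+}
+]
+},
+{
+"source": "MALICIOUS_URL",
+"score": 2,
+"hits": 1,
+"context": [
+{
+"riskLevel": 0.49,
+"collectorName": "urlscan",
+"detection": 1687187006704,
+"ticketStatus": "open",
+"platform": "AXUR"
+}
+]
+}
+],
+"searchDate": 1687292305787
+}
+}
+```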
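--- a/analyzers/Axur/axur_analyzer.json
+++ b/analyzers/Axur/axur_analyzer.json
@@ -0,0 +1,24 @@
+{
+"name": "Axur",
+"author": "Axur",
+"version": "1.0",
+"license": "AGPL-V3",
+"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+"description": "Search IPs, domains, hashes or URLs on axur.com",
+"dataTypeList": ["domain", "fqdn", "ip", "url", "hash"],
+"command": "Axur/axur_analyzer.py",
+"baseConfig": "Axur",
+"configurationItems": [
+{
+"name": "api_key",
+"description": "Define the API key",
+"type": "string",
+"multi": false,
+"required": true
+}
+],
+"registration_required": true,
+"subscription_required": true,
+"free_subscription": false,
+"service_homepage": "https://www.axur.com"
+}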
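--- a/analyzers/Axur/axur_analyzer.py
+++ b/analyzers/Axur/axur_analyzer.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+from urllib.parse import quote_plus
+import requests
+
+
+class AxurAnalyzer(Analyzer):
+
+def __init__(self):
+Analyzer.__init__(self)
+self.api_key = self.get_param(
+'config.api_key', None, 'Missing Axur API key'
+)
+
+def run(self):
+if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']:
+self.error('Wrong data type')
+
+encoded_data = quote_plus(self.get_data())
+url = f'https://api.axur.com/gateway/1.0/api/ioc-search/search/{self.data_type}/{encoded_data}'
+
+try:
+response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})
+response.raise_for_status()
+self.report(response.json())
+except requests.HTTPError as http_err:
+self.error('HTTP error occurred: {}'.format(http_err))
+except Exception as err:
+self.error('Error occurred: {}'.format(err))
+
+def summary(self, raw):
+taxonomies = []
+levels = ['info', 'safe', 'suspicious', 'malicious']
+
+for data in raw['results']:
+level = levels[data.get('score', 0)]
+taxonomies.append(
+self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0))
+)
+
+return {'taxonomies': taxonomies}
+
+
+if __name__ == '__main__':
+AxurAnalyzer().run()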
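Review bot: The request on the line `response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})` has no timeout, so an unresponsive api.axur.com holds the Cortex job open indefinitely; pass `timeout=30` (or a configurable value) to that call. In `summary`, `levels[data.get('score', 0)]` indexes a four-element list with a value taken straight from the API response, so any score outside 0–3 or a non-integer raises after the request has already succeeded and the whole report is lost; guard it with `score = data.get('score', 0)` and `level = levels[score] if isinstance(score, int) and 0 <= score < len(levels) else 'info'`. `raw['results']` and `data['source']` are likewise unguarded, so a response missing either key crashes the summary; `raw.get('results', [])` and `data.get('source', 'unknown')` keep it degrading gracefully. The API key travels only in the Authorization header and never in the URL, so the HTTPError text that `self.error` reports does not expose it, which is worth preserving if the error handling is reworked.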
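--- a/analyzers/Axur/requirements.txt
+++ b/analyzers/Axur/requirements.txt
@@ -0,0 +1,3 @@
+cortexutils
+requests
+urllib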
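Review bot: The `urllib` entry on the last line should be dropped: `urllib.parse`, which is what axur_analyzer.py imports, is part of the Python standard library, so `pip install -r requirements.txt` cannot satisfy that name from the stdlib and instead resolves it to whatever third-party distribution holds the name on PyPI. That pulls an unneeded package from an uncontrolled publisher into the analyzer image, which is exactly the kind of name-collision supply-chain exposure a requirements file should avoid, and if that distribution fails to install it also breaks the build for no benefit. Only `cortexutils` and `requests` are actually required by the code in this PR.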
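--- a/thehive-templates/Axur_1_0/long.html
+++ b/thehive-templates/Axur_1_0/long.html
@@ -0,0 +1,71 @@
+<div class="panel panel-info" ng-if="success">
+<div class="panel-heading">
+<strong>Axur IOC Search Results</strong>
+</div>
+<div class="panel-body">
+<div ng-repeat="result in content" class="panel panel-default">
+<div class="panel-heading">
+<strong>{{result.source}}</strong>
+</div>
+<div class="panel-body">
+<dl class="dl-horizontal">
+<dt>Source</dt>
+<dd class="wrap">{{result.source || "-"}}</dd>
+
+<dt>Hits</dt>
+<dd class="wrap">{{result.hits || "-"}}</dd>
+
+<dt>Score</dt>
+<dd class="wrap">{{result.score || "-"}}</dd>
+</dl>
+
+<div ng-repeat="context in result.context">
+<hr>
+
+<div ng-if="result.source == 'ioc-feed'">
+<dl class="dl-horizontal">
+<dt>Tags</dt>
+<dd class="wrap">{{context.tags.join(', ') || "-"}}</dd>
+
+<dt>Detection</dt>
+<dd class="wrap">{{context.detection || "-"}}</dd>
+</dl>
+</div>
+
+<div ng-if="result.source == 'explore'">
+<dl class="dl-horizontal">
+<dt>Content</dt>
+<dd class="wrap">{{context.content || "-"}}</dd>
+
+<dt>Detection</dt>
+<dd class="wrap">{{context.detection || "-"}}</dd>
+</dl>
+</div>
+
+<div ng-if="result.source == 'malicious-urls'">
+<dl class="dl-horizontal">
+<dt>Risk Level</dt>
+<dd class="wrap">{{context.riskLevel || "-"}}</dd>
+
+<dt>Collector Name</dt>
+<dd class="wrap">{{context['collector-name'] || "-"}}</dd>
+
+<dt>Detection</dt>
+<dd class="wrap">{{context.detection || "-"}}</dd>
+</dl>
+</div>
+</div>
+</div>
+</div>
+</div>
+</div>
+
+<!-- General error -->
+<div class="panel panel-danger" ng-if="!success">
+<div class="panel-heading">
+<strong>Error</strong>
+</div>
+<div class="panel-body">
+{{content.errorMessage}}
+</div>
+</div>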
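Review bot: The per-source `ng-if` guards compare `result.source` against `'ioc-feed'`, `'explore'` and `'malicious-urls'`, while the README's return example in this same PR reports the sources as `IOC_FEED`, `EXPLORE` and `MALICIOUS_URL`; if that example is representative, none of the context sections ever render and the tags, risk level and collector name are silently hidden from the analyst. Align the template with the analyzer's actual output: `<div ng-if="result.source == 'IOC_FEED'">`, `<div ng-if="result.source == 'EXPLORE'">`, `<div ng-if="result.source == 'MALICIOUS_URL'">`. The same example spells the collector field `collectorName`, so `{{context['collector-name'] || "-"}}` likely needs to become `{{context.collectorName || "-"}}`; the `ng-repeat="result in content"` also assumes `content` is the results array, whereas the example nests it under `full.results`, which is worth confirming against a live report. Rendering the externally sourced `content` and `tags` values through `{{ }}` is HTML-escaped by AngularJS, so keep that form rather than switching to `ng-bind-html`.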
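--- a/thehive-templates/Axur_1_0/short.html
+++ b/thehive-templates/Axur_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+{{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>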