diff --git a/.nojekyll b/.nojekyll new file mode 100644 index 000000000..e69de29bb diff --git a/404.html b/404.html new file mode 100644 index 000000000..fedd20e6d --- /dev/null +++ b/404.html @@ -0,0 +1,4471 @@ + + + +
+ + + + + + + + + + + + + + +Copyright (C) 2017-2022 Nabil Adouani
+Copyright (C) 2014-2022 Thomas Franco
+Copyright (C) 2014-2019 Saâd Kadhi
+Copyright (C) 2014-2022 Jérôme Leonard
+ + + + + + + + + + + + + + + + + + + + +Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Merged pull requests:
+ +Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+ +Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+ +Closed issues:
+Merged pull requests:
+ +Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+ +Closed issues:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+Closed issues:
+Merged pull requests:
+ +Closed issues:
+Merged pull requests:
+Closed issues:
+Merged pull requests:
+Closed issues:
+Closed issues:
+* This Changelog was automatically generated by github_changelog_generator
+ + + + + + + + + + + + + + + + + + + + +This guide outlines the steps to take when there is a new release of Cortex-Analyzers so that you can benefit from the new or updated analyzers and responders.
+There are three steps to perform, two of which require user action:
+With TheHive version 5.0.14 and above and Cortex version 3.1.7 and above, Cortex automatically fetches and updates the catalog. As a result, you may receive a notification in TheHive indicating that action is required if there is any new version of an analyzer or responder you are already using.
+This notification can be seen in the bottom left corner of your TheHive interface.
+ +Clicking on it will open a drawer indicating if there are any obsolete analyzers or responders.
+ +When new analyzers or responders are available, please refer to the changelog to review the new additions so you don't miss anything.
+Then, perform the following steps:
+Analyzers or responders become obsolete when a new version is available.
+If you're using TheHive 5, remember to always import the new report templates into your instance. This step is essential for an optimal experience with the updated analyzers and responders. Otherwise, you may encounter issues with the report templates for the new analyzers.
+Refer to the official documentation on how to update Analyzers templates in your TheHive tenant.
+ + + + + + + + + + + + + + + + + + + + + +This guide propose a way to manage your own analyzers without publishing them or installing all dependencies on the host running Cortex.
+Make Cortex know of custom Analyzers and Responders.
+Update the /etc/cortex/application.conf
or add the folders where you store your custom code. Ensure your configuration is similar to:
[..]
+analyzer {
+ # Absolute path where you have pulled the Cortex-Analyzers repository.
+ urls = [
+ "https://download.thehive-project.org/analyzers.json"
+ "/opt/customneurons/analyzers"
+ ]
+
+[..]
+}
+[..]
+responder {
+ urls = [
+ "https://download.thehive-project.org/responders.json"
+ "/opt/customneurons/responders"
+
+]
+[..]
+}
+
See:
+ +To prepare your package you have to write your Dockerfile
. We recommend starting with this one and update it, especially if additional packages or programs are required in the image.
As a result, your program should be at least:
+Analyzer/
+├── analyzer.json #required
+├── analyzer.py #required
+├── README.md #optional
+├── Dockerfile #required
+└── requirements.txt #required
+
A program helps you to manage the build of your private analyzers/responders. You can find it there.
+Download it, and edit the file to adjust few variables:
+#############################
+# VARIABLES TO CUSTOMISE #
+#############################
+## Set the path to your custom analyzers repository (configured in Cortex)
+analyzerspath="/opt/customneurons/analyzers"
+## Set the path to your custom responders repository (configured in Cortex)
+responderspath="/opt/customneurons/responders"
+# Set path to your docker images archives
+dockerimagearchives="/opt/backup-images"
+# Set a name for the docker image registry
+dockerimageregistryname="localhost"
+# Set a name for the docker image repository
+dockerimagerepositoryname="customimage"
+
4 variables should be set:
+analyzerspath
, the path to your custom analyzers repository (it should be the same as in the Cortex configuration)responderspath
, the path to your custom responders repository (it should be the same as in the Cortex configuration)dockerimagearchives
, the path to your docker images archives. Indeed, once built, the program save the docker images in a dedicated folderdockerimageregistryname
, name for the docker image registry. By default this is localhost. Even if you do not have a docker registry, Cortex will ensure to use the local images loaded.dockerimagerepositoryname
, a name for the docker image repository, used in docker image names or tags. customimage
is used by defaultOnce updated, save the file.
+Before running it, there are few requirements:
+jq
(from https://stedolan.github.io/jq/) should be installed in the system. For example, if using Ubuntu or Debian, run the following command: apt install jq
json-spec
should be installed (pip3 install json-spec
)The program has several options.
+Build docker images for Custom analyzers and responders
+
+ Syntax: build-customimage.sh [options]
+
+ options:
+ -h Print this Help.
+ -t type Type: 'analyzer' or 'responder'
+ -b path path to analyzer or responder json file
+
To run it successfully, you need to identify the type of neuron to build, analyzer
or responder
and specify the path to the neurons JSON file.
For example:
+./build-customimage.sh -t analyzer -b /home/dev/PrivateAnalyzer/analyzer.json
+
This will:
+customimage-analyzer:latest
Open Cortex web console, log in as orgadmin
, and refresh Analyzers.
Then your analyzer should appear and be ready to be configured and used as a Docker image.
+ + + + + + + + + + + + + + + + + + + + +README
+AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
+The analyzer comes in only one flavor.
+You need a valid AbuseIPDB API integration subscription to use the analyzer:
+key
parameter.days
parameter to limit temporal range in search+ +
+ +Author: Matteo Lodi
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.abuseipdb.com/
Determine whether an IP was reported or not as malicious by AbuseIPDB
+key | +API key for AbuseIPDB | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days | +Check for IP Reports in the last X days | +
---|---|
Default value if not configured | +30 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
README
+Use CERT-SG's Abuse Finder +to find abuse contacts associated with domain names, URLs, IPs and email addresses.
+The analyzer comes in only one flavor.
+No configuration is required. It can be used out of the box.
+This Analyzer can only be run as a docker container or as process with Python <= 3.6.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - url
+ - mail
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/certsocietegenerale/abuse_finder
Find abuse contacts associated with domain names, URLs, IPs and email addresses.
+No specific configuration required.
+README
+ANY.RUN is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as:
+You need a valid AnyRun API integration subscription to use the analyzer. Free plan does not provide API access.
+token
parameter.privacy_type
parameter.verify_ssl
parameter as false if you connection requires itAnyRun provides a number of parameters that can be modified to do additional/different analysis.
+- Set the "bitness" of your runtime environment with the env_bitness
parameter.
+- Select which version of Windows to use by setting env_version
parameter.
+- Select which products to install by default with env_type
parameter.
+- Enable/disable networking with opt_network_connect
parameter.
+- Enable/disable "FakeNet" with opt_network_fakenet
parameter.
+- Enable/disable the TOR network with opt_network_tor
parameter.
+- Enable/disable MITM for https connections with opt_network_mitm
parameter.
+- Need a specific geolocation? use opt_network_geo
parameter.
+- Need to analyze something with evasion tactics? opt_kernel_heavyevasion
+- Change the timeout settings with opt_timeout
parameter.
+- Select which folder the analysis starts in with obj_ext_startfolder
parameter.
+- Select which browser to use for analysis with obj_ext_browser
parameter.
Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - file
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://any.run/
Any.Run Sandbox file analysis
+token | +API token | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
privacy_type | +Define the privacy setting (Allowed values: public, bylink, owner) | +
---|---|
Default value if not configured | +bylink | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verify_ssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
env_bitness | +default OS bitness; 32 or 64 | +
---|---|
Default value if not configured | +32 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
env_version | +Which version of Windows do you want to use by default? allowed values: "vista", "7", "8.1", "10" | +
---|---|
Default value if not configured | +7 | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
env_type | +How much do you want pre-installed in the runtime environment? allowed values: "clean", "office", "complete" | +
---|---|
Default value if not configured | +complete | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_network_connect | +Do you want to disable networking? set false to disable | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_network_fakenet | +FakeNet feature status; set true to enable. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_network_tor | +TOR using. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +Boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_network_mitm | +HTTPS MITM proxy option. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +Boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_network_geo | +Geo location option. Allowed values: "fastest", "AU", "BR", "DE", "CH", "FR", "KR", "US", "RU", "GB", "IT" | +
---|---|
Default value if not configured | +fastest | +
Type of the configuration item | +String | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_kernel_heavyevasion | +Heavy evasion option. Default value: false | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +Boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
opt_timeout | +Timeout option. Size range: 10-660 | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +Number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
obj_ext_startfolder | +Start object from. Allowed values: "desktop", "home", "downloads", "appdata", "temp", "windows", "root" | +
---|---|
Default value if not configured | +temp | +
Type of the configuration item | +String | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
obj_ext_browser | +Choose which browser to use. Allowed values: "Google Chrome", "Mozilla Firefox", "Opera", "Internet Explorer" | +
---|---|
Default value if not configured | +Internet Explorer | +
Type of the configuration item | +String | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search samples in Autofocus with a full search query in JSON
+apikey | +Autofocus API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - user-agent
+ - imphash
+ - ip
+ - mutex
+ - tag
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search samples in Autofocus based on a single IOC
+apikey | +Autofocus API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get full analysis from a sample based on its hash
+apikey | +Autofocus API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: brandon@backscatter.io
+License: APLv2
+Version: 1.0
+Supported observables types:
+ - ip
+ - network
+ - autonomous-system
+ - port
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Enrich values using Backscatter.io data.
+key | +API key for Backscatter.io | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: brandon@backscatter.io
+License: APLv2
+Version: 1.0
+Supported observables types:
+ - ip
+ - network
+ - autonomous-system
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Determine whether a value has known scanning activity using Backscatter.io data.
+key | +API key for Backscatter.io | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+AIR is an "Automated Incident Response" platform that provides the complete feature set for:
+This responder lets you start acquisition and isolation of an endpoint with Binalyze AIR.
+One of the core features of AIR is collecting evidence remotely. This feature is made possible by "Acquisition Profiles," a group of different evidence categories. With this integration, you can use following profiles:
+Endpoint isolation works by terminating all connections of an endpoint and not allowing any new connections. +When an endpoint is isolated, you can still perform tasks such as Acquisition.
+For more information, please refer to Knowledge Base +The program uses Binalyze AIR API
++ +
+ +Author: Binalyze Integration Team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - thehive:case_artifact
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.binalyze.com/air
Isolate your endpoints with Binalyze AIR.
+air_console_url | +Console URL | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
air_api_key | +API Key, | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
endpoint_hostname | +Endpoint Hostname | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
isolation | +Isolation operation | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
++ +
+ +Author: Binalyze Integration Team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - thehive:case_artifact
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.binalyze.com/air
Start an acquisition with Binalyze AIR.
+air_console_url | +Console URL | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
air_api_key | +API Key, | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
endpoint_hostname | +Endpoint Hostname | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
acquisition_name | +Acquisition name should match with the AIR console. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - btc_address
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check Bitcoin address against Bitcoin Abuse database
+key | +API key for Bitcoin Abuse | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: etz69
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query C1fApp OSINT Aggregator for IPs, domains and URLs
+url | +URL of C1fApp service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Checks CERT.at Passive DNS for a given domain.
+limit | +Define the maximum number of results per request | +
---|---|
Default value if not configured | +100 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + ++ +
+ +Author: Mikael Keri
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://hashlookup.circl.lu/
CIRCL hashlookup uses a public API to lookup hash values against databases of known good files
+No specific configuration required.
+README
+Check CIRCL's Passive DNS for a + given domain.
+This analyzer comes in only one flavor.
+Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg +and abroad. Contact CIRCL if you would like +access. Include your affiliation and the foreseen use of the Passive DNS +data.
+If the CIRCL positively answers your access request, you'll obtain a username + and password which are needed to make the analyzer work.
+supply your username as the value for the user
parameter and your password
+as the value for the password
parameter.
+ +
+ +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - url
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.circl.lu/services/passive-dns/
Check CIRCL's Passive DNS for a given domain or URL.
+user | +Username | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
password | +Password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+Check CIRCL's Passive SSL +service for a given IP address or certificate hash.
+This analyzer comes in only one flavor.
+Access to CIRCL Passive SSL is allowed to partners including security +researchers or incident analysts worldwide. Contact CIRCL +if you would like access.
+If the CIRCL positively answers your access request, you'll obtain a username + and password which are needed to make the analyzer work.
+Supply your username as the value for the user
parameter and your password
+as the value for the password
parameter.
+ +
+ +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - certificate_hash
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.circl.lu/services/passive-ssl/
Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash.
+user | +Username | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
password | +Password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. elections offices.
+Malicious Code Analysis Platform (MCAP) is a no-cost web-based sandbox which enables MS-ISAC and EI-ISAC members to submit suspicious files such as executables, DLLs, documents, quarantine files, and archives for analysis in a controlled and non-public fashion. The platform also enables users to perform threat analysis based on domain, IP address, URL, hashes, and various Indicators of Compromise (IOCs).
+This analyzer allows you to submit a variety of observables to MCAP to analyze files or check feeds for known indicators of compromise for other data types.
+To read more, visit https://www.cisecurity.org/ms-isac
++ +
+ +Author: Joe Lazaro
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - hash
+ - url
+ - domain
+ - fqdn
+ - file
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://www.cisecurity.org/ms-isac/services
Malicious Code Analysis Platform (MCAP) by the Center for Internet Security (CIS). Submit files for analysis or check feeds for known indicators of compromise for other data types.
+key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
private_samples | +Submitted samples will not be shared with other members of the portal | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
minimum_confidence | +Restrict to IOCs with this confidence score or higher. | +
---|---|
Default value if not configured | +80 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
minimum_severity | +Restrict to IOCs with this severity score or higher. | +
---|---|
Default value if not configured | +80 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
polling_interval | +Interval (seconds) between requests for sample status. | +
---|---|
Default value if not configured | +120 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_sample_result_wait | +Maximum time to retry requests for sample status. | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Wes Lambert; nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/mandiant/capa
Analyze files with Capa
+capa_path | +Path to Capa binary (if installed locally, should be /opt/Cortex-Analyzers/analyzers/Capa/capa) | +
---|---|
Default value if not configured | +/worker/Capa/capa | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+Censys is a platform that helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet. Regularly probes every public IP address and popular domain names, curate and enrich the resulting data, and make it intelligible through an interactive search engine and API.
+You need a valid Censys API integration subscription to use the analyzer.
+uid
parameter.key
parameter.+ +
+ +Author: Nils Kuhnert, CERT-Bund; nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - hash
+ - domain
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://censys.io/
Check IPs, certificate hashes or domains against censys.io.
+uid | +UID for Censys | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
max_records | +Maximum number of records for domains | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - string
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: https://checkphish.ai
Check url address via CheckPhish using jobID returned from CheckPhish_Submit
+key | +Api key for CheckPhish | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: https://checkphish.ai
Submit url address to CheckPhish
+key | +Api key for CheckPhish | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Brian Laskowski
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use Clamscan with custom rules
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Check CrowdSec Threat Intelligence about an ip address.
+For further information, please consult the official documentation.
+Running the analyzer will expose the result as taxonomies in the short report displayed in the ip observable.
+ +The raw report contains the whole json response from CrowdSec.
+e.g.:
+{
+ "ip": "192.42.116.218",
+ "reputation": "malicious",
+ "ip_range": "192.42.116.0/22",
+ "background_noise": "high",
+ "confidence": "high",
+ "background_noise_score": 10,
+ "ip_range_score": 5,
+ "as_name": "SURF B.V.",
+ "as_num": 1101,
+ "ip_range_24": "192.42.116.0/24",
+ "ip_range_24_reputation": "malicious",
+ "ip_range_24_score": 5,
+ "location": {
+ "country": "NL",
+ "city": null,
+ "latitude": 52.3824,
+ "longitude": 4.8995
+ },
+ "reverse_dns": "44.tor-exit.nothingtohide.nl",
+ "behaviors": [
+ {
+ "name": "tcp:scan",
+ "label": "TCP Scan",
+ "description": "IP has been reported for performing TCP port scanning.",
+ "references": [],
+ "$$hashKey": "object:984"
+ },
+ {
+ "name": "http:bruteforce",
+ "label": "HTTP Bruteforce",
+ "description": "IP has been reported for performing a HTTP brute force attack (either generic HTTP probing or applicative related brute force).",
+ "references": [],
+ "$$hashKey": "object:985"
+ },
+ {
+ "name": "http:exploit",
+ "label": "HTTP Exploit",
+ "description": "IP has been reported for attempting to exploit a vulnerability in a web application.",
+ "references": [],
+ "$$hashKey": "object:986"
+ },
+ {
+ "name": "http:scan",
+ "label": "HTTP Scan",
+ "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery.",
+ "references": [],
+ "$$hashKey": "object:987"
+ },
+ {
+ "name": "http:spam",
+ "label": "Web form spam",
+ "description": "IP has been reported trying to perform spam via web forms/forums.",
+ "references": [],
+ "$$hashKey": "object:988"
+ },
+ {
+ "name": "generic:exploit",
+ "label": "Exploitation attempt",
+ "description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocols.",
+ "references": [],
+ "$$hashKey": "object:989"
+ },
+ {
+ "name": "ssh:bruteforce",
+ "label": "SSH Bruteforce",
+ "description": "IP has been reported for performing brute force on ssh services.",
+ "references": [],
+ "$$hashKey": "object:990"
+ }
+ ],
+ "history": {
+ "first_seen": "2022-12-26T01:15:00+00:00",
+ "last_seen": "2024-07-31T10:00:00+00:00",
+ "full_age": 585,
+ "days_age": 584
+ },
+ "classifications": {
+ "false_positives": [],
+ "classifications": [
+ {
+ "name": "proxy:tor",
+ "label": "TOR exit node",
+ "description": "IP is being flagged as a TOR exit node.",
+ "references": [],
+ "$$hashKey": "object:1021"
+ },
+ {
+ "name": "crowdsec:ai_vpn_proxy",
+ "label": "VPN or Proxy",
+ "description": "IP is identified as a VPN or a Proxy by CrowdSec AI Detection Algorithm.",
+ "references": [],
+ "$$hashKey": "object:1022"
+ },
+ {
+ "name": "community-blocklist",
+ "label": "CrowdSec Community Blocklist",
+ "description": "IP belongs to the CrowdSec Community Blocklist",
+ "$$hashKey": "object:1023"
+ }
+ ]
+ },
+ "attack_details": [
+ {
+ "name": "firewallservices/pf-scan-multi_ports",
+ "label": "PF Scan Multi Ports",
+ "description": "ban IPs that are scanning us",
+ "references": [],
+ "$$hashKey": "object:1027"
+ },
+ {
+ "name": "crowdsecurity/http-path-traversal-probing",
+ "label": "HTTP Path Traversal Exploit",
+ "description": "Detect path traversal attempt",
+ "references": [],
+ "$$hashKey": "object:1028"
+ },
+ {
+ "name": "crowdsecurity/grafana-cve-2021-43798",
+ "label": "CVE-2021-43798",
+ "description": "Detect cve-2021-43798 exploitation attemps",
+ "references": [],
+ "$$hashKey": "object:1029"
+ },
+ {
+ "name": "crowdsecurity/http-admin-interface-probing",
+ "label": "HTTP Admin Interface Probing",
+ "description": "Detect generic HTTP admin interface probing",
+ "references": [],
+ "$$hashKey": "object:1030"
+ },
+ {
+ "name": "crowdsecurity/http-open-proxy",
+ "label": "HTTP Open Proxy Probing",
+ "description": "Detect scan for open proxy",
+ "references": [],
+ "$$hashKey": "object:1031"
+ },
+ {
+ "name": "crowdsecurity/http-cve-probing",
+ "label": "HTTP CVE Probing",
+ "description": "Detect generic HTTP cve probing",
+ "references": [],
+ "$$hashKey": "object:1032"
+ },
+ {
+ "name": "LePresidente/http-generic-403-bf",
+ "label": "HTTP Bruteforce",
+ "description": "Detect generic 403 Forbidden (Authorization) error brute force",
+ "references": [],
+ "$$hashKey": "object:1033"
+ },
+ {
+ "name": "crowdsecurity/http-sqli-probbing-detection",
+ "label": "SQL Injection Attempt",
+ "description": "A scenario that detects SQL injection probing with minimal false positives",
+ "references": [],
+ "$$hashKey": "object:1034"
+ },
+ {
+ "name": "crowdsecurity/http-sensitive-files",
+ "label": "Access to sensitive files over HTTP",
+ "description": "Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",
+ "references": [],
+ "$$hashKey": "object:1035"
+ },
+ {
+ "name": "crowdsecurity/http-bad-user-agent",
+ "label": "Bad User Agent",
+ "description": "Detect usage of bad User Agent",
+ "references": [],
+ "$$hashKey": "object:1036"
+ },
+ {
+ "name": "crowdsecurity/suricata-major-severity",
+ "label": "Suricata Severity 1 Event",
+ "description": "Detect exploit attempts via emerging threat rules",
+ "references": [],
+ "$$hashKey": "object:1037"
+ },
+ {
+ "name": "crowdsecurity/ssh-bf",
+ "label": "SSH Bruteforce",
+ "description": "Detect ssh bruteforce",
+ "references": [],
+ "$$hashKey": "object:1038"
+ },
+ {
+ "name": "crowdsecurity/apache_log4j2_cve-2021-44228",
+ "label": "Log4j CVE-2021-44228",
+ "description": "Detect cve-2021-44228 exploitation attemps",
+ "references": [],
+ "$$hashKey": "object:1039"
+ },
+ {
+ "name": "crowdsecurity/http-bf-wordpress_bf_xmlrpc",
+ "label": "WP XMLRPC bruteforce",
+ "description": "detect wordpress bruteforce on xmlrpc",
+ "references": [],
+ "$$hashKey": "object:1040"
+ },
+ {
+ "name": "crowdsecurity/ssh-slow-bf",
+ "label": "SSH Slow Bruteforce",
+ "description": "Detect slow ssh bruteforce",
+ "references": [],
+ "$$hashKey": "object:1041"
+ },
+ {
+ "name": "crowdsecurity/http-bf-wordpress_bf",
+ "label": "WordPress Bruteforce",
+ "description": "Detect WordPress bruteforce on admin interface",
+ "references": [],
+ "$$hashKey": "object:1042"
+ },
+ {
+ "name": "crowdsecurity/http-wordpress_wpconfig",
+ "label": "Access to WordPress wp-config.php",
+ "description": "Detect WordPress probing: variations around wp-config.php by wpscan",
+ "references": [],
+ "$$hashKey": "object:1043"
+ },
+ {
+ "name": "crowdsecurity/http-xss-probbing",
+ "label": "XSS Attempt",
+ "description": "A scenario that detects XSS probing with minimal false positives",
+ "references": [],
+ "$$hashKey": "object:1044"
+ },
+ {
+ "name": "crowdsecurity/modsecurity",
+ "label": "Modsecurity Alert",
+ "description": "Web exploitation via modsecurity",
+ "references": [],
+ "$$hashKey": "object:1045"
+ },
+ {
+ "name": "crowdsecurity/http-probing",
+ "label": "HTTP Probing",
+ "description": "Detect site scanning/probing from a single ip",
+ "references": [],
+ "$$hashKey": "object:1046"
+ }
+ ],
+ "target_countries": {
+ "US": 38,
+ "DE": 20,
+ "JP": 10,
+ "FR": 8,
+ "GB": 7,
+ "NL": 5,
+ "PL": 3,
+ "CA": 2,
+ "RU": 2,
+ "DK": 2
+ },
+ "mitre_techniques": [
+ {
+ "name": "T1595",
+ "label": "Active Scanning",
+ "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting.",
+ "references": [],
+ "$$hashKey": "object:1009"
+ },
+ {
+ "name": "T1018",
+ "label": "Remote System Discovery",
+ "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.",
+ "references": [],
+ "$$hashKey": "object:1010"
+ },
+ {
+ "name": "T1046",
+ "label": "Network Service Discovery",
+ "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.",
+ "references": [],
+ "$$hashKey": "object:1011"
+ },
+ {
+ "name": "T1110",
+ "label": "Brute Force",
+ "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.",
+ "references": [],
+ "$$hashKey": "object:1012"
+ },
+ {
+ "name": "T1190",
+ "label": "Exploit Public-Facing Application",
+ "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.",
+ "references": [],
+ "$$hashKey": "object:1013"
+ },
+ {
+ "name": "T1589",
+ "label": "Gather Victim Identity Information",
+ "description": "Adversaries may gather information about the victim's identity that can be used during targeting.",
+ "references": [],
+ "$$hashKey": "object:1014"
+ }
+ ],
+ "cves": [
+ "CVE-2021-43798",
+ "CVE-2021-44228"
+ ],
+ "scores": {
+ "overall": {
+ "aggressiveness": 5,
+ "threat": 4,
+ "trust": 5,
+ "anomaly": 1,
+ "total": 5
+ },
+ "last_day": {
+ "aggressiveness": 5,
+ "threat": 4,
+ "trust": 5,
+ "anomaly": 1,
+ "total": 5
+ },
+ "last_week": {
+ "aggressiveness": 5,
+ "threat": 4,
+ "trust": 5,
+ "anomaly": 1,
+ "total": 5
+ },
+ "last_month": {
+ "aggressiveness": 5,
+ "threat": 4,
+ "trust": 5,
+ "anomaly": 1,
+ "total": 5
+ }
+ },
+ "references": [
+ {
+ "name": "list:crowdsec_high_background_noise",
+ "label": "CrowdSec High Background Noise List",
+ "description": "Contains all IPs in our database that are considered as background noise. These IPs are not necessarily malicious, but they are considered as a potential threat. Proactively block these IPs if you want to reduce the noise on your systems.",
+ "references": [],
+ "$$hashKey": "object:1077"
+ },
+ {
+ "name": "list:crowdsec_intelligence_blocklist",
+ "label": "CrowdSec Intelligence List",
+ "description": "Contains all IPs in our database that have been identified as actively aggressive, performing a wide variety of attacks. Proactively block these IPs if you don’t want to take any chances with malicious IPs potentially reaching your systems.",
+ "references": [],
+ "$$hashKey": "object:1078"
+ },
+ {
+ "name": "list:firehol_botscout_7d",
+ "label": "Firehol BotScout list",
+ "description": "BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. This list is composed of the most recently-caught bots.",
+ "references": [
+ "https://iplists.firehol.org/?ipset=botscout_7d"
+ ],
+ "$$hashKey": "object:1079"
+ }
+ ]
+}
+
Provide a CrowdSec CTI Api key
+as a value for the api_key
parameter.
+ +
+ +Author: CERT-ARKEA
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.crowdsec.net/product/threat-intelligence
Query Crowdsec API
+api_key | +Crowdsec API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_reputation | +Create taxonomy for reputation | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_as_name | +Create taxonomy for AS name | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_ip_range_score | +Create taxonomy for IP range score | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_last_seen | +Create taxonomy for last seen date | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_attack_details | +Create taxonomy for attack details | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_behaviors | +Create taxonomy for behaviors | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_mitre_techniques | +Create taxonomy for mitre techniques | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_cves | +Create taxonomy for cves | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
taxonomy_not_found | +Create taxonomy for not found IP | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
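Review bot: The example raw report in the CrowdSec README is not the API response it claims to be: every object under `behaviors`, `classifications`, `attack_details`, `mitre_techniques` and `references` carries an entry such as `"$$hashKey": "object:984"`, which is AngularJS view-model bookkeeping added by the Cortex UI when it renders the report, not a field returned by the CrowdSec CTI API. The sample was evidently copied out of the browser rather than from the analyzer output. Strip those keys from the example so readers parsing the analyzer's JSON do not look for them, and consider trimming the example to a few representative entries since the full dump adds little beyond the first item of each list.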
README
+This documentation covers the setup and usage of CrowdStrike Falcon analyzers for retrieving device information, vulnerabilities and alerts linked to a given hostname observable, as well as performing file analysis using the CrowdStrike Falcon Sandbox.
+To use these analyzers, you must have the following configured in your CrowdStrike Falcon tenant:
+getDeviceDetails
and getDeviceVulnerabilities
).getDeviceVulnerabilities
).getDeviceAlerts
).Falcon Sandbox
).Hosts: Read
Displays basic details such as: +- Vendor +- OS version +- Agent status +- Last user logged in
+ +Provides detailed information about the device.
+ +Hosts: Read
, Vulnerabilities: Read
Displays the number of vulnerabilities linked to the hostname.
+ +Provides a detailed list of vulnerabilities with contextual information.
+ +Alerts: Read
Displays the number of alerts linked to the hostname.
+ +Provides a detailed list of alerts with contextual information.
+ +Sandbox (Falcon Intelligence): Read, Write
List of analyzers:
+
Configuration interface:
+
Displays whether the analyzed file is considered: +- Safe (green) +- Suspicious (orange) +- Malicious (red)
+ +Provides a detailed analysis of the file.
+ +For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources: +- CrowdStrike Falcon Hosts API +- CrowdStrike Falcon Vulnerabilities API +- CrowdStrike Falcon Alerts API +- CrowdStrike Falcon Sample Uploads API +- CrowdStrike Falcon Sandbox API
+Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hostname
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Get Device alerts from Crowdstrike Falcon
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
alert_fields | +Fields to return for each invidividual alerts | +
---|---|
Default value if not configured | +['timestamp', 'description', 'status', 'user_name', 'severity', 'severity_name', 'scenario', 'filename', 'filepath', 'confidence', 'cmdline'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
days_before | +Only query alerts from the past X days. | +
---|---|
Default value if not configured | +30 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hostname
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Get device information from Crowdstrike Falcon
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Send a file to CrowdstrikeFalcon Sandbox
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
network_settings | +Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
action_script | +Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | +
---|---|
Default value if not configured | +default | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hostname
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Get device vulnerabilities from hostname
+client_id | +Crowdstrike client ID key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_secret | +Crowdstrike client secret key | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
vuln_fields | +Specific field values to keep in resulting payload for vulnerabilities | +
---|---|
Default value if not configured | +['vulnerability_id', 'status', 'created_timestamp', 'updated_timestamp', 'apps.product_name_version', 'confidence', 'cve', 'host_info.asset_criticality', 'host_info.internet_exposure', 'remediation.entities.action'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
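Review bot: The `Send a file to CrowdstrikeFalcon Sandbox` entry is emitted eight times in a row with identical author, version, observable type and the same four configuration items, so the generated page gives readers no way to tell the entries apart; either the generator dropped the distinguishing flavour name or the source catalogue lists the same analyzer repeatedly. Collapse them to one entry or carry the flavour name into each. Separately, `client_id` and `client_secret` show `Default value if not configured | __` where every other analyzer uses `N/A`; a placeholder that reads as a real default is misleading for credentials, since a user who leaves it unset will see the `__` string sent as the client ID rather than a clear configuration error. The `alert_fields` description also has a typo (`invidividual`).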
README
+Crtsh is a platform that permits you search for certificates that have been logged by CT.
+It does not require any requirements.
++ +
+ +Author: crackytsi
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://crt.sh/
Query domains against the certificate transparency lists available at crt.sh.
+No specific configuration required.
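Review bot: The Crtsh entry contradicts itself: the README states `It does not require any requirements.` and `No specific configuration required.`, yet the metadata lists `Registration required: True` and `Subscription required: True`. crt.sh is a public certificate transparency search that is queried without an account, so these flags look copied from another analyzer; set them to False so users do not go looking for credentials that do not exist.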
+README
+CuckooSandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities.
+The analyzer comes in two different flavour to analzye url or file with internet access.
+You need to have your cuckoosandox deployed in your infrastructure. You can download it and follow installation instructions.
+The address of the machine must be se as url
parameter and relative token as the value for the token
parameter.
+Depending on your network configuration you can configure verifyssl
and cert_path
accordingly.
+ +
+ +Author: Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.2
+Supported observables types:
+ - url
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://cuckoosandbox.org/
Cuckoo Sandbox URL analysis.
+url | +URL | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
token | +API token | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
verifyssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_path | +Path to the CA on the system used to check server certificate | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.2
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://cuckoosandbox.org/
Cuckoo Sandbox file analysis with Internet access.
+url | +URL | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
token | +API token | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
verifyssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_path | +Path to the CA on the system used to check server certificate | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
README
CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hex dumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
The analyzer comes in three flavours, which convert an observable from Base64, hex or CharCode.
You need to deploy CyberChef-server on your infrastructure. Its URL must be set as the url parameter; the default value shown below is a placeholder on a private address over plain HTTP, so replace it with the address of your own server.
Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/gchq/CyberChef-server
Convert Base64 with CyberChef Server
+url | +CyberChef Server URL | +
---|---|
Default value if not configured | +http://192.168.1.178:3000/ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/gchq/CyberChef-server
Convert Char Code with CyberChef Server
+url | +CyberChef Server URL | +
---|---|
Default value if not configured | +http://192.168.1.178:3000/ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/gchq/CyberChef-server
Convert Hex with CyberChef Server
+url | +CyberChef Server URL | +
---|---|
Default value if not configured | +http://192.168.1.178:3000/ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
The cybercrime-tracker.net site is dedicated to tracking the C&C servers of botnets. It is used as a source for many IP and domain blacklists.
No configuration is required.
Author: ph34tur3
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+ - url
+ - other
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://cybercrime-tracker.net/
Search cybercrime-tracker.net for C2 servers.
+No specific configuration required.
README
Cyberprotect collects more than 500 million network events per day and enriches them by running them through analysis engines (behavioural analysis, sandboxes, threat feeds, etc.).
No configuration is required.
Author: Rémi Allain, Cyberprotect
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - domain
+ - hash
+ - ip
+ - url
+ - user-agent
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://console.threatscore.cyberprotect.cloud/
ThreatScore is a cyber threat scoring system provided by Cyberprotect
+No specific configuration required.
README
Cylance hash lookup lets you find possibly infected clients of yours by querying a SHA256 hash. The response includes information about the matching sample(s) along with information about the affected clients.
Sadly, although the response data contains an MD5 hash, the API only allows you to query with a SHA256.
Author: Mikael Keri
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.blackberry.com/
Search for a specific hash; if there is a match, return the corresponding client information.
+ten_id | +Tenant ID | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
app_id | +App ID | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
app_secret | +App Secret | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
region | +Portal region: NA, US, APN, JP, APS, AU, EU, GOV, SA, SP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DNSDB to fetch historical records for a fully-qualified domain name.
+server | +DNSDB server name | +
---|---|
Default value if not configured | +https://api.dnsdb.info | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DNSDB to fetch historical records for an IP address.
+server | +DNSDB server name | +
---|---|
Default value if not configured | +https://api.dnsdb.info | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DNSDB to fetch historical records for a domain.
+server | +DNSDB server name | +
---|---|
Default value if not configured | +https://api.dnsdb.info | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
README
Look up domain names from different locations using the ISC SANS DNS Lookingglass API service.
There are no requirements to use this analyzer.
Author: Dennis Perto, Conscia
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://isc.sans.edu/
Query the SANS ISC Global DNS Lookingglass API to check a domain name for resolved IP addresses.
+No specific configuration required.
+Author: Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check whether a domain is sinkholed by querying a DNS sinkhole server and comparing the answer with the sinkhole address.
+ip | +Define the DNS Sinkhole Server IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
sink_ip | +Define the sinkholed response address IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
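The check behind the two parameters above (ip, the sinkhole server to ask; sink_ip, the address a sinkholed name resolves to) can be written with nothing but the standard library. The block below is an added example, not the analyzer's code: it builds a DNS A query, sends it to the configured server over UDP, parses the A records out of the reply (following name-compression pointers) and reports whether sink_ip is among them. A constructed reply builder is included so the parser can be exercised offline; the domain and addresses in it are made up. It only handles A records over UDP, which is what a sinkhole check needs, and ignores truncated replies.

```python
import random
import socket
import struct


def build_a_query(name, txn_id):
    """Wire-format query: header with RD set and one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it in the stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_a_answers(msg, txn_id):
    """A-record addresses from a reply; empty for NXDOMAIN/SERVFAIL (rcode != 0)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch; possible spoofed reply")
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def is_sinkholed(answers, sink_ip):
    return sink_ip in answers


def check_domain(domain, server_ip, sink_ip, timeout=3.0):
    """Live check (network; not exercised offline): ask the sinkhole server directly."""
    txn = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(domain, txn), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    answers = parse_a_answers(data, txn)
    return {"domain": domain, "answers": answers, "sinkholed": is_sinkholed(answers, sink_ip)}


def build_a_response(query, addrs, rcode=0):
    """Constructed reply for offline tests: echoes the question and adds one A record
    per address, each pointing back at the question name with a 0xC00C pointer."""
    txn = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_a_query("bad.example", 0x1234)           # made-up domain
    reply = build_a_response(q, ["10.0.0.66"])          # made-up sinkhole address
    print(parse_a_answers(reply, 0x1234), is_sinkholed(parse_a_answers(reply, 0x1234), "10.0.0.66"))
```

The query has to go to the sinkhole server itself (the ip parameter), not to the local recursive resolver: a recursive resolver that is not configured with the sinkhole zone will return the real address and the domain will look clean.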
README
This analyzer calls the DNSdumpster service to enrich domain information.
Nothing special: it needs no API key or credentials. Just enable it and use it.
+Author: Keijo Korte - @korteke
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://dnsdumpster.com
Query domain information from DNSdumpster.com.
+No specific configuration required.
+No template samples to display.
README
DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends.
The analyzer has a single flavour, which returns information about the submitted IP address.
+No configuration is required.
Author: Xavier Xavier, SANS ISC
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://isc.sans.edu/
Query the SANS ISC DShield API to check for an IP address reputation.
+No specific configuration required.
++ +
+ +Author: Ignacio Rodriguez Paez
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://diario.elevenpaths.com/
Get the latest Diario report for a file or hash.
+client_id | +Client id for Diario | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
secret | +Secret for Diario | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: Ignacio Rodriguez Paez
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://diario.elevenpaths.com/
Use Diario to scan a file, it can be DOC, XLS, PPTX or PDF.
+client_id | +Client id for Diario | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
secret | +Secret for Diario | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: torsolaso
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: N/A
DomainMailSPFDMARC
+No specific configuration required.
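The analyzer above looks at the SPF and DMARC records of a domain; the page does not say how it scores them, so the block below is an added example of what a practitioner checks in those records, not the analyzer's own logic. It parses an SPF TXT record and a DMARC record (published at _dmarc.<domain>), counts the DNS-lookup terms that RFC 7208 caps at 10, and flags the settings that let spoofed mail through: a +all or ?all terminator, a softfail ~all, a missing all, DMARC p=none, a partial pct, and no rua= reporting address. The records in the usage line are constructed; fetching them over DNS is left out so the code runs offline.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(txt):
    """Return {'all': qualifier or None, 'lookups': n, 'terms': [...]} or None if not SPF."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    rec = {"all": None, "lookups": 0, "terms": []}
    for term in txt.split()[1:]:
        qualifier = "+"                           # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        rec["terms"].append((qualifier, term))
        if name == "all":
            rec["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            rec["lookups"] += 1
    return rec


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """Findings a defender cares about: each string names a way spoofed mail gets through."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no valid SPF record (v=spf1)")
    else:
        if spf["all"] in ("+", "?"):
            findings.append("SPF '%sall' lets any sender pass" % spf["all"])
        elif spf["all"] == "~":
            findings.append("SPF ends with ~all (softfail); -all rejects instead")
        elif spf["all"] is None:
            findings.append("SPF has no all mechanism; unlisted senders get neutral")
        if spf["lookups"] > 10:
            findings.append("SPF needs %d DNS lookups; RFC 7208 allows 10, beyond that permerror"
                            % spf["lookups"])
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no valid DMARC record (v=DMARC1)")
    else:
        p = dmarc.get("p")
        if p is None:
            findings.append("DMARC p tag missing (required)")
        elif p == "none":
            findings.append("DMARC p=none: monitoring only, failing mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so no aggregate reports arrive")
        pct = dmarc.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            findings.append("DMARC pct=%s: policy applied to only part of the mail stream" % pct)
    return {"spf": spf, "dmarc": dmarc, "findings": findings}


if __name__ == "__main__":
    # Constructed records for a made-up domain.
    print(assess("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")["findings"])
    print(assess("v=spf1 a mx include:a.example include:b.example +all",
                 "v=DMARC1; p=none")["findings"])
```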
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - mail
+ - ip
+ - domain
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a list of IP addresses which share the same registrant information.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a risk score and evidence details on a domain or fqdn
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a list of domain names sharing the same IP address.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get the ownership record for an IP address or a domain without parsing.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - mail
+ - ip
+ - domain
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a list of domain names which share the same registrant information.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a list of domain names that share the same primary or secondary name server.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a list of historical Whois records associated with a domain name.
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use DomainTools to get a reputation score on a domain or fqdn
+username | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
README
Look up domain names, IP addresses, e-mail addresses and SSL hashes using the popular DomainTools Iris service API.
The analyzer comes in 2 flavors: one investigates a domain, the other pivots on an SSL hash, IP address or e-mail address.
You need a valid DomainTools API integration subscription to use the analyzer: provide your DomainTools username as the username parameter and your API key as the key parameter. Optionally set the pivot_count_threshold parameter to highlight any item whose pivot count is below that value as being of interest in the report template.
Author: DomainTools
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.domaintools.com
Use DomainTools Iris API to investigate a domain.
+username | +DomainTools Iris API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools Iris API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
pivot_count_threshold | +Pivot count threshold. | +
---|---|
Default value if not configured | +500 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: DomainTools
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - ip
+ - mail
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.domaintools.com
Use DomainTools Iris API to pivot on ssl_hash, ip, or email.
+username | +DomainTools Iris API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +DomainTools Iris API credentials | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Joe Lazaro
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - filename
+Registration required: True
+Subscription required: False
+Free subscription: True
+Third party service: https://www.echotrail.io/
EchoTrail Insights takes a Windows filename or hash and provides several unique pieces of analytical context including prevalence & rank scores, process ancestry, behavioral analysis, and security analysis.
+key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
EclecticIQ is a cyber threat intelligence platform which provides aggregation and analysis capabilities for threat intelligence data and integration with organization assets.
The analyzer comes in one flavour: it looks for an observable in the platform and returns any parent entities and their context.
The EclecticIQ analyzer requires access to an EclecticIQ Intelligence Center instance.
The following parameters configure each instance:
 - name: a label for the instance (optional)
 - url: URL of the instance, e.g. "https://intel-platform.local"
 - key: API key for a user of the EclecticIQ Intelligence Center instance
 - cert_check: whether to verify the server certificate (defaults to True; turning it off exposes the API key to anyone who can intercept the connection)
Author: BW
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.eclecticiq.com
Query EclecticIQ Intelligence Center for a specific observable.
+name | +Name of EclecticIQ instance | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
url | +URL of EclecticIQ instance | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key for EclecticIQ instance | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_check | +Verify server certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
Author: Nick Prokop
+License: MIT
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - ip
+ - hash
+ - filename
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search for IoCs in Elasticsearch
+endpoints | +Define the Elasticsearch endpoints | +
---|---|
Default value if not configured | +['http://127.0.0.1:9200'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
keys | +Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
users | +Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
passwords | +Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
kibana | +Define the kibana address | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
dashboard | +Set the kibana dashboard id that will be linked in the report | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
index | +Define the Elasticsearch indices to use | +
---|---|
Default value if not configured | +['apm-*-transaction*', 'auditbeat-*', 'endgame-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
field | +Define the fields to query | +
---|---|
Default value if not configured | +['destination.ip', 'dll.hash.md5', 'dll.hash.sha256', 'dns.question.name', 'dns.resolved_ip', 'file.hash.md5', 'file.hash.sha256', 'file.name', 'hash.md5', 'hash.sha256', 'process.args', 'process.hash.md5', 'process.hash.sha256', 'process.parent.hash.md5', 'process.parent.hash.sha256', 'source.ip', 'url.domain', 'url.full'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
size | +Define the number of hits per index to return | +
---|---|
Default value if not configured | +10 | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verifyssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_path | +Path to the CA on the system used to check server certificate | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
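Two things in the configuration above deserve a worked example: the parallel endpoints/keys/users/passwords lists with the rule "use api key or basic auth, but not both", and the query that has to run one observable across fields of different types (ip, keyword, text). The block below is an added example, not the analyzer's own code. It validates the credential lists and pairs each endpoint with its Authorization header (assuming, as the Elasticsearch API-key scheme requires, that each configured key is the base64 id:api_key value the key API returned), narrows the default field list to the fields that can hold the observable's type, and builds a multi_match body with lenient set so a non-IP value does not error on ip-typed fields. The endpoints, users and keys in the usage line are made up.

```python
import base64

# The analyzer's default field list, as shown in its configuration table.
DEFAULT_FIELDS = [
    "destination.ip", "dll.hash.md5", "dll.hash.sha256", "dns.question.name",
    "dns.resolved_ip", "file.hash.md5", "file.hash.sha256", "file.name", "hash.md5",
    "hash.sha256", "process.args", "process.hash.md5", "process.hash.sha256",
    "process.parent.hash.md5", "process.parent.hash.sha256", "source.ip",
    "url.domain", "url.full",
]
# The analyzer's default index patterns.
DEFAULT_INDICES = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*",
                   "packetbeat-*", "winlogbeat-*"]


def endpoint_auth(endpoints, keys=None, users=None, passwords=None):
    """Pair each endpoint with its Authorization header. Raises ValueError when both
    auth styles are configured or the lists do not line up one-to-one."""
    keys, users, passwords = keys or [], users or [], passwords or []
    if keys and (users or passwords):
        raise ValueError("configure either keys or users/passwords, not both")
    if keys and len(keys) != len(endpoints):
        raise ValueError("keys must have one entry per endpoint")
    if (users or passwords) and not (len(users) == len(passwords) == len(endpoints)):
        raise ValueError("users and passwords must each have one entry per endpoint")
    pairs = []
    for i, ep in enumerate(endpoints):
        if keys:
            hdr = {"Authorization": "ApiKey " + keys[i]}       # already base64(id:api_key)
        elif users:
            cred = base64.b64encode(("%s:%s" % (users[i], passwords[i])).encode()).decode()
            hdr = {"Authorization": "Basic " + cred}
        else:
            hdr = {}                                             # unauthenticated cluster
        pairs.append((ep, hdr))
    return pairs


def config_error(endpoints, keys=None, users=None, passwords=None):
    """The message endpoint_auth would raise for this configuration, or None if it is consistent."""
    try:
        endpoint_auth(endpoints, keys, users, passwords)
    except ValueError as exc:
        return str(exc)
    return None


def fields_for(data_type, value, fields=DEFAULT_FIELDS):
    """Keep only the configured fields that can hold this observable type; for hashes,
    pick md5 or sha256 fields from the digest length so the query is not spread
    across fields that can never match."""
    if data_type == "ip":
        return [f for f in fields if f.endswith(".ip") or f.endswith("resolved_ip")]
    if data_type in ("domain", "fqdn"):
        return [f for f in fields if f in ("dns.question.name", "url.domain")]
    if data_type == "url":
        return [f for f in fields if f == "url.full"]
    if data_type == "filename":
        return [f for f in fields if f in ("file.name", "process.args")]
    if data_type == "hash":
        hashy = [f for f in fields if f.endswith(".md5") or f.endswith(".sha256")]
        suffix = {32: ".md5", 64: ".sha256"}.get(len(value))
        return [f for f in hashy if f.endswith(suffix)] if suffix else hashy
    return list(fields)


def build_ioc_query(data_type, value, size=10):
    """Search body. multi_match (not query_string) so an observable containing Lucene
    syntax such as *, ~, AND or quotes is matched literally rather than parsed;
    lenient=true ignores format errors on ip-typed fields."""
    return {
        "size": int(size),                           # the config item is typed as a string
        "query": {"multi_match": {"query": value, "fields": fields_for(data_type, value),
                                  "lenient": True}},
        "sort": [{"@timestamp": {"order": "desc", "unmapped_type": "date"}}],
    }


def search_url(endpoint, indices):
    """One _search request per endpoint covering all configured index patterns."""
    return endpoint.rstrip("/") + "/" + ",".join(indices) + "/_search"


if __name__ == "__main__":
    print(endpoint_auth(["https://es1.example:9200"], users=["cortex"], passwords=["pw"]))
    print(build_ioc_query("hash", "d41d8cd98f00b204e9800998ecf8427e", size="10"))
    print(search_url("https://es1.example:9200/", DEFAULT_INDICES))
```

The reason to prefer multi_match over query_string here is that the observable is attacker-chosen text from a case; with query_string a value such as `*` or `name:* OR *` is parsed as a query rather than searched for, which both skews results and lets the submitter drive arbitrary searches against the cluster.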
README
EmailRep is a system of crawlers, scanners and enrichment services that collects data on email addresses, domains and internet personas.
EmailRep uses hundreds of data points from social media profiles, professional networking sites, dark web credential leaks, data breaches, phishing kits, phishing emails, spam lists, open mail relays, domain age and reputation, deliverability and more to predict the risk of an email address.
A key can be added to the configuration but it is not necessary.
Author: Manabu Niseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://emailrep.io/
emailrep.io lookup.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
README
EmergingThreats intelligence helps prevent attacks and reduce risk by helping you understand the historical context of where these threats originated, who is behind them, when they attacked, what methods they used and what they are after.
The analyzer is available in 3 flavors:
 - EmergingThreats_DomainInfo: retrieve ET reputation, related malware and IDS requests for a given domain.
 - EmergingThreats_IPInfo: retrieve ET reputation, related malware and IDS requests for a given IP address.
 - EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.
You need a valid EmergingThreats API subscription to use the analyzer: provide your API key as the key parameter.
Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://threatintel.proofpoint.com/
Retrieve ET details and info related to a malware hash.
+key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://threatintel.proofpoint.com/
Retrieve ET reputation, related malware, and IDS requests for a given IP address.
+key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://threatintel.proofpoint.com/
Retrieve ET reputation, related malware, and IDS requests for a given domain.
+key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+This Analyzer allows you to view the content of an email without opening it in a dedicated application.
+This programs gathers headers, message content, files, gives access to the raw message and extracts following observables:
+Extracted observables are enriched with tags giving context.
+An option permits to get an overview of the HTML rendered email. The program creates a screenshot of html parts of the message, inline and attachment parts.
+By default, this option is not enabled. To proceed, the Analyzer requires the program wkhtmltoimage
beeing installed on the system.
When enabled, the Analyzer tries to render the html included in the email. If it fails, a dedicated message is displayed.
+ +wkhtmltopdf
program is required to enable visualisation. DEB and RPM packages exist.
+Once installed, in Cortex, configure the Analyzer accordingly :
email_visualisation
to true.wkhtmltoimage
program path in the parameter wkhtmltoimage_path
(the default value suits the docker image of the Analyzer).+ +
+ +Author: StrangeBee
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: N/A
+Third party service: https://www.strangebee.com
Parse and visualise EML email message. Submit a .eml formatted file and extract some useful information.
+email_visualisation | +Enable email visualisation in report. This option requires the program wkhtmltoimage and installation of wkhtmltopdf package on the system. Docker image has this program installed. Refer to the documentation for more information. |
+
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
wkhtmltoimage_path | +Path of wkhtmltoimage program on the system. This program is required to generate visualisation of the message as it seen in mail client program. If using Docker image, use default configuration. | +
---|---|
Default value if not configured | +/usr/bin/wkhtmltoimage | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Sebastian Schmerl - Computacenter
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com
Submit observables to the Crowdstrike FalconX Sandbox
+API_Base_Url | +Crowdstrike Api Base Url | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Client_ID | +Crowdstrike Api ClientID | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Client_Secret | +Crowdstrike Api Client Secret | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: TheHive-Project
+License: AGPL-V3
+Version: 8.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...
+manalyze_enable | +Wether to enable manalyze submodule or not. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
manalyze_enable_docker | +Use docker to run Manalyze. Can be used only if not using the docker image of FileInfo | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
manalyze_enable_binary | +Use local binary to run Manalyze. Need to compile it before! | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
manalyze_binary_path | +Path to the Manalyze binary that was compiled before. Keep the default value if using the docker image of FileInfo | +
---|---|
Default value if not configured | +/worker/Manalyze/bin/manalyze | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
floss_enable | +Enable the use of FireEye FLARE FLOSS | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
floss_binary_path | +Path to the FLOSS binary. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
floss_minimal_string_length | +Length of strings must be in order to be considered. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+FireEyeiSight adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches.
+The analyzer comes in only one flavor.
+You need a valid FireEye iSight subscription to use the analyzer.
+key
parameter.pwd
parameter.+ +
+ +Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - ip
+ - hash
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://intelligence.fireeye.com/
Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.
+key | +API key for FireEye iSIGHT. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
pwd | +Password associated to the API key. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+FireJOLBlocklists is a composition of other IP lists. +The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs.
+The analyzer comes in a single flavout that will return if provided ip is in block list and link to its report.
+You need to clone original repo on the cortex machine [git clone https://github.com/firehol/blocklist-ipsets] and update relative path in blocklistpath
variable.
+ +
+ +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://iplists.firehol.org/
Check IP addresses against the FireHOL blocklists
+blocklistpath | +Path to blocklists | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+Categorize domain names, URL, fqdn, IP addresses using the popular Forcepoint Master Database service .
+You need a valid Forcepoint license to use the analyzer:
+hostname
parameter and timeout as a value for the timeout
parameter.Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - ip
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.forcepoint.com
Use ForcepointWebsensePing to determine which category a certain URL is assigned to.
+hostname | +Forcepoint remote Filtering Service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
timeout | +WebsensePing timeout-secs | +
---|---|
Default value if not configured | +10 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
path | +WebsensePing path | +
---|---|
Default value if not configured | +/opt/Websense/bin | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
malicious_categories | +List of Forcepoint categories to be considered as malicious | +
---|---|
Default value if not configured | +['Dynamic DNS', 'Elevated Exposure', 'Emerging Exploits', 'Extended Protection', 'Newly Registered Websites', 'Suspicious Content', 'Advanced Malware Command and Control', 'Advanced Malware Payloads', 'Botnets', 'Bot Networks', 'Compromised Websites', 'Malicious Web Sites', 'Custom-Encrypted Uploads', 'Files Containing Passwords', 'Keyloggers', 'Malicious Embedded Link', 'Malicious Embedded Iframe', 'Malicious Websites', 'Mobile Malware', 'Phishing and Other Frauds', 'Potentially Exploited Documents', 'Potentially Unwanted Software', 'Spyware', 'Suspicious Embedded Link', 'Elevated Exposure Newly Registered Websites', 'Unauthorized Mobile Marketplaces', 'User-Defined'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
suspicious_categories | +List of Forcepoint categories you would consider as suspicious | +
---|---|
Default value if not configured | +['Uncategorized', 'Parked Domain', 'Hacking', 'Proxy Avoidance', 'Intolerance', 'Abused Drugs', 'Adult Content', 'Adult Material', 'Advertisements', 'Computer Security', 'Drugs', 'Dynamic Content', 'Illegal or Questionable', 'Marijuana', 'Militancy and Extremist', 'Network Errors', 'Peer-to-Peer File Sharing', 'Personal Network Storage and Backup', 'Private IP Addresses', 'Sex', 'Tastelesstopics or to improper language', 'Violence', 'Web and Email Spam', 'Security'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
safe_categories | +List of Forcepoint categories you would consider as safe | +
---|---|
Default value if not configured | +['Business and Economy', 'Bandwidth', 'Education', 'Government', 'News and Media', 'Productivity', 'Religion', 'Society and Lifestyles', 'Special Events', 'Information Technology', 'Abortion', 'Advocacy Groups', 'Entertainment', 'Facebook Apps ', 'Facebook Chat', 'Facebook Commenting', 'Facebook Events', 'Facebook Friends', 'Facebook Games', 'Facebook Groups', 'Facebook Mail', 'Facebook Photo Upload', 'Facebook Posting', 'Facebook Questions', 'Facebook Video Upload', 'File Download Servers', 'LinkedIn Connections', 'LinkedIn Jobs', 'LinkedIn Mail', 'LinkedIn Updates', 'Twitter Follow', 'Twitter Mail', 'Twitter Posting', 'YouTube Commenting', 'YouTube Sharing', 'YouTube Video Upload', 'Alternative Journals', 'Application and Software Download', 'Blog Commenting', 'Blog Posting', 'Blogs and Personal Sites', 'Classified Posting', 'Social and Affiliation Organizations', 'Social Networking', 'Social Organizations', 'Social Web - Facebook', 'Social Web - LinkedIn', 'Social Web - Twitter', 'Social Web - YouTube', 'Social Web Controls - Various', 'Sports', 'Entertainment Video', 'Financial Data and Services', 'Instant Messaging', 'Job Search', 'Shopping', 'Travel', 'Vehicles', 'Search Engines and Portals', 'Alcohol and Tobacco', 'Collaboration – Office', 'Content Delivery Networks', 'Cultural Institutions', 'Educational Institutions', 'Educational Materials', 'Educational Video', 'General Email', 'Health', 'Hobbies', 'Gay or Lesbian or Bisexual Interest', 'Gambling', 'Games', 'Hosted Business Applications', 'Internet Auctions', 'Internet Communication', 'Internet Radio and TV', 'Internet Telephony', 'Media File Download', 'Message Boards and Forums', 'Non-Traditional Religion', 'Nudity', 'Nutrition', 'Office - Apps', 'Office - Documents', 'Office - Drive', 'Office - Mail', 'Office Category used to manage the Office domain', 'Online Brokerage and Trading', 'Organizational Email', 'Personals and Dating', 'Pay-to-Surf', 'Political 
Organizations', 'Prescribed Medications', 'Pro-Choice', 'Pro-Life', 'Professional and Worker Organizations', 'Real Estate', 'Reference Materials', 'Restaurants and Dining', 'Service and Philanthropic Organizations', 'Sex Education', 'Lingerie and Swimsuit', 'Sport Hunting and Gun Clubs', 'Streaming Media', 'Surveillance', 'Text and Media Messaging', 'Traditional Religions', 'Viral Video', 'Weapons', 'Web Analytics', 'Web and Email Marketing', 'Web Chat', 'Web Collaboration', 'Web Hosting', 'Web Images', 'Web Infrastructure', 'Website Translation'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
README
+Fortiguard is a web filtering service commonly used in organizations.
+The analyzer comes in a single flavout that will return websense categorization for provided url or domain.
+The analyzer returns just their categorization, you can customize which category must be considerd suspiciour or malicious adding them to suspicious_categories
or malicious_categories
variables.
+ +
+ +Author: Eric Capuano
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - domain
+ - url
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://www.fortiguard.com/webfilter
Check the Fortiguard category of a URL, FQDN or a domain. Check the full available list at https://fortiguard.com/webfilter/categories
+malicious_categories | +List of FortiGuard categories to be considered as malicious | +
---|---|
Default value if not configured | +['Malicious Websites', 'Phishing', 'Spam URLs'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
suspicious_categories | +List of FortiGuard categories to be considered as suspicious | +
---|---|
Default value if not configured | +['Newly Observed Domain', 'Newly Registered Domain', 'Dynamic DNS', 'Proxy Avoidance', 'Hacking'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
Author: pettai@sunet.se, SUNET
+License: AGPL-V3
+Version: 0.1
+Supported observables types:
+ - ip
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search GRR for the host agent.
+url | +URL of the GRR API. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +API user to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
password | +API password to the API user | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Gatewatcher is a European leader in advanced Threats detection, protecting critical networks of large Entreprises and Governement organisations since 2015.
+The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business.
+This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database
+If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key
+If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec
+With this cortex integration, we also provide you templates for TheHive available in the thehive-templates directory.
+ ++ +
+ +Author: Gatewatcher
+License: AGPL-3.0
+Version: 1.0
+Supported observables types:
+ - hash
+ - domain
+ - fqdn
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.gatewatcher.com/
Get Gatewatcher CTI Report
+apiKey | +Gatewatcher CTI Api Key. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
extendedReport | +Show reports for relations. | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
maxRelations | +Max relation reports to display if you have enabled the extendReport option. Set -1 to show all report | +
---|---|
Default value if not configured | +50 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: CERT-LaPoste
+License: AGPL-V3
+Version: 1.0.0
+Supported observables types:
+ - domain
+ - ip
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Request Google DNS over HTTPS service
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use Google Safebrowing to check URLs and domain names.
+client_id | +Client identifier | +
---|---|
Default value if not configured | +cortex | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: CERT-LaPoste
+License: AGPL-V3
+Version: 1.0.0
+Supported observables types:
+ - file
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Find look alike image via Google Cloud Vision API using the Web_Detection service
+api_key | +API key for this service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
max_result | +Maximum number of url to fetch | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+GreyNoise collect and analyze untargeted, widespread, and opportunistic scan and attack +activity that reaches every server directly connected to the Internet. Mass scanners (such as Shodan and Censys), +search engines, bots, worms, and crawlers generate logs and events omnidirectionally on every IP address in the IPv4 +space. GreyNoise gives you the ability to filter this useless noise out.
+The analyzer comes in a single flavour, but supports both the GreyNoise Paid and Community APIs, that will return +GreyNoise additional information categorization for provided ip.
+You need a valid GreyNoise API integration subscription or Community account to use the analyzer.
+key
parameter.api_type
parameter+ +
+ +Author: Nclose
+License: APLv2
+Version: 3.1
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://viz.greynoise.io/
Determine whether an IP has known scanning activity using GreyNoise.
+key | +API key for GreyNoise | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
api_type | +API Type to Match Key, either 'enterprise' or 'community' | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: Matt Erasmus, Jonas Hergenhahn
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query haveibeenpwned.com for a compromised email address
+unverified | +Include unverified breaches | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
truncate | +Truncated response means only the name of data breaches | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +Api key for hibp | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
retries | +Retries to request api while getting status code 429 | +
---|---|
Default value if not configured | +5 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Hashdd search engine for file hashes which automatically queries 3rd party services like VirusTotal and enriches the information provided based on the 3rd party data.
+The analyzer includes two flavors: Status and Detail. The first one is used to query hashdd without an API key for the threat level only. The latter produces additional meta information about the sample, but requires an API key.
+A valid Hashdd API is necessary just for detail flavour, for status can still be added.
+key
parameter.+ +
+ +Author: iosonogio, dadokkio
+License: AGPLv3
+Version: 2.0
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://www.hashdd.com/
Determine whether a hash is good or bad; if good then list what it is.
+api_key | +API key for hashdd | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: iosonogio, dadokkio
+License: AGPLv3
+Version: 2.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Determine whether a hash is good or bad.
+api_key | +API key for hashdd | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get the Hippocampe Score report associated with an IP address, a domain or a URL.
+url | +URL of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get the Hippocampe detailed report for an IP address, a domain or a URL.
+url | +URL of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + ++ +
+ +Author: Rémi Allain, Cyberprotect
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://hunter.io/
hunter.io is a service to find email addresses from a domain.
+key | +api key of hunter.io | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Daniil Yugoslavskiy, Tieto
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - file
+ - filename
+ - url
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Fetch Hybrid Analysis reports associated with hashes and filenames.
+key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - ip
+ - hash
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query domains, IPs, hashes and URLs against IBM X-Force threat intelligence sharing platform.
+url | +X-Force API URL | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +X-Force API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
pwd | +X-Force API Password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verify | +Enable/Disable certificate verification | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
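Review bot: in the IBM X-Force configuration table, the `verify` item ("Enable/Disable certificate verification") is listed with default N/A and Is required False, so the page never says what happens when the operator leaves it unset; because the same table sends an API key and password (`key`, `pwd`) to the configured `url`, the docs should state the effective default explicitly and it should be verification enabled unless deliberately switched off. Suggest rendering the real default in the "Default value if not configured" row (e.g. `True`) instead of N/A. The same generated-table problem shows up in the HaveIBeenPwned section, where `api_key` is marked required yet carries a default of `__`, which reads as a placeholder that leaked into the documentation rather than a usable default.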
+ + + + + + + + + + + + + + + + + + + + +Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check IP address or domain using ip-api.com
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Joel Snape @ Nettitude
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Determine whether an IP is present on any of the feeds consumed by IPVoid
+key | +API key for IPVoid | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Manabu Niseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
IPinfo hosted domains lookup.
+api_key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Manabu Niseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
IPinfo details lookup.
+api_key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Get intelligence from an IVRE instance.
+You need an access to an IVRE instance. Unlike most analyzers, IVRE +does not exist as a public service but is an open-source tool: you +need to install and run your own instance. The repository is on +GitHub.
+To learn more about IVRE (and its "purposes"), you can read the +documentation, particularly about the +principles, +and some use +cases.
+Supply the following parameters to the analyzer in order to use it:
+db_url
(string): the IVRE instance database URL (format: same as IVRE's
+ configuration; default: use IVRE's configuration)db_url_data
(string): the IVRE instance database URL for the data purpose
+ (idem)db_url_passive
(string): the IVRE instance database URL for the passive purpose
+ (idem)db_url_scans
(string): the IVRE instance database URL for the scans purpose
+ (idem)use_data
(boolean): should the analyzer use the data purpose?use_passive
(boolean): should the analyzer use the passive purpose?use_scans
(boolean): should the analyzer use the scans purpose?+ +
+ +Author: Pierre Lalet
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - autonomous-system
+ - certificate_hash
+ - domain
+ - fqdn
+ - ip
+ - network
+ - port
+ - user-agent
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: https://ivre.rocks/
Fetch details from an IVRE instance.
+use_data | +Use data from the data purpose (MaxMind) | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
use_passive | +Use data from the passive purpose | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
use_scans | +Use data from the scans (nmap) purpose | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
db_url | +The URL of the IVRE database (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
db_url_data | +The URL of the IVRE database for the data purpose (e.g., maxmind:///usr/share/ivre/geoip or http://host/cgi); defaults to using IVRE's configuration | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
db_url_passive | +The URL of the IVRE database for the passive purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
db_url_scans | +The URL of the IVRE database for the scans (nmap) purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+This analyzer helps you investigate suspicious emails received from known or unknown senders to ensure that their email addresses aren't compromised.
+No API key required.
+If the email is compromised then it returns: +- Total breaches +- Most recent breach +- Breached data +- Critical data +- Exposure rating: The comparative data exposure and risk rating assigned to this email address.
+You need first to enable the analyzer.
+ +Navigate to Analyzers then run Inoitsu analyzer.
+ +Test Inoitsu analyzer on a compromised email address.
+ +Test Inoitsu analyzer on an uncompromised email address.
+ +In the observables section add emails to test.
+Then select the emails that you want to analyze, select Inoitsu and click on Run selected analyzers.
+ + +To view the report of the compromised email, click on Inoitsu:Compromised="True"
To view the report of the uncompromised email, click on Inoitsu:Compromised="False"
+ +
+ +Author: Abdelkader Ben Ali
+License: MIT
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://www.hotsheet.com/inoitsu/
Query Inoitsu for a compromised email address.
+No specific configuration required.
+README
+Intezer is a subscription-based SaaS product that provides rapid malware detection and analysis.
+The analyzer comes in a single flavour that permits user to upload files and detect code reuse in trusted and malicious software, and obtain new insights and information about malware families and threat actors.
+You need a valid Intezer Community API integration subscription to use the analyzer.
+key
parameter.+ +
+ +Author: Matteo Lodi
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://analyze.intezer.com/
Analyze a possible malicious file with Intezer Analyzer
+key | +API key for Intezer | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Cisco Umbrella Research @opendns
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve Investigate categorization and security features for a domain.
+key | +Define the Investigate API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Cisco Umbrella Research @opendns
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve sample data from Investigate for a hash. (Sample data provided by ThreatGrid)
+key | +Define the Investigate API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+With the version 3.0 this analyzer allow you to have:
+This analyzer has 3 flavors:
+Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: N/A
Joe Sandbox file analysis with Internet access.
+url | +URL of JoeSandbox service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
analysistimeout | +Analysis timeout (seconds) | +
---|---|
Default value if not configured | +1800 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
networktimeout | +Network timeout (second) | +
---|---|
Default value if not configured | +30 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
HTML_report | +Download HTML report | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
images | +Allow images in the report | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
observables | +Creat observables form report | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: N/A
Joe Sandbox file analysis without Internet access.
+url | +URL of JoeSandbox service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
analysistimeout | +Analysis timeout (seconds) | +
---|---|
Default value if not configured | +1800 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
networktimeout | +Network timeout (second) | +
---|---|
Default value if not configured | +30 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
HTML_report | +Download HTML report | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
images | +Allow images in the report | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
observables | +Creat observables form report | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Joe Sandbox URL analysis.
+url | +URL of JoeSandbox service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
analysistimeout | +Analysis timeout (seconds) | +
---|---|
Default value if not configured | +1800 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
networktimeout | +Network timeout (second) | +
---|---|
Default value if not configured | +30 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+This analyzer allows you to execute a parametrized notebook in Jupyter. This can help you investigate observables by submitting them to custom notebooks for automated investigation tasks. +You can choose to execute your notebooks locally or remotely.
+This was designed to run with a running remote JupyterHub instance but you can work directly with local/remote storages (Azure, S3 etc.)
+You can run several notebooks at the same time for one observable.
+You can setup several Jupyter connectors just with a copy/paste of the file "Jupyter_Run_Notebook_Analyzer.json" file.
+You must install the required librairies described in the requirements.txt file.
+++⚠️ A current issue was identified in the Papermill on how the requests are managed when HTTP handler is used. The Jupyter HTTP REST API is adding an additionnal layer in the JSON response that need to be removed before recovering the notebook. An issue was raised accordingly: +Nbformat/nbformat_minor not well extracted with HTTP handler #727
+
You can fix the issue by replacing the HTTPHandler class in papermill source code (iorw.py#L180) to this code:
+class HttpHandler(object):
+ @classmethod
+ def read(cls, path):
+- return requests.get(path, headers={'Accept': 'application/json'}).text
++ return json.dumps(requests.get(path, headers={'Accept': 'application/json'}).json()["content"])
+
+ @classmethod
+ def listdir(cls, path):
+ raise PapermillException('listdir is not supported by HttpHandler')
+
+ @classmethod
+ def write(cls, buf, path):
++ payload = {"type": "notebook", "format": "json", "path": path}
++ payload["content"] = json.loads(buf)
++ result = requests.put(path, json=payload)
+- result = requests.put(path, json=json.loads(buf))
+ result.raise_for_status()
+
+ @classmethod
+ def pretty_path(cls, path):
+ return path
+
You must create a service account to access the JupyterHub instance. +This is a proposed configuration:
+c.JupyterHub.load_roles = [
+ {
+ "name": "role_cortex_servers",
+ "scopes": [
+ "servers", # manage servers
+ "access:servers", # access servers themselves
+ ],
+ # assign role to our 'cortex' service
+ "services": ["cortex"],
+ }
+]
+
+# persist token to a file, to share it with the launch-server.py script
+import pathlib
+import secrets
+
+here = pathlib.Path(__file__).parent
+token_file = here.joinpath("service-token-cortex")
+if token_file.exists():
+ with token_file.open("r") as f:
+ token = f.read()
+else:
+ token = secrets.token_hex(16)
+ with token_file.open("w") as f:
+ f.write(token)
+
+# define our service
+c.JupyterHub.services = [
+ {
+ "name": "cortex",
+ "api_token": token,
+ }
+]
+
A token will be available locally to your JupyterHub instance under the file named "service-token-cortex"
+You must enable the named servers by adding this into your configuration: +
c.JupyterHub.allow_named_servers = True
+
This connector is using the Papermill library to work. It will allow you to get the notebook, execute it locally after parameterize the notebook and then store it. +Please refer to the Supported Name Handles description to have more details.
+Papermill is also used in this case but additional code (specific to this connector) was added to let you work with remote JupyterHun instance instead of having the notebooks run locally on the Cortex instance. This should help you to avoid having to install local dependencies on your Cortex instance.
+To do so, the connector is communicating directly with the remote kernel using the Jupyter HTTP REST API and Jupyter Websocket API so you must use HTTP handlers accordingly (with the provided fix above applied). It's sending automatically the code to execute following the kernel logic explained here: Messaging in Jupyter.
+You must use HTTP handlers provided by Papermill, meaning that input notebooks must be starting with "http://" or "https://" and allow traffic using the websocket protocol ("ws://").
+You'll have to setup several parameters for the connector. +Parameters can be identified with:
+[INPUT]
: Concerns only input notebooks[OUTPUT]
: Concerns only output notebooks[ANY]
: Concerns either an input or output notebooks[HTTP Handler]
: Need to be setup only if you are using HTTP Handlers. Not used for local/remote storage (Azure, S3 etc)Here is the description for each parameter:
+input_hostname
: [INPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to get the input notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.input_handler_http_service_api_token
: [HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into accountinput_handler_http_is_jupyterhub
: [INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account (Default: true)input_handler_http_execute_remotely
: [INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you want to run your code locally (papermill) or remotely (websocket through HTTP), otherwise don't take this parameter into accountinput_paths
: [INPUT] List of paths of the notebooks you want to runoutput_hostname
: [OUTPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to store the output notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.output_handler_http_service_api_token
: [HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into accountoutput_handler_http_is_jupyterhub
: [OUTPUT][HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account (Default: true)output_folder
: [OUTPUT] Folder path in which executed notebooks will be stored. This field is supporting format code for datetime such as the one used by the strftime()
function.any_handler_http_user
: [ANY][HTTP Handler] If you want to use the REST API directly (HTTP handler), you must indicate which user will be used as the reference for having the original notebooks, otherwise don't take this parameter into account.any_generate_html
: [ANY] Indicates if you want only the HTML conversion as a response (not the full detailed payload) (Default: true)Here is an example of what it could looks like:
+ +As we are using Papermill, we can parameterize the notebooks before execution. +The connector will recover the input playbook, find the associated tagged cell with "parameters" and add these four parameters:
+thehive_organisation
: This is specifying the organisation in which the connector was executedthehive_user
: This is specifying which user executed the connectorthehive_observable_type
: This is indicating the observable type (from the predefined list from TheHive)thehive_observable_value
: This is indicating the observable valueHere is an example of what it look like: +
+An analysis report (notebook execution exported in HTML) wil be available in TheHive:
+ +You can return new artifacts/observables from the notebook to TheHive by using a tag named "artifacts
" on the code block that will contain the artifacts.
Once you've add the tag to the block, ensure that the code block is given json outputs containing information about new artifacts to return. As you can see, you can have several artifacts separated by a newline ("/n"). In this example, we are returning two artifacts.
+Within TheHive, you'll be able to see the artifacts proposed to be imported and with the given information:
+ +Short reports can be built directly from the executed notebooks as artifacts thanks to the tag named "taxonomies
".
Once you've add the tag to the block, ensure that the code block is given json outputs containing information about taxonomies to return. As you can see, you can have several taxonomies separated by a newline ("/n"). In this example, we are returning two taxonomies.
++
+All taxonomies must follow the same pattern:
+level
: Indicates the level of the taxonomy (used for the color). Values can be "info", "safe", "suspicious" or "malicious".namespace
: Indicates the namespace of the taxonomy. We recommand to use the default value set to "Jupyter".predicate
: Indicates a specific subname for the given namespace.value
: Indicates the value associated to the predicate.The long report template is used to render the notebook execution from a HTML export of the same notebook. In the raw data sent back to TheHive, you can have the all detail of the execution additionally to the HTML embedded code (be sure to set any_generate_html
to True accordingly). If you don't want to have the render directly in TheHive and lower the size of the response, please set this parameter to False.
jupyter_client.kernelspec.NoSuchKernel: No such kernel named python3
on the Cortex instance#This means that you are missing librairies on your local Cortex instance to be able to run your notebooks. It must have a dedicated folder for the cortex user with the kernel spec to be able to run it. +You have to execute those commands on the Cortex instance to fix the issue:
+console
+root#> mkdir /home/cortex
+root#> chown cortex: /home/cortex
+root#> su cortex
+cortex#> ipython kernel install --name "python3" --user
papermill/iorw.py
#If you're using a hostname input or output starting with "http(s)", please check that you applied the patch mentionned above as expected. Otherwise, please raise an issue.
+You can reach the developer directly by email: letmer00t@gmail.com
++ +
+ +Author: Alexandre Demeyer
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - hostname
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a parameterized notebook in Jupyter
+input_hostname | +[INPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to get the input notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
input_handler_http_service_api_token | +[HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
input_handler_http_is_jupyterhub | +[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
input_handler_http_execute_remotely | +[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you want to run your code locally (papermill) or remotely (websocket through HTTP), otherwise don't take this parameter into account | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
input_paths | +[INPUT] List of paths of the notebooks you want to run | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
output_hostname | +[OUTPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to store the output notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
output_handler_http_service_api_token | +[HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
output_handler_http_is_jupyterhub | +[OUTPUT][HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
output_folder | +[OUTPUT] Folder path in which executed notebooks will be stored. This field is supporting datetime format (see 'strftime' function). | +
---|---|
Default value if not configured | +/ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
any_handler_http_user | +[ANY][HTTP Handler] If you want to use the REST API directly (HTTP handler), you must indicate which user will be used as the reference for having the original notebooks, otherwise don't take this parameter into account. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
any_generate_html | +[ANY] Indicates if you want the HTML generation within the response. This setting is helpful if you want to reduce the size of the answer returned by the script and manage the HTML render yourself. | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Analyze IP address, domain or hash via Kaspersky Threat Intelligence Portal
+key | +API key for Kaspersky Threat Intelligence Portal | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Florian Perret @cyber_pescadito
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - username
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query your LDAP server to harvest informations about an user of your organization
+LDAP_address | +Should contain the protocol. Eg: ldaps://myldap.myorg.com | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
LDAP_port | +Should contain the ldap port. Eg: 389 or 636 | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
LDAP_username | +Usernae of the account that will be used to bind to LDAP server. The Account should have permissions to read ldap objects and attributes. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
LDAP_password | +Password of the account used to bind to LDAP server. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
base_DN | +The base DN to use in your LDAP. Eg: dc=myorg,dc=com | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
uid_search_field | +Specify here the field to use when searching by username. Eg: uid or sAMAccountName | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
attributes | +Specify here the attributes you want to harvest. Eg: mail | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+MISP A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
+The analyzer comes in a single flavour that will return MISP additional information for provided observable.
+You need a valid MISP API integration to use the analyzer.
+key
parameter.+ +
+ +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://www.misp-project.org/
Query multiple MISP instances for events containing an observable.
+name | +Name of MISP servers | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
url | +URL of MISP servers | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
key | +API key for each server | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
cert_check | +Verify server certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_path | +Path to the CA on the system used to check server certificate | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
README
+MISPWarningLists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
+The analyzer comes in a single flavour that will check observables against MISP Warninglists to filter false positives.
+Option 1 low performances:
+ - Clone the MISPWarningLists GitHub repository.
+ - In the analyzer parameters configure the path
of WarningLists folder.
Option 2 high performances:
+ - Clone the MISPWarningLists GitHub repository.
+ - Install PostgreSQL database.
+ - Set conn_string
and warninglists_path
located inside script warninglists_create_db.py
and run it in order to parse all MISPWarningLists and insert into PostgreSQL.
+ - In the analyzer parameters configure the conn
to DB (for example: postgresql+psycopg2://user:password@localhost:5432/warninglists').
+ +
+ +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - hash
+ - domain
+ - fqdn
+ - url
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/MISP/misp-warninglists
Check IoCs/Observables against MISP Warninglists to filter false positives.
+path | +path to Warninglists folder | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
conn | +sqlalchemy connection string | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
README
This analyzer pulls the Microsoft Entra ID sign-ins for a user. It requires the UPN of the account in question, which should be entered as a "mail" observable in TheHive.

To enable the analyzer, you need three values:
1. Microsoft Entra ID Tenant ID
2. Application ID
3. Application Secret

The first two values can be found at any time on the application's Overview page in the Microsoft Entra ID portal. The secret must be generated and then stored in a safe place, as it is only displayed in full when it is first created.

You can also limit how far back the analyzer requests sign-ins and how many sign-ins are returned (the lookup_range and lookup_limit parameters below).

Finally, you can specify a state and a country/region. These are used as taxonomies: if a query on a particular user returns sign-ins from outside the configured state, a taxonomy label is added to the observable to reflect that, and likewise for the country/region. The analyzer does not support selecting multiple states or countries, so if your users legitimately sign in from more than one, leave the values blank. If a value is not configured, the analyzer simply does not emit that taxonomy.

Requirements:
- A user account with the Cloud Application Administrator role.
- A user account with the Global Administrator role (most of the steps can be done with only the Cloud Application Administrator role, but the final admin consent for the application's API permissions requires GA).

Using a GA account, select the "Grant admin consent for TENANTNAME" button.

Place the relevant values into the analyzer's config within Cortex.

It is possible to add colour coding to the long report as viewed from TheHive, so that certain rows of the Sign Ins table stand out.

Say you are in an organisation where almost all of your users sign in from a single state. You could colour the table so that out-of-state sign-ins are highlighted yellow and out-of-country sign-ins red. To enable customisation like this, modify this analyzer's long.html to check values in the full JSON report using an ng-style attribute on the table row element inside the table body. An example exists as a comment in the long.html file at line 34.
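The following Python is an added example of the two halves of this analyzer's job and is not the analyzer's own code: building the Microsoft Graph sign-in query bounded by lookup_range and lookup_limit, and turning the returned records into the out-of-state / out-of-country taxonomies. The token request uses the client-credentials flow with the tenant ID, application ID and secret described above (the app registration needs a Graph application permission that covers sign-in logs, AuditLog.Read.All, granted by the admin consent step). The sign-in records, the user jdoe@example.com and the taxonomy names are constructed for the illustration; the Graph field names (createdDateTime, ipAddress, status.errorCode, location.state, location.countryOrRegion) are the real ones.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for Graph from the three app-registration values.
    Performs a network call, so the offline demo below never invokes it."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def build_signins_url(upn, lookup_range=7, lookup_limit=12, now=None):
    """auditLogs/signIns query for one UPN, bounded like lookup_range / lookup_limit."""
    if not 1 <= lookup_range <= 31:
        raise ValueError("lookup_range must be between 1 and 31 days")
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=lookup_range)).strftime("%Y-%m-%dT%H:%M:%SZ")
    safe_upn = upn.replace("'", "''")  # OData string literal: quotes are escaped by doubling
    flt = f"userPrincipalName eq '{safe_upn}' and createdDateTime ge {since}"
    query = urllib.parse.urlencode({"$filter": flt, "$top": lookup_limit})
    return f"{GRAPH}/auditLogs/signIns?{query}"


def query_params(url):
    """Decoded query parameters of a built URL (used to check the filter)."""
    parts = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in parts.items()}


def fetch_signins(token, url):
    """One page of results; lookup_limit keeps this to a single request."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


# Constructed sign-in records using the field names Graph returns for signIns.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-07T12:00:00Z", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0},
     "location": {"city": "Austin", "state": "Texas", "countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-06T03:15:00Z", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126},  # invalid username or password
     "location": {"city": "Lagos", "state": "Lagos", "countryOrRegion": "NG"}},
    {"createdDateTime": "2024-05-05T09:30:00Z", "ipAddress": "203.0.113.44",
     "status": {"errorCode": 0},
     "location": {"city": "San Jose", "state": "California", "countryOrRegion": "US"}},
]


def classify(signins, state=None, country=None):
    """Counts behind the taxonomies; a location taxonomy is only emitted when its
    expected value was configured, mirroring the analyzer's behaviour."""
    out_of_state = out_of_country = failed = 0
    for s in signins:
        loc = s.get("location") or {}
        if state and loc.get("state") and loc["state"] != state:
            out_of_state += 1
        if country and loc.get("countryOrRegion") and loc["countryOrRegion"] != country:
            out_of_country += 1
        if (s.get("status") or {}).get("errorCode", 0) != 0:
            failed += 1
    taxonomies = [("info", "SignIns", len(signins)),
                  ("suspicious" if failed else "info", "FailedSignIns", failed)]
    if state:
        taxonomies.append(("suspicious" if out_of_state else "safe", "OutOfState", out_of_state))
    if country:
        taxonomies.append(("suspicious" if out_of_country else "safe", "OutOfCountry", out_of_country))
    return {"out_of_state": out_of_state, "out_of_country": out_of_country,
            "failed": failed, "taxonomies": taxonomies}


DEMO_NOW = datetime(2024, 5, 8, tzinfo=timezone.utc)  # fixed clock for the demo


def demo_url():
    return build_signins_url("jdoe@example.com", now=DEMO_NOW)


def demo_classify():
    return classify(SAMPLE_SIGNINS, state="Texas", country="US")


if __name__ == "__main__":
    print(demo_url())
    print(json.dumps(demo_classify(), indent=2))
```

The quote escaping in the OData filter matters: the UPN comes from an observable an analyst typed, and an unescaped apostrophe would either break the query or let the observable rewrite the filter.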
+Author: @jahamilto
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Pull all Microsoft Entra ID sign ins for a user within the specified amount of time.
tenant_id | Microsoft Entra ID Tenant ID
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

client_id | Client ID/Application ID of Microsoft Entra ID Registered App
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

client_secret | Secret for Microsoft Entra ID Registered Application
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

lookup_range | Check for sign ins in the last X days. Should be between 1 and 31 days.
---|---
Default value if not configured | 7
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False

lookup_limit | Display no more than this many sign ins.
---|---
Default value if not configured | 12
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False

state | Expected sign in state (used as a taxonomy when sign ins appear outside of this area).
---|---
Default value if not configured | N/A
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False

country | Expected sign in country or region (used as a taxonomy when sign ins appear outside of this area).
---|---
Default value if not configured | N/A
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False
No template samples to display.
Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check files against Malpedia YARA rules.
path | Rulepath
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

username | Username
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

password | Password
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
README

This analyzer lets you query the free Maltiverse threat intelligence platform for enrichment information about a particular hash, domain, IP or URL.

The analyzer comes in a single flavour that returns Maltiverse's additional information and categorisation for the provided observable.

You can specify the time interval between two request attempts for the report with the polling_interval parameter.

Author: ottimo
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - domain
+ - ip
+ - url
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://maltiverse.com/search
Get the latest Maltiverse report for a hash, domain, URL or IP address.
polling_interval | Define time interval between two requests attempts for the report
---|---
Default value if not configured | 60
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False

api_key | Auth token to use when requesting data to Maltiverse
---|---
Default value if not configured | __
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False
README
MalwareBazaar is a project operated by abuse.ch. Its purpose is to collect and share malware samples, helping IT security researchers and threat analysts protect their constituencies and customers from cyber threats.

The analyzer comes in a single flavour that takes a hash as input and enriches it with additional intelligence.

You need a valid MalwareBazaar API subscription to use the analyzer. Provide your key via the api_key parameter.

Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://bazaar.abuse.ch/
Search hashes on MalwareBazaar.
api_key | MalwareBazaar api key
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
README
Requirements:
- a [neo4j db instance](https://neo4j.com/download/)
- pip3 install -r requirements

Bulk import known malware samples into the db from:
 - a [cloned malpedia repo](https://malpedia.caad.fkie.fraunhofer.de/)
 - a folder with some malicious samples, with an optional Malpedia-like JSON definition

```python
from malwareclustering_api import Api

test = Api(host='127.0.0.1', port=7474, user='neo4j', password='password',
           threshold=40, folder_path='/home/user/malware_samples')
test.process()
```
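As an added example of what the threshold in the call above controls (this is illustration code, not malwareclustering_api or ApiScout), the Python below compares samples by the set of Windows API names they import and groups them by single-linkage clustering: two samples land in the same cluster when a chain of pairs, each at or above the similarity threshold, connects them. ApiScout's ApiVector packs the imports into compressed bit vectors and the analyzer stores the relationships in Neo4j; plain sets, a Jaccard percentage and an in-memory union-find are used here so the example runs stand-alone. The sample names and import lists are made up.

```python
# Constructed "API vectors": the set of imported Windows API names observed in
# each sample. Names and imports are made up for the illustration.
SAMPLES = {
    "injector_a": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                   "OpenProcess", "LoadLibraryA"},
    "injector_b": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                   "OpenProcess", "GetProcAddress"},
    "downloader_a": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                     "CreateFileA", "WriteFile"},
    "downloader_b": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                     "CreateFileA", "WinExec"},
    "dropper_x": {"MessageBoxA"},
}


def jaccard_pct(a, b):
    """Jaccard similarity of two import sets as a percentage (0-100)."""
    if not a and not b:
        return 0.0
    return 100.0 * len(a & b) / len(a | b)


def neighbours(name, samples, threshold):
    """Other samples at or above the threshold, most similar first."""
    scored = [(jaccard_pct(samples[name], v), other)
              for other, v in samples.items() if other != name]
    return [(other, round(score, 1)) for score, other in sorted(scored, reverse=True)
            if score >= threshold]


def cluster(samples, threshold):
    """Single-linkage clustering with union-find over every pair that meets the threshold."""
    parent = {n: n for n in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    names = sorted(samples)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard_pct(samples[a], samples[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for t in (40, 70):
        print(t, cluster(SAMPLES, t))
    print(neighbours("injector_a", SAMPLES, 40))
```

Raising the threshold splits clusters apart (at 70 every sample above is on its own), lowering it merges unrelated families through shared commodity imports, which is why the value deserves tuning against a labelled corpus such as the Malpedia import mentioned above.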
Author: LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service:
Uses ApiVectors to find similarities between malware samples.
n4j_host | Neo4j server host
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

n4j_port | Neo4j server port
---|---
Default value if not configured | N/A
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | True

n4j_user | Neo4j server user
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

n4j_pwd | Neo4j server password
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

threshold | ApiScout correlation threshold
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
README
Malwares.com is a web service to collect, analyse and detect various malicious code such as Trojans, viruses and worms, so that customers or end users can define proper security policies and countermeasures against security threats.

The analyzer comes in two flavours: one queries the service for different data types (file, hash, domain, ip), the other submits a new sample for analysis (file, url).

You need a valid Malwares.com API subscription to use the analyzer. Provide your key via the key parameter.

Author: LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+ - domain
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.malwares.com/
Get the latest Malwares report for a file, hash, domain or an IP address.
key | Malwares.com API Key
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
Author: LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.malwares.com/
Use Malwares' API to scan a file or URL.
key | Malwares.com API Key
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
Author: CERT-BDF
+License: AGPL-V3
+Version: 4.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use MaxMind to geolocate an IP address.
+No specific configuration required.
+No template samples to display.
Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get the latest MetaDefender Cloud report for hash.
key | API key for MetaDefender
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

url | url address for MetaDefender server
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
+Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get the latest MetaDefender Core report for hash.
key | API key for MetaDefender
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

url | url address for MetaDefender server
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
+Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - url
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get the latest MetaDefender Cloud reputation report for an IP, URL or domain.
key | API key for MetaDefender
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

url | url address for MetaDefender server
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
+Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Scan a file with MetaDefender Core
key | API key for MetaDefender
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

url | url address for MetaDefender server
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

polling | Define time interval between two requests attempts for the report
---|---
Default value if not configured | 10
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False
No template samples to display.
+Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Scan a file with MetaDefender Cloud
key | API key for MetaDefender
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

url | url address for MetaDefender server
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

polling | Define time interval between two requests attempts for the report
---|---
Default value if not configured | 10
Type of the configuration item | number
The configuration item can contain multiple values | False
Is required | False
No template samples to display.
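The polling parameter of the two MetaDefender scan flavours above, like polling_interval in the Maltiverse analyzer earlier on this page, sets how long to wait between requests for a report that is not ready yet. The Python below is an added example of the bounded polling loop a practitioner wants behind such a parameter, and is not the analyzers' own code: it stops on completion or after a maximum wait, so a submission the sandbox never finishes fails the Cortex job instead of hanging it. The completion test and the summary read the fields a MetaDefender file lookup returns (scan_results.progress_percentage, scan_all_result_a, total_detected_avs, total_avs); the responses themselves are constructed, and the sleep function is injectable so the demo runs without waiting.

```python
import time


def is_complete(report):
    """MetaDefender reports progress under scan_results.progress_percentage;
    a lookup on a data_id is finished when that reaches 100."""
    return (report.get("scan_results") or {}).get("progress_percentage") == 100


def poll_until_complete(fetch, interval=10, max_wait=300, sleep=time.sleep):
    """Call fetch() every `interval` seconds until is_complete() or max_wait is
    exhausted. Returns (report, attempts); raises TimeoutError so a stuck scan
    fails the job instead of blocking the analyzer forever."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    waited = 0
    attempts = 0
    while True:
        attempts += 1
        report = fetch()
        if is_complete(report):
            return report, attempts
        if waited >= max_wait:
            raise TimeoutError(f"report not ready after {max_wait}s ({attempts} attempts)")
        sleep(interval)
        waited += interval


def summarise(report):
    """Reduce a finished report to the fields an analyst looks at first."""
    sr = report.get("scan_results") or {}
    detected = sr.get("total_detected_avs", 0)
    total = sr.get("total_avs", 0)
    verdict = sr.get("scan_all_result_a", "unknown")
    return {"verdict": verdict, "detections": f"{detected}/{total}",
            "level": "malicious" if detected else "safe"}


# Constructed responses standing in for successive GET /file/{data_id} calls:
# two in-progress replies, then a finished one.
FAKE_RESPONSES = [
    {"data_id": "demo", "scan_results": {"progress_percentage": 30}},
    {"data_id": "demo", "scan_results": {"progress_percentage": 70}},
    {"data_id": "demo", "scan_results": {"progress_percentage": 100,
                                          "scan_all_result_a": "Infected",
                                          "total_detected_avs": 12, "total_avs": 30}},
]


def fake_fetcher(responses):
    """Return a fetch() that replays the constructed responses, repeating the last one."""
    state = {"i": 0}

    def fetch():
        r = responses[min(state["i"], len(responses) - 1)]
        state["i"] += 1
        return r
    return fetch


def demo(interval=10, max_wait=300):
    report, attempts = poll_until_complete(fake_fetcher(FAKE_RESPONSES), interval,
                                           max_wait, sleep=lambda s: None)
    return summarise(report), attempts


if __name__ == "__main__":
    print(demo())
```

In the real analyzer fetch() is the HTTP GET with the apikey header against the configured url; everything else in the loop stays the same.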
Author: Michael Stensrud, Nordic Financial CERT
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query IP addresses and domains against Mnemonic pDNS public service.
+No specific configuration required.
+No template samples to display.
+Author: Michael Stensrud, Nordic Financial CERT
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query IP addresses and domains against Mnemonic pDNS restricted service.
key | Define the API Key
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Parse Outlook MSG files and extract the main artifacts.
+No specific configuration required.
+No template samples to display.
README
NERD is a service provided by CESNET which collects information about malicious IP addresses from CESNET's own detection systems as well as several public sources. It keeps a profile of each known malicious IP address, containing all security-relevant information about the address, and summarises it into a reputation score, a number from 0.0 (good) to 1.0 (bad) representing the amount and confidence of recently received reports about that address.

The analyzer comes in a single flavour that returns the reputation score and various tags for the provided IP.

You need a valid NERD API key to use the analyzer. Provide it via the key parameter. The public instance is the default for the url parameter, but you can override it to point at another NERD instance.

Author: Vaclav Bartos, CESNET
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: False
+Free subscription: True
+Third party service: https://nerd.cesnet.cz/
Get Reputation score and other basic information from Network Entity Reputation Database (NERD)
key | API key
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

url | Base URL of the NERD instance
---|---
Default value if not configured | https://nerd.cesnet.cz/nerd/
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False
Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - filename
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query NSRL
conn | sqlalchemy connection string
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False

grep_path | path of grep
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False

nsrl_folder | path of NSRL folder
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False
No template samples to display.
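The NSRL parameters above describe two ways of answering the same question, whether a hash or filename belongs to a known-good software distribution: grep over the text files in nsrl_folder, or a query through a SQLAlchemy connection. The Python below is an added example of both lookups and is not the analyzer's own code. It parses a few constructed rows in the layout of the legacy RDS NSRLFile.txt ("SHA-1","MD5","CRC32","FileName",...), which carries SHA-1 and MD5 only, and uses the standard-library sqlite3 module in place of the analyzer's SQLAlchemy connection. The first row holds the genuine digests of an empty file; the other digests and filenames are made up.

```python
import csv
import io
import sqlite3

# Constructed rows in the layout of the legacy NSRL RDS NSRLFile.txt. The first
# row carries the genuine SHA-1/MD5 of an empty file; the others are made-up
# digests. None of it is taken from a real RDS download.
NSRL_SAMPLE = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt","0","1","358",""
"0000000000000000000000000000000000000001","00000000000000000000000000000001","11111111","notepad.exe","193536","2","358",""
"0000000000000000000000000000000000000002","00000000000000000000000000000002","22222222","calc.exe","27648","2","358",""
'''

HEX = set("0123456789abcdef")


def hash_kind(value):
    """md5 / sha1 / sha256 by length, or None when the value is not a hex digest."""
    v = value.strip().lower()
    if not v or set(v) - HEX:
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def build_index(text):
    """grep-style approach (nsrl_folder + grep_path): one pass over the file, in memory."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index[row["SHA-1"].lower()] = row
        index[row["MD5"].lower()] = row
    return index


def build_sqlite(text):
    """Database approach (stands in for the SQLAlchemy conn): load once, index both hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nsrl (sha1 TEXT PRIMARY KEY, md5 TEXT, filename TEXT, filesize INTEGER)")
    db.execute("CREATE INDEX nsrl_md5 ON nsrl(md5)")
    db.execute("CREATE INDEX nsrl_filename ON nsrl(filename)")
    db.executemany(
        "INSERT INTO nsrl VALUES (?, ?, ?, ?)",
        [(r["SHA-1"].lower(), r["MD5"].lower(), r["FileName"], int(r["FileSize"]))
         for r in csv.DictReader(io.StringIO(text))])
    return db


def lookup_hash(db, value):
    kind = hash_kind(value)
    if kind is None:
        return {"known": False, "reason": "not a hex md5/sha1/sha256 digest"}
    if kind == "sha256":
        return {"known": False, "reason": "legacy NSRL RDS carries SHA-1 and MD5 only"}
    # the column name comes from our own mapping, never from input; the value is bound
    row = db.execute(f"SELECT filename, filesize FROM nsrl WHERE {kind} = ?",
                     (value.strip().lower(),)).fetchone()
    if row is None:
        return {"known": False, "reason": "no match"}
    return {"known": True, "filename": row[0], "filesize": row[1]}


def lookup_filename(db, name):
    """Filename observables: every known-good entry with that exact name."""
    rows = db.execute("SELECT sha1, md5, filesize FROM nsrl WHERE filename = ?", (name,)).fetchall()
    return [{"sha1": r[0], "md5": r[1], "filesize": r[2]} for r in rows]


DB = build_sqlite(NSRL_SAMPLE)

if __name__ == "__main__":
    print(lookup_hash(DB, "da39a3ee5e6b4b0d3255bfef95601890afd80709"))
    print(lookup_hash(DB, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
    print(lookup_filename(DB, "calc.exe"))
```

A filename match alone says nothing about the file in hand (any binary can be named calc.exe); only a hash match against the set makes it known-good, which is why the analyzer accepts both but the hash result is the one worth acting on.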
Author: Guillaume Rousse
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use Nessus Professional to scan hosts.
url | Define the URL to the Nessus service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

login | Define the login to Nessus
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

password | Define the password to the Nessus account
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

policy | Define the policy used to run scans
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

ca_bundle | Define the path to the Nessus CA
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False

allowed_network | Define networks allowed to be scanned
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | True
Is required | True
No template samples to display.
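allowed_network is the one parameter in the Nessus table that protects other people rather than the analyzer: an observable is attacker-influenced data, and without the check an analyst clicking "run" would launch an active vulnerability scan at whatever IP or name an attacker put in a phishing mail. The Python below is an added example of how such a guard should be written and is not the analyzer's own code. It resolves an fqdn to every address it has and fails closed: scanning is allowed only when at least one address was found and all of them fall inside an allowed network. The resolver is injectable, and the hostnames and address mappings are constructed, so the demo runs without DNS.

```python
import ipaddress
import socket


def resolve_fqdn(name):
    """Every address the name resolves to; the first A record alone is not enough,
    since a round-robin or dual-stack host may also have addresses outside scope."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except (socket.gaierror, OSError):
        return []


def addresses_for(target, resolver=resolve_fqdn):
    """A literal IP maps to itself; anything else is treated as an FQDN and resolved."""
    try:
        return [ipaddress.ip_address(target)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(target)]


def scan_allowed(target, allowed_networks, resolver=resolve_fqdn):
    """Fail closed: True only when the target yields at least one address and
    every address lies inside one of the allowed networks."""
    nets = []
    for n in allowed_networks:
        try:
            nets.append(ipaddress.ip_network(n, strict=False))
        except ValueError:
            continue  # a misconfigured entry must not widen the scope
    addrs = addresses_for(target, resolver)
    if not addrs or not nets:
        return False
    return all(any(a in n for n in nets) for a in addrs)


# Constructed resolver standing in for DNS, so the example runs offline.
FAKE_DNS = {
    "web.corp.example": ["10.0.0.7", "10.0.0.8"],
    "cdn-fronted.corp.example": ["10.0.0.9", "203.0.113.5"],
    "v6.corp.example": ["2001:db8:1::10"],
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


ALLOWED = ["10.0.0.0/24", "2001:db8:1::/48"]

if __name__ == "__main__":
    for t in ("10.0.0.5", "10.0.1.5", "web.corp.example", "cdn-fronted.corp.example",
              "v6.corp.example", "unknown.corp.example"):
        print(t, scan_allowed(t, ALLOWED, fake_resolver))
```

Resolution should happen once, and the scan should be launched against the addresses that passed the check rather than against the name, so that a DNS answer that changes between the check and the scan cannot redirect it.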
README

AlienVault OTX is the world's first and largest truly open threat intelligence community. OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate and share the latest threat data, trends and techniques, thereby helping one another strengthen cyber defences and raise awareness of emerging threats on a global level.

You need a valid AlienVault OTX API key to use the analyzer. Provide it via the key parameter.

Author: Eric Capuano
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+ - domain
+ - file
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://otx.alienvault.com/
Query AlienVault OTX for IPs, domains, URLs, or file hashes.
key | Define the API key to use to connect the service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
Author: Martin Jaan Leesment
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://developer.okta.com/docs/reference/api/users/
Okta User Lookup is an analyzer for TheHive to enrich mail observables from data through the Okta users API
OktaOrgUrl | Must contain your Okta organisation URL. Eg: https://
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

OktaToken | Must contain the Okta access token.
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io
Retrieve summary information Onyphe has for given ip, domain or fqdn.
key | Define the API key to use to connect the service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

verbose_taxonomies | Set true if you want detailed taxonomies for port, subnet, geoloc, domain
---|---
Default value if not configured | False
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True
Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io
Retrieve vulnerability data from ONYPHE vulnscan category for a given ip, domain, fqdn or hash (sha256 TLS fingerprint)
key | Define the API key to use to connect the service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

time_filter | Specify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)
---|---
Default value if not configured | -since:1M
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

only_vulnerable | Only return results where a CVE exists (-exists:cve)
---|---
Default value if not configured | True
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True

auto_import | Automatically import artifacts as observables (risks, cves, assets, ...)
---|---
Default value if not configured | False
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True
Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io
Retrieve summary information Onyphe has for given ip, domain, or fqdn.
key | Define the API key to use to connect the service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

verbose_taxonomies | Set true if you want detailed taxonomies for port, subnet, geoloc, domain
---|---
Default value if not configured | False
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True
Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io
Retrieve results from ONYPHE Search API for a given ip, domain or fqdn from specified category
key | Define the API key to use to connect the service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

time_filter | Specify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)
---|---
Default value if not configured | -since:1M
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False

fields_filter | [!!Advanced!!] Modify ONYPHE fields to return in raw data (see https://www.onyphe.io/docs/onyphe-query-language)
---|---
Default value if not configured | ip,port,protocol,tag,tls,cpe,cve,hostname,domain,alternativeip,forward,url,organization,transport,organization,device.class,device.product,device.productvendor,device.productversion,product,productvendor,productversion
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | False

auto_import | Automatically import artifacts as observables (risks, cves, assets, ...)
---|---
Default value if not configured | True
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True
Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io
Retrieve results from ONYPHE Search API for a given ip, domain, fqdn or hash (sha256 TLS fingerprint) from specified category
key | Define the API key to use to connect the service
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

category | Specify ONYPHE category to be used for search API (default datascan)
---|---
Default value if not configured | datascan
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

time_filter | Specify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)
---|---
Default value if not configured | -since:1M
Type of the configuration item | string
The configuration item can contain multiple values | False
Is required | True

auto_import | Automatically import artifacts as observables (risks, cves, assets, ...)
---|---
Default value if not configured | False
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True
README
OpenCTI is an open cyber threat intelligence platform which aims at providing a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations, based on STIX 2.

The analyzer comes in two flavors to search for an observable in the platform: one queries for a specific observable, the other for a list of observables matching a pattern.

The OpenCTI analyzer requires you to have access to one or several OpenCTI instances in version 4. You can also deploy your own instance.

Three parameters are configured for each instance to make the analyzer work (each parameter accepts multiple values, one per instance, in the same order):

- url: URL of the instance, e.g. "https://demo.opencti.io"
- key: API key for that instance
- name: display name of that instance (optional)

Certificate verification (cert_check) applies to all instances and should only be disabled for an instance whose certificate you cannot otherwise trust, since the API key travels in every request.

Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://www.opencti.io
Query multiple OpenCTI instances for a specific observable.
name | Name of OpenCTI servers
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | True
Is required | False

url | URL of OpenCTI servers
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | True
Is required | True

key | API key for each server
---|---
Default value if not configured | N/A
Type of the configuration item | string
The configuration item can contain multiple values | True
Is required | True

cert_check | Verify server certificate
---|---
Default value if not configured | True
Type of the configuration item | boolean
The configuration item can contain multiple values | False
Is required | True
No template samples to display.
Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://www.opencti.io
Query multiple OpenCTI instances for a list of observables matching a pattern.
+name | +Name of OpenCTI servers | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
url | +URL of OpenCTI servers | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
key | +API key for each server | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
cert_check | +Verify server certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
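Review bot: the OpenCTI README text in this hunk contradicts itself and stops short of documenting the parameters it promises. The flavor paragraph carries both "The analyzer comes in only one flavor to look for an observable in the platform." and "The analyzer comes in two flavors to search for an observable in the platform:" on the same line; since two flavor tables follow (one observable, and observables matching a pattern), keep only the second sentence and list both flavors after the colon. The next paragraph likewise carries both "one or several OpenCTI instances" and "instances in version 4"; keep the version-4 wording so readers know which OpenCTI generation is supported. "Three parameters are required for each instance to make the analyzer work:" is followed only by the `url` description, while the configuration tables define `url`, `key` and `cert_check` (plus the optional `name`); add one-line descriptions for `key` and `cert_check`, and say that `cert_check` defaults to True and should be left enabled so the API key is never sent to a server whose certificate was not verified. Finally, the supported types list contains both `mail_subject` and `mail-subject`; these look like two spellings of the same type, so keep the one TheHive actually emits and drop the other.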
+ + + + + + + + + + + + + + + + + + + + +README
+WildFire® is the industry's largest, most integrated cloud malware protection engine that utilizes patented machine learning models for real-time detection of previously unseen, targeted malware and advanced persistent threats, keeping your organization protected.
+When you submit observables to WildFire, they are analyzed in a sandboxed environment using multiple techniques: +* Dynamic analysis observes the files as they execute +* Machine learning extracts unique feathres form each file +* Static analysis provides instant identification of malware variants +* Uses a custom hypervisor to prevent malware evasion techniques
+This analyzer supports "file", "url", and "hash" observables to be submitted to WildFire and produces a nicely formatted report in TheHive with all the pertinent information.
+Product website: https://www.paloaltonetworks.com/network-security/wildfire
++ +
+ +Author: Ignacio Rodriguez Paez, Joe Lazaro
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - url
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.paloaltonetworks.com/network-security/wildfire
Run Palo Alto WildFire analysis on a file, hash, or URL
+api_host | +You can send requests to the WildFire global cloud (U.S., default option) or to the WildFire regional clouds that Palo Alto Networks owns and maintains. See the WildFire Public Cloud documentation for a list of valid servers. | +
---|---|
Default value if not configured | +wildfire.paloaltonetworks.com | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key for WildFire | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
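Review bot: typo in the WildFire README bullet "Machine learning extracts unique feathres form each file": it should read "features from each file". The last bullet, "Uses a custom hypervisor to prevent malware evasion techniques", is the only one without a subject; "A custom hypervisor prevents malware evasion techniques" would match the list. In the configuration table, "Define time interval between two requests attempts for the report" should be "between two request attempts", and the default of 60 has no unit in the description; state the unit (seconds, minutes) so operators do not mis-tune polling against the sandbox.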
Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - hash
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal SSL Certificate History Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Enrichment Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Unique Resolutions Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Brandon Dixon (9bplus)
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Host Pairs Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - hash
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal SSL Certificate Details Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Passive DNS Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Brandon Dixon (9bplus)
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Trackers Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Brandon Dixon (9bplus)
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Components Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal OSINT Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Whois Details Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PassiveTotal Malware Lookup.
+username | +Define the username of the account used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Get the current Patrowl report for a fdqn, a domain or an IP address.
+The analyzer comes in only one flavor called Patrowl_GetReport.
+You need a running Patrowl instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:
+url
: The PatrowlManager service URLapi_key
: A valid API Key of a Patrowl user+ +
+ +Author: Nicolas Mattiocco
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - fqdn
+ - domain
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://patrowl.io/home
Get the current Patrowl report for a fdqn, a domain or an IP address.
+url | +Define the PatrOwl url | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +Define the PatrOwl API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
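Review bot: "fdqn" is misspelled in both the Patrowl README ("Get the current Patrowl report for a fdqn, a domain or an IP address.") and the identical flavor description; the supported types list in this hunk gives the correct `fqdn`. The product name is also spelled three ways here (Patrowl, PatrowlManager, PatrOwl); pick one for the prose and the configuration descriptions. "Registration required: False" sits oddly beside "A valid API Key of a Patrowl user": an account on a Patrowl instance is needed, so a short sentence clarifying that the flag refers to registration with a third-party service rather than with a self-hosted instance would help.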
Author: Emmanuel Torquato
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PayloadSecurity Sandbox Url Analysis
+url | +Define the url of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
secret | +Define the secret used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
environmentId | +Define the environment Id used by the service | +
---|---|
Default value if not configured | +100 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
timeout | +Define the timeout of requests to the service | +
---|---|
Default value if not configured | +15 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verifyssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Emmanuel Torquato
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
PayloadSecurity Sandbox File Analysis
+url | +Define the url of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
secret | +Define the secret used to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
environmentId | +Define the environment Id used by the service | +
---|---|
Default value if not configured | +100 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
timeout | +Define the timeout of requests to the service | +
---|---|
Default value if not configured | +15 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verifyssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+PhishTank is a free community site where anyone can submit, verify, track and share phishing data.
+The analyzer comes in a single flavour that returns the availability of submitted url in PhishTank database.
+You need a valid PhishTank API subscription to use the analyzer.
+key
parameter.+ +
+ +Author: Eric Capuano
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://phishtank.com/
Use PhishTank to check if a URL is a verified phishing site.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
README
+Phishing-Initiative ables any Internet user to help fight against phishing attacks. When reporting us the address of a suspected phishing website, we’ll analyze it and have it blocked in the participating Web browsers.
+The analyzer comes in two flavours: lookup and scan. The first search in the database and can be used with basic API access while the second one requires higher profile role.
+You need a valid Phishing-Initiative API integration subscription to use the analyzer.
+key
parameter.+ +
+ +Author: Remi Pointel
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://phishing-initiative.fr/
Use Phishing Initiative to scan a URL.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
++ +
+ +Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://phishing-initiative.fr/
Use Phishing Initiative to check if a URL is a verified phishing site.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
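Review bot: grammar in the Phishing-Initiative README needs fixing: "Phishing-Initiative ables any Internet user" should be "enables", "When reporting us the address of a suspected phishing website" should be "When you report the address of a suspected phishing website to us", and "The first search in the database and can be used with basic API access while the second one requires higher profile role" should read "The first searches the database and works with basic API access, while the second requires a higher-privilege role." The flavor metadata already reflects this two-tier model (lookup has "Free subscription: True", scan has "Free subscription: False"), so only the prose is out of step. In the PhishTank README, "returns the availability of submitted url in PhishTank database" would be clearer as "reports whether the submitted URL is present in the PhishTank database".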
+ + + + + + + + + + + + + + + + + + + + +Author: Emmanuel Torquato
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - file
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check URL, file, SHA256 against ProofPoint forensics
+url | +URL of the Proofpoint API, the default should be okay. | +
---|---|
Default value if not configured | +https://tap-api-v2.proofpoint.com | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
apikey | +API key to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
secret | +Secret to the API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verifyssl | +Verify server's SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
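Review bot: the ProofPoint flavor description "Check URL, file, SHA256 against ProofPoint forensics" names only SHA256 while the supported types list declares the generic `hash` type; if the forensics API accepts only SHA256, say so explicitly so analysts do not submit MD5 or SHA1 observables that will return nothing. The vendor name is also written "ProofPoint" here and "Proofpoint" in the `url` description; use one spelling. The `url` description "the default should be okay" reads informally; "the default points at the production API and normally needs no change" states the same thing more precisely.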
+ + + + + + + + + + + + + + + + + + + + +Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - ip
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search Pulsedive.com for a giver domain name, hash, ip or url
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
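Review bot: typo in the Pulsedive description "Search Pulsedive.com for a giver domain name, hash, ip or url": "giver" should be "given". The metadata block reports "Registration required: N/A" and "Third party service: N/A" even though the `key` configuration item is marked required and the description names Pulsedive.com as the service; fill in these fields so the catalogue entry is consistent with its own configuration table.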
+ + + + + + + + + + + + + + + + + + + + +README
+QrDecode is a QR code analyzer used to extracts and categorizes data from QR codes embedded in various file formats. It supports images in JPEG, PNG, GIF formats, and PDF documents.
+The following dependencies are required for QrDecode:
+sudo apt-get install libzbar0
+sudo apt-get install poppler-utils
+
cortexutils
+pyzbar
+pdf2image
+pillow
+
To install the Python libraries, run:
+pip install -r requirements.txt
+
Once installed and configured, QrDecode analyzes files containing QR codes. The analyzer extracts data from QR codes, categorizes it, and returns the results in a structured format. For PDF files, the analyzer automatically converts each page to an image format for comprehensive analysis. It also efficiently processes multiple QR codes within a single image or PDF.
+To run the analyzer, submit a file through The Hive or Cortex interface, selecting QrDecode as the analyzer. The analyzer will process the file and return results including:
+When the analyze is finished, the report can display: +* A Summary: with qualitative information about the detection
+ +Moreover, these domains, IP addresses, URLs, bitcoin addresses, email addresses are added to the extracted Observables, ready to be imported and actioned in TheHive.
+ +The analyzer includes a set of predefined errors to handle cases such as unsupported file formats, failed PDF conversion, and QR code reading issues. These errors are reported back in the analysis results.
+QrDecode is licensed under the AGPL-V3 license.
+1.0
+Author: THA-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Extracts data from one or more QR codes.
+No specific configuration required.
+No template samples to display.
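Review bot: the QrDecode README has grammar slips and an apparently truncated results list. "used to extracts and categorizes data" should be "used to extract and categorize data", and "When the analyze is finished" should be "When the analysis is finished". The sentence "The analyzer will process the file and return results including:" is followed only by the bullet "A Summary: with qualitative information about the detection", yet the next paragraph refers to "these domains, IP addresses, URLs, bitcoin addresses, email addresses", so the bullet that enumerates the extracted values seems to have been lost; restore it. The bare line "1.0" after the license sentence needs its "Version" label. Since the analyzer hands untrusted images and PDFs to libzbar, poppler and pillow, the paragraph saying "The analyzer includes a set of predefined errors" would be more useful if it listed those error cases (unsupported format, failed PDF conversion, unreadable QR code) by the names that appear in the report, so analysts can tell a malformed sample from an analyzer failure.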
+ + + + + + + + + + + + + + + + + + + + +README
+This analyzer will return Recorded Future Intelligence for the following datatypes: +* ip +* domain +* fqdn +* hash +* url
+Enriched observables can display: +* Risk Summary: Risk Score, Criticality, and link to the Intelligence Card +* Recorded Future AI Insights
+ ++ +
+ +Author: Recorded Future
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://www.recordedfuture.com/
Enrich IP, Domain, FQDN, URL, or Hash with Recorded Future context: Risk Score, Risk Details, AI Insights, Links, Threat Actor, Attack Vector, Malware Category / Family, and Related Entities (IPs, Domains, and Hashes)
+key | +API Token | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ Whois lookup for an indicator.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: Illuminate / PassiveTotal projects that contain an artifact which matches an IOC.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ Illuminate and PassiveTotal datasets with records for an indicator.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: Illuminate / PassiveTotal project artifacts that match an indicator.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: cookies observed during crawls on a hostname.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: web components observed during crawls on a hostname.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: hosts with a child web component relationship to an IOC.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ Illuminate Reputation Score for an indicator.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: PDNS resolutions for an IOC.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: hosts with a parent web component relationship to an IOC.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - fqdn
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: subdomains observed historically in pDNS records.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: services observed on an IP address.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: malware hashes from various sources associated with an IOC.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: OSINT articles that reference an indicator.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: trackers observed during a crawl on a host.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
RiskIQ: SSL/TLS certificates associated with an indicator.
+username | +API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key of the RiskIQ Illuminate or PassiveTotal account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
days_back | +Number of days back to search for date-bounded historical queries | +
---|---|
Default value if not configured | +180 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check IPs using the Robtex reverse passive DNS API.
+No specific configuration required.
+No template samples to display.
+Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check domains and FQDNs using the Robtex passive DNS API.
+No specific configuration required.
+No template samples to display.
+Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check IPs using the Robtex IP API.
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Get more context around domain names, IP adresses, urls and file hashes using the + SEKOIA.IO Intelligence Database.
+The analyzer comes in 3 flavors:
+You need an active SEKOIA.IO Intelligence Center subscription to use the analyzer:
+api_key
parameter.To get any help don't hesitate to contact support@sekoia.io.
++ +
+ +Author: SEKOIA
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://sekoia.io/
Query the Intelligence Center to retrieve indicators
+api_key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
url | +Base URL (default to https://app.sekoia.io) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: SEKOIA
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://sekoia.io/
Query the Intelligence Center to retrieve the context of an observable
+api_key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
url | +Base URL (default to https://app.sekoia.io) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: SEKOIA
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://sekoia.io/
Query the Intelligence Center to retrieve known observables
+api_key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
url | +Base URL (default to https://app.sekoia.io) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: Manabu Niseki, @ninoseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
SecurityTrails Whois Lookup.
+api_key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Manabu Niseki, @ninoseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
SecurityTrails Passive DNS Lookup.
+api_key | +Define the API key to use to connect the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Joe Vasquez
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query Sentinel One Deep Visibility API v2.1 for hosts that have requested DNS lookups for a domain/URL/FQDN.
+s1_console_url | +Console URL | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
s1_api_key | +API Key, don't forget this will expire! | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
s1_account_id | +Account ID | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
hours_ago | +Number of hours ago for the fromDate of the query. ToDate will be now. Default is 12. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve Shodan history scan results for an IP address.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve domain resolutions on Shodan.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Sebastien Larinier @Sebdraven
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search query on Shodan
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve ip reverse DNS resolutions on Shodan.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: Sebastien Larinier @Sebdraven
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve key Shodan information on an IP address.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Retrieve key Shodan information on a domain.
+key | +Define the API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Mark Kikta, RedLegg Cybersecurity Solutions
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check if ip is sinkholed via the new sinkdb.abuse.ch HTTPS API. Original analyzer can be found at https://github.com/BSI-CERT-Bund/sinkdb-analyzer
+key | +Define the HTTPS API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Michael Stensrud, Nordic Financial CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query against Soltra Edge.
+token | +Define the Token Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +Define the Username | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
base_url | +Base API URL for Soltra Edge Server. (Example: https://test.soltra.com/api/stix) | +
---|---|
Default value if not configured | +https://feed.yourdomain./api/stix | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
verify_ssl | +Verify server certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: SOL
+License: AGPL-V3
+Version: 0.1
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use SophosLabs machine learning to understand the characteristics of your suspicious file allowing you to see if the file is similar to known malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx
+clientID | +Client ID for Sophos Labs Intelix | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
clientSecret | +Client Secret for Sophos Labs Intelix | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: SOL
+License: AGPL-V3
+Version: 0.1
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Detonate your suspicious file in SophosLabs Sandbox and find what behaviours the file has. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx
+clientID | +Client ID for Sophos Labs Intelix | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
clientSecret | +Client Secret for Sophos Labs Intelix | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+Author: SOL
+License: AGPL-V3
+Version: 0.3
+Supported observables types:
+ - hash
+ - domain
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Fast and easy way to find out if the file is known Good, PUA (Potentially Unwanted Application), or, Malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx
+clientID | +Client ID for Sophos Labs Intelix | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
clientSecret | +Client Secret for Sophos Labs Intelix | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + ++ +
+ +Author: Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://spamassassin.apache.org/
Get spam score from local SpamAssassin instance
+url | +SpamAssassin url | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +SpamAssassin port | +
---|---|
Default value if not configured | +783 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
spam_score | +Minimum score to consider mail as spam | +
---|---|
Default value if not configured | +5 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
timeout | +Timout for socket operations in seconds | +
---|---|
Default value if not configured | +20 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Perform domain lookup to Spamhaus DBL
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter
+This analyzer comes in 10 flavors:
+You need to have access to a Splunk instance with a dedicated account. For any saved search you want to use, you have to group them in the same Application and with the same owner. +When you configure an analyzer, it will ask you these information:
+All arguments can be retrieve using "$args.DATATYPE$". As an example is better than a long speech, here it is:
+Imagine that you have a search with this query:
+index=myindex_internet sourcetype=mysourcetype url=$args.url$*
+| stats count by user, url, src_ip
+
This query will recover the data using $args.url$.
+So, you can recover your data using :
+They are 5 taxonomies available on this analyzer:
+As mentionned above, your saved searches can return a field named "level" which will be interpreted by Cortex/TheHive as a taxonomy and will create reports accordingly to the value (info,safe,suspicious or malicious)
++ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - mail
+ - email
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a mail/email as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - user-agent
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a user agent as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with an IP as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a hash as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a user ID as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - registry
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a registry data as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with an unidentified data as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - url
+ - uri_path
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with an URL or a URI path as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a domain or a FQDN as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+ - filename
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a file/filename as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - mail_subject
+ - mail-subject
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A
Execute a savedsearch on a Splunk instance with a mail subject as argument
+host | +Splunk API host or IP | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port | +Splunk API port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
port_gui | +Splunk GUI port | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +User account used for searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
password | +User password of the previous mentionned account | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
application | +Spunk application in which the saved searches are stored | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
owner | +Username that corresponds to the owner of the saved searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
saved_searches | +Name of the saved searches to use | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
earliest_time | +If not empty, this will set the earliest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
latest_time | +If not empty, this will set the latest time of the searches | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
max_count | +Maximum number of results to return for a search | +
---|---|
Default value if not configured | +1000 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: Stamus Networks
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get information from your Scirius Security Platform for an IP address.
+url | +Base URL of Scirius Security Platform | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +API key for Scirius Security Platform | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
ssl_verify | +Verify TLS certificate when connection to Scirius Security Platform | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
tenant | +Tenant value for organization in Scirius Security Platform | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Robert Nixon
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+ - url
+ - hash
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Fetch observable details from an Anomali STAXX instance.
+auth_url | +Define the URL of the auth endpoint | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
query_url | +Define the URL of the intelligence endpoint | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
username | +STAXX User Name | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
password | +STAXX Password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_check | +Verify server certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cert_path | +Path to the CA on the system used to check the server certificate | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Marc-Andre Doll, STARC by EXAPROBE
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.
+suspicious_confidence_level | +Confidence threshold above which the artifact should be marked as suspicious | +
---|---|
Default value if not configured | +0.0 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
malicious_confidence_level | +Confidence threshold above which the artifact should be marked as malicious | +
---|---|
Default value if not configured | +90.0 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Gabriel Antonio da Silva
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Get the Talos IP reputation
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Submit hash to Team Cymru's Malware Hash Registry
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Cisco Security
+License: MIT
+Version: 1.0
+Supported observables types:
+ - file
+ - url
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Threat Grid Sandbox
+tg_host | +Threat Grid Host | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +Threat Grid API Key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
WHOIS queries from threatminer.org
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Cisco Security
+License: MIT
+Version: 1.0
+Supported observables types:
+ - domain
+ - filename
+ - fqdn
+ - hash
+ - ip
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Threat Response
+region | +Threat Response Region (us, eu, or apjc). Will default to 'us' region if left blank | +
---|---|
Default value if not configured | +__ | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
client_id | +Threat Response Client ID | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
client_password | +Threat Response API Client Password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
extract_amp_targets | +Would you like to extract AMP connector GUIDs as artifacts? | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Rémi Allain, Cyberprotect
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+ - ip
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Look up domains, mail and IP addresses on ThreatCrowd.
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+The Thunderstorm analyzer submits a file sample to a local or public THOR Thunderstorm service and processes the scan result
+THOR Thunderstorm is a web service version of the well-known scanner THOR. THOR focuses on APTs, hacking activity, traces of hacking activity and file anomalies like obfuscation techniques, suspicious PE packers or PE header anomalies.
+The reports contain useful meta data and a list of matching rules. Each rule links to a related public report or states that the rules was based on internal research.
+The reports include a total score and sub scores defined in the matching YARA rules.
+The score and level indicate the criticality of the finding.
+THOR Thunderstorm is a high-speed, multi-threaded, caching scan service that is licensed and installed on-premise on the Linux system of your choice. Nextron systems offers access to test systems with the FQDN thunderstorm.nextron-systems.com on request.
++ +
+ +Author: Florian Roth
+License: AGPL-V3
+Version: 0.3.1
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.nextron-systems.com/thor-thunderstorm/
Submits sample to an on-premise THOR Thunderstorm web service and processes the scan result
+thunderstorm_server | +Thunderstorm Server | +
---|---|
Default value if not configured | +thunderstorm.nextron-systems.com | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
thunderstorm_port | +Thunderstorm Port | +
---|---|
Default value if not configured | +8080 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
thunderstorm_source | +Source System | +
---|---|
Default value if not configured | +cortex-analyzer | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
thunderstorm_ssl | +Use an SSL encrypted HTTP connection | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
thunderstorm_ssl_verify | +Verify the SSL certificate of the remote service | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: Marc-André DOLL, STARC by EXAPROBE
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://torstatus.rueckgr.at
Query https://torstatus.rueckgr.at/query_export.php/Tor_query_EXPORT.csv (formerly TorBlutmagie) for TOR exit nodes IP addresses or names.
+cache.duration | +Define the cache duration | +
---|---|
Default value if not configured | +3600 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cache.root | +Define the path to the stored data | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Marc-André DOLL, STARC by EXAPROBE
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query https://check.torproject.org/exit-addresses for TOR exit nodes IP addresses.
+ttl | +Define the TTL | +
---|---|
Default value if not configured | +86400 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cache.duration | +Define the cache duration | +
---|---|
Default value if not configured | +3600 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
cache.root | +Define the path to the stored data | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+Triage Sandbox is a commercial malware sandbox that let's you run malware in a safe way.
+You can read more about the underlying solutions at: https://hatching.io/
+This analyzer requires you to have a commercial license for the Recorded Future sandbox and Private sandbox.
++ +
+ +Author: Mikael Keri
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - url
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://tria.ge
Submit artifacts to the Recorded Future Triage sandbox service. This analyzer requires a paid subscription for the Private and Recorded Future sandboxes.
+api_key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_url | +Sandbox API URL: public sandbox (https://tria.ge/api), private sandbox (https://private.tria.ge/api), or Recorded Future sandbox (https://sandbox.recordedfuture.com/api) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
timeout | +Sandbox run timeout in seconds (default: 200) | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
zip_pw | +Zip archive password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
Author: ninoseki, Nils Kuhnert
+License: MIT
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search domains, IPs, URLs or hashes on URLhaus.
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Kyle Parrish
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Query the Umbrella Reporting API for recent DNS queries and their status.
+api_key | +Api Key provided by Umbrella Admin Console. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_secret | +Api Secret provided by Umbrella Admin Console. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
organization_id | +Organization ID provided by Umbrella Admin Console. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
query_limit | +Maximum number of results to return. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Remi Pointel, CERT-BDF
+License: AGPL-V3
+Version: 1.2
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use UnshortenLink to reveal the real URL.
+No specific configuration required.
+No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: ninoseki, Kyle Parrish (@arnydo)
+License: MIT
+Version: 0.1.1
+Supported observables types:
+ - ip
+ - domain
+ - hash
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Search IPs, domains, hashes or URLs on urlscan.io
+No specific configuration required.
+No template samples to display.
+Author: ninoseki, Kyle Parrish (@arnydo)
+License: MIT
+Version: 0.1.0
+Supported observables types:
+ - url
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Scan URLs on urlscan.io
+key | +API key for Urlscan.io | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 4.1
+Supported observables types:
+ - hash
+ - file
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
VMRay Sandbox file and URL analysis.
+url | +Define the URL of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
certverify | +Verify certificates | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
certpath | +Path to certificate file, in case of self-signed etc. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
verdict_only | +If set to true, only the verdict (or the score for VMRay versions < 4.0) will be added as labels. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
query_retry_wait | +The amount of seconds to wait before trying to fetch the results. | +
---|---|
Default value if not configured | +10 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
recursive_sample_limit | +The maximum amount of recursive samples which will be analyzed. 0 disables recursion. | +
---|---|
Default value if not configured | +10 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
reanalyze | +If set to true, known samples will be re-analyzed on submission. This is enabled by default. | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
shareable | +If set to true, the hash of the sample will be shared with VirusTotal if the TLP level is white or green. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
archive_password | +The password that will be used to extract archives. | +
---|---|
Default value if not configured | +malware | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
archive_compound_sample | +If set to true, files inside archives are treated as a single, compound sample. Otherwise, each file is treated as its own sample. | +
---|---|
Default value if not configured | +False | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
max_jobs | +Limits the amount of jobs that can be created by jobrules for a submission. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
enable_reputation | +If set to true, reputation lookups will be performed for submitted samples and analysis artifacts (file hash and URL lookups) by the VMRay cloud reputation service and additional third party services. The user analyzer setting is used as default value for this parameter. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
enable_whois | +If set to true, domains seen during analyses are queried with external WHOIS service. The user analyzer setting is used as default value for this parameter. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
analyzer_mode | +Specifies which types of analyzers will be used for analyzing this sample. Supported strings are 'reputation', 'reputation_static', 'reputation_static_dynamic', 'static_dynamic', and 'static'. The user analyzer setting is used as default value for this parameter. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
known_malicious | +If set to true, triage will be used to pre-filter known malicious samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
known_benign | +If set to true, triage will be used to pre-filter known benign samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
tags | +Tags to attach to the sample. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
timeout | +Analysis timeout in seconds. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
net_scheme_name | +Name of the network schema. | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+The Valhalla analyzer queries the Valhalla YARA rule databased and retrieves the matching YARA rules.
+The result contains all matching YARA rules including
+The result does not contain matches with YARA rules
+The database contains YARA rule matches on samples submitted to Virustotal and Nextron's internal sample matching, which accounts for less than 1% of the matches within that database. The database does not contain information on samples that have not been transmitted to Virustotal.
+The matches in the long report link to rule info pages that contain more information, like other matching samples, a report or public source in which the sample from which that rule was derived has been mentioned.
+They also include the Antivirus detection rate at the moment of the first submission to Virustotal, which gives a good indication of the overall coverage.
++ +
+ +Author: Florian Roth
+License: AGPL-V3
+Version: 0.3.1
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://valhalla.nextron-systems.com
Gets matching YARA rules for a given sample SHA256 hash
+key | +API key for Valhalla | +
---|---|
Default value if not configured | +1111111111111111111111111111111111111111111111111111111111111111 | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Analyze e-mail address via Verifalia
+login | +Username for Verifalia | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
password | +Password for Verifalia | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+This analyzer let you run Virustotal services on several datatypes:
+The program uses VirusTotal API v3.
+Major improvements have been added with VirusTotal_GetReport flavor. Now, with the classical scan results, the report can display:
+Moreover, these domains, IP addresses, URLs as well as detection YARA and IDS rules reported are added to the extracted Observables, ready +to be imported and actioned in TheHive.
+ ++ +
+ +Author: CERT-BDF, StrangeBee
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - file
+ - hash
+ - domain
+ - fqdn
+ - ip
+ - url
+Registration required: True
+Subscription required: False
+Free subscription: N/A
+Third party service: https://www.virustotal.com/
Get the latest VirusTotal report for a file, hash, domain or an IP address.
+key | +API key for Virustotal | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
rescan_hash_older_than_days | +Rescan hash observable if report is older than selected days | +
---|---|
Default value if not configured | +30 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
highlighted_antivirus | +Add taxonomy if selected AV don't recognize observable | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
download_sample | +Download automatically sample as observable when looking for hash | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
download_sample_if_highlighted | +Download automatically sample as observable if highlighted antivirus didn't recognize | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
+ +
+ +Author: LDO-CERT
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://www.virustotal.com/
Use VirusTotal to download the original file for an hash.
+key | +API private key for Virustotal | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
++ +
+ +Author: CERT-LDO
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://www.virustotal.com/
Use VirusTotal to run new analysis on hash.
+key | +API key for Virustotal | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
highlighted_antivirus | +Add taxonomy if selected AV don't recognize observable | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
download_sample | +Download automatically sample as observable when looking for hash | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
download_sample_if_highlighted | +Download automatically sample as observable if highlighted antivirus didn't recognize | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
No template samples to display.
++ +
+ +Author: CERT-BDF, StrangeBee
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - file
+ - url
+Registration required: True
+Subscription required: False
+Free subscription: N/A
+Third party service: https://www.virustotal.com/
Use VirusTotal to scan a file or URL.
+key | +API key for Virustotal | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
polling_interval | +Define time interval between two requests attempts for the report | +
---|---|
Default value if not configured | +60 | +
Type of the configuration item | +number | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
highlighted_antivirus | +Add taxonomy if selected AV don't recognize observable | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +False | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+VirusShare is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code.
+The analyzer enables local searching for md5 hashes in Virusshare.com hash list.
+getHashes.sh
script is provided path
of downloaded hashlists folder.+ +
+ +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - hash
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://virusshare.com/
Search for MD5 hashes in Virusshare.com hash list
+path | +Define the path to the stored data | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
README
+This analyzer consists of 2 parts. +1. Vulners_IOC: As a result of collaboration between Vulners and RST Threat Feed, the idea was to send IOC analysis results through theHive analyzer: blog post +2. Vulners_CVE: Vulners have a strong vulnerability database. This data is useful if: +"if the case (incident) is related to the exploitation of a vulnerability, then the analyst (manually / automatically) can add it to observables and quickly get all the basic information on it in order to continue analyzing the case."
+Vulners API key required.
+Get your Vulners api key:
+Add your Vulners API in Cortex settings:
+By default theHive does not have a "cve" type to be observables, so we have to add it to Administrator Settings:
+
+Short template:
+ +Long template:
+ + +Short template:
+ +Long template:
+ ++ +
+ +Author: Dmitry Uchakin, Vulners team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - cve
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://vulners.com
Get information about CVE from powerful Vulners database.
+key | +API key for Vulners | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
+ +
+ +Author: Dmitry Uchakin, Vulners team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://vulners.com
Get information from the RST Threat Feed, which integrated with Vulners, for a domain, url or an IP address.
+key | +API key for Vulners | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Use Web of Trust to check a domain's reputation.
+user | +Define the API user | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
key | +Define the API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Check files against YARA rules.
+rules | +Define the path rules folder | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +Author: CERT-BDF
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+ - url
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A
Fetch observable details from a YETI instance.
+url | +Define the URL of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +Define the api key of the service | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +False | +
verify_ssl | +Verify SSL certificate | +
---|---|
Default value if not configured | +True | +
Type of the configuration item | +boolean | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
No template samples to display.
+ + + + + + + + + + + + + + + + + + + + +README
+You will need to have an active Zscaler ZIA subscription to be able to utilize this analyzer.
+Full credit should go to Simon Lavigne for creating this analyzer in the first place.
++ +
+ +Author: Simon Lavigne, Mikael Keri
+License: AGPL-V3
+Version: 1.3
+Supported observables types:
+ - ip
+ - domain
+ - url
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.zscaler.com/
Check Zscaler category for a domain, fqdn, IP address or FQDN. This analyzer requires a paid subscription to Zscaler ZIA
+username | +Zscaler username | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
password | +Zscaler password | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
api_key | +API key | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
base_uri | +The base URL of your Zscaler subscription | +
---|---|
Default value if not configured | +N/A | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +False | +
Is required | +True | +
malicious_categories | +List of Zscaler categories to be considered as malicious | +
---|---|
Default value if not configured | +['PHISHING', 'MALWARE_SITE', 'BOTNET', 'SPYWARE_OR_ADWARE', 'ADSPYWARE_SITES', 'ADWARE_OR_SPYWARE', 'CRYPTOMINING', 'WEB_SPAM', 'MALICIOUS_TLD'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
suspicious_categories | +List of Zscaler categories to be considered as suspicious | +
---|---|
Default value if not configured | +['SHAREWARE_DOWNLOAD', 'REMOTE_ACCESS', 'MISCELLANEOUS_OR_UNKNOWN', 'NEWLY_REG_DOMAINS', 'OTHER_ILLEGAL_OR_QUESTIONABLE', 'COPYRIGHT_INFRINGEMENT', 'GAMBLING', 'COMPUTER_HACKING', 'ANONYMIZER', 'MISCELLANEOUS_OR_UNKNOWN', 'DNS_OVER_HTTPS', 'ENCR_WEB_CONTENT'] | +
Type of the configuration item | +string | +
The configuration item can contain multiple values | +True | +
Is required | +True | +
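Review bot: the `suspicious_categories` default for the Zscaler analyzer lists `'MISCELLANEOUS_OR_UNKNOWN'` twice (once after `'REMOTE_ACCESS'` and again after `'ANONYMIZER'`); drop the second occurrence so the documented default is a de-duplicated list and operators do not copy the duplicate into their own configuration. In the same section, the description "Check Zscaler category for a domain, fqdn, IP address or FQDN" names FQDN twice and omits url, which the supported observable types list above it does include; suggest "Check Zscaler category for a domain, FQDN, IP address or URL". Two smaller points in the preceding sections: the Vulners description "Get information from the RST Threat Feed, which integrated with Vulners" should read "which is integrated with Vulners"; and the Web of Trust entry marks registration required, subscription required, free subscription and third party service as N/A although its two configuration items are a required API user and a required API key, so those metadata fields look unfilled rather than genuinely not applicable and should be completed.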