From 9a086d751c979fea4413e9e4390cb34c5ef668e5 Mon Sep 17 00:00:00 2001
From: Christopher Racky
Date: Fri, 2 Nov 2018 08:45:20 +0100
Subject: [PATCH] Added HIBP Analyzer with templates
---
analyzers/HIBP_Query/HIBP_Query.json | 15 ++++
analyzers/HIBP_Query/hibpquery_analyzer.py | 95 +++++++++++++++++++++
analyzers/HIBP_Query/input | 8 ++
thehive-templates/HIBP_Query_1_0/long.html | 53 ++++++++++++
thehive-templates/HIBP_Query_1_0/short.html | 3 +
5 files changed, 174 insertions(+)
create mode 100644 analyzers/HIBP_Query/HIBP_Query.json
create mode 100755 analyzers/HIBP_Query/hibpquery_analyzer.py
create mode 100644 analyzers/HIBP_Query/input
create mode 100644 thehive-templates/HIBP_Query_1_0/long.html
create mode 100644 thehive-templates/HIBP_Query_1_0/short.html
diff --git a/analyzers/HIBP_Query/HIBP_Query.json b/analyzers/HIBP_Query/HIBP_Query.json
new file mode 100644
index 000000000..6e95c594b
--- /dev/null
+++ b/analyzers/HIBP_Query/HIBP_Query.json
@@ -0,0 +1,15 @@
+{
+ "name": "HIBP_Query",
+ "version": "1.0",
+ "author": "Matt Erasmus",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Query haveibeenpwned.com for a compromised email address",
+ "dataTypeList": ["mail"],
+ "baseConfig": "HIBP_Query",
+ "config": {
+ "service": "query",
+ "url": "https://haveibeenpwned.com/api/v2/breachedaccount/"
+ },
+ "command": "HIBP_Query/hibpquery_analyzer.py"
+}
diff --git a/analyzers/HIBP_Query/hibpquery_analyzer.py b/analyzers/HIBP_Query/hibpquery_analyzer.py
new file mode 100755
index 000000000..272b52e9b
--- /dev/null
+++ b/analyzers/HIBP_Query/hibpquery_analyzer.py
@@ -0,0 +1,95 @@ +#!/usr/bin/env python +# encoding: utf-8 +import json +import requests +import ast + +from cortexutils.analyzer import Analyzer + + +class HIBPQueryAnalyzer(Analyzer): + + def __init__(self): + Analyzer.__init__(self) + self.service = self.getParam( + 'config.service', None, 'Service parameter is missing') + self.api_url = self.getParam('config.url', None, 'Missing API URL') + + @staticmethod + def cleanup(return_data): + + response = dict() + matches = [] + found = False + count = 0 + + for entry in return_data: + found = True + x = ast.literal_eval(str(entry)) + matches.append(x) + response['CompromisedAccounts'] = matches + + return response + + def hibp_query(self, data): + results = dict() + + try: + hibpurl = self.api_url + data + headers = { + 'User-Agent': 'curl/7.38.0' + } + + _query = requests.get(hibpurl, headers=headers) + if _query.status_code == 200: + if _query.text == "[]": + return dict() + else: + return self.cleanup(_query.json()) + elif _query.status_code == 404: + return dict() + else: + self.error('API Access error: %s' % _query.text) + + except Exception as e: + self.error('API Request error: %s' % str(e)) + + return results + + def summary(self, raw): + taxonomies = [] + level = "info" + namespace = "HIBP" + predicate = "Compromised" + if len(raw) == 0: + level = "safe" + namespace = "HIBP" + predicate = "Compromised" + value = "False" + elif len(raw) > 0: + level = "malicious" + namespace = "HIBP" + predicate = "Compromised" + value = "True" + + taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) + + return {"taxonomies": taxonomies} + + def run(self): + + if self.service == 'query': + if self.data_type == 'mail': + data = self.getParam('data', None, 'Data is missing') + + rep = self.hibp_query(data) + self.report(rep) + + else: + self.error('Invalid data type') + else: + self.error('Invalid service') + + +if __name__ == '__main__': + HIBPQueryAnalyzer().run() 
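Review bot: `hibpurl = self.api_url + data` in `hibp_query` splices the observable straight into the request path, so an address containing `/`, `?`, `#` or `%` changes which path or query string is actually sent; percent-encode it first, e.g. `hibpurl = self.api_url + requests.utils.quote(data, safe='')`. The `requests.get` call a few lines below has no `timeout=`, so a stalled connection blocks the Cortex job indefinitely; `_query = requests.get(hibpurl, headers=headers, timeout=30)` bounds it. In `cleanup`, `ast.literal_eval(str(entry))` re-parses objects that `_query.json()` has already decoded, which is a no-op at best and raises if a value's `str()` form is not a Python literal; `matches = list(return_data)` is equivalent and lets the unused `found` and `count` locals go. In `summary`, `elif len(raw) > 0:` can only ever be the complement of the first branch, so a plain `else:` says the same thing without leaving a reader to wonder whether `value` can end up unbound.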
diff --git a/analyzers/HIBP_Query/input b/analyzers/HIBP_Query/input
new file mode 100644
index 000000000..765047801
--- /dev/null
+++ b/analyzers/HIBP_Query/input
@@ -0,0 +1,8 @@
+{
+ "dataType":"mail",
+ "data": "matt.erasmus@gmail.com",
+ "config":{
+ "service": "query",
+ "url": "https://haveibeenpwned.com/api/v2/breachedaccount/"
+ }
+}
diff --git a/thehive-templates/HIBP_Query_1_0/long.html b/thehive-templates/HIBP_Query_1_0/long.html
new file mode 100644
index 000000000..48bce1d23
--- /dev/null
+++ b/thehive-templates/HIBP_Query_1_0/long.html
@@ -0,0 +1,53 @@
+
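Review bot: The sample `input` file's `"data"` value looks like a real personal address, so every local test run of this analyzer submits that person's address to haveibeenpwned.com. A reserved address such as `"data": "test@example.com"` exercises the same code path without querying a third party about a real individual. The `url` value is also duplicated from HIBP_Query.json, so the two copies have to be kept in step if the endpoint ever changes.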
+
+ HIBP Data of {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ +

+ Account was not Compromised. +

+ +

+ Compromised Accounts: +

+ + + + + + + + + + + + + + + + + + + + + + + + + +
PwnCNTDomainIsSensitiveNameTitleDataClassesAddedDateIsVerifiedDescription
{{r.PwnCount}}{{r.Domain}}{{r.IsSensitive}}{{r.Name}}{{r.Title}}

{{x}}

{{r.AddedDate}}{{r.IsVerified}}{{r.Description}}
+
+ + +
+ +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
+
diff --git a/thehive-templates/HIBP_Query_1_0/short.html b/thehive-templates/HIBP_Query_1_0/short.html
new file mode 100644
index 000000000..3baac6a5a
--- /dev/null
+++ b/thehive-templates/HIBP_Query_1_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
\ No newline at end of file
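Review bot: `{{r.Description}}` in the breach table of long.html interpolates the HIBP `Description` field, which as far as I recall the service returns as an HTML fragment; with `{{ }}` Angular escapes it, so the column will show the raw tags as literal text. That escaping is the right default for content fetched from a remote service and rendered in the analyst's browser, so it is worth a template comment such as `<!-- Description is HTML from HIBP; keep it as escaped interpolation, or pass it through $sanitize before any ng-bind-html -->` so a later readability fix does not bypass it. The element tags of this template are not visible in this copy of the hunk, so I can only go by the interpolation expressions.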