Analyzers and Responders are autonomous applications managed by and run through the Cortex core engine. Analyzers allow analysts and security researchers to analyze observables and IOCs such as domain names, IP addresses, hashes, files and URLs at scale. While many analyzers are free to use, some require special access while others necessitate a valid service subscription or product license, even though the analyzers themselves are released under the AGPL (Affero General Public License).
Responders are programs that perform different actions and apply to alerts, cases, tasks, task logs, and observables.
This document outlines the information needed to:
- install the Cortex analyzers and responders.
- update them when needed.
- configure them.
This document also specifies whether the service that the analyzer is based on is free or requires special access or a valid subscription or product license.
- Introduction
- Free Analyzers
  - Abuse_Finder
  - AbuseIPDB
  - Backscatter.io
  - C1fApp
  - Censys.io
  - Clamav
  - Crtsh
  - CuckooSandbox
  - Cybercrime-Tracker
  - Cyberprotect
  - Cymon
  - DNSSinkhole
  - DShield
  - EmailRep
  - EmlParser
  - FileInfo
  - FireHOLBlocklists
  - Fortiguard
  - GoogleDNS
  - GoogleSafeBrowsing
  - Hashdd
  - HIBP
  - Hippocampe
  - HybridAnalysis
  - Hunterio_DomainSearch
  - Maltiverse
  - MalwareClustering
  - MaxMind
  - MISP
  - MISP Warninglists
  - Msg_Parser
  - NSLR
  - Onyphe
  - OpenCTI
  - OTXQuery
  - Patrowl
  - PhishTank
  - PhishingInitiative
  - Pulsedive
  - Robtex
  - SpamhausDBL
  - StaxxSearch
  - StopForumSpam
  - Talos Reputation
  - Team Cymru MHR
  - ThreatCrowd
  - Tor Blutmagie
  - Tor Project
  - Unshortenlink
  - UrlScan.io
  - URLhaus
  - Virusshare
  - WOT
  - Yara
  - Yeti
- Analyzers Requiring Special Access
- Subscription and License-based Analyzers
- Free Responders
- Subscription and License-based Responders
All analyzer and responder configuration settings must be made using the Cortex Web UI. Please refer to the Administration Guide for further details.
By default, and within every freshly created organization, all analyzers and responders are disabled. If you want to enable and configure them, use the Web UI (Organization > Configurations and Organization > Analyzers tabs).
Use CERT-SG's Abuse Finder to find abuse contacts associated with domain names, URLs, IPs and email addresses.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Get AbuseIPDB information related to an IP address.
This analyzer comes in only one flavor.
This analyzer requires you to have an account on AbuseIPDB and an API key.
To configure the analyzer you need to supply the key as a value of the key parameter.
Brings observations and enrichment data from Backscatter.io scanning service.
This analyzer comes in 2 flavors:
- BackscatterIO_GetObservations: determine whether a value has a known scanning activity.
- BackscatterIO_Enrichment: enrich values.
This analyzer requires you to have an account on Backscatter.io and an API key.
To configure the analyzer you need to supply the key as a value of the key parameter.
Get C1fApp information related to an IP address, a domain or a URL.
The analyzer comes in only one flavor.
This analyzer requires you to have an account on c1fapp.com and an API key.
To configure the analyzer you need to supply the key as a value of the key parameter.
Get Censys.io information about certificates using the associated IP, domain or hash.
The analyzer comes in only one flavor.
Provide your API ID and the API secret as values for the uid and key parameters.
Clamav is a powerful open source antivirus engine that allows you to write your own custom signatures using Yara and sigtool. This analyzer allows TheHive to communicate with a local clamav-daemon.
A detailed configuration guide is available on Hetstat's website.
The analyzer comes in only one flavor.
Get Crt.sh certificate transparency lists associated with a domain name. Crt.sh is an online service operated by the Comodo Certificate Authority.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Analyze URLs and files using Cuckoo Sandbox.
The analyzer comes in two flavors:
- CuckooSandbox_File_Analysis_Inet: analyze files with Internet access.
- CuckooSandbox_Url_Analysis: analyze URLs.
The CuckooSandbox analyzer requires you to have a local instance of Cuckoo Sandbox deployed. It is a FOSS that is free for use but needs to be manually deployed in your environment. Please go to https://cuckoosandbox.org/ for more information on setting it up.
To configure the analyzer you need to supply the API URL of your local instance as a value of the url parameter.
In addition, since Cuckoo 2.0.7, you need to specify an API token used for authentication. This token can be found in your configuration, in the Cuckoo Working Directory ($CWD/conf/cuckoo.conf).
Finally, if you secured your API calls with HTTPS using a custom CA, you can specify it in the cert_path parameter (for example /etc/ssl/certs/my-custom-ca.pem). Alternatively, you can disable TLS certificate verification by setting the cert_check parameter to false.
Use the Cybercrime-tracker.net service to assess whether an IP address, URL, domain, or FQDN has a C2 (Command & Control) entry in its database.
This analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Use the Cyberprotect ThreatScore service to get the cyber threat score of a domain or IP address, based on the Cyberprotect system.
This analyzer comes in only one flavor called Cyberprotect_ThreatScore.
No configuration is required. It can be used out of the box.
Checks IP addresses against Cymon.io.
This analyzer comes in only one flavor.
You need to sign up to the service at https://cymon.io/user/signup. Once you do, provide your API key as the value to the key parameter.
Checks if an IP address is registered in your sinkhole.
This analyzer comes in only one flavor.
You need to provide the IP address of your sinkhole as the value of the ip parameter and the sinkholed IP address as the value of sink_ip.
Checks IP addresses against SANS ISC DShield database.
The analyzer comes in only one flavor called DShield_lookup.
No configuration is required. It can be used out of the box.
Checks the reputation of an email address against the emailrep.io database.
This analyzer comes in only one flavor, and no specific configuration is required.
Use the eml_parser Python library to parse EML emails and extract useful information.
No configuration is required. It can be used out of the box.
Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF and Microsoft Office documents, Outlook msg files and much more.
The analyzer comes in only one flavor.
Some configuration is required for the Manalyze submodule. This submodule needs to run the Manalyze binary program. There are two different ways to do this:
- Compile the binary program by following the instructions on the GitHub pages. Then enable the manalyze_enable and manalyze_enable_binary options and specify the manalyze_binary_path option in Cortex.
- Use Docker on your Cortex server by setting the manalyze_enable and manalyze_enable_docker options in Cortex. The submodule uses the evanowe/manalyze container when running with Docker. The first analysis using this option could take a long time unless you first run docker pull evanowe/manalyze on your Cortex server.
Check IP addresses against the FireHOL blocklists.
The analyzer comes in only one flavor.
This analyzer needs you to download the FireHOL block lists first to a directory. Use git for that purpose:
$ mkdir /path/to/firehol
$ cd /path/to/firehol
$ git clone https://github.com/firehol/blocklist-ipsets
We advise you to keep the lists fresh by adding a cron entry to regularly download them (for example using git pull).
Specify the directory where the lists have been downloaded using the blocklistpath parameter and, optionally, the ignoreolderthandays parameter to ignore all lists that have not been updated in the last N days.
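The blocklistpath and ignoreolderthandays behaviour described above, as an added example (not the analyzer's own code): it loads every .netset/.ipset file in a directory, skips files whose modification time is older than N days, and reports which lists contain a given IP. The file format (one IP or CIDR per line, "#" comments) follows the public blocklist-ipsets repository; the two sample list files are constructed.

```python
import ipaddress
import os
import tempfile
import time
from pathlib import Path

# File extensions used by the blocklist-ipsets repository.
SUFFIXES = (".netset", ".ipset")


def load_lists(blocklistpath, ignoreolderthandays=None):
    """Return {list_name: [networks]} for every ipset/netset file in the
    directory, skipping files not modified in the last N days (if N given)."""
    lists = {}
    cutoff = None
    if ignoreolderthandays is not None:
        cutoff = time.time() - ignoreolderthandays * 86400
    for path in sorted(Path(blocklistpath).iterdir()):
        if path.suffix not in SUFFIXES:
            continue
        if cutoff is not None and path.stat().st_mtime < cutoff:
            continue  # stale list: ignored, as ignoreolderthandays does
        nets = []
        for line in path.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                # A bare IP becomes a /32 (or /128) network.
                nets.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                continue  # skip a malformed entry instead of dropping the list
        lists[path.stem] = nets
    return lists


def lookup(ip, lists):
    """Return the sorted names of the lists that contain ip."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in lists.items()
                  if any(addr in net for net in nets))


def build_sample_dir():
    """Create a constructed blocklist directory: one fresh list and one
    list whose mtime is set 40 days in the past."""
    d = tempfile.mkdtemp(prefix="firehol_")
    fresh = Path(d, "firehol_level1.netset")
    fresh.write_text("# FireHOL level1 (constructed sample)\n"
                     "192.0.2.0/24\n"
                     "198.51.100.7\n")
    stale = Path(d, "old_list.ipset")
    stale.write_text("# constructed stale list\n203.0.113.9\n")
    old = time.time() - 40 * 86400
    os.utime(stale, (old, old))
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    recent = load_lists(sample, ignoreolderthandays=30)
    print(lookup("192.0.2.15", recent))               # ['firehol_level1']
    print(lookup("203.0.113.9", recent))              # [] (old_list is ignored)
    print(lookup("203.0.113.9", load_lists(sample)))  # ['old_list']
```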
Check the Fortiguard category of a URL or a domain.
The analyzer comes in only one flavor called Fortiguard_URLCategory.
This analyzer comes with a default configuration regarding categories and their maliciousness. If needed, you can customize it by selecting categories from the Fortiguard website: choose which categories you want to be considered malicious or suspicious, and the others will be considered by the analyzer as info. Analyzed observables that are not categorised by the Fortiguard service are considered safe.
Query Google DNS information regarding a domain, FQDN or IP address.
The analyzer comes in only one flavor called GoogleDNS. No configuration is required. It can be used out of the box.
Check URLs against Google Safebrowsing.
The analyzer comes in only one flavor.
You need to obtain an API key from Google.
Provide your API key as a value of the key parameter.
Check file hashes against the Hashdd web service.
The analyzer comes in two flavors:
- Status: query hashdd without an API key for the threat level only.
- Detail: use an API key and obtain additional meta data about the sample.
As long as you are using the Status flavor you don't need an API key. If you want more details using the Detail flavor, you need to sign up for a hashdd.com account and obtain an API key.
Check email addresses against Have I Been Pwned.
The analyzer comes in only one flavor called HIBP_Query.
The analyzer comes with an optional parameter to include unverified breaches within search results. If you do not want to include the optional parameter, the analyzer can be used out of the box.
Query threat feeds through Hippocampe, a FOSS tool from TheHive Project that centralizes feeds and allows you to associate a confidence level to each one of them (that can be changed over time) and get a score indicating the data quality.
The analyzer comes in two flavors:
- HippoMore: get the Hippocampe detailed report for an IP address, a domain or a URL.
- Hipposcore: get the Hippocampe Score report associated with an IP address, a domain or a URL.
The Hippocampe analyzer requires you to have a local instance of Hippocampe deployed/configured. It is a FOSS product that needs to be manually deployed in your environment. Please go to https://github.com/TheHive-Project/Hippocampe for more information on setting it up.
To configure the analyzer you need to supply the URL of your local instance using the url parameter.
Fetch Hybrid Analysis reports associated with hashes and filenames.
This analyzer comes in only one flavor called HybridAnalysis_GetReport.
You need to have or create a free Hybrid Analysis account.
Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair.
Provide the API key as a value for the key parameter and the secret as a value for the secret parameter.
Query https://hunter.io/ and find emails associated with a given domain name.
This analyzer comes in only one flavor called Hunterio_DomainSearch.
You need to have or create a free Hunter.io account.
Provide the API key as a value for the key parameter.
Query the free Maltiverse Threat Intelligence platform for enrichment information.
This analyzer comes in only one flavor, and no specific configuration is required.
Get the latest malware report for a file, hash, domain or an IP address. Refer to Andrea Garavaglia's presentation to learn more about this analyzer. In order to use it, you need to point it to a Neo4j server and provide:
- n4j_host: host address of the Neo4j server
- n4j_port: port number of the Neo4j server
- n4j_user: the Neo4j server username
- n4j_pwd: the Neo4j server password
- threshold: ApiScout's correlation threshold
Geolocate an IP Address via MaxMind GeoLite2 free City and Country databases.
Cortex does not refresh those databases automatically. It is up to you to create a cron job to refresh them at the frequency you want. The files to update are:
- MaxMind/GeoLite2-City.mmdb
- MaxMind/GeoLite2-Country.mmdb
You can fetch up-to-date versions from https://dev.maxmind.com/geoip/geoip2/geolite2/.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Query multiple MISP (Malware Information Sharing Platform) instances for events containing an observable.
MISP is a FOSS threat sharing platform. It is considered the de facto standard in the field. You'd benefit greatly from using it in conjunction with Cortex and TheHive as these 3 products make an interesting Threat Intelligence, Incident Response and Digital Forensics ecosystem.
The analyzer comes in only one flavor.
The MISP analyzer requires you to have access to one or several MISP instances. You can also deploy your own instance.
Four parameters are required to make the analyzer work:
- url
- key
- certpath
- name
You need the URL for each MISP instance you'd like to search. Those URLs go in the url dict. You'll also need the authentication key associated with your account on each of those instances. To obtain the key, log into the MISP instance's Web UI, click on your username on the top navigation bar and retrieve the value of the Authkey parameter. Each Authkey must be added, in the same order as the URLs, to the key dict.
Another important parameter is the certpath dict. For each MISP instance:
- Use false if you don't want to validate the instance's X.509 certificate or if the instance uses old plain HTTP.
- Use "/etc/ssl/certs" or another file to validate the instance's X.509 certificate.
Last but not least, give each instance a name and add it, in the same order you specified URLs and keys above, to the name dict.
Check IP addresses, hashes, domains, FQDNs and URLs against MISP WarningLists.
The analyzer comes in only one flavor.
This analyzer needs you to download the MISP WarningLists first to a directory. Use git for that purpose:
$ mkdir /path/to/misp-warninglists/repository
$ cd /path/to/misp-warninglists/repository
$ git clone https://github.com/MISP/misp-warninglists
We advise you to keep the lists fresh by adding a cron entry to regularly download them (for example using git pull).
Specify the directory where the WarningLists have been downloaded or updated using the path parameter.
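How the downloaded WarningLists are consulted, as an added example (not the analyzer's own code): it walks the directory given as path, reads every list.json and applies the matching semantics of each list type (cidr, hostname, string, substring, regex) to an observable. The lists/<name>/list.json layout and the name/type/list keys follow the misp-warninglists repository; the two sample lists are constructed.

```python
import ipaddress
import json
import re
import tempfile
from pathlib import Path


def load_warninglists(path):
    """Return (name, type, entries) for every list.json found under path."""
    result = []
    for f in sorted(Path(path).rglob("list.json")):
        data = json.loads(f.read_text())
        result.append((data["name"], data["type"], data["list"]))
    return result


def _matches(value, list_type, entries):
    """Apply the matching rule of one warninglist type to a single value."""
    if list_type == "cidr":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # a domain or hash can never match a CIDR list
        return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)
    if list_type == "string":
        return value.lower() in {e.lower() for e in entries}
    if list_type == "hostname":
        # The value itself or any subdomain of a listed hostname matches.
        v = value.lower()
        return any(v == e.lower() or v.endswith("." + e.lower()) for e in entries)
    if list_type == "substring":
        return any(e.lower() in value.lower() for e in entries)
    if list_type == "regex":
        return any(re.search(e, value) for e in entries)
    return False  # unknown list type: never match rather than guess


def check(value, warninglists):
    """Names of the warninglists on which the value appears."""
    return [name for name, t, entries in warninglists
            if _matches(value, t, entries)]


def build_sample_dir():
    """Write two constructed warninglists in the repository layout."""
    d = tempfile.mkdtemp(prefix="warninglists_")
    rfc = {"name": "List of RFC 1918 CIDR blocks (constructed)",
           "type": "cidr",
           "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
    ms = {"name": "Top Microsoft domains (constructed)",
          "type": "hostname",
          "list": ["microsoft.com", "windowsupdate.com"]}
    for dirname, data in (("rfc1918", rfc), ("microsoft", ms)):
        target = Path(d, "lists", dirname)
        target.mkdir(parents=True)
        (target / "list.json").write_text(json.dumps(data))
    return d


if __name__ == "__main__":
    wl = load_warninglists(build_sample_dir())
    print(check("192.168.1.20", wl))                # RFC 1918 list
    print(check("download.windowsupdate.com", wl))  # Microsoft list
    print(check("198.51.100.1", wl))                # []
```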
Parse Outlook message files automatically and show the key information they contain such as headers, attachments, etc. Please note that the analyzer doesn't extract attachments.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Check a hash or filename against the NSRL database, and ensure it is a known good one.
The analyzer comes in only one flavor.
This analyzer needs you to download and extract the NSRLFile files from the NIST website.
- Put these files in a folder and configure it in the nsrl_folder parameter.
- Add the path of the grep command in the corresponding parameter.
- Alternatively you can import all this data into a PostgreSQL database to improve response speed. If so, set the conn parameter.
More information on how to set it up and install it can be found in this detailed blog post.
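A hash or filename lookup over extracted NSRLFile.txt files, as an added example (not the analyzer's own code). It streams the CSV line by line, the same trade-off the grep option above makes, since the real RDS files are several gigabytes. The column header follows the NIST NSRLFile.txt layout; the sample file and its hashes are constructed and are not real NSRL entries.

```python
import csv
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def classify(value):
    """Pick the NSRL column a query value should be compared against:
    40 hex chars is a SHA-1, 32 is an MD5, anything else is a file name."""
    v = value.strip()
    if len(v) == 40 and set(v) <= HEX:
        return "SHA-1"
    if len(v) == 32 and set(v) <= HEX:
        return "MD5"
    return "FileName"


def nsrl_lookup(nsrl_folder, value):
    """Stream every NSRLFile*.txt in the folder and return matching rows
    as dicts keyed by the CSV header."""
    column = classify(value)
    # Hashes are stored upper-case in NSRL; file names are compared
    # case-insensitively because Windows file systems are.
    if column == "FileName":
        needle = value.strip().lower()
    else:
        needle = value.strip().upper()
    hits = []
    for path in sorted(Path(nsrl_folder).glob("NSRLFile*.txt")):
        with open(path, newline="", encoding="utf-8", errors="replace") as fh:
            for row in csv.DictReader(fh):
                cell = row.get(column) or ""
                cell = cell.lower() if column == "FileName" else cell.upper()
                if cell == needle:
                    hits.append(row)
    return hits


def is_known_good(nsrl_folder, value):
    """True when the hash or file name appears in the NSRL reference set."""
    return len(nsrl_lookup(nsrl_folder, value)) > 0


def build_sample_folder():
    """Write a constructed NSRLFile.txt with the real header and fake rows."""
    d = tempfile.mkdtemp(prefix="nsrl_")
    rows = (
        '"SHA-1","MD5","CRC32","FileName","FileSize",'
        '"ProductCode","OpSystemCode","SpecialCode"\n'
        '"0000000000000000000000000000000000000001",'
        '"00000000000000000000000000000001","A1B2C3D4","calc.exe",27648,'
        '1234,"WIN",""\n'
        '"0000000000000000000000000000000000000002",'
        '"00000000000000000000000000000002","E5F60718","notepad.exe",193536,'
        '1234,"WIN",""\n'
    )
    Path(d, "NSRLFile.txt").write_text(rows)
    return d


if __name__ == "__main__":
    folder = build_sample_folder()
    print(is_known_good(folder, "0" * 39 + "1"))      # True  (SHA-1 hit)
    print(nsrl_lookup(folder, "CALC.EXE")[0]["MD5"])  # fake MD5 of the row
    print(is_known_good(folder, "f" * 40))            # False (unknown SHA-1)
```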
Get publicly available information from Onyphe for IP addresses.
The analyzer comes in five flavors:
- Onyphe_Forward: retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.
- Onyphe_Geolocate: retrieve geolocation information for the given IPv{4,6} address.
- Onyphe_Ports: retrieve SYN scan information Onyphe has for the given IPv{4,6} address with history of changes.
- Onyphe_Reverse: retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.
- Onyphe_Threats: retrieve Onyphe threat information for the given IPv{4,6} address with history.
- Onyphe_Inetnum: retrieve Onyphe network (inetnum) information about an IPv4 or IPv6 address.
- Onyphe_Datascan: retrieve Onyphe datascan information about a given IPv4, IPv6 or any other string, with history of changes.
Provide the API key as a value for the key parameter.
Query multiple OpenCTI instances for observables and reports containing them.
OpenCTI is an open cyber threat intelligence platform which aims at providing a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations and based on STIX 2.
The analyzer comes in only one flavor to look for an observable in the platform.
The OpenCTI analyzer requires you to have access to one or several OpenCTI instances. You can also deploy your own instance.
Three parameters are required for each instance to make the analyzer work:
- url: URL of the instance, e.g. "https://demo.opencti.io"
- key: API key of an account, e.g. "2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2"
- name: a custom name to distinguish between several instances, e.g. "Demo"
A global parameter cert_check is used to enable or disable TLS certificate verification.
Query AlienVault's Open Threat Exchange for IPs, domains, URLs, or file hashes.
The analyzer comes in only one flavor.
You need to sign up for an OTX account or use an existing one.
Log in to your OTX account, click on your username on the top navigation bar then on Settings, retrieve your OTX key and use it as the value of the key parameter.
Get the current Patrowl report for an FQDN, a domain or an IP address.
The analyzer comes in only one flavor called Patrowl_GetReport.
You need a running Patrowl instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:
- url: the PatrowlManager service URL
- api_key: a valid API key of a Patrowl user
Query PhishTank to assess whether a URL has been flagged as a phishing site.
The analyzer comes in only one flavor called PhishTank_CheckURL.
You need to sign up for a PhishTank account or use an existing one.
Log in to your PhishTank account, click on the Developers tab then on Manage Applications, register an application by giving it a name and entering a CAPTCHA code. You'll obtain an API key that you'll need to supply as the value to the key configuration parameter for this analyzer to work.
Query Phishing Initiative to assess whether a URL has been flagged as a phishing site.
This analyzer comes in two flavors called PhishingInitiative_Lookup and PhishingInitiative_Scan.
You need to sign up for a Phishing Initiative account or use an existing one.
Log in to your Phishing Initiative account, click on the icon representing your account details then on API. Retrieve the API key value and supply it as the value to the key configuration parameter.
Query Pulsedive and get information about a domain name, hash, IP or URL.
This analyzer comes in only one flavor called Pulsedive_GetIndicator.
You need to sign up for a Pulsedive account or use an existing one.
Provide the API key as a value for the key parameter.
Query the Robtex database and retrieve information about a domain, a FQDN or an IP address.
This analyzer comes in three flavors:
- Robtex_Forward_PDNS_Query: check domains/FQDNs using the Robtex passive DNS database.
- Robtex_IP_Query: make IP lookups against the Robtex DB.
- Robtex_Reverse_PDNS_Query: check IPs in Robtex reverse passive DNS database.
The analyzer uses the free Robtex API which needs no subsequent configuration. However, the free API has limits with regard to rates and amount of data returned.
This analyzer queries the Spamhaus Domain Block List (DBL), which provides domain reputation information.
This analyzer comes in only one flavor, DBLLookup.
No configuration is needed. It can be used out of the box.
Fetch observable details from an Anomali STAXX instance.
This analyzer comes in only one flavor.
You need to install an Anomali STAXX instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:
- auth_url: URL of the authentication endpoint.
- query_url: URL of the intelligence endpoint.
- username: the STAXX user name.
- password: the STAXX password.
- cert_check: boolean indicating whether the certificate of the endpoint must be checked or not.
- cert_path: path to the CA on the system to validate the endpoint's certificate if cert_check is true.
Query StopForumSpam to check if an IP or email address is a known spammer.
You need to define the thresholds above which the analyzed observable should be marked as suspicious or malicious.
This analyzer lets you determine whether an IP address has been reported as a threat on the Cisco Talos Intelligence service. No special access is required to run the analyzer.
This analyzer comes in only one flavor.
No configuration is needed. It can be used out of the box.
This analyzer allows you to submit a file hash to Team Cymru's Malware Hash Registry, and return an evaluation (detection percentage).
The analyzer comes in only one flavor called HashLookup.
No configuration is required. It can be used out of the box.
Look up domains, mail and IP addresses on ThreatCrowd, a service powered by AlienVault.
This analyzer comes in only one flavor.
No configuration is needed. It can be used out of the box.
Check if an IP address, a domain or a FQDN is known by Blutmagie to be linked to a Tor node.
This analyzer comes in only one flavor.
In order to check if an IP, domain or FQDN is a Tor exit node, this analyzer queries the Tor status service at Blutmagie.de. The analyzer uses a caching mechanism in order to save some time when doing multiple queries, so the configuration includes parameters for the cache directory and the caching duration.
Check if an IP address is known to be a Tor node. The information source is the official Tor network status.
This analyzer comes in only one flavor.
The analyzer uses a caching mechanism in order to save some time when doing multiple queries, so the configuration includes parameters for the cache directory and the caching duration. This analyzer also accepts a ttl parameter, which is the threshold in seconds for exit nodes before they get discarded.
Follow redirects of shortened URLs to reveal the real ones.
This analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Warning: using this analyzer without extra caution might lead to unexpected consequences. For example, if the URL you are seeking to unshorten is an attacker-controlled one, you may end up leaving undesired traces in the threat actor's infrastructure logs. The TLP values Cortex allows you to configure, to prevent the use of an analyzer if the TLP associated with an observable is above the authorized level, won't be of much help since Unshortenlink has to access the shortened URL. Please do not activate this analyzer unless you (and your fellow analysts) know what you are doing.
Search IPs, domains, hashes or URLs on urlscan.io.
This analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Check if a domain, URL or hash is known by Abuse.ch and stored in the URLhaus database, and get a report about its 'maliciousness'.
This analyzer comes in only one flavor.
No configuration is needed. It can be used out of the box.
Check whether a file or hash is available on VirusShare.com.
This analyzer comes in only one flavor.
Prior to using the analyzer, you need to retrieve the Virusshare hash lists using the download_hashes.py script that is located in the same directory as the analyzer. To keep your lists fresh, you may want to regularly download them using a cron entry or a similar system.
Indicate the path where you have downloaded the hash lists using the path parameter.
Check a domain against Web of Trust, a website reputation service.
This analyzer comes in only one flavor called WOT_Lookup.
An account with Web of Trust is required to get an API key, which is necessary to configure the analyzer. You can sign up for an account at https://www.mywot.com/en/signup?destination=profile/api.
Supply the API key you'll find under https://www.mywot.com/en/signup?destination=profile/api as the value for the key parameter.
Check files against YARA rules using yara-python.
The analyzer comes in only one flavor.
You need to point your analyzer to multiple files and/or directories containing your YARA rules. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.
Add each file and/or directory containing YARA rules to the rules dict.
YETI is a FOSS platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. The analyzer for this platform lets you make API calls to YETI and retrieve all available information pertaining to a domain, a fully qualified domain name, an IP address, a URL or a hash.
This analyzer comes in only one flavor.
The Yeti analyzer requires you to have a local instance of YETI deployed/configured. It is an open source tool that is free for use but needs to be manually deployed in your environment.
Provide the URL of your YETI instance as a value for the url parameter. The analyzer also allows you to use an API key if needed.
Check CERT.at Passive DNS Service for a given domain.
This analyzer comes in only one flavor.
Access to the CERT.at service is allowed to trusted partners only. If you think you qualify, please contact CERT.at.
No configuration is required. It can be used out of the box if CERT.at positively answers your access request.
Check CIRCL's Passive DNS for a given domain.
This analyzer comes in only one flavor.
Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg and abroad. Contact CIRCL if you would like access. Include your affiliation and the foreseen use of the Passive DNS data.
If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.
Supply your username as the value for the user parameter and your password as the value for the password parameter.
Check CIRCL's Passive SSL service for a given IP address or certificate hash.
This analyzer comes in only one flavor.
Access to CIRCL Passive SSL is allowed to partners including security researchers or incident analysts worldwide. Contact CIRCL if you would like access.
If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.
Supply your username as the value for the user parameter and your password as the value for the password parameter.
Determine whether an IP has known scanning activity using GreyNoise.
This analyzer comes in only one flavor.
The analyzer can be used out of the box without configuration. However, if you make many requests, you need to obtain an API key. Please contact GreyNoise to ask for one.
Once you get the API key, provide it as the value of the key parameter.
Query domains, IPs, hashes and URLs against IBM X-Force Threat Intelligence sharing platform.
This analyzer comes in only one flavor.
Access to IBM X-Force Threat Exchange requires an IBM ID.
Once you have access to the service, supply the URL of the service as the value for the url parameter, the API key associated with your account as the value for the key parameter and the associated password as the value of the pwd parameter.
Get enrichment information from the ipinfo.io service. This analyzer comes in two flavors:
- IPinfo_Details: IPinfo details lookup.
- IPinfo_Hosted_Domains: hosted domain lookup.
To query the service, you need to provide an API key as the value of the api_key parameter.
Submit a file to Intezer Analyze™ and get an analysis report. This analyzer comes in only one flavor.
To query the service, you need to provide an API key as the value of the key parameter.
Scan files against YARA rules automatically downloaded every 10 hours by the analyzer from Malpedia.
If a rule matches, the analyzer tries to retrieve more info from Malpedia such as the malware family (currently more than 600) and the actor group (tracked through MISP Galaxies).
This analyzer comes in only one flavor.
You need access to Malpedia to use this analyzer. Please note that Malpedia does not feature open registration. It is operated as an invite-only trust group. If you believe you qualify for an account, please see Malpedia's Terms of Services for contact details.
If you have access to Malpedia, provide your username as the value for the username parameter and the associated password as the value of the password parameter, then specify a location where the analyzer will download the YARA rules to using the path parameter.
Query Malwares.com and get reports on files, hashes, domain names and IP addresses.
The analyzer comes in two flavors:
- Malwares_GetReport: get the latest Malwares report for a file, hash, domain or an IP address.
- Malwares_Scan: scan a file or URL.
You need to sign up for a Malwares.com account.
An API key to use the service's API should be associated with your account. Supply it as the value of the key parameter.
Query IP addresses and domain names against Mnemonic Passive DNS service.
This analyzer comes in two flavors:
- Mnemonic_pDNS_Public: query Mnemonic's public service.
- Mnemonic_pDNS_Closed: query Mnemonic's closed service.
When using the public service, the analyzer can be used out of the box with no further configuration.
When using the closed service, you need to contact Mnemonic to get an API key which you'll need to supply as the value of the key parameter.
Check the SinkDB service from abuse.ch for a given IP address.
This analyzer comes in only one flavor.
SinkDB is a private service provided by abuse.ch which collects sinkholed IPs. Access to this service is restricted to trusted partners. Request an access using the form available on the SinkDB website if you would like access.
Provide the API key as a value for the key parameter.
Retrieve key Shodan information on domains and IP addresses.
This analyzer comes in 6 flavors:
- Shodan_Host: get Shodan information on a host.
- Shodan_Search: get Shodan search result on a domain.
- Shodan_DNSResolve: get Shodan domain resolutions.
- Shodan_Host_History: get Shodan history scan results for an IP.
- Shodan_InfoDomain: get Shodan information on a domain.
- Shodan_ReverseDNS: get Shodan reverse DNS resolutions on an IP.
You need to create a Shodan account and retrieve the associated API Key. For best results, it is advised to get a Membership level account, otherwise a free one can be used.
Supply the API key as the value for the key parameter.
Autofocus is a commercial Threat Intelligence Platform provided by Palo Alto Networks.
This analyzer comes in 3 flavors:
- AUTOFOCUS_GetSampleAnalysis: fetch the full analysis of a sample based on its hash.
- AUTOFOCUS_SearchIOC: fetch samples linked to a specific IoC (domain, fqdn, user-agent, imphash, ip, mutex, url, tag). Please note that mutex and tag are not default datatypes in TheHive. You need to create them in TheHive before you can leverage them.
- AUTOFOCUS_SearchJSON: fetch samples matching a complex search in JSON format (other).
You need to be an Autofocus customer of Palo Alto Networks to have access to their API and be able to use the analyzer.
Provide your API key as the value of the apikey parameter.
Leverage Farsight Security's DNSDB for Passive DNS.
This analyzer comes in three flavors:
- DNSDB_DomainName: fetch historical records for a domain.
- DNSDB_IPHistory: fetch historical records for an IP address.
- DNSDB_NameHistory: fetch historical records for a fully-qualified domain name.
You need a valid subscription to Farsight Security's DNSDB service to use the analyzer.
Provide the URL of the DNSDB API service to the server parameter. The default (https://api.dnsdb.info) should work. If it doesn't, contact Farsight Security.
Provide your API key as a value to the key parameter.
Look up domain names, IP addresses, WHOIS records, etc. using the popular DomainTools service API.
The analyzer comes in 10 flavors:
- DomainTools_HostingHistory: get a list of historical registrant, name servers and IP addresses for a domain.
- DomainTools_ReverseIP: get a list of domain names sharing the same IP address.
- DomainTools_ReverseIPWhois: get a list of IP addresses which share the same registrant information. It applies to a mail, IP, or domain.
- DomainTools_ReverseNameServer: get a list of domain names that share the same primary or secondary name server.
- DomainTools_ReverseWhois: get a list of domain names which share the same registrant information.
- DomainTools_WhoisHistory: get a list of historical Whois records associated with a domain name.
- DomainTools_WhoisLookup: get the ownership record for a domain or IP address with basic registration details parsed.
- DomainTools_WhoisLookupUnparsed: get the ownership record for an IP address or domain with basic registration details without parsing.
- DomainTools_Risk: get a risk score for a given domain name.
- DomainTools_Reputation: get a reputation score for a given domain name.
You need a valid DomainTools API integration subscription to use the analyzer.
Provide your username as a value for the `username` parameter and your API key as a value for the `key` parameter.
Look up domain names, IP addresses, e-mail addresses, and SSL hashes using the popular DomainTools Iris service API.
The analyzer comes in 2 flavors:
- DomainToolsIris_Investigate: Use DomainTools Iris API to investigate a domain.
- DomainToolsIris_Pivot: Use DomainTools Iris API to pivot on ssl_hash, ip, or email.
You need a valid DomainTools API integration subscription to use the analyzer:
- Provide your username as a value for the `username` parameter and your API key as a value for the `key` parameter.
- Set the `pivot_count_threshold` parameter to highlight any item below that value as being of interest in the report's template.
Leverage Proofpoint's Emerging Threats Intelligence to assess the reputation of various observables and obtain additional and valuable information on malware.
The service comes in three flavors:
- EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
- EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
- EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.
You need a valid Proofpoint Emerging Threats Intelligence subscription to use the analyzer.
Retrieve the API key associated with your account and provide it as a value to the `key` parameter.
Leverage FireEye iSIGHT Threat Intelligence to qualify domains, IP addresses, hashes and URLs.
This analyzer comes in only one flavor.
You need a valid FireEye iSIGHT Threat Intelligence subscription to use the analyzer.
Retrieve the API key associated with your account and provide it as a value to the `key` parameter. Obtain the password associated with the API key and provide it as a value to the `pwd` parameter.
Analyze URLs and files using the powerful Joe Sandbox malware analysis solution.
Joe Sandbox is a commercial solution by Joe Security LLC. It comes in several versions. The analyzer has been tested with Joe Sandbox Cloud, Joe Sandbox Ultimate and Joe Sandbox Complete.
The analyzer comes in 3 flavors:
- JoeSandbox_File_Analysis_Inet: analyze files while providing Internet access.
- JoeSandbox_File_Analysis_Noinet: analyze files without providing Internet access.
- JoeSandbox_Url_Analysis: analyze URLs.
Provide the URL of your on-premises Joe Sandbox instance or of the cloud version to the `url` parameter, and supply the associated API key as a value for the `key` parameter.
Leverage Cisco Umbrella Investigate to qualify a domain, a FQDN or a hash.
The analyzer comes in 2 flavors:
- Investigate_Categorization: analyze a domain or FQDN.
- Investigate_Sample: analyze a hash.
Retrieve the API key associated with your account and provide it as a value for the `key` parameter.
This analyzer leverages the IP reputation check on apivoid.com, the API of the ipvoid.com web service.
This analyzer comes in only one flavor.
Retrieve the API key associated with your account on apivoid.com and provide it as a value for the `key` parameter.
Use Nessus Professional, a popular vulnerability scanner to scan an IP address or a FQDN. This analyzer works with Nessus 6 or earlier. Tenable has removed API access starting from version 7 rendering this analyzer useless with that version.
The analyzer comes in only one flavor.
You must have a locally deployed instance of Nessus Professional 6 or earlier to use the analyzer. The scanner must have at least one scan policy defined. You must not scan assets that do not belong to you, unless you really know what you are doing. That is why safeguards were built into the analyzer's configuration.
To configure the analyzer, you must supply four parameters:
- `url`: URL of your Nessus scanner.
- `login`: username to log in to the scanner.
- `password`: password of your login account.
- `policy`: the scan policy to use.
- `ca_bundle`: an optional parameter to validate the X.509 certificate of the scanner. This parameter must be omitted if no validation is needed.
- `allowed_networks`: a list of networks in CIDR notation that the scanner is allowed to probe.
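The `allowed_networks` safeguard only protects you if the target is checked against it before any scan is launched. The following is an added example of such a pre-scan guard, written for this page; it is not the Nessus analyzer's own code. The `ALLOWED_NETWORKS` value, the `FAKE_DNS` answers and the `fake_resolver` hook are constructed so the example runs offline; in a real analyzer the resolver would be `socket.gethostbyname_ex` and the list would come from the `allowed_networks` parameter.

```python
import ipaddress
import socket

# Constructed sample configuration, standing in for the analyzer's
# allowed_networks parameter (an assumption, not the analyzer's real default).
ALLOWED_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24", " 2001:db8::/32 "]

# Constructed DNS answers used by the demo resolver so the example runs offline.
FAKE_DNS = {
    "intranet.example": ["10.5.5.5"],
    "mixed.example": ["10.5.5.6", "203.0.113.9"],  # one address out of scope
}


def fake_resolver(fqdn):
    """Stand-in for socket.gethostbyname_ex: returns (name, aliases, addresses)."""
    if fqdn not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return fqdn, [], FAKE_DNS[fqdn]


def parse_allowed_networks(entries):
    """Turn the CIDR strings of allowed_networks into network objects.
    A malformed entry raises ValueError so a typo can never widen the scope."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_target_allowed(target, allowed, resolver=socket.gethostbyname_ex):
    """Decide whether an IP or FQDN observable may be handed to the scanner.

    Returns (allowed, reason). An FQDN is resolved first, and every address it
    resolves to must fall inside an allowed network: a name with one in-scope
    and one out-of-scope address is refused rather than partially scanned.
    """
    if not allowed:
        return False, "allowed_networks is empty; refusing to scan anything"
    try:
        addrs = [ipaddress.ip_address(target)]
    except ValueError:  # not an IP literal, treat it as an FQDN
        try:
            _, _, ips = resolver(target)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            return False, f"cannot resolve {target}: {exc}"
        if not ips:
            return False, f"{target} resolved to no addresses"
        addrs = [ipaddress.ip_address(ip) for ip in ips]
    for addr in addrs:
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        if not any(addr in net for net in allowed):
            return False, f"{addr} is outside allowed_networks"
    return True, f"{len(addrs)} address(es) in scope"


if __name__ == "__main__":
    nets = parse_allowed_networks(ALLOWED_NETWORKS)
    for observable in ["10.1.2.3", "8.8.8.8", "2001:db8::1",
                       "intranet.example", "mixed.example", "nope.example"]:
        ok, why = is_target_allowed(observable, nets, resolver=fake_resolver)
        print(f"{observable:18} {'ALLOW' if ok else 'REFUSE'}: {why}")
```

Two design choices matter here: an empty list refuses everything rather than allowing everything, and a name that resolves to several addresses is only accepted when all of them are in scope, since a scanner will otherwise happily probe whichever address it picks.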
Leverage RiskIQ's PassiveTotal service to gain invaluable insight on observables, identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.
The analyzer comes in 8 flavors:
- PassiveTotal_Enrichment: enrichment lookup.
- PassiveTotal_Malware: malware lookup.
- PassiveTotal_Osint: OSINT lookup.
- PassiveTotal_Passive_Dns: passive DNS lookup.
- PassiveTotal_Ssl_Certificate_Details: SSL certificate details.
- PassiveTotal_Ssl_Certificate_History: SSL certificate history lookup.
- PassiveTotal_Unique_Resolutions: unique resolutions lookup.
- PassiveTotal_Whois_Details: Whois details lookup.
- PassiveTotal_Trackers: tracker lookups.
- PassiveTotal_Host_Pairs: host pair lookups.
- PassiveTotal_Components: component lookups.
You need a PassiveTotal account to obtain the API key which is required to use the analyzer. If you sign up for a Community Edition Account, you'll have a very limited number of queries. You can purchase a PassiveTotal subscription for a higher number of queries per day.
Provide your account's username as the value of the `username` parameter and the associated API key as the value of the `key` parameter.
Submit files or URLs to an on-premises PayloadSecurity sandbox and fetch the associated reports.
This analyzer comes in only one flavor.
Five parameters are required to make the analyzer work: `url`, `key`, `secret`, `environmentid` and `verifyssl`.
Provide the API key as a value for the `key` parameter and the secret as a value for the `secret` parameter. The `url` parameter should be the address of your on-premises service. `environmentid` should also be gathered from your custom configuration.
Get the latest risk data from RecordedFuture for a hash, domain or an IP address.
This analyzer comes in only one flavor, RecordedFuture.
Retrieve the API key associated with your account and provide it as a value for the `key` parameter.
Get Whois and Passive DNS details using SecurityTrails.
The analyzer comes in 2 flavors:
- SecurityTrails_Passive_Dns: Passive DNS Lookup.
- SecurityTrails_Whois: Whois Details Lookup.
You need a SecurityTrails account to obtain the API key which is required to use the analyzer.
Provide your account's API key as the value of the `api_key` parameter.
Get information about any observable dataType from a SoltraEdge server.
An account and a token from a SoltraEdge server are required to use this analyzer. Provide this information as values of the `account`, `token` and `base_url` parameters.
The Cisco Threat Grid analyzer has the following features:
- Submit a `file` for analysis
- Submit a `url` for analysis
- Query Threat Grid for a `hash` (MD5, SHA1, SHA256) and get the highest scoring analysis results
- Pivot into the Threat Grid report to view the analysis
- Pivot into the Threat Grid report to a specific Behavioral Indicator
- Pivot into the Threat Grid report to a specific TCP/IP Stream
The analyzer comes in only one flavor.
You must have a Cisco Threat Grid Premium account with API access.
To configure the analyzer, you must supply two parameters:
- `tg_host`: hostname of your Threat Grid instance.
- `api_key`: API key to authenticate to your Threat Grid instance.
The Cisco Threat Response analyzer has the following features:
- Query Threat Response for Verdicts and Sightings for: `domain`, `filename`, `fqdn`, `hash` (MD5, SHA1, SHA256), `ip`, `url`
- Pivot into a Threat Response investigation of an observable
- If the AMP for Endpoints module is configured in Threat Response and the feature is enabled on the analyzer: when a target is returned from the AMP for Endpoints module the analyzer will extract the connector GUIDs as Artifacts to enable seamless use of the AMP for Endpoints Responder.
The analyzer comes in only one flavor.
You must have a Cisco Threat Response account and a Threat Response API Client ID with the `enrich` scope.
To configure the analyzer, you must supply three parameters:
- `region`: The Threat Response region your account is in (US, EU, APJC).
- `client_id`: Threat Response API Client ID with appropriate scopes.
- `client_password`: Password for the Threat Response API Client.
Query the Umbrella Reporting API for recent DNS queries and their status, for a domain.
This analyzer comes in only one flavor, Umbrella_Report.
Four parameters are required to make the analyzer work: `api_key`, `api_secret`, `organization_id` and `query_limit` (defaults to 20).
Provide the API key as a value for the `api_key` parameter and the secret as a value for the `api_secret` parameter. The `organization_id` parameter should be obtained from the Umbrella Admin Console. `query_limit` is optional and represents the maximum number of results to return.
Look up files, URLs and hashes in VirusTotal.
The analyzer comes in two flavors:
- VirusTotal_GetReport: get the latest VirusTotal report for a file, hash, domain, URL or an IP address.
- VirusTotal_Scan: scan a file or URL.
You need a VirusTotal community account or a Private API subscription, a premium service.
Please note that a community account is highly limited in the number of API queries it can make. If you can afford them, subscribe to the premium services.
Provide the API key associated with your account as a value to the `key` parameter.
Analyze files using the VMRay Analyzer Platform commercial sandbox.
The analyzer comes in only one flavor. It lets you run a file in a local or remote (cloud) VMRay sandbox. The analyzer also lets you check existing analysis reports.
You need a VMRay Analyzer Platform to use the analyzer.
To configure the analyzer, provide the URL of the platform as a value for the `url` parameter and the API key as a value for the `key` parameter.
To validate the X.509 certificate of your VMRay Analyzer Platform instance, use the `certpath` parameter.
This responder can be used to create an issue in the Redmine ticketing system from a case. It will use the case title as the issue subject and the case description as the issue body.
To set it up in Cortex, you will need:
- To define a user to allow Cortex to connect to Redmine and with access to the various projects in which issues should be created
- Define three custom fields in TheHive that will be used to select the project, the tracker and, optionally, the assignee of the issue. These fields can be free form or can be custom fields with preset values.
The following options are required in the Redmine Responder configuration:
- `instance_name`: Name of the Redmine instance
- `url`: URL where to find the Redmine API
- `username`: Username to log into Redmine
- `password`: Password to log into Redmine
- `project_field`: Name of the custom field containing the Redmine project to use when creating the issue
- `tracker_field`: Name of the custom field containing the Redmine tracker to use when creating the issue
- `assignee_field`: Name of the custom field containing the Redmine assignee to use when creating the issue
- `reference_field`: Name of the case custom field in which to store the opened issue. If not defined, this information will not be stored
- `opening_status`: Status used when opening a Redmine issue (if not defined here, the responder will use the default opening status from the Redmine workflow)
- `closing_task`: Close the task after successfully creating the Redmine issue
This responder performs actions on Wazuh, the open source security monitoring platform. It currently supports ad-hoc firewall blocking of ip observables.
The responder will use the provided `wazuh_agent_id` (custom field) to call back to the defined Wazuh manager to implement the active response action.
The following options are required in the Wazuh Responder configuration:
- `wazuh_manager`: The Wazuh manager API address/port
- `wazuh_user`: The Wazuh API user
- `wazuh_password`: The Wazuh API password
The following custom fields should be created and populated in related records:
- `wazuh_agent_id`: The ID of the Wazuh agent that witnessed the activity that generated the alert
- `wazuh_alert_id`: The Wazuh alert ID generated by the Wazuh manager
- `wazuh_rule_id`: The rule ID associated with the Wazuh alert
This responder sends observables you select to a Palo Alto Minemeld instance.
The following options are required in the Palo Alto Minemeld Responder configuration:
- `minemeld_url`: URL of the Minemeld instance to which you will be posting indicators
- `minemeld_user`: user accessing the Minemeld instance
- `minemeld_password`: password for the user accessing the Minemeld instance
- `minemeld_indicator_list`: name of the Minemeld indicator list (already created in Minemeld)
- `minemeld_share_level`: share level for indicators (defaults to `red`)
- `minemeld_confidence`: confidence level for indicators (defaults to `100`)
- `minemeld_ttl`: TTL for indicators (defaults to `86400` seconds)
The Cisco AMP for Endpoints responder has the following features:
- Add a SHA256 to a Simple Custom Detection List
- TheHive's case ID and description are appended to the description
- Remove a SHA256 from a Simple Custom Detection List
- Move a connector GUID to a new group
- Start Host Isolation
- Can set a custom unlock code, if a custom unlock code isn't provided it is randomly generated
- Stop Host Isolation
The responder comes in 5 flavors:
- AMPforEndpoints_IsolationStart: Start Host Isolation.
- AMPforEndpoints_IsolationStop: Stop Host Isolation.
- AMPforEndpoints_MoveGUID: Move Connector GUID to a new group.
- AMPforEndpoints_SCDAdd: Add SHA256 to a Simple Custom Detection List.
- AMPforEndpoints_SCDRemove: Remove SHA256 from a Simple Custom Detection List.
You must have an AMP for Endpoints account and API Credentials with Read/Write API access.
To configure the responder, you must supply five parameters:
- `amp_cloud`: The FQDN of the AMP for Endpoints Cloud your account is in.
- `client_id`: AMP for Endpoints API Client ID.
- `api_key`: Password for the AMP for Endpoints API Client.
- `group_guid`: The Group GUID to move connectors into.
- `scd_guid`: The Simple Custom Detection List GUID to add and remove SHA256s.
Submit observables from alerts and cases to the Crowdstrike Falcon Custom IOC API.
To configure the responder, provide the URL of the platform as a value for the `falconapi_url` parameter, the API user as the `falconapi_user` parameter and the API key as the `falconapi_key` parameter.
This responder allows the integration between TheHive/Cortex and KnowBe4's User Events API. If a mail observable is tagged with a specified tag, corresponding to the responder's configuration, (e.g. phished), then the associated user will have a custom event added to their profile in KnowBe4.
You must provide:
- An API key as a value for the `api_key` parameter to access the User Events API. API documentation to retrieve your key is located at User Event API
- The appropriate `base_url` parameter, dependent on your geographic location. More information is available at User Events API
- The appropriate `hive_url` parameter so that the TheHive case can be referenced in the KnowBe4 Users' Timeline
- The appropriate `event_type` parameter so that Cortex can create the correct type of event in the Users' timeline.
Adds a tag indicating that the observable and case are malicious, based on the Iris tags short summary from the DomainTools Iris Investigate analyzer.
To configure the responder, provide a set of values for the `monitored_iris_tags` parameter.
Adds a tag indicating that the observable and case contain a risky DNS entry, based on the risk score short summary from the DomainTools Iris Investigate analyzer.
To configure the responder, provide a value for the `high_risk_threshold` parameter.
Adds domains from observables in cases to the Umbrella blacklist.
To configure the responder, provide the URL of the service as a value for the `integration_url` parameter.