Cortex Analyzer & Responder Requirements Guide

Analyzers and Responders are autonomous applications managed by and run through the Cortex core engine. Analyzers allow analysts and security researchers to analyze observables and IOCs such as domain names, IP addresses, hashes, files and URLs at scale. While many analyzers are free to use, some require special access while others necessitate a valid service subscription or product license, even though the analyzers themselves are released under the AGPL (Affero General Public License).

Responders are programs that perform different actions and apply to alerts, cases, tasks, task logs, and observables.

This document outlines the information needed to:

  • install the Cortex analyzers and responders.
  • update them when needed.
  • configure them.

This document also specifies whether the service that the analyzer is based on is free or requires special access, a valid subscription or a product license.

Introduction

All analyzer and responder configuration settings must be made using the Cortex Web UI. Please refer to the Administration Guide for further details.

By default, and within every freshly created organization, all analyzers and responders are disabled. If you want to enable and configure them, use the Web UI (Organization > Configurations and Organization > Analyzers tabs).

Free Analyzers

Abuse_Finder

Use CERT-SG's Abuse Finder to find abuse contacts associated with domain names, URLs, IPs and email addresses.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

AbuseIPDB

Get AbuseIPDB information related to an IP address.

This analyzer comes in only one flavor.

Requirements

This analyzer requires you to have an account on AbuseIPDB and an API key.

To configure the analyzer you need to supply the key as a value of the key parameter.

Backscatter.io

Brings observations and enrichment data from Backscatter.io scanning service.

This analyzer comes in 2 flavors:

  • BackscatterIO_GetObservations: determine whether a value has a known scanning activity.
  • BackscatterIO_Enrichment: enrich values.

Requirements

This analyzer requires you to have an account on Backscatter.io and an API key.

To configure the analyzer you need to supply the key as a value of the key parameter.

C1fApp

Get C1fApp information related to an IP address, a domain or a URL.

The analyzer comes in only one flavor.

Requirements

This analyzer requires you to have an account on c1fapp.com and an API key.

To configure the analyzer you need to supply the key as a value of the key parameter.

Censys.io

Get Censys.io information about certificates using the associated IP, domain or hash.

The analyzer comes in only one flavor.

Requirements

Provide your API ID and the API secret as values for uid and key parameters.

Clamav

Clamav is a powerful open source antivirus engine that also lets you write custom signatures using YARA and sigtool. This analyzer allows TheHive to communicate with a local clamav-daemon.

A detailed configuration guide is available on Hetstat's website.

The analyzer comes in only one flavor.

Crtsh

Get Crt.sh certificate transparency lists associated with a domain name. Crt.sh is an online service operated by the Comodo Certificate Authority.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

CuckooSandbox

Analyze URLs and files using Cuckoo Sandbox.

The analyzer comes in two flavors:

  • CuckooSandbox_File_Analysis_Inet: analyze files with Internet access.
  • CuckooSandbox_Url_Analysis: analyze URLs.

Requirements

The CuckooSandbox analyzer requires you to have a local instance of Cuckoo Sandbox deployed. It is free and open source software but needs to be manually deployed in your environment. Please go to https://cuckoosandbox.org/ for more information on setting it up.

To configure the analyzer you need to supply the API URL of your local instance as a value of the url parameter.

In addition, since Cuckoo 2.0.7, you need to specify an API token used for authentication. This token can be found in your configuration, in the Cuckoo Working Directory ($CWD/conf/cuckoo.conf).

Finally, if you secured your API calls with HTTPS using a custom CA, you can specify it in the cert_path parameter (/etc/ssl/certs/my-custom-ca.pem). Alternatively, you can disable TLS certificate verification by setting the cert_check parameter to false.

Cybercrime-Tracker

Use the Cybercrime-tracker.net service to assess whether an IP address, URL, domain, or FQDN has a C2 (Command & Control) entry in its database.

This analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

Cyberprotect

Use the Cyberprotect ThreatScore service to get the cyber threat score of a domain or IP address, based on the Cyberprotect system.

This analyzer comes in only one flavor called Cyberprotect_ThreatScore.

No configuration is required. It can be used out of the box.

Cymon

Checks IP addresses against Cymon.io.

This analyzer comes in only one flavor.

Requirements

You need to sign up to the service at https://cymon.io/user/signup. Once you do, provide your API key as the value to the key parameter.

DNSSinkhole

Checks if an IP address is registered in your sinkhole.

This analyzer comes in only one flavor.

Requirements

You need to provide the IP address of your sinkhole as the value of the ip parameter and the sinkholed IP address as the value of sink_ip.

DShield

Checks IP addresses against SANS ISC DShield database.

The analyzer comes in only one flavor called DShield_lookup.

No configuration is required. It can be used out of the box.

EmailRep

Checks the reputation of an email address against the emailrep.io database.

This analyzer comes in only one flavor, and no specific configuration is required.

EmlParser

Use the eml_parser python library to parse EML email and extract useful information.

No configuration is required. It can be used out of the box.

FileInfo

Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF and Microsoft Office documents, Outlook msg files and much more.

The analyzer comes in only one flavor.

Requirements

Some configuration is required for the Manalyze submodule. This submodule needs to run the Manalyze binary. There are two different ways to do this:

  • Compile the Manalyze binary by following the instructions on its GitHub page, then enable the manalyze_enable and manalyze_enable_binary options and set manalyze_binary_path in Cortex.
  • Use Docker on your Cortex server by enabling the manalyze_enable and manalyze_enable_docker options in Cortex. The submodule then runs the evanowe/manalyze container. The first analysis using this option may take a long time unless you first run docker pull evanowe/manalyze on your Cortex server.

FireHOLBlocklists

Check IP addresses against the FireHOL blocklists.

The analyzer comes in only one flavor.

Requirements

This analyzer needs you to download the FireHOL block lists first to a directory. Use git for that purpose:

$ mkdir /path/to/firehol
$ cd /path/to/firehol
$ git clone https://github.com/firehol/blocklist-ipsets

We advise you to keep the lists fresh by adding a cron entry that regularly updates them (for example, using git pull).

Specify the directory where the lists have been downloaded using the blocklistpath parameter and, optionally, the ignoreolderthandays parameter to ignore all lists that have not been updated in the last N days.
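As an added example (not code from the Cortex FireHOL analyzer), the following Python script shows what the lookup and the ignoreolderthandays filter amount to: it parses the .ipset and .netset files in the cloned directory (one IP or CIDR per line, lines starting with # are comments), skips lists whose file modification time is older than the threshold, and returns the names of the lists that contain the queried address. The list names, addresses and file ages used in demo() are constructed for illustration and are not real FireHOL data.

```python
"""Check an IP address against FireHOL blocklist ipsets stored on disk.

Added example, not part of Cortex or the FireHOL analyzer. It mirrors the
two configuration parameters described on the page: blocklistpath (the
cloned blocklist-ipsets directory) and ignoreolderthandays (stale lists
are ignored rather than trusted).
"""
import ipaddress
import os
import tempfile
import time


def load_list(path):
    """Parse one FireHOL ipset/netset file: '#' comments, one IP or CIDR per line."""
    networks = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                networks.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                continue  # tolerate a stray line instead of discarding the whole list
    return networks


def check_ip(ip, blocklistpath, ignoreolderthandays=None, now=None):
    """Return the names of the lists in blocklistpath that contain `ip`.

    Lists whose mtime is older than `ignoreolderthandays` days are skipped,
    so a feed that stopped updating cannot keep producing stale verdicts.
    """
    addr = ipaddress.ip_address(ip)
    now = time.time() if now is None else now
    hits = []
    for name in sorted(os.listdir(blocklistpath)):
        if not name.endswith((".ipset", ".netset")):
            continue
        full = os.path.join(blocklistpath, name)
        if ignoreolderthandays is not None:
            age_days = (now - os.path.getmtime(full)) / 86400
            if age_days > ignoreolderthandays:
                continue  # stale list: treat it as absent
        # Membership across IP versions is False, so v4 and v6 lists can be mixed.
        if any(addr in net for net in load_list(full)):
            hits.append(name)
    return hits


def demo():
    """Build two constructed lists in a temp dir and run the check (not real FireHOL data)."""
    workdir = tempfile.mkdtemp(prefix="firehol_demo_")
    fresh = os.path.join(workdir, "constructed_fresh.netset")
    stale = os.path.join(workdir, "constructed_stale.ipset")
    with open(fresh, "w") as fh:
        fh.write("# constructed sample, not a real FireHOL list\n198.51.100.0/24\n2001:db8::/32\n")
    with open(stale, "w") as fh:
        fh.write("# constructed sample, not a real FireHOL list\n198.51.100.23\n203.0.113.7\n")
    old = time.time() - 30 * 86400          # pretend this list was last updated 30 days ago
    os.utime(stale, (old, old))
    return {
        "no_age_filter": check_ip("198.51.100.23", workdir),
        "age_filter_7d": check_ip("198.51.100.23", workdir, ignoreolderthandays=7),
        "ipv6": check_ip("2001:db8::1", workdir),
        "clean": check_ip("192.0.2.1", workdir),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits}")
```

With ignoreolderthandays set to 7, the 30-day-old list drops out of the result even though it contains the address, which is the behaviour you want when a feed has silently stopped updating.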

Fortiguard

Check the Fortiguard category of a URL or a domain.

The analyzer comes in only one flavor called Fortiguard_URLCategory.

Requirements

This analyzer comes with a default configuration regarding categories and their maliciousness. If needed, this can be customized by selecting categories from the Fortiguard website. Select which categories you want to be considered malicious or suspicious; all others will be reported by the analyzer as info. Analyzed observables that are not categorised by the Fortiguard service are considered safe.

GoogleDNS

Query Google DNS information regarding a domain, FQDN or IP address.

The analyzer comes in only one flavor called GoogleDNS. No configuration is required. It can be used out of the box.

GoogleSafeBrowsing

Check URLs against Google Safebrowsing.

The analyzer comes in only one flavor.

Requirements

You need to obtain an API key from Google.

Provide your API key as a value of the key parameter.

Hashdd

Check file hashes against the Hashdd web service.

The analyzer comes in two flavors:

  • Status: query hashdd without an API key for the threat level only.
  • Detail: use an API key and obtain additional meta data about the sample.

Requirements

As long as you are using the Status flavor you don't need an API key. If you want more details using the Detail flavor, you need to sign up for a hashdd.com account and obtain an API key.

HIBP

Check email addresses against Have I Been Pwned.

The analyzer comes in only one flavor called HIBP_Query.

Requirements

The analyzer comes with an optional parameter to include unverified breaches within search results. If you do not want to include the optional parameter, the analyzer can be used out of the box.

Hippocampe

Query threat feeds through Hippocampe, a FOSS tool from TheHive Project that centralizes feeds and allows you to associate a confidence level to each one of them (that can be changed over time) and get a score indicating the data quality.

The analyzer comes in two flavors:

  • HippoMore: get the Hippocampe detailed report for an IP address, a domain or a URL.
  • Hipposcore: get the Hippocampe Score report associated with an IP address, a domain or a URL.

Requirements

The Hippocampe analyzer requires you to have a local instance of Hippocampe deployed/configured. It is a FOSS product that needs to be manually deployed in your environment. Please go to https://github.com/TheHive-Project/Hippocampe for more information on setting it up.

To configure the analyzer you need to supply the URL of your local instance using the url parameter.

HybridAnalysis

Fetch Hybrid Analysis reports associated with hashes and filenames.

This analyzer comes in only one flavor called HybridAnalysis_GetReport.

Requirements

You need to have or create a free Hybrid Analysis account.

Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair.

Provide the API key as a value for the key parameter and the secret as a value to the secret parameter.

Hunterio_DomainSearch

Query https://hunter.io/ and find emails associated with a given domain name.

This analyzer comes in only one flavor called Hunterio_DomainSearch.

Requirements

You need to have or create a free Hunter.io account.

Provide the API key as a value for the key parameter.

Maltiverse

Query the free Maltiverse Threat Intelligence platform for enrichment information.

This analyzer comes in only one flavor, and no specific configuration is required.

MalwareClustering

Get the latest malware report for a file, hash, domain or an IP address. Refer to Andrea Garavaglia's presentation to learn more about this analyzer. In order to use it, you need to point it to a Neo4j server and provide:

  • n4j_host: host address of the Neo4j server
  • n4j_port: port number of the Neo4j server
  • n4j_user: the Neo4j server username
  • n4j_pwd: the Neo4j server password
  • threshold: ApiScout's correlation threshold

MaxMind

Geolocate an IP Address via MaxMind GeoLite2 free City and Country databases.

Cortex does not refresh those databases automatically. It is up to you to create a cron job to refresh them at the frequency you want. The files to update are:

  • MaxMind/GeoLite2-City.mmdb
  • MaxMind/GeoLite2-Country.mmdb

You can fetch up-to-date versions from https://dev.maxmind.com/geoip/geoip2/geolite2/.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

MISP

Query multiple MISP (Malware Information Sharing Platform) instances for events containing an observable.

MISP is a FOSS threat sharing platform. It is considered the de facto standard in the field. You'd benefit greatly from using it in conjunction with Cortex and TheHive, as these 3 products make an interesting Threat Intelligence, Incident Response and Digital Forensics ecosystem.

The analyzer comes in only one flavor.

Requirements

The MISP analyzer requires you to have access to one or several MISP instances. You can also deploy your own instance.

Four parameters are required to make the analyzer work:

  • url
  • key
  • certpath
  • name

You need the URL for each MISP instance you'd like to search. Those URLs go in the url dict. You'll also need the authentication key associated with your account on each of those instances. To obtain the key, log into the MISP instance's Web UI, click on your username on the top navigation bar and retrieve the value of the Authkey parameter. Each Authkey must be added, in the same order as the URLs to the key dict.

Another important parameter is the certpath dict. For each MISP instance:

  • Use false if you don't want to validate the instance's X.509 certificate or if the instance uses plain HTTP.
  • Use "/etc/ssl/certs" or another CA file or directory to validate the instance's X.509 certificate.

Last but not least, give each instance a name and add it in the order you specified URLs and keys above to the name dict.
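The certpath entries above, and the cert_check / cert_path pair used by the CuckooSandbox, StaxxSearch and OpenCTI analyzers, decide whether the analyzer validates the instance's certificate at all. The following Python code is an added example, not code from Cortex or the MISP analyzer: it maps those settings to the verification mode they produce (via the standard library's ssl module), pairs the four MISP lists positionally the way the analyzer expects, and flags instances configured with verification disabled or with plain HTTP, where the Authkey travels in clear. The hostnames and placeholder keys in demo() are constructed.

```python
"""Turn Cortex-style TLS settings into a verification mode and audit them.

Added example, not code from Cortex or its analyzers. Two shapes appear on
the page: the per-analyzer pair cert_check / cert_path and the per-instance
certpath list of the MISP analyzer, whose entries are either false or a
CA bundle path (file or directory).
"""
import os
import ssl


def verify_setting(cert_check=True, cert_path=None):
    """Map cert_check/cert_path to a requests-style `verify` value:
    False (no verification), True (system CA store) or a CA bundle path."""
    if not cert_check:
        return False
    return cert_path if cert_path else True


def ssl_context_for(verify):
    """Build the ssl.SSLContext a `verify` value corresponds to."""
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # this is what "false" really means:
        ctx.verify_mode = ssl.CERT_NONE     # any certificate, from anyone, is accepted
        return ctx
    if verify is True:
        return ssl.create_default_context()  # system trust store
    if os.path.isdir(verify):                # e.g. "/etc/ssl/certs" as on the page
        return ssl.create_default_context(capath=verify)
    return ssl.create_default_context(cafile=verify)


def misp_instances(url, key, certpath, name):
    """Pair the four MISP lists positionally, as the analyzer expects, and
    reject mismatched lengths or malformed certpath entries."""
    lists = {"url": url, "key": key, "certpath": certpath, "name": name}
    lengths = {k: len(v) for k, v in lists.items()}
    if len(set(lengths.values())) != 1:
        raise ValueError(f"MISP lists differ in length: {lengths}")
    instances = []
    for u, k, c, n in zip(url, key, certpath, name):
        if c is not False and not (isinstance(c, str) and c):
            raise ValueError(f"{n}: certpath must be false or a CA path, got {c!r}")
        if u.startswith("http://"):
            risk = "plain HTTP: Authkey and results sent in clear"
        elif c is False:
            risk = "TLS verification disabled: open to interception"
        else:
            risk = None
        instances.append({"name": n, "url": u, "key": k, "verify": c, "risk": risk})
    return instances


def audit(instances):
    """Names of instances whose configuration weakens transport security."""
    return [i["name"] for i in instances if i["risk"]]


def demo():
    """Constructed MISP configuration (placeholder keys, example hosts) run through the checks."""
    instances = misp_instances(
        url=["https://misp.example.org", "http://misp-lab.example.internal",
             "https://misp-partner.example.net"],
        key=["<authkey-prod-placeholder>", "<authkey-lab-placeholder>",
             "<authkey-partner-placeholder>"],
        certpath=["/etc/ssl/certs", False, False],
        name=["prod", "lab", "partner"],
    )
    return audit(instances)


if __name__ == "__main__":
    print("instances to review:", demo())
```

Running the audit before enabling the analyzer makes the cost of a false entry explicit: the key for that instance is sent to whatever endpoint answers at the URL, which matters more for MISP than for most analyzers because the Authkey grants full API access to your account.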

MISP Warninglists

Check IP addresses, hashes, domains, FQDNs and URLs against MISP WarningLists.

The analyzer comes in only one flavor.

Requirements

This analyzer needs you to download the MISP WarningLists first to a directory. Use git for that purpose:

$ mkdir /path/to/misp-warninglists/repository
$ cd /path/to/misp-warninglists/repository
$ git clone https://github.com/MISP/misp-warninglists

We advise you to keep the lists fresh by adding a cron entry that regularly updates them (for example, using git pull).

Specify the directory where the WarningLists have been downloaded or updated using the path parameter.

Msg_Parser

Parse Outlook message files automatically and show the key information it contains such as headers, attachments etc. Please note that the analyzer doesn't extract attachments.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

NSRL

Check a hash or filename against the NSRL database to determine whether it is a known good one.

The analyzer comes in only one flavor.

Requirements

This analyzer needs you to download and extract the NSRLFile files from the NIST website.

  • Put these files in a folder and configure it in the nsrl_folder parameter.
  • Add the path to the grep command in the corresponding parameter.
  • Alternatively, you can import all this data into a PostgreSQL database to improve response speed. If so, set the conn parameter.

More information on how to set it up and install in this detailed blog post.

Onyphe

Get publicly available information from Onyphe for IP addresses.

The analyzer comes in the following flavors:

  • Onyphe_Forward: retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address, with history of changes.
  • Onyphe_Geolocate: retrieve geolocation information for the given IPv{4,6} address.
  • Onyphe_Ports: retrieve SYN scan information Onyphe has for the given IPv{4,6} address, with history of changes.
  • Onyphe_Reverse: retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address, with history of changes.
  • Onyphe_Threats: retrieve Onyphe threat information for the given IPv{4,6} address, with history.
  • Onyphe_Inetnum: retrieve Onyphe network (inetnum) information for an IPv4 or IPv6 address.
  • Onyphe_Datascan: retrieve Onyphe datascan information for a given IPv4, IPv6 or any other string, with history of changes.

Requirements

Provide the API key as a value for the key parameter.

OpenCTI

Query multiple OpenCTI instances for observables and reports containing them.

OpenCTI is an open cyber threat intelligence platform which aims at providing a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations and based on STIX 2.

The analyzer comes in only one flavor to look for an observable in the platform.

Requirements

The OpenCTI analyzer requires you to have access to one or several OpenCTI instances. You can also deploy your own instance.

Three parameters are required for each instance to make the analyzer work:

  • url: URL of the instance, e.g. "https://demo.opencti.io"
  • key: API key of an account, e.g. "2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2"
  • name: a custom name to distinguish between several instances, e.g. "Demo"

A global parameter cert_check is used to enable or disable TLS certificates verification.

OTXQuery

Query AlienVault's Open Threat Exchange for IPs, domains, URLs, or file hashes.

The analyzer comes in only one flavor.

Requirements

You need to sign up for an OTX account or use an existing one.

Log in to your OTX account, click on your username on the top navigation bar then on Settings and retrieve your OTX key and use it as the value of the key parameter.

Patrowl

Get the current Patrowl report for an FQDN, a domain or an IP address.

The analyzer comes in only one flavor called Patrowl_GetReport.

Requirements

You need a running Patrowl instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:

  • url: The PatrowlManager service URL
  • api_key: A valid API Key of a Patrowl user

PhishTank

Query PhishTank to assess whether a URL has been flagged as a phishing site.

The analyzer comes in only one flavor called PhishTank_CheckURL.

Requirements

You need to sign up for a PhishTank account or use an existing one.

Log in to your PhishTank account, click on the Developers tab then on Manage Applications, register an application by giving it a name and entering a CAPTCHA code. You'll obtain an API key that you'll need to supply as the value to the key configuration parameter for this analyzer to work.

PhishingInitiative

Query Phishing Initiative to assess whether a URL has been flagged as a phishing site.

This analyzer comes in two flavors called PhishingInitiative_Lookup and PhishingInitiative_Scan.

Requirements

You need to sign up for a Phishing Initiative account or use an existing one.

Log in to your Phishing Initiative account, click on the icon representing your account details then on API. Retrieve the API key value and supply it as the value to the key configuration parameter.

Pulsedive

Query Pulsedive and get information about a domain name, hash, IP or URL.

This analyzer comes in only one flavor called Pulsedive_GetIndicator.

Requirements

You need to sign up for a Pulsedive account or use an existing one.

Provide the API key as a value for the key parameter.

Robtex

Query the Robtex database and retrieve information about a domain, a FQDN or an IP address.

This analyzer comes in three flavors:

  • Robtex_Forward_PDNS_Query: check domains/FQDNs using the Robtex passive DNS database.
  • Robtex_IP_Query: make IP lookups against the Robtex DB.
  • Robtex_Reverse_PDNS_Query: check IPs in Robtex reverse passive DNS database.

The analyzer uses the free Robtex API which needs no subsequent configuration. However, the free API has limits with regard to rates and amount of data returned.

SpamhausDBL

This analyzer queries the Spamhaus Domain Block List (DBL), which provides domain reputation information.

This analyzer comes in only one flavor, DBLLookup.

No configuration is needed. It can be used out of the box.

StaxxSearch

Fetch observable details from an Anomali STAXX instance.

This analyzer comes in only one flavor.

Requirements

You need to install an Anomali STAXX instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:

  • auth_url: URL of the authentication endpoint.
  • query_url: URL of the intelligence endpoint.
  • username: the STAXX user name.
  • password: the STAXX password.
  • cert_check: boolean indicating whether the certificate of the endpoint must be checked or not.
  • cert_path: path to the CA on the system to validate the endpoint's certificate if cert_check is true.

StopForumSpam

Query StopForumSpam to check if an IP or email address is a known spammer.

Requirements

You need to define the thresholds above which the analyzed observable should be marked as suspicious or malicious.

Talos Reputation

This analyzer lets you determine whether an IP address has been reported as a threat by the Cisco Talos Intelligence service. No special access is required to run the analyzer.

This analyzer comes in only one flavor.

No configuration is needed. It can be used out of the box.

Team Cymru MHR

This analyzer allows you to submit a file hash to Team Cymru's Malware Hash Registry and returns an evaluation (detection percentage).

The analyzer comes in only one flavor called HashLookup.

No configuration is required. It can be used out of the box.

ThreatCrowd

Look up domains, mail and IP addresses on ThreatCrowd, a service powered by AlienVault.

This analyzer comes in only one flavor.

No configuration is needed. It can be used out of the box.

Tor Blutmagie

Check if an IP address, a domain or a FQDN is known by Blutmagie to be linked to a Tor node.

This analyzer comes in only one flavor.

Requirements

In order to check if an IP, domain or FQDN is a Tor exit node, this analyzer queries the Tor status service at Blutmagie.de. The analyzer uses a caching mechanism in order to save time when doing multiple queries, so the configuration includes parameters for the cache directory and the duration of caching.

Tor Project

Check if an IP address is known to be a Tor node. The information source is the official Tor network status.

This analyzer comes in only one flavor.

Requirements

The analyzer uses a caching mechanism in order to save time when doing multiple queries, so the configuration includes parameters for the cache directory and the duration of caching. This analyzer also accepts a ttl parameter, which is the threshold in seconds after which exit nodes are discarded.

Unshortenlink

Follow redirects of shortened URLs to reveal the real ones.

This analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

Warning: using this analyzer without extra caution might lead to unexpected consequences. For example, if the URL you are seeking to unshorten is attacker-controlled, you may end up leaving undesired traces in the threat actor's infrastructure logs. The TLP values Cortex allows you to configure to prevent the use of an analyzer when the TLP associated with an observable is above the authorized level won't be of much help, since Unshortenlink has to access the shortened URL. Please do not activate this analyzer unless you (and your fellow analysts) know what you are doing.

UrlScan.io

Search IPs, domains, hashes or URLs on urlscan.io.

This analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

URLhaus

Check if a domain, URL or hash is known by Abuse.ch and stored in the URLhaus database, and get a report about its 'maliciousness'.

This analyzer comes in only one flavor.

No configuration is needed. It can be used out of the box.

Virusshare

Check whether a file or hash is available on VirusShare.com.

This analyzer comes in only one flavor.

Requirements

Prior to using the analyzer, you need to retrieve the Virusshare hash lists using the download_hashes.py script that is located in the same directory as the analyzer. To keep your lists fresh, you may want to regularly download them using a cron entry or a similar system.

Indicate the path where you have downloaded the hash lists using the path parameter.

WOT

Check a domain against Web of Trust, a website reputation service.

This analyzer comes in only one flavor called WOT_Lookup.

Requirements

An account with Web of Trust is required to get an API key, which is necessary to configure the analyzer. You can sign up for an account at https://www.mywot.com/en/signup?destination=profile/api.

Supply the API key you'll find under https://www.mywot.com/en/signup?destination=profile/api as the value for the key parameter.

Yara

Check files against YARA rules using yara-python.

The analyzer comes in only one flavor.

Requirements

You need to point your analyzer to multiple files and/or directories containing your YARA rules. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.

Add each file and/or directory containing YARA rules to the rules dict.
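The rules list accepts both files and directories, and a directory is only usable if it holds an index.yar or index.yas that includes the actual rule files. The following Python code is an added example, not the Cortex Yara analyzer's own code: it expands a rules list the way the text describes, resolves include "..." directives relative to the including file (as YARA does), detects include cycles and missing files, and reports directories that lack an index, so a misconfigured entry is caught before rules are compiled. The rule tree built in demo() is constructed for illustration and contains no real detection rules.

```python
"""Resolve a Cortex Yara `rules` list into the rule files that would be loaded.

Added example, not code from the Cortex Yara analyzer. Entries may be rule
files or directories; a directory must contain index.yar or index.yas, and
an index may `include` other files (paths relative to the including file).
"""
import os
import re
import tempfile

INDEX_NAMES = ("index.yar", "index.yas")
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"', re.MULTILINE)


def index_for(entry):
    """Return the rule file an entry points to, or None if a directory has no index."""
    if os.path.isfile(entry):
        return entry
    if os.path.isdir(entry):
        for name in INDEX_NAMES:
            candidate = os.path.join(entry, name)
            if os.path.isfile(candidate):
                return candidate
    return None


def resolve_includes(path, seen=None):
    """Follow `include "..."` directives depth-first; `seen` keeps load order
    and doubles as cycle protection (a file already expanded is skipped)."""
    seen = [] if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:
        return seen
    seen.append(real)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for inc in INCLUDE_RE.findall(text):
        target = inc if os.path.isabs(inc) else os.path.join(os.path.dirname(path), inc)
        if not os.path.isfile(target):
            raise FileNotFoundError(f"{path} includes missing file {inc}")
        resolve_includes(target, seen)
    return seen


def resolve_rules(rules):
    """Expand every entry of the `rules` list; returns (files, problems)."""
    files, problems = [], []
    for entry in rules:
        index = index_for(entry)
        if index is None:
            problems.append(f"{entry}: not a file and no index.yar/index.yas found")
            continue
        try:
            for f in resolve_includes(index):
                if f not in files:
                    files.append(f)
        except FileNotFoundError as exc:
            problems.append(str(exc))
    return files, problems


def demo():
    """Constructed rule tree (not real rules) exercising files, directories, includes and errors."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="yara_demo_"))

    def write(rel, text):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

    write("ruleset/index.yar", 'include "malware/a.yar"\ninclude "b.yar"\n')
    write("ruleset/malware/a.yar", 'rule demo_a { strings: $s = "constructed" condition: $s }\n')
    write("ruleset/b.yar", 'include "malware/a.yar"\nrule demo_b { condition: true }\n')  # repeat include
    write("single.yar", 'rule demo_single { condition: false }\n')
    write("broken/index.yar", 'include "gone.yar"\n')                                   # dangling include
    os.makedirs(os.path.join(root, "no_index"))                                           # directory, no index
    files, problems = resolve_rules([
        os.path.join(root, "ruleset"),
        os.path.join(root, "single.yar"),
        os.path.join(root, "no_index"),
        os.path.join(root, "broken"),
    ])
    return [os.path.relpath(f, root) for f in files], problems


if __name__ == "__main__":
    loaded, issues = demo()
    print("rule files:", loaded)
    print("problems:", issues)
```

A file included twice is loaded once, which is what you want when several index files share a common rule set; a dangling include is reported per entry rather than aborting the whole list, so one broken directory does not silently disable every other rule source.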

Yeti

YETI is a FOSS platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. The analyzer for this platform lets you make API calls to YETI and retrieve all available information pertaining to a domain, a fully qualified domain name, an IP address, a URL or a hash.

This analyzer comes in only one flavor.

Requirements

The Yeti analyzer requires you to have a local instance of YETI deployed/configured. It is an open source tool that is free for use but needs to be manually deployed in your environment.

Provide the URL of your YETI instance as a value for the url parameter. The analyzer also allows you to use an API key if needed.

Analyzers Requiring Special Access

CERTatPassiveDNS

Check CERT.at Passive DNS Service for a given domain.

This analyzer comes in only one flavor.

Requirements

Access to the CERT.at service is allowed to trusted partners only. If you think you qualify, please contact CERT.at.

No configuration is required. It can be used out of the box if CERT.at positively answers your access request.

CIRCLPassiveDNS

Check CIRCL's Passive DNS for a given domain.

This analyzer comes in only one flavor.

Requirements

Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg and abroad. Contact CIRCL if you would like access. Include your affiliation and the foreseen use of the Passive DNS data.

If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.

Supply your username as the value for the user parameter and your password as the value for the password parameter.

CIRCLPassiveSSL

Check CIRCL's Passive SSL service for a given IP address or certificate hash.

This analyzer comes in only one flavor.

Requirements

Access to CIRCL Passive SSL is allowed to partners including security researchers or incident analysts worldwide. Contact CIRCL if you would like access.

If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.

Supply your username as the value for the user parameter and your password as the value for the password parameter.

GreyNoise

Determine whether an IP has known scanning activity using GreyNoise.

This analyzer comes in only one flavor.

Requirements

The analyzer can be used out of the box without configuration. However, if you make many requests, you need to obtain an API key. Please contact GreyNoise to ask for one.

Once you get the API key, provide it as the value of the key parameter.

IBM X-Force

Query domains, IPs, hashes and URLs against IBM X-Force Threat Intelligence sharing platform.

This analyzer comes in only one flavor.

Requirements

Access to IBM X-Force Threat Exchange requires an IBM ID.

Once you have access to the service, supply the URL of the service as value for the url parameter, the API key associated with your account as value for the key parameter and the associated password as the value of the pwd parameter.

IPInfo

Get enrichment information from the ipinfo.io service. This analyzer comes in two flavors:

  • IPinfo_Details: IPinfo details lookup.
  • IPinfo_Hosted_Domains: hosted domain lookup.

To query the service, you need to provide an API key as value of the api_key parameter.

IntezerCommunity

Submit a file to Intezer Analyze™ and get an analysis report. This analyzer comes in only one flavor.

To query the service, you need to provide an API key as value of the key parameter.

Malpedia

Scan files against YARA rules automatically downloaded every 10 hours by the analyzer from Malpedia.

If a rule matches, the analyzer tries to retrieve more info from Malpedia such as the malware family (currently more than 600) and the actor group (tracked through MISP Galaxies).

This analyzer comes in only one flavor.

Requirements

You need access to Malpedia to use this analyzer. Please note that Malpedia does not feature open registration. It is operated as an invite-only trust group. If you believe you qualify for an account, please see Malpedia's Terms of Services for contact details.

If you have access to Malpedia, provide your username as the value for the username parameter and the associated password as the value of the password parameter then specify a location where the analyzer will download the YARA rules to using the path parameter.

Malwares

Query Malwares.com and get reports on files, hashes, domain names and IP addresses.

The analyzer comes in two flavors:

  • Malwares_GetReport: get the latest Malwares report for a file, hash, domain or an IP address.
  • Malwares_Scan: scan a file or URL.

Requirements

You need to sign up for a Malwares.com account.

An API key to use the service's API should be associated with your account. Supply it as the value of the key parameter.

MnemonicPDNS

Query IP addresses and domain names against Mnemonic Passive DNS service.

This analyzer comes in two flavors:

  • Mnemonic_pDNS_Public: query Mnemonic's public service.
  • Mnemonic_pDNS_Closed: query Mnemonic's closed service.

Requirements

When using the public service, the analyzer can be used out of the box with no further configuration.

When using the closed service, you need to contact Mnemonic to get an API key which you'll need to supply as the value of the key parameter.

SinkDB

Check the SinkDB service from abuse.ch for a given IP address.

This analyzer comes in only one flavor.

Requirements

SinkDB is a private service provided by abuse.ch which collects sinkholed IPs. Access to this service is restricted to trusted partners. Request access using the form available on the SinkDB website if you would like access.

Provide the API key as a value for the key parameter.

Shodan

Retrieve key Shodan information on domains and IP addresses.

This analyzer comes in 6 flavors:

  • Shodan_Host: get Shodan information on a host.
  • Shodan_Search: get Shodan search result on a domain.
  • Shodan_DNSResolve: get Shodan domain resolutions.
  • Shodan_Host_History: get Shodan history scan results for an IP.
  • Shodan_InfoDomain: get Shodan information on a domain.
  • Shodan_ReverseDNS: get Shodan reverse DNS resolutions on an IP.

Requirements

You need to create a Shodan account and retrieve the associated API Key. For best results, it is advised to get a Membership level account, otherwise a free one can be used.

Supply the API key as the value for the key parameter.

Subscription and License-based Analyzers

Autofocus

Autofocus is a commercial Threat Intelligence Platform provided by Palo Alto Networks.

This analyzer comes in 3 flavors:

  • AUTOFOCUS_GetSampleAnalysis: fetch the full analysis of a sample based on its hash.
  • AUTOFOCUS_SearchIOC: fetch samples linked to a specific IoC (domain, fqdn, user-agent, imphash, ip, mutex, url, tag). Please note that mutex and tag are not default datatypes in TheHive. You need to create them in TheHive before you can leverage them.
  • AUTOFOCUS_SearchJSON: fetch samples matching a complex search in JSON format (other).

Requirements

You need to be an Autofocus customer of Palo Alto Networks to have access to their API and be able to use the analyzer.

Provide your API key as the value of the apikey parameter.

DNSDB

Leverage Farsight Security's DNSDB for Passive DNS.

This analyzer comes in three flavors:

  • DNSDB_DomainName: fetch historical records for a domain.
  • DNSDB_IPHistory: fetch historical records for an IP address.
  • DNSDB_NameHistory: fetch historical records for a fully-qualified domain name.

Requirements

You need a valid subscription to Farsight Security's DNSDB service to use the analyzer.

Provide the URL of the DNSDB API service to the server parameter. The default (https://api.dnsdb.info) should work. If it doesn't, contact Farsight Security.

Provide your API key as a value to the key parameter.

DomainTools

Look up domain names, IP addresses, WHOIS records, etc. using the popular DomainTools service API.

The analyzer comes in 10 flavors:

  • DomainTools_HostingHistory: get a list of historical registrant, name servers and IP addresses for a domain.
  • DomainTools_ReverseIP: get a list of domain names sharing the same IP address.
  • DomainTools_ReverseIPWhois: get a list of IP addresses which share the same registrant information. It applies to a mail, IP, or domain observable.
  • DomainTools_ReverseNameServer: get a list of domain names that share the same primary or secondary name server.
  • DomainTools_ReverseWhois: get a list of domain names which share the same registrant information.
  • DomainTools_WhoisHistory: get a list of historical Whois records associated with a domain name.
  • DomainTools_WhoisLookup: get the ownership record for a domain or IP address with basic registration details parsed.
  • DomainTools_WhoisLookupUnparsed: get the ownership record for an IP address or domain with basic registration details without parsing.
  • DomainTools_Risk: get a risk score for a given domain name.
  • DomainTools_Reputation: get a reputation score for a given domain name.

Requirements

You need a valid DomainTools API integration subscription to use the analyzer.

Provide your username as a value for the username parameter and API key as a value for the key parameter.

DomainTools Iris

Look up domain names, IP addresses, e-mail addresses, and SSL hashes using the popular DomainTools Iris service API.

The analyzer comes in 2 flavors:

  • DomainToolsIris_Investigate: Use DomainTools Iris API to investigate a domain.
  • DomainToolsIris_Pivot: Use DomainTools Iris API to pivot on ssl_hash, ip, or email.

Requirements

You need a valid DomainTools API integration subscription to use the analyzer:

  • Provide your username as a value for the username parameter and API key as a value for the key parameter.
  • Set the pivot_count_threshold parameter to highlight any item below that value as being of interest in the report's template.

EmergingThreats

Leverage Proofpoint's Emerging Threats Intelligence to assess the reputation of various observables and obtain additional and valuable information on malware.

The service comes in three flavors:

  • EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
  • EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
  • EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

Requirements

You need a valid Proofpoint Emerging Threats Intelligence subscription to use the analyzer.

Retrieve the API key associated with your account and provide it as a value to the key parameter.

FireEye iSIGHT

Leverage FireEye iSIGHT Threat Intelligence to qualify domains, IP addresses, hashes and URLs.

This analyzer comes in only one flavor.

Requirements

You need a valid FireEye iSIGHT Threat Intelligence subscription to use the analyzer.

Retrieve the API key associated with your account and provide it as a value to the key parameter. Obtain the password associated with the API key and provide it as a value to the pwd parameter.

JoeSandbox

Analyze URLs and files using the powerful Joe Sandbox malware analysis solution.

Joe Sandbox is a commercial solution by Joe Security LLC. It comes in several versions. The analyzer has been tested with Joe Sandbox Cloud, Joe Sandbox Ultimate and Joe Sandbox Complete.

The analyzer comes in 3 flavors:

  • JoeSandbox_File_Analysis_Inet: analyze files while providing Internet access.
  • JoeSandbox_File_Analysis_Noinet: analyze files without providing Internet access.
  • JoeSandbox_Url_Analysis: analyze URLs.

Requirements

Provide the URL of your on-premises Joe Sandbox instance or the cloud version to the url parameter and supply the associated API key as a value for the key parameter.

Investigate

Leverage Cisco Umbrella Investigate to qualify a domain, a FQDN or a hash.

The analyzer comes in 2 flavors:

  • Investigate_Categorization: analyze a domain or FQDN.
  • Investigate_Sample: analyze a hash.

Requirements

Retrieve the API key associated with your account and provide it as a value for the key parameter.

IPVoid

This analyzer leverages the IP reputation check on apivoid.com, the API of the ipvoid.com web service.

This analyzer comes in only one flavor.

Requirements

Retrieve the API key associated with your account on apivoid.com and provide it as a value for the key parameter.

Nessus

Use Nessus Professional, a popular vulnerability scanner, to scan an IP address or a FQDN. This analyzer works with Nessus 6 or earlier. Tenable removed API access starting from version 7, rendering this analyzer useless with that version.

The analyzer comes in only one flavor.

Requirements

You must have a locally deployed instance of Nessus Professional 6 or earlier to use the analyzer. The scanner must have at least one scan policy defined. You must not scan assets that do not belong to you, unless you really know what you are doing. That is why safeguards were built into the analyzer's configuration.

To configure the analyzer, you must supply the following parameters:

  • url: URL of your Nessus scanner.
  • login: username to log in to the scanner.
  • password: password of your login account.
  • policy: the scan policy to use.
  • ca_bundle: an optional parameter to validate the X.509 certificate of the scanner. This parameter must be omitted if no validation is needed.
  • allowed_networks: a list of networks in CIDR notation that the scanner is allowed to probe.

PassiveTotal

Leverage RiskIQ's PassiveTotal service to gain invaluable insight on observables, identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.

The analyzer comes in the following flavors:

  • PassiveTotal_Enrichment: enrichment lookup.
  • PassiveTotal_Malware: malware lookup.
  • PassiveTotal_Osint: OSINT lookup.
  • PassiveTotal_Passive_Dns: passive DNS lookup.
  • PassiveTotal_Ssl_Certificate_Details: SSL certificate details.
  • PassiveTotal_Ssl_Certificate_History: SSL certificate history lookup.
  • PassiveTotal_Unique_Resolutions: unique resolutions lookup.
  • PassiveTotal_Whois_Details: Whois details lookup.
  • PassiveTotal_Trackers: tracker lookups.
  • PassiveTotal_Host_Pairs: host pair lookups.
  • PassiveTotal_Components: component lookups.

Requirements

You need a PassiveTotal account to obtain the API key which is required to use the analyzer. If you sign up for a Community Edition Account, you'll have a very limited number of queries. You can purchase a PassiveTotal subscription for a higher number of queries per day.

Provide your account's username as the value of the username parameter and the associated API key as value for the key parameter.

PayloadSecurity

Submit files or URLs to an on-premises PayloadSecurity sandbox and fetch the associated reports.

This analyzer comes in only one flavor.

Requirements

Five parameters are required to make the analyzer work:

  • url
  • key
  • secret
  • environmentid
  • verifyssl

Provide the API key as a value for the key parameter and the secret as a value for the secret parameter. The url parameter should be the address of your on-premises service. The environmentid value should also be taken from your custom configuration.

RecordedFuture

Get the latest risk data from RecordedFuture for a hash, domain or an IP address.

This analyzer comes in only one flavor: RecordedFuture.

Requirements

Retrieve the API key associated with your account and provide it as a value for the key parameter.

SecurityTrails

Get Whois and Passive DNS details using SecurityTrails.

The analyzer comes in 2 flavors:

  • SecurityTrails_Passive_Dns: Passive DNS Lookup.
  • SecurityTrails_Whois: Whois Details Lookup.

Requirements

You need a SecurityTrails account to obtain the API key which is required to use the analyzer.

Provide your account's API Key as the value of the api_key parameter.

SoltraEdge

Get information about any observable dataType from a SoltraEdge server.

Requirements

An account and a token from a SoltraEdge server are required to use this analyzer. Provide this information as values of the account, token and base_url parameters.

ThreatGrid

The Cisco Threat Grid analyzer has the following features:

  • Submit a file for analysis
  • Submit a url for analysis
  • Query Threat Grid for a hash (MD5, SHA1, SHA256) and get the highest scoring analysis results
  • Pivot into Threat Grid report to view the analysis
  • Pivot into Threat Grid report to a specific Behavioral Indicator
  • Pivot into Threat Grid report to a specific TCP/IP Stream

The analyzer comes in only one flavor.

Requirements

You must have a Cisco Threat Grid Premium account with API access.

To configure the analyzer, you must supply two parameters:

  • tg_host: hostname of your Threat Grid instance.
  • api_key: API key to authenticate to your Threat Grid instance.

Threat Response

The Cisco Threat Response analyzer has the following features:

  • Query Threat Response for Verdicts and Sightings for:
    • domain
    • filename
    • fqdn
    • hash (MD5, SHA1, SHA256)
    • ip
    • url
  • Pivot into a Threat Response investigation of an observable
  • If the AMP for Endpoints module is configured in Threat Response and the feature is enabled on the analyzer, then whenever a target is returned from the AMP for Endpoints module the analyzer will extract the connector GUIDs as artifacts, enabling seamless use of the AMP for Endpoints responder.

The analyzer comes in only one flavor.

Requirements

You must have a Cisco Threat Response account and a Threat Response API Client ID with the enrich scope.

To configure the analyzer, you must supply three parameters:

  • region: The Threat Response region your account is in (US, EU, APJC).
  • client_id: Threat Response API Client ID with appropriate scopes.
  • client_password: Password for the Threat Response API Client.

Umbrella

Query the Umbrella Reporting API for recent DNS queries and their status, for a domain.

This analyzer comes in only one flavor: Umbrella_Report.

Requirements

Four parameters are required to make the analyzer work:

  • api_key
  • api_secret
  • organization_id
  • query_limit, defaults to 20

Provide the API key as a value for the api_key parameter and the secret as a value to the api_secret parameter. The organization_id parameter should be provided by the Umbrella Admin Console. query_limit is optional, and represents the maximum number of results to return.

VirusTotal

Look up files, URLs and hashes in VirusTotal.

The analyzer comes in two flavors:

  • VirusTotal_GetReport: get the latest VirusTotal report for a file, hash, domain, URL or an IP address.
  • VirusTotal_Scan: scan a file or URL.

Requirements

You need a VirusTotal community account or a Private API subscription, a premium service.

Please note that a community account is highly limited in the number of API queries it can make. If you can afford them, subscribe to the premium services.

Provide the API key associated with your account as a value to the key parameter.

VMRay

Analyze files using the VMRay Analyzer Platform commercial sandbox.

The analyzer comes in only one flavor. It lets you run a file in a local or remote (cloud) VMRay sandbox. The analyzer also lets you check existing analysis reports.

Requirements

You need a VMRay Analyzer Platform to use the analyzer.

To configure the analyzer, provide the URL of the platform as a value for the url parameter and the API key as a value for the key parameter.

To validate the X.509 certificate of your VMRay Analyzer Platform instance, use the certpath parameter.

Free Responders

Redmine

This responder can be used to create an issue in the Redmine ticketing system from a case. It will use the case title as the issue subject and the case description as the issue body.

To set it up in Cortex, you will need:

  • Define a user that allows Cortex to connect to Redmine, with access to the various projects in which issues should be created.
  • Define three custom fields in TheHive that will be used to select the project, the tracker and, optionally, the assignee of the issue. These fields can be free form or can be custom fields with preset values.

Requirements

The following options are required in the Redmine Responder configuration:

  • instance_name: Name of the Redmine instance
  • url: URL where to find the Redmine API
  • username: Username to log into Redmine
  • password: Password to log into Redmine
  • project_field: Name of the custom field containing the Redmine project to use when creating the issue
  • tracker_field: Name of the custom field containing the Redmine tracker to use when creating the issue
  • assignee_field: Name of the custom field containing the Redmine assignee to use when creating the issue
  • reference_field: Name of the case custom field in which to store the opened issue. If not defined, this information will not be stored
  • opening_status: Status used when opening a Redmine issue (if not defined here, the responder will use the default opening status from the Redmine Workflow)
  • closing_task: Closing the task after successfully creating the Redmine issue

Wazuh

This responder performs actions on Wazuh, the open source security monitoring platform. It currently supports ad-hoc firewall blocking of ip observables.

The responder will use the provided wazuh_agent_id (custom field) to call back to the defined Wazuh manager to implement the active response action.

Requirements

The following options are required in the Wazuh Responder configuration:

  • wazuh_manager: The Wazuh manager API address/port
  • wazuh_user: The Wazuh API user
  • wazuh_password: The Wazuh API password

The following custom fields should be created and populated in related records:

  • wazuh_agent_id: The ID of the Wazuh agent that witnessed activity to generate the alert
  • wazuh_alert_id: The Wazuh alert ID generated by the Wazuh manager
  • wazuh_rule_id: The rule ID associated with the Wazuh alert

Palo Alto Minemeld

This responder sends observables you select to a Palo Alto Minemeld instance.

Requirements

The following options are required in the Palo Alto Minemeld Responder configuration:

  • minemeld_url: URL of the Minemeld instance to which you will be posting indicators
  • minemeld_user: user accessing the Minemeld instance
  • minemeld_password: password for the user accessing the Minemeld instance
  • minemeld_indicator_list: name of Minemeld indicator list (already created in Minemeld)
  • minemeld_share_level: share level for indicators (defaults to red)
  • minemeld_confidence: confidence level for indicators (defaults to 100)
  • minemeld_ttl: TTL for indicators (defaults to 86400 seconds)

Subscription and License-based Responders

AMP for Endpoints

The Cisco AMP for Endpoints responder has the following features:

  • Add a SHA256 to a Simple Custom Detection List
    • TheHive's case ID and description are appended to the description
  • Remove a SHA256 from a Simple Custom Detection List
  • Move a connector GUID to a new group
  • Start Host Isolation
    • Can set a custom unlock code, if a custom unlock code isn't provided it is randomly generated
  • Stop Host Isolation

The responder comes in 5 flavors:

  • AMPforEndpoints_IsolationStart: Start Host Isolation.
  • AMPforEndpoints_IsolationStop: Stop Host Isolation.
  • AMPforEndpoints_MoveGUID: Move Connector GUID to a new group.
  • AMPforEndpoints_SCDAdd: Add SHA256 to a Simple Custom Detection List.
  • AMPforEndpoints_SCDRemove: Remove SHA256 from a Simple Custom Detection List.

Requirements

You must have an AMP for Endpoints account and API Credentials with Read/Write API access.

To configure the responder, you must supply five parameters:

  • amp_cloud: The FQDN of the AMP for Endpoints Cloud your account is in.
  • client_id: AMP for Endpoints API Client ID.
  • api_key: Password for the AMP for Endpoints API Client.
  • group_guid: The Group GUID to move connectors into.
  • scd_guid: The GUID of the Simple Custom Detection List to which SHA256s are added and from which they are removed.

Crowdstrike Falcon

Submit observables from alerts and cases to the Crowdstrike Falcon Custom IOC API.

Requirements

To configure the responder, provide the URL of the platform as a value for the falconapi_url parameter, the API user as the falconapi_user parameter and the API key as the falconapi_key parameter.

KnowBe4

This responder integrates TheHive/Cortex with KnowBe4's User Events API. If a mail observable is tagged with the tag specified in the responder's configuration (e.g. phished), then a custom event is added to the associated user's profile in KnowBe4.

Requirements

You must provide:

  • An API key as a value for the api_key parameter to access the User Events API. API documentation to retrieve your key is located at User Event API
  • The appropriate base_url parameter dependent on your geographic location. More information available at User Events API
  • The appropriate hive_url parameter so that TheHive case can be referenced in the KnowBe4 Users' Timeline
  • The appropriate event_type parameter so that Cortex can create the correct type of event in the Users' timeline.

DomainTools Iris Malicious Tags

Add a tag marking the observable and case as malicious, based on the Iris tags short summary from the DomainTools Iris investigate analyzer.

Requirements

To configure the responder, provide a set of values for the monitored_iris_tags parameter.

DomainTools Iris Risky DNS

Add a tag marking the observable and case as containing risky DNS, based on the risk score short summary from the DomainTools Iris investigate analyzer.

Requirements

To configure the responder, provide a value for the high_risk_threshold parameter.

Umbrella Blacklister

Add domains from case observables to the Umbrella blacklist.

Requirements

To configure the responder, provide the URL of the service as a value for the integration_url parameter.