diff --git a/analyzers/Axur/README.md b/analyzers/Axur/README.md
new file mode 100644
index 000000000..70a01833d
--- /dev/null
+++ b/analyzers/Axur/README.md
@@ -0,0 +1,104 @@
+### Axur Ioc's analyzer
+
+The Axur IOC Analyzer is a tool for identifying and value potential threats in your data. It uses Axur's services and databases to perform analysis on a variety of data types.
+
+The Analyzer provides an efficient solution to evaluate potential threats by examining various data types including:
+
+* _domain_
+* _url_
+* _ip_
+* _fqdn_
+* _hash_
+
+With the Axur IOC Analyzer, Axur clients have an easy way to make their data environment safer and more secure.
+
+#### Requirements
+You need a valid Axur API key to use the analyzer. Available exclusively to our Axur clients.
+
+- Provide your API key as values for the `api_key` header.
+
+### Return example
+
+```
+{
+ "success": true,
+ "summary": {
+ "taxonomies": [
+ {
+ "level": "suspicious",
+ "namespace": "Axur",
+ "predicate": "IOC_FEED",
+ "value": 2
+ },
+ {
+ "level": "suspicious",
+ "namespace": "Axur",
+ "predicate": "EXPLORE",
+ "value": 1
+ },
+ {
+ "level": "suspicious",
+ "namespace": "Axur",
+ "predicate": "MALICIOUS_URL",
+ "value": 1
+ }
+ ]
+ },
+ "artifacts": [],
+ "operations": [],
+ "full": {
+ "type": "URL",
+ "value": "https://sso.ecometrica.com/accounts/login",
+ "results": [
+ {
+ "source": "IOC_FEED",
+ "score": 2,
+ "hits": 2,
+ "context": [
+ {
+ "tags": [
+ "phishing"
+ ],
+ "detection": 1683945464000,
+ "risk": "UNDEFINED",
+ "platform": "AXUR"
+ },
+ {
+ "tags": [],
+ "detection": 1642009957000,
+ "risk": "MEDIUM",
+ "platform": "AXUR"
+ }
+ ]
+ },
+ {
+ "source": "EXPLORE",
+ "score": 2,
+ "hits": 1,
+ "context": [
+ {
+ "content": "texto",
+ "detection": 1687187006704,
+ "platform": "AXUR"
+ }
+ ]
+ },
+ {
+ "source": "MALICIOUS_URL",
+ "score": 2,
+ "hits": 1,
+ "context": [
+ {
+ "riskLevel": 0.49,
+ "collectorName": "urlscan",
+ "detection": 1687187006704,
+ "ticketStatus": "open",
+ "platform": "AXUR"
+ }
+ ]
+ }
+ ],
+ "searchDate": 1687292305787
+ }
+}
+```
diff --git a/analyzers/Axur/axur_analyzer.json b/analyzers/Axur/axur_analyzer.json
new file mode 100644
index 000000000..b8da62c08
--- /dev/null
+++ b/analyzers/Axur/axur_analyzer.json
@@ -0,0 +1,24 @@
+{
+ "name": "Axur",
+ "author": "Axur",
+ "version": "1.0",
+ "license": "AGPL-V3",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "description": "Search IPs, domains, hashes or URLs on axur.com",
+ "dataTypeList": ["domain", "fqdn", "ip", "url", "hash"],
+ "command": "Axur/axur_analyzer.py",
+ "baseConfig": "Axur",
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "Define the API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://www.axur.com"
+}
diff --git a/analyzers/Axur/axur_analyzer.py b/analyzers/Axur/axur_analyzer.py
new file mode 100644
index 000000000..f1f4160f5
--- /dev/null
+++ b/analyzers/Axur/axur_analyzer.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+from urllib.parse import quote_plus
+import requests
+
+
+class AxurAnalyzer(Analyzer):
+
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.api_key = self.get_param(
+ 'config.api_key', None, 'Missing Axur API key'
+ )
+
+ def run(self):
+ if self.data_type not in ['domain', 'fqdn', 'ip', 'url', 'hash']:
+ self.error('Wrong data type')
+
+ encoded_data = quote_plus(self.get_data())
+ url = f'https://api.axur.com/gateway/1.0/api/ioc-search/search/{self.data_type}/{encoded_data}'
+
+ try:
+ response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'})
+ response.raise_for_status()
+ self.report(response.json())
+ except requests.HTTPError as http_err:
+ self.error('HTTP error occurred: {}'.format(http_err))
+ except Exception as err:
+ self.error('Error occurred: {}'.format(err))
+
+ def summary(self, raw):
+ taxonomies = []
+ levels = ['info', 'safe', 'suspicious', 'malicious']
+
+ for data in raw['results']:
+ level = levels[data.get('score', 0)]
+ taxonomies.append(
+ self.build_taxonomy(level, 'Axur', data['source'], data.get('hits', 0))
+ )
+
+ return {'taxonomies': taxonomies}
+
+
+if __name__ == '__main__':
+ AxurAnalyzer().run()
diff --git a/analyzers/Axur/requirements.txt b/analyzers/Axur/requirements.txt
new file mode 100644
index 000000000..24c10f722
--- /dev/null
+++ b/analyzers/Axur/requirements.txt
@@ -0,0 +1,3 @@
+cortexutils
+requests
+urllib
\ No newline at end of file
diff --git a/thehive-templates/Axur_1_0/long.html b/thehive-templates/Axur_1_0/long.html
new file mode 100644
index 000000000..616858389
--- /dev/null
+++ b/thehive-templates/Axur_1_0/long.html
@@ -0,0 +1,71 @@
+
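Review bot: The `requests.get` call in `run()` has no `timeout=`, so a stalled Axur API endpoint leaves the Cortex job hanging indefinitely instead of failing through `self.error`; `response = requests.get(url, headers={'Authorization': f'Bearer {self.api_key}'}, timeout=30)` bounds it. In `summary()`, `level = levels[data.get('score', 0)]` raises IndexError for any score outside 0–3 (the README example only shows 2) and it runs outside the try block, so one unexpected result fails the whole summary; a guard such as `score = data.get('score', 0)` followed by `level = levels[score] if isinstance(score, int) and 0 <= score < len(levels) else 'info'` keeps it robust. `raw['results']` and `data['source']` likewise raise KeyError on a response that lacks them, where `raw.get('results', [])` and `data.get('source', '-')` would degrade gracefully. The API key is only ever sent in the Authorization header, so the error messages built from `http_err` do not expose it, which is good.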
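Review bot: `urllib` in requirements.txt is not what the analyzer imports: `urllib.parse` ships with the Python standard library, while `pip install urllib` resolves to an unrelated third-party package of that name on PyPI, so this line installs code the analyzer never uses and adds an unnecessary supply-chain dependency. Drop that line and keep only `cortexutils` and `requests`. Pinning those two to known versions would also make the analyzer image reproducible, though the rest of the repository's convention should decide that.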
+
+ Axur IOC Search Results +
+
+
+
+ {{result.source}} +
+
+
+
Source
+
{{result.source || "-"}}
+ +
Hits
+
{{result.hits || "-"}}
+ +
Score
+
{{result.score || "-"}}
+
+ +
+
+ +
+
+
Tags
+
{{context.tags.join(', ') || "-"}}
+ +
Detection
+
{{context.detection || "-"}}
+
+
+ +
+
+
Content
+
{{context.content || "-"}}
+ +
Detection
+
{{context.detection || "-"}}
+
+
+ +
+
+
Risk Level
+
{{context.riskLevel || "-"}}
+ +
Collector Name
+
{{context['collector-name'] || "-"}}
+ +
Detection
+
{{context.detection || "-"}}
+
+
+
+
+
+
+
+ + +
+
+ Error +
+
+ {{content.errorMessage}} +
+
+
diff --git a/thehive-templates/Axur_1_0/short.html b/thehive-templates/Axur_1_0/short.html
new file mode 100644
index 000000000..5fc0dabfb
--- /dev/null
+++ b/thehive-templates/Axur_1_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+
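Review bot: The long template reads `context['collector-name']` for the Collector Name cell, but the response example in the README spells the field `collectorName` and the analyzer passes the API payload through unchanged, so that cell would always render "-" if the README example reflects the real payload; `{{context.collectorName || "-"}}` matches the documented key. The HTML element tags of this hunk were lost in rendering, so the surrounding markup cannot be checked here.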