TheHive Project Chefs are pleased to announce the immediate availability of Cortex-Analyzers 1.10.1. To install this new release and benefit from 11 new analyzers and some fixes:
$ cd /path/to/Cortex-Analyzers
$ sudo git pull
$ for I in analyzers/*/requirements.txt; do sudo -H pip2 install -r $I; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -r $I || true; done
After running these commands, read the Analyzer Requirements Guide, log into the Cortex 2 Web UI as an orgAdmin, click on the Refresh Analyzers button, configure the new analyzers and enjoy!
If you are using TheHive, get the latest version of the report templates and import them into TheHive.
We have added 11 analyzers to this release, bringing the total to 53 (83 if we count all the flavors):
- Crtsh: contributed by crackytsi
- Cybercrime-Tracker: contributed by ph34tur3
- FireEye iSIGHT: contributed by Davide Arcuri and Andrea Garavaglia from LDO-CERT
- GreyNoise: contributed by Nclose
- IBM X-Force: contributed by Davide Arcuri and Andrea Garavaglia from LDO-CERT
- Malwares: contributed by Davide Arcuri and Andrea Garavaglia from LDO-CERT
- MnemonicPDNS: contributed by Michael Stensrud from the Nordic Financial CERT
- StaxxSearch: contributed by Robert Nixon
- StopForumSpam: contributed by Marc-André Doll from STARC (by EXAPROBE)
- ThreatCrowd: contributed by Rémi Allain from Cyberprotect
- Unshortenlink: contributed by Rémi Pointel from CERT-BDF
Retrieve from crt.sh the list of certificates logged in Certificate Transparency for a domain name. Crt.sh is an online CT log search service operated by the Comodo Certificate Authority.
The analyzer comes in only one flavor. No configuration is required. It can be used out of the box.
Use the Cybercrime-tracker.net service to assess whether an IP address, URL, domain, or FQDN has a C2 (Command & Control) entry in its database.
This analyzer comes in only one flavor. No configuration is required. It can be used out of the box.
Leverage FireEye iSIGHT Threat Intelligence to qualify domains, IP addresses, hashes and URLs.
This analyzer comes in only one flavor. You need a valid FireEye iSIGHT Threat Intelligence subscription to use it. Retrieve the API key associated with your account and provide it as the value of the key parameter. Obtain the password associated with the API key and provide it as the value of the
Determine whether an IP has known scanning activity using GreyNoise.
This analyzer comes in only one flavor and can be used out of the box without configuration. If you make many requests, however, you need an API key; contact GreyNoise to ask for one. Once you have it, provide it as the value of the
Query domains, IPs, hashes and URLs against IBM X-Force Exchange, IBM's threat intelligence sharing platform.
This analyzer comes in only one flavor. Access to IBM X-Force Exchange requires an IBM ID. Once you have access to the service, supply the URL of the service as the value of the url parameter, the API key associated with your account as the value of the key parameter and the associated password as the value of the
Query Malwares.com and get reports on files, hashes, domain names and IP addresses.
The analyzer comes in two flavors:
- Malwares_GetReport: get the latest Malwares.com report for a file, hash, domain or IP address.
- Malwares_Scan: submit a file or URL for scanning.
You need to sign up for a Malwares.com account and obtain the API key associated with it. Supply it as the value of the
Query IP addresses and domain names against Mnemonic Passive DNS service.
This analyzer comes in two flavors:
- Mnemonic_pDNS_Public: query Mnemonic’s public service.
- Mnemonic_pDNS_Closed: query Mnemonic’s closed service.
When using the public service, the analyzer can be used out of the box with no further configuration. When using the closed service, you need to contact Mnemonic to get an API key which you’ll need to supply as the value of the
Fetch observable details from an Anomali STAXX instance.
This analyzer comes in only one flavor. You need to install an Anomali STAXX instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:
- auth_url: URL of the authentication endpoint.
- query_url: URL of the intelligence endpoint.
- username: the STAXX user name.
- password: the STAXX password.
- cert_check: boolean indicating whether the certificate of the endpoint must be checked or not.
- cert_path: path to the CA on the system to validate the endpoint's certificate if
Query StopForumSpam to check if an IP or email address is a known spammer.
You need to define the thresholds above which the analyzed observable should be marked as
Look up domains, email addresses and IP addresses on [ThreatCrowd](https://www.threatcrowd.org/), a service powered by AlienVault.
This analyzer comes in only one flavor. No configuration is needed. It can be used out of the box.
Follow redirects of shortened URLs to reveal the real ones.
This analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Warning: using this analyzer without extra caution might lead to unexpected consequences. If the URL you are trying to unshorten is attacker-controlled, following it leaves traces of your investigation in the threat actor's infrastructure logs. The maximum TLP that Cortex lets you configure per analyzer (so that it refuses to run on observables marked above the authorized level) won't be of much help here, because Unshortenlink has to access the shortened URL to do anything at all. Please do not activate this analyzer unless you (and your fellow analysts) know what you are doing.
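An added example, not the Cortex Unshortenlink analyzer's own code, of how a practitioner can limit that footprint: resolve the redirect chain one hop at a time with HEAD requests that do not auto-follow, and refuse to contact any host that is not on an explicit allow-list of known URL shorteners. The allow-list, the redirect chain and the host names below are constructed for the example; only the allow-listed shorteners are ever "contacted", so the attacker-controlled destination is reported without being fetched.

```python
"""Hop-by-hop unshortener that only ever contacts allow-listed shortener hosts.

Added example for illustration, not the Cortex Unshortenlink analyzer's code.
The transport is injected so the module runs offline against a constructed chain.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hypothetical allow-list: the only hosts we accept leaving a trace with.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for live HTTP responses: url -> (status, Location header).
# The last hop of the first chain is an invented attacker-controlled landing page.
FAKE_RESPONSES = {
    "https://bit.ly/3abc": (301, "https://t.co/xyz"),
    "https://t.co/xyz": (301, "http://phish.example.net/login?u=victim"),
    "http://phish.example.net/login?u=victim": (200, None),
    "https://tinyurl.com/short": (302, "/landing"),
    "https://tinyurl.com/landing": (200, None),
}


def fake_head(url):
    """Offline transport: pretend to send one HEAD request with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def live_head(url, timeout=10):
    """Real transport: a single HEAD request, redirects disabled (use instead of fake_head)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (thanks to _NoRedirect) and 4xx/5xx land here
        return err.code, err.headers.get("Location")


def unshorten(url, head=fake_head, allowed=KNOWN_SHORTENERS, max_hops=5):
    """Follow redirects one hop at a time, never contacting a host outside `allowed`.

    Returns (last_url, contacted_hosts, fully_resolved). fully_resolved is False
    when the chain stopped because the next hop is not allow-listed (the
    destination is reported but NOT fetched) or because max_hops was reached.
    """
    contacted = []
    current = url
    for _ in range(max_hops):
        host = (urlsplit(current).hostname or "").lower()
        if host not in allowed:
            return current, contacted, False  # stop before touching unknown infrastructure
        contacted.append(host)
        status, location = head(current)
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        return current, contacted, True  # chain ended on an allow-listed host
    return current, contacted, False


if __name__ == "__main__":
    final, hosts, done = unshorten("https://bit.ly/3abc")
    print(f"destination: {final}")
    print(f"hosts contacted: {hosts}, destination fetched: {done}")
```

Swap fake_head for live_head to run this against real shorteners. The design only reduces the footprint: the shortener itself still logs your lookup, and the fully_resolved flag tells the analyst when the last hop was deliberately not fetched, so they can decide whether to detonate it elsewhere.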
- The YARA analyzer had a bug which was fixed in version 1.9.7 of the Cortex-Analyzers repository. If you install 1.10.1, you obviously benefit from the fix 😉
- A permission problem that prevented using the Cuckoo Sandbox analyzer was corrected (thanks Felix Bauer!)
Correction: June 6, 2018
An earlier version of this post stated that GreyNoise needs an API key. That is only necessary above a certain volume of requests. Also, to configure analyzers, you need to be