Spring is here and your favorite bees are busy buzzing flowers to prepare you the most palatable honey ever. In the meantime, we are pleased to announce the immediate availability of Cortex-Analyzers 1.16.0, which adds a new responder and three new analyzers to complete an already hefty collection, bringing the total to 117 analyzers and 3 responders!
One responder has been added:
- FalconCustomIOC, contributed by Michael (#421). We don’t know the last name of Michael. That could be Jordan. Who knows?
Three analyzers have been added:
- SoltraEdge, contributed by Mickael Strensrud from NFCERT (#268)
- AbuseIPDB, contributed by Matteo Lodi (#353)
- BackscatterIO, contributed by Brandon Dixon(#420)
We could not duly test some of these additions due to lack of access to the associated services or to our legendary laziness. So we would really appreciate it if you could test them and let us know whether they work or not.
The FalconCustomIOC responder let you submit observables from alerts or cases to Crowdstrike Falcon Custom IOC service.
Crowdstrike Falcon is a paid service. An account and an API key are required to configure and run this responder.
AbuseIPDB analyzer let you determine wether an IP has been reported as malicious or not to the AbuseIPDB web service.
An account and an API key is needed to configure and use this analyzer.
TheHive displays the analyzer results as follows:
The BackscatterIO analyzer lets you query the Backscatter.io service for IPs, networks or autonomous systems (AS). It comes in two flavors:
- BackscatterIO_GetObservations: determine whether an observables has a known scanning activity
- BackscatterIO_Enrichment: enrich your observables with additional information
TheHive displays this analyzer results as follow:
SoltraEdge analyzer lets you query any observable against theSoltra Edge platform.
To configure and use this analyzer, an account, a token key and the base URL of a SoltraEdge server are needed.
TheHive displays this analyzers result as follow:
Get It While Supply Lasts!
Each analyzer and responder comes with its own, pip compatible
requirements.txt file. To update your Cortex analyzers to 1.16.0, run the following commands:
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, do not forget to login to Cortex as an
orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
- download the updated package
- log in TheHive using an administrator account
- go to
- click on
Import templatesbutton and select the downloaded package