Amidst the ongoing COVID-19 crisis, we managed to release Cortex-Analyzers 2.6.0, which includes 4 new Analyzers, 2 new Responders, and a large number of bug fixes and improvements.
We’d like to thank all the contributors for their awesome work!
We truly appreciate the time they generously give away for helping our fellow cyberdefenders out there protect their environments against attackers who are also in lockdown mode. Attackers who, instead of playing board games or chess, are playing with our nerves and the hordes of teleworkers who are willing to click on anything that provide the ‘latest and greatest COVID-19 information’ or which can help them do their jobs (like this wonderful ‘Zoon’ video-conferencing application 😋).
What’s New?
New Analyzers
- DomainTools Iris Investigate, contributed by @ChuckWoodraska (#572)
- IntezerCommunity, contributed by @mlodic (#505)
- NSRL, contributed by @dadokkio & @garanews, who are both fresh members of TheHive Project (#712)
- URLScan.io Scan, contributed by @dadokkio & @garanews (#709)
New Responders
- DomainToolsIris_CheckMaliciousTags contributed by @ChuckWoodraska (#588)
- DomainToolsIris_AddRiskyDNSTag contributed by @ChuckWoodraska (#587)
Analyzers
DomainTools Iris
The Investigate flavour was missing from the DomainToolsIris analyzer that was included in Cortex-Analyzers 2.4.0. This is now fixed. This new flavour can be used to gather interesting information on a domain.
TheHive displays the analyzer results as follows:
IntezerCommunity
Intezer Analyze™ is a cloud-based malware analysis service that provides an extensive understanding of any executable file by comparing code on a massive scale to a comprehensive database of malware and trusted software.
This analyzer can be used to submit a file to the Intezer service for analysis.
TheHive displays the analyzer results as follows:
NSRL
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organisations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.
In order to use this analyzer, you must download and extract NSRLFile files from the NIST website. You can pick multiple files but you need to rename them in order to understand which file contains the required information.
The analyzer can operate in 2 different ways with 2 completely different performance profiles (we’re speaking around 30 secs vs 0.05 sec):
- lookup in plain files
- lookup in a database
If you are planning to use this analyzer for many searches, then the second option is suggested and we provide a script to help you parse, validate and insert data in a PostgreSQL database. If you choose this option, consider that the DB size can be around 4 times bigger than plain files.
UrlScan.io
The URLScan.io analyzer has been updated with a new Scan flavour. Until now, this analyzer allowed to request report regarding a url, domain, fqdn observable. With this new flavour, anyone with a valid API key, which can be obtained for free, can request a scan on observables of the same type.
Responders
DomainToolsIris_CheckMaliciousTags
Depending on the reports generated by the DomainToolsIris analyzer, this responder adds a tag at the Case and Observable level if something malicious is found. This responder can be updated to add more custom actions depending on your needs and environment.
DomainToolsIris_AddRiskyDNSTag
Depending on on the reports generated by the DomainToolsIris analyzer, this responder adds a tag at the Case and Observable level if one of the domain observables is considered risky. This responder can be updated to add more custom actions depending on your needs and environment.
Fixes and Improvements
- Improve TalosReputation analyzer (#521)
- MISP WarningList analyzer fixed (#538)
- Error fixed in ThreatCrowd (#518)
- Encoding related bug fixed in Mailer 1_0 (#573)
- API has changed: temporary fix for Crt_sh_Transparency_Logs_1_0 (#594)
- Analyzers missing cortexutils in requirements (#695)
- New mime types for Office documents in FileInfo (#705)
- UmbrellaBlacklister analyzer now support fqdn and url observables (#547)
- URLHaus analyzer support fqdn observables (#556)
- Abuselpdb now support APIv2 (#618)
Get It While Supply Lasts!
If you are still using the old-style way of installing analyzers and responders, run the following commands:
cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
- download the updated package
- log in TheHive using an administrator account
- go to
Admin> Report templates` menu - click on
Import templatesbutton and select the downloaded package
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
TheHive Project 