Category: Responders

Cortex-Analyzers 2.9.0: Summer Edition!

Swimming
Source: https://m.xkcd.com/2155/

Didn’t you think we were going to holidays without letting few new stuff to play with ? 6 new Analyzers and 1 Responder complete the growing list of Neurons.

A Huge thanks to all the contributors for the great new features, without forgetting the work regarding improvements and bug fixes.

Documentation

Find the complete documentation of Analyzers and Responders at the dedicated website: https://thehive-project.github.io/Cortex-Analyzers/

For each Analyzer and Responder, a page details the purpose of each flavor, the configuration required and even some screenshots from report samples.

New Analyzers

New Responder

Fixes and Improvements

  • Fix a bug in Hashdd_Detail_1_0 analyzer (#831)
  • Fix a bug in PhishingInitiative_Scan_1_0 analyzer (#832)
  • Fix a bug related to dataType in MalwareBazaar_1_0 analyzer (#830)
  • Fix a bug in MISPWarninglists analyzer (#827)
  • Fix a bug in Mailer_1_0 responder (#835)

Analyzers

DomainMailSPFDMARC

This analyzer comes in 1 flavor and let you check SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) status of a domain or fqdn.

TheHive displays the analyzer results as follows:

DomainMailSPFDMARD short report
DomainMailSPFDMARD Long report

ForcepointWebsensePing

Forcepoint URL Filtering provides defenses against productivity draining web content and threats to operations. It ensures organizational productivity by delivering defenses against productivity draining web activity while providing the necessary security in a world of advanced threats.

Using WebsensePing utility is possible to query Master Database URL Categories that contains the industry’s most accurate, current and comprehensive classification of URLs. ForcePoint uses proprietary classification software and human inspection techniques to categorize and maintain definitions of more than 95 URL categories in more than 50 languages.

An active Forcepoint subscription is required to use the analyzer.

TheHive displays the analyzer results as follows:

ForcepointWebsensePing short report samples
ForcepointWebsensePing long report sample

NERD

This analyzer allows to query the NERD (Network Entity Reputation) database, and get score and basic information. Project NERD aims to build an extensive reputation database of known sources of cyber threats. That is, a list of known malicious IP addresses or other network entities (e.g. ASNs or domain names) together with all security-relevant information about each of them.

A valid API key is required to run this analyzer.

TheHive displays the analyzer results as follows:

NERD short report
NERD long report

SekoiaIntelligenceCenter

This analyzer allows you to gather more context related to domain names, IP adresses, urls and file hashes using the SEKOIA.IO Intelligence Database.

An active SEKOIA.IO Intelligence Center subscription is required to use the analyzer.

TheHive displays the analyzer results as follows:

SEKOIAIntelligenceCenter_Indicators long report

Spamassassin

This analyzer let you query a local SpamAssassin instance by sending a file, and get a SPAM score.

Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email). It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

TheHive displays the analyzer results as follows:

Spamassassin short report
Spamassassin long report

Splunk

This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter.

This analyzer comes in 10 flavors:

  • Splunk_Search_Domain_FQDN: Dispatch a list of saved searches on a given domain/fqdn
  • Splunk_Search_File_Filename: Dispatch a list of saved searches on a given file/filename
  • Splunk_Search_Hash: Dispatch a list of saved searches on a given hash
  • Splunk_Search_IP: Dispatch a list of saved searches on a given IP (IPv4 only)
  • Splunk_Search_Mail_Email: Dispatch a list of saved searches on a given mail/email
  • Splunk_Search_Mail_Subject: Dispatch a list of saved searches on a given mail_subject
  • Splunk_Search_Other: Dispatch a list of saved searches on a given data (any type)
  • Splunk_Search_Registry: Dispatch a list of saved searches on a given registry
  • Splunk_Search_URL_URI_Path: Dispatch a list of saved searches on a given url/uri_path
  • Splunk_Search_User_Agent: Dispatch a list of saved searches on a given user_agent
  • Splunk_Search_User: Dispatch a list of saved searches on a given user id (variable name is ‘other’)

A valid Splunk subscription is required to run this analyzer.

TheHive displays the analyzer results as follows:

Splunk_Search_Registry short report
Splunk_Search_Registry long report

Responders

Velociraptor

Velociraptor let you interrogate your endpoint for specific data. Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.

This responder can be used to run a flow for a Velociraptor artifact.  This could include gathering data, or performing initial response.

It can be run on an observable type of ipfqdn, or other, and will look for a matching client via the Velociraptor server. If a client match is found for the last seen IP, or the hostname, the responder will kick off the flow, the results will be returned, and the client ID will be added as a tag to the case and the observable.

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu ( Admin > Analyzer templates in TheHive 4.0)
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Cortex-Analyzers 2.8.0: to infinity and beyond!

Thanks to the community and all the contributors, this release comes with 1 new Analyzer, 2 new Responders, lots of improvements and bug fixes.

But there is more news from the front.

Starting from this milestone, bugfixes and new Analyzers or Responders should be released in a smoother way as we are improving few processes. Some changes and recommandations should appear in the next days for submission, and our release process will be improved to fix bugs easier and release new code faster.

We also plan to offer a better documentation. We already started to publish information regarding each Analyzer and Responder. This is a work in progress, and it will be updated with the current requirements guide.

DomainToolsIris documentation page

For each Analyzer and Responder, a page details the purpose of each flavors, the configuration required and even some screenshots from report samples. It will also allow developers to share their own notes if wanted.

New Analyzers

New Responders

Improvements

  • Refactor Onyphe using new v2 api (#736)
  • Improvement in Shodan: add vulns in template and taxonomies (#772 & #776)
  • Improvement in Mailer responder: tasks support and auth (#764, #737, #379)
  • Improvement in SinkDb: support for new api with new dataTypes supported (#483, #498, #756)

Analyzers

LastInfoSec

LastInfoSec offers innovative and automated solutions to collect data, refine it and turn it into useful and actionable information, quickly available to improve the protection, detection and investigation capabilities of companies and government organizations.

TheHive displays the analyzer results as follows:

Short template for LastInfoSec Report
Long Template for LastInfoSec Report

Onyphe

An important work has been made on Onyphe Analyzer to support APIv2. All 7 flavors from older version have been removed and merged into only one flavor named “Onyphe_Summary”. An API key is still needed to query Onyphe API.

TheHive displays the analyzer results as follows:

Onyphe_Summary short report
Onyphe_Summary long report

Responders

Sendgrid

Sendgrid is a customer communication platform for transactional and marketing email used when you have to ensure that your notifications and transactional emails are delivered quickly and securely.

This analyzer works like the Mailer one, but relying on SendGrid external service to delivery emails.

In order to use the service please follow the instruction being careful to the verify your email address.

VirusTotalDownloader

This responders runs on Observables of type “hash” and allows analyst to download corresponding file from VirusTotal. Once downloaded, the file is added to the current case observables in TheHive.

In order to use this responder, a Premium API key from VirusTotal is needed. An API key from TheHive is also needed to upload the file in the observables list.

Use the responder on the hash to add the sample in your Observables

Fixes and Improvements

  • Fix: some analyzer uses invalid “email” dataType (#799)
  • Fix in MalwareBazaar: wrong dataTypes in config (#794)
  • Fix in PhishTank: the JSON object must be str, not ‘bytes’ (#786)
  • Fix in VMRay: fix error in parsing and workflow (#785 & #784)
  • Fix in Wazuh: ipaddress import missing (#778)
  • Fix in Minemeld Responder: requests missing in requirements (#774)
  • Fix in WOT: moving to new endpoint (#771)
  • DomainTools Iris: update api urls (#760)
  • Fix in ThreatResponse: module_type key removed from response (#759)
  • Fix in Abuse_Finder: pythonwhois dependency (#742)

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates` menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Cortex-Analyzers 2.7.0: 5 Analyzers, 1 Responder

Good morning (or evening if you are on that side of the planet) folks!

We had a very busy week, packed with announcements. First, we released TheHive 4.0-RC2 which you’ve certainly taken to test, then we announced two patch releases for TheHive 3.4. And guess what? Here are some additional Cortex analyzers, a responder and a number of fixes and improvements for existing ones, bringing the total to a whopping 146 analyzers and 18 responders!

New Analyzers

New Responders

Analyzers

ANY.RUN

ANY.RUN is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as:

  • Interactive access
  • Research threats by filter in public submissions
  • File and URL dynamic analysis
  • Mitre ATT&CK mapping
  • Detailed malware reports
ANY.RUN short report
ANY.RUN long report

CyberChef

CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

This analyzer connects to a CyberChef-server and comes in 3 flavors:

  • CyberChef_FromBase64, that takes Base64 strings as input for CyberChef-server
  • CyberChef_FromCharCode, that takes CharCode as input for CyberChef-server and run this recipe
  • CyberChef_FromHex, that takes Hex strings as input for CyberChef-server

TheHive displays the analyzer results as follows:

CyberChef short report
image
CyberChef long report

MalwareBazaar

MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.

This analyzer allows analysts to query the API of this service on observables of types ip, domain, fqdn, url, and hash.

TheHive displays the analyzer results as follows:

MalwareBazaar short report
MalwareBazaar long report

OpenCTI

OpenCTI is an open source platform allowing organisations to manage their Cyber Threat Intelligence knowledge and observables. It has been created in order to structure, store, organise and visualise technical and non-technical information about cyber threats.

This analyzer allows an analyst to query the API and request for information about observables of types domain, ip, url, fqdn, uri_path, user-agent, hash, email, mail, mail_subject, registry, regexp, filename and other.

TheHive displays the analyzer results as follows:

OpenCTI short report
OpenCTI long report

MISPWarningLists reloaded (need for speed aka DB support)

The previous version of this analyzer basically used to clone the MISP Warning lists repository and do a lookup in downloaded files. This can be very long to complete.

This new version introduces the optional support of PostgreSQL:

  • To store warning lists, in a similar way to the NSRL (National Software Reference Library) Analyzer.
  • Make lookups through these lists faster.

If you want to benefit from the performance boost, using a PostgreSQL server to store the data, you can simply install the requirements.txt, feed the database and configure the connection in the configuration as well:

  • First, sync with the misp-warninglists GitHub repository
  • In the analyzer folder, use the program warninglists_create_db.py to import the warning lists in PostgreSQL. Before running, edit the program file and update the path of where your lists are stored (warninglists_path = "misp-warninglists/**/list.json")
  • You can schedule these jobs (ex. with cron): first, sync a folder with the repository, and then run the program to update the database.

Once done, configure the analyzer with the conn parameter to connect to the database, or, if you prefer to continue using the previous behaviour and do your lookups in files, just specify the path of the folder:

MISPWarningList Configuration example

Templates have also been updated, and TheHive displays the analyzer results as follows:

MISPWarningList short report
MISPWarningList long report

Responders

RT4-CreateTicket

RT4 (Request Tracker) is a ticketing system. With this responder, an analyst can create a ticket in RT. CaseID is submitted to RT as a reference.

Unfortunately, like for some other analyzers and responders, we have not been able to test this responder on our side. Please feel free to share your feedback with us and also with Michael Davis, who we would like to thank for the hard work and for having shared this responder with the community.

Fixes and Improvements

  • Fix Inconsistent Key References in Shodan Analyzer (#748)
  • Fix SSL & python3 for Yeti Analyzer (#468 , #708)
  • Fix bug in Emlparser Analyzer (#730)
  • Fix in Shodan Analyzer: Inconsistent Key References (#748)
  • Support python3 in DNSDB Analyzer (#613)
  • Support APIKey for EmailRep Analyzer (#750)
  • Improvement: EmlParser now extracts some useful IOCs (#710)

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates` menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Cortex-Analyzers 2.6.0: 146 Analyzers, 18 Responders

Amidst the ongoing COVID-19 crisis, we managed to release Cortex-Analyzers 2.6.0, which includes 4 new Analyzers, 2 new Responders, and a large number of bug fixes and improvements.

We’d like to thank all the contributors for their awesome work!

We truly appreciate the time they generously give away for helping our fellow cyberdefenders out there protect their environments against attackers who are also in lockdown mode. Attackers who, instead of playing board games or chess, are playing with our nerves and the hordes of teleworkers who are willing to click on anything that provide the ‘latest and greatest COVID-19 information’ or which can help them do their jobs (like this wonderful ‘Zoon’ video-conferencing application 😋).

Les Temps modernes - Film (1936) - SensCritique
Source: senscritique.com

What’s New?

New Analyzers

New Responders

Analyzers

DomainTools Iris

The Investigate flavour was missing from the DomainToolsIris analyzer that was included in Cortex-Analyzers 2.4.0. This is now fixed. This new flavour can be used to gather interesting information on a domain.

TheHive displays the analyzer results as follows:

DomainToolsIris_Investigate short reports
DomainToolsIris_Investigate long report

IntezerCommunity

Intezer Analyze™ is a cloud-based malware analysis service that provides an extensive understanding of any executable file by comparing code on a massive scale to a comprehensive database of malware and trusted software. 

This analyzer can be used to submit a file to the Intezer service for analysis.

TheHive displays the analyzer results as follows:

IntezerCommunity short report
IntezerCommunity long report

NSRL

The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organisations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.

In order to use this analyzer, you must download and extract NSRLFile files from the NIST website. You can pick multiple files but you need to rename them in order to understand which file contains the required information.

All files are called NSRLFile.txt, renaming them permit to understand in which file the record has been found.

The analyzer can operate in 2 different ways with 2 completely different performance profiles (we’re speaking around 30 secs vs 0.05 sec):

  1. lookup in plain files
  2. lookup in a database

If you are planning to use this analyzer for many searches, then the second option is suggested and we provide a script to help you parse, validate and insert data in a PostgreSQL database. If you choose this option, consider that the DB size can be around 4 times bigger than plain files.

NSRL Lookup short template
NSRL Lookup long report

UrlScan.io

The URLScan.io analyzer has been updated with a new Scan flavour. Until now, this analyzer allowed to request report regarding a url, domain, fqdn observable. With this new flavour, anyone with a valid API key, which can be obtained for free, can request a scan on observables of the same type.

UrlScan.io short template
UrlScan.io long template

Responders

DomainToolsIris_CheckMaliciousTags

Depending on the reports generated by the DomainToolsIris analyzer, this responder adds a tag at the Case and Observable level if something malicious is found. This responder can be updated to add more custom actions depending on your needs and environment.

DomainToolsIris_AddRiskyDNSTag

Depending on on the reports generated by the DomainToolsIris analyzer, this responder adds a tag at the Case and Observable level if one of the domain observables is considered risky. This responder can be updated to add more custom actions depending on your needs and environment.

Fixes and Improvements

  • Improve TalosReputation analyzer (#521)
  • MISP WarningList analyzer fixed (#538)
  • Error fixed in ThreatCrowd (#518)
  • Encoding related bug fixed in Mailer 1_0 (#573)
  • API has changed: temporary fix for Crt_sh_Transparency_Logs_1_0 (#594)
  • Analyzers missing cortexutils in requirements (#695)
  • New mime types for Office documents in FileInfo (#705)
  • UmbrellaBlacklister analyzer now support fqdn and url observables (#547)
  • URLHaus analyzer support fqdn observables (#556)
  • Abuselpdb now support APIv2 (#618)

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates` menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Cortex-Analyzers 2.5.0: 142 Analyzers, 16 Responders

Shortly after the release of Cortex-Analyzers 2.4.0, TheHive Project’s code Chefs are happy to announce Cortex-Analyzers 2.5.0, a new Cortex analyzer & responder release which brings the total to 142 analyzers and 16 responders, up from 138 and 10 respectively!

We’d like to thank all the contributors for their precious work which will certainly provide more options to fellow cyber defenders and cyber threat intelligence analysts for improving their efficiency and focus on what really matters.

Source: https://dilbert.com/strip/2007-08-03

What’s New?

New Analyzers

New Responders

Analyzers

Clamav

Clamav is a powerful and open source antivirus engine that allows writing custom signatures using Yara and sigtool. @Hestat contributed with this analyzer that permits to TheHive to communicate with a local clamav-daemon.

A detailed configuration guide is available on Hetstat’s website.

Clamav short report for safe and malicious samples

IPVoid

Contributed by @jdsnape, this analyzer leverages the IP reputation check of apivoid.com, the API of www.ipvoid.com. As you can probably guess by its name, this analyzer can be used to enrich ip observables.

In order to use this analyzer, an account and a valid subscription to apivoid.com are required. An API key needs then to be provided.

TheHive displays the analyzer results as follows:

IPVoid analyzer short report
IPVoid analyzer long report

ThreatResponse

This analyzer lets you leverage the Cisco Threat Response service. Query Threat Response for verdicts and sightings for observables of type domain, filename, fqdn, hash (MD5, SHA1, SHA256), ip and url.

The analyser report lets you pivot into a Threat Response investigation of an observable.

Combining it with AMP for Endpoints Responder

It will extract the connector GUIDs as new observables to enable seamless use of the AMP for Endpoints Responder if a target is returned from the AMP for Endpoints module. It requires the AMP for Endpoints module to be configured in Threat Response.

A valid Cisco ThreatResponse subscription is required, and you have to provide your client ID and password information to use this analyzer.

TheHive displays the analyzer results as follows:

ThreatResponse analyzer short report
ThreatResponser analyzer long report

ThreatGrid

This analyzer queries Cisco Threat Grid for file, url, or hash and deliver analysis report. It also lets you pivot into the Threat Grid report to access more information related to Behavioral indicators or TCP/IP stream.

A valid Cisco Threat Grid subscription is required, and you have to provide hostname and api key to use this analyzer.

TheHive displays the analyzer results as follows:

ThreatGrid analyzer short report
ThreatGrid analyzer long report

Responders

AMPForEndpoints

This responders performs several actions on Cisco AMP for Endpoints. It comes in 5 flavors:

  • AMPforEndpoints_IsolationStart: Start Host Isolation.
  • AMPforEndpoints_IsolationStop: Stop Host Isolation.
  • AMPforEndpoints_MoveGUID: Move Connector GUID to a new group.
  • AMPforEndpoints_SCDAdd: Add SHA256 to a Simple Custom Detection List. TheHive’s case ID and description are appended to the description
  • AMPforEndpoints_SCDRemove: Remove SHA256 from a Simple Custom Detetion List.

A valid Cisco AMP for Endpoints subscription is required, and you have to provide the client id, api key and several context information to use this responder.

Redmine

Redmine is a free and open source, web-based project management and issue tracking tool. It allows users to manage multiple projects and associated subprojects. 

This responder, contribuited by srilumpa, can be used to create an issue in the Redmine ticketing system from a case. It will use the case title as the issue subject and the case description as the issue body.

To set it up in Cortex, you will need:

  • To define a user to allow Cortex to connect to Redmine and with access to the various projects in which issues should be created
  • Define three custom fields in TheHive that will be used to select the project, the tracker and, optionally, the assignee of the issue. These fields can be free form or can be custom fields with preset values.
Custom fields in TheHive for Redmine integration

At the moment the responder has few capabilities. If you need any other integration feel free to discuss on the pull issue.

Cortex responder output and corresponding issue in Redmine

Fixes

  • Umbrella Investigate [#698]

Get It While Supply Lasts!

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates` menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Mum, Docker Docks Don’t Dock Well!

Soon after we released Cortex-Analyzers 2.4.0, Jérôme noticed that something was definitely wrong. And that something was plural.

As he set to retest a few things here and there, he realised that many docker images, for the latest and greatest analyzers and responders, were not automatically built. The code factory wasn’t working 😰

Source: https://www.flickr.com/photos/8021817@N07/6262431675

So he started digging. And the more he dug, the more bugs he discovered. Our user community also reported a few issues. He thought it was about time he opens that bottle of Aloxe-Corton, put a Makaya McCraven album to play on his turntable, and rolls his sleeves to address all these problems headfirst 🍷

After a few hours of intense work, he managed to fix the docker build process and release Cortex-Analyzers 2.4.1, a hotfix that corrects the following issues:

  • [#545] Message extraction using FileInfo doesn’t always work
  • [#610] The VirusTotal analyzer contains a typo which prevents it from running
  • [#614] Many analyzers fail to run due to incorrect permissions
  • [#619] Abuse Finder not working with docker after force usage of python3
  • [#620] Missing library prevented the build of the docker image corresponding to the new MalwareClustering analyzer

Finally, he took the opportunity to rename Palo Alto AUTOFOCUS analyzers to Autofocus, for consistency purposes.

Please refer to our previous blog post, pertaining to Cortex-Analyzers 2.4.0, for update instructions.

Thank you in advance for your understanding and happy cyberfighting! 💪🏼

Cortex-Analyzers 2.4.0: 138 Ways to Analyze, 10 Methods to Respond

Guess what? TheHive Project is still alive and well, as Saâd already mentioned in a previous blog post.

We’ve been certainly very busy lately, preparing the upcoming release of TheHive 4 and doing many other things beside working on our FOSS project. As a result, it took us a rather long time to merge several community contributions and reduce the sizeable pile of pull requests.

We would like to thank our contributors for their patience and we hope the cyberdefenders out there will enjoy the brand new Cortex-Analyzers 2.4.0 release, with many new analyzers, responders and some bug fixes & improvements, bringing the total to a whooping 138 analyzers (counting all flavors) and 10 responders!

Additionally, with this release, all analyzers are now using Python 3. No more Python 2 technodebt!

Photo by Saâd Kadhi

What’s New?

New Analyzers

8 new analyzers have been added to this release:

1 analyzer has new flavors:

New Responders

3 new responders have been added:

Overview of the New Analyzers

DomainToolsIris

This analyzer looks up domain names, IP addresses, e-mail addresses, and SSL hashes using the popular DomainTools Iris service API.

The analyzer comes in 2 flavors:

  • DomainToolsIris_Investigate: use DomainTools Iris API to investigate a domain.
  • DomainToolsIris_Pivot: use DomainTools Iris API to pivot on ssl_hash, ip, or email.

A valid DomainTools API integration subscription is needed to run this analyzer.

TheHive displays the analyzer results as follows:

DomainToolsIris short report
DomainToolsIris long report

EmailRep

The EmailRep analyzer checks the reputation of an email address against the emailrep.io database.

IPInfo

This analyzer accesses IP-centric features provided by ipinfo.io. While the EmailRep API can be used without a token for limited usage, the ipinfo.io analyzer requires the configuration of an API token before use.

Maltiverse

This analyzer lets you query the free Maltiverse Threat Intelligence platform for enrichment information about a particular hash, domain, ip or url.

TheHive displays the analyzer results as follows:

Maltiverse short report
Maltiverse long report

MalwareClustering

Andrea Garavaglia contributed this one a long time ago and we finally merged it into the Cortex-Analyzers repository. Andrea gave a talk about the background of this analyzer at the fourth MISP summit. You can watch it here.

Screenshots of the Malware Clustering analyzer, by Andrea Garavaglia

In order to use the analyzer, you need to point it to a Neo4j server (you need to supply the host, port, login & password).

PaloAlto Autofocus

This analyzer lets you leverage PaloAlto Autofocus services. Provided you are an Autofocus customer and you have access to their API, you need to configure the analyzer with your username and a token key.

The analyzer comes with 3 flavors:

  • AUTOFOCUS_GetSampleAnalysis lets you request a full report for a given hash.
  • AUTOFOCUS_SearchIOC lets you research for samples linked to specific IoCs with datatypes like domain, fqdn, user-agent, imphash, ip, mutex, tag and url. Please note that mutex and tag are not default datatypes in TheHive. You need to create them in TheHive before you can leverage them.
  • AUTOFOCUS_SearchJSON lets you research for samples based on a complex JSON query.

Important: TheHive has no templates corresponding to this analyzer have been published yet. They will be provided in the near future.

SpamhausDBL

This analyzer performs reputation lookups of a domain or a fqdn against Spamhaus Domain Block List (DBL).

TheHive displays the analyzer results as follows:

SpamhausDBL short report
SpamhausDBL long report

TeamCymruMHR

This analyzer queries Team Cymru’s Malware Hash Registry for known malware hashes (MD5 or SHA-1). If it is malware and known by the service, it returns the last time it has been seen along with an approximate anti-virus detection percentage.

Overview of the New Responders

KnowBe4

This responder allows the integration between TheHive/Cortex and KnowBe4’s User Events API.
If a mail observable is tagged with a specified tag, corresponding to the responder’s configuration (e.g. phished), then the associated user will have a custom event added to their profile in KnowBe4.

A valid account on KnowBe4 and an API key are required to run this responder.

Minemeld

This responder sends observables you select to a Palo Alto Minemeld instance.

To run this responder, a MineMeld Threat Intelligence Sharing account is needed.

Wazuh

This responder performs actions on Wazuh, the open source security monitoring platform. It currently supports ad-hoc firewall blocking of ip observables.

Improvements

New PassiveTotal flavors

Thanks to Brandon Dixon, the PassiveTotal analyzer gains 3 new flavors, bringing the total to 11:

  • PassiveTotal_Trackers let you make tracker lookups on observables of type domain, fqdn and ip.
  • PassiveTotal_Host_Pairs let you make host pair lookups on observables of type domain, fqdn and ip.
  • PassiveTotal_Components lets you make components lookup on observables of type domain, fqdn and ip.

They come with their own report templates.

GreyNoise Analyzer

The analyzer has been updated to support GreyNoise API v2, thanks to the contribution of Whitney Champion (#562).

New Data Types Supported by Some Analyzers

  • VirusTotal_GetReporthas been updated to allow requests for observables of type fqdn.
  • Threatcrowd has been updated to allow requests for observables of type domain.
  • Shodan has been updated to allow requests for observables of type fqdn.

Fixes

  • [#602] The MISP analyzer was bumped to version 2.1 and is ready to use PyMISP 2.4.120.

Get It While Supply Lasts!

I’m Hype

If you are using the dockerized analyzers & responders, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button.

I’m Country

If you are still using the old-style way of installing analyzers and responders, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an orgadmin and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

A Short Story of Getting Work Done: TheHive 3.3.0

Some of our die-hard fans noticed that we silently released TheHive 3.3.0 a few days ago, after six release candidates. Well. Silently won’t be the right word to use in this case as we are drowning under work and feature requests and we sometimes postpone communication in favour of getting true real work done.

So, without any further ado, we are happy to announce the official availability of our latest (and of course greatest) release of the most-advanced, next-gen, HI (Human Intelligence), gluten-free, (add here any keyword that you fancy to help us get the Gartner attention and land in the Magic Quadrant™), free and open source Security Incident Response Platform Security Orchestration Automation & Response Platform.

As stated earlier, TheHive 3.3.0 went through the largest number of release candidates to date in order to ensure it contains more features than bugs (or unexpected functionality as our dear Nabil call them sometimes).

Since RC5 which we have blogged about on Feb 26, 2019, below is an outline of the changes we made. Check TheHive Installation Guide for installation instructions.

The new Related Alerts tab in Case View introduced in 3.3.0-RC5

Fixed Issues

  • #899: fix a crashing issue encountered with Firefox
  • #907: dynamic (auto-refresh) of cases was broken in 3.3.0-RC5
  • #930: merging cases by CaseID was broken

Implemented Enhancements

  • #666: add support for filtering tags by prefix and wildcard search
  • #901: remove the possibility of creating cases from scratch (i.e. empty cases) when explicitly disabled by an admin
  • #908: add support for text-based widgets to the dashboards
  • #912: responders can now add tags to alerts when triggered thanks to the new AddTagToAlert operation

Looking for Help?

Something does not work as expected? Then please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org.

Since You are Here

TheHive and Cortex are a huge success. According to our estimates, there are about a hundred organisations of different sizes and locations using or testing them. And as the number of users grows, so does the number of features, professional service and support requests. 

We tried finding a solution to keep TheHive Project as healthy as possible. So we created Creative Source, a nonprofit organisation (NPO), in the hope that we could leverage it to hire more developers thanks to the generous donations of our large user community. Sadly, not everyone in this world is generous and altruistic. At the end, all but one company (yes, exactly one) trusted us enough to make a donation and get tailored services for its needs in return. Most of the others either did not reply to our proposals or explained that their procurement process does not accommodate working with NPOs.

As we informed you a few weeks ago, some members of our core team are finalising an alternative option to ensure not only the viability of TheHive and Cortex as FOSS products on the long run but the ability to provide professional training, support, and services without making highly bureaucratic, think-in-the-box-but-never-outside procurement departments freak out.

Expect to hear from us soon…

On Spring, Bees and Cortex-Analyzers 1.16.0

Spring is here and your favorite bees are busy buzzing flowers to prepare you the most palatable honey ever. In the meantime, we are pleased to announce the immediate availability of Cortex-Analyzers 1.16.0, which adds a new responder and three new analyzers to complete an already hefty collection, bringing the total to 117 analyzers and 3 responders!

Release Overview

One responder has been added:

  • FalconCustomIOC, contributed by Michael (#421). We don’t know the last name of Michael. That could be Jordan. Who knows?

Three analyzers have been added:

We could not duly test some of these additions due to lack of access to the associated services or to our legendary laziness. So we would really appreciate it if you could test them and let us know whether they work or not.

FalconCustomIOC

The FalconCustomIOC responder let you submit observables from alerts or cases to Crowdstrike Falcon Custom IOC service.

Crowdstrike Falcon is a paid service. An account and an API key are required to configure and run this responder.

AbuseIPDB

AbuseIPDB analyzer let you determine wether an IP has been reported as malicious or not to the AbuseIPDB web service.

An account and an API key is needed to configure and use this analyzer.

TheHive displays the analyzer results as follows:

AbuseIPDB: short report
AbuseIPDB: long report

BackscatterIO

The BackscatterIO analyzer lets you query the Backscatter.io service for IPs, networks or autonomous systems (AS). It comes in two flavors:

  • BackscatterIO_GetObservations: determine whether an observables has a known scanning activity
  • BackscatterIO_Enrichment: enrich your observables with additional information

TheHive displays this analyzer results as follow:

Backscatter.io:short report
Backscatter.io GetObservations: long report
Bascatter.io GetObservations: long report

SoltraEdge

SoltraEdge analyzer lets you query any observable against theSoltra Edge platform.

To configure and use this analyzer, an account, a token key and the base URL of a SoltraEdge server are needed.

TheHive displays this analyzers result as follow:

SoltraEdge: short report
SoltraEdge: long report

Get It While Supply Lasts!

Each analyzer and responder comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.16.0, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

The Dockerization Will not be Televised

Do you know what the following set of commands achieve?

$ cd /opt/Cortex-Analyzers
$ sudo git pull
$ for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip2 install -U -r $I; done \
&& for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip3 install -U \
-r $I || true; done

The answer is obvious Doctor Watson, right? These highly readable commands (pun intended) allow you to update your Cortex analyzers and responders to the latest stable versions, downloading new ones in the process, going over all the Python 2 and Python 3 dependencies to install the missing ones and upgrade the old ones to make sure they work correctly. These operations take quite a long time and cause some headaches in the process (Hello, I have Python 3.X and this dependency is no longer required, or Hi, I have an old version of Python 2 and it seems I need this other dependency).

And if you are lucky enough to get it running smoothly, you are still not done as you need to log in to the Cortex UI as an organisation administrator (unlike TheHive, Cortex supports multi-tenancy), click on the Refresh analyzers button under Organization > Analyzers then go to Organization > Responders and click on Refresh responders.

So while the answer to the opening question might be simple, updating analyzers and responders is far from being straightforward, to say the least, even if we forget the ugly fact that both are stored in a repository “conveniently” named Cortex-Analyzers*:

thehive@thehive-training:/opt/Cortex-Analyzers$ ls -d a* r*
analyzers  responders

Unnecessary Complexity Must Die

Your lovely, hard-working bees hate unnecessary complexity. Our project’s front page blatantly states our mission to bring Security Incident Response to the masses. And we have to stand by our words even if TheHive and Cortex are free, open source solutions and we do not gain anything from them save for the huge satisfaction of helping our fellow incident handlers level the fight against cybercriminals & all kinds of other animals of the APT (Advanced Persistent Troll Threat) bestiary.

There is only one possible solution: simplify the installation and update process of the current, official 115 analyzers and responders we have as of this writing, the future ones and any private or unofficial ones written in other programming languages such as those developed in Go by Rosetelecom-CERT.

Docker all the Things!

Starting from Cortex 3.0, the next major release of your favourite analysis and active response engine, all analyzers and responders will be dockerized. It will no longer be necessary to install them along with their various dependencies. They will be dowloaded from our cortexengine Docker organisation. Sysadmins might also configure automatic updates.

As a side advantage of using Docker, analyzers, and responders will also be isolated from each other which gives more flexibility and possibilities.

© Steve Simson. This artwork and the title of this blog post are inspired by The Revolution will not be televised, a song from the late and great Gil Scott-Heron.

For those users who have private, custom analyzers and responders that they don’t want or can’t share with the community, several options will be available:

  • Continue managing their analyzers and responders in the same way as currently supported by Cortex 2 (i.e. launch them as processes, with no isolation whatsoever).
  • Dockerize them and store them locally on their Cortex instance.
  • Dockerize them and publish them on a Docker registry, either the official one or a private registry.

A Docker image of Cortex 3 will still be provided. It will contain a Docker engine to launch dockerized analyzers and responders using DIND (Docker in Docker).

It won’t be necessary to modify the code of the current, official analyzers and responders. A drone job will monitor the analyzer and responder repository and automatically build docker images when it detects changes.

The Cortex Web interface will be slightly modified to accommodate the whole process and allow adding in-house/private Certificate Authorities to allow Cortex to smoothly perform updates in those corporate environments where TLS/SSL inspection is enabled.

Nice Movie Trailer. When is it Coming to a Theatre near me?

We are working hard to get Cortex 3 out of the oven in Q1 (of this year, yes). We will reach out to you, dear reader, in due time, to help us test it and refine it before putting it on the digital shelf for free, as usual. We will provide a smooth migration path in order to move safely your current analyzers and responders and their configuration to Cortex 3.

So to paraphrase the late and great Gil Scott-Heron:

The dockerization will not be televised

The dockerization will not be televised

The dockerization will be live.

Since you are here

The success of TheHive and Cortex continue to grow, far more than we initially foresaw. As far as we know, there are about a hundred organisations of different sizes and locations using or testing them. And as the number of users grows, so does the number of features, professional service and support requests.

We have tried addressing these requests through Creative Source, a nonprofit organisation (NPO). All but one company trusted us enough to make a donation and get tailored services for its needs in return. Most of the others either did not reply to our proposals or explained that their procurement process does not accommodate working with NPOs.

Some members of our core team are actively working on alternative options to ensure not only the viability of TheHive and Cortex as FOSS products on the long run but the ability to provide professional training, support, and services without freaking out highly bureaucratic, think-in-the-box-but-never-outside procurement departments.

Stay tuned 🐝


(*) When the idea behind Cortex was born into our hive mind, we did not initially think about active response capabilities. So we naturally called the repository which was supposed to contain analyzers Cortex-Analyzers . When, at a later stage, we added responders, we put them in the same repository for obvious laziness pretences  ¯\_(ツ)_/¯.

Correction: February 15, 2019
Typographical errors have been corrected. Some rewording has been made for the sake of clarity.