There’s a new version of Cortex-Analyzers in cybertown and it has an awesome, mind-blowing name and that’s… wait for it… wait for it: 2.1.0.
In this new release, we added two analyzers which bring the total number to more than 120:
- DNSSinkhole, contributed by Andrea Garavaglia (#434)
- TalosReputation, contributed by mgabriel-silva (#427)
We could not properly test DNSSinkhole since we do not have access to the associated service. So we would really appreciate it if you could test it and let us know whether it works or not.
Other analyzers have been fixed or improved:
- Crt.sh (#439), contributed by agix
- EMLParser (#439, #484, #486) contributed by Florent Gaultier and mgabriel-silva
- FileInfo (#464, #465, #475)
- IBM XForce Lookup (#487, #488) contributed by Andrea Garavaglia
- Malwares_GetReport (#470)
- VirusTotal (#446), contributed by Nergie
- Yeti (#477, #478), contributed by siisar
DNSSinkhole
This analyzer lets you check whether an IP address has been registered in your DNS sinkhole. TheHive displays the analyzer results as follows:
TalosReputation
This analyzer lets you determine whether an IP address has been reported as a threat by the Cisco Talos Intelligence service. No special access to the service is required to run the analyzer.
TheHive displays the analyzer results as follows:
Crt.sh
This analyzer has been enriched to display SHA-1 fingerprints. The long report format has been updated to reflect this new information.
FileInfo
FileInfo has been updated and is now able to parse PDF files and extract IOCs such as URLs, hosts, domains, IPs, hashes and many more. The analyzer also supports the latest version of the
VirusTotal and Python3
The VirusTotal analyzer, including all its flavours, now uses Python3 and an updated
Yeti API key
An optional API key can now be configured and used by the Yeti analyzer.
Malwares_GetReport
A hash computation has been fixed in this analyzer.
EMLParser
A first fix prevents the analyzer from crashing when there is no content_header, and a second fix corrects a header display issue.
IBM XForce Lookup
The analyzer has been improved so that a trailing / at the end of the API URL no longer breaks everything.
Updating your Analyzers in Cortex 2.x
Each analyzer and responder ships with its own pip-compatible requirements.txt file. From the root of your Cortex-Analyzers checkout, run the following commands to update your Cortex analyzers and responders to the latest version (the || true keeps the loop going when one requirements file fails to install, so check the pip output for errors):
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r "$I" || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r "$I" || true; done
for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r "$I" || true; done
Once done, do not forget to log in to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.
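The one-liners above swallow every failure with || true, so a broken requirements.txt for one analyzer goes unnoticed until the analyzer fails at run time. The following script is an added example, not part of the Cortex-Analyzers project: it runs the same pip passes but records which requirements files failed and reports them at the end. It assumes it is run from the root of a Cortex-Analyzers checkout (so analyzers/*/requirements.txt and responders/*/requirements.txt exist); the pip command, including any sudo -H prefix, is passed in as an argument, and the log path in UPDATE_LOG is a choice of this example.

```shell
#!/bin/sh
# Added example (not the project's own tooling): update the per-analyzer and
# per-responder Python dependencies and report failures instead of hiding them.
#
# Assumptions (adjust to your install):
#   - run from the root of a Cortex-Analyzers checkout, e.g. /opt/Cortex-Analyzers
#   - PIP_CMD is "sudo -H pip2" for the Python 2 analyzers and "sudo -H pip3"
#     for the Python 3 analyzers and for responders
#   - pip output goes to UPDATE_LOG (hypothetical default below)

UPDATE_LOG=${UPDATE_LOG:-/tmp/cortex-analyzers-update.log}

# update_requirements PIP_CMD DIR
#   Installs every DIR/*/requirements.txt with PIP_CMD, keeps going after a
#   failure, lists the failed files on stderr and returns their count
#   (0 means every requirements file installed cleanly).
update_requirements() {
    pip_cmd=$1
    dir=$2
    failed=0
    failed_files=""
    for req in "$dir"/*/requirements.txt; do
        # An unmatched glob stays literal; skip it rather than feeding it to pip.
        [ -f "$req" ] || continue
        echo "== $pip_cmd install -U -r $req" >>"$UPDATE_LOG"
        # $pip_cmd is deliberately unquoted so that "sudo -H pip3" splits into words.
        if $pip_cmd install -U -r "$req" >>"$UPDATE_LOG" 2>&1; then
            :
        else
            failed=$((failed + 1))
            failed_files="$failed_files $req"
        fi
    done
    if [ "$failed" -ne 0 ]; then
        echo "$failed requirements file(s) failed under $dir (see $UPDATE_LOG):" >&2
        for f in $failed_files; do echo "  $f" >&2; done
    fi
    return "$failed"
}

# Only run the real update when invoked as: sh update-cortex-analyzers.sh --run
if [ "${1:-}" = "--run" ]; then
    total=0
    update_requirements "sudo -H pip2" analyzers  || total=$((total + $?))
    update_requirements "sudo -H pip3" analyzers  || total=$((total + $?))
    update_requirements "sudo -H pip3" responders || total=$((total + $?))
    echo "done: $total requirements file(s) failed; now log in to Cortex as orgadmin and click Refresh Analyzers"
    [ "$total" -eq 0 ] || exit 1
fi
```

The return value of update_requirements is the number of failed requirements files, so the script exits non-zero when anything broke and the offending analyzers are named rather than buried in pip's output. Running pip2 over directories that only contain Python 3 analyzers will report those as failures, as the original one-liners silently would; treat the list as a to-check list rather than as hard errors.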
Cortex 3.x gives you the opportunity to run dockerised analyzers and responders. This means that you no longer have to clone the whole git repository of Cortex-Analyzers and run lengthy commands to update your analyzers and responders.
If you want to use dockerised analyzers and responders, ensure that the URL of the catalog.json file corresponding to the Cortex-Analyzers repository is registered in application.conf. Please note that this won’t work if you are tracking the stable catalog.
After doing so, do not forget to log in to Cortex as an orgadmin, click on the Refresh Analyzers button, then Disable and Enable again each analyzer and responder. Analyzer (and responder) updates should occur automatically as long as docker.autoUpdate is set to true in application.conf (this is the default setting).
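As an added example of the application.conf fragment these steps refer to (not configuration shipped by the project): the analyzer and responder catalog lists and the docker.autoUpdate switch. The key names analyzer.urls and responder.urls are taken from the Cortex 3 documentation as recalled here and should be checked against your version; the two catalog URLs are placeholders that you must replace with the catalog.json URLs published for the Cortex-Analyzers repository, not the stable catalog.

```hocon
# Added example; placeholders below must be replaced with the real catalog URLs.
analyzer {
  urls = [
    "https://example.invalid/Cortex-Analyzers/analyzers/catalog.json"   # placeholder
  ]
}

responder {
  urls = [
    "https://example.invalid/Cortex-Analyzers/responders/catalog.json"  # placeholder
  ]
}

docker {
  # Default. Leave it true so Cortex pulls updated analyzer images itself;
  # set it to false if you pin image versions and update them manually.
  autoUpdate = true
}
```

After editing the file, restart Cortex, log in as an orgadmin, click Refresh Analyzers, and disable then re-enable each analyzer and responder so that the new image definitions are picked up.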
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates into your instance as follows:
- download the updated package
- log in to TheHive using an administrator account
- go to
- click on the Import templates button and select the downloaded package