Cortex now has 30 analyzers thanks to Daniil Yugoslavskiy, Davide Arcuri and Andrea Garavaglia (from LDO-CERT) as well as our longtime friend Sébastien Larinier. Their contributions, all under an AGPLv3 license, add handy ways to assess observables and obtain invaluable insight with an already solid Threat Intelligence and DFIR toolset.
In addition to these 3 new analyzers, v 1.7.0 of the Cortex-Analyzers repository also fixes a number of bugs and adds a few improvements to existing analyzers.
To get the new release, go to your existing Cortex-Analyzers folder and run git pull.
HybridAnalysis
The HybridAnalysis analyzer has been contributed by Daniil Yugoslavskiy. It fetches Hybrid Analysis reports associated with hashes and filenames. This analyzer comes in only one flavor called HybridAnalysis_GetReport.
Requirements
You need to have or create a free Hybrid Analysis account. Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair. Provide the API key as the value of the key parameter and the secret as the value of the secret parameter: add the lines below to the config section of /etc/cortex/application.conf, then restart the cortex service.
HybridAnalysis {
  secret = "mysecret"
  key = "myAPIKEY"
}
When run from TheHive, the analyzer produces short and long reports such as the following:

EmergingThreats
The EmergingThreats analyzer has been submitted by Davide Arcuri and Andrea Garavaglia from LDO-CERT. It leverages Proofpoint’s Emerging Threats Intelligence service to assess the reputation of various observables and obtain additional and valuable information on malware.
The service comes in three flavors:
- EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
- EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
- EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.
Requirements
You need a valid Proofpoint ET Intelligence subscription. Retrieve the API key associated with your account and provide it as the value of the key parameter: add the lines below to the config section of /etc/cortex/application.conf, then restart the cortex service.
EmergingThreats {
  key = "MYETINTELKEYGOESHERE"
}
When run from TheHive, it produces short and long reports such as the following:

Shodan
The Shodan analyzer is the first submission by Sébastien Larinier. It lets you retrieve key Shodan information on domains and IP addresses.
This analyzer comes in two flavors:
- Shodan_Host: get Shodan information on a host.
- Shodan_Search: get Shodan information on a domain.
Requirements
You need to create a Shodan account and retrieve the associated API key. For best results, a Membership-level account is advised, but a free one can be used.
Supply the API key as the value of the key parameter: add the lines below to the config section of /etc/cortex/application.conf, then restart the cortex service.
Shodan {
  key = "myawesomeapikey"
}
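All three analyzers above are configured the same way, so here is an added example (not code from the original post or from the Cortex project): a small Python check to run over /etc/cortex/application.conf before restarting the cortex service. It parses the analyzer blocks, reports missing parameters, and flags blocks that still carry the sample values from this post; the analyzer and parameter names come from the snippets above, and the configuration text in the block is constructed for the demonstration.

```python
import re

# Required parameters per analyzer, taken from the snippets in this post.
REQUIRED = {"HybridAnalysis": ("key", "secret"),
            "EmergingThreats": ("key",), "Shodan": ("key",)}
# Sample values used in this post; they must never reach production.
PLACEHOLDERS = {"mysecret", "myAPIKEY", "MYETINTELKEYGOESHERE", "myawesomeapikey"}
BLOCK_RE = re.compile(r"(\w+)\s*\{([^{}]*)\}", re.S)
FIELD_RE = re.compile(r'(\w+)\s*[=:]\s*"([^"]*)"')

def parse_analyzer_blocks(conf_text):
    """Return {name: {param: value}} for every innermost `Name { ... }` block.
    Only quoted string values are recognised, which is the form used here."""
    return {name: dict(FIELD_RE.findall(body))
            for name, body in BLOCK_RE.findall(conf_text)}

def check_config(conf_text):
    """Return a list of findings; an empty list means all three analyzers
    are present with non-empty, non-placeholder credentials."""
    blocks = parse_analyzer_blocks(conf_text)
    findings = []
    for analyzer, params in REQUIRED.items():
        if analyzer not in blocks:
            findings.append(f"{analyzer}: block missing")
            continue
        for param in params:
            value = blocks[analyzer].get(param, "")
            if not value:
                findings.append(f"{analyzer}: '{param}' missing or empty")
            elif value in PLACEHOLDERS:
                findings.append(f"{analyzer}: '{param}' still set to sample value")
    return findings

# Constructed sample: a config section right after pasting two of the
# snippets from this post, before real credentials were filled in.
SAMPLE_CONF = """
config {
  HybridAnalysis {
    secret = "mysecret"
    key = "myAPIKEY"
  }
  EmergingThreats { key="MYETINTELKEYGOESHERE" }
}
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF):
        print(finding)
```

Because the file holds live API credentials once filled in, keep it readable only by the account the cortex service runs as.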
When run from TheHive, it produces short and long reports such as the following:

Miscellaneous Fixes and Improvements
- #100 : support both Cuckoo versions – by Garavaglia Andrea
- #113 : Cuckoo Analyzer requires final slash – by Garavaglia Andrea
- #93 : VirusTotal URL Scan Bug
- #101 : Missing olefile in MsgParser requirements
- #126 : PhishTank analyzer doesn’t work – by Ilya Glotov
Update TheHive Report Templates
If you are using TheHive, get the latest version of the report templates and import them into TheHive.
Running Into Trouble?
Should you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!