A few improvements have been introduced in this version:
Proofpoint analyzer has been updated to use python3 (#417)
Long report of Cuckoo Sandbox analyzer has been improved to be able to display Cuckoo v. 2.0.6 reports (#418)
URLhaus analyzer has also been updated to use the recently introduced API (#431)
On your Cortex server, update your analyzers with the following command:
$ cd /opt/Cortex-Analyzers && git pull
$ for I in analyzers/*/requirements.txt; do sudo -H /usr/bin/python2 -m pip install -r $I; done
$ for I in analyzers/*/requirements.txt; do sudo -H /usr/bin/python3 -m pip install -r $I; done
Updating analyzers should be followed by also updating report templates. Download new report templates and add the archive in TheHive report templates.
Detailed information
Cuckoo Sandbox
Thanks to @nicpenning, the Cuckoo analyzer is now able to display reports from version 2.0.6 of Cuckoo. With this version, the remote connections part of the report has been fixed and is now displayed correctly.
The new cuckoo analyzer template
Notice: this fix has been reviewed by our core team; unfortunately, we have not been able to test it.
URLhaus
Abuse.ch, the operator of URLhaus, recently introduced a new API for their service in order to handle bulk queries and reduce costs for their main page, which uses CDNs for delivery. Because of that, thanks to Nils Kuhnert, the URLhaus analyzer has been rewritten from scratch. The templates also changed, because three different API endpoints are now used:
URL template for URLhaus analyzer
Domain and IP template for URLhaus analyzer
Hash template for URLhaus analyzer
The short reports now display the threat type – which is currently always malware_download – and, for the hash observable type, the malware family, if given by URLhaus:
URLhaus analyzer short template for URLs, domains and IPs
URLhaus analyzer short template for hashes
Running Into Trouble?
Should you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
TheHive Project’s Code Chefs are glad to announce that, thanks to the precious contributions of the user community, Cortex has broken the one hundred analyzer mark.
Cortex-Analyzers version 1.14.0 is out and includes new analyzers, some improvements and some bug fixes.
New Analyzers
New and enhanced analyzers, described below, are:
Cisco Investigate by Cisco Umbrella Research @opendns
Datascan and Inetnum flavors in Onyphe analyzer by Pierre Baudry and Adrien Barchapt
Again, huge thanks for the awesome work that has been performed by all our contributors!
Investigate
Cisco Umbrella Investigate provides threat intelligence about domains and IP addresses across the Internet. The analyzer can be used to query the Cisco Umbrella (formerly OpenDNS) API and get information about an IP or a domain name. An API key is required to use this analyzer.
Results are displayed in TheHive in the following manner:
Cisco Investigate: short and long reports
Proofpoint Forensics Lookup
According to Proofpoint’s website, the Forensics API gives insight into detailed forensic evidence about individual threats or campaigns. The analyzer can be used to check observables against the indicators of compromise stored in the Proofpoint service.
Unfortunately, there are currently no sample report screenshots available, because TheHive’s Core Team does not have access to Proofpoint services. Also, due to the same reason, this analyzer could not be tested by us. If you have access to the service and can test the analyzer and/or provide report screenshots, please let us know.
RecordedFuture
This analyzer lets you get the latest risk data from RecordedFuture for a hash, domain or an IP address. It can be used to query the API and get information. An API key is required to use this analyzer.
Results are displayed in TheHive in the following manner:
RecordedFuture: short and long reports
Urlscan.io search
Urlscan.io is a service that scans and analyzes websites. Submitted pages will be browsed like a regular user would do and every activity gets recorded. The analyzer submitted by ninoseki queries urlscan without initiating a scan which would be publicly visible on the website. Accepted datatypes for this analyzer are URL, domain, hash and IP.
The templates which display the results of the analyzer look like the following screenshots:
Urlscan.io: short and long reports
Google DNS over HTTP
This analyzer provides DNS information for an IP, a domain or a FQDN by making calls to Google DNS-over-HTTP (DoH). No API key is required.
Results are displayed in TheHive in the following manner:
Google DNS: short and long reports
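As an added illustration of what such a lookup involves (example code written for this post, not the analyzer's own source), the snippet below builds the Google DoH JSON-API query for a Cortex observable (IPs become PTR lookups on their reverse-pointer name, domains and FQDNs become A lookups), then parses a constructed sample answer into records and a Cortex-style taxonomy summary. The taxonomy levels and the GoogleDNS namespace are assumptions chosen for the example.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Constructed sample of a Google DoH JSON answer body (not a live response).
SAMPLE_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "example.com.", "type": 1}],
    "Answer": [
        {"name": "example.com.", "type": 1, "TTL": 3600, "data": "93.184.216.34"},
    ],
})

# DNS RCODE and RR type numbers as used in the DoH JSON fields.
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPE = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 16: "TXT", 28: "AAAA"}


def build_query_url(data_type, data):
    """Return the Google DoH JSON-API URL for a Cortex observable.
    An IP is resolved as a PTR record on its reverse-pointer name;
    domains and FQDNs are resolved as A records."""
    if data_type == "ip":
        name, rtype = ipaddress.ip_address(data).reverse_pointer, "PTR"
    elif data_type in ("domain", "fqdn"):
        name, rtype = data, "A"
    else:
        raise ValueError("unsupported data type: %s" % data_type)
    return "https://dns.google/resolve?" + urlencode({"name": name, "type": rtype})


def parse_doh_response(raw):
    """Turn a DoH JSON body into records plus a Cortex-style summary."""
    body = json.loads(raw)
    status = RCODE.get(body.get("Status"), "UNKNOWN")
    records = [
        {"name": rr["name"], "type": RRTYPE.get(rr["type"], str(rr["type"])),
         "ttl": rr["TTL"], "data": rr["data"]}
        for rr in body.get("Answer", [])  # absent on NXDOMAIN/SERVFAIL
    ]
    # Taxonomy shape follows what Cortex short templates render:
    # level / namespace / predicate / value. Level mapping is an assumption.
    level = "info" if status == "NOERROR" else "suspicious"
    taxonomies = [
        {"level": level, "namespace": "GoogleDNS", "predicate": "Status", "value": status},
        {"level": "info", "namespace": "GoogleDNS", "predicate": "Records",
         "value": str(len(records))},
    ]
    return {"status": status, "records": records, "summary": {"taxonomies": taxonomies}}
```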
RTF files support in FileInfo
The FileInfo meta analyzer has been improved and now leverages the rtfobj tool provided in the Oletools suite by Decalage.
Results are displayed in TheHive in the following manner:
FileInfo with rtfobj: short and long reports
Datascan and Inetnum flavors in Onyphe analyzer
The Onyphe analyzer has been enhanced with two new flavors. Datascan provides information about known open ports on a specific IP, and Inetnum enumerates all known network information about the analyzed IP address.
An API key is required to use the analyzer and can be obtained by creating an account on the Onyphe website.
Results are displayed in TheHive in the following manner:
Onyphe Inetnum: short and long reports
Onyphe Datascan: long and short reports
Bug fixes and enhancements
#248: Improve error msg when VT Get Report does not have an entry for
#323: Fix an issue with HybridAnalysis analyzer filenames handler
#362: Fix file not found issue and empty result set in CERT.at passive DNS analyzer
Get It While Supply Lasts!
Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.14.0, run the following commands:
cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
Once done, do not forget to log in to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.
Cortex now has 30 analyzers thanks to Daniil Yugoslavskiy, Davide Arcuri and Andrea Garavaglia (from LDO-CERT) as well as our longtime friend Sébastien Larinier. Their contributions, all under an AGPLv3 license, add handy ways to assess observables and obtain invaluable insight to an already solid Threat Intelligence and DFIR toolset.
In addition to these 3 new analyzers, v 1.7.0 of the Cortex-Analyzers repository also fixes a number of bugs and adds a few improvements to existing analyzers.
To get the new release, go to your existing Cortex-Analyzers folder and run git pull.
HybridAnalysis
The HybridAnalysis analyzer has been contributed by Daniil Yugoslavskiy. It fetches Hybrid Analysis reports associated with hashes and filenames. This analyzer comes in only one flavor called HybridAnalysis_GetReport.
Requirements
You need to have or create a free Hybrid Analysis account. Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair. Provide the API key as a value for the key parameter and the secret as a value to the secret parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.
When run from TheHive, the analyzer produces short and long reports such as the following:
TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples
EmergingThreats
The EmergingThreats analyzer has been submitted by Davide Arcuri and Andrea Garavaglia from LDO-CERT. It leverages Proofpoint’s Emerging Threats Intelligence service to assess the reputation of various observables and obtain additional and valuable information on malware.
The service comes in three flavors:
EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.
Requirements
You need a valid Proofpoint ET Intelligence subscription. Retrieve the API key associated with your account and provide it as a value to the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.
EmergingThreats {
key="MYETINTELKEYGOESHERE"
}
When run from TheHive, it produces short and long reports such as the following:
TheHive: EmergingThreats 1.0 Analyzer – Short and Long Report Samples
Shodan
The Shodan analyzer is the first submission by Sébastien Larinier. It lets you retrieve key Shodan information on domains and IP addresses.
This analyzer comes in two flavors:
Shodan_Host: get Shodan information on a host.
Shodan_Search: get Shodan information on a domain.
Requirements
You need to create a Shodan account and retrieve the associated API Key. For best results, it is advised to get a Membership level account, otherwise a free one can be used.
Supply the API key as the value for the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.
Shodan {
key="myawesomeapikey"
}
When run from TheHive, it produces short and long reports such as the following:
TheHive: Shodan 1.0 Analyzer – Short and Long Report Samples
Miscellaneous Fixes and Improvements
#100 : support both Cuckoo versions – by Garavaglia Andrea
#113 : Cuckoo Analyzer requires final slash – by Garavaglia Andrea