
AlienVault OTX Analyzer #39

Merged
merged 3 commits into from
Dec 21, 2016

Conversation

ecapuano

Slightly more involved analyzer to query AlienVault OTX for related Pulses as well as indicator enrichment.

Can analyze ip, domain, url, and file/hash. Adds a short report that reveals how many related Pulses exist for the observable.

I feel like I might've overcomplicated it in Python, but it's the best I could do. If anyone has any pointers or improvements, please let me know. I am certain the reports could be done better, but the relevant info is displayed when present.

A free OTX API key will need to be added to application.conf:

analyzer {
  # Directory that holds analyzers
  path = analyzers
  # Analyzer configuration
  config {
    OTXQuery {
      key = "<api key>"
    }
  }
}

Sample short reports...

An observable with one or more matching OTX Pulses

And with no matching Pulses

Some sample long reports...

A file/hash query that matched an existing OTX Pulse

A URL query that returned other related URLs

A file/hash query with no Pulses, but analysis info

A domain query that returned passive DNS records

Basic error handling
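The core of what this PR describes, as an added example that is not the PR's own code: map each observable type to its OTX DirectConnect v1 `/general` endpoint, send the key in the `X-OTX-API-KEY` header, and reduce the `pulse_info` block of the response to the pulse-count short report. The result shape (`pulse_count`, `pulse_names`, `level`) is an assumption of this example, as is the constructed sample response.

```python
import json
import urllib.parse
import urllib.request

# OTX v1 indicator sections per observable type; the "general" section carries
# the pulse_info block. The type names on the left are this example's own.
_OTX_SECTION = {"ip": "IPv4", "domain": "domain", "url": "url", "hash": "file"}
OTX_BASE = "https://otx.alienvault.com/api/v1/indicators"


def otx_general_url(data_type: str, value: str) -> str:
    """Build the /general URL for an observable; unsupported types raise."""
    try:
        section = _OTX_SECTION[data_type]
    except KeyError:
        raise ValueError(f"unsupported observable type: {data_type}") from None
    return f"{OTX_BASE}/{section}/{urllib.parse.quote(value, safe='')}/general"


def fetch_general(data_type: str, value: str, api_key: str, timeout: int = 10) -> dict:
    """Live lookup (not exercised offline): key from application.conf goes in the header."""
    req = urllib.request.Request(otx_general_url(data_type, value),
                                 headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def short_report(general: dict) -> dict:
    """Reduce a /general response to the 'how many related Pulses' summary."""
    pulse_info = general.get("pulse_info") or {}   # absent when nothing references it
    count = int(pulse_info.get("count", 0))
    names = [p.get("name", "") for p in pulse_info.get("pulses", [])][:5]
    return {
        "pulse_count": count,
        "pulse_names": names,
        # Pulse membership is a lead, not proof of malice (benign domains such as
        # google.com appear in pulses too), so the level stops at "suspicious".
        "level": "suspicious" if count else "info",
    }


# Constructed sample shaped like an OTX /general response for a domain.
SAMPLE_GENERAL = {
    "indicator": "example.com",
    "type": "domain",
    "pulse_info": {"count": 2, "pulses": [{"name": "Constructed pulse A"},
                                         {"name": "Constructed pulse B"}]},
}

if __name__ == "__main__":
    print(json.dumps(short_report(SAMPLE_GENERAL), indent=2))
```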

@ecapuano ecapuano mentioned this pull request Nov 24, 2016
jeromeleonard added a commit that referenced this pull request Dec 10, 2016
jeromeleonard added a commit that referenced this pull request Dec 12, 2016
…t refer to malicious content (ex: google.com)
@jeromeleonard jeromeleonard merged commit 6fe0386 into TheHive-Project:develop Dec 21, 2016
@nadouani nadouani added this to the 2.10.0 milestone Jan 31, 2017