Merge branch 'release/3.5.20'

Author: nusantara-self

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [3.5.19](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.19) (2025-07-24)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.18...3.5.19)
+
+**Merged pull requests:**
+
+- JA4 FoxIO - JA4 fingerprint analyzer [\#1364](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1364) ([nusantara-self](https://github.com/nusantara-self))
+- Gatewatcher - Add new features [\#1363](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1363) ([remydewaGW](https://github.com/remydewaGW))
+- URLHaus - Add API Key requirement [\#1362](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1362) ([Lohuss](https://github.com/Lohuss))
+
 ## [3.5.18](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.18) (2025-06-23)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.17...3.5.18)

analyzers/CIRCLVulnerabilityLookup/CIRCLVulnerabilityLookup.json

@@ -31,7 +31,7 @@
   "registration_required": true,
   "subscription_required": false,
   "free_subscription": true,
-  "serviceHomepage": "https://www.vulnerability-lookup.org/",
+  "service_homepage": "https://www.vulnerability-lookup.org/",
   "service_logo": {
     "path": "assets/circl_vulnerabilitylookup.png",
     "caption": "CIRCL Vulnerability Lookup logo"

analyzers/FoxIO/JA4_FoxIO.py

@@ -35,9 +35,9 @@ def run(self):
                     "ja4tscan_fingerprint"
                     ]
 
-            for item in jsoned:
-                if any(self.data == item.get(field) for field in fingerprint_fields):
-                    report_content.append(item)
+                for item in jsoned:
+                    if any(self.data == item.get(field) for field in fingerprint_fields):
+                        report_content.append(item)
 
             self.report({"report": report_content})
 
@@ -57,4 +57,4 @@ def summary(self, report_content):
 
 
 if __name__ == "__main__":
-    JA4_FoxIO().run()
+    JA4_FoxIO().run()

thehive-templates/DomainMailSPFDMARC_1_1/long.html

@@ -11,7 +11,10 @@ <h4 class="panel-title">Domain SPF & DMARC Information: <strong>{{artifact.data}
                     <dt>Base Domain:</dt>
                     <dd>{{content.DomainMailSPFDMARC.base_domain}}</dd>
                     <dt>DNSSEC:</dt>
-                    <dd>{{content.DomainMailSPFDMARC.dnssec}}</dd>
+                    <dd>
+                        <span ng-if="content.DomainMailSPFDMARC.dnssec">&#10003;</span>
+                        <span ng-if="!content.DomainMailSPFDMARC.dnssec">&#10007;</span>
+                    </dd>
                 </dl>
             </div>
             <div class="col-md-6">
@@ -21,37 +24,119 @@ <h4 class="panel-title">Domain SPF & DMARC Information: <strong>{{artifact.data}
                 </dl>
                 <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.ns.warnings.length">
                     <dt>NS Warnings:</dt>
-                    <dd><pre>{{content.DomainMailSPFDMARC.ns.warnings.join('\n')}}</pre></dd>
-                </dl>
-                <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.mx.hosts.length">
-                    <dt>MX Hosts:</dt>
-                    <dd>{{content.DomainMailSPFDMARC.mx.hosts.join(', ')}}</dd>
-                </dl>
-                <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.mx.warnings.length">
-                    <dt>MX Warnings:</dt>
-                    <dd><pre>{{content.DomainMailSPFDMARC.mx.warnings.join('\n')}}</pre></dd>
+                    <dd>
+                        <pre>{{content.DomainMailSPFDMARC.ns.warnings.join('\n')}}</pre>
+                    </dd>
                 </dl>
             </div>
         </div>
 
+        <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.mx.hosts.length">
+            <dt>MX Hosts:</dt>
+            <dd>
+                <table class="table table-striped">
+                    <thead>
+                        <tr>
+                            <th>Preference</th>
+                            <th>Hostname</th>
+                            <th>Addresses</th>
+                            <th>DNSSEC</th>
+                            <th>TLS</th>
+                            <th>STARTTLS</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <tr ng-repeat="mx in content.DomainMailSPFDMARC.mx.hosts">
+                            <td>{{mx.preference}}</td>
+                            <td>{{mx.hostname}}</td>
+                            <td>{{mx.addresses.join(', ')}}</td>
+                            <td>
+                                <span ng-if="mx.dnssec">&#10003;</span>
+                                <span ng-if="!mx.dnssec">&#10007;</span>
+                            </td>
+                            <td>
+                                <span ng-if="mx.tls">&#10003;</span>
+                                <span ng-if="!mx.tls">&#10007;</span>
+                            </td>
+                            <td>
+                                <span ng-if="mx.starttls">&#10003;</span>
+                                <span ng-if="!mx.starttls">&#10007;</span>
+                            </td>
+                        </tr>
+                    </tbody>
+                </table>
+            </dd>
+        </dl>
+        <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.mx.warnings.length">
+            <dt>MX Warnings:</dt>
+            <dd>
+                <pre>{{content.DomainMailSPFDMARC.mx.warnings.join('\n')}}</pre>
+            </dd>
+        </dl>
+
         <hr>
 
         <h4 class="text-info">SPF Record</h4>
         <dl class="dl-horizontal">
             <dt>Record:</dt>
-            <dd>{{content.DomainMailSPFDMARC.spf.record}}</dd>
+            <dd><code>{{content.DomainMailSPFDMARC.spf.record}}</code></dd>
             <dt>Valid:</dt>
             <dd>{{content.DomainMailSPFDMARC.spf.valid}}</dd>
             <dt>Error:</dt>
             <dd>{{content.DomainMailSPFDMARC.spf.error || 'None'}}</dd>
+
+            <dt>DNS Lookups:</dt>
+            <dd>
+                {{content.DomainMailSPFDMARC.spf.dns_lookups}}
+                <span ng-if="content.DomainMailSPFDMARC.spf.dns_lookups > 10" class="text-danger">⚠ Too many
+                    lookups</span>
+            </dd>
+            <dt>Void Lookups:</dt>
+            <dd>{{content.DomainMailSPFDMARC.spf.dns_void_lookups}}</dd>
+
         </dl>
 
+        <div ng-if="content.DomainMailSPFDMARC.spf.parsed">
+            <h5 style="cursor: pointer;" ng-click="spfDetailsVisible = !spfDetailsVisible">
+                <span class="text-info">SPF Parsed Tree</span>
+                <span class="pull-right">
+                    <span ng-if="!spfDetailsVisible">[+]</span>
+                    <span ng-if="spfDetailsVisible">[−]</span>
+                </span>
+            </h5>
+            <div ng-show="spfDetailsVisible" style="margin-top:10px;">
+                <table class="table table-bordered table-condensed">
+                    <thead>
+                        <tr>
+                            <th>Mechanism</th>
+                            <th>Value</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <tr ng-repeat="entry in content.DomainMailSPFDMARC.spf.parsed.pass">
+                            <td>pass ({{entry.mechanism}})</td>
+                            <td>{{entry.value}}</td>
+                        </tr>
+                        <tr ng-repeat="entry in content.DomainMailSPFDMARC.spf.parsed.include">
+                            <td>include</td>
+                            <td>{{entry.domain}}</td>
+                        </tr>
+                        <tr ng-if="content.DomainMailSPFDMARC.spf.parsed.all">
+                            <td>all</td>
+                            <td>{{content.DomainMailSPFDMARC.spf.parsed.all}}</td>
+                        </tr>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+
+
         <hr>
 
         <h4 class="text-info">DMARC Record</h4>
         <dl class="dl-horizontal">
             <dt>Record:</dt>
-            <dd>{{content.DomainMailSPFDMARC.dmarc.record}}</dd>
+            <dd><code>{{content.DomainMailSPFDMARC.dmarc.record}}</code></dd>
             <dt>Valid:</dt>
             <dd>{{content.DomainMailSPFDMARC.dmarc.valid}}</dd>
             <dt>Error:</dt>
@@ -61,7 +146,9 @@ <h4 class="text-info">DMARC Record</h4>
         </dl>
         <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.dmarc.warnings.length">
             <dt>Warnings:</dt>
-            <dd><pre>{{content.DomainMailSPFDMARC.dmarc.warnings.join('\n')}}</pre></dd>
+            <dd>
+                <pre>{{content.DomainMailSPFDMARC.dmarc.warnings.join('\n')}}</pre>
+            </dd>
         </dl>
 
         <hr>
@@ -78,11 +165,59 @@ <h4 class="text-info">DMARC Tags</h4>
             <tbody>
                 <tr ng-repeat="(tag, value) in content.DomainMailSPFDMARC.dmarc.tags">
                     <td>{{tag}}</td>
-                    <td>{{value.value}}</td>
+                    <td>
+                        <span ng-if="tag === 'p'" ng-class="{
+                        'text-success': value.value === 'reject',
+                        'text-warning': value.value === 'quarantine',
+                        'text-danger': value.value === 'none'
+                      }">{{value.value}}</span>
+                        <span ng-if="tag !== 'p'">{{value.value}}</span>
+                    </td>
                     <td>{{value.explicit ? 'Yes' : 'No'}}</td>
                 </tr>
             </tbody>
         </table>
+
+        <hr>
+
+        <h4 class="text-info">MTA-STS</h4>
+        <dl class="dl-horizontal">
+            <dt>Valid:</dt>
+            <dd>{{content.DomainMailSPFDMARC.mta_sts.valid ? 'Yes' : 'No'}}</dd>
+            <dt>Error:</dt>
+            <dd>{{content.DomainMailSPFDMARC.mta_sts.error || 'None'}}</dd>
+        </dl>
+
+        <hr>
+
+        <h4 class="text-info">SMTP TLS Reporting</h4>
+        <dl class="dl-horizontal">
+            <dt>Valid:</dt>
+            <dd>{{content.DomainMailSPFDMARC.smtp_tls_reporting.valid ? 'Yes' : 'No'}}</dd>
+            <dt>Error:</dt>
+            <dd>{{content.DomainMailSPFDMARC.smtp_tls_reporting.error || 'None'}}</dd>
+        </dl>
+
+        <hr>
+
+        <h4 class="text-info">BIMI</h4>
+        <dl class="dl-horizontal">
+            <dt>Record:</dt>
+            <dd><code>{{content.DomainMailSPFDMARC.bimi.record}}</code></dd>
+            <dt>Valid:</dt>
+            <dd>{{content.DomainMailSPFDMARC.bimi.valid ? 'Yes' : 'No'}}</dd>
+            <dt>Selector:</dt>
+            <dd>{{content.DomainMailSPFDMARC.bimi.selector}}</dd>
+            <dt>Image Error:</dt>
+            <dd>{{content.DomainMailSPFDMARC.bimi.image.error || 'None'}}</dd>
+        </dl>
+        <dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.bimi.warnings.length">
+            <dt>Warnings:</dt>
+            <dd>
+                <pre>{{content.DomainMailSPFDMARC.bimi.warnings.join('\n')}}</pre>
+            </dd>
+        </dl>
+
     </div>
 </div>
 
@@ -93,4 +228,4 @@ <h4 class="text-info">DMARC Tags</h4>
     <div class="panel-body">
         <p>{{content.errorMessage}}</p>
     </div>
-</div>
+</div>