Merge branch 'release/3.5.19'

Author: nusantara-self

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [3.5.18](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.18) (2025-06-23)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.17...3.5.18)
+
+**Closed issues:**
+
+- \[FR\] BitcoinAbuse analyzer fails – upstream API migrated to ChainAbuse [\#1360](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1360)
+
+**Merged pull requests:**
+
+- Migrates BitcoinAbuse analyzer to new ChainAbuse [\#1361](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1361) ([nusantara-self](https://github.com/nusantara-self))
+
 ## [3.5.17](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.17) (2025-06-13)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.16...3.5.17)

analyzers/FoxIO/JA4_FoxIO.json

@@ -0,0 +1,17 @@
+{
+    "name": "JA4_FoxIO",
+    "version": "1.0",
+    "author": "Florian Perret @cyber_pescadito",
+    "url": "https://github.com/cyberpescadito/Cortex-Analyzers/tree/master/analyzers/JA4_FoxIO",
+    "license": "AGPL-V3",
+    "description": "JA4 Fingerprint analysis with FoxIO Database",
+    "dataTypeList": ["user-agent", "ja4-fingerprint"],
+    "command": "FoxIO/JA4_FoxIO.py",
+    "baseConfig": "FoxIO",
+    "configurationItems": [
+    ],
+    "registration_required": false,
+    "subscription_required": false,
+    "free_subscription": true,
+    "service_homepage": "https://ja4db.com/"
+  }

analyzers/FoxIO/JA4_FoxIO.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+# Author: @cyber_pescadito
+from cortexutils.analyzer import Analyzer
+import requests
+import json
+
+class JA4_FoxIO(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.data = self.get_param('data', None, 'Data is missing')
+        self.data_type = self.get_param('dataType', None, 'dataType is missing')
+
+    def run(self):
+        Analyzer.run(self)
+        try:
+            db = requests.get('https://ja4db.com/api/read/')
+            jsoned = json.loads(db.text)
+
+            report_content = []
+
+            if self.data_type == 'user-agent':
+                for item in jsoned:
+                    user_agent_string = item.get('user_agent_string')
+                    if user_agent_string and self.data == user_agent_string:
+                        report_content.append(item)
+            elif self.data_type == 'ja4-fingerprint':
+                fingerprint_fields = [
+                    "ja4_fingerprint",
+                    "ja4_fingerprint_string",
+                    "ja4s_fingerprint",
+                    "ja4h_fingerprint",
+                    "ja4x_fingerprint",
+                    "ja4t_fingerprint",
+                    "ja4ts_fingerprint",
+                    "ja4tscan_fingerprint"
+                    ]
+
+            for item in jsoned:
+                if any(self.data == item.get(field) for field in fingerprint_fields):
+                    report_content.append(item)
+
+            self.report({"report": report_content})
+
+
+        except Exception as e:
+            self.error(str(e))
+
+    def summary(self, report_content):
+        taxonomies = []
+        level = 'info'
+        namespace = "JA4"
+        predicate = "Reports count"
+        value = str(len(report_content['report']))
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == "__main__":
+    JA4_FoxIO().run()

analyzers/FoxIO/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

analyzers/Gatewatcher_CTI/Gatewatcher_CTI.json

@@ -1,6 +1,6 @@
 {
   "name": "Gatewatcher_CTI",
-  "version": "1.0",
+  "version": "2.0",
   "author": "Gatewatcher",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-3.0",
@@ -9,7 +9,9 @@
     "hash",
     "domain",
     "fqdn",
-    "url"
+    "url",
+    "ip",
+    "mail"
   ],
   "command": "Gatewatcher_CTI/Gatewatcher_CTI.py",
   "baseConfig": "Gatewatcher_CTI",

analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py

@@ -7,34 +7,29 @@
 class GatewatcherCTI(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
-        self.api_key = self.get_param(
-            "config.apiKey", None, "Gatewatcher CTI API KEY is required"
-        )
-        self.extended_report = self.get_param(
-            "config.extendedReport", None, "Please set the Extended Report option"
-        )
-        self.max_relations= self.get_param(
-            "config.maxRelations", None
-        )
+        self.api_key = self.get_param("config.apiKey", None, "Gatewatcher CTI API KEY is required")
+        self.extended_report = self.get_param("config.extendedReport", None, "Please set the Extended Report option")
+        self.max_relations = self.get_param("config.maxRelations", None)
         self.observable_value = self.get_param("data", None, "Data is missing")
+        self.data_type = self.get_param("dataType", None, "Data type is missing")
+        self.base_url = "https://api.client.lastinfosec.com/v2/"
+        self.headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"}
 
-    def run(self):
-        url = f"https://api.client.lastinfosec.com/v2/lis/search?api_key={self.api_key}"
-        if not self.extended_report:
-            url = f"{url}&extended_report=false"
-        data = {"value" : self.observable_value}
-        useragent = {
-            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
-        }
-        response = requests.post(url, headers=useragent, json=data)
+    def _IOCs_search(self):
+        response = requests.post(
+            url=f"{self.base_url}lis/search",
+            headers=self.headers,
+            params={"api_key": self.api_key, "extended_report": self.extended_report},
+            json={"value": self.observable_value},
+        )
         info = self.check_response(response)
 
         additional = {}
         main = {}
-        records = {"IOCs": [], "is_on_gw": True}
+        records = {"IOCs": [], "IsOnGw": True}
 
         if response.status_code == 422:
-            records["is_on_gw"] = False
+            records["IsOnGw"] = False
         else:
             relations = []
             for item in info["message"][0]["IOCs"]:
@@ -50,8 +45,9 @@ def run(self):
                     has_max = False
                 total_found_relations = 0
                 for item in info["message"][0]["IOCs"]:
-                    if (total_found_relations == len(relations) or
-                            (has_max and total_found_relations >= self.max_relations)):
+                    if total_found_relations == len(relations) or (
+                        has_max and total_found_relations >= self.max_relations
+                    ):
                         break
 
                     if item["IocId"] in relations:
@@ -69,54 +65,100 @@ def run(self):
             main.update(additional)
             records["IOCs"].insert(0, main)
             if len(records["IOCs"]) == 1 and records["IOCs"][0]["Risk"].lower() == "unknown":
-                records["is_on_gw"] = False
+                records["IsOnGw"] = False
+        return records
 
+    def _get_by_ip(self):
+        response = requests.get(
+            url=f"{self.base_url}lis/ip/get_by_ip/{self.observable_value}",
+            headers=self.headers,
+            params={"api_key": self.api_key, "headers": False},
+        )
+        info = self.check_response(response)
+        if info.get("Score") == "Unknown":
+            info["IsOnGw"] = False
+        else:
+            info["IsOnGw"] = True
+        return info
+
+    def _get_by_email(self):
+        # TODO : check why headers false is always on 'InProgress' status on Cortex
+        response = requests.get(
+            url=f"{self.base_url}lis/leaked_emails/get_by_email/{self.observable_value}",
+            headers=self.headers,
+            params={"api_key": self.api_key, "headers": True},
+        )
+        info = self.check_response(response)
+        # get only data of the request
+        data = info.get("message")
+        if len(data) < 1:
+            return {"Value": self.observable_value, "IsOnGw": False}
+        else:
+            result = data[0]
+            result["IsOnGw"] = True
+            # Return number of passwords
+            if result.get("Passwords") is not None:
+                result["totalPasswords"] = len(result["Passwords"])
+            return result
+
+    def run(self):
+        if self.data_type == "ip":
+            records = self._get_by_ip()
+        elif self.data_type == "mail":
+            records = self._get_by_email()
+        else:
+            records = self._IOCs_search()
+        records["DataType"] = self.data_type
         self.report(records)
 
     def check_response(self, response):
         if response.status_code not in [200, 422]:
             try:
                 result = response.json()
-                if (
-                    "detail" in result
-                    and "details" in result["detail"]
-                    and "error" in result["detail"]["details"][0]
-                ):
-                    self.error(
-                        "Bad status: {0}. {1}".format(
-                            response.status_code,
-                            result["detail"]["details"][0]["error"],
-                        )
-                    )
+                if "detail" in result and "details" in result["detail"] and "error" in result["detail"]["details"][0]:
+                    self.error(f'Bad status: {response.status_code}. {result["detail"]["details"][0]["error"]}')
                 else:
-                    self.error("Bad status: {0}".format(response.status_code))
-            except Exception as ex:
-                self.error("Bad status: {0}".format(response.status_code))
+                    self.error(f"Bad status: {response.status_code}")
+            except Exception:
+                self.error(f"Bad status: {response.status_code}")
         else:
             try:
                 result = response.json()
                 return result
             except Exception as ex:
-                self.error("Bad Response: {0}".format(ex))
+                self.error(f"Bad Response: {ex}")
 
     def summary(self, raw):
         taxonomies = []
         level = "info"
         namespace = "Gatewatcher CTI"
         predicate = "GetReport"
         value = "not found"
-        data = next(
-            (ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None
-        )
-        if data is not None:
-            level = data["Risk"].lower()
-            if level == "malicious":
-                value = 100
-            elif level == "high suspicious":
-                value = 75
-            elif level == "suspicious":
-                value = 60
-
+        if self.data_type == "ip":
+            score = raw.get("Score")
+            if score == "Suspicious":
+                level = "suspicious"
+                value = 41
+            elif score == "Low suspicious":
+                value = 31
+            elif score == "Past suspicious":
+                value = 21
+        elif self.data_type == "mail":
+            # If no "creation date", api result is empty --> Email is not leaked
+            if raw.get("CreationDate") is None:
+                value = "not leaked"
+            else:
+                value = "leaked"
+        else:
+            data = next((ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None)
+            if data is not None:
+                level = data["Risk"].lower()
+                if level == "malicious":
+                    value = 100
+                elif level == "high suspicious":
+                    value = 75
+                elif level == "suspicious":
+                    value = 60
         taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
         return {"taxonomies": taxonomies}
 

analyzers/Gatewatcher_CTI/README.md

@@ -4,15 +4,46 @@ Gatewatcher is a European leader in advanced Threats detection, protecting criti
 ## Gatewatcher CTI
 The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business.
 
-## Cortex Integration
-This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database
-
 ## How to obtain credentials ?
 If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key
 
-If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec
+# How the analyzer works ?
+Gatewatcher CTI analyzer allows you to get information about hashes,urls,domains,fqdn,ips or emails.
+- To enable Gatewatcher_CTI analyzer:
+    - Navigate to "Organization" -> "Analyzers"
+    - Refresh analyzers to ensure that you have the lastest version.
+    - Search for "Gatewatcher_CTI".
+    - Enable it and configure its parameters (LIS API key is required).
+
+## Run on hashes/urls/domains/fqdns
+Search for an Indicator of Compromise (IoC: url, host/domain, hash) or vulnerability in the Gatewatcher CTI database.
+
+- Short report
+
+![alt text](assets/Gatewatcher_CTI_hash_short.png)
+
+- Long report
+
+![alt text](assets/Gatewatcher_CTI_hash_long.png)
+
+## Run on IPs
+Retrieves metadata, security threat alerts, and a contextualized timeline of events associated with a specific IP address from the Gatewatcher CTI database.
+
+- Short report
+
+![alt text](assets/Gatewatcher_CTI_IP_reputation_short.png)
+
+- Long report
+
+![alt text](assets/Gatewatcher_CTI_IP_reputation_long.png)
+
+## Run on emails
+Get all contextual informations (hash of password, url of connection...) for a targeted email address from the Gatewatcher CTI database.
+
+-  Short report
+
+![alt text](assets/Gatewatcher_CTI_leaked_email_short.png)
 
-## TheHive Integration
-With this cortex integration, we also provide you templates for TheHive available in the [thehive-templates](../../thehive-templates/Gatewatcher_CTI_1_0) directory.
+- Long report
 
-![](assets/Gatewatcher_CTI_long.png)
+![alt text](assets/Gatewatcher_CTI_leaked_email_long.png)