From e7b640be2d79f5fb18ab4669eb60b990be33cf1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?=
Date: Sun, 9 Feb 2020 10:49:47 +0100
Subject: [PATCH] #608 #609 responders postponed

---
 .../DomainToolsIris_AddRiskyDNSTag.json | 28 -----------
 .../domaintoolsiris_responder.py | 41 -----------------
 .../requirements.txt | 0
 .../DomainToolsIris_CheckMaliciousTags.json | 28 -----------
 .../domaintoolsiris_responder.py | 46 -------------------
 .../requirements.txt | 0
 6 files changed, 143 deletions(-)
 delete mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json
 delete mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
 delete mode 100644 responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt
 delete mode 100644 responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
 delete mode 100644 responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
 delete mode 100644 responders/DomainToolsIris_CheckMaliciousTags/requirements.txt

diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json b/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json
deleted file mode 100644
index fafd73f73..000000000
--- a/responders/DomainToolsIris_AddRiskyDNSTag/DomainToolsIris_AddRiskyDNSTag.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "name": "DomainToolsIris_AddRiskyDNSTag",
- "version": "1.0",
- "author": "DomainTools",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add Tag saying that the case contains a risky DNS.",
- "dataTypeList": ["thehive:case_artifact"],
- "command": "DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py",
- "baseConfig": "DomainToolsIris",
- "configurationItems": [
- {
- "name": "high_risk_threshold",
- "description": "Risk score threshold to be considered high risk.",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 70
- },
- {
- "name": "monitored_iris_tags",
- "description": "Monitored Iris tags.",
- "type": "string",
- "multi": true,
- "required": false
- }
- ]
-}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py b/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
deleted file mode 100644
index 38062a18c..000000000
--- a/responders/DomainToolsIris_AddRiskyDNSTag/domaintoolsiris_responder.py
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env python3
-# encoding: utf-8
-
-
-from cortexutils.responder import Responder
-
-
-class DomainToolsIris(Responder):
- def __init__(self):
- Responder.__init__(self)
-
- def run(self):
- Responder.run(self)
- if self.get_param("data.dataType") == "domain":
- self.report({"data": self.get_data()})
- else:
- self.report({"data": 'Can only operate on "domain" observables'})
-
- def operations(self, raw):
- build_list = []
- taxonomies = (
- raw.get("data", {})
- .get("reports", {})
- .get("DomainToolsIris_Investigate_1_0", {})
- .get("taxonomies", None)
- )
-
- for x in taxonomies:
- if x["predicate"] == "Risk Score":
- if int(x["value"]) > int(self.get_param("config.high_risk_threshold")):
- build_list.append(
- self.build_operation("AddTagToCase", tag="DT:Risky DNS")
- )
- build_list.append(
- self.build_operation("AddTagToArtifact", tag="DT:Risky DNS")
- )
- return build_list
-
-
-if __name__ == "__main__":
- DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt b/responders/DomainToolsIris_AddRiskyDNSTag/requirements.txt
deleted file mode 100644
index e69de29bb..000000000
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json b/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
deleted file mode 100644
index ef14d0828..000000000
--- a/responders/DomainToolsIris_CheckMaliciousTags/DomainToolsIris_CheckMaliciousTags.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "name": "DomainToolsIris_CheckMaliciousTags",
- "version": "1.0",
- "author": "DomainTools",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
- "dataTypeList": ["thehive:case_artifact"],
- "command": "DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py",
- "baseConfig": "DomainToolsIris",
- "configurationItems": [
- {
- "name": "high_risk_threshold",
- "description": "Risk score threshold to be considered high risk.",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 70
- },
- {
- "name": "monitored_iris_tags",
- "description": "Monitored Iris tags.",
- "type": "string",
- "multi": true,
- "required": false
- }
- ]
-}
\ No newline at end of file
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py b/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
deleted file mode 100644
index 8490a0a24..000000000
--- a/responders/DomainToolsIris_CheckMaliciousTags/domaintoolsiris_responder.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env python3
-# encoding: utf-8
-
-
-from cortexutils.responder import Responder
-
-
-class DomainToolsIris(Responder):
- def __init__(self):
- Responder.__init__(self)
-
- def run(self):
- Responder.run(self)
- if self.get_param("data.dataType") == "domain":
- self.report({"data": self.get_data()})
- else:
- self.report({"data": 'Can only operate on "domain" observables'})
-
- def operations(self, raw):
- build_list = []
- taxonomies = (
- raw.get("data", {})
- .get("reports", {})
- .get("DomainToolsIris_Investigate_1_0", {})
- .get("taxonomies", None)
- )
-
- for x in taxonomies:
- if x["predicate"] == "IrisTags":
- malicious_tags_set = set(self.get_param("config.monitored_iris_tags"))
- domain_tags_set = set(x["value"].split(","))
-
- if len(malicious_tags_set.intersection(domain_tags_set)):
- build_list.append(
- self.build_operation(
- "AddTagToArtifact", tag="DT:Malicious Domain"
- )
- )
- build_list.append(
- self.build_operation("AddTagToCase", tag="DT:Malicious Domain")
- )
- return build_list
-
-
-if __name__ == "__main__":
- DomainToolsIris().run()
diff --git a/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt b/responders/DomainToolsIris_CheckMaliciousTags/requirements.txt
deleted file mode 100644
index e69de29bb..000000000