[
  {
    "name": "AbuseIPDB",
    "version": "1.0",
    "author": "Matteo Lodi",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-v3",
    "description": "Determine whether or not an IP has been reported as malicious by AbuseIPDB",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "AbuseIPDB",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for AbuseIPDB",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "days",
        "description": "Check for IP Reports in the last X days",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.abuseipdb.com/",
    "service_logo": {
      "path": "assets/abuseipdb.png",
      "caption": "abuseipdb logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "AbuseIPDB: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/abuseipdb:1"
  },
  {
    "name": "Abuse_Finder",
    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "url",
      "mail"
    ],
    "baseConfig": "Abuse_Finder",
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/certsocietegenerale/abuse_finder",
    "service_logo": {
      "path": "",
      "caption": ""
    },
    "screenshots": [
      {
        "path": "assets/abuse_finder_longreport.png",
        "caption": "Abuse_Finder: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/abuse_finder:3"
  },
  {
    "name": "AnyRun_Sandbox_Analysis",
    "version": "1.1",
    "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Any.Run Sandbox file analysis",
    "dataTypeList": [
      "file",
      "url"
    ],
    "baseConfig": "AnyRun",
    "configurationItems": [
      {
        "name": "token",
        "description": "API token",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "privacy_type",
        "description": "Define the privacy setting (Allowed values: public, bylink, owner)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "bylink"
      },
      {
        "name": "verify_ssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "env_bitness",
        "description": "Default OS bitness: 32 or 64",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 32
      },
      {
        "name": "env_version",
        "description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "7"
      },
      {
        "name": "env_type",
        "description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "complete"
      },
      {
        "name": "opt_network_connect",
        "description": "Network connection state for the analysis; set false to disable networking",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "opt_network_fakenet",
        "description": "FakeNet feature status; set true to enable.",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "opt_network_tor",
        "description": "Whether to use TOR.",
        "type": "Boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "opt_network_mitm",
        "description": "HTTPS MITM proxy option.",
        "type": "Boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "opt_network_geo",
        "description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"",
        "type": "String",
        "multi": false,
        "required": false,
        "defaultValue": "fastest"
      },
      {
        "name": "opt_kernel_heavyevasion",
        "description": "Heavy evasion option. Default value: false",
        "type": "Boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "opt_timeout",
        "description": "Timeout option. Allowed range: 10-660",
        "type": "Number",
        "multi": false,
        "required": false,
        "defaultValue": "60"
      },
      {
        "name": "obj_ext_startfolder",
        "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"",
        "type": "String",
        "multi": false,
        "required": false,
        "defaultValue": "temp"
      },
      {
        "name": "obj_ext_browser",
        "description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"",
        "type": "String",
        "multi": false,
        "required": false,
        "defaultValue": "Internet Explorer"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://any.run/",
    "service_logo": {
      "path": "assets/anyrun.png",
      "caption": "AnyRun logo"
    },
    "screenshots": [
      {
        "path": "assets/short_report.png",
        "caption": "AnyRun: Short report template"
      },
      {
        "path": "assets/long_report.png",
        "caption": "AnyRun: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/anyrun_sandbox_analysis:1"
  },
  {
    "name": "Autofocus_GetSampleAnalysis",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "Autofocus",
    "config": {
      "service": "get_sample_analysis"
    },
    "description": "Get full analysis from a sample based on its hash",
    "dataTypeList": [
      "hash"
    ],
    "configurationItems": [
      {
        "name": "apikey",
        "description": "Autofocus API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/autofocus_getsampleanalysis:1"
  },
  {
    "name": "Autofocus_SearchIOC",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "Autofocus",
    "config": {
      "service": "search_ioc"
    },
    "description": "Search samples in Autofocus based on a single IOC",
    "dataTypeList": [
      "domain",
      "fqdn",
      "user-agent",
      "imphash",
      "ip",
      "mutex",
      "tag",
      "url"
    ],
    "configurationItems": [
      {
        "name": "apikey",
        "description": "Autofocus API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/autofocus_searchioc:1"
  },
  {
    "name": "Autofocus_SearchJSON",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "Autofocus",
    "config": {
      "service": "search_json"
    },
    "description": "Search samples in Autofocus with a full search query in JSON",
    "dataTypeList": [
      "other"
    ],
    "configurationItems": [
      {
        "name": "apikey",
        "description": "Autofocus API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/autofocus_searchjson:1"
  },
  {
    "name": "Axur",
    "author": "Axur",
    "version": "1.0",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Search IPs, domains, hashes or URLs on axur.com",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip",
      "url",
      "hash"
    ],
    "baseConfig": "Axur",
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Define the API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.axur.com",
    "dockerImage": "ghcr.io/thehive-project/axur:1"
  },
  {
    "name": "BackscatterIO_Enrichment",
    "version": "1.0",
    "author": "brandon@backscatter.io",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "APLv2",
    "description": "Enrich values using Backscatter.io data.",
    "dataTypeList": [
      "ip",
      "network",
      "autonomous-system",
      "port"
    ],
    "baseConfig": "BackscatterIO",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Backscatter.io",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": true,
      "service": "enrichment"
    },
    "dockerImage": "ghcr.io/thehive-project/backscatterio_enrichment:1"
  },
  {
    "name": "BackscatterIO_GetObservations",
    "version": "1.0",
    "author": "brandon@backscatter.io",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "APLv2",
    "description": "Determine whether a value has known scanning activity using Backscatter.io data.",
    "dataTypeList": [
      "ip",
      "network",
      "autonomous-system"
    ],
    "baseConfig": "BackscatterIO",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Backscatter.io",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": true,
      "service": "observations"
    },
    "dockerImage": "ghcr.io/thehive-project/backscatterio_getobservations:1"
  },
  {
    "name": "BitcoinAbuse",
    "version": "1.0",
    "author": "Peter Juhas",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Check Bitcoin address against Bitcoin Abuse database",
    "dataTypeList": [
      "btc_address"
    ],
    "baseConfig": "BitcoinAbuse",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Bitcoin Abuse",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/bitcoinabuse:1"
  },
  {
    "name": "C1fApp",
    "version": "1.0",
    "author": "etz69",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query C1fApp OSINT Aggregator for IPs, domains and URLs",
    "dataTypeList": [
      "url",
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "C1fApp",
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of C1fApp service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/c1fapp:1"
  },
  {
    "name": "CERTatPassiveDNS",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "description": "Checks CERT.at Passive DNS for a given domain.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "CERTatPassiveDNS",
    "configurationItems": [
      {
        "name": "limit",
        "description": "Define the maximum number of results per request",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 100
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/certatpassivedns:2"
  },
  {
    "name": "CIRCLHashlookup",
    "author": "Mikael Keri",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.1",
    "description": "CIRCL hashlookup uses a public API to lookup hash values against databases of known good files",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "CIRCLHashlookup",
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "check_pap": true,
      "max_pap": 2
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://hashlookup.circl.lu/",
    "service_logo": {
      "path": "assets/circlhashlookup_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/circlhashlookup_long_report.png",
        "caption:": "CIRCLHashlookup analyzer full report"
      },
      {
        "path": "assets/circlhashlookup_verdict.png",
        "caption:": "CIRCLHashlookup analyzer verdict"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/circlhashlookup:1"
  },
  {
    "name": "CIRCLPassiveDNS",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "description": "Check CIRCL's Passive DNS for a given domain or URL.",
    "dataTypeList": [
      "domain",
      "url",
      "ip"
    ],
    "baseConfig": "CIRCL",
    "configurationItems": [
      {
        "name": "user",
        "description": "Username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Password",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.circl.lu/services/passive-dns/",
    "service_logo": {
      "path": "assets/passivedns.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/sc-short-circlpassivedns.png",
        "caption": "CIRCLPassiveDNS: short report"
      },
      {
        "path": "assets/sc-long-circlpassivedns.png",
        "caption": "CIRCLPassiveDNS: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/circlpassivedns:2"
  },
  {
    "name": "CIRCLPassiveSSL",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "description": "Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash.",
    "dataTypeList": [
      "ip",
      "certificate_hash",
      "hash"
    ],
    "baseConfig": "CIRCL",
    "configurationItems": [
      {
        "name": "user",
        "description": "Username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Password",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.circl.lu/services/passive-ssl/",
    "service_logo": {
      "path": "assets/pssl.png",
      "caption": "PSSL logo"
    },
    "screenshots": [
      {
        "path": "assets/sc-short-circlpassivessl.png",
        "caption": "CIRCLPassiveSSL: short report"
      },
      {
        "path": "assets/sc-long-circlpassivessl.png",
        "caption": "CIRCLPassiveSSL: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/circlpassivessl:2"
  },
  {
    "name": "CISMCAP",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Malicious Code Analysis Platform (MCAP) by the Center for Internet Security (CIS). Submit files for analysis or check feeds for known indicators of compromise for other data types.",
    "dataTypeList": [
      "ip",
      "hash",
      "url",
      "domain",
      "fqdn",
      "file"
    ],
    "baseConfig": "CISMCAP",
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://www.cisecurity.org/ms-isac/services",
    "service_logo": {
      "path": "assets/cis_mcap_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/CISMCAP_file.png",
        "caption": "Analyzer report for a file"
      },
      {
        "path": "assets/CISMCAP_IP.png",
        "caption:": "Analyzer report for an IP address"
      }
    ],
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "private_samples",
        "description": "Submitted samples will not be shared with other members of the portal",
        "type": "boolean",
        "multi": false,
        "required": true
      },
      {
        "name": "minimum_confidence",
        "description": "Restrict to IOCs with this confidence score or higher.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 80
      },
      {
        "name": "minimum_severity",
        "description": "Restrict to IOCs with this severity score or higher.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 80
      },
      {
        "name": "polling_interval",
        "description": "Interval (seconds) between requests for sample status.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 120
      },
      {
        "name": "max_sample_result_wait",
        "description": "Maximum time to retry requests for sample status.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cismcap:1"
  },
  {
    "name": "Capa",
    "version": "1.0",
    "author": "Wes Lambert; Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Analyze files with Capa",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "Capa",
    "config": {
      "service": "CapaAnalyze"
    },
    "configurationItems": [
      {
        "name": "capa_path",
        "description": "Path to Capa binary (if installed locally, should be /opt/Cortex-Analyzers/analyzers/Capa/capa)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "/worker/Capa/capa"
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/mandiant/capa",
    "service_logo": {
      "path": "assets/capa.png",
      "caption": "CAPA logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "CAPA: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/capa:1"
  },
  {
    "name": "Censys",
    "author": "Nils Kuhnert, CERT-Bund; Fabien Bloume, StrangeBee",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/censys-analyzer",
    "version": "2.0",
    "description": "Check IPs, certificate hashes or domains against censys.io.",
    "dataTypeList": [
      "ip",
      "hash",
      "domain"
    ],
    "baseConfig": "Censys",
    "configurationItems": [
      {
        "name": "uid",
        "description": "UID for Censys",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "max_records",
        "description": "Maximum number of records for domains",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultvalue": 10
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://censys.io/",
    "service_logo": {
      "path": "assets/censys.png",
      "caption": "Censys logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Censys: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/censys:2"
  },
  {
    "name": "CheckPhish",
    "version": "1.0",
    "author": "Peter Juhas",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "service_homepage": "https://checkphish.ai",
    "description": "Check a URL via CheckPhish using the jobID returned from CheckPhish_Submit",
    "dataTypeList": [
      "string"
    ],
    "baseConfig": "CheckPhish",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for CheckPhish",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/checkphish:1"
  },
  {
    "name": "CheckPhish_Submit",
    "version": "1.0",
    "author": "Peter Juhas",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "service_homepage": "https://checkphish.ai",
    "description": "Submit a URL to CheckPhish",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "CheckPhish",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for CheckPhish",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/checkphish_submit:1"
  },
  {
    "name": "ClamAV_FileInfo",
    "version": "1.1",
    "author": "Brian Laskowski",
    "url": "https://github.com/Hestat/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Clamscan with custom rules",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "ClamAV",
    "dockerImage": "ghcr.io/thehive-project/clamav_fileinfo:1"
  },
  {
    "name": "C25CortexAnalyzer_Investigate",
    "version": "1.0",
    "author": "Cluster25",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Cluster25's CTI API to investigate an observable.",
    "dataTypeList": [
      "domain",
      "file",
      "hash",
      "ip",
      "mail",
      "url"
    ],
    "baseConfig": "c25-cortex-analyzer",
    "config": {
      "check_tlp": false,
      "check_pap": false,
      "auto_extract_artifacts": true,
      "service": "investigate"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Cluster25 CTI API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_key",
        "description": "Cluster25 CTI API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "base_url",
        "description": "Cluster25 CTI API base url",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.duskrise.com/the-c25-intelligence/",
    "service_logo": {
      "path": "assets/cluster25_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/short_report_sample.png",
        "caption": "report sample"
      },
      {
        "path": "assets/long_report_sample.png",
        "caption:": "report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/c25cortexanalyzer_investigate:1"
  },
  {
    "name": "Crowdsec_Analyzer",
    "version": "1.1",
    "author": "CERT-ARKEA",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query Crowdsec API",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "Crowdsec",
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Crowdsec API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "taxonomy_reputation",
        "description": "Create taxonomy for reputation",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "taxonomy_as_name",
        "description": "Create taxonomy for AS name",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "taxonomy_ip_range_score",
        "description": "Create taxonomy for IP range score",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "taxonomy_last_seen",
        "description": "Create taxonomy for last seen date",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "taxonomy_attack_details",
        "description": "Create taxonomy for attack details",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "taxonomy_behaviors",
        "description": "Create taxonomy for behaviors",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "taxonomy_mitre_techniques",
        "description": "Create taxonomy for MITRE techniques",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "taxonomy_cves",
        "description": "Create taxonomy for CVEs",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "taxonomy_not_found",
        "description": "Create taxonomy for not found IP",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.crowdsec.net/product/threat-intelligence",
    "service_logo": {
      "path": "assets/crowdsec-logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/crowdsec-report-long.png",
        "caption": "CrowdSec analyzer: long report"
      },
      {
        "path": "assets/crowdsec-analyzer-result-example.png",
        "caption": "CrowdSec analyzer: short report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdsec_analyzer:1"
  },
  {
    "name": "CrowdstrikeFalcon_GetDeviceVulnerabilities",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": ""
    },
    "description": "Get device vulnerabilities from hostname",
    "dataTypeList": [
      "hostname"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "vuln_fields",
        "description": "Specific field values to keep in resulting payload for vulnerabilities",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "vulnerability_id",
          "status",
          "created_timestamp",
          "updated_timestamp",
          "apps.product_name_version",
          "confidence",
          "cve",
          "host_info.asset_criticality",
          "host_info.internet_exposure",
          "remediation.entities.action"
        ]
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-vulns.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-vulns.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_getdevicevulnerabilities:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_Android",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 200
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_android:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_Linux",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 300
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_linux:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_MacOS",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 400
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_macos:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_Win10",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 160
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_win10:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_Win11",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 140
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_win11:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_Win7",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 100
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_win7:1"
  },
  {
    "name": "CrowdstrikeFalcon_Sandbox_Win7_64",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": 110
    },
    "description": "Send a file to CrowdstrikeFalcon Sandbox",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "network_settings",
        "description": "Specifies the sandbox network_settings used for analysis : default, tor, simulated, offline",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      },
      {
        "name": "action_script",
        "description": "Runtime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "default"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-sandbox.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-sandbox.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sandbox_win7_64:1"
  },
  {
    "name": "CrowdstrikeFalcon_getDeviceAlerts",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": ""
    },
    "description": "Get Device alerts from Crowdstrike Falcon",
    "dataTypeList": [
      "hostname"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "alert_fields",
        "description": "Fields to return for each individual alert",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "timestamp",
          "description",
          "status",
          "user_name",
          "severity",
          "severity_name",
          "scenario",
          "filename",
          "filepath",
          "confidence",
          "cmdline"
        ]
      },
      {
        "name": "days_before",
        "description": "Only query alerts from the past X days.",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 30
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-alerts.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-alerts.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_getdevicealerts:1"
  },
  {
    "name": "CrowdstrikeFalcon_getDeviceDetails",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": ""
    },
    "description": "Get device information from Crowdstrike Falcon",
    "dataTypeList": [
      "hostname"
    ],
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/short-report-deviceinfo.png",
        "caption": "Crowdstrike: Short report template"
      },
      {
        "path": "assets/long-report-deviceinfo.png",
        "caption": "Crowdstrike: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_getdevicedetails:1"
  },
  {
    "name": "Crt_sh_Transparency_Logs",
    "author": "crackytsi",
    "license": "AGPL-V3",
    "url": "https://crt.sh",
    "version": "1.0",
    "baseConfig": "Crtsh",
    "config": {
      "check_tlp": false,
      "max_tlp": 3
    },
    "description": "Query domains against the certificate transparency lists available at crt.sh.",
    "dataTypeList": [
      "domain"
    ],
    "configurationItems": [],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://crt.sh/",
    "service_logo": {
      "path": "assets/logo.png",
      "caption": "Sectigo logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Crt: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crt_sh_transparency_logs:1"
  },
  {
    "name": "CuckooSandbox_File_Analysis_Inet",
    "version": "1.2",
    "author": "Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Cuckoo Sandbox file analysis with Internet access.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "CuckooSandbox",
    "configurationItems": [
      {
        "name": "url",
        "description": "URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "token",
        "description": "API token",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "verifyssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "cert_path",
        "description": "Path to the CA on the system used to check server certificate",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://cuckoosandbox.org/",
    "service_logo": {
      "path": "assets/cuckoosandbox.png",
      "caption": "CuckooSandbox logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "CuckooSandbox: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cuckoosandbox_file_analysis_inet:1"
  },
  {
    "name": "CuckooSandbox_Url_Analysis",
    "version": "1.2",
    "author": "Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Cuckoo Sandbox URL analysis.",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "CuckooSandbox",
    "configurationItems": [
      {
        "name": "url",
        "description": "URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "token",
        "description": "API token",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "verifyssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "cert_path",
        "description": "Path to the CA on the system used to check server certificate",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://cuckoosandbox.org/",
    "service_logo": {
      "path": "assets/cuckoosandbox.png",
      "caption": "CuckooSandbox logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "CuckooSandbox: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cuckoosandbox_url_analysis:1"
  },
  {
    "name": "CyberChef_FromBase64",
    "version": "1.0",
    "author": "Wes Lambert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Convert Base64 with CyberChef Server",
    "dataTypeList": [
      "other"
    ],
    "baseConfig": "CyberChef",
    "config": {
      "service": "FromBase64"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "CyberChef Server URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "http://192.168.1.178:3000/"
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/gchq/CyberChef-server",
    "service_logo": {
      "path": "assets/cyberchef.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Cyberchef: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cyberchef_frombase64:1"
  },
  {
    "name": "CyberChef_FromCharCode",
    "version": "1.0",
    "author": "Wes Lambert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Convert Char Code with CyberChef Server",
    "dataTypeList": [
      "other"
    ],
    "baseConfig": "CyberChef",
    "config": {
      "service": "FromCharCode"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "CyberChef Server URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "http://192.168.1.178:3000/"
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/gchq/CyberChef-server",
    "service_logo": {
      "path": "assets/cyberchef.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Cyberchef: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cyberchef_fromcharcode:1"
  },
  {
    "name": "CyberChef_FromHex",
    "version": "1.0",
    "author": "Wes Lambert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Convert Hex with CyberChef Server",
    "dataTypeList": [
      "other"
    ],
    "baseConfig": "CyberChef",
    "config": {
      "service": "FromHex"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "CyberChef Server URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "http://192.168.1.178:3000/"
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/gchq/CyberChef-server",
    "service_logo": {
      "path": "assets/cyberchef.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Cyberchef: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cyberchef_fromhex:1"
  },
  {
    "name": "CyberCrime-Tracker",
    "author": "ph34tur3",
    "license": "AGPL-V3",
    "url": "https://github.com/ph34tur3/Cortex-Analyzers",
    "version": "1.0",
    "description": "Search cybercrime-tracker.net for C2 servers.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip",
      "url",
      "other"
    ],
    "baseConfig": "CyberCrimeTracker",
    "config": {
      "check_tlp": true,
      "max_tlp": 2
    },
    "configurationItems": [],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://cybercrime-tracker.net/",
    "service_logo": {
      "path": "assets/cybercrime.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "cybercrime: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cybercrime-tracker:1"
  },
  {
    "name": "Cyberprotect_ThreatScore",
    "author": "Rémi Allain, Cyberprotect",
    "license": "AGPL-V3",
    "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
    "version": "3.0",
    "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect",
    "dataTypeList": [
      "domain",
      "hash",
      "ip",
      "url",
      "user-agent"
    ],
    "baseConfig": "Cyberprotect",
    "config": {
      "service": "ThreatScore",
      "check_tlp": true
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://console.threatscore.cyberprotect.cloud/",
    "service_logo": {
      "path": "assets/threatscore.jpg",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "cyberprotect: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cyberprotect_threatscore:3"
  },
  {
    "name": "Cylance",
    "author": "Mikael Keri",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Search for a specific hash and, if there is a match, the corresponding client information",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "Cylance",
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "check_pap": true,
      "max_pap": 2
    },
    "configurationItems": [
      {
        "name": "ten_id",
        "description": "Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "app_id",
        "description": "App ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "app_secret",
        "description": "App Secret",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "region",
        "description": "Portal region: NA, US, APN, JP, APS, AU, EU, GOV, SA, SP",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.blackberry.com/",
    "service_logo": {
      "path": "assets/cylance_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/cylance_sample_lookup_long.png",
        "caption": "Cylance Lookup sample Information full report"
      },
      {
        "path": "assets/cylance_host_lookup_long.png",
        "caption": "Cylance Lookup sample, client information full report"
      },
      {
        "path": "assets/cylance_sample_lookup_short.png",
        "caption:": "Cylance Lookup sample mini report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/cylance:1"
  },
  {
    "name": "DNSDB_DomainName",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DNSDB to fetch historical records for a domain.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "DNSDB",
    "config": {
      "service": "domain_name"
    },
    "configurationItems": [
      {
        "name": "server",
        "description": "DNSDB server name",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.dnsdb.info"
      },
      {
        "name": "key",
        "description": "Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dnsdb_domainname:2"
  },
  {
    "name": "DNSDB_IPHistory",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DNSDB to fetch historical records for an IP address.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "DNSDB",
    "config": {
      "service": "ip_history"
    },
    "configurationItems": [
      {
        "name": "server",
        "description": "DNSDB server name",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.dnsdb.info"
      },
      {
        "name": "key",
        "description": "DNSDB API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dnsdb_iphistory:2"
  },
  {
    "name": "DNSDB_NameHistory",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DNSDB to fetch historical records for a fully-qualified domain name.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "DNSDB",
    "config": {
      "service": "name_history"
    },
    "configurationItems": [
      {
        "name": "server",
        "description": "DNSDB server name",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.dnsdb.info"
      },
      {
        "name": "key",
        "description": "DNSDB API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dnsdb_namehistory:2"
  },
  {
    "name": "DNS_Lookingglass",
    "version": "1.0",
    "author": "Dennis Perto, Conscia",
    "url": "https://github.com/xme/thehive/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the SANS ISC Global DNS Lookingglass API to check a domain name for resolved IP addresses.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "DNSLookingglass.json",
    "config": {
      "service": "query"
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://isc.sans.edu/",
    "service_logo": {
      "path": "assets/dshield.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/DNS_Lookingglass_long.png",
        "caption": "DNS Lookingglass: Long report template"
      },
      {
        "path": "assets/DNS_Lookingglass_artifacts.png",
        "caption": "DNS Lookingglass: artifacts"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dns_lookingglass:1"
  },
  {
    "name": "DNSSinkhole",
    "author": "Andrea Garavaglia, LDO-CERT",
    "license": "AGPL-V3",
    "url": "https://github.com/LDO-CERT/cortex-analyzer",
    "version": "1.0",
    "description": "Check if a domain is sinkholed via a DNS Sinkhole server",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "DNSSinkhole",
    "configurationItems": [
      {
        "name": "ip",
        "description": "Define the DNS Sinkhole Server IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "sink_ip",
        "description": "Define the IP address returned as the sinkholed response",
        "required": true,
        "multi": false,
        "type": "string"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dnssinkhole:1"
  },
  {
    "name": "DNSdumpster_report",
    "version": "1.0",
    "author": "Keijo Korte - @korteke",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query domain information from DNSdumpster.com.",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "DNSdumpster",
    "configurationItems": [],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://dnsdumpster.com",
    "dockerImage": "ghcr.io/thehive-project/dnsdumpster_report:1"
  },
  {
    "name": "DShield_lookup",
    "version": "1.0",
    "author": "Xavier Xavier, SANS ISC",
    "url": "https://github.com/xme/thehive/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the SANS ISC DShield API to check for an IP address reputation.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "DShield",
    "config": {
      "service": "query"
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://isc.sans.edu/",
    "service_logo": {
      "path": "assets/dshield.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "DShield: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dshield_lookup:1"
  },
  {
    "name": "Diario_GetReport",
    "version": "1.0",
    "author": "Ignacio Rodriguez Paez",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest Diario report for a file or hash.",
    "dataTypeList": [
      "file",
      "hash"
    ],
    "baseConfig": "Diario",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Client id for Diario",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "secret",
        "description": "Secret for Diario",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define the time interval between two request attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "service_homepage": "https://diario.elevenpaths.com/",
    "service_logo": {
      "path": "assets/logo.png",
      "caption": "DIARIO logo"
    },
    "screenshots": [
      {
        "path": "assets/diario_get_report_short.png",
        "caption": "DIARIO: short report"
      },
      {
        "path": "assets/diario_get_report_long.png",
        "caption": "DIARIO: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/diario_getreport:1"
  },
  {
    "name": "Diario_Scan",
    "version": "1.0",
    "author": "Ignacio Rodriguez Paez",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Diario to scan a file; it can be DOC*, XLS*, PPTX or PDF.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "Diario",
    "config": {
      "service": "scan"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Client id for Diario",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "secret",
        "description": "Secret for Diario",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define the time interval between two request attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "service_homepage": "https://diario.elevenpaths.com/",
    "service_logo": {
      "path": "assets/logo.png",
      "caption": "DIARIO logo"
    },
    "screenshots": [
      {
        "path": "assets/diario_scan_short.png",
        "caption": "DIARIO: short report"
      },
      {
        "path": "assets/diario_scan_long.png",
        "caption": "DIARIO: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/diario_scan:1"
  },
  {
    "name": "DomainMailSPFDMARC",
    "version": "1.1",
    "url": "https://thehive-project.org",
    "author": "torsolaso",
    "license": "AGPL-V3",
    "description": "DomainMailSPFDMARC",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "DomainMailSPFDMARC",
    "config": {
      "service": "get"
    },
    "configurationItems": [],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "screenshots": [
      {
        "path": "assets/DomainMailSPFDMARC_long.png",
        "caption": "DomainMailSPFDMARC long report sample"
      },
      {
        "path": "assets/DomainMailSPFDMARC_short.png",
        "caption": "DomainMailSPFDMARC mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domainmailspfdmarc:1"
  },
  {
    "name": "DomainTools_HostingHistory",
    "version": "2.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "hosting-history"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_hostinghistory:2"
  },
  {
    "name": "DomainTools_Reputation",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a reputation score on a domain or fqdn",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "reputation"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_reputation:2"
  },
  {
    "name": "DomainTools_ReverseIP",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a list of domain names sharing the same IP address.",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "reverse-ip"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_reverseip:2"
  },
  {
    "name": "DomainTools_ReverseIPWhois",
    "version": "2.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a list of IP addresses which share the same registrant information.",
    "dataTypeList": [
      "mail",
      "ip",
      "domain",
      "other"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "reverse-ip-whois"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_reverseipwhois:2"
  },
  {
    "name": "DomainTools_ReverseNameServer",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a list of domain names that share the same primary or secondary name server.",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "name-server-domains"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_reversenameserver:2"
  },
  {
    "name": "DomainTools_ReverseWhois",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a list of domain names which share the same registrant information.",
    "dataTypeList": [
      "mail",
      "ip",
      "domain",
      "other"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "reverse-whois"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_reversewhois:2"
  },
  {
    "name": "DomainTools_Risk",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "risk_evidence"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_risk:2"
  },
  {
    "name": "DomainTools_WhoisHistory",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get a list of historical Whois records associated with a domain name.",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "whois/history"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_whoishistory:2"
  },
  {
    "name": "DomainTools_WhoisLookup",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.",
    "dataTypeList": [
      "domain",
      "ip"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "whois/parsed"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_whoislookup:2"
  },
  {
    "name": "DomainTools_WhoisLookupUnparsed",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools to get the ownership record for an IP address or a domain without parsing.",
    "dataTypeList": [
      "ip",
      "domain"
    ],
    "baseConfig": "DomainTools",
    "config": {
      "service": "whois"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintools_whoislookupunparsed:2"
  },
  {
    "name": "DomainToolsIris_Investigate",
    "version": "1.0",
    "author": "DomainTools",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools Iris API to investigate a domain.",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "DomainToolsIris",
    "config": {
      "service": "investigate-domain"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools Iris API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools Iris API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "pivot_count_threshold",
        "description": "Pivot count threshold.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 500
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.domaintools.com",
    "service_logo": {
      "path": "assets/domaintools_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/DomainToolsIris_Investigate_long.png",
        "caption": "DomainToolsIris_Investigate long report sample"
      },
      {
        "path": "assets/DomainToolsIris_Investigate_short.png",
        "caption": "DomainToolsIris_Investigate mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintoolsiris_investigate:1"
  },
  {
    "name": "DomainToolsIris_Pivot",
    "version": "1.0",
    "author": "DomainTools",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use DomainTools Iris API to pivot on ssl_hash, ip, or email.",
    "dataTypeList": [
      "hash",
      "ip",
      "mail"
    ],
    "baseConfig": "DomainToolsIris",
    "config": {
      "service": "pivot"
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "DomainTools Iris API credentials",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "DomainTools Iris API credentials",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.domaintools.com",
    "service_logo": {
      "path": "assets/domaintools_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/DomainToolsIris_Pivot_long.png",
        "caption": "DomainToolsIris_Pivot long report sample"
      },
      {
        "path": "assets/DomainToolsIris_Pivot_short.png",
        "caption": "DomainToolsIris_Pivot mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintoolsiris_pivot:1"
  },
  {
    "name": "EchoTrail",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "EchoTrail Insights takes a Windows filename or hash and provides several unique pieces of analytical context including prevalence & rank scores, process ancestry, behavioral analysis, and security analysis.",
    "dataTypeList": [
      "hash",
      "filename"
    ],
    "baseConfig": "EchoTrail",
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://www.echotrail.io/",
    "service_logo": {
      "path": "assets/echotrail_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/echotrail_filename_report.png",
        "caption": "Sample long form report on a filename from a Windows system"
      }
    ],
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/echotrail:1"
  },
  {
    "name": "EclecticIQ_SearchObservable",
    "author": "BW",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/",
    "version": "2.0",
    "description": "Query EclecticIQ Intelligence Center for a specific observable.",
    "dataTypeList": [
      "domain",
      "ip",
      "url",
      "fqdn",
      "uri_path",
      "user-agent",
      "hash",
      "mail",
      "mail_subject",
      "registry",
      "regexp",
      "other",
      "filename"
    ],
    "config": {
      "service": "search_observable"
    },
    "baseConfig": "EclecticIQ",
    "configurationItems": [
      {
        "name": "name",
        "description": "Name of EclecticIQ instance",
        "multi": false,
        "required": false,
        "type": "string"
      },
      {
        "name": "url",
        "description": "URL of EclecticIQ instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key for EclecticIQ instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "cert_check",
        "description": "Verify server certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.eclecticiq.com",
    "service_logo": {
      "path": "assets/logo.png",
      "caption": "logo"
    },
    "screenshots": [],
    "dockerImage": "ghcr.io/thehive-project/eclecticiq_searchobservable:2"
  },
  {
    "name": "Elasticsearch_Analysis",
    "author": "Nick Prokop",
    "license": "MIT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Search for IoCs in Elasticsearch",
    "dataTypeList": [
      "url",
      "domain",
      "ip",
      "hash",
      "filename",
      "fqdn"
    ],
    "baseConfig": "Elasticsearch",
    "configurationItems": [
      {
        "name": "endpoints",
        "description": "Define the Elasticsearch endpoints",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "http://127.0.0.1:9200"
        ]
      },
      {
        "name": "keys",
        "description": "Set the Elasticsearch API keys for each endpoint. Note: Use API key or basic auth, but not both.",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "users",
        "description": "Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both.",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "passwords",
        "description": "Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both.",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "kibana",
        "description": "Define the kibana address",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "dashboard",
        "description": "Set the kibana dashboard id that will be linked in the report",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "index",
        "description": "Define the Elasticsearch indices to use",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "apm-*-transaction*",
          "auditbeat-*",
          "endgame-*",
          "filebeat-*",
          "packetbeat-*",
          "winlogbeat-*"
        ]
      },
      {
        "name": "field",
        "description": "Define the fields to query",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "destination.ip",
          "dll.hash.md5",
          "dll.hash.sha256",
          "dns.question.name",
          "dns.resolved_ip",
          "file.hash.md5",
          "file.hash.sha256",
          "file.name",
          "hash.md5",
          "hash.sha256",
          "process.args",
          "process.hash.md5",
          "process.hash.sha256",
          "process.parent.hash.md5",
          "process.parent.hash.sha256",
          "source.ip",
          "url.domain",
          "url.full"
        ]
      },
      {
        "name": "size",
        "description": "Define the number of hits per index to return",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "10"
      },
      {
        "name": "verifyssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "cert_path",
        "description": "Path to the CA certificate on the system used to verify the server certificate",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/elasticsearch_analysis:1"
  },
  {
    "name": "EmailRep",
    "version": "1.0",
    "author": "Manabu Niseki",
    "url": "https://github.com/ninoseki/emailrep-analyzer",
    "license": "MIT",
    "description": "emailrep.io lookup.",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "EmailRep",
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://emailrep.io/",
    "service_logo": {
      "path": "assets/emailrep.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Emailrep: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/emailrep:1"
  },
  {
    "name": "EmergingThreats_DomainInfo",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/dadokkio/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "EmergingThreats",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://threatintel.proofpoint.com/",
    "service_logo": {
      "path": "assets/proofpoint.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report_domain.png",
        "caption": "EmergingThreats: domain long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/emergingthreats_domaininfo:1"
  },
  {
    "name": "EmergingThreats_IPInfo",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/dadokkio/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Retrieve ET reputation, related malware, and IDS requests for a given IP address.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "EmergingThreats",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://threatintel.proofpoint.com/",
    "service_logo": {
      "path": "assets/proofpoint.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report_ip.png",
        "caption": "EmergingThreats: IP long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/emergingthreats_ipinfo:1"
  },
  {
    "name": "EmergingThreats_MalwareInfo",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/dadokkio/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Retrieve ET details and info related to a malware hash.",
    "dataTypeList": [
      "file",
      "hash"
    ],
    "baseConfig": "EmergingThreats",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://threatintel.proofpoint.com/",
    "service_logo": {
      "path": "assets/proofpoint.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report_hash.png",
        "caption": "EmergingThreats: hash long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/emergingthreats_malwareinfo:1"
  },
  {
    "name": "EmlParser",
    "version": "2.1",
    "author": "StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "baseConfig": "EmlParser",
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "service": ""
    },
    "description": "Parse and visualise an EML email message. Submit a .eml formatted file and extract some useful information.",
    "dataTypeList": [
      "file"
    ],
    "configurationItems": [
      {
        "name": "email_visualisation",
        "description": "Enable email visualisation in the report. This option requires the program `wkhtmltoimage` and the `wkhtmltopdf` package to be installed on the system. The Docker image has this program installed. Refer to the documentation for more information.",
        "type": "boolean",
        "defaultValue": false,
        "multi": false,
        "required": true
      },
      {
        "name": "wkhtmltoimage_path",
        "description": "Path of the wkhtmltoimage program on the system. This program is required to generate a visualisation of the message as it is seen in a mail client. If using the Docker image, keep the default configuration.",
        "defaultValue": "/usr/bin/wkhtmltoimage",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "service_homepage": "https://www.strangebee.com",
    "service_logo": {
      "path": "assets/sb-logo.jpg",
      "caption": "StrangeBee logo"
    },
    "screenshots": [
      {
        "path": "assets/emlparser-short.png",
        "caption": "EmlParser: short report"
      },
      {
        "path": "assets/emlparser-long.png",
        "caption": "EmlParser: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/emlparser:2"
  },
  {
    "name": "FalconSandbox",
    "version": "1.0",
    "author": "Sebastian Schmerl - Computacenter",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-v3",
    "description": "Submit observables to the Crowdstrike FalconX Sandbox",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "FalconSandbox",
    "configurationItems": [
      {
        "name": "API_Base_Url",
        "description": "Crowdstrike Api Base Url",
        "type": "string",
        "multi": false,
        "required": true,
        "default": "https://api.crowdstrike.com"
      },
      {
        "name": "Client_ID",
        "description": "Crowdstrike Api ClientID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Client_Secret",
        "description": "Crowdstrike Api Client Secret",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "dockerImage": "ghcr.io/thehive-project/falconsandbox:1"
  },
  {
    "name": "FileInfo",
    "version": "8.0",
    "author": "TheHive-Project",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "FileInfo",
    "configurationItems": [
      {
        "name": "manalyze_enable",
        "description": "Whether to enable the Manalyze submodule or not.",
        "type": "boolean",
        "required": true,
        "multi": false,
        "defaultValue": false
      },
      {
        "name": "manalyze_enable_docker",
        "description": "Use docker to run Manalyze. Can be used only if not using the docker image of FileInfo",
        "type": "boolean",
        "required": false,
        "multi": false,
        "defaultValue": false
      },
      {
        "name": "manalyze_enable_binary",
        "description": "Use local binary to run Manalyze. Need to compile it before!",
        "type": "boolean",
        "required": false,
        "multi": false,
        "defaultValue": true
      },
      {
        "name": "manalyze_binary_path",
        "description": "Path to the Manalyze binary that was compiled before. Keep the default value if using the docker image of FileInfo.",
        "type": "string",
        "required": false,
        "multi": false,
        "defaultValue": "/worker/Manalyze/bin/manalyze"
      },
      {
        "name": "floss_enable",
        "description": "Enable the use of FireEye FLARE FLOSS",
        "type": "boolean",
        "required": false,
        "multi": false,
        "default": false
      },
      {
        "name": "floss_binary_path",
        "description": "Path to the FLOSS binary.",
        "type": "string",
        "required": false,
        "multi": false,
        "default": "/usr/bin/floss"
      },
      {
        "name": "floss_minimal_string_length",
        "description": "Minimum length a string must have in order to be considered.",
        "type": "number",
        "required": false,
        "multi": false,
        "default": 4
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/fileinfo:8"
  },
  {
    "name": "FireEyeiSight",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/LDO-CERT/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.",
    "dataTypeList": [
      "domain",
      "ip",
      "hash",
      "url"
    ],
    "baseConfig": "FireEyeiSight",
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "service": "query"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for FireEye iSIGHT.",
        "required": true,
        "type": "string",
        "multi": false
      },
      {
        "name": "pwd",
        "description": "Password associated to the API key.",
        "required": true,
        "type": "string",
        "multi": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://intelligence.fireeye.com/",
    "service_logo": {
      "path": "assets/fireeyeisight.png",
      "caption": "FireEyeiSight logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "FireEyeiSight: Long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/fireeyeisight:1"
  },
  {
    "name": "FireHOLBlocklists",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "description": "Check IP addresses against the FireHOL blocklists",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "FireHOLBlocklists",
    "configurationItems": [
      {
        "name": "blocklistpath",
        "description": "Path to blocklists",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://iplists.firehol.org/",
    "service_logo": {
      "path": "assets/firehol.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "FireHOL Blocklists: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/fireholblocklists:2"
  },
  {
    "name": "ForcepointWebsensePing",
    "version": "1.0",
    "author": "Andrea Garavaglia, Davide Arcuri - LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use ForcepointWebsensePing to determine which category a certain URL is assigned to.",
    "dataTypeList": [
      "url",
      "ip",
      "domain",
      "fqdn"
    ],
    "baseConfig": "ForcepointWebsensePing",
    "config": {
      "service": "lookup"
    },
    "configurationItems": [
      {
        "name": "hostname",
        "description": "Forcepoint remote Filtering Service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "timeout",
        "description": "WebsensePing timeout-secs",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 10
      },
      {
        "name": "path",
        "description": "WebsensePing path",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "/opt/Websense/bin"
      },
      {
        "name": "malicious_categories",
        "description": "List of Forcepoint categories to be considered as malicious",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "Dynamic DNS",
          "Elevated Exposure",
          "Emerging Exploits",
          "Extended Protection",
          "Newly Registered Websites",
          "Suspicious Content",
          "Advanced Malware Command and Control",
          "Advanced Malware Payloads",
          "Botnets",
          "Bot Networks",
          "Compromised Websites",
          "Malicious Web Sites",
          "Custom-Encrypted Uploads",
          "Files Containing Passwords",
          "Keyloggers",
          "Malicious Embedded Link",
          "Malicious Embedded Iframe",
          "Malicious Websites",
          "Mobile Malware",
          "Phishing and Other Frauds",
          "Potentially Exploited Documents",
          "Potentially Unwanted Software",
          "Spyware",
          "Suspicious Embedded Link",
          "Elevated Exposure  Newly Registered Websites",
          "Unauthorized Mobile Marketplaces",
          "User-Defined"
        ]
      },
      {
        "name": "suspicious_categories",
        "description": "List of Forcepoint categories you would consider as suspicious",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "Uncategorized",
          "Parked Domain",
          "Hacking",
          "Proxy Avoidance",
          "Intolerance",
          "Abused Drugs",
          "Adult Content",
          "Adult Material",
          "Advertisements",
          "Computer Security",
          "Drugs",
          "Dynamic Content",
          "Illegal or Questionable",
          "Marijuana",
          "Militancy and Extremist",
          "Network Errors",
          "Peer-to-Peer File Sharing",
          "Personal Network Storage and Backup",
          "Private IP Addresses",
          "Sex",
          "Tastelesstopics or to improper language",
          "Violence",
          "Web and Email Spam",
          "Security"
        ]
      },
      {
        "name": "safe_categories",
        "description": "List of Forcepoint categories you would consider as safe",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "Business and Economy",
          "Bandwidth",
          "Education",
          "Government",
          "News and Media",
          "Productivity",
          "Religion",
          "Society and Lifestyles",
          "Special Events",
          "Information Technology",
          "Abortion",
          "Advocacy Groups",
          "Entertainment",
          "Facebook Apps ",
          "Facebook Chat",
          "Facebook Commenting",
          "Facebook Events",
          "Facebook Friends",
          "Facebook Games",
          "Facebook Groups",
          "Facebook Mail",
          "Facebook Photo Upload",
          "Facebook Posting",
          "Facebook Questions",
          "Facebook Video Upload",
          "File Download Servers",
          "LinkedIn Connections",
          "LinkedIn Jobs",
          "LinkedIn Mail",
          "LinkedIn Updates",
          "Twitter Follow",
          "Twitter Mail",
          "Twitter Posting",
          "YouTube Commenting",
          "YouTube Sharing",
          "YouTube Video Upload",
          "Alternative Journals",
          "Application and Software Download",
          "Blog Commenting",
          "Blog Posting",
          "Blogs and Personal Sites",
          "Classified Posting",
          "Social and Affiliation Organizations",
          "Social Networking",
          "Social Organizations",
          "Social Web - Facebook",
          "Social Web - LinkedIn",
          "Social Web - Twitter",
          "Social Web - YouTube",
          "Social Web Controls - Various",
          "Sports",
          "Entertainment Video",
          "Financial Data and Services",
          "Instant Messaging",
          "Job Search",
          "Shopping",
          "Travel",
          "Vehicles",
          "Search Engines and Portals",
          "Alcohol and Tobacco",
          "Collaboration – Office",
          "Content Delivery Networks",
          "Cultural Institutions",
          "Educational Institutions",
          "Educational Materials",
          "Educational Video",
          "General Email",
          "Health",
          "Hobbies",
          "Gay or Lesbian or Bisexual Interest",
          "Gambling",
          "Games",
          "Hosted Business Applications",
          "Internet Auctions",
          "Internet Communication",
          "Internet Radio and TV",
          "Internet Telephony",
          "Media File Download",
          "Message Boards and Forums",
          "Non-Traditional Religion",
          "Nudity",
          "Nutrition",
          "Office - Apps",
          "Office - Documents",
          "Office - Drive",
          "Office - Mail",
          "Office Category used to manage the Office domain",
          "Online Brokerage and Trading",
          "Organizational Email",
          "Personals and Dating",
          "Pay-to-Surf",
          "Political Organizations",
          "Prescribed Medications",
          "Pro-Choice",
          "Pro-Life",
          "Professional and Worker Organizations",
          "Real Estate",
          "Reference Materials",
          "Restaurants and Dining",
          "Service and Philanthropic Organizations",
          "Sex Education",
          "Lingerie and Swimsuit",
          "Sport Hunting and Gun Clubs",
          "Streaming Media",
          "Surveillance",
          "Text and Media Messaging",
          "Traditional Religions",
          "Viral Video",
          "Weapons",
          "Web Analytics",
          "Web and Email Marketing",
          "Web Chat",
          "Web Collaboration",
          "Web Hosting",
          "Web Images",
          "Web Infrastructure",
          "Website Translation"
        ]
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.forcepoint.com",
    "service_logo": {
      "path": "assets/forcepoint_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/ForcepointWebsensePing_long.png",
        "caption": "ForcepointWebsensePing long report sample"
      },
      {
        "path": "assets/ForcepointWebsensePing_short.png",
        "caption": "ForcepointWebsensePing mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/forcepointwebsenseping:1"
  },
  {
    "name": "GRR",
    "version": "0.1",
    "author": "pettai@sunet.se, SUNET",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search GRR for the host agent.",
    "dataTypeList": [
      "ip",
      "fqdn"
    ],
    "baseConfig": "GRR",
    "config": {
      "service": "query"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of the GRR API.",
        "type": "string",
        "required": true,
        "multi": false
      },
      {
        "name": "username",
        "description": "API user to use",
        "type": "string",
        "required": true,
        "multi": false
      },
      {
        "name": "password",
        "description": "API password to the API user",
        "type": "string",
        "required": true,
        "multi": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/grr:0"
  },
  {
    "name": "Gatewatcher_CTI",
    "version": "1.0",
    "author": "Gatewatcher",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-3.0",
    "description": "Get Gatewatcher CTI Report",
    "dataTypeList": [
      "hash",
      "domain",
      "fqdn",
      "url"
    ],
    "baseConfig": "Gatewatcher_CTI",
    "config": {
      "service": "get_report"
    },
    "configurationItems": [
      {
        "name": "apiKey",
        "description": "Gatewatcher CTI Api Key.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "extendedReport",
        "description": "Show reports for relations.",
        "type": "boolean",
        "required": true,
        "multi": false,
        "defaultValue": true
      },
      {
        "name": "maxRelations",
        "description": "Maximum number of relation reports to display if you have enabled the extendedReport option. Set to -1 to show all reports.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 50
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.gatewatcher.com/",
    "service_logo": {
      "path": "assets/Gatewatcher_CTI_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Gatewatcher_CTI_long.png",
        "caption": "Gatewatcher CTI long report sample"
      },
      {
        "path": "assets/Gatewatcher_CTI_short.png",
        "caption:": "Gatewatcher CTI mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/gatewatcher_cti:1"
  },
  {
    "name": "GoogleDNS_resolve",
    "version": "1.0.0",
    "author": "CERT-LaPoste",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Request Google DNS over HTTPS service",
    "dataTypeList": [
      "domain",
      "ip",
      "fqdn"
    ],
    "baseConfig": "GoogleDNS",
    "config": {
      "service": "get"
    },
    "configurationItems": [],
    "dockerImage": "ghcr.io/thehive-project/googledns_resolve:1"
  },
  {
    "name": "GoogleSafebrowsing",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "description": "Use Google Safebrowsing to check URLs and domain names.",
    "dataTypeList": [
      "url",
      "domain"
    ],
    "baseConfig": "GoogleSafebrowsing",
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Client identifier",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "cortex"
      },
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/googlesafebrowsing:2"
  },
  {
    "name": "GoogleVisionAPI_WebDetection",
    "version": "1.0.0",
    "author": "CERT-LaPoste",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Find look-alike images via the Google Cloud Vision API using the Web_Detection service",
    "dataTypeList": [
      "file",
      "url"
    ],
    "baseConfig": "GoogleVisionAPI",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key for this service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "max_result",
        "description": "Maximum number of URLs to fetch",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/googlevisionapi_webdetection:1"
  },
  {
    "name": "GreyNoise",
    "version": "3.1",
    "author": "Nclose",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "APLv2",
    "description": "Determine whether an IP has known scanning activity using GreyNoise.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "GreyNoise",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for GreyNoise",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "api_type",
        "description": "API Type to Match Key, either 'enterprise' or 'community'",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://viz.greynoise.io/",
    "service_logo": {
      "path": "assets/greynoise.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "GreyNoise: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/greynoise:3"
  },
  {
    "name": "HIBP_Query",
    "version": "2.0",
    "author": "Matt Erasmus, Jonas Hergenhahn",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query haveibeenpwned.com for a compromised email address",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "HIBP",
    "config": {
      "service": "query",
      "url": "https://haveibeenpwned.com/api/v3/breachedaccount/"
    },
    "configurationItems": [
      {
        "name": "unverified",
        "description": "Include unverified breaches",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "truncate",
        "description": "Truncate the response so that it contains only the names of the data breaches",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "api_key",
        "description": "Api key for hibp",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "retries",
        "description": "Number of times to retry the API request when it returns status code 429",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 5
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hibp_query:2"
  },
  {
    "name": "Hashdd_Detail",
    "version": "2.0",
    "author": "iosonogio, dadokkio",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPLv3",
    "description": "Determine whether a hash is good or bad; if good then list what it is.",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "Hashdd",
    "config": {
      "service": "detail"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key for hashdd",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://www.hashdd.com/",
    "service_logo": {
      "path": "assets/hashdd.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Hashdd: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hashdd_detail:2"
  },
  {
    "name": "Hashdd_Status",
    "version": "2.0",
    "author": "iosonogio, dadokkio",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPLv3",
    "description": "Determine whether a hash is good or bad.",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "Hashdd",
    "config": {
      "service": "status"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key for hashdd",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hashdd_status:2"
  },
  {
    "name": "Hipposcore",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the Hippocampe Score report associated with an IP address, a domain or a URL.",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "url"
    ],
    "baseConfig": "Hippocampe",
    "config": {
      "service": "hipposcore"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hipposcore:2"
  },
  {
    "name": "HippoMore",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the Hippocampe detailed report for an IP address, a domain or a URL.",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "url"
    ],
    "baseConfig": "Hippocampe",
    "config": {
      "service": "more"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hippomore:2"
  },
  {
    "name": "Hunterio_DomainSearch",
    "author": "Rémi Allain, Cyberprotect",
    "license": "AGPL-V3",
    "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
    "version": "1.0",
    "description": "hunter.io is a service to find email addresses from a domain.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "Hunterio",
    "config": {
      "service": "domainsearch",
      "check_tlp": false
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "api key of hunter.io",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://hunter.io/",
    "service_logo": {
      "path": "assets/hunter.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Hunter: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hunterio_domainsearch:1"
  },
  {
    "name": "HybridAnalysis_GetReport",
    "version": "1.0",
    "author": "Daniil Yugoslavskiy, Tieto",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "dataTypeList": [
      "hash",
      "file",
      "filename",
      "url",
      "domain"
    ],
    "description": "Fetch Hybrid Analysis reports associated with hashes and filenames.",
    "baseConfig": "HybridAnalysis",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/hybridanalysis_getreport:1"
  },
  {
    "name": "IBMXForce_Lookup",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/LDO-CERT/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query domains, IPs, hashes and URLs against IBM X-Force threat intelligence sharing platform.",
    "dataTypeList": [
      "domain",
      "ip",
      "hash",
      "url"
    ],
    "baseConfig": "IBMXForce",
    "config": {
      "service": "query"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "X-Force API URL",
        "required": true,
        "multi": false,
        "type": "string"
      },
      {
        "name": "key",
        "description": "X-Force API Key",
        "required": true,
        "multi": false,
        "type": "string"
      },
      {
        "name": "pwd",
        "description": "X-Force API Password",
        "required": true,
        "multi": false,
        "type": "string"
      },
      {
        "name": "verify",
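        "description": "Enable/Disable certificate verification for connections to the X-Force API URL. Keep it enabled where possible: with verification disabled, the API key and password are sent to a server whose identity is not checked.",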
        "required": false,
        "multi": false,
        "type": "boolean",
        "default": true
      },
      {
        "name": "account",
        "description": "Account ID",
        "required": false,
        "multi": false,
        "type": "string"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ibmxforce_lookup:1"
  },
  {
    "name": "IP-API",
    "version": "1.1",
    "author": "Peter Juhas; Fabien Bloume, StrangeBee",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Check IP address or domain using ip-api.com",
    "dataTypeList": [
      "ip",
      "domain"
    ],
    "baseConfig": "IP-API",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for IP-API pro - Unlimited queries, SSL and commercial use",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "service_homepage": "https://ip-api.com",
    "dockerImage": "ghcr.io/thehive-project/ip-api:1"
  },
  {
    "name": "IPVoid",
    "version": "1.0",
    "author": "Joel Snape @ Nettitude",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-v3",
    "description": "Determine whether an IP is present on any of the feeds consumed by IPVoid",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "IPVoid",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for IPVoid",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "dockerImage": "ghcr.io/thehive-project/ipvoid:1"
  },
  {
    "name": "IPinfo_Details",
    "version": "1.0",
    "author": "Manabu Niseki",
    "url": "https://github.com/ninoseki/ipinfo-analyzers",
    "license": "MIT",
    "description": "IPinfo details lookup.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "IPinfo",
    "config": {
      "service": "details"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Define the API key to use to connect to the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ipinfo_details:1"
  },
  {
    "name": "IPinfo_Hosted_Domains",
    "version": "1.0",
    "author": "Manabu Niseki",
    "url": "https://github.com/ninoseki/ipinfo-analyzers",
    "license": "MIT",
    "description": "IPinfo hosted domains lookup.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "IPinfo",
    "config": {
      "service": "hosted_domains"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Define the API key to use to connect to the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ipinfo_hosted_domains:1"
  },
  {
    "name": "IVRE",
    "version": "1.0",
    "author": "Pierre Lalet",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "service_homepage": "https://ivre.rocks/",
    "description": "Fetch details from an IVRE instance.",
    "dataTypeList": [
      "autonomous-system",
      "certificate_hash",
      "domain",
      "fqdn",
      "ip",
      "network",
      "port",
      "user-agent"
    ],
    "baseConfig": "IVRE",
    "configurationItems": [
      {
        "name": "use_data",
        "description": "Use data from the data purpose (MaxMind)",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "use_passive",
        "description": "Use data from the passive purpose",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "use_scans",
        "description": "Use data from the scans (nmap) purpose",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "db_url",
        "description": "The URL of the IVRE database (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "db_url_data",
        "description": "The URL of the IVRE database for the data purpose (e.g., maxmind:///usr/share/ivre/geoip or http://host/cgi); defaults to using IVRE's configuration",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "db_url_passive",
        "description": "The URL of the IVRE database for the passive purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "db_url_scans",
        "description": "The URL of the IVRE database for the scans (nmap) purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "config": {
      "check_tlp": false,
      "max_tlp": 3,
      "check_pap": false,
      "max_pap": 3,
      "auto_extract": false
    },
    "service_logo": {
      "path": "assets/ivre_logo.png",
      "caption": "Logo"
    },
    "dockerImage": "ghcr.io/thehive-project/ivre:1"
  },
  {
    "name": "Inoitsu",
    "version": "1.0",
    "author": "Abdelkader Ben Ali",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "MIT",
    "description": "Query Inoitsu for a compromised email address.",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "Inoitsu",
    "configurationItems": [],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://www.hotsheet.com/inoitsu/",
    "service_logo": {
      "path": "assets/inoitsu_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Inoitsu_long.png",
        "caption": "Inoitsu long report sample"
      },
      {
        "path": "assets/Inoitsu_short.png",
        "caption": "Inoitsu mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/inoitsu:1"
  },
  {
    "name": "IntezerCommunity",
    "version": "1.0",
    "author": "Matteo Lodi",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-v3",
    "description": "Analyze a possible malicious file with Intezer Analyzer",
    "dataTypeList": [
      "file",
      "hash"
    ],
    "baseConfig": "IntezerCommunity",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Intezer",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://analyze.intezer.com/",
    "service_logo": {
      "path": "assets/intezer.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Intezer: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/intezercommunity:1"
  },
  {
    "name": "Investigate_Categorization",
    "version": "1.0",
    "author": "Cisco Umbrella Research @opendns",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate",
    "license": "AGPL-V3",
    "description": "Retrieve Investigate categorization and security features for a domain.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "Investigate",
    "config": {
      "service": "categorization"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the Investigate API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/investigate_categorization:1"
  },
  {
    "name": "Investigate_Sample",
    "version": "1.0",
    "author": "Cisco Umbrella Research @opendns",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Investigate",
    "license": "AGPL-V3",
    "description": "Retrieve sample data from Investigate for a hash. (Sample data provided by ThreatGrid)",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "Investigate",
    "config": {
      "service": "sample"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the Investigate API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/investigate_sample:1"
  },
  {
    "name": "JoeSandbox_File_Analysis_Inet",
    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Joe Sandbox file analysis with Internet access.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "JoeSandbox",
    "config": {
      "service": "file_analysis_inet"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of JoeSandbox service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "analysistimeout",
        "description": "Analysis timeout (seconds)",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 1800
      },
      {
        "name": "networktimeout",
        "description": "Network timeout (second)",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 30
      },
      {
        "name": "HTML_report",
        "description": "Download HTML report",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "images",
        "description": "Allow images in the report",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "observables",
        "description": "Creat observables form report",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "screenshots": [
      {
        "path": "assets/HTML_report.png",
        "caption": "EmlParser: HTML report"
      },
      {
        "path": "assets/images_preview.png",
        "caption": "EmlParser: images preview"
      },
      {
        "path": "assets/IP_URL.png",
        "caption": "EmlParser: IP and URL"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/joesandbox_file_analysis_inet:3"
  },
  {
    "name": "JoeSandbox_File_Analysis_Noinet",
    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Joe Sandbox file analysis without Internet access.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "JoeSandbox",
    "config": {
      "service": "file_analysis_noinet"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of JoeSandbox service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "analysistimeout",
        "description": "Analysis timeout (seconds)",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 1800
      },
      {
        "name": "networktimeout",
        "description": "Network timeout (second)",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 30
      },
      {
        "name": "HTML_report",
        "description": "Download HTML report",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "images",
        "description": "Allow images in the report",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "observables",
        "description": "Creat observables form report",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "screenshots": [
      {
        "path": "assets/HTML_report.png",
        "caption": "EmlParser: HTML report"
      },
      {
        "path": "assets/images_preview.png",
        "caption": "EmlParser: images preview"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/joesandbox_file_analysis_noinet:3"
  },
  {
    "name": "JoeSandbox_Url_Analysis",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Joe Sandbox URL analysis.",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "JoeSandbox",
    "config": {
      "service": "url_analysis"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of JoeSandbox service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "analysistimeout",
        "description": "Analysis timeout (seconds)",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 1800
      },
      {
        "name": "networktimeout",
        "description": "Network timeout (second)",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 30
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/joesandbox_url_analysis:2"
  },
  {
    "name": "Jupyter_Run_Notebook_Analyzer",
    "version": "1.0",
    "url": "https://jupyter.org/",
    "author": "Alexandre Demeyer",
    "license": "AGPL-V3",
    "dataTypeList": [
      "domain",
      "hostname",
      "ip",
      "url",
      "fqdn",
      "uri_path",
      "user-agent",
      "hash",
      "mail",
      "mail_subject",
      "registry",
      "regexp",
      "other",
      "filename",
      "mail-subject"
    ],
    "description": "Execute a parameterized notebook in Jupyter",
    "baseConfig": "Jupyter",
    "config": {
      "check_tlp": true,
      "max_tlp": 4,
      "check_pap": true,
      "max_pap": 3,
      "service": "Run_Notebook"
    },
    "configurationItems": [
      {
        "name": "input_hostname",
        "description": "[INPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to get the input notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "input_handler_http_service_api_token",
        "description": "[HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "input_handler_http_is_jupyterhub",
        "description": "[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "input_handler_http_execute_remotely",
        "description": "[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you want to run your code locally (papermill) or remotely (websocket through HTTP), otherwise don't take this parameter into account",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "input_paths",
        "description": "[INPUT] List of paths of the notebooks you want to run",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "output_hostname",
        "description": "[OUTPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to store the output notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "output_handler_http_service_api_token",
        "description": "[HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "output_handler_http_is_jupyterhub",
        "description": "[OUTPUT][HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "output_folder",
        "description": "[OUTPUT] Folder path in which executed notebooks will be stored. This field is supporting datetime format (see 'strftime' function).",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "/"
      },
      {
        "name": "any_handler_http_user",
        "description": "[ANY][HTTP Handler] If you want to use the REST API directly (HTTP handler), you must indicate which user will be used as the reference for having the original notebooks, otherwise don't take this parameter into account.",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "any_generate_html",
        "description": "[ANY] Indicates if you want the HTML generation within the response. This setting is helpful if you want to reduce the size of the answer returned by the script and manage the HTML render yourself.",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/jupyter.png",
      "caption": "logo"
    },
    "screenshots": [],
    "dockerImage": "ghcr.io/thehive-project/jupyter_run_notebook_analyzer:1"
  },
  {
    "name": "KasperskyThreatIntelligencePortal",
    "version": "1.0",
    "author": "Peter Juhas",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Analyze IP address, domain or hash via Kaspersky Threat Intelligence Portal",
    "dataTypeList": [
      "ip",
      "domain",
      "hash"
    ],
    "baseConfig": "KasperskyTIP",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Kaspersky Threat Intelligence Portal",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/kasperskythreatintelligenceportal:1"
  },
  {
    "name": "Ldap_Query",
    "version": "3.0",
    "author": "Florian Perret @cyber_pescadito & THA-CERT @tha_cert",
    "url": "https://github.com/cyberpescadito/Cortex-Analyzers/tree/master/analyzers/LdapQuery",
    "license": "AGPL-V3",
    "description": "Query your LDAP server to harvest informations about an user of your organization",
    "dataTypeList": [
      "username",
      "mail"
    ],
    "baseConfig": "LdapQuery",
    "configurationItems": [
      {
        "name": "LDAP_address",
        "description": "Should contain the protocol. Eg: ldaps://myldap.myorg.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "LDAP_port",
        "description": "Should contain the ldap port. Eg: 389 or 636",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "LDAP_username",
        "description": "Username of the account that will be used to bind to LDAP server. The Account should have permissions to read ldap objects and attributes.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "LDAP_password",
        "description": "Password of the account used to bind to LDAP server.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "base_DN",
        "description": "The base DN to use in your LDAP. Eg: dc=myorg,dc=com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "uid_search_fields",
        "description": "Specify here one or multiple fields to use when searching by username. Eg: uid and/or sAMAccountName",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "uid_search_filter",
        "description": "Restrict username format that you want to search on LDAP server, based on regular expression(s) matching. Eg: '^[0-9]{8}$' will request LDAP server only if username observable is a string of 8 digits",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "mail_search_fields",
        "description": "Specify here one or multiple fields to use when searching by email. Eg: mail and/or mailAlias",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "mail_search_filter",
        "description": "Restrict email domain names that you want to search on LDAP server. Eg: domain.org",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "attributes",
        "description": "Specify here the attributes you want to harvest. Eg: mail",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "attributes_to_extract",
        "description": "Specify here attributes that you want to extract as Observables. You need to specify the attibute name and observable type using ':' separator (attribute need to respect case sensivity). Format: 'attribute:datatype'. Eg: 'uid:username', 'mail:mail'",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "autoimport_artifacts",
        "description": "Set on 'True' to auto-import extracted artifacts from LDAP response, as observables. False by default.",
        "type": "boolean",
        "required": false
      },
      {
        "name": "attributes_to_tags",
        "description": "Specify here attributes that you want to extract as tags. Optionally, you can re-define tag's prefix, using ':' separator (attribute need to respect case sensivity). Format: 'attribute' | 'attribute:prefix'. Eg: 'mail' will add tag 'mail:jdoe@domain.org', 'mail:e-mail' will add tag 'e-mail:jdoe@domain.org'",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "attributes_to_custom_fields",
        "description": "Specify here attributes that you want to extract as custom fields. You can re-define custom fields' names, using ':' separator (attribute need to respect case sensivity). Format: 'attribute:prefix'. Eg: 'c:Country' will add a 'Country' custom field 'France'",
        "type": "string",
        "multi": true,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ldap_query:3"
  },
  {
    "name": "MISP",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.1",
    "description": "Query multiple MISP instances for events containing an observable.",
    "dataTypeList": [
      "domain",
      "ip",
      "url",
      "fqdn",
      "uri_path",
      "user-agent",
      "hash",
      "mail",
      "mail_subject",
      "registry",
      "regexp",
      "other",
      "filename",
      "mail-subject"
    ],
    "baseConfig": "MISP",
    "configurationItems": [
      {
        "name": "name",
        "description": "Name of MISP servers",
        "multi": true,
        "required": false,
        "type": "string"
      },
      {
        "name": "url",
        "description": "URL of MISP servers",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "key",
        "description": "API key for each server",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "cert_check",
        "description": "Verify server certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "cert_path",
        "description": "Path to the CA on the system used to check server certificate",
        "type": "string",
        "multi": true,
        "required": false
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://www.misp-project.org/",
    "service_logo": {
      "path": "assets/misp.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "MISP: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/misp:2"
  },
  {
    "name": "MISPWarningLists",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/misp-warninglists-analyzer",
    "version": "2.0",
    "description": "Check IoCs/Observables against MISP Warninglists to filter false positives.",
    "dataTypeList": [
      "ip",
      "hash",
      "domain",
      "fqdn",
      "url"
    ],
    "baseConfig": "MISPWarningLists",
    "configurationItems": [
      {
        "name": "path",
        "description": "path to Warninglists folder",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "conn",
        "description": "sqlalchemy connection string",
        "multi": false,
        "required": false,
        "type": "string"
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/MISP/misp-warninglists",
    "service_logo": {
      "path": "assets/misp.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "MISPWarningLists: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/mispwarninglists:2"
  },
  {
    "name": "MSEntraID_GetDirectoryAuditLogs",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Pull Microsoft Entra ID directory audit logs for a user within the specified timeframe.",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "getDirectoryAuditLogs"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "lookup_range",
        "description": "Check for Directory Audit Logs in the last X days. Should be between 1 and 31 days.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 7
      },
      {
        "name": "lookup_limit",
        "description": "Display no more than this many Directory Audit Logs.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 12
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_getdirectoryauditlogs:1"
  },
  {
    "name": "MSEntraID_GetManagedDevicesInfo",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get Microsoft Intune Managed Device(s) Details from hostname or mail",
    "dataTypeList": [
      "mail",
      "hostname"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "getManagedDevicesInfo"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_getmanageddevicesinfo:1"
  },
  {
    "name": "MSEntraID_GetSignIns",
    "version": "1.0",
    "author": "@jahamilto",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Pull all Microsoft Entra ID sign ins for a user within the specified amount of time.",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "getSignIns"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "lookup_range",
        "description": "Check for sign ins in the last X days. Should be between 1 and 31 days.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 7
      },
      {
        "name": "lookup_limit",
        "description": "Display no more than this many sign ins.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 12
      },
      {
        "name": "state",
        "description": "Expected sign in state (used as a taxonomy when sign ins appear outside of this area).",
        "type": "number",
        "multi": false,
        "required": false
      },
      {
        "name": "country",
        "description": "Expected sign in country or region (used as a taxonomy when sign ins appear outside of this area).",
        "type": "number",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_getsignins:1"
  },
  {
    "name": "MSEntraID_GetUserInfo",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get information about the user from Microsoft Entra ID, using the mail",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "getUserInfo"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "params_list",
        "description": "list of query params to get User information",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "businessPhones",
          "givenName",
          "surname",
          "userPrincipalName",
          "displayName",
          "jobTitle",
          "mail",
          "mobilePhone",
          "officeLocation",
          "department",
          "accountEnabled",
          "onPremisesSyncEnabled",
          "onPremisesLastSyncDateTime",
          "onPremisesSecurityIdentifier",
          "proxyAddresses",
          "usageLocation",
          "userType",
          "createdDateTime"
        ]
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_getuserinfo:1"
  },
  {
    "name": "Malpedia",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "license": "AGPL-V3",
    "url": "https://github.com/LDO-CERT/cortex-analyzers",
    "version": "1.0",
    "description": "Check files against Malpedia YARA rules.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "Malpedia",
    "configurationItems": [
      {
        "name": "path",
        "description": "Rulepath",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "Username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Password",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/malpedia:1"
  },
  {
    "name": "Maltiverse_Report",
    "version": "1.0",
    "author": "ottimo",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest Maltiverse report for an hash, domain or an IP address.",
    "dataTypeList": [
      "hash",
      "domain",
      "ip",
      "url"
    ],
    "baseConfig": "Maltiverse",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "polling_interval",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      },
      {
        "name": "api_key",
        "description": "Auth token to use when requesting data to Maltiverse",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": ""
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://maltiverse.com/search",
    "service_logo": {
      "path": "assets/maltiverse.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Maltiverse: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/maltiverse_report:1"
  },
  {
    "name": "MalwareBazaar",
    "author": "Andrea Garavaglia, Davide Arcuri - LDO-CERT",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "baseConfig": "MalwareBazaar",
    "description": "Search hashes on MalwareBazaar.",
    "dataTypeList": [
      "hash"
    ],
    "configurationItems": [
      {
        "name": "api_key",
        "description": "MalwareBazaar api key",
        "multi": false,
        "required": true,
        "type": "string"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://bazaar.abuse.ch/",
    "service_logo": {
      "path": "assets/malwarebazaar.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "MalwareBazaar: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/malwarebazaar:1"
  },
  {
    "name": "MalwareClustering_Search",
    "version": "1.0",
    "author": "LDO-CERT",
    "url": "https://github.com/LDO-CERT/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Uses ApiVectors to find similarities between malware samples.",
    "dataTypeList": [
      "file",
      "hash"
    ],
    "baseConfig": "MalwareClustering",
    "config": {
      "check_tlp": true,
      "service": "search",
      "max_tlp": 3
    },
    "configurationItems": [
      {
        "name": "n4j_host",
        "description": "Neo4j server host",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "n4j_port",
        "description": "Neo4j server port",
        "type": "number",
        "multi": false,
        "required": true
      },
      {
        "name": "n4j_user",
        "description": "Neo4j server user",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "n4j_pwd",
        "description": "Neo4j server password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "threshold",
        "description": "ApiScout correlation threshold",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "",
    "screenshots": [
      {
        "path": "assets/MalwareCustering_long.png",
        "caption": "MalwareCustering long report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/malwareclustering_search:1"
  },
  {
    "name": "Malwares_GetReport",
    "version": "1.0",
    "author": "LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest Malwares report for a file, hash, domain or an IP address.",
    "dataTypeList": [
      "file",
      "hash",
      "domain",
      "ip"
    ],
    "baseConfig": "Malwares",
    "config": {
      "check_tlp": true,
      "max_tlp": 3,
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Malwares.com API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.malwares.com/",
    "service_logo": {
      "path": "assets/malwares.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Malwares: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/malwares_getreport:1"
  },
  {
    "name": "Malwares_Scan",
    "version": "1.0",
    "author": "LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Malwares' API to scan a file or URL.",
    "dataTypeList": [
      "file",
      "url"
    ],
    "baseConfig": "Malwares",
    "config": {
      "check_tlp": true,
      "service": "scan",
      "max_tlp": 1
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Malwares.com API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.malwares.com/",
    "service_logo": {
      "path": "assets/malwares.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "Malwares: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/malwares_scan:1"
  },
  {
    "name": "MaxMind_GeoIP",
    "version": "4.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use MaxMind to geolocate an IP address.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "MaxMind",
    "dockerImage": "ghcr.io/thehive-project/maxmind_geoip:4"
  },
  {
    "name": "MetaDefenderCloud_GetReport",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest MetaDefender Cloud report for hash.",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "MetaDefender",
    "config": {
      "service": "query_cloud"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for MetaDefender",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "url address for MetaDefender server",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/metadefendercloud_getreport:1"
  },
  {
    "name": "MetaDefenderCloud_Reputation",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest MetaDefender Cloud reputation report .",
    "dataTypeList": [
      "ip",
      "url",
      "domain"
    ],
    "baseConfig": "MetaDefender",
    "config": {
      "service": "reputation_cloud"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for MetaDefender",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "url address for MetaDefender server",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/metadefendercloud_reputation:1"
  },
  {
    "name": "MetaDefenderCloud_Scan",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Scan a file with MetaDefender Cloud",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "MetaDefender",
    "config": {
      "service": "scan_cloud"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for MetaDefender",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "url address for MetaDefender server",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 10
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/metadefendercloud_scan:1"
  },
  {
    "name": "MetaDefenderCore_GetReport",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest MetaDefender Core report for hash.",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "MetaDefender",
    "config": {
      "service": "query_core"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for MetaDefender",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "url address for MetaDefender server",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/metadefendercore_getreport:1"
  },
  {
    "name": "MetaDefenderCore_Scan",
    "version": "1.0",
    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Scan a file with MetaDefender Core",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "MetaDefender",
    "config": {
      "service": "scan_core"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for MetaDefender",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "url address for MetaDefender server",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 10
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/metadefendercore_scan:1"
  },
  {
    "name": "Mnemonic_pDNS_Closed",
    "version": "3.0",
    "author": "Michael Stensrud, Nordic Financial CERT",
    "url": "https://passivedns.mnemonic.no/search",
    "license": "AGPL-V3",
    "description": "Query IP addresses and domains against Mnemonic pDNS restricted service.",
    "dataTypeList": [
      "ip",
      "domain"
    ],
    "baseConfig": "Mnemonic_pDNS",
    "config": {
      "check_tlp": true,
      "service": "closed"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/mnemonic_pdns_closed:3"
  },
  {
    "name": "Mnemonic_pDNS_Public",
    "version": "3.0",
    "author": "Michael Stensrud, Nordic Financial CERT",
    "url": "https://passivedns.mnemonic.no/search",
    "license": "AGPL-V3",
    "description": "Query IP addresses and domains against Mnemonic pDNS public service.",
    "dataTypeList": [
      "ip",
      "domain"
    ],
    "baseConfig": "Mnemonic_pDNS",
    "config": {
      "check_tlp": true,
      "service": "public"
    },
    "configurationItems": [],
    "dockerImage": "ghcr.io/thehive-project/mnemonic_pdns_public:3"
  },
  {
    "name": "Msg_Parser",
    "version": "3.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Parse Outlook MSG files and extract the main artifacts.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "MsgParser",
    "dockerImage": "ghcr.io/thehive-project/msg_parser:3"
  },
  {
    "name": "NERD",
    "version": "1.1",
    "author": "Vaclav Bartos, CESNET",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get Reputation score and other basic information from Network Entity Reputation Database (NERD)",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "NERD",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "Base URL of the NERD instance",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "https://nerd.cesnet.cz/nerd/"
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://nerd.cesnet.cz/",
    "service_logo": {
      "path": "assets/NERD_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/NERD_long.png",
        "caption": "NERD long report sample"
      },
      {
        "path": "assets/NERD_short.png",
        "caption": "NERD mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/nerd:1"
  },
  {
    "name": "NSRL",
    "author": "Andrea Garavaglia, Davide Arcuri - LDO-CERT",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Query NSRL",
    "dataTypeList": [
      "hash",
      "filename"
    ],
    "baseConfig": "NSRL",
    "configurationItems": [
      {
        "name": "conn",
        "description": "sqlalchemy connection string",
        "multi": false,
        "required": false,
        "type": "string"
      },
      {
        "name": "grep_path",
        "description": "path of grep",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "nsrl_folder",
        "description": "path of NSRL folder",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/nsrl:1"
  },
  {
    "name": "Nessus",
    "version": "2.0",
    "author": "Guillaume Rousse",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Nessus Professional to scan hosts.",
    "dataTypeList": [
      "ip",
      "fqdn"
    ],
    "baseConfig": "Nessus",
    "configurationItems": [
      {
        "name": "url",
        "description": "Define the URL to the Nessus service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "login",
        "description": "Define the login to Nessus",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Define the password to the Nessus account",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "policy",
        "description": "Define the policy used to run scans",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "ca_bundle",
        "description": "Define the path to the Nessus CA",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "allowed_network",
        "description": "Define networks allowed to be scanned",
        "type": "string",
        "multi": true,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/nessus:2"
  },
  {
    "name": "ONYPHE_OnDemandScan",
    "version": "1.0",
    "author": "James Atack",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Perform active scan of an asset using a Scanyphe Entreprise On-Demand scanner",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn"
    ],
    "baseConfig": "Onyphe",
    "config": {
      "service": "scanyphe",
      "base_uri": "/api/v3/",
      "base_url": "https://www.onyphe.io",
      "scanyphe_poll_interval": 30,
      "onyphe_import": false,
      "check_tlp": true,
      "max_tlp": 2,
      "check_pap": true,
      "max_pap": 1
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "auto_import",
        "description": "Automatically import artifacts as observables (risks, cves, assets, ...)",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "maxscantime",
        "description": "Max scan time (default 120 seconds)",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 120
      },
      {
        "name": "urlscan",
        "description": "Enable/disable urlscan stage",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "vulnscan",
        "description": "Enable/disable vulnscan stage",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "riskscan",
        "description": "Enable/disable riskscan stage",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "asm",
        "description": "Enable/disable asm stage",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "ports",
        "description": "list of ports to scan, comma-separated list (default to ONYPHE’s scanned ports)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": ""
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.onyphe.io",
    "service_logo": {
      "path": "assets/onyphe_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/onyphe_ondemandscan:1"
  },
  {
    "name": "OTXQuery",
    "version": "2.0",
    "author": "Eric Capuano",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query AlienVault OTX for IPs, domains, URLs, or file hashes.",
    "dataTypeList": [
      "url",
      "domain",
      "file",
      "hash",
      "ip"
    ],
    "baseConfig": "OTXQuery",
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://otx.alienvault.com/",
    "service_logo": {
      "path": "assets/OTX.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "OTX Alienvault: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/otxquery:2"
  },
  {
    "name": "OktaUserLookup",
    "author": "Martin Jaan Leesment",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Okta User Lookup is an analyzer for TheHive to enrich mail observables from data through the Okta users API",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "OktaUserLookup",
    "configurationItems": [
      {
        "name": "OktaOrgUrl",
        "description": "Must contain your okta organisation URL. Eg: https://<yourcompany>.okta.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "OktaToken",
        "description": "Must contain the Okta access token.",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://developer.okta.com/docs/reference/api/users/",
    "dockerImage": "ghcr.io/thehive-project/oktauserlookup:1"
  },
  {
    "name": "ONYPHE_ASM",
    "version": "1.1",
    "author": "Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Manage an attack surface from The Hive using ONYPHE riskscan category",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "hash"
    ],
    "baseConfig": "Onyphe",
    "config": {
      "service": "asm",
      "base_uri": "/api/v2/",
      "base_url": "https://www.onyphe.io"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "time_filter",
        "description": "Specify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "-since:1M"
      },
      {
        "name": "fields_filter",
        "description": "[!!Advanced!!] Modify ONYPHE fields to return in raw data (see https://www.onyphe.io/docs/onyphe-query-language)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "ip,port,protocol,tag,tls,cpe,cve,hostname,domain,alternativeip,forward,url,organization,transport,organization,device.class,device.product,device.productvendor,device.productversion,product,productvendor,productversion"
      },
      {
        "name": "auto_import",
        "description": "Automatically import artifacts as observables (risks, cves, assets, ...)",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.onyphe.io",
    "service_logo": {
      "path": "assets/onyphe_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/ONYPHE_ASM_long.png",
        "caption": "ONYPHE ASM report sample (IPs obscured) with click to expand accordion."
      },
      {
        "path": "assets/ONYPHE_ASM_short.png",
        "caption": "ONYPHE ASM mini report showing no. of risks"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/onyphe_asm:1"
  },
  {
    "name": "ONYPHE_Ctiscan",
    "version": "1.0",
    "author": "James Atack",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Query ONYPHE Ctiscan threat hunting data for open services (takes ip, domain, fqdn, autonomous-system or hash.)",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "hash",
      "autonomous-system",
      "other"
    ],
    "baseConfig": "Onyphe",
    "config": {
      "service": "ctiscan",
      "base_uri": "/api/v2/",
      "base_url": "https://www.onyphe.io",
      "keep_all_tags": false,
      "check_tlp": true,
      "max_tlp": 2,
      "check_pap": true,
      "max_pap": 2
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "time_filter",
        "description": "Specify ONYPHE time function to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "-since:1w"
      },
      {
        "name": "return_other_artifacts",
        "description": "Analyzer will create '<ip>:<port>' artifacts of type 'other' for each open service, with tags for technologies and protocols",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "auto_import",
        "description": "Automatically import artifacts as observables",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.onyphe.io",
    "service_logo": {
      "path": "assets/onyphe_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/ONYPHE_Ctiscan_long.png",
        "caption": "ONYPHE Ctiscan report sample (IPs obscured)"
      },
      {
        "path": "assets/ONYPHE_Ctiscan_short.png",
        "caption": "ONYPHE Ctiscan mini report showing imported observables for open services"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/onyphe_ctiscan:1"
  },
  {
    "name": "ONYPHE_Search",
    "version": "1.1",
    "author": "Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Retrieve results from ONYPHE Search API for a given ip, domain, fqdn or hash (sha256 TLS fingerprint) from specified category",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "hash"
    ],
    "baseConfig": "Onyphe",
    "config": {
      "service": "search",
      "base_uri": "/api/v2/",
      "base_url": "https://www.onyphe.io"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "category",
        "description": "Specify ONYPHE category to be used for search API (default datascan)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "datascan"
      },
      {
        "name": "time_filter",
        "description": "Specify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "-since:1M"
      },
      {
        "name": "auto_import",
        "description": "Automatically import artifacts as observables (risks, cves, assets, ...)",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.onyphe.io",
    "service_logo": {
      "path": "assets/onyphe_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/ONYPHE_Search_long.png",
        "caption": "ONYPHE Search report sample (IPs obscured)"
      },
      {
        "path": "assets/ONYPHE_Search_short.png",
        "caption": "ONYPHE Search mini report showing no. of open ports"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/onyphe_search:1"
  },
  {
    "name": "ONYPHE_Summary_API",
    "version": "1.2",
    "author": "Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Retrieve summary information Onyphe has for given ip, domain, or fqdn.",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn"
    ],
    "baseConfig": "Onyphe",
    "config": {
      "service": "summary",
      "base_uri": "/api/v2/",
      "base_url": "https://www.onyphe.io"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "verbose_taxonomies",
        "description": "Set true if you want detailed taxonomies for port, subnet, geoloc, domain",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.onyphe.io",
    "service_logo": {
      "path": "assets/onyphe_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Onyphe_Summary_long.png",
        "caption": "Onyphe_Summary long report sample"
      },
      {
        "path": "assets/Onyphe_Summary_short.png",
        "caption": "Onyphe_Summary mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/onyphe_summary_api:1"
  },
  {
    "name": "ONYPHE_Vulnscan",
    "version": "1.1",
    "author": "Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "description": "Retrieve vulnerability data from ONYPHE vulnscan category for a given ip, domain, fqdn or hash (sha256 TLS fingerprint)",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "hash"
    ],
    "baseConfig": "Onyphe",
    "config": {
      "service": "vulnscan",
      "base_uri": "/api/v2/",
      "base_url": "https://www.onyphe.io"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "time_filter",
        "description": "Specify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "-since:1M"
      },
      {
        "name": "only_vulnerable",
        "description": "Only return results where a CVE exists (-exists:cve)",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "auto_import",
        "description": "Automatically import artifacts as observables (risks, cves, assets, ...)",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://www.onyphe.io",
    "service_logo": {
      "path": "assets/onyphe_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/ONYPHE_Vulnscan_long.png",
        "caption": "ONYPHE Vulnscan report sample (IPs obscured)"
      },
      {
        "path": "assets/ONYPHE_Vulnscan_short.png",
        "caption": "ONYPHE Vulnscan mini report showing no. of CVEs"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/onyphe_vulnscan:1"
  },
  {
    "name": "OpenCTI_SearchExactObservable",
    "author": "ANSSI",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/",
    "version": "2.0",
    "description": "Query multiple OpenCTI instances for a specific observable.",
    "dataTypeList": [
      "domain",
      "ip",
      "url",
      "fqdn",
      "uri_path",
      "user-agent",
      "hash",
      "mail",
      "mail_subject",
      "registry",
      "regexp",
      "other",
      "filename",
      "mail-subject"
    ],
    "config": {
      "service": "search_exact"
    },
    "baseConfig": "OpenCTI",
    "configurationItems": [
      {
        "name": "name",
        "description": "Name of OpenCTI servers",
        "multi": true,
        "required": false,
        "type": "string"
      },
      {
        "name": "url",
        "description": "URL of OpenCTI servers",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "key",
        "description": "API key for each server",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "cert_check",
        "description": "Verify server certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://www.opencti.io",
    "service_logo": {
      "path": "assets/logo_opencti.png",
      "caption": "logo"
    },
    "screenshots": [],
    "dockerImage": "ghcr.io/thehive-project/opencti_searchexactobservable:2"
  },
  {
    "name": "OpenCTI_SearchObservables",
    "author": "ANSSI",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/",
    "version": "2.0",
    "description": "Query multiple OpenCTI instances for a list of observables matching a pattern.",
    "dataTypeList": [
      "domain",
      "ip",
      "url",
      "fqdn",
      "uri_path",
      "user-agent",
      "hash",
      "mail",
      "mail_subject",
      "registry",
      "regexp",
      "other",
      "filename",
      "mail-subject"
    ],
    "config": {
      "service": "search_observables"
    },
    "baseConfig": "OpenCTI",
    "configurationItems": [
      {
        "name": "name",
        "description": "Name of OpenCTI servers",
        "multi": true,
        "required": false,
        "type": "string"
      },
      {
        "name": "url",
        "description": "URL of OpenCTI servers",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "key",
        "description": "API key for each server",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "cert_check",
        "description": "Verify server certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://www.opencti.io",
    "service_logo": {
      "path": "assets/logo_opencti.png",
      "caption": "logo"
    },
    "screenshots": [],
    "dockerImage": "ghcr.io/thehive-project/opencti_searchobservables:2"
  },
  {
    "name": "PaloAltoWildFire",
    "version": "1.0",
    "author": "Ignacio Rodriguez Paez, Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Run Palo Alto WildFire analysis on a file, hash, or URL",
    "dataTypeList": [
      "file",
      "url",
      "hash"
    ],
    "baseConfig": "PaloAltoWildFire",
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.paloaltonetworks.com/network-security/wildfire",
    "service_logo": {
      "path": "assets/palo_alto_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/wildfire_file.png",
        "caption": "WildFire file analysis long report sample"
      },
      {
        "path": "assets/wildfire_url.png",
        "caption": "WildFire URL analysis long report sample"
      }
    ],
    "configurationItems": [
      {
        "name": "api_host",
        "description": "You can send requests to the WildFire global cloud (U.S., default option) or to the WildFire regional clouds that Palo Alto Networks owns and maintains. See the WildFire Public Cloud documentation for a list of valid servers.",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "wildfire.paloaltonetworks.com"
      },
      {
        "name": "key",
        "description": "API key for WildFire",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define the time interval between two request attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltowildfire:1"
  },
  {
    "name": "PassiveTotal_Components",
    "version": "2.0",
    "author": "Brandon Dixon (9bplus)",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Components Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "components",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_components:2"
  },
  {
    "name": "PassiveTotal_Enrichment",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Enrichment Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "enrichment",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_enrichment:2"
  },
  {
    "name": "PassiveTotal_Host_Pairs",
    "version": "2.0",
    "author": "Brandon Dixon (9bplus)",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Host Pairs Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "host_pairs",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_host_pairs:2"
  },
  {
    "name": "PassiveTotal_Malware",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Malware Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "malware",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_malware:2"
  },
  {
    "name": "PassiveTotal_Osint",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal OSINT Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "osint",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_osint:2"
  },
  {
    "name": "PassiveTotal_Passive_Dns",
    "version": "2.1",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Passive DNS Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "passive_dns",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_passive_dns:2"
  },
  {
    "name": "PassiveTotal_Ssl_Certificate_Details",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal SSL Certificate Details Lookup.",
    "dataTypeList": [
      "hash",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "ssl_certificate_details",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_ssl_certificate_details:2"
  },
  {
    "name": "PassiveTotal_Ssl_Certificate_History",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal SSL Certificate History Lookup.",
    "dataTypeList": [
      "hash",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "ssl_certificate_history",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_ssl_certificate_history:2"
  },
  {
    "name": "PassiveTotal_Trackers",
    "version": "2.0",
    "author": "Brandon Dixon (9bplus)",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Trackers Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "trackers",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_trackers:2"
  },
  {
    "name": "PassiveTotal_Unique_Resolutions",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Unique Resolutions Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "unique_resolutions",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_unique_resolutions:2"
  },
  {
    "name": "PassiveTotal_Whois_Details",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PassiveTotal Whois Details Lookup.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "baseConfig": "PassiveTotal",
    "config": {
      "service": "whois_details",
      "auto_extract": true
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Define the username of the account used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/passivetotal_whois_details:2"
  },
  {
    "name": "Patrowl_GetReport",
    "version": "1.0",
    "author": "Nicolas Mattiocco",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the current Patrowl report for an FQDN, a domain or an IP address.",
    "dataTypeList": [
      "fqdn",
      "domain",
      "ip"
    ],
    "baseConfig": "Patrowl",
    "config": {
      "service": "getreport"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "Define the PatrOwl url",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "Define the PatrOwl API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://patrowl.io/home",
    "service_logo": {
      "path": "assets/logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/patrowl-minireport.png",
        "caption": "Patrowl_GetReport: short report template"
      },
      {
        "path": "assets/patrowl-longreport.png",
        "caption": "Patrowl_GetReport: long report template"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/patrowl_getreport:1"
  },
  {
    "name": "PayloadSecurity_File_Analysis",
    "version": "1.0",
    "author": "Emmanuel Torquato",
    "url": "https://github.com/notset/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PayloadSecurity Sandbox File Analysis",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "PayloadSecurity",
    "configurationItems": [
      {
        "name": "url",
        "description": "Define the url of the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "secret",
        "description": "Define the secret used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "environmentId",
        "description": "Define the environment Id used by the service",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 100
      },
      {
        "name": "timeout",
        "description": "Define the timeout of requests to the service",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 15
      },
      {
        "name": "verifyssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/payloadsecurity_file_analysis:1"
  },
  {
    "name": "PayloadSecurity_Url_Analysis",
    "version": "1.0",
    "author": "Emmanuel Torquato",
    "url": "https://github.com/notset/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "PayloadSecurity Sandbox Url Analysis",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "PayloadSecurity",
    "configurationItems": [
      {
        "name": "url",
        "description": "Define the url of the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "secret",
        "description": "Define the secret used to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "environmentId",
        "description": "Define the environment Id used by the service",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 100
      },
      {
        "name": "timeout",
        "description": "Define the timeout of requests to the service",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 15
      },
      {
        "name": "verifyssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/payloadsecurity_url_analysis:1"
  },
  {
    "name": "PhishTank_CheckURL",
    "version": "2.1",
    "author": "Eric Capuano",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use PhishTank to check if a URL is a verified phishing site.",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "PhishTank",
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://phishtank.com/",
    "service_logo": {
      "path": "assets/phish_tank.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "PhishTank: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/phishtank_checkurl:2"
  },
  {
    "name": "PhishingInitiative_Lookup",
    "version": "2.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Phishing Initiative to check if a URL is a verified phishing site.",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "PhishingInitiative",
    "config": {
      "service": "lookup"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://phishing-initiative.fr/",
    "service_logo": {
      "path": "assets/phishing-initiative.png",
      "caption": "logo"
    },
    "screenshots": [],
    "dockerImage": "ghcr.io/thehive-project/phishinginitiative_lookup:2"
  },
  {
    "name": "PhishingInitiative_Scan",
    "version": "1.0",
    "author": "Remi Pointel",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Phishing Initiative to scan a URL.",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "PhishingInitiative",
    "config": {
      "service": "scan"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://phishing-initiative.fr/",
    "service_logo": {
      "path": "assets/phishing-initiative.png",
      "caption": "logo"
    },
    "screenshots": [],
    "dockerImage": "ghcr.io/thehive-project/phishinginitiative_scan:1"
  },
  {
    "name": "ProofPoint_Lookup",
    "version": "1.0",
    "author": "Emmanuel Torquato",
    "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Check URL, file, SHA256 against ProofPoint forensics",
    "dataTypeList": [
      "url",
      "file",
      "hash"
    ],
    "baseConfig": "ProofPoint",
    "config": {
      "service": "query",
      "max_tlp": 1,
      "check_tlp": true
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "URL of the Proofpoint API, the default should be okay.",
        "type": "string",
        "required": true,
        "defaultValue": "https://tap-api-v2.proofpoint.com",
        "multi": false
      },
      {
        "name": "apikey",
        "description": "API key to use",
        "type": "string",
        "required": true,
        "multi": false
      },
      {
        "name": "secret",
        "description": "Secret to the API key",
        "type": "string",
        "required": true,
        "multi": false
      },
      {
        "name": "verifyssl",
        "description": "Verify server's SSL certificate",
        "type": "boolean",
        "defaultValue": true,
        "required": false,
        "multi": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/proofpoint_lookup:1"
  },
  {
    "name": "Pulsedive_GetIndicator",
    "version": "1.0",
    "author": "Nils Kuhnert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search Pulsedive.com for a given domain name, hash, ip or url",
    "dataTypeList": [
      "url",
      "domain",
      "ip",
      "hash"
    ],
    "baseConfig": "Pulsedive",
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/pulsedive_getindicator:1"
  },
  {
    "name": "QrDecode",
    "version": "1.0",
    "author": "THA-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Extracts data from one or more QR codes.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "QrDecode",
    "dockerImage": "ghcr.io/thehive-project/qrdecode:1"
  },
  {
    "name": "RecordedFuture",
    "version": "2.0",
    "author": "Recorded Future",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "hash",
      "url"
    ],
    "description": "Enrich IP, Domain, FQDN, URL, or Hash with Recorded Future context: Risk Score, Risk Details, AI Insights, Links, Threat Actor, Attack Vector, Malware Category / Family, and Related Entities (IPs, Domains, and Hashes)",
    "baseConfig": "RecordedFuture",
    "configurationItems": [
      {
        "name": "key",
        "description": "API Token",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "service_homepage": "https://www.recordedfuture.com/",
    "service_logo": {
      "path": "assets/recordedfuture-logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/recordedfuture:2"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "articles"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: OSINT articles that reference an indicator.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Articles",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_articles:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "artifacts"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: Illuminate / PassiveTotal project artifacts that match an indicator.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Artifacts",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_artifacts:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "certificates"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: SSL/TLS certificates associated with an indicator.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Certificates",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_certificates:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "components"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: web components observed during crawls on a hostname.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Components",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_components:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "cookies"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: cookies observed during crawls on a hostname.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Cookies",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_cookies:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "hostpair_children"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: hosts with a child web component relationship to an IOC.",
    "license": "AGPL-V3",
    "name": "RiskIQ_HostpairChildren",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_hostpairchildren:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "hostpair_parents"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: hosts with a parent web component relationship to an IOC.",
    "license": "AGPL-V3",
    "name": "RiskIQ_HostpairParents",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_hostpairparents:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "malware"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: malware hashes from various sources associated with an IOC.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Malware",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_malware:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "projects"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: Illuminate / PassiveTotal projects that contain an artifact which matches an IOC.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Projects",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_projects:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "reputation"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ Illuminate Reputation Score for an indicator.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Reputation",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_reputation:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "resolutions"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: PDNS resolutions for an IOC.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Resolutions",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_resolutions:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "services"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "ip"
    ],
    "description": "RiskIQ: services observed on an IP address.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Services",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_services:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "subdomains"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "fqdn",
      "domain"
    ],
    "description": "RiskIQ: subdomains observed historically in pDNS records.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Subdomains",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_subdomains:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "summary"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ Illuminate and PassiveTotal datasets with records for an indicator.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Summary",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_summary:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "trackers"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ: trackers observed during a crawl on a host.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Trackers",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_trackers:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "auto_extract": true,
      "property": "whois"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": 180,
        "description": "Number of days back to search for date-bounded historical queries",
        "multi": false,
        "name": "days_back",
        "required": false,
        "type": "number"
      }
    ],
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip"
    ],
    "description": "RiskIQ Whois lookup for an indicator.",
    "license": "AGPL-V3",
    "name": "RiskIQ_Whois",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_whois:1"
  },
  {
    "name": "Robtex_Forward_PDNS_Query",
    "version": "1.0",
    "author": "Nils Kuhnert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Check domains and FQDNs using the Robtex passive DNS API.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "Robtex",
    "config": {
      "service": "fpdnsquery"
    },
    "dockerImage": "ghcr.io/thehive-project/robtex_forward_pdns_query:1"
  },
  {
    "name": "Robtex_IP_Query",
    "version": "1.0",
    "author": "Nils Kuhnert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Check IPs using the Robtex IP API.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "Robtex",
    "config": {
      "service": "ipquery"
    },
    "dockerImage": "ghcr.io/thehive-project/robtex_ip_query:1"
  },
  {
    "name": "Robtex_Reverse_PDNS_Query",
    "version": "1.0",
    "author": "Nils Kuhnert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Check IPs using the Robtex reverse passive DNS API.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "Robtex",
    "config": {
      "service": "rpdnsquery"
    },
    "dockerImage": "ghcr.io/thehive-project/robtex_reverse_pdns_query:1"
  },
  {
    "name": "SEKOIAIntelligenceCenter_Context",
    "version": "1.0",
    "author": "SEKOIA",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the Intelligence Center to retrieve the context of an observable",
    "dataTypeList": [
      "domain",
      "fqdn",
      "url",
      "hash",
      "ip"
    ],
    "baseConfig": "SEKOIAIntelligenceCenter",
    "config": {
      "service": "context"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "Base URL (default to https://app.sekoia.io)",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://sekoia.io/",
    "service_logo": {
      "path": "assets/sekoia_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/SEKOIAIntelligenceCenter_Context_long.png",
        "caption": "SEKOIAIntelligenceCenter_Context long report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sekoiaintelligencecenter_context:1"
  },
  {
    "name": "SEKOIAIntelligenceCenter_Indicators",
    "version": "1.0",
    "author": "SEKOIA",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the Intelligence Center to retrieve indicators",
    "dataTypeList": [
      "domain",
      "fqdn",
      "url",
      "hash",
      "ip"
    ],
    "baseConfig": "SEKOIAIntelligenceCenter",
    "config": {
      "service": "indicators"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "Base URL (default to https://app.sekoia.io)",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://sekoia.io/",
    "service_logo": {
      "path": "assets/sekoia_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/SEKOIAIntelligenceCenter_Indicators_long.png",
        "caption": "SEKOIAIntelligenceCenter_Indicators long report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sekoiaintelligencecenter_indicators:1"
  },
  {
    "name": "SEKOIAIntelligenceCenter_Observables",
    "version": "1.0",
    "author": "SEKOIA",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the Intelligence Center to retrieve known observables",
    "dataTypeList": [
      "domain",
      "fqdn",
      "url",
      "hash",
      "ip"
    ],
    "baseConfig": "SEKOIAIntelligenceCenter",
    "config": {
      "service": "observables"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "url",
        "description": "Base URL (default to https://app.sekoia.io)",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://sekoia.io/",
    "service_logo": {
      "path": "assets/sekoia_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/SEKOIAIntelligenceCenter_Context_long.png",
        "caption": "SEKOIAIntelligenceCenter_Context long report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sekoiaintelligencecenter_observables:1"
  },
  {
    "name": "SecurityTrails_Passive_DNS",
    "version": "1.0",
    "author": "Manabu Niseki, @ninoseki",
    "url": "https://github.com/ninoseki/cortex-securitytrails",
    "license": "MIT",
    "description": "SecurityTrails Passive DNS Lookup.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "SecurityTrails",
    "config": {
      "service": "passive_dns"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/securitytrails_passive_dns:1"
  },
  {
    "name": "SecurityTrails_Whois",
    "version": "1.0",
    "author": "Manabu Niseki, @ninoseki",
    "url": "https://github.com/ninoseki/cortex-securitytrails",
    "license": "MIT",
    "description": "SecurityTrails Whois Lookup.",
    "dataTypeList": [
      "domain"
    ],
    "baseConfig": "SecurityTrails",
    "config": {
      "service": "whois"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Define the API key to use to connect the service",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/securitytrails_whois:1"
  },
  {
    "name": "SentinelOne_DeepVisibility_DNSQuery",
    "version": "1.0",
    "author": "Joe Vasquez",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query Sentinel One Deep Visibility API v2.1 for hosts that have requested DNS lookups for a domain/URL/FQDN.",
    "dataTypeList": [
      "url",
      "domain",
      "fqdn"
    ],
    "baseConfig": "SentinelOne",
    "config": {
      "service": "dns-lookups"
    },
    "configurationItems": [
      {
        "name": "s1_console_url",
        "description": "Console URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "s1_api_key",
        "description": "API Key, don't forget this will expire!",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "s1_account_id",
        "description": "Account ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "hours_ago",
        "description": "Number of hours ago for the fromDate of the query.  ToDate will be now. Default is 12.",
        "type": "number",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sentinelone_deepvisibility_dnsquery:1"
  },
  {
    "name": "Shodan_DNSResolve",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
    "license": "AGPL-V3",
    "description": "Retrieve domain resolutions on Shodan.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "Shodan",
    "config": {
      "service": "dns_resolve"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shodan_dnsresolve:1"
  },
  {
    "name": "Shodan_Host",
    "version": "1.0",
    "author": "Sebastien Larinier @Sebdraven",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
    "license": "AGPL-V3",
    "description": "Retrieve key Shodan information on an IP address.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "Shodan",
    "config": {
      "service": "host"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shodan_host:1"
  },
  {
    "name": "Shodan_Host_History",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
    "license": "AGPL-V3",
    "description": "Retrieve Shodan history scan results  for an IP address.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "Shodan",
    "config": {
      "service": "host_history"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shodan_host_history:1"
  },
  {
    "name": "Shodan_InfoDomain",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
    "license": "AGPL-V3",
    "description": "Retrieve key Shodan information on a domain.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "Shodan",
    "config": {
      "service": "info_domain"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shodan_infodomain:1"
  },
  {
    "name": "Shodan_ReverseDNS",
    "version": "1.0",
    "author": "ANSSI",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
    "license": "AGPL-V3",
    "description": "Retrieve ip reverse DNS resolutions on Shodan.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "Shodan",
    "config": {
      "service": "reverse_dns"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shodan_reversedns:1"
  },
  {
    "name": "Shodan_Search",
    "version": "2.0",
    "author": "Sebastien Larinier @Sebdraven",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
    "license": "AGPL-V3",
    "description": "Search query on Shodan",
    "dataTypeList": [
      "other"
    ],
    "baseConfig": "Shodan",
    "config": {
      "service": "search"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shodan_search:2"
  },
  {
    "name": "SinkDB",
    "author": "Mark Kikta, RedLegg Cybersecurity Solutions",
    "license": "AGPL-V3",
    "url": "https://github.com/RedLegg/sinkdb-analyzer",
    "version": "1.1",
    "description": "Check if ip is sinkholed via the new sinkdb.abuse.ch HTTPS API. Original analyzer can be found at https://github.com/BSI-CERT-Bund/sinkdb-analyzer",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn",
      "mail"
    ],
    "baseConfig": "SinkDB",
    "configurationItems": [
      {
        "name": "key",
        "description": "Define the HTTPS API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sinkdb:1"
  },
  {
    "name": "SoltraEdge",
    "version": "1.0",
    "author": "Michael Stensrud, Nordic Financial CERT",
    "url": "http://soltra.com/en/",
    "license": "AGPL-V3",
    "description": "Query against Soltra Edge.",
    "dataTypeList": [
      "domain",
      "ip",
      "url",
      "fqdn",
      "uri_path",
      "user-agent",
      "hash",
      "mail",
      "mail_subject",
      "registry",
      "regexp",
      "other",
      "filename",
      "mail-subject"
    ],
    "baseConfig": "Soltra_Edge",
    "config": {
      "check_tlp": true,
      "service": "search"
    },
    "configurationItems": [
      {
        "name": "token",
        "description": "Define the Token Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "Define the Username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "base_url",
        "description": "Base API URL for Soltra Edge Server. (Example: https://test.soltra.com/api/stix)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://feed.yourdomain./api/stix"
      },
      {
        "name": "verify_ssl",
        "description": "Verify server certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/soltraedge:1"
  },
  {
    "name": "SophosIntelix_GetReport",
    "version": "0.3",
    "author": "SOL",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Fast and easy way to find out if the file is known Good, PUA (Potentially Unwanted Application), or, Malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx",
    "dataTypeList": [
      "hash",
      "domain",
      "fqdn",
      "url"
    ],
    "baseConfig": "SophosIntelix",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "clientID",
        "description": "Client ID for Sophos Labs Intelix",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "clientSecret",
        "description": "Client Secret for Sophos Labs Intelix",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sophosintelix_getreport:0"
  },
  {
    "name": "SophosIntelix_Submit_Dynamic",
    "version": "0.1",
    "author": "SOL",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Detonate your suspicious file in SophosLabs Sandbox and find what behaviours the file has. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "SophosIntelix",
    "config": {
      "service": "submit_dynamic"
    },
    "configurationItems": [
      {
        "name": "clientID",
        "description": "Client ID for Sophos Labs Intelix",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "clientSecret",
        "description": "Client Secret for Sophos Labs Intelix",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define the time interval between two request attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sophosintelix_submit_dynamic:0"
  },
  {
    "name": "SophosIntelix_Submit_Static",
    "version": "0.1",
    "author": "SOL",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use SophosLabs machine learning to understand the characteristics of your suspicious file allowing you to see if the file is similar to known malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "SophosIntelix",
    "config": {
      "service": "submit_static"
    },
    "configurationItems": [
      {
        "name": "clientID",
        "description": "Client ID for Sophos Labs Intelix",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "clientSecret",
        "description": "Client Secret for Sophos Labs Intelix",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define the time interval between two request attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sophosintelix_submit_static:0"
  },
  {
    "name": "SpamAssassin",
    "author": "Davide Arcuri - LDO-CERT",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Get spam score from local SpamAssassin instance",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "SpamAssassin",
    "configurationItems": [
      {
        "name": "url",
        "description": "SpamAssassin url",
        "multi": false,
        "required": true,
        "type": "string"
      },
      {
        "name": "port",
        "description": "SpamAssassin port",
        "type": "number",
        "defaultValue": 783,
        "multi": false,
        "required": true
      },
      {
        "name": "spam_score",
        "description": "Minimum score to consider mail as spam",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 5
      },
      {
        "name": "timeout",
        "description": "Timeout for socket operations in seconds",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 20
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://spamassassin.apache.org/",
    "service_logo": {
      "path": "assets/SpamAssassin_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/SpamAssassin_long.png",
        "caption": "SpamAssassin long report sample"
      },
      {
        "path": "assets/SpamAssassin_short.png",
        "caption": "SpamAssassin mini report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/spamassassin:1"
  },
  {
    "name": "SpamhausDBL",
    "version": "1.0",
    "author": "Wes Lambert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Perform domain lookup to Spamhaus DBL",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "SpamhausDBL",
    "config": {
      "service": "DBLLookup"
    },
    "configurationItems": [],
    "dockerImage": "ghcr.io/thehive-project/spamhausdbl:1"
  },
  {
    "name": "Splunk_Search_Domain_FQDN",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a domain or a FQDN as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_Domain_FQDN"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_domain_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_Domain_FQDN_long.png",
        "caption": "Splunk_Search_Domain_FQDN long report sample"
      },
      {
        "path": "assets/Splunk_Search_Domain_FQDN_short.png",
        "caption": "Splunk_Search_Domain_FQDN short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_domain_fqdn:3"
  },
  {
    "name": "Splunk_Search_File_Filename",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "file",
      "filename"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a file/filename as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_File_Filename"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_file_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_File_Filename_long.png",
        "caption": "Splunk_Search_File_Filename long report sample"
      },
      {
        "path": "assets/Splunk_Search_File_Filename_short.png",
        "caption": "Splunk_Search_File_Filename short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_file_filename:3"
  },
  {
    "name": "Splunk_Search_Hash",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "hash"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a hash as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_Hash"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_hash_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_Hash_long.png",
        "caption": "Splunk_Search_Hash long report sample"
      },
      {
        "path": "assets/Splunk_Search_Hash_short.png",
        "caption": "Splunk_Search_Hash short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_hash:3"
  },
  {
    "name": "Splunk_Search_IP",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "ip"
    ],
    "description": "Execute a savedsearch on a Splunk instance with an IP as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_IP"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_ip_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_IP_long.png",
        "caption": "Splunk_Search_IP long report sample"
      },
      {
        "path": "assets/Splunk_Search_IP_short.png",
        "caption": "Splunk_Search_IP short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_ip:3"
  },
  {
    "name": "Splunk_Search_Mail_Email",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "mail",
      "email"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a mail/email as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_Mail_Email"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_mail_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_Mail_Email_long.png",
        "caption": "Splunk_Search_Mail_Email long report sample"
      },
      {
        "path": "assets/Splunk_Search_Mail_Email_short.png",
        "caption": "Splunk_Search_Mail_Email short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_mail_email:3"
  },
  {
    "name": "Splunk_Search_Mail_Subject",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "mail_subject",
      "mail-subject"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a mail subject as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_Mail_Subject"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_mail_subject_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_Mail_Subject_long.png",
        "caption": "Splunk_Search_Mail_Subject long report sample"
      },
      {
        "path": "assets/Splunk_Search_Mail_Subject_short.png",
        "caption": "Splunk_Search_Mail_Subject short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_mail_subject:3"
  },
  {
    "name": "Splunk_Search_Other",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "other"
    ],
    "description": "Execute a savedsearch on a Splunk instance with unidentified data as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_Other"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_other_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_Other_long.png",
        "caption": "Splunk_Search_Other long report sample"
      },
      {
        "path": "assets/Splunk_Search_Other_short.png",
        "caption": "Splunk_Search_Other short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_other:3"
  },
  {
    "name": "Splunk_Search_Registry",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "registry"
    ],
    "description": "Execute a savedsearch on a Splunk instance with registry data as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_Registry"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_registry_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_Registry_long.png",
        "caption": "Splunk_Search_Registry long report sample"
      },
      {
        "path": "assets/Splunk_Search_Registry_short.png",
        "caption": "Splunk_Search_Registry short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_registry:3"
  },
  {
    "name": "Splunk_Search_URL_URI_Path",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "url",
      "uri_path"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a URL or a URI path as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_URL_URI_Path"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_url_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_URL_URI_Path_long.png",
        "caption": "Splunk_Search_URL_URI_Path long report sample"
      },
      {
        "path": "assets/Splunk_Search_URL_URI_Path_short.png",
        "caption": "Splunk_Search_URL_URI_Path short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_url_uri_path:3"
  },
  {
    "name": "Splunk_Search_User",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "other"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a user ID as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_User"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_user_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_User_long.png",
        "caption": "Splunk_Search_User long report sample"
      },
      {
        "path": "assets/Splunk_Search_User_short.png",
        "caption": "Splunk_Search_User short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_user:3"
  },
  {
    "name": "Splunk_Search_User_Agent",
    "version": "3.0",
    "url": "https://www.splunk.com",
    "author": "Unit777, LetMeR00t",
    "license": "AGPL-V3",
    "dataTypeList": [
      "user-agent"
    ],
    "description": "Execute a savedsearch on a Splunk instance with a user agent as argument",
    "baseConfig": "Splunk",
    "config": {
      "check_tlp": false,
      "max_tlp": 4,
      "service": "Search_User_Agent"
    },
    "configurationItems": [
      {
        "name": "host",
        "description": "Splunk API host or IP",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port",
        "description": "Splunk API port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "port_gui",
        "description": "Splunk GUI port",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "User account used for searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "User password of the previously mentioned account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "application",
        "description": "Splunk application in which the saved searches are stored",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "owner",
        "description": "Username that corresponds to the owner of the saved searches",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "saved_searches",
        "description": "Name of the saved searches to use",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "earliest_time",
        "description": "If not empty, this will set the earliest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "latest_time",
        "description": "If not empty, this will set the latest time of the searches",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "max_count",
        "description": "Maximum number of results to return for a search",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1000
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_logo": {
      "path": "assets/splunk_user_agent_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Splunk_Search_User_Agent_long.png",
        "caption": "Splunk_Search_User_Agent long report sample"
      },
      {
        "path": "assets/Splunk_Search_User_Agent_short.png",
        "caption": "Splunk_Search_User_Agent short report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/splunk_search_user_agent:3"
  },
  {
    "name": "StamusNetworks_HostID",
    "version": "1.0",
    "author": "Stamus Networks",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get information from your Scirius Security Platform for an IP address.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "StamusNetworks",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "url",
        "description": "Base URL of Scirius Security Platform",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "API key for Scirius Security Platform",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "ssl_verify",
        "description": "Verify TLS certificate when connecting to Scirius Security Platform",
        "type": "boolean",
        "multi": false,
        "required": true
      },
      {
        "name": "tenant",
        "description": "Tenant value for organization in Scirius Security Platform",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/stamusnetworks_hostid:1"
  },
  {
    "name": "StaxxSearch",
    "author": "Robert Nixon",
    "license": "AGPL-V3",
    "url": "https://github.com/robertnixon2003/Cortex-Analyzers",
    "version": "1.0",
    "description": "Fetch observable details from an Anomali STAXX instance.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip",
      "url",
      "hash",
      "mail"
    ],
    "baseConfig": "staxx",
    "configurationItems": [
      {
        "name": "auth_url",
        "description": "Define the URL of the auth endpoint",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "query_url",
        "description": "Define the URL of the intelligence endpoint",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "STAXX User Name",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "STAXX Password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "cert_check",
        "description": "Verify server certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      },
      {
        "name": "cert_path",
        "description": "Path to the CA on the system used to check the server certificate",
        "type": "string",
        "multi": true,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/staxxsearch:1"
  },
  {
    "name": "StopForumSpam",
    "author": "Marc-Andre Doll, STARC by EXAPROBE",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "baseConfig": "StopForumSpam",
    "config": {
      "check_tlp": true,
      "max_tlp": 2
    },
    "configurationItems": [
      {
        "name": "suspicious_confidence_level",
        "description": "Confidence threshold above which the artifact should be marked as suspicious",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 0.0
      },
      {
        "name": "malicious_confidence_level",
        "description": "Confidence threshold above which the artifact should be marked as malicious",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 90.0
      }
    ],
    "description": "Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.",
    "dataTypeList": [
      "ip",
      "mail"
    ],
    "dockerImage": "ghcr.io/thehive-project/stopforumspam:1"
  },
  {
    "name": "TeamCymruMHR",
    "version": "1.0",
    "author": "Wes Lambert; Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Submit hash to Team Cymru's Malware Hash Registry",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "TeamCymruMHR",
    "config": {
      "service": "HashLookup"
    },
    "configurationItems": [],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "serviceHomepage": "https://hash.cymru.com",
    "dockerImage": "ghcr.io/thehive-project/teamcymrumhr:1"
  },
  {
    "name": "TestAnalyzer",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Just a simple test analyzer! No real-world use-case covered by this one, for testing, reference, dev and any other purpose only!",
    "dataTypeList": [
      "ip",
      "domain",
      "url",
      "fqdn",
      "mail",
      "hash",
      "filename",
      "uri_path",
      "user-agent",
      "mail-subject"
    ],
    "baseConfig": "TestAnalyzer",
    "config": {
      "service": "testing"
    },
    "configurationItems": [
      {
        "name": "some_string",
        "description": "placeholder string",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "some string.."
      },
      {
        "name": "some_list",
        "description": "placeholder list",
        "type": "string",
        "multi": true,
        "required": false,
        "defaultValue": [
          "item1",
          "item2",
          "item3"
        ]
      },
      {
        "name": "some_number",
        "description": "placeholder number",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 1
      },
      {
        "name": "throw_error",
        "description": "throw an error!",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "serviceHomepage": "None",
    "dockerImage": "ghcr.io/thehive-project/testanalyzer:1"
  },
  {
    "name": "ThreatGrid",
    "license": "MIT",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "version": "1.0",
    "description": "Threat Grid Sandbox",
    "dataTypeList": [
      "file",
      "url",
      "hash"
    ],
    "baseConfig": "ThreatGrid",
    "configurationItems": [
      {
        "name": "tg_host",
        "description": "Threat Grid Host",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "Threat Grid API Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/threatgrid:1"
  },
  {
    "name": "ThreatMiner",
    "version": "1.0",
    "author": "Peter Juhas",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "WHOIS queries from threatminer.org",
    "dataTypeList": [
      "ip",
      "domain"
    ],
    "baseConfig": "ThreatMiner",
    "dockerImage": "ghcr.io/thehive-project/threatminer:1"
  },
  {
    "name": "ThreatResponse",
    "license": "MIT",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "version": "1.0",
    "description": "Threat Response",
    "dataTypeList": [
      "domain",
      "filename",
      "fqdn",
      "hash",
      "ip",
      "url"
    ],
    "baseConfig": "ThreatResponse",
    "configurationItems": [
      {
        "name": "region",
        "description": "Threat Response Region (us, eu, or apjc). Will default to 'us' region if left blank",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": ""
      },
      {
        "name": "client_id",
        "description": "Threat Response Client ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_password",
        "description": "Threat Response API Client Password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "extract_amp_targets",
        "description": "Would you like to extract AMP connector GUIDs as artifacts?",
        "type": "boolean",
        "required": false,
        "defaultValue": false,
        "multi": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/threatresponse:1"
  },
  {
    "name": "THOR_Thunderstorm_ScanSample",
    "version": "0.3.1",
    "author": "Florian Roth",
    "url": "https://github.com/NextronSystems/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Submits sample to an on-premise THOR Thunderstorm web service and processes the scan result",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "Thunderstorm",
    "configurationItems": [
      {
        "name": "thunderstorm_server",
        "description": "Thunderstorm Server",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "thunderstorm.nextron-systems.com"
      },
      {
        "name": "thunderstorm_port",
        "description": "Thunderstorm Port",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 8080
      },
      {
        "name": "thunderstorm_source",
        "description": "Source System",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "cortex-analyzer"
      },
      {
        "name": "thunderstorm_ssl",
        "description": "Use an SSL encrypted HTTP connection",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "thunderstorm_ssl_verify",
        "description": "Verify the SSL certificate of the remote service",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.nextron-systems.com/thor-thunderstorm/",
    "service_logo": {
      "path": "assets/thor_thunderstorm_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/THOR_Thunderstorm_ScanSample_long.png",
        "caption": "THOR Thunderstorm long report sample"
      },
      {
        "path": "assets/THOR_Thunderstorm_ScanSample_short.png",
        "caption:": "THOR Thunderstorm short report sample"
      },
      {
        "path": "assets/THOR_Thunderstorm_ScanSample_raw.png",
        "caption": "THOR Thunderstorm raw JSON"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/thor_thunderstorm_scansample:0"
  },
  {
    "name": "TorBlutmagie",
    "author": "Marc-André DOLL, STARC by EXAPROBE",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Query https://torstatus.rueckgr.at/query_export.php/Tor_query_EXPORT.csv (formerly TorBlutmagie) for TOR exit nodes IP addresses or names.",
    "dataTypeList": [
      "ip",
      "domain",
      "fqdn"
    ],
    "baseConfig": "TorBlutmagie",
    "configurationItems": [
      {
        "name": "cache.duration",
        "description": "Define the cache duration",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 3600
      },
      {
        "name": "cache.root",
        "description": "Define the path to the stored data",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://torstatus.rueckgr.at",
    "dockerImage": "ghcr.io/thehive-project/torblutmagie:1"
  },
  {
    "name": "TorProject",
    "author": "Marc-André DOLL, STARC by EXAPROBE",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "description": "Query https://check.torproject.org/exit-addresses for TOR exit nodes IP addresses.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "TorProject",
    "configurationItems": [
      {
        "name": "ttl",
        "description": "Define the TTL",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 86400
      },
      {
        "name": "cache.duration",
        "description": "Define the cache duration",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 3600
      },
      {
        "name": "cache.root",
        "description": "Define the path to the stored data",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/torproject:1"
  },
  {
    "name": "Triage",
    "author": "Mikael Keri",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "2.0",
    "description": "Submit artifacts to the Recorded Future Triage sandbox service. This analyzer requires a paid subscription for the Private and Recorded Future sandboxes.",
    "dataTypeList": [
      "ip",
      "url",
      "file"
    ],
    "baseConfig": "Triage",
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "check_pap": true,
      "max_pap": 2
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_url",
        "description": "Sandbox API URL: public sandbox (https://tria.ge/api), private sandbox (https://private.tria.ge/api), or Recorded Future sandbox (https://sandbox.recordedfuture.com/api)",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "timeout",
        "description": "Sandbox run timeout in seconds (default: 200)",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "zip_pw",
        "description": "Zip archive password",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://tria.ge",
    "service_logo": {
      "path": "assets/recorded_future_triage_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/triage_cortex_settings.png",
        "caption": "Triage analyzer cortex setting"
      },
      {
        "path": "assets/triage_long_report.png",
        "caption:": "Triage analyzer full report"
      },
      {
        "path": "assets/triage_verdict.png",
        "caption:": "Triage analyzer verdict"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/triage:2"
  },
  {
    "name": "URLhaus",
    "author": "ninoseki, Nils Kuhnert",
    "license": "MIT",
    "url": "https://github.com/ninoseki/cortex_URLhaus_analyzer",
    "version": "2.0",
    "baseConfig": "URLhaus",
    "description": "Search domains, IPs, URLs or hashes on URLhaus.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "url",
      "hash",
      "ip"
    ],
    "configurationItems": [],
    "dockerImage": "ghcr.io/thehive-project/urlhaus:2"
  },
  {
    "name": "Umbrella_Report",
    "version": "1.0",
    "author": "Kyle Parrish",
    "url": "https://github.com/arnydo/thehive/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the Umbrella Reporting API for recent DNS queries and their status.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "Umbrella",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Api Key provided by Umbrella Admin Console.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_secret",
        "description": "Api Secret provided by Umbrella Admin Console.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "organization_id",
        "description": "Organization ID provided by Umbrella Admin Console.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "query_limit",
        "description": "Maximum number of results to return.",
        "type": "number",
        "multi": false,
        "required": false,
        "default": 20
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/umbrella_report:1"
  },
  {
    "name": "UnshortenLink",
    "version": "1.2",
    "author": "Remi Pointel, CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use UnshortenLink to reveal the real URL.",
    "dataTypeList": [
      "url"
    ],
    "baseConfig": "UnshortenLink",
    "dockerImage": "ghcr.io/thehive-project/unshortenlink:1"
  },
  {
    "name": "Urlscan.io_Scan",
    "author": "ninoseki, Kyle Parrish (@arnydo)",
    "license": "MIT",
    "url": "https://github.com/arnydo/Cortex-Analyzers",
    "version": "0.1.0",
    "description": "Scan URLs on urlscan.io",
    "dataTypeList": [
      "url",
      "domain",
      "fqdn"
    ],
    "baseConfig": "Urlscan.io",
    "config": {
      "service": "scan"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Urlscan.io",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/urlscan.io_scan:0"
  },
  {
    "name": "Urlscan.io_Search",
    "author": "ninoseki, Kyle Parrish (@arnydo)",
    "license": "MIT",
    "url": "https://github.com/arnydo/Cortex-Analyzers",
    "version": "0.1.1",
    "description": "Search IPs, domains, hashes or URLs on urlscan.io",
    "dataTypeList": [
      "ip",
      "domain",
      "hash",
      "fqdn",
      "url"
    ],
    "baseConfig": "Urlscan.io",
    "config": {
      "service": "get"
    },
    "dockerImage": "ghcr.io/thehive-project/urlscan.io_search:0"
  },
  {
    "name": "VMRay",
    "license": "AGPL-V3",
    "author": "Nils Kuhnert, CERT-Bund",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "4.1",
    "description": "VMRay Sandbox file and URL analysis.",
    "dataTypeList": [
      "hash",
      "file",
      "url"
    ],
    "baseConfig": "VMRay",
    "configurationItems": [
      {
        "name": "url",
        "description": "Define the URL of the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "certverify",
        "description": "Verify certificates",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "certpath",
        "description": "Path to certificate file, in case of self-signed etc.",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "verdict_only",
        "description": "If set to true, only the verdict (or the score for VMRay versions < 4.0) will be added as labels.",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "query_retry_wait",
        "description": "The number of seconds to wait before trying to fetch the results.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 10
      },
      {
        "name": "recursive_sample_limit",
        "description": "The maximum number of recursive samples which will be analyzed. 0 disables recursion.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 10
      },
      {
        "name": "reanalyze",
        "description": "If set to true, known samples will be re-analyzed on submission. This is enabled by default.",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "shareable",
        "description": "If set to true, the hash of the sample will be shared with VirusTotal if the TLP level is white or green.",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "archive_password",
        "description": "The password that will be used to extract archives.",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "malware"
      },
      {
        "name": "archive_compound_sample",
        "description": "If set to true, files inside archives are treated as a single, compound sample. Otherwise, each file is treated as its own sample.",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "max_jobs",
        "description": "Limits the number of jobs that can be created by jobrules for a submission.",
        "type": "number",
        "multi": false,
        "required": false
      },
      {
        "name": "enable_reputation",
        "description": "If set to true, reputation lookups will be performed for submitted samples and analysis artifacts (file hash and URL lookups) by the VMRay cloud reputation service and additional third party services. The user analyzer setting is used as default value for this parameter.",
        "type": "boolean",
        "multi": false,
        "required": false
      },
      {
        "name": "enable_whois",
        "description": "If set to true, domains seen during analyses are queried with an external WHOIS service. The user analyzer setting is used as default value for this parameter.",
        "type": "boolean",
        "multi": false,
        "required": false
      },
      {
        "name": "analyzer_mode",
        "description": "Specifies which types of analyzers will be used for analyzing this sample. Supported strings are 'reputation', 'reputation_static', 'reputation_static_dynamic', 'static_dynamic', and 'static'. The user analyzer setting is used as default value for this parameter.",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "known_malicious",
        "description": "If set to true, triage will be used to pre-filter known malicious samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter.",
        "type": "boolean",
        "multi": false,
        "required": false
      },
      {
        "name": "known_benign",
        "description": "If set to true, triage will be used to pre-filter known benign samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter.",
        "type": "boolean",
        "multi": false,
        "required": false
      },
      {
        "name": "tags",
        "description": "Tags to attach to the sample.",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "timeout",
        "description": "Analysis timeout in seconds.",
        "type": "number",
        "multi": false,
        "required": false
      },
      {
        "name": "net_scheme_name",
        "description": "Name of the network schema.",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/vmray:4"
  },
  {
    "name": "Valhalla_GetRuleMatches",
    "version": "0.3.1",
    "author": "Florian Roth",
    "url": "https://github.com/NextronSystems/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Gets matching YARA rules for a given sample SHA256 hash",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "Valhalla",
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Valhalla",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "1111111111111111111111111111111111111111111111111111111111111111"
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://valhalla.nextron-systems.com",
    "service_logo": {
      "path": "assets/Valhalla_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/Valhalla_GetMatches_short.png",
        "caption": "Valhalla Get Hashes short report sample"
      },
      {
        "path": "assets/Valhalla_GetMatches_long.png",
        "caption:": "Valhalla Get Hashes long report sample"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/valhalla_getrulematches:0"
  },
  {
    "name": "ValidateObservable",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use regexes and libraries to indicate if observable is valid",
    "dataTypeList": [
      "ip",
      "domain",
      "url",
      "fqdn",
      "mail",
      "hash",
      "filename",
      "uri_path",
      "user-agent"
    ],
    "baseConfig": "ValidateObservable",
    "config": {
      "service": "validateObservable"
    },
    "configurationItems": [],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "dockerImage": "ghcr.io/thehive-project/validateobservable:1"
  },
  {
    "name": "Verifalia",
    "version": "1.0",
    "author": "Peter Juhas",
    "url": "https://github.com/pjuhas/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Analyze e-mail address via Verifalia",
    "dataTypeList": [
      "mail"
    ],
    "baseConfig": "Verifalia",
    "configurationItems": [
      {
        "name": "login",
        "description": "Username for Verifalia",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Password for Verifalia",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/verifalia:1"
  },
  {
    "name": "VirusTotal_DownloadSample",
    "version": "3.1",
    "author": "LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use VirusTotal to download the original file for an hash.",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "VirusTotal",
    "config": {
      "service": "download"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API private key for Virustotal",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "service_homepage": "https://www.virustotal.com/",
    "service_logo": {
      "path": "assets/virustotal-logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/virustotal_downloadsample:3"
  },
  {
    "name": "VirusTotal_GetReport",
    "version": "3.1",
    "author": "CERT-BDF, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.",
    "dataTypeList": [
      "file",
      "hash",
      "domain",
      "fqdn",
      "ip",
      "url"
    ],
    "baseConfig": "VirusTotal",
    "config": {
      "service": "get"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Virustotal",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      },
      {
        "name": "rescan_hash_older_than_days",
        "description": "Rescan hash observable if report is older than selected days",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      },
      {
        "name": "highlighted_antivirus",
        "description": "Add taxonomy if selected AV don't recognize observable",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "download_sample",
        "description": "Download automatically sample as observable when looking for hash",
        "type": "boolean",
        "multi": false,
        "required": false
      },
      {
        "name": "download_sample_if_highlighted",
        "description": "Download automatically sample as observable if highlighted antivirus didn't recognize",
        "type": "boolean",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "service_homepage": "https://www.virustotal.com/",
    "service_logo": {
      "path": "assets/virustotal-logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/virustotal-scan.png",
        "caption": "VirusTotal: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/virustotal_getreport:3"
  },
  {
    "name": "VirusTotal_Rescan",
    "version": "3.1",
    "author": "CERT-LDO",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use VirusTotal to run new analysis on hash.",
    "dataTypeList": [
      "hash"
    ],
    "baseConfig": "VirusTotal",
    "config": {
      "service": "rescan"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Virustotal",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      },
      {
        "name": "highlighted_antivirus",
        "description": "Add taxonomy if selected AV don't recognize observable",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "download_sample",
        "description": "Download automatically sample as observable when looking for hash",
        "type": "boolean",
        "multi": false,
        "required": false
      },
      {
        "name": "download_sample_if_highlighted",
        "description": "Download automatically sample as observable if highlighted antivirus didn't recognize",
        "type": "boolean",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "service_homepage": "https://www.virustotal.com/",
    "service_logo": {
      "path": "assets/virustotal-logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/virustotal_rescan:3"
  },
  {
    "name": "VirusTotal_Scan",
    "version": "3.1",
    "author": "CERT-BDF, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use VirusTotal to scan a file or URL.",
    "dataTypeList": [
      "file",
      "url"
    ],
    "baseConfig": "VirusTotal",
    "config": {
      "service": "scan"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Virustotal",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "polling_interval",
        "description": "Define time interval between two requests attempts for the report",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      },
      {
        "name": "highlighted_antivirus",
        "description": "Add taxonomy if selected AV don't recognize observable",
        "type": "string",
        "multi": true,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "service_homepage": "https://www.virustotal.com/",
    "service_logo": {
      "path": "assets/virustotal-logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/virustotal_scan:3"
  },
  {
    "name": "Virusshare",
    "author": "Nils Kuhnert, CERT-Bund",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "2.0",
    "description": "Search for MD5 hashes in Virusshare.com hash list",
    "dataTypeList": [
      "hash",
      "file"
    ],
    "baseConfig": "Virusshare",
    "configurationItems": [
      {
        "name": "path",
        "description": "Define the path to the stored data",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "auto_extract": false
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://virusshare.com/",
    "service_logo": {
      "path": "assets/virusshare.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "VirusShare: long report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/virusshare:2"
  },
  {
    "name": "Vulners_CVE",
    "version": "1.0",
    "author": "Dmitry Uchakin, Vulners team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get information about CVE from powerful Vulners database.",
    "dataTypeList": [
      "cve"
    ],
    "baseConfig": "Vulners",
    "config": {
      "service": "vulnerability"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Vulners",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://vulners.com",
    "service_logo": {
      "path": "assets/vulners_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/theHive_add_cve",
        "caption": "Add new IOC type in theHive observables"
      },
      {
        "path": "assets/cve_long_template.gif",
        "caption": "Long template for CVE"
      },
      {
        "path": "assets/cve_short_template",
        "caption": "Short template for CVE"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/vulners_cve:1"
  },
  {
    "name": "Vulners_IOC",
    "version": "1.0",
    "author": "Dmitry Uchakin, Vulners team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get information from the RST Threat Feed, which integrated with Vulners, for a domain, url or an IP address.",
    "dataTypeList": [
      "url",
      "domain",
      "ip"
    ],
    "baseConfig": "Vulners",
    "config": {
      "service": "ioc"
    },
    "configurationItems": [
      {
        "name": "key",
        "description": "API key for Vulners",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": true,
    "service_homepage": "https://vulners.com",
    "service_logo": {
      "path": "assets/vulners_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/vulners_api.png",
        "caption": "Vulners API key for analyzer"
      },
      {
        "path": "assets/Cortex_settings.png",
        "caption": "Paste Vulners API key in Cortex settings"
      },
      {
        "path": "assets/ioc_long_template.png",
        "caption": "Long template for network IOCs (ip, url, domain)"
      },
      {
        "path": "assets/ioc_short_template.png",
        "caption": "Short template for network IOCs (ip, url, domain)"
      },
      {
        "path": "assets/assets/ioc_with_malware_family.png",
        "caption": "Full template with malware family"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/vulners_ioc:1"
  },
  {
    "name": "WOT_Lookup",
    "version": "2.0",
    "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Use Web of Trust to check a domain's reputation.",
    "dataTypeList": [
      "domain",
      "fqdn"
    ],
    "baseConfig": "WOT",
    "config": {
      "service": "query"
    },
    "configurationItems": [
      {
        "name": "user",
        "description": "Define the API user",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "key",
        "description": "Define the API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/wot_lookup:2"
  },
  {
    "name": "Yara",
    "author": "Nils Kuhnert, CERT-Bund; Fabien Bloume, StrangeBee",
    "license": "AGPL-V3",
    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
    "version": "3.0",
    "description": "Check files against YARA rules, either from local filesystem or from one or multiple GitHub repositories. NOTE: Performance & execution time may be much longer according to the number of rules checked.",
    "dataTypeList": [
      "file"
    ],
    "baseConfig": "Yara",
    "configurationItems": [
      {
        "name": "rules",
        "description": "Define the path rules folder",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "github_urls",
        "description": "GitHub URLs to get rules from. Expected format: https://github.com/owner/repo/tree/main or https://github.com/owner/repo/tree/main/subdir",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "github_token",
        "description": "GitHub Private Access Token",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "files_limit",
        "description": "Enforce a limit on the number of YARA files downloaded or tested against the file. Adjust with care as this may impact analysis time and resources on your Cortex instance.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 400
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/yara:3"
  },
  {
    "name": "Yeti",
    "author": "CERT-BDF",
    "license": "AGPL-V3",
    "url": "https://github.com/CERT/cortex-analyzers",
    "version": "1.0",
    "description": "Fetch observable details from a YETI instance.",
    "dataTypeList": [
      "domain",
      "fqdn",
      "ip",
      "url",
      "hash"
    ],
    "baseConfig": "Yeti",
    "configurationItems": [
      {
        "name": "url",
        "description": "Define the URL of the service",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "Define the api key of the service",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "verify_ssl",
        "description": "Verify SSL certificate",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/yeti:1"
  },
  {
    "name": "Zscaler",
    "author": "Simon Lavigne, Mikael Keri",
    "license": "AGPL-V3",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.3",
    "description": "Check Zscaler category for a domain, fqdn, IP address or FQDN. This analyzer requires a paid subscription to Zscaler ZIA",
    "dataTypeList": [
      "ip",
      "domain",
      "url",
      "fqdn"
    ],
    "baseConfig": "Zscaler",
    "config": {
      "check_tlp": true,
      "max_tlp": 2,
      "check_pap": true,
      "max_pap": 2
    },
    "configurationItems": [
      {
        "name": "username",
        "description": "Zscaler username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Zscaler password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "base_uri",
        "description": "The base URL of your Zscaler subscription. Example: https://zsapi.zscalertwo.net",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "malicious_categories",
        "description": "List of Zscaler categories to be considered as malicious",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "PHISHING",
          "MALWARE_SITE",
          "BOTNET",
          "SPYWARE_OR_ADWARE",
          "ADSPYWARE_SITES",
          "ADWARE_OR_SPYWARE",
          "CRYPTOMINING",
          "WEB_SPAM",
          "MALICIOUS_TLD"
        ]
      },
      {
        "name": "suspicious_categories",
        "description": "List of Zscaler categories to be considered as suspicious",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "SHAREWARE_DOWNLOAD",
          "REMOTE_ACCESS",
          "MISCELLANEOUS_OR_UNKNOWN",
          "NEWLY_REG_DOMAINS",
          "OTHER_ILLEGAL_OR_QUESTIONABLE",
          "COPYRIGHT_INFRINGEMENT",
          "GAMBLING",
          "COMPUTER_HACKING",
          "ANONYMIZER",
          "MISCELLANEOUS_OR_UNKNOWN",
          "DNS_OVER_HTTPS",
          "ENCR_WEB_CONTENT"
        ]
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.zscaler.com/",
    "service_logo": {
      "path": "assets/zscaler_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/zscaler_url_lookup_long.png",
        "caption": "Zscaler Lookup sample Information full report"
      },
      {
        "path": "assets/zscaler_url_lookup_short.png",
        "caption:": "Zscaler Lookup sample mini report"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/zscaler:1"
  }
]
