[
  {
    "name": "AMPforEndpoints_IsolationStart",
    "version": "1.0",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "license": "MIT",
    "description": "Start host isolation for an AMP for Endpoints connector",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "AMPforEndpoints",
    "config": {
      "service": "isolationstart"
    },
    "configurationItems": [
      {
        "name": "amp_cloud",
        "description": "FQDN of the AMP for Endpoints cloud to interact with",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "API Key for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "unlock_code",
        "description": "Custom unlock code used to stop isolation from the endpoint (Maximum 24 characters)",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ampforendpoints_isolationstart:1"
  },
  {
    "name": "AMPforEndpoints_IsolationStop",
    "version": "1.0",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "license": "MIT",
    "description": "Stop host isolation for an AMP for Endpoints connector",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "AMPforEndpoints",
    "config": {
      "service": "isolationstop"
    },
    "configurationItems": [
      {
        "name": "amp_cloud",
        "description": "FQDN of the AMP for Endpoints cloud to interact with",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "API Key for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ampforendpoints_isolationstop:1"
  },
  {
    "name": "AMPforEndpoints_MoveGUID",
    "version": "1.0",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "license": "MIT",
    "description": "Move an AMP for Endpoints connector GUID to a different Group",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "AMPforEndpoints",
    "config": {
      "service": "moveguid"
    },
    "configurationItems": [
      {
        "name": "amp_cloud",
        "description": "FQDN of the AMP for Endpoints cloud to interact with",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "API Key for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "group_guid",
        "description": "AMP for Endpoints Group GUID for the group connectors will be moved to",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ampforendpoints_moveguid:1"
  },
  {
    "name": "AMPforEndpoints_SCDAdd",
    "version": "1.0",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "license": "MIT",
    "description": "Add a SHA256 to an AMP for Endpoints Simple Custom Detection list",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "AMPforEndpoints",
    "config": {
      "service": "scdadd"
    },
    "configurationItems": [
      {
        "name": "amp_cloud",
        "description": "FQDN of the AMP for Endpoints cloud to interact with",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "API Key for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "scd_guid",
        "description": "AMP for Endpoints Simple Custom Detection GUID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ampforendpoints_scdadd:1"
  },
  {
    "name": "AMPforEndpoints_SCDRemove",
    "version": "1.0",
    "author": "Cisco Security",
    "url": "https://github.com/CiscoSecurity",
    "license": "MIT",
    "description": "Remove a SHA256 from an AMP for Endpoints Simple Custom Detection list",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "AMPforEndpoints",
    "config": {
      "service": "scdremove"
    },
    "configurationItems": [
      {
        "name": "amp_cloud",
        "description": "FQDN of the AMP for Endpoints cloud to interact with",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "API Key for AMP for Endpoints",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "scd_guid",
        "description": "AMP for Endpoints Simple Custom Detection GUID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/ampforendpoints_scdremove:1"
  },
  {
    "name": "AWSLambda_InvokeFunction",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Invokes the configured AWS Lambda function",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case_task",
      "thehive:case_task_log"
    ],
    "baseConfig": "AWSLambda",
    "configurationItems": [
      {
        "name": "aws_access_key_id",
        "description": "AWS Access Key ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "aws_secret_access_key",
        "description": "AWS Secret Access Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "aws_region",
        "description": "AWS Region",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "us-east-1"
      },
      {
        "name": "lambda_function_name",
        "description": "Name of the AWS Lambda function to invoke",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "invocation_type",
        "description": "Invocation type for the lambda function. Default is 'RequestResponse'. Change to 'Event' for asynchronous invocation.",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "RequestResponse"
      },
      {
        "name": "add_tag_to_case",
        "description": "Add a tag to case mentioning the AWS Lambda function that was invoked",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://aws.amazon.com/lambda/",
    "service_logo": {
      "path": "assets/awslambda.png",
      "caption": "AWS Lambda logo"
    },
    "dockerImage": "ghcr.io/thehive-project/awslambda_invokefunction:1"
  },
  {
    "name": "AWX_StartJob",
    "version": "1.0",
    "author": "Tim Muehlhausen",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Start a job on AWX",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "AWX",
    "configurationItems": [
      {
        "name": "url",
        "description": "The URL to your AWX instance, e.g. https://awx.intern.foo.de",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "The AWX user",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "The AWX user password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "cert_path",
        "description": "If you need a certificate to authenticate to your AWX, e.g. /etc/ssl/certs/foo.de.pem",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "workflow_id",
        "description": "The ID of the workflow to execute",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://www.ansible.com/awx/",
    "dockerImage": "ghcr.io/thehive-project/awx_startjob:1"
  },
  {
    "name": "Binalyze_AIR_Acquisition",
    "version": "1.0",
    "author": "Binalyze Integration Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Start an acquisition with Binalyze AIR.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "config": {
      "service": "air_acquire"
    },
    "service_logo": {
      "path": "assets/binalyze-logo.png",
      "caption": "logo"
    },
    "baseConfig": "BinalyzeAIR",
    "configurationItems": [
      {
        "name": "air_console_url",
        "description": "Console URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "air_api_key",
        "description": "API Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "endpoint_hostname",
        "description": "Endpoint Hostname",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "acquisition_name",
        "description": "Acquisition name should match with the AIR console.",
        "type": "string",
        "multi": false,
        "default": "quick",
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.binalyze.com/air",
    "dockerImage": "ghcr.io/thehive-project/binalyze_air_acquisition:1"
  },
  {
    "name": "Binalyze_AIR_Isolation",
    "version": "1.0",
    "author": "Binalyze Integration Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Isolate your endpoints with Binalyze AIR.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "config": {
      "service": "air_isolate"
    },
    "service_logo": {
      "path": "assets/binalyze-logo.png",
      "caption": "logo"
    },
    "baseConfig": "BinalyzeAIR",
    "configurationItems": [
      {
        "name": "air_console_url",
        "description": "Console URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "air_api_key",
        "description": "API Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "endpoint_hostname",
        "description": "Endpoint Hostname",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "isolation",
        "description": "Isolation operation",
        "type": "boolean",
        "multi": false,
        "default": "true",
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.binalyze.com/air",
    "dockerImage": "ghcr.io/thehive-project/binalyze_air_isolation:1"
  },
  {
    "name": "CheckPoint_Lock",
    "version": "1.0",
    "author": "@dadokkio LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Lock ip on CheckPoint Gaia",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CheckPoint",
    "config": {
      "service": "lock"
    },
    "configurationItems": [
      {
        "name": "server",
        "description": "Checkpoint API server",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "CheckPoint username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "CheckPoint password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "group_name",
        "description": "CheckPoint group name the IP will be added to/removed from",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "exclusions",
        "description": "ip/subnet that cannot be locked or unlocked",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "added_tag",
        "description": "Tag added to observable when adding to FW",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "removed_tag",
        "description": "Tag added to observable when removing from FW",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/checkpoint_lock:1"
  },
  {
    "name": "CheckPoint_Unlock",
    "version": "1.0",
    "author": "@dadokkio LDO-CERT",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Unlock ip on CheckPoint Gaia",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CheckPoint",
    "config": {
      "service": "unlock"
    },
    "configurationItems": [
      {
        "name": "server",
        "description": "Checkpoint API server",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "CheckPoint username",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "CheckPoint password",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "group_name",
        "description": "CheckPoint group name the IP will be added to/removed from",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "exclusions",
        "description": "ip/subnet that cannot be locked or unlocked",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "added_tag",
        "description": "Tag added to observable when adding to FW",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "removed_tag",
        "description": "Tag added to observable when removing from FW",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/checkpoint_unlock:1"
  },
  {
    "name": "Cloudflare_IP_Blocker",
    "version": "1.0",
    "author": "Nick Babkin @nickbabkin",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Block IP Address on Account level in Cloudflare",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CloudflareIPBlocker",
    "configurationItems": [
      {
        "name": "cloudflare_api_key",
        "description": "Cloudflare API Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "cloudflare_account_ids",
        "description": "Cloudflare Account IDs to block IP address in",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "cloudflare_action",
        "description": "Cloudflare Action: block, challenge, whitelist, js_challenge or managed_challenge",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.cloudflare.com",
    "dockerImage": "ghcr.io/thehive-project/cloudflare_ip_blocker:1"
  },
  {
    "name": "CrowdStrikeFalcon_AddIOC",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add IOC to IoC Management on Crowdstrike - supports domain, url, IPs & different kind of hashes",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "addIOC"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "severity",
        "description": "Severity linked to the IoC - informational, low, medium, high, critical",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "informational"
      },
      {
        "name": "action",
        "description": "Action policy to do - no_action, detect, allow, prevent. Prevent & Allow only works with hashes. In case of other types, prevent will default to detect.",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "prevent"
      },
      {
        "name": "expiration_days",
        "description": "Expiration date of the IoC -- None if not filled.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 0
      },
      {
        "name": "platform_list",
        "description": "List of Platforms",
        "type": "string",
        "multi": true,
        "required": true,
        "defaultValue": [
          "windows",
          "mac",
          "linux"
        ]
      },
      {
        "name": "host_groups_list",
        "description": "Applies Detection to all Hosts if left empty. Else, provide host group IDs",
        "type": "string",
        "multi": true,
        "defaultValue": [
          "all"
        ],
        "required": false
      },
      {
        "name": "retrodetect_flag",
        "description": "Flag to indicate whether to submit retrodetects.",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "tags_list",
        "description": "Tags added to IOC when TheHive pushes the IoC",
        "type": "string",
        "multi": true,
        "required": false,
        "defaultValue": []
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-1-ioc.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_addioc:1"
  },
  {
    "name": "CrowdStrikeFalcon_Sync",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Sync TheHive status back to CS Alerts or Incidents",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "sync"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      },
      {
        "name": "custom_field_name_alert_id",
        "description": "Custom field in TheHive containing the CSFalcon Alert ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "csfalcon-alert-id"
      },
      {
        "name": "custom_field_name_incident_id",
        "description": "Custom field in TheHive containing the CSFalcon Incident ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "csfalcon-incident-id"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_sync:1"
  },
  {
    "name": "CrowdStrikeFalcon_RemoveIOC",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Remove IOC from IoC Management on Crowdstrike",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "removeIOC"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-2-ioc.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_removeioc:1"
  },
  {
    "name": "CrowdStrikeFalcon_HostContainment",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "contain"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-hosts.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_hostcontainment:1"
  },
  {
    "name": "CrowdStrikeFalcon_hideHost",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "hide_host"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-hosts.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_hidehost:1"
  },
  {
    "name": "CrowdStrikeFalcon_LiftContainmentHost",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "This action lifts containment on the host, which returns its network communications to normal",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "lift_containment"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-hosts.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_liftcontainmenthost:1"
  },
  {
    "name": "CrowdStrikeFalcon_suppressDetections",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Suppress detections for the host.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "detection_suppress"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-hosts.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_suppressdetections:1"
  },
  {
    "name": "CrowdStrikeFalcon_unhideHost",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "This action will restore a host. Detection reporting will resume after the host is restored",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "unhide_host"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-hosts.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_unhidehost:1"
  },
  {
    "name": "CrowdStrikeFalcon_unsuppressDetections",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Allow detections for the host.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "CrowdstrikeFalcon",
    "config": {
      "service": "detection_unsuppress"
    },
    "configurationItems": [
      {
        "name": "client_id",
        "description": "Crowdstrike client ID key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "client_secret",
        "description": "Crowdstrike client secret key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "base_url",
        "description": "Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.crowdstrike.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.crowdstrike.com",
    "service_logo": {
      "path": "assets/crowdstrike.png",
      "caption": "Crowdstrike logo"
    },
    "screenshots": [
      {
        "path": "assets/responder-report-hosts.png",
        "caption": "Crowdstrike: responder report example"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrikefalcon_unsuppressdetections:1"
  },
  {
    "name": "DNS-RPZ",
    "version": "1.0",
    "author": "Michael Hornung; Expeditors International of Washington, Inc.",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add a dynamic DNS entry to a Response Policy Zone, blackholing or redirecting a FQDN.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "DNS-RPZ",
    "config": {
      "max_tlp": 3,
      "check_tlp": false,
      "max_pap": 3,
      "check_pap": true
    },
    "configurationItems": [
      {
        "name": "bind_server",
        "description": "IP or FQDN of RPZ master BIND server",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "127.0.0.1"
      },
      {
        "name": "tsig_keyname",
        "description": "Name of TSIG key to access BIND server",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "cortex."
      },
      {
        "name": "tsig_keyval",
        "description": "TSIG key value to access BIND server (the default is a placeholder; replace it with your own key)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "updateme"
      },
      {
        "name": "tsig_hashalg",
        "description": "TSIG hash algorithm to use",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "HMAC-SHA512"
      },
      {
        "name": "rpz_zonename",
        "description": "Fully qualified RPZ zone name (don't forget the trailing dot)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "rpz."
      },
      {
        "name": "remediation_ip",
        "description": "IP to resolve RPZ names to",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "127.0.0.1"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/dns-rpz:1"
  },
  {
    "name": "DomainToolsIris_AddRiskyDNSTag",
    "version": "1.0",
    "author": "DomainTools",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add Tag saying that the case contains a risky DNS.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "DomainToolsIris",
    "configurationItems": [
      {
        "name": "high_risk_threshold",
        "description": "Risk score threshold to be considered high risk.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 70
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintoolsiris_addriskydnstag:1"
  },
  {
    "name": "DomainToolsIris_CheckMaliciousTags",
    "version": "1.0",
    "author": "DomainTools",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add Tag saying that the observable and case have a malicious tag in their Iris Tags.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "DomainToolsIris",
    "configurationItems": [
      {
        "name": "monitored_iris_tags",
        "description": "Monitored Iris tags.",
        "type": "string",
        "multi": true,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/domaintoolsiris_checkmalicioustags:1"
  },
  {
    "name": "DuoBypassUserAccount",
    "version": "1.0",
    "author": "jahamilto",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Put User Account into Bypass mode in Duo Security via AdminAPI (The user will not be prompted for secondary authentication when logging in.)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Duo_Security_main",
    "configurationItems": [
      {
        "name": "API_hostname",
        "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Integration_Key",
        "description": "Integration Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Secret_Key",
        "description": "Secret Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/duobypassuseraccount:1"
  },
  {
    "name": "DuoLockUserAccount",
    "version": "1.0",
    "author": "Sven Kutzer / Gyorgy Acs, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Lock User Account in Duo Security via AdminAPI (The user will not be able to log in)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Duo_Security_main",
    "configurationItems": [
      {
        "name": "API_hostname",
        "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Integration_Key",
        "description": "Integration Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Secret_Key",
        "description": "Secret Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/duolockuseraccount:1"
  },
  {
    "name": "DuoUnlockUserAccount",
    "version": "1.0",
    "author": "Sven Kutzer / Gyorgy Acs, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Unlock User Account in Duo Security via AdminAPI (The user must complete secondary authentication)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Duo_Security_main",
    "configurationItems": [
      {
        "name": "API_hostname",
        "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Integration_Key",
        "description": "Integration Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Secret_Key",
        "description": "Secret Key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/duounlockuseraccount:1"
  },
  {
    "name": "EclecticIQ_Indicator_API",
    "version": "1.0",
    "author": "EclecticIQ",
    "url": "https://eclecticiq.com",
    "license": "MIT",
    "description": "Submit indicators to the EclecticIQ Intelligence Center API",
    "dataTypeList": [
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "EclecticIQIndicator",
    "configurationItems": [
      {
        "name": "eiq_host_url",
        "description": "EclecticIQ Intelligence Center host url",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "eiq_api_key",
        "description": "EclecticIQ Intelligence Center API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "group_name",
        "description": "EclecticIQ Intelligence Center Group Name",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "Testing Group"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/eclecticiq_indicator_api:1"
  },
  {
    "name": "Crowdstrike_Falcon_Custom_IOC_API",
    "version": "1.0",
    "author": "Michael",
    "url": "https://www.crowdstrike.com/blog/tech-center/import-iocs-crowdstrike-falcon-host-platform-via-api/",
    "license": "MIT",
    "description": "Submit observables to the Crowdstrike Falcon Custom IOC API",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact"
    ],
    "baseConfig": "FalconCustomIOC",
    "configurationItems": [
      {
        "name": "falconapi_url",
        "description": "Crowdstrike Falcon host url",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "falconapi_user",
        "description": "Crowdstrike Falcon query api user",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "falconapi_key",
        "description": "Crowdstrike Falcon query api key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrike_falcon_custom_ioc_api:1"
  },
  {
    "name": "Crowdstrike_Falcon_Custom_IOC",
    "version": "2.0",
    "author": "Nicolas Criton",
    "url": "https://www.crowdstrike.com/blog/tech-center/consume-ioc-and-threat-feeds/",
    "license": "AGPL-v3",
    "description": "Submit observables to the Crowdstrike Falcon Custom IOC API",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact"
    ],
    "baseConfig": "FalconCustomIOCv2",
    "configurationItems": [
      {
        "name": "falconapi_endpoint",
        "description": "CrowdStrike API endpoints: US-1 | US-2 | US-GOV-1 | EU-1",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "falconapi_clientid",
        "description": "Crowdstrike Falcon Client ID Oauth2 API client",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "falconapi_key",
        "description": "Crowdstrike Falcon Oauth2 API Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "domain_block_expiration_days",
        "description": "How many days should we block the domain IOCs sent? Default: 30",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      },
      {
        "name": "ip_block_expiration_days",
        "description": "How many days should we block the ip IOCs sent? Default: 30",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      },
      {
        "name": "hash_block_expiration_days",
        "description": "How many days should we block the hash IOCs sent? Default: 30",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      },
      {
        "name": "action_to_take",
        "description": "How should the IOCs be handled by Falcon? Choose between 'no_action' and 'detect'. no_action: save the indicator for future use, but take no action / detect: enable detections for the indicator at the selected severity (Default: detect)",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "detect"
      },
      {
        "name": "severity_level",
        "description": "Severity level when IOCs are ingested by Falcon CustomIOC: informational / low / medium / high / critical - Default: high",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "high"
      },
      {
        "name": "tag_added_to_cs",
        "description": "Tag added to the IOC in Falcon platform - Default: Cortex Incident - FalconCustomIOC",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "Cortex Incident - FalconCustomIOC"
      },
      {
        "name": "tag_added_to_thehive",
        "description": "Tag added to the IOC in TheHive platform - Default: Falcon:Custom IOC Uploaded",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "Falcon:Custom IOC Uploaded"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/crowdstrike_falcon_custom_ioc:2"
  },
  {
    "name": "Gmail_BlockDomain",
    "version": "1.0",
    "author": "David Strassegger, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "MIT",
    "description": "Move emails from a given domain to trash",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Gmail",
    "config": {
      "service": "blockdomain",
      "max_tlp": 2,
      "check_tlp": false,
      "max_pap": 2,
      "check_pap": true
    },
    "configurationItems": [
      {
        "name": "thehive_url",
        "description": "URL for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_api_key",
        "description": "API key for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_domain",
        "description": "Gsuite Domain",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_project_id",
        "description": "GCP Project ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key_id",
        "description": "Service account private key id",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key",
        "description": "Service Account private key (PEM Format)",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_email",
        "description": "Service Account E-Mail address",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_id",
        "description": "OAuth Client ID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/gmail_blockdomain:1"
  },
  {
    "name": "Gmail_BlockSender",
    "version": "1.0",
    "author": "David Strassegger, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "MIT",
    "description": "Move emails from a given sender to trash",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Gmail",
    "config": {
      "service": "blocksender",
      "max_tlp": 2,
      "check_tlp": false,
      "max_pap": 2,
      "check_pap": true
    },
    "configurationItems": [
      {
        "name": "thehive_url",
        "description": "URL for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_api_key",
        "description": "API key for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_domain",
        "description": "Gsuite Domain",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_project_id",
        "description": "GCP Project ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key_id",
        "description": "Service account private key id",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key",
        "description": "Service Account private key (PEM Format)",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_email",
        "description": "Service Account E-Mail address",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_id",
        "description": "OAuth Client ID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/gmail_blocksender:1"
  },
  {
    "name": "Gmail_DeleteMessage",
    "version": "1.0",
    "author": "David Strassegger, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "MIT",
    "description": "Move a given message into the trash folder",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Gmail",
    "config": {
      "service": "deletemessage",
      "max_tlp": 2,
      "check_tlp": false,
      "max_pap": 2,
      "check_pap": true
    },
    "configurationItems": [
      {
        "name": "thehive_url",
        "description": "URL for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_api_key",
        "description": "API key for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_domain",
        "description": "Gsuite Domain",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_project_id",
        "description": "GCP Project ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key_id",
        "description": "Service account private key id",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key",
        "description": "Service Account private key (PEM Format)",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_email",
        "description": "Service Account E-Mail address",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_id",
        "description": "OAuth Client ID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/gmail_deletemessage:1"
  },
  {
    "name": "Gmail_UnblockDomain",
    "version": "1.0",
    "author": "David Strassegger, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "MIT",
    "description": "Remove a message filter for a given domain",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Gmail",
    "config": {
      "service": "unblockdomain",
      "max_tlp": 2,
      "check_tlp": false,
      "max_pap": 2,
      "check_pap": true
    },
    "configurationItems": [
      {
        "name": "thehive_url",
        "description": "URL for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_api_key",
        "description": "API key for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_domain",
        "description": "Gsuite Domain",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_project_id",
        "description": "GCP Project ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key_id",
        "description": "Service account private key id",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key",
        "description": "Service Account private key (PEM Format)",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_email",
        "description": "Service Account E-Mail address",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_id",
        "description": "OAuth Client ID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/gmail_unblockdomain:1"
  },
  {
    "name": "Gmail_UnblockSender",
    "version": "1.0",
    "author": "David Strassegger, @oscd_initiative",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "MIT",
    "description": "Remove a message filter for a given sender",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Gmail",
    "config": {
      "service": "unblocksender",
      "max_tlp": 2,
      "check_tlp": false,
      "max_pap": 2,
      "check_pap": true
    },
    "configurationItems": [
      {
        "name": "thehive_url",
        "description": "URL for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_api_key",
        "description": "API key for TheHive instance",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_domain",
        "description": "Gsuite Domain",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_project_id",
        "description": "GCP Project ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key_id",
        "description": "Service account private key id",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_private_key",
        "description": "Service Account private key (PEM Format)",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_email",
        "description": "Service Account E-Mail address",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "gmail_client_id",
        "description": "OAuth Client ID",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/gmail_unblocksender:1"
  },
  {
    "name": "HarfangLab-DumpProcess",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Dump process memory",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "dumpProcess"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-dumpprocess:1"
  },
  {
    "name": "HarfangLab-GetArtifactAll",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get all artifacts",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactAll"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactall:1"
  },
  {
    "name": "HarfangLab-GetArtifactEvtx",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get Windows event logs artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactEvtx"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactevtx:1"
  },
  {
    "name": "HarfangLab-GetArtifactFilesystem",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get Linux filesystem artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactFilesystem"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactfilesystem:1"
  },
  {
    "name": "HarfangLab-GetArtifactHives",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get Hives artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactHives"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifacthives:1"
  },
  {
    "name": "HarfangLab-GetArtifactLogs",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get Linux logs artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactLogs"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactlogs:1"
  },
  {
    "name": "HarfangLab-GetArtifactMFT",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get MFT artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactMFT"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactmft:1"
  },
  {
    "name": "HarfangLab-GetArtifactPrefetch",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get prefetches artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactPrefetch"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactprefetch:1"
  },
  {
    "name": "HarfangLab-GetArtifactRamdump",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get RAM dump artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactRamdump"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactramdump:1"
  },
  {
    "name": "HarfangLab-GetArtifactUSN",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get USN logs artifact",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getArtifactUSN"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getartifactusn:1"
  },
  {
    "name": "HarfangLab-GetBinary",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get binary information and download link",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getBinary"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getbinary:1"
  },
  {
    "name": "HarfangLab-GetDrivers",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get drivers loaded on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getDrivers"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getdrivers:1"
  },
  {
    "name": "HarfangLab-GetNetworkShares",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get network shares on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getNetworkShares"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getnetworkshares:1"
  },
  {
    "name": "HarfangLab-GetPersistence",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get persistence items on a Linux host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getPersistence"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getpersistence:1"
  },
  {
    "name": "HarfangLab-GetPipes",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get pipes on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getPipes"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getpipes:1"
  },
  {
    "name": "HarfangLab-GetPrefetches",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get prefetches on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getPrefetches"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getprefetches:1"
  },
  {
    "name": "HarfangLab-GetProcesses",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get processes running on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getProcesses"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getprocesses:1"
  },
  {
    "name": "HarfangLab-GetRunKeys",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get RUN keys on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getRunKeys"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getrunkeys:1"
  },
  {
    "name": "HarfangLab-GetScheduledTasks",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get scheduled tasks on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getScheduledTasks"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getscheduledtasks:1"
  },
  {
    "name": "HarfangLab-GetServices",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get services on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getServices"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getservices:1"
  },
  {
    "name": "HarfangLab-GetSessions",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get sessions on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getSessions"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getsessions:1"
  },
  {
    "name": "HarfangLab-GetStartupFiles",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get startup files on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getStartupFiles"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getstartupfiles:1"
  },
  {
    "name": "HarfangLab-GetWMI",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Get WMI items on a host",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "getWMI"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-getwmi:1"
  },
  {
    "name": "HarfangLab-IsolateHost",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Isolate machine with HarfangLab EDR",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "isolateEndpoint"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-isolatehost:1"
  },
  {
    "name": "HarfangLab-KillProcess",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Kill a process",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "killProcess"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-killprocess:1"
  },
  {
    "name": "HarfangLab-SearchDestinationIP",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search a destination IP in HarfangLab EDR's telemetry",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "searchDestinationIP"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      },
      {
        "name": "limit",
        "description": "Maximum number of items to collect from telemetry searches",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": "100"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-searchdestinationip:1"
  },
  {
    "name": "HarfangLab_SearchDriverByFileName",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search a driver load in HarfangLab EDR's telemetry by filename",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "searchDriverByFileName"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      },
      {
        "name": "limit",
        "description": "Maximum number of items to collect from telemetry searches",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": "100"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab_searchdriverbyfilename:1"
  },
  {
    "name": "HarfangLab_SearchDriverByHash",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search a driver load in HarfangLab EDR's telemetry by hash",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "searchDriverByHash"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      },
      {
        "name": "limit",
        "description": "Maximum number of items to collect from telemetry searches",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": "100"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab_searchdriverbyhash:1"
  },
  {
    "name": "HarfangLab-SearchHash",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search a hash in HarfangLab EDR's telemetry",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "searchHash"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      },
      {
        "name": "limit",
        "description": "Maximum number of items to collect from telemetry searches",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": "100"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-searchhash:1"
  },
  {
    "name": "HarfangLab-SearchSourceIP",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Search a source IP in HarfangLab EDR's telemetry",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "searchSourceIP"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      },
      {
        "name": "limit",
        "description": "Maximum number of items to collect from telemetry searches",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": "100"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-searchsourceip:1"
  },
  {
    "name": "HarfangLab-UnisolateHost",
    "version": "1.0",
    "author": "HarfangLab Product Team",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Unisolate machine with HarfangLab EDR",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert"
    ],
    "baseConfig": "HarfangLab",
    "config": {
      "service": "unisolateEndpoint"
    },
    "configurationItems": [
      {
        "name": "apiURL",
        "description": "HarfangLab EDR API URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://hurukai:8443/"
      },
      {
        "name": "apiKey",
        "description": "HarfangLab EDR API Key",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "0123456789abcdef"
      }
    ],
    "subscription_required": true,
    "free_subscription": false,
    "service_logo": {
      "path": "assets/HarfangLab_logo.png",
      "caption": "logo"
    },
    "dockerImage": "ghcr.io/thehive-project/harfanglab-unisolatehost:1"
  },
  {
    "name": "JAMFProtect_addHashtoPreventList",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add IOC to JAMF Protect - creates a custom prevent list for a hash",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "JAMFProtect",
    "config": {
      "service": "addIOC"
    },
    "configurationItems": [
      {
        "name": "base_url",
        "description": "JAMF Protect base url",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://mycompany.protect.jamfcloud.com"
      },
      {
        "name": "client_id",
        "description": "JAMF Protect client ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "password",
        "description": "JAMF Protect password",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.jamf.com/products/jamf-protect/",
    "service_logo": {
      "path": "assets/jamfprotect.png",
      "caption": "JAMF Protect logo"
    },
    "dockerImage": "ghcr.io/thehive-project/jamfprotect_addhashtopreventlist:1"
  },
  {
    "name": "JAMFProtect_removeHashfromPreventList",
    "version": "1.0",
    "author": "Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Remove IOC on JAMF Protect - removes associated custom prevent list(s) containing the hash",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "JAMFProtect",
    "config": {
      "service": "removeIOC"
    },
    "configurationItems": [
      {
        "name": "base_url",
        "description": "JAMF Protect base url",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://mycompany.protect.jamfcloud.com"
      },
      {
        "name": "client_id",
        "description": "JAMF Protect client ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "password",
        "description": "JAMF Protect password",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.jamf.com/products/jamf-protect/",
    "service_logo": {
      "path": "assets/jamfprotect.png",
      "caption": "JAMF Protect logo"
    },
    "dockerImage": "ghcr.io/thehive-project/jamfprotect_removehashfrompreventlist:1"
  },
  {
    "name": "Jupyter_Run_Notebook_Responder",
    "version": "1.0",
    "author": "Alexandre Demeyer",
    "url": "https://jupyter.org/",
    "license": "AGPL-V3",
    "description": "Execute a parameterized notebook in Jupyter",
    "dataTypeList": [
      "thehive:case",
      "thehive:case_artifact",
      "thehive:alert",
      "thehive:case_task",
      "thehive:case_task_log"
    ],
    "baseConfig": "Jupyter",
    "config": {
      "service": "Run_Notebook",
      "check_tlp": true,
      "max_tlp": 4,
      "check_pap": true,
      "max_pap": 3
    },
    "configurationItems": [
      {
        "name": "input_hostname",
        "description": "[INPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to get the input notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "input_handler_http_service_api_token",
        "description": "[HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "input_handler_http_is_jupyterhub",
        "description": "[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "input_handler_http_execute_remotely",
        "description": "[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you want to run your code locally (papermill) or remotely (websocket through HTTP), otherwise don't take this parameter into account",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": false
      },
      {
        "name": "input_paths",
        "description": "[INPUT] List of paths of the notebooks you want to run",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "output_hostname",
        "description": "[OUTPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to store the output notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "output_handler_http_service_api_token",
        "description": "[HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "output_handler_http_is_jupyterhub",
        "description": "[OUTPUT][HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account",
        "type": "boolean",
        "multi": false,
        "required": false,
        "defaultValue": true
      },
      {
        "name": "output_folder",
        "description": "[OUTPUT] Folder path in which executed notebooks will be stored. This field supports datetime formatting (see the 'strftime' function).",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "/"
      },
      {
        "name": "any_handler_http_user",
        "description": "[ANY][HTTP Handler] If you want to use the REST API directly (HTTP handler), you must indicate which user will be used as the reference for having the original notebooks, otherwise don't take this parameter into account.",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/jupyter_run_notebook_responder:1"
  },
  {
    "name": "KnowBe4",
    "version": "1.0",
    "author": "Kyle Parrish",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add 'Clicked Event' to User via User Events API.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "KnowBe4",
    "configurationItems": [
      {
        "name": "api_url",
        "description": "Base API url",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.events.knowbe4.com/events"
      },
      {
        "name": "hive_url",
        "description": "Specify The Hive Instance URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "Api Key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "required_tag",
        "description": "Specify a tag that must be present for responder to run.",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "event_type",
        "description": "Specify the Event Type for the new event. https://developer.knowbe4.com/events/#tag/Event-Types",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "risk_level",
        "description": "Specify the desired risk level. https://developer.knowbe4.com/events/#tag/Events/paths/~1events/post",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 10
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/knowbe4:1"
  },
  {
    "name": "MSDefender-AutoInvestigation",
    "version": "1.0",
    "author": "Keijo Korte, Louis-Maximilien Dupouy",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Start an automated investigation on a device",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "startAutoInvestigation"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-autoinvestigation:1"
  },
  {
    "name": "MSDefender-IsolateMachine",
    "version": "1.0",
    "author": "Keijo Korte",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Isolate machine with Microsoft Defender for Endpoints",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "isolateMachine"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-isolatemachine:1"
  },
  {
    "name": "MSDefender-PushIOC-Alert",
    "version": "2.0",
    "author": "Keijo Korte, Louis-Maximilien Dupouy",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Push IOC to Defender client. Alert mode",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "pushIOCAlert"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-pushioc-alert:2"
  },
  {
    "name": "MSDefender-PushIOC-Block",
    "version": "2.0",
    "author": "Keijo Korte, Louis-Maximilien Dupouy",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Push IOC to Defender client. Blocking mode",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "pushIOCBlock"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-pushioc-block:2"
  },
  {
    "name": "MSDefender-RestrictAppExecution",
    "version": "1.0",
    "author": "Keijo Korte, Louis-Maximilien Dupouy",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Restrict execution of all applications on the device except a predefined set",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "restrictAppExecution"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-restrictappexecution:1"
  },
  {
    "name": "MSDefender-UnRestrictAppExecution",
    "version": "1.0",
    "author": "Keijo Korte, Louis-Maximilien Dupouy",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Enable execution of any application on the device",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "unrestrictAppExecution"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-unrestrictappexecution:1"
  },
  {
    "name": "MSDefender-UnisolateMachine",
    "version": "1.0",
    "author": "Keijo Korte",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Unisolate machine with Microsoft Defender for Endpoints",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "unisolateMachine"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-unisolatemachine:1"
  },
  {
    "name": "MSDefender-FullVirusscan",
    "version": "1.0",
    "author": "Keijo Korte",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Run a full virus scan on a machine with Microsoft Defender for Endpoints",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderforEndpoints",
    "config": {
      "service": "runFullVirusScan"
    },
    "configurationItems": [
      {
        "name": "tenantId",
        "description": "Azure tenant ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appId",
        "description": "Azure app ID",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456"
      },
      {
        "name": "appSecret",
        "description": "Azure app secret",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="
      },
      {
        "name": "resourceAppIdUri",
        "description": "Security Center URI, usually doesn't need to change",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.securitycenter.windows.com"
      },
      {
        "name": "oAuthUri",
        "description": "Azure oAuth2 authentication endpoint",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://login.microsoftonline.com"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://securitycenter.windows.com",
    "dockerImage": "ghcr.io/thehive-project/msdefender-fullvirusscan:1"
  },
  {
    "name": "MSDefenderOffice365_block",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add entries to the Tenant Allow/Block List in the Microsoft 365 Defender",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderOffice365",
    "config": {
      "service": "block"
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide",
    "service_logo": {
      "path": "assets/MicrosoftDefenderForOffice365_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/MSDefenderOffice365_Block.png",
        "caption": "Example responder action result"
      }
    ],
    "configurationItems": [
      {
        "name": "certificate_base64",
        "description": "Base64-encoded PFX certificate to be used for certificate-based authentication.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "certificate_password",
        "description": "Password for the certificate used to authenticate",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "app_id",
        "description": "The application ID of the service principal that's used in certificate based authentication",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "organization",
        "description": "Tenant ID. Example: something.onmicrosoft.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "block_expiration_days",
        "description": "How many days out should we set the expiration? A value <= 0 means to set no expiration.",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 0
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/msdefenderoffice365_block:1"
  },
  {
    "name": "MSDefenderOffice365_unblock",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add entries to the Tenant Allow/Block List in the Microsoft 365 Defender",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSDefenderOffice365",
    "config": {
      "service": "unblock"
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide",
    "service_logo": {
      "path": "assets/MicrosoftDefenderForOffice365_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/MSDefenderOffice365_Block.png",
        "caption": "Example responder action result"
      }
    ],
    "configurationItems": [
      {
        "name": "certificate_base64",
        "description": "Base64-encoded PFX certificate to be used for certificate-based authentication.",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "certificate_password",
        "description": "Password for the certificate used to authenticate",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "app_id",
        "description": "The application ID of the service principal that's used in certificate based authentication",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "organization",
        "description": "Tenant ID. Example: something.onmicrosoft.com",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/msdefenderoffice365_unblock:1"
  },
  {
    "name": "MSEntraID_ForcePasswordReset",
    "version": "1.0",
    "author": "nusatanra-self, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Force password reset at next login for a User Principal Name. (mail)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "forcePasswordReset"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_forcepasswordreset:1"
  },
  {
    "name": "MSEntraID_ForcePasswordResetWithMFA",
    "version": "1.0",
    "author": "nusatanra-self, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Force password reset at next login with MFA verification before password change for a User Principal Name. (mail)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "forcePasswordResetWithMFA"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_forcepasswordresetwithmfa:1"
  },
  {
    "name": "MSEntraID_disableUser",
    "version": "1.0",
    "author": "nusatanra-self, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Disable user in Microsoft Entra ID for a User Principal Name. (mail)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "disableUser"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_disableuser:1"
  },
  {
    "name": "MSEntraID_enableUser",
    "version": "1.0",
    "author": "nusatanra-self, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Enable user in Microsoft Entra ID for a User Principal Name. (mail)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "enableUser"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_enableuser:1"
  },
  {
    "name": "MSEntraID_revokeSignInSessions",
    "version": "1.1",
    "author": "Daniel Weiner @dmweiner; revised by @jahamilto; Fabien Bloume, StrangeBee",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Invalidates all the refresh tokens issued to applications for a Microsoft Entra ID user (as well as session cookies in a user's browser)",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "MSEntraID",
    "config": {
      "service": "revokeSignInSessions"
    },
    "configurationItems": [
      {
        "name": "tenant_id",
        "description": "Microsoft Entra ID Tenant ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_id",
        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "client_secret",
        "description": "Secret for Microsoft Entra ID Registered Application",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id",
    "dockerImage": "ghcr.io/thehive-project/msentraid_revokesigninsessions:1"
  },
  {
    "name": "MailIncidentStatus",
    "version": "1.0",
    "author": "Manuel Krucker",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Mail detailed status information about an incident case. The mail is sent to recipients specified by tags prefixed with 'mail='. The responder respects TLP definitions: for tlp:amber, mail addresses, and for tlp:green, mail domains, must be pre-defined in the configuration. For tlp:red, sending mail is denied. The responder also uses thehive4py to collect information about the status of the tasks of the incident.",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "MailIncidentStatus",
    "configurationItems": [
      {
        "name": "from",
        "description": "email address from which the mail is sent",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "smtp_host",
        "description": "SMTP server used to send mail",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "localhost"
      },
      {
        "name": "smtp_port",
        "description": "SMTP server port",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 25
      },
      {
        "name": "smtp_user",
        "description": "SMTP server user",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "user"
      },
      {
        "name": "smtp_pwd",
        "description": "SMTP server password",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "pwd"
      },
      {
        "name": "mail_subject_prefix",
        "description": "Prefix of the mail subject",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "Incident Case Notification: "
      },
      {
        "name": "mail_html_style_tag_content",
        "description": "The css content of the style tag for the HTML mail body. Define table, th, td, .first, and .second elements.",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "table { border: 1px solid black; border-collapse: collapse; text-align: left; vertical-align: top; th { border: 1px solid black; border-collapse: collapse; text-align: left;} td { border: 1px solid black; border-collapse: collapse; text-align: left;} .first { width: 150px; min-width: 150px; max-width: 150px; background-color: #ffe8d4; } .second { background-color: #d7d9f2;}"
      },
      {
        "name": "tlp_amber_mail_addresses",
        "description": "Mail addresses which are allowed to receive tlp:amber classified incidents",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "tlp_green_mail_domains",
        "description": "Mail domains which are allowed to receive tlp:green classified incidents",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "thehive_url",
        "description": "URL pointing to your TheHive installation, e.g. 'http://127.0.0.1:9000'",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_apikey",
        "description": "TheHive API key which is used to get tasks and other elements of the incident",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/mailincidentstatus:1"
  },
  {
    "name": "Mailer",
    "version": "1.0",
    "author": "CERT-BDF",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Send an email with information from a TheHive case or alert",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert",
      "thehive:case_task"
    ],
    "baseConfig": "Mailer",
    "configurationItems": [
      {
        "name": "from",
        "description": "email address from which the mail is sent",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "smtp_host",
        "description": "SMTP server used to send mail",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "localhost"
      },
      {
        "name": "smtp_port",
        "description": "SMTP server port",
        "type": "number",
        "multi": false,
        "required": true,
        "defaultValue": 25
      },
      {
        "name": "smtp_user",
        "description": "SMTP server user",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "user"
      },
      {
        "name": "smtp_pwd",
        "description": "SMTP server password",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "pwd"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/mailer:1"
  },
  {
    "name": "Minemeld",
    "version": "1.0",
    "author": "Wes Lambert, Security Onion Solutions",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Submit indicator to Minemeld",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Minemeld",
    "configurationItems": [
      {
        "name": "minemeld_url",
        "description": "URL for Minemeld instance",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://x.x.x.x"
      },
      {
        "name": "minemeld_user",
        "description": "User for Minemeld",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "apiuser"
      },
      {
        "name": "minemeld_password",
        "description": "Password for Minemeld",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "password"
      },
      {
        "name": "minemeld_indicator_list",
        "description": "Name of indicator list to which indicators will be added",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "my_block_list"
      },
      {
        "name": "minemeld_share_level",
        "description": "Share level for indicator",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "red"
      },
      {
        "name": "minemeld_confidence",
        "description": "Confidence level for indicator",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "100"
      },
      {
        "name": "minemeld_ttl",
        "description": "TTL for indicator",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "86400"
      }
    ],
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": false,
    "service_homepage": "https://github.com/PaloAltoNetworks/minemeld",
    "service_logo": {
      "path": "assets/MM-logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "",
        "caption": ""
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/minemeld:1"
  },
  {
    "name": "Netcraft_TakedownPhishingURL",
    "version": "1.0",
    "author": "Keijo Korte - @korteke",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Submit URL to Netcraft's Takedown API.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Netcraft",
    "configurationItems": [
      {
        "name": "api_key",
        "description": "Netcraft Takedown API key",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "username",
        "description": "Netcraft Takedown Username",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "password",
        "description": "Netcraft Takedown Password",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "useUserPass",
        "description": "Use User and Password authentication",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      },
      {
        "name": "takedown_url",
        "description": "Netcraft Takedown URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://takedown.netcraft.com/authorise.php"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.netcraft.com/cybercrime/countermeasures/",
    "dockerImage": "ghcr.io/thehive-project/netcraft_takedownphishingurl:1"
  },
  {
    "name": "PaloAltoCortexXDR_isolate",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Isolate endpoints identified by hostname or IP list",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "PaloAltoCortexXDR",
    "config": {
      "service": "isolate"
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
    "service_logo": {
      "path": "assets/cortex_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/PaloAltoCortexXDR_isolate.png",
        "caption": "Example responder action result"
      }
    ],
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key_id",
        "description": "API key ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "advanced_security",
        "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
        "type": "boolean",
        "multi": false,
        "required": true
      },
      {
        "name": "api_host",
        "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "isolate_polling_interval",
        "description": "Interval, in seconds, between requests for isolate or unisolate actions.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      },
      {
        "name": "isolate_max_polling_retries",
        "description": "Maximum number of times to retry action status when the isolate or unisolate action is still in progress.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 120
      },
      {
        "name": "allow_multiple_isolation_targets",
        "description": "Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltocortexxdr_isolate:1"
  },
  {
    "name": "PaloAltoCortexXDR_scan",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Scan endpoints identified by hostname or IP list",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "PaloAltoCortexXDR",
    "config": {
      "service": "scan"
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
    "service_logo": {
      "path": "assets/cortex_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/PaloAltoCortexXDR_isolate.png",
        "caption": "Example responder action result"
      }
    ],
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key_id",
        "description": "API key ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "advanced_security",
        "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
        "type": "boolean",
        "multi": false,
        "required": true
      },
      {
        "name": "api_host",
        "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "scan_polling_interval",
        "description": "Interval, in seconds, between requests for scan actions.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 60
      },
      {
        "name": "scan_max_polling_retries",
        "description": "Maximum number of times to retry action status when a scan action is still in progress.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 240
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltocortexxdr_scan:1"
  },
  {
    "name": "PaloAltoCortexXDR_unisolate",
    "version": "1.0",
    "author": "Joe Lazaro",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Unisolate endpoints identified by hostname or IP list",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "PaloAltoCortexXDR",
    "config": {
      "service": "unisolate"
    },
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.paloaltonetworks.com/cortex/cortex-xdr",
    "service_logo": {
      "path": "assets/cortex_logo.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/PaloAltoCortexXDR_isolate.png",
        "caption": "Example responder action result"
      }
    ],
    "configurationItems": [
      {
        "name": "api_key",
        "description": "API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key_id",
        "description": "API key ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "advanced_security",
        "description": "Set True if the API key was generated with Advanced security level. False for a Standard security key.",
        "type": "boolean",
        "multi": false,
        "required": true
      },
      {
        "name": "api_host",
        "description": "Fully qualified domain name for the API host. Example: api-example.xdr.us.paloaltonetworks.com",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "isolate_polling_interval",
        "description": "Interval, in seconds, between requests for isolate or unisolate actions.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 30
      },
      {
        "name": "isolate_max_polling_retries",
        "description": "Maximum number of times to retry action status when the isolate or unisolate action is still in progress.",
        "type": "number",
        "multi": false,
        "required": false,
        "defaultValue": 120
      },
      {
        "name": "allow_multiple_isolation_targets",
        "description": "Allow the responder to send multiple targets for isolation/unisolation in one multi-line observable. Set to false as a safety mechanism to allow only a single endpoint to be affected while refusing requests to operate on multiple endpoints.",
        "type": "boolean",
        "multi": false,
        "required": true,
        "defaultValue": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltocortexxdr_unisolate:1"
  },
  {
    "name": "PaloAltoNGFW_block_external_IP_address",
    "version": "2.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block external IP address",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_external_IP_address",
        "description": "Name external security rule for IP address",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block external IP address"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_external_ip_address:2"
  },
  {
    "name": "PaloAltoNGFW_block_external_domain",
    "version": "2.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block external domain",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_external_domain",
        "description": "Name external security rule for domains",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block external Domain"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_external_domain:2"
  },
  {
    "name": "PaloAltoNGFW_block_external_user",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block external user",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_external_user",
        "description": "Name security rule for external users",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block external user"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_external_user:1"
  },
  {
    "name": "PaloAltoNGFW_block_internal_IP_address",
    "version": "2.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block internal IP address",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_internal_IP_address",
        "description": "Name internal security rule for IP address",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block internal IP address"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_internal_ip_address:2"
  },
  {
    "name": "PaloAltoNGFW_block_internal_domain",
    "version": "2.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block internal domain",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_internal_domain",
        "description": "Name internal security rule for domains",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block internal Domain"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_internal_domain:2"
  },
  {
    "name": "PaloAltoNGFW_block_internal_user",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block internal user",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_internal_user",
        "description": "Name internal security rule for users",
        "type": "string",
        "multi": false,
        "required": false,
        "defaultValue": "TheHive Block internal user"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_internal_user:1"
  },
  {
    "name": "PaloAltoNGFW_block_port_for_external_communication",
    "version": "2.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block external port communication",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_port_external_communication",
        "description": "Name external security rule for port communications",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block port for external communication"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_port_for_external_communication:2"
  },
  {
    "name": "PaloAltoNGFW_block_port_for_internal_communication",
    "version": "2.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Block internal port communication",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_port_internal_communication",
        "description": "Name internal security rule for port communications",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block port for internal communication"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_block_port_for_internal_communication:2"
  },
  {
    "name": "PaloAltoNGFW_unblock_external_IP_address",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock external ip",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Address_group_for_external_IP_address",
        "description": "Name external Address Group for IP address",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block list external IP address"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_external_ip_address:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_external_domain",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock external domain",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Address_group_for_unblock_external_domain",
        "description": "Name external Address Group for domains",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block list external domain"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_external_domain:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_external_user",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock external user",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_external_user",
        "description": "Name security rule for external users",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block external user"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_external_user:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_internal_IP_address",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock internal ip",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Address_group_for_internal_IP_address",
        "description": "Name internal Address Group for IP address",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block list internal IP address"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_internal_ip_address:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_internal_domain",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock internal domain",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Address_group_for_unblock_internal_domain",
        "description": "Name internal Address Group for domains",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block list internal domain"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_internal_domain:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_internal_user",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock internal user",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Security_rule_for_block_internal_user",
        "description": "Name security rule for internal users",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block internal user"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_internal_user:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_port_for_external_communication",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock external port communication",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Service_group_for_external_port_communication",
        "description": "Name external Service Group for port communication",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block list for external port communication"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_port_for_external_communication:1"
  },
  {
    "name": "PaloAltoNGFW_unblock_port_for_internal_communication",
    "version": "1.0.0",
    "author": "Maxim Konakin, OSCD Initiative",
    "url": "https://www.paloaltonetworks.com/",
    "license": "AGPL-V3",
    "description": "Unblock internal port communication",
    "dataTypeList": [
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case"
    ],
    "baseConfig": "PaloAltoNGFW_main",
    "configurationItems": [
      {
        "name": "Hostname_PaloAltoNGFW",
        "description": "Hostname PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "User_PaloAltoNGFW",
        "description": "User PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Password_PaloAltoNGFW",
        "description": "Password PaloAltoNGFW",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Service_group_for_internal_port_communication",
        "description": "Name internal Service Group for port communication",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "TheHive Block list for internal port communication"
      },
      {
        "name": "TheHive_instance",
        "description": "URL of the TheHive instance to query",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "TheHive_API_key",
        "description": "TheHive API key with read access",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/paloaltongfw_unblock_port_for_internal_communication:1"
  },
  {
    "name": "PaloAltoWildfire_URL_submission",
    "version": "1.0",
    "author": "Keijo Korte - @korteke",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Submit URL to PaloAlto Wildfire service.",
    "dataTypeList": [
      "url",
      "domain",
      "fqdn"
    ],
    "baseConfig": "PaloAltoWildfire",
    "configurationItems": [
      {
        "name": "api_key",
        "description": "PaloAlto Wildfire API key",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "wildfire_url",
        "description": "PaloAlto Wildfire Takedown URL",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://wildfire.paloaltonetworks.com/publicapi/submit/link"
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://www.paloaltonetworks.com/network-security/wildfire",
    "dockerImage": "ghcr.io/thehive-project/paloaltowildfire_url_submission:1"
  },
  {
    "name": "QRadar_Auto_Closing_Offense",
    "version": "1.0",
    "author": "Florian Perret",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Close the QRadar offense associated with your case in one click!",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "QRadarAutoClose",
    "configurationItems": [
      {
        "name": "QRadar_API_Key",
        "description": "A QRadar API key with sufficient rights to close an offense",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "QRadar_Url",
        "description": "URL of your QRadar API, must be accessible from Cortex server. eg: myqradar.myorg.com/api/siem/offenses",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Cert_Path",
        "description": "If you need a certificate to authenticate to your QRadar API, please provide the path here",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/qradar_auto_closing_offense:1"
  },
  {
    "name": "RT4-CreateTicket",
    "version": "1.0",
    "author": "Michael Davis, REN-ISAC",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers/tree/master/responders/RT4",
    "license": "MIT",
    "description": "Cortex Responder to create a ticket in RT4 from TheHive observables or alerts",
    "dataTypeList": [
      "thehive:case_artifact",
      "thehive:alert",
      "thehive:case"
    ],
    "baseConfig": "RT4",
    "configurationItems": [
      {
        "name": "server",
        "description": "RT4 Base URL, e.g., https://rt.domain.local",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "RT4 username for authentication",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "RT4 password for user account",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "Queue",
        "description": "Default queue in which to create new tickets",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "General"
      },
      {
        "name": "Owner",
        "description": "Default owner to assign newly created tickets (optional)",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "Status",
        "description": "Default ticket status to assign newly created tickets (optional)",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "custom_field_list",
        "description": "Name:Value of Custom Fields in RT to set on every ticket created (e.g.: 'How Reported:TheHive' sets CF.{How Reported} = TheHive on every new ticket)",
        "type": "string",
        "multi": true,
        "required": false
      },
      {
        "name": "tag_to_template_map",
        "description": "Mapping table of tags to templates (e.g.: 'phishing:phish_letter' maps anything tagged as 'phishing' to the 'phish_letter' template)",
        "type": "string",
        "multi": true,
        "required": true
      },
      {
        "name": "thehive_cf_rtticket",
        "description": "Name of a case custom field in TheHive in which RT ticket #s will be saved upon successful case-level Responder run (optional)",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "thehive_url",
        "description": "TheHive Base URL, e.g., https://thehive.domain.local:9000 (optional: only needed to process Cases)",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "thehive_token",
        "description": "TheHive API token for authentication (optional: only needed to process Cases)",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/rt4-createticket:1"
  },
  {
    "name": "Redmine_Issue",
    "version": "1.0",
    "author": "Marc-André DOLL",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Create a redmine issue from a case",
    "dataTypeList": [
      "thehive:case",
      "thehive:case_task"
    ],
    "baseConfig": "Redmine",
    "configurationItems": [
      {
        "name": "instance_name",
        "description": "Name of the Redmine instance",
        "multi": false,
        "required": false,
        "type": "string",
        "defaultValue": "redmine"
      },
      {
        "name": "url",
        "description": "URL where to find the Redmine API",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "username",
        "description": "Username to log into Redmine",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "password",
        "description": "Password to log into Redmine",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "project_field",
        "description": "Name of the custom field containing the Redmine project to use when creating the issue",
        "multi": false,
        "required": true,
        "type": "string"
      },
      {
        "name": "tracker_field",
        "description": "Name of the custom field containing the Redmine tracker to use when creating the issue",
        "multi": false,
        "required": true,
        "type": "string"
      },
      {
        "name": "assignee_field",
        "description": "Name of the custom field containing the Redmine assignee to use when creating the issue",
        "multi": false,
        "required": false,
        "type": "string"
      },
      {
        "name": "reference_field",
        "description": "Name of the case custom field in which to store the opened issue. If not defined, this information will not be stored",
        "type": "string",
        "required": false,
        "multi": false
      },
      {
        "name": "opening_status",
        "description": "Status used when opening a Redmine issue (if not defined here, will use the default opening status from the Redmine Workflow)",
        "type": "string",
        "multi": false,
        "required": false
      },
      {
        "name": "closing_task",
        "description": "Closing the task after successfully creating the Redmine issue",
        "type": "boolean",
        "multi": false,
        "defaultValue": false,
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/redmine_issue:1"
  },
  {
    "author": "RiskIQ",
    "baseConfig": "RiskIQ",
    "config": {
      "service": "PushArtifactToProject"
    },
    "configurationItems": [
      {
        "description": "API username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)",
        "multi": false,
        "name": "username",
        "required": true,
        "type": "string"
      },
      {
        "description": "API key of the RiskIQ Illuminate or PassiveTotal account",
        "multi": false,
        "name": "api_key",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": "analyst",
        "description": "Visibility for new RiskIQ Illuminate projects (analyst, team, or public).",
        "multi": false,
        "name": "project_visibility",
        "required": true,
        "type": "string"
      },
      {
        "defaultValue": "Hive:",
        "description": "Prefix to add when auto-generating project names from case names.",
        "multi": false,
        "name": "project_prefix",
        "required": false,
        "type": "string"
      },
      {
        "description": "Tag to apply to artifact in TheHive when it has been pushed to a RiskIQ Illuminate Project (leave blank to skip tagging).",
        "multi": false,
        "name": "thehive_artifact_tag",
        "required": false,
        "type": "string"
      },
      {
        "description": "Tag to apply to artifact in RiskIQ Illuminate when it has been pushed to an Illuminate Project (leave blank to skip tagging).",
        "multi": false,
        "name": "riq_artifact_tag",
        "required": false,
        "type": "string"
      }
    ],
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "description": "Push a case to a RiskIQ Illuminate project.",
    "license": "AGPL-V3",
    "name": "RiskIQ_PushArtifactToProject",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "version": "1.0",
    "dockerImage": "ghcr.io/thehive-project/riskiq_pushartifacttoproject:1"
  },
  {
    "name": "SendGrid",
    "version": "1.0",
    "author": "Equate Technologies",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Send an email with information from a TheHive case or alert via SendGrid API over HTTPS",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert"
    ],
    "baseConfig": "SendGrid",
    "configurationItems": [
      {
        "name": "from",
        "description": "Email address to use as the From: field",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "api_key",
        "description": "SendGrid API key",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sendgrid:1"
  },
  {
    "name": "SentinelOne_Hash_Blacklister",
    "version": "1.0",
    "author": "Joe Vasquez",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add SHA1 hash to SentinelOne Blacklist via API v2.1.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "config": {
      "service": "s1_blacklist"
    },
    "baseConfig": "SentinelOne",
    "configurationItems": [
      {
        "name": "s1_console_url",
        "description": "Console URL",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "s1_api_key",
        "description": "API Key, don't forget this will expire!",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "s1_account_id",
        "description": "Account ID",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "s1_blacklist_ostype",
        "description": "OS type, must be one of the following: macos, windows, linux, or windows_legacy.  Default is windows",
        "type": "string",
        "multi": false,
        "default": "windows",
        "required": false
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/sentinelone_hash_blacklister:1"
  },
  {
    "name": "Shuffle",
    "version": "1.0",
    "author": "@frikkylikeme",
    "url": "https://github.com/frikky/shuffle",
    "license": "AGPL-V3",
    "description": "Execute a workflow in Shuffle",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case_task",
      "thehive:case_task_log"
    ],
    "baseConfig": "Shuffle",
    "configurationItems": [
      {
        "name": "url",
        "description": "The URL to your shuffle instance",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://shuffler.io"
      },
      {
        "name": "api_key",
        "description": "The API key to your Shuffle user",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "workflow_id",
        "description": "The ID of the workflow to execute",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/shuffle:1"
  },
  {
    "name": "Telegram",
    "version": "1.0",
    "author": "Alex Kolnik, PS Cloud Services, @ps_kz",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Send a message to Telegram with information from TheHive case",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "Telegram",
    "configurationItems": [
      {
        "name": "api_token",
        "description": "The token is a string, like 110201543:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw, which is required to authorize the bot and send requests to the Bot API",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "chat_id",
        "description": "ID of the chat or channel to which the message will be sent",
        "type": "number",
        "multi": false,
        "required": true
      },
      {
        "name": "date_format",
        "description": "Date format string in Python datetime format codes (see https://www.geeksforgeeks.org/python-datetime-strptime-function/)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "%d.%m.%Y %H:%M"
      },
      {
        "name": "tag",
        "description": "Tag name to be assigned to the case",
        "type": "string",
        "multi": false,
        "required": false
      }
    ],
    "registration_required": true,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://www.telegram.org",
    "dockerImage": "ghcr.io/thehive-project/telegram:1"
  },
  {
    "name": "Test",
    "version": "1.0",
    "author": "Jerome Leonard",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "test",
    "dataTypeList": [
      "thehive:case",
      "thehive:alert",
      "thehive:case_artifact",
      "thehive:case_task",
      "thehive:case_task_log"
    ],
    "baseConfig": "Test",
    "configurationItems": [],
    "dockerImage": "ghcr.io/thehive-project/test:1"
  },
  {
    "name": "Umbrella_Blacklister",
    "version": "1.1",
    "author": "Kyle Parrish",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Add domain to Umbrella blacklist via Enforcement API.",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "UmbrellaBlacklister",
    "configurationItems": [
      {
        "name": "integration_url",
        "description": "Custom integration url",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/umbrella_blacklister:1"
  },
  {
    "name": "Velociraptor_Flow",
    "version": "0.1",
    "author": "Wes Lambert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Run Velociraptor flow",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "Velociraptor",
    "configurationItems": [
      {
        "name": "velociraptor_client_config",
        "description": "Path to API client config file",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "velociraptor_artifact",
        "description": "Artifact to collect",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      },
      {
        "name": "upload_flow_results",
        "description": "Upload the results of a flow as an observable",
        "type": "boolean",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_url",
        "description": "URL pointing to your TheHive installation, e.g. 'http://127.0.0.1:9000'",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_apikey",
        "description": "TheHive API key (used to add the downloaded file back to the alert/case)",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/velociraptor_flow:0"
  },
  {
    "name": "Virustotal_Downloader",
    "version": "0.1",
    "author": "Mario Henkel @hariomenkel",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Download a file from Virustotal by its hash",
    "dataTypeList": [
      "thehive:case_artifact"
    ],
    "baseConfig": "VirustotalDownloader",
    "configurationItems": [
      {
        "name": "virustotal_apikey",
        "description": "Virustotal API key which should be used to download files",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_url",
        "description": "URL pointing to your TheHive installation, e.g. 'http://127.0.0.1:9000'",
        "type": "string",
        "multi": false,
        "required": true
      },
      {
        "name": "thehive_apikey",
        "description": "TheHive API key which is used to add the downloaded file back to the alert/case",
        "type": "string",
        "multi": false,
        "required": true
      }
    ],
    "registration_required": true,
    "subscription_required": true,
    "free_subscription": false,
    "service_homepage": "https://virustotal.com",
    "service_logo": {
      "path": "",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "",
        "caption": ""
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/virustotal_downloader:0"
  },
  {
    "name": "Wazuh",
    "version": "1.0",
    "author": "Wes Lambert",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Block an IP on a host via Wazuh agent",
    "dataTypeList": [
      "thehive:case",
      "thehive:case_artifact"
    ],
    "baseConfig": "Wazuh",
    "configurationItems": [
      {
        "name": "wazuh_manager",
        "description": "URL for Wazuh Manager",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://localhhost:55000"
      },
      {
        "name": "wazuh_user",
        "description": "User for Wazuh Manager",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "foo"
      },
      {
        "name": "wazuh_password",
        "description": "Password for Wazuh Manager (the default value is a placeholder; set the real password)",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "bar"
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/wazuh:1"
  },
  {
    "name": "ZEROFOX_Close_alert",
    "version": "1.0",
    "author": "TheHive-Project",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Close alert in Zerofox",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "ZEROFOX",
    "configurationItems": [
      {
        "name": "url",
        "description": "URL for Zerofox API",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.zerofox.com/1.0"
      },
      {
        "name": "api",
        "description": "API key for Zerofox",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/zerofox_close_alert:1"
  },
  {
    "name": "ZEROFOX_Takedown_request",
    "version": "1.0",
    "author": "TheHive-Project",
    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Request for a takedown regarding the alert in Zerofox",
    "dataTypeList": [
      "thehive:case"
    ],
    "baseConfig": "ZEROFOX",
    "configurationItems": [
      {
        "name": "url",
        "description": "URL for Zerofox API",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": "https://api.zerofox.com/1.0"
      },
      {
        "name": "api",
        "description": "API key for Zerofox",
        "type": "string",
        "multi": false,
        "required": true,
        "defaultValue": ""
      }
    ],
    "dockerImage": "ghcr.io/thehive-project/zerofox_takedown_request:1"
  }
]
