adding Patrowl analyzer

TheHive-Project · Dec 5, 2018 · 313f075 · 313f075
1 parent 2d5034e
commit 313f075
Show file tree

Hide file tree

Showing 7 changed files with 209 additions and 0 deletions.
diff --git a/analyzers/Patrowl/.gitignore b/analyzers/Patrowl/.gitignore
@@ -0,0 +1,2 @@
+env
+.DS_Store
diff --git a/analyzers/Patrowl/Patrowl_GetReport.json b/analyzers/Patrowl/Patrowl_GetReport.json
@@ -0,0 +1,26 @@
+{
+    "name": "Patrowl_GetReport",
+    "version": "1.0",
+    "author": "Nicolas Mattiocco",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Get the current Patrowl report for a fdqn, a domain or an IP address.",
+    "dataTypeList": ["fqdn", "domain", "ip"],
+    "baseConfig": "Patrowl",
+    "config": {
+      "url": "http://my.patrowl.io:8000",
+      "service": "getreport",
+      "username": "cortex",
+      "password": "Bonjour1!"
+    },
+    "configurationItems": [
+      {
+        "name": "url",
+        "description": "Define the PatrOwl url",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "command": "Patrowl/patrowl.py"
+}
diff --git a/analyzers/Patrowl/README.md b/analyzers/Patrowl/README.md
@@ -0,0 +1,10 @@
+![](https://github.com/Patrowl/PatrowlDocs/blob/master/images/logos/logo-patrowl-light.png)
+
+[![Join the chat at https://gitter.im/Patrowl/Support](https://badges.gitter.im/Patrowl/Support.png)](https://gitter.im/Patrowl/Support)
+
+# **PatrOwl**
+[PatrOwl](https://www.patrowl.io/) is a scalable, free and open-source solution for orchestrating Security Operations.  
+**PatrowlManager** is the Front-end application for managing the assets, reviewing risks on real-time, orchestrating the operations (scans, searches, API calls, ...), aggregating the results, relaying alerts on third parties (ex: Incident Response platform like [TheHive](https://github.com/TheHive-Project/TheHive/), Splunk, ...) and providing the reports and dashboards. Operations are performed by the [PatrowlEngines](https://github.com/Patrowl/PatrowlEngines/) instances. Don't forget to install and deploy them ;)
+
+# Installation
+See [Cortex Installation Guide](https://github.com/TheHive-Project/CortexDocs).
diff --git a/analyzers/Patrowl/patrowl.py b/analyzers/Patrowl/patrowl.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+# encoding: utf-8
+"""Patrowl Analyzer for Cortex."""
+
+import requests
+from cortexutils.analyzer import Analyzer
+
+
+class PatrowlAnalyzer(Analyzer):
+    """PatrowlAnalyzer Class definition."""
+
+    def __init__(self):
+        """Initialize the Analyzer."""
+        Analyzer.__init__(self)
+        self.service = self.getParam('config.service', None, 'Patrowl service is missing')
+        self.url = self.getParam('config.url', None, 'Patrowl URL is missing').rstrip("/")
+        self.username = self.getParam('config.username', None, 'Patrowl Username is missing')
+        self.password = self.getParam('config.password', None, 'Patrowl Password is missing')
+
+    def summary(self, raw):
+        """Parse, format and return scan summary."""
+        taxonomies = []
+        level = "info"
+        namespace = "Patrowl"
+
+        # getreport service
+        if self.service == 'getreport':
+            if 'risk_level' in raw and raw['risk_level']:
+
+                # Grade
+                if raw['risk_level']['grade'] in ["A", "B"]:
+                    level = "safe"
+                else:
+                    level = "suspicious"
+                taxonomies.append(self.build_taxonomy(
+                    level, namespace, "Grade", raw['risk_level']['grade']))
+
+                # Findings
+                if raw['risk_level']['high'] > 0:
+                    level = "malicious"
+                elif raw['risk_level']['medium'] > 0 or raw['risk_level']['low'] > 0:
+                    level = "suspicious"
+                else:
+                    level = "info"
+                taxonomies.append(self.build_taxonomy(
+                    level, namespace, "Findings", "{}/{}/{}/{}".format(
+                        raw['risk_level']['high'],
+                        raw['risk_level']['medium'],
+                        raw['risk_level']['low'],
+                        raw['risk_level']['info']
+                    )))
+        #todo: add_asset service
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        """Run the analyzer."""
+        Analyzer.run(self)
+        data = self.getData()
+
+        try:
+            if self.service == 'getreport':
+                service_url = self.url+"/assets/api/v1/details/"+data
+                response = requests.get(service_url, auth=requests.auth.HTTPBasicAuth(self.username, self.password))
+
+                self.report(response.json())
+
+            else:
+                self.error('Unknown Patrowl service')
+
+        except Exception as e:
+            self.unexpectedError(e)
+
+
+if __name__ == '__main__':
+    """Main function."""
+    PatrowlAnalyzer().run()
diff --git a/analyzers/Patrowl/requirements.txt b/analyzers/Patrowl/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/analyzers/Patrowl/templates/Patrowl_GetReport_long.html b/analyzers/Patrowl/templates/Patrowl_GetReport_long.html
@@ -0,0 +1,89 @@
+<div class="report-Patrowl" ng-if="success">
+    <style>
+        .report-Patrowl dl {
+            margin-bottom: 2px;
+        }
+        .report-Patrowl .patrowl-info {
+            background-color: #3B4CA1;
+        }
+        .report-Patrowl .patrowl-low {
+            background-color: #79AB3D;
+        }
+        .report-Patrowl .patrowl-medium {
+            background-color: #D5C920;
+        }
+        .report-Patrowl .patrowl-high {
+            background-color: #D39F27;
+        }
+        .report-Patrowl .patrowl-critical {
+            background-color: #C61010;
+        }
+    </style>
+
+    <div class="panel panel-info">
+        <div class="panel-heading">
+            <strong>Patrowl Report</strong>
+        </div>
+        <div class="panel-body">
+            <h4>Asset Information for {{content.value}}</h4>
+            <dl class="dl-horizontal">
+                <dt>Name</dt>
+                <dd>{{content.name}}</dd>
+                <dt>Criticity</dt>
+                <dd><label class="label patrowl-{{content.criticity}}">{{content.criticity}}</label></dd>
+                <dt>DataType</dt>
+                <dd>{{content.type}}</dd>
+                <dt>Description</dt>
+                <dd>{{content.description}}</dd>
+                <dt>Findings summary</dt>
+                <dd>
+                    <div class="progress">
+                        <div class="progress-bar patrowl-info" ng-style="{width:(content.risk_level.info *100)/(content.risk_level.total)+'%'}">
+                            <span>{{content.risk_level.info}}</span>
+                        </div>
+                        <div class="progress-bar patrowl-low" ng-style="{width:(content.risk_level.low *100)/(content.risk_level.total)+'%'}">
+                            <span>{{content.risk_level.low}}</span>
+                        </div>
+                        <div class="progress-bar patrowl-medium" ng-style="{width:(content.risk_level.medium *100)/(content.risk_level.total)+'%'}">
+                            <span>{{content.risk_level.medium}}</span>
+                        </div>
+                        <div class="progress-bar patrowl-high" ng-style="{width:(content.risk_level.high *100)/(content.risk_level.total)+'%'}">
+                            <span>{{content.risk_level.high}}</span>
+                        </div>
+                    </div>
+                </dd>
+            </dl>
+            <br>
+            <hr>
+            <h4>Findings Reports</h4>
+            <div ng-if="content.findings" ng-repeat="finding in content.findings">
+                <div class="panel panel-default">
+                    <div class="panel-heading">
+                        <strong>{{finding.title}}</strong>
+                    </div>
+                    <div class="panel-body">
+                        <dl class="dl-horizontal" nf-if="finding.severity" >
+                            <dt>Severity</dt>
+                            <dd><label class="label patrowl-{{finding.severity}}">{{finding.severity}}</label></dd>
+                            <dt>Description</dt>
+                            <dd>{{finding.description}}</dd>
+                            <dt>From engine</dt>
+                            <dd>{{finding.engine_type}}</dd>
+                        </dl>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/analyzers/Patrowl/templates/Patrowl_GetReport_short.html b/analyzers/Patrowl/templates/Patrowl_GetReport_short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>