From 313f0754c07b92e1fe4c710a3cd0ce1c5a8c30ac Mon Sep 17 00:00:00 2001 From: Nicolas Mattiocco Date: Wed, 5 Dec 2018 10:48:23 +0100 Subject: [PATCH] adding Patrowl analyzer --- analyzers/Patrowl/.gitignore | 2 + analyzers/Patrowl/Patrowl_GetReport.json | 26 ++++++ analyzers/Patrowl/README.md | 10 +++ analyzers/Patrowl/patrowl.py | 77 ++++++++++++++++ analyzers/Patrowl/requirements.txt | 2 + .../templates/Patrowl_GetReport_long.html | 89 +++++++++++++++++++ .../templates/Patrowl_GetReport_short.html | 3 + 7 files changed, 209 insertions(+) create mode 100644 analyzers/Patrowl/.gitignore create mode 100644 analyzers/Patrowl/Patrowl_GetReport.json create mode 100644 analyzers/Patrowl/README.md create mode 100755 analyzers/Patrowl/patrowl.py create mode 100644 analyzers/Patrowl/requirements.txt create mode 100644 analyzers/Patrowl/templates/Patrowl_GetReport_long.html create mode 100644 analyzers/Patrowl/templates/Patrowl_GetReport_short.html diff --git a/analyzers/Patrowl/.gitignore b/analyzers/Patrowl/.gitignore new file mode 100644 index 000000000..02b63a21c --- /dev/null +++ b/analyzers/Patrowl/.gitignore @@ -0,0 +1,2 @@ +env +.DS_Store diff --git a/analyzers/Patrowl/Patrowl_GetReport.json b/analyzers/Patrowl/Patrowl_GetReport.json new file mode 100644 index 000000000..52397082a --- /dev/null +++ b/analyzers/Patrowl/Patrowl_GetReport.json @@ -0,0 +1,26 @@ +{ + "name": "Patrowl_GetReport", + "version": "1.0", + "author": "Nicolas Mattiocco", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Get the current Patrowl report for a fdqn, a domain or an IP address.", + "dataTypeList": ["fqdn", "domain", "ip"], + "baseConfig": "Patrowl", + "config": { + "url": "http://my.patrowl.io:8000", + "service": "getreport", + "username": "cortex", + "password": "Bonjour1!" + }, + "configurationItems": [ + { + "name": "url", + "description": "Define the PatrOwl url", + "type": "string", + "multi": false, + "required": true + } + ], + "command": "Patrowl/patrowl.py" +} diff --git a/analyzers/Patrowl/README.md b/analyzers/Patrowl/README.md new file mode 100644 index 000000000..d25ce83c4 --- /dev/null +++ b/analyzers/Patrowl/README.md @@ -0,0 +1,10 @@ +![](https://github.com/Patrowl/PatrowlDocs/blob/master/images/logos/logo-patrowl-light.png) + +[![Join the chat at https://gitter.im/Patrowl/Support](https://badges.gitter.im/Patrowl/Support.png)](https://gitter.im/Patrowl/Support) + +# **PatrOwl** +[PatrOwl](https://www.patrowl.io/) is a scalable, free and open-source solution for orchestrating Security Operations. +**PatrowlManager** is the Front-end application for managing the assets, reviewing risks on real-time, orchestrating the operations (scans, searches, API calls, ...), aggregating the results, relaying alerts on third parties (ex: Incident Response platform like [TheHive](https://github.com/TheHive-Project/TheHive/), Splunk, ...) and providing the reports and dashboards. Operations are performed by the [PatrowlEngines](https://github.com/Patrowl/PatrowlEngines/) instances. Don't forget to install and deploy them ;) + +# Installation +See [Cortex Installation Guide](https://github.com/TheHive-Project/CortexDocs). diff --git a/analyzers/Patrowl/patrowl.py b/analyzers/Patrowl/patrowl.py new file mode 100755 index 000000000..e533726d5 --- /dev/null +++ b/analyzers/Patrowl/patrowl.py @@ -0,0 +1,77 @@ +#!/usr/bin/env python +# encoding: utf-8 +"""Patrowl Analyzer for Cortex.""" + +import requests +from cortexutils.analyzer import Analyzer + + +class PatrowlAnalyzer(Analyzer): + """PatrowlAnalyzer Class definition.""" + + def __init__(self): + """Initialize the Analyzer.""" + Analyzer.__init__(self) + self.service = self.getParam('config.service', None, 'Patrowl service is missing') + self.url = self.getParam('config.url', None, 'Patrowl URL is missing').rstrip("/") + self.username = self.getParam('config.username', None, 'Patrowl Username is missing') + self.password = self.getParam('config.password', None, 'Patrowl Password is missing') + + def summary(self, raw): + """Parse, format and return scan summary.""" + taxonomies = [] + level = "info" + namespace = "Patrowl" + + # getreport service + if self.service == 'getreport': + if 'risk_level' in raw and raw['risk_level']: + + # Grade + if raw['risk_level']['grade'] in ["A", "B"]: + level = "safe" + else: + level = "suspicious" + taxonomies.append(self.build_taxonomy( + level, namespace, "Grade", raw['risk_level']['grade'])) + + # Findings + if raw['risk_level']['high'] > 0: + level = "malicious" + elif raw['risk_level']['medium'] > 0 or raw['risk_level']['low'] > 0: + level = "suspicious" + else: + level = "info" + taxonomies.append(self.build_taxonomy( + level, namespace, "Findings", "{}/{}/{}/{}".format( + raw['risk_level']['high'], + raw['risk_level']['medium'], + raw['risk_level']['low'], + raw['risk_level']['info'] + ))) + #todo: add_asset service + + return {"taxonomies": taxonomies} + + def run(self): + """Run the analyzer.""" + Analyzer.run(self) + data = self.getData() + + try: + if self.service == 'getreport': + service_url = self.url+"/assets/api/v1/details/"+data + response = requests.get(service_url, auth=requests.auth.HTTPBasicAuth(self.username, self.password)) + + self.report(response.json()) + + else: + self.error('Unknown Patrowl service') + + except Exception as e: + self.unexpectedError(e) + + +if __name__ == '__main__': + """Main function.""" + PatrowlAnalyzer().run() diff --git a/analyzers/Patrowl/requirements.txt b/analyzers/Patrowl/requirements.txt new file mode 100644 index 000000000..6aabc3cfa --- /dev/null +++ b/analyzers/Patrowl/requirements.txt @@ -0,0 +1,2 @@ +cortexutils +requests diff --git a/analyzers/Patrowl/templates/Patrowl_GetReport_long.html b/analyzers/Patrowl/templates/Patrowl_GetReport_long.html new file mode 100644 index 000000000..900957f11 --- /dev/null +++ b/analyzers/Patrowl/templates/Patrowl_GetReport_long.html @@ -0,0 +1,89 @@ +
+ + +
+
+ Patrowl Report +
+
+

Asset Information for {{content.value}}

+
+
Name
+
{{content.name}}
+
Criticity
+
+
DataType
+
{{content.type}}
+
Description
+
{{content.description}}
+
Findings summary
+
+
+
+ {{content.risk_level.info}} +
+
+ {{content.risk_level.low}} +
+
+ {{content.risk_level.medium}} +
+
+ {{content.risk_level.high}} +
+
+
+
+
+
+

Findings Reports

+
+
+
+ {{finding.title}} +
+
+
+
Severity
+
+
Description
+
{{finding.description}}
+
From engine
+
{{finding.engine_type}}
+
+
+
+
+
+
+
+ + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
diff --git a/analyzers/Patrowl/templates/Patrowl_GetReport_short.html b/analyzers/Patrowl/templates/Patrowl_GetReport_short.html new file mode 100644 index 000000000..57f9d29cf --- /dev/null +++ b/analyzers/Patrowl/templates/Patrowl_GetReport_short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}={{t.value}} +