Merge pull request #1405 from TheHive-Project/rename-ciscoumbrella

Folder/vendor structure & subscription/homepage info improvements

Author: nusantara-self

analyzers/AILOnionLookup/AIL_OnionLookup.json

@@ -41,6 +41,6 @@
     ],
     "registration_required": false,
     "subscription_required": false,
-    "free_subscription": false,
-    "serviceHomepage": "https://onion.ail-project.org/"
+    "free_subscription": true,
+    "service_homepage": "https://onion.ail-project.org/"
 }

analyzers/Umbrella/Umbrella.py analyzers/CiscoUmbrella/Umbrella.pyanalyzers/Umbrella/Umbrella.py renamed to analyzers/CiscoUmbrella/Umbrella.py

@@ -1,13 +1,13 @@
 {
-  "name": "Umbrella_Report",
+  "name": "CiscoUmbrella_Report",
   "version": "1.0",
   "author": "Kyle Parrish",
   "url": "https://github.com/arnydo/thehive/Cortex-Analyzers",
   "license": "AGPL-V3",
-  "description": "Query the Umbrella Reporting API for recent DNS queries and their status.",
+  "description": "Query the Cisco Umbrella Reporting API for recent DNS queries and their status.",
   "dataTypeList": ["domain", "fqdn"],
-  "command": "Umbrella/Umbrella.py",
-  "baseConfig": "Umbrella",
+  "command": "CiscoUmbrella/Umbrella.py",
+  "baseConfig": "CiscoUmbrella",
   "config": {
         "service": "get"
   },
@@ -41,5 +41,9 @@
         "required": false,
         "default": 20
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://umbrella.cisco.com"
 }

analyzers/Umbrella/Umbrella_Report.json …yzers/CiscoUmbrella/Umbrella_Report.jsonanalyzers/Umbrella/Umbrella_Report.json renamed to analyzers/CiscoUmbrella/Umbrella_Report.json analyzers/Umbrella/Umbrella_Report.json renamed to analyzers/CiscoUmbrella/Umbrella_Report.json

@@ -1,95 +1,134 @@
-{
-    "name": "Elasticsearch_Analysis",
-    "author": "Nick Prokop",
-    "license": "MIT",
-    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-    "version": "1.0",
-    "description": "Search for IoCs in Elasticsearch",
-    "dataTypeList": ["url", "domain", "ip", "hash", "filename", "fqdn"],
-    "command": "Elasticsearch/elk.py",
-    "baseConfig": "Elasticsearch",
-    "configurationItems": [
-     {
-        "name": "endpoints",
-        "description": "Define the Elasticsearch endpoints",
-        "type": "string",
-        "multi": true,
-        "required": true,
-        "defaultValue": ["http://127.0.0.1:9200"]
-      },
-      {
-        "name": "keys",
-        "description": "Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both.",
-        "type": "string",
-        "multi": true,
-        "required": false
-      },
-	  {
-        "name": "users",
-        "description": "Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both.",
-        "type": "string",
-        "multi": true,
-        "required": false
-      },
-	  {
-        "name": "passwords",
-        "description": "Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both.",
-        "type": "string",
-        "multi": true,
-        "required": false
-      },
-      {
-        "name": "kibana",
-        "description": "Define the kibana address",
-        "type": "string",
-        "multi": false,
-        "required": false
-      },
-      {
-        "name": "dashboard",
-        "description": "Set the kibana dashboard id that will be linked in the report",
-        "type": "string",
-        "multi": false,
-        "required": false
-      },
-      {
-        "name": "index",
-        "description": "Define the Elasticsearch indices to use",
-        "type": "string",
-        "multi": true,
-        "required": true,
-        "defaultValue": ["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","packetbeat-*","winlogbeat-*"]
-      },
-      {
-        "name": "field",
-        "description": "Define the fields to query",
-        "type": "string",
-        "multi": true,
-        "required": true,
-        "defaultValue": ["destination.ip","dll.hash.md5","dll.hash.sha256","dns.question.name","dns.resolved_ip","file.hash.md5","file.hash.sha256","file.name","hash.md5","hash.sha256","process.args","process.hash.md5","process.hash.sha256","process.parent.hash.md5","process.parent.hash.sha256","source.ip","url.domain","url.full"]
-      },
-      {
-        "name": "size",
-        "description": "Define the number of hits per index to return",
-        "type": "string",
-        "multi": false,
-        "required": true,
-        "defaultValue": "10"
-      },
-      {
-        "name": "verifyssl",
-        "description": "Verify SSL certificate",
-        "type": "boolean",
-        "multi": false,
-        "required": true,
-        "defaultValue": true
-      },
-      {
-        "name": "cert_path",
-        "description": "Path to the CA on the system used to check server certificate",
-        "type": "string",
-        "multi": false,
-        "required": false
-      }
-    ]
-  }
+{
+  "name": "Elasticsearch_Analysis",
+  "author": "Nick Prokop",
+  "license": "MIT",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0",
+  "description": "Search for IoCs in Elasticsearch",
+  "dataTypeList": [
+    "url",
+    "domain",
+    "ip",
+    "hash",
+    "filename",
+    "fqdn"
+  ],
+  "command": "Elasticsearch/elk.py",
+  "baseConfig": "Elasticsearch",
+  "configurationItems": [
+    {
+      "name": "endpoints",
+      "description": "Define the Elasticsearch endpoints",
+      "type": "string",
+      "multi": true,
+      "required": true,
+      "defaultValue": [
+        "http://127.0.0.1:9200"
+      ]
+    },
+    {
+      "name": "keys",
+      "description": "Set the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both.",
+      "type": "string",
+      "multi": true,
+      "required": false
+    },
+    {
+      "name": "users",
+      "description": "Set the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both.",
+      "type": "string",
+      "multi": true,
+      "required": false
+    },
+    {
+      "name": "passwords",
+      "description": "Set the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both.",
+      "type": "string",
+      "multi": true,
+      "required": false
+    },
+    {
+      "name": "kibana",
+      "description": "Define the kibana address",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "dashboard",
+      "description": "Set the kibana dashboard id that will be linked in the report",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "index",
+      "description": "Define the Elasticsearch indices to use",
+      "type": "string",
+      "multi": true,
+      "required": true,
+      "defaultValue": [
+        "apm-*-transaction*",
+        "auditbeat-*",
+        "endgame-*",
+        "filebeat-*",
+        "packetbeat-*",
+        "winlogbeat-*"
+      ]
+    },
+    {
+      "name": "field",
+      "description": "Define the fields to query",
+      "type": "string",
+      "multi": true,
+      "required": true,
+      "defaultValue": [
+        "destination.ip",
+        "dll.hash.md5",
+        "dll.hash.sha256",
+        "dns.question.name",
+        "dns.resolved_ip",
+        "file.hash.md5",
+        "file.hash.sha256",
+        "file.name",
+        "hash.md5",
+        "hash.sha256",
+        "process.args",
+        "process.hash.md5",
+        "process.hash.sha256",
+        "process.parent.hash.md5",
+        "process.parent.hash.sha256",
+        "source.ip",
+        "url.domain",
+        "url.full"
+      ]
+    },
+    {
+      "name": "size",
+      "description": "Define the number of hits per index to return",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "10"
+    },
+    {
+      "name": "verifyssl",
+      "description": "Verify SSL certificate",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": true
+    },
+    {
+      "name": "cert_path",
+      "description": "Path to the CA on the system used to check server certificate",
+      "type": "string",
+      "multi": false,
+      "required": false
+    }
+  ],
+  "registration_required": false,
+  "subscription_required": false,
+  "free_subscription": true,
+  "service_homepage": "https://www.elastic.co"
+}

analyzers/Umbrella/requirements.txt analyzers/CiscoUmbrella/requirements.txtanalyzers/Umbrella/requirements.txt renamed to analyzers/CiscoUmbrella/requirements.txt

@@ -47,5 +47,9 @@
       "required": false,
       "defaultValue": 5
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://haveibeenpwned.com"
 }

analyzers/Elasticsearch/Elasticsearch_Analysis.json

@@ -5,10 +5,13 @@
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Decodes Office 365 ATP Safe Links to extract original URLs. Supports url observables containing safelinks.protection.outlook.com domains.",
-  "dataTypeList": ["url"],
+  "dataTypeList": [
+    "url"
+  ],
   "baseConfig": "SafeLinks",
   "registration_required": false,
   "subscription_required": false,
   "free_subscription": true,
-  "command": "MSDefenderOffice365/safelinks_decoder.py"
-}
+  "command": "MSDefenderOffice365/safelinks_decoder.py",
+  "service_homepage": "https://www.microsoft.com/en-us/microsoft-365/security/office-365-defender"
+}

analyzers/HIBP/HIBP_Query.json

@@ -5,11 +5,14 @@
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
   "license": "AGPL-V3",
   "description": "Retrieve domain resolutions on Shodan.",
-  "dataTypeList": ["domain", "fqdn"],
+  "dataTypeList": [
+    "domain",
+    "fqdn"
+  ],
   "command": "Shodan/shodan_analyzer.py",
   "baseConfig": "Shodan",
   "config": {
-      "service": "dns_resolve"
+    "service": "dns_resolve"
   },
   "configurationItems": [
     {
@@ -19,5 +22,9 @@
       "multi": false,
       "required": true
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": false,
+  "free_subscription": true,
+  "service_homepage": "https://www.shodan.io"
 }

analyzers/MSDefenderOffice365/ MSDefenderOffice365_SafeLinksDecoder.json

@@ -5,11 +5,13 @@
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
   "license": "AGPL-V3",
   "description": "Retrieve key Shodan information on an IP address.",
-  "dataTypeList": ["ip"],
+  "dataTypeList": [
+    "ip"
+  ],
   "command": "Shodan/shodan_analyzer.py",
   "baseConfig": "Shodan",
   "config": {
-      "service": "host"
+    "service": "host"
   },
   "configurationItems": [
     {
@@ -19,5 +21,9 @@
       "multi": false,
       "required": true
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": false,
+  "free_subscription": true,
+  "service_homepage": "https://www.shodan.io"
 }

analyzers/Shodan/Shodan_DNSResolve.json

@@ -5,11 +5,13 @@
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers/Shodan",
   "license": "AGPL-V3",
   "description": "Retrieve Shodan history scan results  for an IP address.",
-  "dataTypeList": ["ip"],
+  "dataTypeList": [
+    "ip"
+  ],
   "command": "Shodan/shodan_analyzer.py",
   "baseConfig": "Shodan",
   "config": {
-      "service": "host_history"
+    "service": "host_history"
   },
   "configurationItems": [
     {
@@ -19,5 +21,9 @@
       "multi": false,
       "required": true
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": false,
+  "free_subscription": true,
+  "service_homepage": "https://www.shodan.io"
 }