#!/usr/bin/env python3
# encoding: utf-8
from cortexutils.analyzer import Analyzer
from qintel_helper import search_qsentry
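class Qintel(Analyzer):
    """Cortex analyzer that enriches an IP observable through Qintel QSentry.

    Configuration read in ``__init__``:
      ``config.token``  - QSentry API key. ``get_param`` is given an error
                          message, so a missing key is reported as a failure.
      ``config.remote`` - stored as ``self.remote`` but not used by any
                          method of this class.
    """

    VERSION = '1.0'

    def __init__(self):
        Analyzer.__init__(self)
        # Third argument is the message get_param reports when the key is absent.
        self.token = self.get_param('config.token', None, 'Missing API Key')
        self.remote = self.get_param('config.remote', None)
        # Set by run(); summary() falls back to it when `raw` carries no result.
        self.res = None

    def _enrich(self, data):
        """Query QSentry for ``data`` and return the helper's raw result.

        Any exception raised by ``search_qsentry`` is passed to ``self.error``
        with ``str(e)`` appended to the message. The reported text is therefore
        whatever the helper puts in its exception; NOTE(review): confirm the
        helper never includes the API token in exception messages, since the
        error report is written to the job output.
        """
        kwargs = {
            'token': self.token,
            'user_agent': f'cortex/{self.VERSION}',
        }
        try:
            return search_qsentry(data, **kwargs)
        except Exception as e:
            # In cortexutils, error() emits an error report and terminates
            # the analyzer (presumably via sys.exit) - verify against the
            # installed version; nothing is returned on this path.
            self.error(f'Qintel API request failed: {str(e)}')

    def summary(self, raw):
        """Build the Cortex taxonomy list from the tags in the result.

        ``raw`` is the dict handed to ``self.report`` (``{'Qintel': result}``);
        the result is read from there and, if absent, from ``self.res``. A
        missing, ``None`` or non-dict result - or a result whose ``tags`` is
        ``None`` - yields an empty taxonomy list instead of raising.

        Each tag becomes one ``Qintel:tag`` taxonomy. Only the ``criminal``
        tag is rated ``malicious``; every other tag is rated ``suspicious``.
        """
        ns = 'Qintel'
        result = raw.get(ns) if isinstance(raw, dict) else None
        if result is None:
            result = getattr(self, 'res', None)
        # Tags come straight from the API response; treat the shape defensively.
        if isinstance(result, dict):
            tags = result.get('tags') or []
        else:
            tags = []
        taxonomies = []
        for tag in tags:
            level = 'malicious' if tag == 'criminal' else 'suspicious'
            taxonomies.append(self.build_taxonomy(level, ns, 'tag', tag))
        return {'taxonomies': taxonomies}

    def run(self):
        """Validate the observable type, enrich it and emit the report."""
        # Only IP observables are supported; anything else is reported via
        # self.error, which in cortexutils terminates the run.
        if self.data_type not in ['ip']:
            self.error(f'Unsupported data type: {self.data_type}')
        data = self.getData()
        self.res = self._enrich(data)
        self.report({
            'Qintel': self.res
        })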
if __name__ == '__main__':
    # Cortex runs this file as a script: build the analyzer, then let run()
    # read the job input and write the report.
    analyzer = Qintel()
    analyzer.run()