{
"name": "AbuseIPDB",
"version": "1.0",
"author": "Matteo Lodi",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-v3",
"description": "Determine whether or not an IP was reported as malicious by AbuseIPDB",
"dataTypeList": [
"ip"
],
"baseConfig": "AbuseIPDB",
"command": "AbuseIPDB/abuseipdb.py",
"configurationItems": [
{
"name": "key",
"description": "API key for AbuseIPDB",
"type": "string",
"multi": false,
"required": true
},
{
"name": "days",
"description": "Check for IP reports in the last X days",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 30
}
],
"config": {
"check_tlp": true,
"max_tlp": 2,
"auto_extract": false
},
"registration_required": true,
"subscription_required": true,
"free_subscription": true,
"service_homepage": "https://www.abuseipdb.com/",
"service_logo": {
"path": "assets/abuseipdb.png",
"caption": "abuseipdb logo"
},
"screenshots": [
{
"path": "assets/long_report.png",
"caption": "AbuseIPDB: Long report template"
}
],
"checks": [
{
"input": {
"data": "8.8.8.8",
"dataType": "ip",
"config": {
"key": "ENV:AbuseIPDB",
"days": 30,
"check_tlp": true,
"max_tlp": 2,
"auto_extract": false
}
},
"rules": [
{
"path": "$.success",
"expected": [
true
]
},
{
"path": "$.summary.taxonomies[*].level",
"expected": [
"malicious"
]
},
{
"path": "$.summary.taxonomies[*].namespace",
"expected": [
"AbuseIPDB"
]
},
{
"path": "$.summary.taxonomies[*].predicate",
"expected": [
"Records"
]
},
{
"path": "$.summary.taxonomies[*].value",
"expected": [
22
]
},
{
"path": "$.full.values[*].data.ipAddress",
"expected": [
"8.8.8.8"
]
},
{
"path": "$.full.values[*].data.usageType",
"expected": [
"Data Center/Web Hosting/Transit"
]
},
{
"path": "$.full.values[*].data.domain",
"expected": [
"google.com"
]
},
{
"path": "$.full.values[*].categories_strings[*]",
"expected": [
"Port Scan",
"Hacking",
"Brute Force",
"Exploited Host",
"SSH",
"unknown category",
"Web App Attack",
"IoT Targeted",
"Web Spam"
]
}
]
}
]
}