CIRCLHashlookup.json
{
"name": "CIRCLHashlookup",
"author": "Mikael Keri",
"license": "AGPL-V3",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"version": "1.1",
"description": "CIRCL hashlookup uses a public API to lookup hash values against databases of known good files",
"dataTypeList": [
"hash"
],
"baseConfig": "CIRCLHashlookup",
"config": {
"check_tlp": true,
"max_tlp": 2,
"check_pap": true,
"max_pap": 2
},
"command": "CIRCLHashlookup/circlhashlookup_analyzer.py",
"registration_required": false,
"subscription_required": false,
"free_subscription": true,
"service_homepage": "https://hashlookup.circl.lu/",
"service_logo": {
"path": "assets/circlhashlookup_logo.png",
"caption": "logo"
},
"screenshots": [
{
"path": "assets/circlhashlookup_long_report.png",
"caption:": "CIRCLHashlookup analyzer full report"
},
{
"path": "assets/circlhashlookup_verdict.png",
"caption:": "CIRCLHashlookup analyzer verdict"
}
],
"checks": [
{
"input": {
"data": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
"dataType": "hash",
"config": {
"check_tlp": true,
"max_tlp": 2,
"check_pap": true,
"max_pap": 2
}
},
"rules": [
{
"path": "$.success",
"expected": [
true
]
},
{
"path": "$.summary.taxonomies[*].level",
"expected": [
"info"
]
},
{
"path": "$.summary.taxonomies[*].namespace",
"expected": [
"CIRCLHashlookup"
]
},
{
"path": "$.summary.taxonomies[*].predicate",
"expected": [
"Result"
]
},
{
"path": "$.summary.taxonomies[*].value",
"expected": [
"unkown"
]
},
{
"path": "$.full.message",
"expected": [
"Non existing MD5"
]
},
{
"path": "$.full.query",
"expected": [
"f26d3fb255f843fd977ca4a4000cb782"
]
}
]
}
]
}