Guess what? TheHive Project is still alive and well, as Saâd already mentioned in a previous blog post.
We have certainly been very busy lately, preparing the upcoming release of TheHive 4 and doing many other things besides working on our FOSS project. As a result, it took us a rather long time to merge several community contributions and reduce the sizeable pile of pull requests.
We would like to thank our contributors for their patience and we hope the cyberdefenders out there will enjoy the brand new Cortex-Analyzers release, with many new analyzers, responders and some bug fixes & improvements, bringing the total to a whopping analyzers (counting all flavors) and 10 responders!
Additionally, with this release, all analyzers are now using Python 3. No more Python 2 technodebt!
What’s New?
New Analyzers
8 new analyzers have been added to this release:
1 analyzer has new flavors:
New Responders
3 new responders have been added:
Overview of the New Analyzers
DomainToolsIris
This analyzer looks up domain names, IP addresses, e-mail addresses, and SSL hashes using the popular DomainTools Iris service API.
The analyzer comes in 2 flavors:
- DomainToolsIris_Investigate: use DomainTools Iris API to investigate a .
- DomainToolsIris_Pivot: use DomainTools Iris API to pivot on , , or .
A valid DomainTools API integration subscription is needed to run this analyzer.
TheHive displays the analyzer results as follows:
EmailRep
The EmailRep analyzer checks the reputation of an email address against the vtigerxabier.esy.es database.
IPInfo
This analyzer accesses IP-centric features provided by vtigerxabier.esy.es. While the EmailRep API can be used without a token for limited usage, the vtigerxabier.esy.es analyzer requires the configuration of an API token before use.
Maltiverse
This analyzer lets you query the free Maltiverse Threat Intelligence platform for enrichment information about a particular , , or .
TheHive displays the analyzer results as follows:
MalwareClustering
Andrea Garavaglia contributed this one a long time ago and we finally merged it into the Cortex-Analyzers repository. Andrea gave a talk about the background of this analyzer at the fourth MISP summit. You can watch it here.
In order to use the analyzer, you need to point it to a Neo4j server (you need to supply the host, port, login & password).
PaloAlto Autofocus
This analyzer lets you leverage PaloAlto Autofocus services. Provided you are an Autofocus customer and you have access to their API, you need to configure the analyzer with your username and a token key.
The analyzer comes with 3 flavors:
- AUTOFOCUS_GetSampleAnalysis lets you request a full report for a given .
- AUTOFOCUS_SearchIOC lets you search for samples linked to specific IoCs with datatypes like , , , , , , and . Please note that and are not default datatypes in TheHive. You need to create them in TheHive before you can leverage them.
- AUTOFOCUS_SearchJSON lets you search for samples based on a complex JSON query.
Important: no TheHive report templates corresponding to this analyzer have been published yet. They will be provided in the near future.
SpamhausDBL
This analyzer performs reputation lookups of a or a against Spamhaus Domain Block List (DBL).
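To make the lookup concrete, here is an added, stand-alone illustration (not the SpamhausDBL analyzer's own code) of how a DBL query is formed and how its answer maps to a Cortex-style taxonomy entry. The zone name and return codes are Spamhaus' public documentation; the resolver table at the end is constructed so the example runs offline, and the real `socket` resolver is only used when no stub is passed in.

```python
"""Offline illustration of a Spamhaus DBL lookup of the kind the SpamhausDBL
analyzer performs. Not the analyzer's own code; FAKE_DNS below is constructed."""
import socket

DBL_ZONE = "dbl.spamhaus.org"

# Public DBL listing codes (last octet of a 127.0.1.x answer).
DBL_CODES = {
    2: "spam", 4: "phish", 5: "malware", 6: "botnet C&C",
    102: "abused legit spam", 103: "abused spammed redirector",
    104: "abused legit phish", 105: "abused legit malware",
    106: "abused legit botnet C&C",
}
# Answers that signal a query problem, not a reputation verdict.
DBL_ERRORS = {
    "127.0.1.255": "IP address queries are prohibited on DBL",
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "anonymous query through a public resolver",
    "127.255.255.255": "excessive number of queries",
}

def dbl_query_name(domain):
    """DBL is queried by appending the zone to the (normalised) domain."""
    return f"{domain.strip().rstrip('.').lower()}.{DBL_ZONE}"

def resolve_a(name):
    """Real resolver: A record as a string, or None on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def interpret(answer):
    """Map a DBL answer (or None) to a Cortex taxonomy-style dict."""
    tax = {"namespace": "SpamhausDBL", "predicate": "listed"}
    if answer is None:
        return {**tax, "level": "safe", "value": "not listed"}
    if answer in DBL_ERRORS:
        return {**tax, "level": "info", "predicate": "error", "value": DBL_ERRORS[answer]}
    octets = answer.split(".")
    if len(octets) == 4 and octets[:3] == ["127", "0", "1"] and octets[3].isdigit() \
            and int(octets[3]) in DBL_CODES:
        return {**tax, "level": "malicious", "value": DBL_CODES[int(octets[3])]}
    return {**tax, "level": "info", "predicate": "error", "value": f"unexpected answer {answer}"}

def check_domain(domain, resolver=resolve_a):
    """Full lookup: build the query name, resolve it, interpret the answer."""
    return interpret(resolver(dbl_query_name(domain)))

# Constructed answers so the example runs offline (dbltest.com is Spamhaus' test entry).
FAKE_DNS = {
    "dbltest.com.dbl.spamhaus.org": "127.0.1.2",
    "evil-cnc.example.dbl.spamhaus.org": "127.0.1.6",
    "198.51.100.7.dbl.spamhaus.org": "127.0.1.255",
}
def fake_resolver(name):
    return FAKE_DNS.get(name)
```

Note the error branch: feeding an IP address to DBL yields 127.0.1.255, which must not be reported as a listing.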
TheHive displays the analyzer results as follows:
TeamCymruMHR
This analyzer queries Team Cymru’s Malware Hash Registry for known malware hashes (MD5 or SHA-1). If the hash is known to the service as malware, it returns the time it was last seen along with an approximate anti-virus detection percentage.
Overview of the New Responders
KnowBe4
This responder allows the integration between TheHive/Cortex and KnowBe4’s User Events API.
If an observable is tagged with a specified tag, corresponding to the responder’s configuration (e.g. phished), then the associated user will have a custom event added to their profile in KnowBe4.
A valid account on KnowBe4 and an API key are required to run this responder.
Minemeld
This responder sends observables you select to a Palo Alto Minemeld instance.
To run this responder, a MineMeld Threat Intelligence Sharing account is needed.
Wazuh
This responder performs actions on Wazuh, the open source security monitoring platform. It currently supports ad-hoc firewall blocking of observables.
Improvements
New PassiveTotal flavors
Thanks to Brandon Dixon, the PassiveTotal analyzer gains 3 new flavors, bringing the total to
- PassiveTotal_Trackers lets you make tracker lookups on observables of type , and .
- PassiveTotal_Host_Pairs lets you make host pair lookups on observables of type , and .
- PassiveTotal_Components lets you make component lookups on observables of type , fqdn and .
They come with their own report templates.
GreyNoise Analyzer
The analyzer has been updated to support GreyNoise API v2, thanks to the contribution of Whitney Champion (#).
New Data Types Supported by Some Analyzers
- VirusTotal_GetReport has been updated to allow requests for observables of type .
- Threatcrowd has been updated to allow requests for observables of type .
- Shodan has been updated to allow requests for observables of type .
Fixes
- [#] The MISP analyzer was bumped to version and is ready to use PyMISP
Get It While Supply Lasts!
I’m Hype
If you are using the dockerized analyzers & responders, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button.
I’m Country
If you are still using the old-style way of installing analyzers and responders, run the following commands:
Once done, ensure to refresh your analyzers and responders in the Cortex WebUI. Connect as an and go to the Organization menu. Click on the Analyzers tab and click on the Refresh analyzers button. Do the same for the Responders tab: click on the Refresh responders button. Refer to the online Cortex documentation for further details.
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
- download the updated package
- log in to TheHive using an administrator account
- go to > menu
- click on button and select the downloaded package
Running Into Trouble?
Should you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@vtigerxabier.esy.es. We will be more than happy to help!