Merge branch 'release/3.3.9'

CHANGELOG.md

@@ -1,39 +1,96 @@
 # Changelog
 
-## [3.3.8](https://github.com/TheHive-Project/Cortex-Analyzers/tree/HEAD)
+## [3.3.9](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.3.9) (2024-11-26)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.3.8...3.3.9)
+
+**Closed issues:**
+
+- \[FR\] Enhance Crowdstrike Falcon integration with TheHive  [\#1296](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1296)
+
+## [3.3.8](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.3.8) (2024-11-08)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.3.7...3.3.8)
 
 **Closed issues:**
 
+- \[Bug\] OpenCTI Analyzer [\#1280](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1280)
+- \[Bug\] Requirements don't get installed for new responder [\#1259](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1259)
+- \[Bug\] Fortiguard parser error [\#1228](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1228)
+- \[Bug\]\[URLhaus\_2\_0\] - Empty summary for positive results [\#1210](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1210)
+- \[FR\] Add Microsoft 365 Defender responder for Tenant Allow/Block List [\#1102](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1102)
+- \[FR\] Add EchoTrail analyzer [\#1099](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1099)
+- \[Bug\] KnowBe4 Responder Missing Config Options [\#1086](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1086)
 - \[FR\] JAMF Protect Prevent list responder [\#1292](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1292)
 - \[FR\] Add AWS Lambda responder [\#1289](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1289)
 - \[FR\] Censys Analyzer v2 [\#1287](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1287)
 - \[FR\] Fix the version of TheHive4py dependencies in existing responders [\#1281](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1281)
-- \[Bug\] OpenCTI Analyzer [\#1280](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1280)
 - \[Bug\] Phistank analyzer failing [\#1276](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1276)
 - New Analyzer: QrDecode [\#1274](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1274)
 - \[FR\] Update Triage Analyzer to Configure Sandbox API [\#1263](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1263)
 - \[FR\] mail-subject dataType should be used instead of mail\_subject [\#1260](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1260)
-- \[Bug\] Requirements don't get installed for new responder [\#1259](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1259)
 - \[FR\] EclecticIQ Responder [\#1257](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1257)
 - \[FR\] EclecticIQ Analyser [\#1255](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1255)
 - \[FR\] Added capabilities/features for Microsoft Defender for Endpoint responder [\#1229](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1229)
-- \[Bug\] Fortiguard parser error [\#1228](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1228)
 - \[FR\]Binalyze AIR responder [\#1218](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1218)
 - AWX Responder [\#1213](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1213)
-- \[Bug\]\[URLhaus\_2\_0\] - Empty summary for positive results [\#1210](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1210)
 - Add a responder to send case information to Telegram [\#1132](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1132)
-- \[FR\] Add Microsoft 365 Defender responder for Tenant Allow/Block List [\#1102](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1102)
-- \[FR\] Add EchoTrail analyzer [\#1099](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1099)
 - Hybrid Analysis Analyzer not working anymore [\#1090](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1090)
-- \[Bug\] KnowBe4 Responder Missing Config Options [\#1086](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1086)
 - \[FR\] DNSDumpster analyzer [\#1056](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1056)
 - \[FR\] Okta User Lookup Analyzer [\#1047](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1047)
 - Abuse\_Finder\_3\_0 \[KeyError: '\\s'\] [\#940](https://github.com/TheHive-Project/Cortex-Analyzers/issues/940)
 - TorBlutmagie\_1\_0 doesn't work \[Bug\] [\#829](https://github.com/TheHive-Project/Cortex-Analyzers/issues/829)
 - New Analyzer: Fireeye Capa \(WIP\) [\#822](https://github.com/TheHive-Project/Cortex-Analyzers/issues/822)
 
+**Merged pull requests:**
+
+- Update urlcategory.py [\#1154](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1154) ([lucamemini](https://github.com/lucamemini))
+- Netcraft Cortex responder [\#1053](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1053) ([korteke](https://github.com/korteke))
+- Update analyzers & responders upgrade guide [\#1294](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1294) ([nusantara-self](https://github.com/nusantara-self))
+- Add JAMF Protect Prevent List responder [\#1293](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1293) ([nusantara-self](https://github.com/nusantara-self))
+- Refactor Censys Analyzer for Censys API Version 2 [\#1288](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1288) ([nusantara-self](https://github.com/nusantara-self))
+- MSEntraID Folder structure & naming adjustments [\#1286](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1286) ([nusantara-self](https://github.com/nusantara-self))
+- Rename & rework existing Azure AD analyzer & responder for Entra ID name change [\#1285](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1285) ([nusantara-self](https://github.com/nusantara-self))
+- utils improvements [\#1284](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1284) ([nusantara-self](https://github.com/nusantara-self))
+- Add DNSDumpster analyzer templates [\#1283](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1283) ([nusantara-self](https://github.com/nusantara-self))
+- Pin thehive4py package version to 1.8.x [\#1282](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1282) ([nusantara-self](https://github.com/nusantara-self))
+- Added QrDecode Analyzer [\#1275](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1275) ([EnzoCyberSec](https://github.com/EnzoCyberSec))
+- \[CrowdSec\] Update analyzer \(1.0 =\> 1.1\) [\#1273](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1273) ([julienloizelet](https://github.com/julienloizelet))
+- SpamHausDBL fix: replace query function \(not working\) with resolve function [\#1272](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1272) ([emalderson](https://github.com/emalderson))
+- PhishTank fix: add User-Agent header to make phishtank api work again [\#1271](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1271) ([emalderson](https://github.com/emalderson))
+- KasperskyTIP fix: previously ignored category orange now is malicious [\#1270](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1270) ([emalderson](https://github.com/emalderson))
+- Handle invalid UTF-8 bytes during decode for emlParser [\#1267](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1267) ([nusantara-self](https://github.com/nusantara-self))
+- Add AWS Invoke Lambda responder [\#1266](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1266) ([nusantara-self](https://github.com/nusantara-self))
+- \#1263 Update Triage Analyzer [\#1264](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1264) ([rpitts-recordedfuture](https://github.com/rpitts-recordedfuture))
+- Quick updates [\#1262](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1262) ([vpiserchia](https://github.com/vpiserchia))
+- add dataType mail-subject [\#1261](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1261) ([Guiiix](https://github.com/Guiiix))
+- EclecticIQ responder [\#1258](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1258) ([deepanshu-eiq](https://github.com/deepanshu-eiq))
+- Added EclecticIQ Analyser [\#1256](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1256) ([deepanshu-eiq](https://github.com/deepanshu-eiq))
+- Filters format migration for OpenCTI 5.12 [\#1245](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1245) ([evost](https://github.com/evost))
+- Update Gatewatcher CTI Analyzer for 'unknown' risk [\#1232](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1232) ([remydewaGW](https://github.com/remydewaGW))
+- Fixes and added features to Defender for endpoints responder [\#1225](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1225) ([louismaxx](https://github.com/louismaxx))
+- TheHive Binalyze integration [\#1219](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1219) ([binalyze-murat](https://github.com/binalyze-murat))
+- Added responder for Ansible AWX [\#1215](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1215) ([Timmu91](https://github.com/Timmu91))
+- Azure sign in retriever [\#1212](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1212) ([jahamilto](https://github.com/jahamilto))
+- Duo Account Bypass Mode \(Correction\) [\#1208](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1208) ([jahamilto](https://github.com/jahamilto))
+- Azure Token Revoker Responder [\#1207](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1207) ([jahamilto](https://github.com/jahamilto))
+- added responder input to Shuffle API call [\#1194](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1194) ([tbi88](https://github.com/tbi88))
+- FalconCrowstrikeCustomIOC Responder v2 [\#1188](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1188) ([nicoctn](https://github.com/nicoctn))
+- When you get whenCreated attribute datetime fix [\#1181](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1181) ([p1kusmie](https://github.com/p1kusmie))
+- Cloudflare Account IP Access List Responder [\#1177](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1177) ([nickbabkin](https://github.com/nickbabkin))
+- Add a responder to send case information to Telegram [\#1163](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1163) ([alexkolnik](https://github.com/alexkolnik))
+- Search users in Okta. [\#1157](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1157) ([mjleesment](https://github.com/mjleesment))
+- AnyRun Sandbox Analyzer v1.1 [\#1142](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1142) ([nolsen311](https://github.com/nolsen311))
+- bump abuse\_finder [\#1135](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1135) ([Augustin-FL](https://github.com/Augustin-FL))
+- Update of NERD analyzer [\#1121](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1121) ([vaclavbartos](https://github.com/vaclavbartos))
+- \[FIX\] HybridAnalysis API V2 [\#1117](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1117) ([X0x1RG9f](https://github.com/X0x1RG9f))
+- Update TorBlutMagie to point to alternative domain [\#1114](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1114) ([red-ship-it](https://github.com/red-ship-it))
+- Updated Censys Analyzer for latest API [\#1083](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1083) ([Gandalf098](https://github.com/Gandalf098))
+- Make analyzer work with template [\#1061](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1061) ([ch0wm3in](https://github.com/ch0wm3in))
+- DNSdumpster analyzer. Initial commit. [\#1058](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1058) ([korteke](https://github.com/korteke))
+- cortexutils not installed in RT4 Responder Docker Image [\#1055](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1055) ([hajjiwajih](https://github.com/hajjiwajih))
+- Add Capa Analyzer [\#1027](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1027) ([weslambert](https://github.com/weslambert))
+
 ## [3.3.7](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.3.7) (2024-04-11)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.3.6...3.3.7)

analyzers/Capa/Capa.json

@@ -1,7 +1,7 @@
 {
     "name": "Capa",
     "version": "1.0",
-    "author": "Wes Lambert",
+    "author": "Wes Lambert; nusantara-self, StrangeBee",
     "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
     "license": "AGPL-V3",
     "description": "Analyze files with Capa",

analyzers/Capa/CapaAnalyze.py

@@ -4,10 +4,7 @@
 from cortexutils.analyzer import Analyzer
 import os
 import subprocess
-import argparse
 import json
-import re
-from collections import defaultdict
 
 class CapaAnalyzer(Analyzer):
     def __init__(self):
@@ -26,66 +23,100 @@ def summary(self, raw):
         return {"taxonomies": taxonomies}
 
     def run(self):
-        parser = argparse.ArgumentParser(description='exec capa.')
-        parser.add_argument('filepath', type=str, help='file path')
-        args = parser.parse_args()
-
-        if os.path.exists(self.filepath):
-            f = subprocess.check_output([self.capa_path, '-j', self.filepath])
-            process = json.loads(f)
-            rules = process['rules']
-            tactics = []
-            techniques = []
-            subtechniques = []
-            ids = []
-            capabilities = {}
-
-            for rule in rules:
-                try:
-                    # Metadata
-                    meta = process['rules'][rule]['meta']
-
-                    # ATT&CK details
-                    attack = meta['att&ck'][0]
-
-                    # ID
-                    id = attack['id']
-
-                    # Technique
-                    technique = attack['technique'] + " - " + id
-
-                    # Subtechnique
-                    subtechnique = attack['subtechnique']
-
-                    # Tactic
-                    tactic = attack['tactic']
-
-                    # Capability
-                    capability_name = process['rules'][rule]['meta']['name']
-
-                    if tactic not in tactics:
-                        tactics.append(tactic)
-
-                    if subtechnique != "":
-                        if subtechnique not in subtechniques: 
-                            subtechniques.append(attack['subtechnique'])
-
-                    if technique not in techniques:
-                        techniques.append(attack['technique'])
-
-                    if id not in ids:
-                        ids.append(id)
-
-                    if tactic not in capabilities:
-                        capabilities[tactic] = {}
-
-                    if technique not in capabilities[tactic]:
-                        capabilities[tactic][technique] = []
-
-                    if capability_name not in capabilities[tactic][technique]:
-                        capabilities[tactic][technique].append(capability_name)
-                except:
-                    continue
-        self.report({ 'capabilities': capabilities, 'tactics': tactics, 'techniques': techniques, 'subtechniques': subtechniques, 'ids': ids, 'rules': rules })
+        if not os.path.isfile(self.capa_path) or not os.access(self.capa_path, os.X_OK):
+            self.error(f"capa binary not found or not executable at path: {self.capa_path}")
+            return
+
+        if not os.path.exists(self.filepath):
+            self.error(f"File not found: {self.filepath}")
+            return
+
+        try:
+            result = subprocess.run(
+                [self.capa_path, '-j', self.filepath],
+                capture_output=True,
+                text=True
+            )
+            if result.returncode != 0:
+                self.error(f"capa execution failed with return code {result.returncode}: {result.stderr}")
+                return
+        except Exception as e:
+            self.error(f"An error occurred while executing capa: {e}")
+            return
+
+        try:
+            process = json.loads(result.stdout)
+        except json.JSONDecodeError as e:
+            self.error(f"Failed to parse capa output as JSON: {e}")
+            return
+
+        rules = process.get('rules', {})
+        tactics = []
+        techniques = []
+        subtechniques = []
+        ids = []
+        capabilities = {}
+
+        for rule_key, rule_value in rules.items():
+            try:
+                # Metadata
+                meta = rule_value['meta']
+
+                # ATT&CK details
+                attack = meta['att&ck'][0]
+
+                # ID
+                attack_id = attack['id']
+
+                # Technique
+                technique = f"{attack['technique']} - {attack_id}"
+
+                # Subtechnique
+                subtechnique = attack.get('subtechnique', '')
+
+                # Tactic
+                tactic = attack['tactic']
+
+                # Capability
+                capability_name = meta['name']
+
+                # Collect data
+                if tactic not in tactics:
+                    tactics.append(tactic)
+
+                if subtechnique:
+                    if subtechnique not in subtechniques:
+                        subtechniques.append(subtechnique)
+
+                if technique not in techniques:
+                    techniques.append(technique)
+
+                if attack_id not in ids:
+                    ids.append(attack_id)
+
+                if tactic not in capabilities:
+                    capabilities[tactic] = {}
+
+                if technique not in capabilities[tactic]:
+                    capabilities[tactic][technique] = []
+
+                if capability_name not in capabilities[tactic][technique]:
+                    capabilities[tactic][technique].append(capability_name)
+            except KeyError as e:
+                #self.error(f"KeyError processing rule {rule_key}: {e}")
+                continue
+            except Exception as e:
+                #self.error(f"Unexpected error processing rule {rule_key}: {e}")
+                continue
+
+        self.report({
+            'capabilities': capabilities,
+            'tactics': tactics,
+            'techniques': techniques,
+            'subtechniques': subtechniques,
+            'ids': ids,
+            'rules': rules
+        })
+
 if __name__ == '__main__':
     CapaAnalyzer().run()