Open penguinspy opened 7 years ago
I'd like to tackle this one. I have experience using python with the cb api.
Hi @mack7121. Please give it a shot then. Feel free to ask @3c7 and @jeromeleonard for advice though we can't obviously test your code as we don't have access to a test Cb env.
Great! You can find info on how to create an Analyzer in the documentation: https://github.com/TheHive-Project/CortexDocs/blob/master/api/how-to-create-an-analyzer.md#writing-an-analyzer. It would be great if your analyzer supports Python 3.
Has there been any dev done on this? What kind of results are required? Binary associated with the query?
Are you able to share the requirement a little more? Is this to search across multiple instances?
Hey @mack7121, are there any news regarding the CB analyzer? :)
@mack7121 @3c7 I would be willing to help test/debug the analyzer, we utilize CB and this would be a great tool!
Thanks!
@3c7 @jeromeleonard Good afternoon, I am writing an analyzer for CB Protect and am having an issue with the summary portion of the analyzer. It appears the response is JSON but then gets stored as a list and causes an error when executing. What would you need in order to help troubleshoot? Many thanks!
Hey @pmichaudii, the summary has to be a list of tags created with self.build_taxonomy(...), which has to be stored in the result object as follows:
{
    summary: {
        taxonomies: [
            ... // list of tags here
        ]
    },
    ...
}
Usually, you just process the raw results in the summary method and return {taxonomies: <YOUR LIST HERE>} as a Python dict. Please also attach the error message, which can lead to better advice. :)
Thanks for the info @3c7. I don't see anything in the application log other than that the job failed, but here is what the job report spit out; not sure if this helps any.
{ "errorMessage": "Invalid output\n", "input": null, "success": false }
Thanks, Paul
Good afternoon @3c7 I got some new errors:
Invalid output import: unable to open X server
' @ error/import.c/ImportImageCommand/364.
import: unable to open X server ' @ error/import.c/ImportImageCommand/364. from: can't read /var/mail/cortexutils.analyzer CarbonBlack/carbonblack.py: 4: CarbonBlack/carbonblack.py: : not found CarbonBlack/carbonblack.py: 5: CarbonBlack/carbonblack.py: : not found CarbonBlack/carbonblack.py: 6: CarbonBlack/carbonblack.py: Syntax error: "(" unexpected
Invalid output can be a hint to various issues; the simplest would be that carbonblack.py does not have execution permission. You should try to run it manually from the CLI and verify the output:
$ ./carbonblack.py <<< '{"dataType": "ip", "data": "IP HERE", "config": {<CONFIG ITEMS HERE>}}'
The output should be valid JSON. You can try to pipe it through jq to verify that easily (add | jq to the end).
I'm quite surprised by the X server error messages, as they indicate you're trying to use some kind of graphical user interface from the CLI?!
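The two points 3c7 makes above, the summary must be a dict holding a list of build_taxonomy tags, and whatever the script prints on stdout must be valid JSON before Cortex will accept it, can be exercised without a Cortex or Carbon Black environment. The following is an added example, not cortexutils code and not from this issue: build_taxonomy and render_report mirror the field layout cortexutils produces (an assumption here), summary handles the "response is a JSON list" case pmichaudii ran into, and validate_output performs the check that jq only does by eye. The catalog entries and the malformed outputs are constructed sample data.

```python
import json

# Levels cortexutils accepts for a taxonomy tag (assumed from the Cortex docs).
LEVELS = ("info", "safe", "suspicious", "malicious")


def build_taxonomy(level, namespace, predicate, value):
    """Stand-in for Analyzer.build_taxonomy(): one tag with the four fields Cortex renders."""
    if level not in LEVELS:
        raise ValueError("unknown taxonomy level: %s" % level)
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": str(value)}


def summary(raw):
    """Build {"taxonomies": [...]} from the raw report that run() stored under 'results'.

    A fileCatalog query answers with a JSON list of catalog entries, so testing
    'prevalence' in raw never matches. Read the first entry of the list instead
    and fall back to "0" when the hash is unknown (empty list).
    """
    results = raw.get("results", [])
    entries = results if isinstance(results, list) else [results]
    first = entries[0] if entries and isinstance(entries[0], dict) else {}
    taxonomies = [
        build_taxonomy("info", "CarbonBlack", "prevalence", first.get("prevalence", 0)),
        build_taxonomy("info", "CarbonBlack", "matches", len(entries)),
    ]
    return {"taxonomies": taxonomies}


def render_report(raw):
    """JSON text an analyzer prints on success (assumed cortexutils report layout)."""
    report = {"success": True, "summary": summary(raw), "artifacts": [], "full": raw}
    return json.dumps(report)


def validate_output(text):
    """Check analyzer stdout the way Cortex does before accepting the job.

    Returns (ok, reason). Anything that is not a JSON object with a 'success'
    field (for example a shell error message) is rejected as 'Invalid output'.
    """
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return False, "not valid JSON: %s" % exc
    if not isinstance(doc, dict) or "success" not in doc:
        return False, "top level must be an object with a 'success' field"
    if doc["success"] is False:
        ok = "errorMessage" in doc
        return ok, "error report" if ok else "failure without errorMessage"
    taxonomies = doc.get("summary", {}).get("taxonomies")
    if not isinstance(taxonomies, list):
        return False, "summary.taxonomies must be a list"
    for tag in taxonomies:
        if not isinstance(tag, dict):
            return False, "taxonomy entry is not an object: %r" % (tag,)
        missing = {"level", "namespace", "predicate", "value"} - set(tag)
        if missing or tag["level"] not in LEVELS:
            return False, "bad taxonomy entry: %r" % (tag,)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: what a fileCatalog lookup for a known hash might return.
    SAMPLE_CATALOG = [{"id": 42, "prevalence": 3, "fileName": "example.exe"}]
    good = render_report({"results": SAMPLE_CATALOG})
    print(good)
    print(validate_output(good))
    # Constructed sample of the shell error from the thread: /bin/sh ran the
    # file and resolved 'import' to ImageMagick, so nothing JSON reached stdout.
    print(validate_output("import: unable to open X server"))
    print(validate_output('{"success": true, "summary": {"taxonomies": "oops"}}'))
```

Running the script prints the accepted report and the reasons the two malformed outputs fail; piping the real analyzer's stdout into validate_output (or jq) gives the same verdict without involving Cortex at all.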
Thanks for the tips @3c7, made some changes and still not having any luck. Would you possibly be able to do a static analysis on the script? I know you don't have access to a CB environment, but figure it might have some issue you could easily spot.
#!/usr/bin/env python3
# Without this shebang Cortex hands the file to /bin/sh, which resolves "import"
# to ImageMagick's import(1) and produces the "unable to open X server" errors.
import requests
from cortexutils.analyzer import Analyzer


class CarbonBlack(Analyzer):
    def __init__(self):
        Analyzer.__init__(self)
        self.url = self.get_param('config.url', None, 'Missing CarbonBlack URL')
        self.key = self.get_param('config.key', None, 'Missing CarbonBlack API Key')

    def summary(self, raw):
        taxonomies = []
        level = "info"
        # run() stores the API answer under 'results'; the fileCatalog query
        # returns a list of catalog entries, so look at the first entry rather
        # than at raw itself ('prevalence' in raw is True was a chained
        # comparison that never matched).
        results = raw.get('results', [])
        first = results[0] if isinstance(results, list) and results else results
        if isinstance(first, dict) and 'prevalence' in first:
            value = "{}".format(first['prevalence'])
        else:
            value = "0"
        taxonomies.append(self.build_taxonomy(level, "CarbonBlack", "prevalence", value))
        return {"taxonomies": taxonomies}

    def search_hash(self, sha):
        headers = {
            'X-Auth-Token': self.key,
            'content-type': 'application/json'
        }
        # Set to False if your server has a self-signed IIS certificate; pointing
        # verify at the CA bundle path keeps certificate checking on instead.
        b9StrongCert = False
        # Get the file catalog entries matching the SHA-256
        fid = requests.get(self.url + '/api/bit9platform/v1/fileCatalog?q=sha256:' + sha,
                           headers=headers, verify=b9StrongCert).json()
        return fid

    def run(self):
        if self.data_type == 'hash':
            sha = self.get_param('data', None, 'Data is missing')
            r = self.search_hash(sha)
            # a non-empty list means the hash is known to CB Protection
            if isinstance(r, list) and r:
                self.report({'results': r})
            elif isinstance(r, dict) and 'errortext' in r:
                self.error(r['errortext'])
            else:
                self.report({'results': []})
        else:
            self.error('Invalid data type')


if __name__ == '__main__':
    CarbonBlack().run()
Request Type: Feature Request
Feature Summary: Would it be possible to develop an analyzer (or analyzers) for CarbonBlack (ER/EP) using the cbapi-python? https://github.com/carbonblack/cbapi-python
It should have the ability to look up the following data types in each instance:
CB EP: {file (via hash), filename, hash}
CB ER: {file (via hash), filename, fqdn, hash, ip, registry, url}
Thanks