TheHive-Project / Cortex-Analyzers

Cortex Analyzers Repository
https://TheHive-Project.github.io/Cortex-Analyzers/
GNU Affero General Public License v3.0

CarbonBlack Analyzer Feature Request #55

Open penguinspy opened 7 years ago

penguinspy commented 7 years ago

Request Type

Feature Request

Feature Summary

Would it be possible to develop an analyzer (or analyzers) for CarbonBlack (ER/EP) using the cbapi-python? https://github.com/carbonblack/cbapi-python

It should have the ability to lookup the following Data Types in each instance

CB EP: {file (via hash), filename, hash}
CB ER: {file (via hash), filename, fqdn, hash, ip, registry, url}

Thanks

mack7121 commented 6 years ago

I'd like to tackle this one. I have experience using python with the cb api.

saadkadhi commented 6 years ago

Hi @mack7121. Please give it a shot then. Feel free to ask @3c7 and @jeromeleonard for advice though we can't obviously test your code as we don't have access to a test Cb env.

3c7 commented 6 years ago

Great! You can find info on how to create an Analyzer in the documentation: https://github.com/TheHive-Project/CortexDocs/blob/master/api/how-to-create-an-analyzer.md#writing-an-analyzer. It would be great if your analyzer supports Python 3.

geekscrapy commented 6 years ago

Has there been any dev done on this? What kind of results are required? Binary associated with the query?

Are you able to share the requirement a little more? Is this to search across multiple instances?

3c7 commented 6 years ago

Hey @mack7121, are there any news regarding the CB analyzer? :)

pmichaudii commented 5 years ago

@mack7121 @3c7 I would be willing to help test/debug the analyzer, we utilize CB and this would be a great tool!

Thanks!

pmichaudii commented 5 years ago

@3c7 @jeromeleonard Good afternoon, I am writing an analyzer for CB Protect and am having an issue with the summary portion of the analyzer. It appears the response is JSON but then gets stored as a list and causes an error when executing. What would you need in order to help troubleshoot? Many thanks!

3c7 commented 5 years ago

Hey @pmichaudii, the summary has to be a list of tags created with self.build_taxonomy(...) which has to be stored in the result object as follows:

{
  summary: {
    taxonomies: [
      ... //list of tags here
    ]
  },
  ...
}

Usually, you just process the raw results in the summary method and return {taxonomies: <YOUR LIST HERE>} as a Python dict. Please also attach the error message, which can lead to better advice. :)

pmichaudii commented 5 years ago

Thanks for the info @3c7 I don't see anything in the application/log other than the job failed, but here is what the job report spit out, not sure if this helps any. { "errorMessage": "Invalid output\n", "input": null, "success": false }

Thanks, Paul

pmichaudii commented 5 years ago

Good afternoon @3c7 I got some new errors: Invalid output import: unable to open X server' @ error/import.c/ImportImageCommand/364. import: unable to open X server ' @ error/import.c/ImportImageCommand/364. from: can't read /var/mail/cortexutils.analyzer CarbonBlack/carbonblack.py: 4: CarbonBlack/carbonblack.py: : not found CarbonBlack/carbonblack.py: 5: CarbonBlack/carbonblack.py: : not found CarbonBlack/carbonblack.py: 6: CarbonBlack/carbonblack.py: Syntax error: "(" unexpected

3c7 commented 5 years ago

Invalid output can be a hint to various issues, the simplest would be that carbonblack.py does not have execution permission. You should try to run it manually from the cli and verify the output:

$ ./carbonblack.py <<< '{"dataType": "ip", "data": "IP HERE", "config": {<CONFIG ITEMS HERE>}}'

The output should be valid json. You can try to pipe it through jq to verify that easily (add | jq to the end).

I'm quite surprised by the X server error messages as they indicate you're trying to use some kind of graphical user interface from the cli?!
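The two points above, the shape of the summary block and checking the script's stdout by hand before Cortex sees it, can be exercised offline. The following is an added example, not code from this thread or from the Cortex-Analyzers project: it mirrors the field layout of cortexutils' build_taxonomy(), builds a summary from a lookup result that may come back as a list (the mismatch described earlier in the thread), and checks whether a given stdout text is the JSON a Cortex job expects. The field name "prevalence" and every sample output are assumptions constructed for illustration; the first sample reproduces what sh prints when a Python script without a shebang is executed directly.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or the Cortex-Analyzers project).

summary() returns {"taxonomies": [...]} from tags shaped like
cortexutils' build_taxonomy(); check_analyzer_output() tells you whether
what an analyzer printed is the JSON shape Cortex can read, so an
"Invalid output" job can be diagnosed from the shell first.
Field name "prevalence" and all sample outputs are assumed/constructed.
"""
import json

# Levels accepted in a taxonomy tag (the values cortexutils build_taxonomy takes)
TAXONOMY_LEVELS = ("info", "safe", "suspicious", "malicious")
TAG_FIELDS = ("level", "namespace", "predicate", "value")


def build_taxonomy(level, namespace, predicate, value):
    """Same field layout as cortexutils.analyzer.Analyzer.build_taxonomy()."""
    if level not in TAXONOMY_LEVELS:
        raise ValueError("bad taxonomy level: %r" % (level,))
    return {"level": level, "namespace": namespace,
            "predicate": predicate, "value": value}


def summary(raw):
    """Build the summary block from the dict handed to Analyzer.report().

    The lookup result sits under raw["results"]; the API may hand back a
    list (one entry per hit) instead of one object, so both are handled.
    """
    results = raw.get("results", {})
    if isinstance(results, list):
        results = results[0] if results else {}
    value = str(results.get("prevalence", 0))   # assumed field name
    return {"taxonomies": [build_taxonomy("info", "CarbonBlack", "prevalence", value)]}


def make_report_json(raw):
    """The document cortexutils' report() writes to stdout on success."""
    return json.dumps({"success": True, "summary": summary(raw),
                       "artifacts": [], "full": raw})


def check_analyzer_output(stdout_text):
    """Return (ok, reason) for the text an analyzer printed to stdout."""
    try:
        out = json.loads(stdout_text)
    except ValueError as exc:          # shell noise, tracebacks, HTML, ...
        return False, "not valid JSON: %s" % exc
    if not isinstance(out, dict) or not isinstance(out.get("success"), bool):
        return False, "top level must be an object with a boolean 'success'"
    if not out["success"]:
        if not isinstance(out.get("errorMessage"), str):
            return False, "failure report needs a string 'errorMessage'"
        return True, "well-formed error report"
    summ = out.get("summary")
    if not isinstance(summ, dict) or not isinstance(summ.get("taxonomies"), list):
        return False, "summary.taxonomies must be a list inside an object"
    for tag in summ["taxonomies"]:
        if not isinstance(tag, dict) or any(f not in tag for f in TAG_FIELDS):
            return False, "taxonomy tag must carry %s" % ", ".join(TAG_FIELDS)
        if tag["level"] not in TAXONOMY_LEVELS:
            return False, "bad taxonomy level %r" % (tag["level"],)
    if "full" not in out:
        return False, "successful report needs a 'full' section"
    return True, "well-formed success report"


# Constructed sample outputs, named after what each one reproduces.
SAMPLE_OUTPUTS = {
    # script without a shebang run by sh: ImageMagick's `import` answers instead of Python
    "run_by_sh": "import: unable to open X server' @ error/import.c/ImportImageCommand/364.",
    # a well-formed failure report (same shape as the one quoted in the thread)
    "error_report": '{"errorMessage": "Invalid output\\n", "input": null, "success": false}',
    # summary() returned the list itself instead of {"taxonomies": [...]}
    "list_not_dict": '{"success": true, "summary": [{"level": "info"}], "artifacts": [], "full": {}}',
    # a correct report built from a lookup that came back as a list of hits
    "good": make_report_json({"results": [{"id": 42, "prevalence": 3}]}),
}


def run_samples():
    """Map each sample name to whether it passes the check."""
    return {name: check_analyzer_output(text)[0] for name, text in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print("%-14s %s" % (name, check_analyzer_output(text)[1]))
```

To use it against a real script, capture the stdout of the `./carbonblack.py <<< '{...}'` invocation shown above into a file and pass its contents to check_analyzer_output(); a "not valid JSON" reason with shell error text in it is the missing-shebang or missing-execute-bit case, while a summary complaint points at the summary() method itself.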

pmichaudii commented 5 years ago

Thanks for the tips @3c7, made some changes and still not having any luck. Would you possibly be able to do a static analysis on the script? I know you don't have access to a CB environment, but figure that might have some issue you could easily spot.

#!/usr/bin/env python3
# Shebang required: without it, Cortex runs the file through sh, which produces
# the "import: unable to open X server" / "from: can't read /var/mail/..." noise.
import requests
from cortexutils.analyzer import Analyzer


class CarbonBlack(Analyzer):

    def __init__(self):
        Analyzer.__init__(self)
        self.url = self.get_param('config.url', None, 'Missing CarbonBlack URL')
        self.key = self.get_param('config.key', None, 'Missing CarbonBlack API Key')

    def summary(self, raw):
        # raw is the dict handed to self.report(); the lookup result sits under 'results'
        # and may be a list of catalog entries rather than a single object.
        taxonomies = []
        level = "info"
        results = raw.get('results', {})
        if isinstance(results, list):
            results = results[0] if results else {}

        # Original read `'prevalence' in raw is True`, which Python chains as
        # ('prevalence' in raw) and (raw is True) and is therefore always False.
        if 'prevalence' in results:
            value = "{}".format(results['prevalence'])
        else:
            value = "0"

        taxonomies.append(self.build_taxonomy(level, "CarbonBlack", "prevalence", value))
        return {"taxonomies": taxonomies}

    def search_hash(self, sha):
        headers = {
            'X-Auth-Token': self.key,
            'content-type': 'application/json'
        }

        # Set to False if your server has a self-signed IIS certificate. Note that
        # verify=False also sends the API token to whoever answers on that hostname;
        # pointing verify at the server's CA bundle path is the safer fix.
        b9StrongCert = False

        # Get the file catalog entry for this SHA-256
        resp = requests.get(self.url + '/api/bit9platform/v1/fileCatalog?q=sha256:' + sha,
                            headers=headers, verify=b9StrongCert)
        return resp.json()

    def run(self):
        if self.data_type == 'hash':
            sha = self.get_param('data', None, 'Data is missing')
            r = self.search_hash(sha)
            if isinstance(r, list) or (isinstance(r, dict) and 'id' in r):
                # either a single entry or a list of matching entries
                self.report({'results': r})
            else:
                # unexpected/error response: report the text if present, else the whole body
                self.report({'errortext': r.get('errortext', r) if isinstance(r, dict) else r})
        else:
            self.error('Invalid data type')


if __name__ == '__main__':
    CarbonBlack().run()