Merge pull request #1264 from rpitts-recordedfuture/develop

#1263 Update Triage Analyzer
TheHive-Project · Oct 16, 2024 · ed13de2 · ed13de2
2 parents a1c8b49 + 8c254fe
commit ed13de2
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 31 deletions.
diff --git a/analyzers/Triage/README.md b/analyzers/Triage/README.md
@@ -4,10 +4,4 @@ Triage Sandbox is a commercial malware sandbox that let's you run malware in a s
 
 You can read more about the underlying solutions at: https://hatching.io/
 
-Thus this analyzer requires you to have a commercial license.
-
-# FAQ
-
-### Q: There is a free tier as well, why is that not part of this analyzer?
-
-#### This was done because Triage is an affordable solutions that you should support! 
+This analyzer requires you to have a commercial license for the Recorded Future sandbox and Private sandbox.
diff --git a/analyzers/Triage/Triage.json b/analyzers/Triage/Triage.json
@@ -3,8 +3,8 @@
   "author": "Mikael Keri",
   "license": "AGPL-V3",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-  "version": "1.0",
-  "description": "Submit artifacts to the Triage sandbox service. This analyzer requires a paid subscription",
+  "version": "2.0",
+  "description": "Submit artifacts to the Recorded Future Triage sandbox service. This analyzer requires a paid subscription for the Private and Recorded Future sandboxes.",
   "dataTypeList": ["ip", "url", "file"],
   "baseConfig": "Triage",
   "config": {
@@ -22,6 +22,13 @@
       "multi": false,
       "required": true
     },
+    {
+      "name": "api_url",
+      "description": "Sandbox API URL: public sandbox (https://tria.ge/api), private sandbox (https://private.tria.ge/api), or Recorded Future sandbox (https://sandbox.recordedfuture.com/api)",
+      "type": "string",
+      "multi": false,
+      "required": true
+    },
     {
       "name": "timeout",
       "description": "Sandbox run timeout in seconds (default: 200)",
@@ -39,9 +46,9 @@
    ],
    "registration_required": true,
    "subscription_required": true,
-   "free_subscription": false,
+   "free_subscription": true,
    "service_homepage": "https://tria.ge",
-   "service_logo": {"path":"assets/triage_logo.png", "caption": "logo"},
+   "service_logo": {"path":"assets/recorded_future_triage_logo.png", "caption": "logo"},
    "screenshots": [
      {"path":"assets/triage_cortex_settings.png",
        "caption":"Triage analyzer cortex setting"

diff --git a/analyzers/Triage/assets/recorded_future_triage_logo.png b/analyzers/Triage/assets/recorded_future_triage_logo.png
diff --git a/analyzers/Triage/assets/triage_logo.png b/analyzers/Triage/assets/triage_logo.png
diff --git a/analyzers/Triage/triage_analyzer.py b/analyzers/Triage/triage_analyzer.py
@@ -22,7 +22,7 @@ def __init__(self):
         else:
             self.timeout = 200
 
-        self.url = 'https://private.tria.ge/api'
+        self.url = self.get_param('config.api_url', 'https://private.tria.ge/api', 'Triage API URL is missing')
 
     def summary(self, raw):
          taxonomies = []
@@ -87,25 +87,32 @@ def url_submit(self, data):
         return retrive
 
     def run(self):
+        # strip api from the base URL
+        base_url = self.url.rstrip('api')
+        if self.data_type == 'ip' or self.data_type == 'url':
+            data = self.get_param('data', None, 'Data is missing')
+
+            if ':' in data:
+                result = self.url_submit(data)
+                self.report({
+                    'result': result,
+                    'url': base_url
+                    })
+            else:
+                self.error('Schema is missing')
 
-            if self.data_type == 'ip' or self.data_type == 'url':
-                data = self.get_param('data', None, 'Data is missing')
-
-                if ':' in data:
-                    result = self.url_submit(data)
-                    self.report({'result': result})
-                else:
-                    self.error('Schema is missing')
-
-            elif self.data_type == 'file':
-                filepath = self.get_param('file', None, 'File is missing')
-                filename = self.get_param('filename', basename(filepath))
+        elif self.data_type == 'file':
+            filepath = self.get_param('file', None, 'File is missing')
+            filename = self.get_param('filename', basename(filepath))
 
-                result = self.file_submit(filename, filepath)
+            result = self.file_submit(filename, filepath)
 
-                self.report({'result': result})
-            else:
-               data = self.get_param('data', None, 'Data is missing')
+            self.report({
+                    'result': result,
+                    'url': base_url
+                    })
+        else:
+            data = self.get_param('data', None, 'Data is missing')
 
 if __name__ == '__main__':
     TriageAnalyzer().run()
diff --git a/thehive-templates/Triage_1_0/long.html → thehive-templates/Triage_2_0/long.html b/thehive-templates/Triage_1_0/long.html → thehive-templates/Triage_2_0/long.html
@@ -2,8 +2,7 @@
         <div class="panel panel-heading"><strong>Triage Analyze</strong></div>
  <div>
             <div class="btn-group btn-group-justified" role="group">
-                <div class="btn-group" role="group"><a target="_blank" href="https://private.tria.ge/{{content.result.sample.id}}"><button type="button" class="btn btn-default"><span class="glyphicon glyphicon-link" aria-hidden="true"></span>Full Report</button></a></div>
-
+                <div class="btn-group" role="group"><a target="_blank" href="{{content.url}}{{content.result.sample.id}}"><button type="button" class="btn btn-default"><span class="glyphicon glyphicon-link" aria-hidden="true"></span>Full Report</button></a></div>
             </div>
         </div>
     </div> 
@@ -100,4 +99,3 @@
         </dl>
     </div>
 </div>
-
diff --git a/thehive-templates/Triage_1_0/short.html → thehive-templates/Triage_2_0/short.html b/thehive-templates/Triage_1_0/short.html → thehive-templates/Triage_2_0/short.html