Skip to content

Update Intezer integration #1727

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jun 26, 2018
Merged

Update Intezer integration #1727

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fa693d1
Update Intezer integration - Malicious should be added only for bad r…
Nitzperetz Jun 26, 2018
15556a5
Update outputs
Nitzperetz Jun 26, 2018
fb695ba
Merge branch 'master' of github.com:demisto/content into update_intez…
Nitzperetz Jun 26, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 41 additions & 49 deletions Integrations/integration-Intezer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ commonfields:
version: -1
name: Intezer
display: Intezer
releaseNotes: Add file upload command and update category
releaseNotes: Set malicious in context only for "Bad" reputation files
category: Forensics & Malware Analysis
image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAAyCAMAAACgee/qAAACjlBMVEUAAAAaGhobGxsbGxsaGhobGxsoKCgaGhoZGRkcHBwbGxsdHR0cHBwaGhodHR0bGxsbGxsbGxsaGhoXFxcbGxscHBwcHBwbGxsogMsdHR0aaLQbGxsVFRUogMwcHBwjd8Alfsgof8kdHR0eHh4VZrAXFxccHBwogMsnfckaGhodHR0ZGRkYabEVFRUpgcwbGxsbGxslgMo6pe4GBgY8qfQcHBwbGxsbabUbGxsbGxsZZq8ZGRkZZrEcHBw9qfM7p/E7p/AbGxsaGhoaGho3negbGxsZGRkcHBweaqwog88SYLccHBwcHBwaGhobGxsaGhobGxsZZbAaGhoZaLM8pu4YGBgYGBgogs0cHBwdHR0og887qPIcHBw7qPEbaLUcHBwbGxscHBwaabYdHR0bGxs8qPEYZLEmfsk8p/E9qfImgMsZGRkbGxs5p/IaGho4oOsnfssZGRklfcg9qfQaaLQbGxs8qfMbGxspgs0ZZbEeHh4dHR0nf8oaaLU7p/Anf8sngMsZZrMaGhoofscaGhongMgnfMgXFxcaGho9qvQZGRkcbbU7p/IgcMAWFhYYGBg7l+Yogcw8qPE+rPcphdIbGxsYZbA8qfM7p/A8qPEngs0YZbI7qfAngcwZZrEidb8bGxsidcEaGhoYZbI7pe8lgMsaGho7pvEZZ7EbGxs8pu8XZLA7pfAkfsk2neUohc85ougwkd0aaLQ+rfYaabQphNApg84of8oogcsZZ7EcHBwbbLkmfcongMw9qfImfckaZbAaZ7UZY64lfsgkfswYYrEXWKcaWaYcHBweHh4ogcsaaLMaZrAof8k9qvQ8p/EphNEof8oaZ7IaabY9q/Yogc0aZ7E/rvobargogs/bBoJtAAAAyHRSTlMAfsT8h90FQT28XhnOdfDsmHIlCKzb0cL1wqVbC+WqenFeTkUxLP3eg0crKA8P1IRSQTED+Pi/rp98eC758/LHbmhhVyQhHRILBwXj4aeTj4qIY1BKQTb38efm1tbNysa4s7Glm5eQiIB4dFJPPDs3NDEu/PX06uji4ODd2c+8uaydjGxsYlJLRUNDJBoaFhQN7N7d08rJvbKlpKSLi35zb2tramlmZWFgXVpVUklIMC0S+evq1c3FxLi1s5uRjo2LinFhVUE3FLQKAJIAAAR0SURBVFjD7ZXnW1JRHMePickQHBFF0TbK1BAJggwVJcCcqTnKSnOVuXPkSi0zt+299957725iSCGh/03nnAuhXR/fyVPPw+cF/A4H+NzfOd9zL3DixIkTJ/8XXcnt94HD2Vd0av32ZRu2BkcBh7Lv0kHL4MCAxbLhVtRq4Ahws7lhucklW2DHYeHBt46HbXFE21Hq8J2hg4bB0J1Xg5PbS8LDlg0aDFXHbnRNdN/qNw8thoEBg+HAlntqdUlulQGOBi0Ht3aBCUVcIC7ZumEZ6vfGsdCq48nBsOfQo+Hia0k6MJHs2TG98ePd9qJguMOocbTLRXeS8mpW5gWAiWTeoj7zcP083T3YtmEAbvXRS+ovJytM+pVr7OJVTNVCAEIuqPzxsDfIO0WwV+Fi5YqPhmmr/QRLWlxsbNPavzVTA/yvoEKhKg60ir//mJ6/u2luaXLugfWn7iQ1561o0Pf/Gin221TLBCAiWihfhYYLuRw2K+cbhCDgC28bXfYNFgivHmYtWcFPsv1ZXoR1IrMYBPHIUspok9jEi+euM856dVstXnGkYmj5io1/iRdMmzoTAKYbwVGgq10y29M7sJBGS5BJM3JotAv+dEZaJg0h2isI8cZVwjSppyKQ5eV6OB6PIzRgvkc1l0bbNTua4HfYxbP6+oyHzjab9P36ccTE1OsSUjwZQM55xuLFpzNiIgCJfZEq41kAihMCAQkUexSS35aKBDBcNvH3vqVzZvzs/yN+RxVXp7vK3O3iyWwOdyH5V9GJo73FDCG8JiSO19rFvCAAmaJQyjVA3Jg6bKaITSZ9zQcdRcxw4QuzfcYUq6Yg8DrgzRBmpgAsjmPhGYlVjH+WBrMS0Ck+XT89f7S44dHzi52rAUUs60iMSRMFjiF29XRDeJGx18RJD/sBUpyGJ1744aXGYv9sKVz/ec9OtJbfFu9eZ+zD4l/6oeU3k3yRlSrmr9XSlHXMMcRCV8zsEDTUunBQFrCYIGd4QUhc5+Lu7qdiSHnbULiMqfVvS7tbT8wyHpozY6jiyBnfKJuQKkaLyEjMpojTFT4I1hS0hy3R6d4CYO1YnoImVgmQmMAI3VQCMtXm1PzWAvHdy6/Pn3n/2ffaxc5xxDCurh48ijjGHi5JZAaH1gts4l0jUq3M4PN5HLcICfhznArWpT4tKA/ovnmyxvTSdzzx5MQYgqCK7cepbVJlnAZQxLZw9cQr5T5gxDk2m41PzjebTD/1m8cVA62okipOT3DHhAhSsgiPFrp1AMXcQlyn9NpSTZd5sgXoITH8Y8Q51vf3U8RoeevQLbOW34FTGSvksEmxkovThG6ZJNwytpKwkVUGw2UlIxIUevAiUQTOVaNwlZ9eZB4efY6p4rK42Daoj40rA9iTkxUpwbuZJcI375B4/iQSkU9kJi7IgdZ7mrWWu4PiHDkdP3JEMnYPfO++3Lg/nyJ2CLrS0lHnGIodxv1PTfuNj+E5ftCwBt49HElU+eKms3kzkr4Cx6ML0K0GTpw4ceLkX+M37Ay+Gmklo9oAAAAASUVORK5CYII=
description: Malware detection and analysis based on code reuse
Expand Down Expand Up @@ -52,9 +52,8 @@ script:
false,
params.useproxy
);

return handleResponse(result, url, acceptedCodes);
}
};

var sendMultipartRequest = function(url, file, body) {
// handle '/' at the end of the url
Expand All @@ -65,7 +64,6 @@ script:
body = {};
}
body.api_key = params.APIKey;

var result = httpMultipart(
SERVER_API + url,
file,
Expand All @@ -75,13 +73,11 @@ script:
},
body
);

return handleResponse(result, url);
};

var handleResponse = function(result, url, acceptedCodes) {
var ignoreStatusCode = acceptedCodes && (acceptedCodes.indexOf(result.StatusCode) !== -1);

// validate response
if (!ignoreStatusCode && (result.StatusCode < 200 || result.StatusCode > 299)) {
switch (result.StatusCode) {
Expand Down Expand Up @@ -124,7 +120,6 @@ script:

var getAnalysis = function(analysisId) {
var analysisRes = sendRequest('POST', ANALYSIS_RESULT_URL + analysisId);

return analysisRes.obj;
};

Expand All @@ -138,28 +133,21 @@ script:
ContentsFormat: formats.markdown
};
}

// create file analysis request
var res = sendRequest('POST', HASH_URL, {
sha256: hash,
code_item_type: codeItemType
}, [404]);

var analysisId;

if (res.statusCode === 404) {
var dBotScore = [{Indicator: hash, Type: 'hash', Vendor: 'Intezer', Score: 0}];
var file = {
SHA256: hash,
ExistsInIntezer: false,
Malicious: {
Vendor: 'Intezer'
}
};
var ec = {
'File(val.SHA256==obj.SHA256)': file,
DBotScore: dBotScore
ExistsInIntezer: false
};
var ec = { };
ec[outputPaths.file] = file;
ec.DBotScore = dBotScore;

return [{
Type: entryTypes.note,
Expand All @@ -173,27 +161,22 @@ script:
} else {
throw ERROR_PREFIX + 'Failed to create sha256 analysis for ' + hash + ', request status code: ' + res.statusCode + '\n';
}

return waitForResponse(analysisId, maxRetries, delay);
}
};

var analyzeUploadedFile = function(fileEntryId, codeItemType, maxRetries, delay) {
var res = sendMultipartRequest(FILE_UPLOAD_URL, fileEntryId, {code_item_type: codeItemType});

var analysisId;

if (res.statusCode === 201) {
analysisId = res.obj.analysis_id;
} else {
throw ERROR_PREFIX + 'Failed to create analysis, request status code: ' + res.statusCode + '\n';
}

return waitForResponse(analysisId, maxRetries, delay);
}
};

var waitForResponse = function(analysisId, maxRetries, delay) {
var entries = [];

// perform wait loop
res = getAnalysis(analysisId);
var tries = 0;
Expand All @@ -203,7 +186,6 @@ script:
wait(delay); // wait {delay} seconds
res = getAnalysis(analysisId);
}

// if polling did not retrieve response after {delay * maxRetries} seconds, return an error message
if (res.status !== SUCCESS_STATUS) {
throw ERROR_PREFIX + 'Failed to analyze, Try to change maxRetries or delay arguments\n';
Expand All @@ -213,28 +195,35 @@ script:
var hash = res.result.sha256;
var dbotScore = 0;
var ec = {};
ec.DBotScore = [];
ec[outputPaths.file] = [];

if (verdict === 'malicious') {
dbotScore = 3;
var malFile = {};
addMalicious(malFile, outputPaths.file, {
SHA256: hash,
Malicious: {Vendor: 'Intezer', Metadata: res.result}
ExistsInIntezer: true,
Metadata: res.result,
Malicious: {Vendor: 'Intezer'}
});
ec[outputPaths.file].push(malFile[outputPaths.file]);
} else if (verdict === 'suspicious') {
dbotScore = 2;
} else if (verdict === 'trusted' || verdict === 'neutral') {
dbotScore = 1;
}
var dBotScore = [{Indicator: hash, Type: 'hash', Vendor: 'Intezer', Score: dbotScore}];
var file = {
SHA256: hash,
ExistsInIntezer: true,
Malicious: {
Vendor: 'Intezer'
} else {
ec[outputPaths.file].push({
SHA256: hash,
ExistsInIntezer: true,
Metadata: res.result
});
if (verdict === 'suspicious') {
dbotScore = 2;
} else if (verdict === 'trusted' || verdict === 'neutral') {
dbotScore = 1;
}
};
}

// Set DBot score
ec.DBotScore.push({Indicator: hash, Type: 'hash', Vendor: 'Intezer', Score: dbotScore});

var data = res.result;
var md = '## Intezer analysis result\n';
md += 'SHA256: ' + hash + '\n';
Expand All @@ -244,19 +233,16 @@ script:
}
md += 'Verdict: **' + data.verdict + '** (' + data.sub_verdict + ')\n';
md += '[' + 'Analysis Link' + '](' + data.analysis_url + ')\n';

// set return entry with context
entries.push({
Type: entryTypes.note,
Contents: res.body,
ContentsFormat: formats.json,
HumanReadable: md,
EntryContext: {
'File(val.SHA256==obj.SHA256)': file,
DBotScore: dBotScore
}
EntryContext: ec
});
}

return entries;
};

Expand Down Expand Up @@ -295,7 +281,7 @@ script:
defaultValue: "5"
outputs:
- contextPath: File.SHA256
description: Bad hash SHA256
description: Hash SHA256
type: string
- contextPath: File.Malicious.Vendor
description: For malicious files, the vendor that made the decision
Expand All @@ -312,13 +298,15 @@ script:
- contextPath: DBotScore.Score
description: The actual score
type: number
- contextPath: Intezer.File
description: 'The file '
type: unknown
- contextPath: File.ExistsInIntezer
description: 'File exists in Intezer genome database (in case file does not
exist, consider upload the file) '
type: boolean
- contextPath: File.Metadata
description: Metadata returned from Intezer analysis (analysis id, analysis
url, family, family type, sha256, verdict, sub_verdict). Metedata will be
retuned only for supported files.
type: unknown
description: Checks file reputation of the given hash, supports SHA256
- name: intezer-upload
arguments:
Expand All @@ -343,7 +331,7 @@ script:
defaultValue: "5"
outputs:
- contextPath: File.SHA256
description: Bad hash SHA256
description: Hash SHA256
type: string
- contextPath: File.Malicious.Vendor
description: For malicious files, the vendor that made the decision
Expand All @@ -360,5 +348,9 @@ script:
- contextPath: DBotScore.Score
description: The actual score
type: number
- contextPath: File.Metadata
description: Metadata returned from Intezer analysis (analysis id, analysis
url, family, family type, sha256, verdict, sub_verdict). Metedata will be
retuned only for supported files.
description: Checks file reputation for uploaded file (up to 20MB)
runonce: false