diff --git a/analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py b/analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py index 1c14e385a..af155a196 100755 --- a/analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py +++ b/analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py @@ -50,8 +50,8 @@ def run(self): has_max = False total_found_relations = 0 for item in info["message"][0]["IOCs"]: - if total_found_relations == len(relations) or \ - (has_max and total_found_relations >= self.max_relations): + if (total_found_relations == len(relations) or + (has_max and total_found_relations >= self.max_relations)): break if item["IocId"] in relations: @@ -65,14 +65,16 @@ def run(self): elif item["Type"] in ["URL", "Host", "MD5", "SHA1", "SHA256"]: records["IOCs"].append(item) - additional = {k : v for k, v in additional.items() if v is not None} + additional = {k: v for k, v in additional.items() if v is not None} main.update(additional) records["IOCs"].insert(0, main) + if len(records["IOCs"]) == 1 and records["IOCs"][0]["Risk"].lower() == "unknown": + records["is_on_gw"] = False self.report(records) def check_response(self, response): - if response.status_code not in [200,422]: + if response.status_code not in [200, 422]: try: result = response.json() if ( @@ -102,23 +104,22 @@ def summary(self, raw): level = "info" namespace = "Gatewatcher CTI" predicate = "GetReport" - value = "Not found" + value = "not found" data = next( (ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None ) if data is not None: level = data["Risk"].lower() if level == "malicious": - value = 86 + value = 100 elif level == "high suspicious": - value = 71 - level = "suspicious" - else: - value = 31 + value = 75 + elif level == "suspicious": + value = 60 taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) return {"taxonomies": taxonomies} if __name__ == "__main__": - GatewatcherCTI().run() \ No newline at end of file + GatewatcherCTI().run() diff --git a/analyzers/Gatewatcher_CTI/README.md b/analyzers/Gatewatcher_CTI/README.md index 8b30868dd..81dc3896d 100644 --- a/analyzers/Gatewatcher_CTI/README.md +++ b/analyzers/Gatewatcher_CTI/README.md @@ -1,5 +1,18 @@ -Requirement : if you want to use LastInfoSec's intelligence, you need an API key. You could contact LastInfoSec's team here https://www.gatewatcher.com/en/contact/ -LastInfosec has been acquired by Gatewatcher. -LastInfoSec's Threat Feed is a data feed that makes it easier to detect threats within the information system. It contains enriched compromised evidences in order to reduce the time of threat analysis once detected. -https://www.gatewatcher.com/en/nos-produits/last-info-sec +## Gatewatcher +Gatewatcher is a European leader in advanced Threats detection, protecting critical networks of large Entreprises and Governement organisations since 2015. +## Gatewatcher CTI +The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business. + +## Cortex Integration +This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database + +## How to obtain credentials ? +If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key + +If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec + +## TheHive Integration +With this cortex integration, we also provide you templates for TheHive available in the [thehive-templates](../../thehive-templates/Gatewatcher_CTI_1_0) directory. + +![](assets/Gatewatcher_CTI_long.png) \ No newline at end of file