Skip to content

Commit

Permalink
unknown risk management (#1232)
Browse files Browse the repository at this point in the history
  • Loading branch information
remydewaGW authored Jun 12, 2024
1 parent ba1cfe3 commit be92c11
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 15 deletions.
23 changes: 12 additions & 11 deletions analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ def run(self):
has_max = False
total_found_relations = 0
for item in info["message"][0]["IOCs"]:
if total_found_relations == len(relations) or \
(has_max and total_found_relations >= self.max_relations):
if (total_found_relations == len(relations) or
(has_max and total_found_relations >= self.max_relations)):
break

if item["IocId"] in relations:
Expand All @@ -65,14 +65,16 @@ def run(self):
elif item["Type"] in ["URL", "Host", "MD5", "SHA1", "SHA256"]:
records["IOCs"].append(item)

additional = {k : v for k, v in additional.items() if v is not None}
additional = {k: v for k, v in additional.items() if v is not None}
main.update(additional)
records["IOCs"].insert(0, main)
if len(records["IOCs"]) == 1 and records["IOCs"][0]["Risk"].lower() == "unknown":
records["is_on_gw"] = False

self.report(records)

def check_response(self, response):
if response.status_code not in [200,422]:
if response.status_code not in [200, 422]:
try:
result = response.json()
if (
Expand Down Expand Up @@ -102,23 +104,22 @@ def summary(self, raw):
level = "info"
namespace = "Gatewatcher CTI"
predicate = "GetReport"
value = "Not found"
value = "not found"
data = next(
(ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None
)
if data is not None:
level = data["Risk"].lower()
if level == "malicious":
value = 86
value = 100
elif level == "high suspicious":
value = 71
level = "suspicious"
else:
value = 31
value = 75
elif level == "suspicious":
value = 60

taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
return {"taxonomies": taxonomies}


if __name__ == "__main__":
GatewatcherCTI().run()
GatewatcherCTI().run()
21 changes: 17 additions & 4 deletions analyzers/Gatewatcher_CTI/README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,18 @@
Requirement : if you want to use LastInfoSec's intelligence, you need an API key. You could contact LastInfoSec's team here https://www.gatewatcher.com/en/contact/
LastInfosec has been acquired by Gatewatcher.
LastInfoSec's Threat Feed is a data feed that makes it easier to detect threats within the information system. It contains enriched compromised evidences in order to reduce the time of threat analysis once detected.
https://www.gatewatcher.com/en/nos-produits/last-info-sec
## Gatewatcher
Gatewatcher is a European leader in advanced Threats detection, protecting critical networks of large Entreprises and Governement organisations since 2015.

## Gatewatcher CTI
The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business.

## Cortex Integration
This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database

## How to obtain credentials ?
If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key

If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec

## TheHive Integration
With this cortex integration, we also provide you templates for TheHive available in the [thehive-templates](../../thehive-templates/Gatewatcher_CTI_1_0) directory.

![](assets/Gatewatcher_CTI_long.png)

0 comments on commit be92c11

Please sign in to comment.