Merge pull request #1036 from viviandsilva/otxquery_fixes

OTX query does not have actionable intelligence

Author: nusantara-self

analyzers/OTXQuery/otxquery.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # encoding: utf-8
-import json
+import json, re
 import requests
 import urllib
 import hashlib
@@ -102,7 +102,7 @@ def otx_query_file(self, data):
 
             if ip_['analysis']['analysis']:
                 # file has been analyzed before
-                self.report({
+                result = {
                     'pulse_count': ip_.get('general', {}).get('pulse_info', {}).get('count', "0"),
                     'pulses': ip_.get('general', {}).get('pulse_info', {}).get('pulses', "-"),
                     'malware': ip_.get('analysis', {}).get('malware', "-"),
@@ -120,8 +120,22 @@ def otx_query_file(self, data):
                     'filesize': ip_.get('analysis', {}).get('analysis', {}).get('info', {}).get('results', {}).get(
                         'filesize', "-"),
                     'ssdeep': ip_.get('analysis', {}).get('analysis', {}).get('info', {}).get('results', {}).get(
-                        'ssdeep')
-                })
+                        'ssdeep'),
+                    'combined_score' : ip_.get('analysis', {}).get('analysis', {}).get('plugins', {}).get('cuckoo', {}).get(
+                        'result', {}).get('info', {}).get('combined_score')
+                }
+                alert_val = ip_.get('analysis', {}).get('analysis', {}).get('plugins', {}).get('cuckoo', {}).get(
+                        'result', {}).get('signatures')
+                if alert_val is not None and len(alert_val) > 0:
+                    result['alerts'] = alert_val
+
+                ids_detections_val = ip_.get('analysis', {}).get('analysis', {}).get('plugins', {}).get('cuckoo', {}).get(
+                        'result', {}).get('suricata', {}).get('rules')
+                if ids_detections_val is not None and len(ids_detections_val) > 0:
+                    result['ids_detections'] = ids_detections_val
+
+                self.report(result)
+
             else:
                 # file has not been analyzed before
                 self.report({
@@ -159,8 +173,27 @@ def summary(self, raw):
         level = "info"
         namespace = "OTX"
         predicate = "Pulses"
+        pulses = dict()
         value = "{}".format(raw["pulse_count"])
-        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        pulses = raw.get("pulses", 0)
+        malicious_count = 0
+
+        if "combined_score" in raw:
+            combined_score = raw['combined_score']
+            if (combined_score < 3):
+                level = "safe"
+            elif (combined_score < 7):
+                level = "suspicious"
+            elif (combined_score >= 7):
+                level = "malicious"
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        else:
+            for pulse in pulses:
+                for tag in pulse["tags"]:
+                    if re.match(r"Malicious", tag, re.IGNORECASE) is not None:
+                        malicious_count +=1
+            value = "Number of pulses: " + value + ", Pulses that have a malicious tag: " + str(malicious_count)
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
 
         return {"taxonomies": taxonomies}