Analyzers are autonomous applications managed by and run through the Cortex core engine. Analyzers allow analysts and security researchers to analyze observables and IOCs such as domain names, IP addresses, hashes, files, URLs at scale. While many analyzers are free to use, some require special access while others necessitate a valid service subscription or product license, even though the analyzers themselves are released under an the AGPL (Affero General Public License).
This document outlines the information needed to:
- install the Cortex analyzers.
- update them when needed.
- configure them.
This documents also specifies whether the service that the analyzer is based on is free or requires special access or valid subscription or product license.
- Introduction
- Free Analyzers
- Abuse_Finder
- C1fApp
- Censys.io
- Crtsh
- CuckooSandbox
- Cybercrime-Tracker
- Cymon
- FileInfo
- FireHOLBlocklists
- Fortiguard
- GoogleSafeBrowsing
- Hashdd
- Hippocampe
- HybridAnalysis
- MaxMind
- MISP
- MISP Warninglists
- Msg_Parser
- Onyphe
- OTXQuery
- PhishTank
- PhishingInitiative
- Robtex
- StaxxSearch
- StopForumSpam
- ThreatCrowd
- Tor Blutmagie
- Tor Project
- URLhaus
- Unshortenlink
- Virusshare
- WOT
- Yara
- Yeti
- Analyzers Requiring Special Access
- Subscription and License-based Analyzers
All analyzer configuration settings must be made using the Cortex Web UI. Please refer to the Administration Guide for further details.
By default, and within every freshly created organization, all analyzers are disabled. If you want to enable and configure them, use the Web UI (Organization > Configurations and Organization > Analyzers tabs).
Use CERT-SG's Abuse Finder to find abuse contacts associated with domain names, URLs, IPs and email addresses.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Get C1fApp information related to an IP address, a domain or a URL.
The analyzer comes in only one flavor.
This analyzer requires you to have an account on c1fapp.com and an API key.
To configure the analyzer you need to supply the key as a value of the key parameter.
Get Censys.io information about certificates using the associated IP, domain or hash.
The analyzer comes in only one flavor.
Provide your API ID and the API secret as values for uid and key parameters.
Get Crt.sh certificate transparency lists associated with a domain name. Crt.sh is an online service operated by the Comodo Certificate Authority.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Analyze URLs and files using Cuckoo Sandbox.
The analyzer comes in two flavors:
- CuckooSandbox_File_Analysis_Inet: analyze files with Internet access.
- CuckooSandbox_Url_Analysis: analyze URLs.
The CuckooSandbox analyzer requires you to have a local instance of Cuckoo Sandbox deployed. It is a FOSS that is free for use but needs to be manually deployed in your environment. Please go to https://cuckoosandbox.org/ for more information on setting it up.
To configure the analyzer you need to supply the URL of your local instance
as a value of the url parameter.
Use the Cybercrime-tracker.net service to assess whether an IP address, URL, domain, or FQDN has a C2 (Command & Control) entry in its database.
This analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Checks IP addresses against Cymon.io.
This analyzer comes in only one flavor.
You need to sign up to the service at https://cymon.io/user/signup. Once you do, provide your API key as the value to the key parameter.
Parse files in several formats such as OLE and OpenXML to detect VBA macros,
extract their source code, generate useful information on PE, PDF and Microsoft Office documents, Outlook msg files and much more.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Check IP addresses against the FireHOL blocklists.
The analyzer comes in only one flavor.
This analyzer needs you to download the FireHOL block lists first to a
directory. Use git for that purpose:
$ mkdir /path/to/firehol
$ cd /path/to/firehol
$ git clone https://github.com/firehol/blocklist-ipsets
We advise you to keep the lists fresh by adding a cron entry to
regularly download them for example (using git pull).
Specify the directory where the lists have been downloaded using the
blocklistpath paramater and an optional ignoreolderthandays parameter to
ignore all lists that have not been updated in the last N days.
Check the Fortiguard category of a URL or a domain.
The analyzer comes in only one flavor called Fortiguard_URLCategory.
No configuration is required. It can be used out of the box.
Check URLs against Google Safebrowsing.
The analyzer comes in only one flavor.
You need to obtain an API key from Google.
Provide your API key as a value of the key parameter.
Check file hashes against the Hashdd web service.
The analyzer comes in two flavors:
- Status: query hashdd without an API key for the threat level only.
- Detail: use an API key and obtain additional meta data about the sample.
As long as you are using the Status flavor you don't need API key. If you want more details using the Detail flavor, you need to sign up for a hashdd.com account and obtain an API.
Query threat feeds through Hippocampe, a FOSS tool from TheHive Project that centralizes feeds and allows you to associate a confidence level to each one of them (that can be changed over time) and get a score indicating the data quality.
The analyzer comes in two flavors:
- HippoMore: get the Hippocampe detailed report for an IP address, a domain or a URL.
- Hipposcore: get the Hippocampe Score report associated with an IP address, a domain or a URL.
The Hippocampe analyzer requires you to have a local instance of Hippocampe deployed/configured. It is a FOSS product that needs to be manually deployed in your environment. Please go to https://github.com/TheHive-Project/Hippocampe for more information on setting it up.
To configure the analyzer you need to supply the URL of your local instance
using the url parameter.
Fetch Hybrid Analysis reports associated with hashes and filenames.
This analyzer comes in only one flavor called HybridAnalysis_GetReport.
You need to have or create a free Hybrid Analysis account.
Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair.
Provide the API key as a value for the key parameter and the secret as a
value to the secret parameter.
Geolocate an IP Address via MaxMind GeoLite2 free City and Country databases.
Cortex does not refresh those databases automatically. It is up to you to create a cron job to refresh them at the frequency you want. The files to update are:
MaxMind/GeoLite2-City.mmdbMaxMind/GeoLite2-Country.mmdb
You can fetch up-to-date versions from https://dev.maxmind.com/geoip/geoip2/geolite2/.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Query multiple MISP (Malware Information Sharing Platform) instances for events containing an observable.
MISP is a FOSS threat sharing platform. It is considered the de facto standard in the field. You'd benefit greatly from using it in conjunction to Cortex and TheHive as these 3 products make an interesting Threat Intelligence, Incident Response and Digital Forensics ecosystem.
The analyzer comes in only one flavor.
The MISP analyzer requires you to have access to one or several MISP instances. You can also deploy your own instance.
Four parameters are required to make the analyzer work:
urlkeycertpathname
You need the URL for each MISP instance you'd like to search. Those URLs go
in the url dict. You'll also need the authentication key associated with
your account on each of those instances. To obtain the key, log into the MISP
instance's Web UI, click on your username on the top navigation bar and
retrieve the value of the Authkey parameter. Each Authkey must be added,
in the same order as the URLs to the key dict.
Another important parameter is the certpath dict. For each MISP instance:
- Use
falseif you don't want to validate the instance's X.509 certificate or if the instance use old plain HTTP. - Use
"/etc/ssl/certs"or another file to validate the instance's X.509 certificate.
Last but not least, give each instance a name and add it in the order you
specified URLs and keys above to the name dict.
Check IP addresses, hashes, domains, FQDNs and URLs against MISP WarningLists.
The analyzer comes in only one flavor.
This analyzer needs you to download the MISP WarningLists first to a
directory. Use git for that purpose:
$ mkdir /path/to/misp-warninglists/repository
$ cd /path/to/misp-warninglists/repository
$ git clone https://github.com/MISP/misp-warninglists
We advise you to keep the lists fresh by adding a cron entry to regularly download them for example (using git pull).
Specify the directory where the WarningLists have been downloaded or updated using the
path paramater.
Parse Outlook message files automatically and show the key information it contains such as headers, attachments etc. Please note that the analyzer doesn't extract attachments.
The analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Get publicly available information from Onyphe for IP addresses.
The analyzer comes in five flavors:
- Onyphe_Forward: retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.
- Onyphe_Geolocate: retrieve geolocation information for the given IPv{4,6} address.
- Onyphe_Ports: retrieve SYN scan information Onyphe has for the given IPv{4,6} address with history of changes.
- Onyphe_Reverse: retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.
- Onyphe_Threats: retrieve Onyphe threat information for the given IPv{4,6} address with history.
Provide the API key as a value for the key parameter.
Query AlienVault's Open Threat Exchange for IPs, domains, URLs, or file hashes.
The analyzer comes in only one flavor.
You need to sign up for an OTX account or use an existing one.
Log in to your OTX account, click on your username on the top
navigation bar then on Settings and retrieve your OTX key and use it as the
value of the key parameter.
Query PhishTank to assess whether a URL has been flagged as a phishing site.
The analyzer comes in only one flavor called PhishTank_CheckURL.
You need to sign up for a PhishTank account or use an existing one.
Log in to your PhishTank account, click on the Developers tab then on
Manage Applications, register an application by giving it a name and
entering a CAPTCHA code. You'll obtain an API key that you'll need to supply
as the value to the key configuration parameter for this analyzer to work.
Query Phishing Initiative to assess whether a URL has been flagged as a phishing site.
This analyzer comes in only one flavor called PhishingInitiative_Lookup.
You need to sign up for a Phishing Initiative account or use an existing one.
Log in to your Phishing Initiative account, click on the icon representing
your account details then on API. Retrieve the API key value and supply
it as the value to the key configuration parameter.
Query the Robtex database and retrieve information about a domain, a FQDN or an IP address.
This analyzer comes in three flavors:
- Robtex_Forward_PDNS_Query: check domains/FQDNs using the Robtex passive DNS database.
- Robtex_IP_Query: make IP lookups against the Robtex DB.
- Robtex_Reverse_PDNS_Query: check IPs in Robtex reverse passive DNS database.
The analyzer uses the free Robtex API which needs no subsequent configuration. However, the free API has limits with regard to rates and amount of data returned.
Fetch observable details from an Anomali STAXX instance.
This analyzer comes in only one flavor.
You need to install an Anomali STAXX instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:
auth_url: URL of the authentication endpoint.query_url: URL of the intelligence endpoint.username: the STAXX user name.password: the STAXX password.cert_check: boolean indicating whether the certificate of the endpoint must be checked or not.cert_path: path to the CA on the system to validate the endpoint's certificate ifcert_checkis true.
Query StopForumSpam to check if an IP or email address is a known spammer.
You need to define the thresholds above which the analyzed observable should be marked as suspicious or malicious.
Look up domains, mail and IP addresses on ThreatCrowd, a service powered by AlienVault.
This analyzer comes in only one flavor.
No configuration is needed. It can be used out of the box.
Check if an IP address, a domain or a FQDN is known by Blutmagie to be linked to a Tor node.
This analyzer comes in only one flavor.
In order to check if an IP, domain or FQDN is a Tor exit node, this analyzer queries the Tor status service at Blutmagie.de. The analyzer uses a caching mechanism in order to save some time when doing multiple queries, so the configuration includes parameter regarding the cache directory and the duration of caching.
Check if an IP address is known to be a Tor node. The information source is the official Tor network status.
This analyzer comes in only one flavor.
The analyzer uses a caching mechanism in order to save some time when doing multiple queries, so the configuration includes parameter regarding the cache directory and the duration of caching. This analyzer also accepts a ttl parameter, which is the threshold in seconds for exit nodes before they get discarded.
Follow redirects of shortened URLs to reveal the real ones.
This analyzer comes in only one flavor.
No configuration is required. It can be used out of the box.
Warning: using this analyzer without extra caution might lead to unexpected consequences. For example, if the URL you are seeking to unshorten is an attacker-controlled one, you may end up leaving undesired traces in the threat actor's infrastructure logs. The TLP values Cortex allows you to configure to prevent the use of an analyzer if the TLP associated with an observable is above the authorized level won't be of much help since Unshortenlink have to access the shortened URL. Please do not activate this analyzer unless you (and your fellow analysts) know what they are doing.
Check if a domain, URL or hash is known by Abuse.ch and stored in the URLhaus database, and get a report about its 'maliciousness'.
This analyzer comes in only one flavor.
No configuration is needed. It can be used out of the box.
Check whether a file or hash is available on VirusShare.com.
This analyzer comes in only one flavor.
Prior to using the analyzer, you need to retrieve the Virusshare hash lists
using the download_hashes.py script that is located in the same directory
as the analyzer. To keep your lists fresh, you may want to regularly
download them using a cron entry or a similar system.
Indicate the path where you have downloaded the hash lists using the path
parameter.
Check a domain against Web of Trust, a website reputation service.
This analyzer comes in only one flavor called WOT_Lookup.
An account with Web of Trust is required to get an API key, which is necessary to configure the analyzer. You can sign up for an account at https://www.mywot.com/en/signup?destination=profile/api.
Supply the API key you'll find under https://www.mywot.com/en/signup?destination=profile/api
as the value for the key parameter.
Check files against YARA rules using yara-python.
The analyzer comes in only one flavor.
You need to point your analyzer to multiple files and/or directories containing your YARA rules. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.
Add each file and/or directory containing YARA rules to the rules dict.
YETI is a FOSS platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. The analyzer for this platform lets you make API calls to YETI and retrieve all available information pertaining to a domain, a fully qualified domain name, an IP address, a URL or a hash.
This analyzer comes in only one flavor.
The Yeti analyzer requires you to have a local instance of YETI deployed/configured. It is an open source tool that is free for use but needs to be manually deployed in your environment.
Provide the URL of your YETI instance as a value for the url parameter.
Check CERT.at Passive DNS Service for a given domain.
This analyzer comes in only one flavor.
Access to the CERT.at service is allowed to trusted partners only. If you think you qualify, please contact CERT.at.
No configuration is required. It can be used out of the box if CERT.at positively answers your access request.
Check CIRCL's Passive DNS for a given domain.
This analyzer comes in only one flavor.
Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg and abroad. Contact CIRCL if you would like access. Include your affiliation and the foreseen use of the Passive DNS data.
If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.
supply your username as the value for the user parameter and your password
as the value for the password parameter.
Check CIRCL's Passive SSL service for a given IP address or certificate hash.
This analyzer comes in only one flavor.
Access to CIRCL Passive SSL is allowed to partners including security researchers or incident analysts worldwide. Contact CIRCL if you would like access.
If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.
Supply your username as the value for the user parameter and your password
as the value for the password parameter.
Determine whether an IP has known scanning activity using GreyNoise.
This analyzer comes in only one flavor.
The analyzer can be used out of the box without configuration. However, if you make many requests, you need to obtain an API key. Please contact GreyNoise to ask for one.
Once you get the API key, provide it as the value of the key parameter.
Query domains, IPs, hashes and URLs against IBM X-Force Threat Intelligence sharing platform.
This analyzer comes in only one flavor.
Access to IBM X-Force Threat Exchange requires an IBM ID.
Once you have access to the service, supply the URL of the service as value for the url parameter, the API key associated with your account as value for the key parameter and the associated password as the value of the pwd parameter.
Scan files against YARA rules automatically downloaded every 10 hours by the analyzer from Malpedia.
If a rule matches, the analyzer tries to retrieve more info from Malpedia such as the malware family (currently more than 600) and the actor group (tracked through MISP Galaxies).
This analyzer comes in only one flavor.
You need access to Malpedia to use this analyzer. Please note that Malpedia does not feature open registration. It is operated as an invite-only trust group. If you believe you qualify for an account, please see Malpedia's Terms of Services for contact details.
If you have access to Malpedia, provide your username as the value for the username parameter and the associated password as the value of the password parameter then specify a location where the analyzer will download the YARA rules to using the path parameter.
Query Malwares.com and get reports on files, hashes, domain names and IP addresses.
The analyzer comes in two flavors:
- Malwares_GetReport: get the latest Malwares report for a file, hash, domain or an IP address.
- Malwares_Scan: scan a file or URL.
You need to sign up for a Malwares.com account.
An API key to use the service's API should be associated with your account. Supply it as the value of the key parameter.
Query IP addresses and domain names against Mnemonic Passive DNS service.
This analyzer comes in two flavors:
- Mnemonic_pDNS_Public: query Mnemonic's public service.
- Mnemonic_pDNS_Closed: query Mnemonic's closed service.
When using the public service, the analyzer can be used out of the box with no further configuration.
When using the closed service, you need to contact Mnemonic to get an API key which you'll need to supply as the value of the key parameter.
Check SinkDB service from abuse.ch fort a given IP address.
This analyzer comes in only one flavor.
SinkDB is a private service provided by abuse.ch which collects sinkholed IPs. Access to this service is restricted to trusted partners. Request an access using the form available on the SinkDB website if you would like access.
Provide the API key as a value for the key parameter.
Retrieve key Shodan information on domains and IP addresses.
This analyzer comes in two flavors:
- Shodan_Host: get Shodan information on a host.
- Shodan_Search: get Shodan information on a domain.
You need to create a Shodan account and retrieve the associated API Key. For best results, it is advised to get a Membership level account, otherwise a free one can be used.
Supply the API key as the value for the key parameter.
Leverage Farsight Security's DNSDB for Passive DNS.
This analyzer comes in three flavors:
- DNSDB_DomainName: fetch historical records for a domain.
- DNSDB_IPHistory: fetch historical records for an IP address.
- DNSDB_NameHistory: fetch historical records for a fully-qualified domain name.
You need a valid subscription to Farsight Security's DNSDB service to use the analyzer.
Provide the URL of the DNSDB API service to the server parameter. The
default (https://api.dnsdb.info) should work. If it doesn't, contact
Farsight
Security.
Provide your API key as a value to the key parameter.
Look up domain names, IP addresses, WHOIS records, etc. using the popular DomainTools service API.
The analyzer comes in 7 flavors:
- DomainTools_ReverseIP: get a list of domain names sharing the same IP address.
- DomainTools_ReverseNameServer: get a list of domain names that share the same primary or secondary name server.
- DomainTools_ReverseWhois: get a list of domain names which share the same registrant information.
- DomainTools_WhoisHistory: get a list of historical Whois records associated with a domain name.
- DomainTools_WhoisLookup: get the ownership record for a domain with basic registration details.
- DomainTools_WhoisLookup_IP: get the ownership record for an IP address with basic registration details.
- DomainTools_Risk: get a risk score for a given domain name.
- DomainTools_Reputation: get a reputation score for a given domain name.
You need a valid DomainTools API integration subscription to use the analyzer.
Provide your username as a value for the username parameter and API key as
a value for the key parameter.
Leverage Proofpoint's Emerging Threats Intelligence to assess the reputation of various observables and obtain additional and valuable information on malware.
The service comes in three flavors:
- EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
- EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
- EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.
You need a valid Proofpoint Emerging Threats Intelligence subscription to use the analyzer.
Retrieve the API key associated with your account and provide it as a value
to the key parameter.
Leverage FireEye iSIGHT Threat Intelligence to qualify domains, IP addresses, hashes and URLs.
This analyzer comes in only one flavor.
You need a valid FireEye iSIGHT Threat Intelligence subscription to use the analyzer.
Retrieve the API key associated with your account and provide it as a value
to the key parameter. Obtain the password associated with the API key and provide it as a value to the pwd parameter.
Analyze URLs and files using the powerful Joe Sandbox malware analysis solution.
Joe Sandbox is a commercial solution by Joe Security LLC. It comes in several versions. The analyzer has been tested with Joe Sandbox Cloud, Joe Sandbox Ultimate and Joe Sandbox Complete.
The analyzer comes in 3 flavors:
- JoeSandbox_File_Analysis_Inet: analyze files while providing Internet access.
- JoeSandbox_File_Analysis_Noinet: analyze files without providing Internet access.
- JoeSandbox_Url_Analysis: analyze URLs.
Provide the URL of your on-premises Joe Sandbox instance or the cloud version
to the url parameter and supply the associated API key as a value for the
key parameter.
Leverage RiskIQ's PassiveTotal service to gain invaluable insight on observables, identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.
The analyzer comes in 8 flavors:
- PassiveTotal_Enrichment: enrichment Lookup.
- PassiveTotal_Malware: malware Lookup.
- PassiveTotal_Osint: OSINT Lookup.
- PassiveTotal_Passive_Dns: passive DNS Lookup.
- PassiveTotal_Ssl_Certificate_Details: SSL Certificate Details.
- PassiveTotal_Ssl_Certificate_History: Ssl Certificate History Lookup.
- PassiveTotal_Unique_Resolutions: Unique Resolutions Lookup.
- PassiveTotal_Whois_Details: Whois Details Lookup.
You need a PassiveTotal account to obtain the API key which is required to use the analyzer. If you sign up for a Community Edition Account, you'll have a very limited number of queries. You can purchase a PassiveTotal subscription for a higher number of queries per day.
Provide your account's username as the value of the username parameter and
the associated API key as value for the key parameter.
Submit files or URLs to an on premise PayloadSecurity sandbox and fetch the associated reports.
This analyzer comes in only one flavor.
Five parameters are required to make the analyzer work:
urlkeysecretenvironmentidverifyssl
Provide the API key as a value for the key parameter and the secret as a
value to the secret parameter. the url parameter should be the address of your on premise service. environmentid should also be gathered from your custom configuration.
Use Nessus Professional, a popular vulnerability scanner to scan an IP address or a FQDN. This analyzer works with Nessus 6 or earlier. Tenable has removed API access starting from version 7 rendering this analyzer useless with that version.
The analyzer comes in only one flavor.
You must have a locally deployed instance of Nessus Professional 6 or earlier to use the analyzer. The scanner must have at least a scan policy defined. You must not scan assets that do not belong to you, unless you really know what you are doing. That’s why safeguards were built in the analyzer’s configuration.
To configure the analyzer, you must supply four parameters:
url: URL of your Nessus scanner.login: username to log to the scanner.password: password of your login account.policy: the scan policy to use.ca_bundle: an optional parameter to validate the X.509 certificate of the scanner. This parameter must be omitted if no validation is needed.allowed_networks: a list of networks in CIDR notation that the scanner is allowed to probe.
Look up files, URLs and hashes in VirusTotal.
The analyzer comes in two flavors:
- VirusTotal_GetReport: get the latest VirusTotal report for a file, hash, domain, URL or an IP address.
- VirusTotal_Scan: scan a file or URL.
You need a VirusTotal community account or a Private API subscription, a premium service.
Please note that a community account is highly limited in the number of API queries it can make. If you can afford them, subscribe to the premium services.
Provide the API key associated with your account as a value to the key
parameter.
Analyze files using the VMRay Analyzer Platform commercial sandbox.
The analyzer comes in only one flavor. It lets you run a file in a local or remote (cloud) VMRay sandbox. The analyzer also lets you check existing analysis reports.
You need a VMRay Analyzer Platform to use the analyzer.
To configure the analyzer, provide the URL of the platform as a value for the
url parameter and the API key as a value for the key parameter.
To validate the X.509 certificate of your VMRay Analyzer Platform instance,
use the certpath parameter.