
Cortex Analyzer Requirements Guide

Analyzers are autonomous applications managed by and run through the Cortex core engine. They allow analysts and security researchers to analyze observables and IOCs such as domain names, IP addresses, hashes, files and URLs at scale. While many analyzers are free to use, some require special access and others a valid service subscription or product license, even though the analyzers themselves are released under the AGPL (Affero General Public License).

This document outlines the information needed to:

  • install the Cortex analyzers.
  • update them when needed.
  • configure them.

This document also specifies whether the service an analyzer is based on is free to use or requires special access, a valid subscription or a product license.

Introduction

All analyzer configuration settings must be made using the Cortex Web UI. Please refer to the Administration Guide for further details.

By default, and within every freshly created organization, all analyzers are disabled. If you want to enable and configure them, use the Web UI (Organization > Configurations and Organization > Analyzers tabs).

Free Analyzers

Abuse_Finder

Use CERT-SG's Abuse Finder to find abuse contacts associated with domain names, URLs, IPs and email addresses.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

C1fApp

Get C1fApp information related to an IP address, a domain or a URL.

The analyzer comes in only one flavor.

Requirements

This analyzer requires you to have an account on c1fapp.com and an API key.

To configure the analyzer you need to supply the key as a value of the key parameter.

Censys.io

Get Censys.io information about certificates using the associated IP, domain or hash.

The analyzer comes in only one flavor.

Requirements

Provide your API ID and the API secret as values for uid and key parameters.

Crtsh

Get Crt.sh certificate transparency lists associated with a domain name. Crt.sh is an online service operated by the Comodo Certificate Authority.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

CuckooSandbox

Analyze URLs and files using Cuckoo Sandbox.

The analyzer comes in two flavors:

  • CuckooSandbox_File_Analysis_Inet: analyze files with Internet access.
  • CuckooSandbox_Url_Analysis: analyze URLs.

Requirements

The CuckooSandbox analyzer requires a local instance of Cuckoo Sandbox. Cuckoo is free and open-source software (FOSS) but must be deployed manually in your environment. Please go to https://cuckoosandbox.org/ for more information on setting it up.

To configure the analyzer you need to supply the URL of your local instance as a value of the url parameter.

Cybercrime-Tracker

Use the Cybercrime-tracker.net service to assess whether an IP address, URL, domain, or FQDN has a C2 (Command & Control) entry in its database.

This analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

Cymon

Checks IP addresses against Cymon.io.

This analyzer comes in only one flavor.

Requirements

You need to sign up to the service at https://cymon.io/user/signup. Once you do, provide your API key as the value to the key parameter.

DShield

Checks IP addresses against SANS ISC DShield database.

The analyzer comes in only one flavor called DShield_lookup.

No configuration is required. It can be used out of the box.

EmlParser

Use the eml_parser python library to parse EML email and extract useful information.

No configuration is required. It can be used out of the box.

FileInfo

Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF and Microsoft Office documents, Outlook msg files and much more.

The analyzer comes in only one flavor.

Requirements

Some configuration is required for the Manalyze submodule, which needs to run the Manalyze binary. There are two different ways to provide it:

  • Compile the binary by following the instructions on the Manalyze GitHub pages, then enable the manalyze_enable and manalyze_enable_binary options and set manalyze_binary_path in Cortex.
  • Use Docker on your Cortex server by enabling the manalyze_enable and manalyze_enable_docker options in Cortex. The submodule then uses the evanowe/manalyze container. The first analysis with this option may take a long time unless you first run docker pull evanowe/manalyze on your Cortex server.

FireHOLBlocklists

Check IP addresses against the FireHOL blocklists.

The analyzer comes in only one flavor.

Requirements

This analyzer needs you to download the FireHOL block lists first to a directory. Use git for that purpose:

$ mkdir /path/to/firehol
$ cd /path/to/firehol
$ git clone https://github.com/firehol/blocklist-ipsets

We advise you to keep the lists fresh, for example by adding a cron entry that regularly updates them (using git pull).

Specify the directory where the lists have been downloaded using the blocklistpath parameter, and optionally the ignoreolderthandays parameter to ignore all lists that have not been updated in the last N days.
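The two settings above amount to a small piece of logic: read every FireHOL .ipset/.netset file under blocklistpath, skip the ones whose modification time is older than ignoreolderthandays, and report which of the remaining lists contain the observable. The following is an added illustration of that logic written for this guide; it is not the analyzer's own code. It assumes FireHOL's file naming (.ipset for single addresses, .netset for CIDR ranges, # for comment lines) and builds a constructed sample directory so it runs offline.

```python
import ipaddress
import os
import tempfile
import time
from pathlib import Path

# Illustrative re-implementation of the blocklistpath / ignoreolderthandays
# behaviour described in the guide; not the FireHOLBlocklists analyzer's code.


def load_fresh_lists(blocklist_path, ignore_older_than_days=None, now=None):
    """Return {list_name: [ip_network, ...]} for every .ipset/.netset file in
    blocklist_path whose mtime is within ignore_older_than_days.
    None keeps every list. Lines starting with '#' are FireHOL comments."""
    now = time.time() if now is None else now
    lists = {}
    for entry in sorted(Path(blocklist_path).iterdir()):
        if entry.suffix not in (".ipset", ".netset"):
            continue
        if ignore_older_than_days is not None:
            age_days = (now - entry.stat().st_mtime) / 86400
            if age_days > ignore_older_than_days:
                continue  # stale list: ignored, as the parameter promises
        networks = []
        for line in entry.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                networks.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                continue  # malformed entry: skip it rather than abort the list
        lists[entry.stem] = networks
    return lists


def lookup(ip, lists):
    """Names of the lists containing ip (IPv4 or IPv6), sorted."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in lists.items()
                  if any(addr in net for net in nets))


def build_sample_dir():
    """Constructed sample data (not real FireHOL content): one list updated
    today and one last updated 40 days ago."""
    directory = tempfile.mkdtemp()
    fresh = Path(directory) / "fresh_list.netset"
    fresh.write_text("# constructed comment line\n198.51.100.0/24\n203.0.113.7\n")
    stale = Path(directory) / "stale_list.ipset"
    stale.write_text("192.0.2.5\n")
    forty_days_ago = time.time() - 40 * 86400
    os.utime(stale, (forty_days_ago, forty_days_ago))
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    lists = load_fresh_lists(sample, ignore_older_than_days=30)
    print(lookup("203.0.113.7", lists))  # ['fresh_list']
    print(lookup("192.0.2.5", lists))    # [] because stale_list was skipped
```

With ignoreolderthandays set to 30, the stale list is silently dropped, so a hit that only exists in an outdated list is not reported; that is the intended trade-off, and it is why the cron-driven git pull matters.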

Fortiguard

Check the Fortiguard category of a URL or a domain.

The analyzer comes in only one flavor called Fortiguard_URLCategory.

Requirements

This analyzer comes with a default configuration mapping categories to their maliciousness. If needed, you can customize it by selecting the categories from the Fortiguard website: choose the categories you want to be considered malicious or suspicious; all others are reported by the analyzer as info. Analyzed observables that the Fortiguard service does not categorise are considered safe.

GoogleSafeBrowsing

Check URLs against Google Safebrowsing.

The analyzer comes in only one flavor.

Requirements

You need to obtain an API key from Google.

Provide your API key as a value of the key parameter.

Hashdd

Check file hashes against the Hashdd web service.

The analyzer comes in two flavors:

  • Status: query hashdd without an API key for the threat level only.
  • Detail: use an API key and obtain additional meta data about the sample.

Requirements

As long as you use the Status flavor you don't need an API key. If you want more details using the Detail flavor, you need to sign up for a hashdd.com account and obtain an API key.

Hippocampe

Query threat feeds through Hippocampe, a FOSS tool from TheHive Project that centralizes feeds and allows you to associate a confidence level to each one of them (that can be changed over time) and get a score indicating the data quality.

The analyzer comes in two flavors:

  • HippoMore: get the Hippocampe detailed report for an IP address, a domain or a URL.
  • Hipposcore: get the Hippocampe Score report associated with an IP address, a domain or a URL.

Requirements

The Hippocampe analyzer requires you to have a local instance of Hippocampe deployed/configured. It is a FOSS product that needs to be manually deployed in your environment. Please go to https://github.com/TheHive-Project/Hippocampe for more information on setting it up.

To configure the analyzer you need to supply the URL of your local instance using the url parameter.

HybridAnalysis

Fetch Hybrid Analysis reports associated with hashes and filenames.

This analyzer comes in only one flavor called HybridAnalysis_GetReport.

Requirements

You need to have or create a free Hybrid Analysis account.

Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair.

Provide the API key as a value for the key parameter and the secret as a value to the secret parameter.

Hunterio_DomainSearch

Query https://hunter.io/ and find emails associated with a given domain name.

This analyzer comes in only one flavor called Hunterio_DomainSearch.

Requirements

You need to have or create a free Hunter.io account.

Provide the API key as a value for the key parameter.

MaxMind

Geolocate an IP Address via MaxMind GeoLite2 free City and Country databases.

Cortex does not refresh those databases automatically. It is up to you to create a cron job to refresh them at the frequency you want. The files to update are:

  • MaxMind/GeoLite2-City.mmdb
  • MaxMind/GeoLite2-Country.mmdb

You can fetch up-to-date versions from https://dev.maxmind.com/geoip/geoip2/geolite2/.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

MISP

Query multiple MISP (Malware Information Sharing Platform) instances for events containing an observable.

MISP is a FOSS threat sharing platform. It is considered the de facto standard in the field. You'd benefit greatly from using it in conjunction with Cortex and TheHive, as these 3 products form an interesting Threat Intelligence, Incident Response and Digital Forensics ecosystem.

The analyzer comes in only one flavor.

Requirements

The MISP analyzer requires you to have access to one or several MISP instances. You can also deploy your own instance.

Four parameters are required to make the analyzer work:

  • url
  • key
  • certpath
  • name

You need the URL for each MISP instance you'd like to search. Those URLs go in the url dict. You'll also need the authentication key associated with your account on each of those instances. To obtain the key, log into the MISP instance's Web UI, click on your username on the top navigation bar and retrieve the value of the Authkey parameter. Each Authkey must be added, in the same order as the URLs to the key dict.

Another important parameter is the certpath dict. For each MISP instance:

  • Use false if you don't want to validate the instance's X.509 certificate or if the instance uses plain HTTP.
  • Use "/etc/ssl/certs" or another file to validate the instance's X.509 certificate.

Last but not least, give each instance a name and add it in the order you specified URLs and keys above to the name dict.
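Because url, key, certpath and name are four separate ordered lists, the most common configuration mistake is a list that is one entry short, which silently pairs an Authkey with the wrong instance. The following added example (written for this guide, not the MISP analyzer's own code) turns the four lists into one record per instance, refuses misaligned lists, and flags two settings worth a second look: plain-HTTP instances, where the Authkey travels unencrypted, and HTTPS instances with certificate validation switched off. It assumes certpath arrives either as the boolean false or as the string "false"; the sample configuration and keys are constructed placeholders.

```python
# Added example for the MISP analyzer's url/key/certpath/name settings.
# Not the analyzer's own code; the sample values below are placeholders.

FIELDS = ("url", "key", "certpath", "name")


def verify_from_certpath(certpath):
    """Map a certpath entry to what an HTTP client expects for 'verify'.
    Assumption: 'false' may arrive as boolean False or as the string "false"."""
    if certpath is False or (isinstance(certpath, str) and certpath.lower() == "false"):
        return False
    if isinstance(certpath, str) and certpath:
        return certpath  # CA bundle file or certificate directory
    raise ValueError(f"unsupported certpath value: {certpath!r}")


def build_misp_instances(config):
    """config: dict holding the lists url, key, certpath and name in matching order.
    Returns (instances, warnings); raises ValueError when the lists do not line up
    or a URL has no http(s) scheme."""
    lengths = {f: len(config.get(f) or []) for f in FIELDS}
    if len(set(lengths.values())) != 1 or lengths["url"] == 0:
        raise ValueError(f"url, key, certpath and name must be equally long and non-empty: {lengths}")
    instances, warnings = [], []
    for url, key, certpath, name in zip(*(config[f] for f in FIELDS)):
        if not url.startswith(("http://", "https://")):
            raise ValueError(f"{name}: url must start with http:// or https://, got {url}")
        verify = verify_from_certpath(certpath)
        if url.startswith("http://"):
            warnings.append(f"{name}: plain HTTP, the Authkey is sent unencrypted")
        elif verify is False:
            warnings.append(f"{name}: HTTPS without certificate validation")
        instances.append({"name": name, "url": url.rstrip("/"), "key": key, "verify": verify})
    return instances, warnings


# Constructed sample configuration: three instances, placeholder URLs and keys.
SAMPLE_CONFIG = {
    "url": ["https://misp.example.org", "http://misp-lab.internal", "https://misp2.example.org/"],
    "key": ["AUTHKEY-PLACEHOLDER-1", "AUTHKEY-PLACEHOLDER-2", "AUTHKEY-PLACEHOLDER-3"],
    "certpath": ["/etc/ssl/certs", False, "false"],
    "name": ["prod", "lab", "partner"],
}

if __name__ == "__main__":
    instances, warnings = build_misp_instances(SAMPLE_CONFIG)
    for inst in instances:
        print(inst["name"], inst["url"], "verify =", inst["verify"])
    for warning in warnings:
        print("WARNING:", warning)
```

The verify value is exactly what a requests-style client takes for its verify argument, so each record can be handed straight to the HTTP call for that instance.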

MISP Warninglists

Check IP addresses, hashes, domains, FQDNs and URLs against MISP WarningLists.

The analyzer comes in only one flavor.

Requirements

This analyzer needs you to download the MISP WarningLists first to a directory. Use git for that purpose:

$ mkdir /path/to/misp-warninglists/repository
$ cd /path/to/misp-warninglists/repository
$ git clone https://github.com/MISP/misp-warninglists

We advise you to keep the lists fresh, for example by adding a cron entry that regularly updates them (using git pull).

Specify the directory where the WarningLists have been downloaded or updated using the path parameter.

Msg_Parser

Parse Outlook message files automatically and show the key information they contain, such as headers, attachments etc. Please note that the analyzer doesn't extract attachments.

The analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

Onyphe

Get publicly available information from Onyphe for IP addresses.

The analyzer comes in five flavors:

  • Onyphe_Forward: retrieve forward DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.
  • Onyphe_Geolocate: retrieve geolocation information for the given IPv{4,6} address.
  • Onyphe_Ports: retrieve SYN scan information Onyphe has for the given IPv{4,6} address with history of changes.
  • Onyphe_Reverse: retrieve reverse DNS lookup information Onyphe has for the given IPv{4,6} address with history of changes.
  • Onyphe_Threats: retrieve Onyphe threat information for the given IPv{4,6} address with history.

Requirements

Provide the API key as a value for the key parameter.

OTXQuery

Query AlienVault's Open Threat Exchange for IPs, domains, URLs, or file hashes.

The analyzer comes in only one flavor.

Requirements

You need to sign up for an OTX account or use an existing one.

Log in to your OTX account, click on your username on the top navigation bar then on Settings and retrieve your OTX key and use it as the value of the key parameter.

PhishTank

Query PhishTank to assess whether a URL has been flagged as a phishing site.

The analyzer comes in only one flavor called PhishTank_CheckURL.

Requirements

You need to sign up for a PhishTank account or use an existing one.

Log in to your PhishTank account, click on the Developers tab then on Manage Applications, register an application by giving it a name and entering a CAPTCHA code. You'll obtain an API key that you'll need to supply as the value to the key configuration parameter for this analyzer to work.

PhishingInitiative

Query Phishing Initiative to assess whether a URL has been flagged as a phishing site.

This analyzer comes in two flavors called PhishingInitiative_Lookup and PhishingInitiative_Scan.

Requirements

You need to sign up for a Phishing Initiative account or use an existing one.

Log in to your Phishing Initiative account, click on the icon representing your account details then on API. Retrieve the API key value and supply it as the value to the key configuration parameter.

Pulsedive

Query Pulsedive and get information about a domain name, hash, IP or URL.

This analyzer comes in only one flavor called Pulsedive_GetIndicator.

Requirements

You need to sign up for a Pulsedive account or use an existing one.

Provide the API key as a value for the key parameter.

Robtex

Query the Robtex database and retrieve information about a domain, a FQDN or an IP address.

This analyzer comes in three flavors:

  • Robtex_Forward_PDNS_Query: check domains/FQDNs using the Robtex passive DNS database.
  • Robtex_IP_Query: make IP lookups against the Robtex DB.
  • Robtex_Reverse_PDNS_Query: check IPs in Robtex reverse passive DNS database.

The analyzer uses the free Robtex API which needs no subsequent configuration. However, the free API has limits with regard to rates and amount of data returned.

StaxxSearch

Fetch observable details from an Anomali STAXX instance.

This analyzer comes in only one flavor.

Requirements

You need to install an Anomali STAXX instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:

  • auth_url: URL of the authentication endpoint.
  • query_url: URL of the intelligence endpoint.
  • username: the STAXX user name.
  • password: the STAXX password.
  • cert_check: boolean indicating whether the certificate of the endpoint must be checked or not.
  • cert_path: path to the CA on the system to validate the endpoint's certificate if cert_check is true.

StopForumSpam

Query StopForumSpam to check if an IP or email address is a known spammer.

Requirements

You need to define the thresholds above which the analyzed observable should be marked as suspicious or malicious.

ThreatCrowd

Look up domains, mail and IP addresses on ThreatCrowd, a service powered by AlienVault.

This analyzer comes in only one flavor.

No configuration is needed. It can be used out of the box.

Tor Blutmagie

Check if an IP address, a domain or a FQDN is known by Blutmagie to be linked to a Tor node.

This analyzer comes in only one flavor.

Requirements

In order to check if an IP, domain or FQDN is a Tor exit node, this analyzer queries the Tor status service at Blutmagie.de. The analyzer caches results to save time on repeated queries, so the configuration includes parameters for the cache directory and the caching duration.

Tor Project

Check if an IP address is known to be a Tor node. The information source is the official Tor network status.

This analyzer comes in only one flavor.

Requirements

The analyzer caches results to save time on repeated queries, so the configuration includes parameters for the cache directory and the caching duration. This analyzer also accepts a ttl parameter, which is the threshold in seconds after which exit nodes are discarded.

Unshortenlink

Follow redirects of shortened URLs to reveal the real ones.

This analyzer comes in only one flavor.

No configuration is required. It can be used out of the box.

Warning: using this analyzer without extra caution might lead to unexpected consequences. For example, if the URL you are seeking to unshorten is an attacker-controlled one, you may end up leaving undesired traces in the threat actor's infrastructure logs. The TLP values Cortex allows you to configure to prevent the use of an analyzer when the TLP associated with an observable is above the authorized level won't be of much help, since Unshortenlink has to access the shortened URL. Please do not activate this analyzer unless you (and your fellow analysts) know what you are doing.

URLhaus

Check if a domain, URL or hash is known by Abuse.ch and stored in the URLhaus database, and get a report about its 'maliciousness'.

This analyzer comes in only one flavor.

No configuration is needed. It can be used out of the box.

Virusshare

Check whether a file or hash is available on VirusShare.com.

This analyzer comes in only one flavor.

Requirements

Prior to using the analyzer, you need to retrieve the Virusshare hash lists using the download_hashes.py script that is located in the same directory as the analyzer. To keep your lists fresh, you may want to regularly download them using a cron entry or a similar system.

Indicate the path where you have downloaded the hash lists using the path parameter.

WOT

Check a domain against Web of Trust, a website reputation service.

This analyzer comes in only one flavor called WOT_Lookup.

Requirements

An account with Web of Trust is required to get an API key, which is necessary to configure the analyzer. You can sign up for an account at https://www.mywot.com/en/signup?destination=profile/api.

Supply the API key you'll find under https://www.mywot.com/en/signup?destination=profile/api as the value for the key parameter.

Yara

Check files against YARA rules using yara-python.

The analyzer comes in only one flavor.

Requirements

You need to point your analyzer to multiple files and/or directories containing your YARA rules. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.

Add each file and/or directory containing YARA rules to the rules dict.

Yeti

YETI is a FOSS platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. The analyzer for this platform lets you make API calls to YETI and retrieve all available information pertaining to a domain, a fully qualified domain name, an IP address, a URL or a hash.

This analyzer comes in only one flavor.

Requirements

The Yeti analyzer requires you to have a local instance of YETI deployed/configured. It is an open source tool that is free for use but needs to be manually deployed in your environment.

Provide the URL of your YETI instance as a value for the url parameter.

Analyzers Requiring Special Access

CERTatPassiveDNS

Check CERT.at Passive DNS Service for a given domain.

This analyzer comes in only one flavor.

Requirements

Access to the CERT.at service is allowed to trusted partners only. If you think you qualify, please contact CERT.at.

No configuration is required. It can be used out of the box if CERT.at positively answers your access request.

CIRCLPassiveDNS

Check CIRCL's Passive DNS for a given domain.

This analyzer comes in only one flavor.

Requirements

Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg and abroad. Contact CIRCL if you would like access. Include your affiliation and the foreseen use of the Passive DNS data.

If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.

Supply your username as the value for the user parameter and your password as the value for the password parameter.

CIRCLPassiveSSL

Check CIRCL's Passive SSL service for a given IP address or certificate hash.

This analyzer comes in only one flavor.

Requirements

Access to CIRCL Passive SSL is allowed to partners including security researchers or incident analysts worldwide. Contact CIRCL if you would like access.

If the CIRCL positively answers your access request, you'll obtain a username and password which are needed to make the analyzer work.

Supply your username as the value for the user parameter and your password as the value for the password parameter.

GreyNoise

Determine whether an IP has known scanning activity using GreyNoise.

This analyzer comes in only one flavor.

Requirements

The analyzer can be used out of the box without configuration. However, if you make many requests, you need to obtain an API key. Please contact GreyNoise to ask for one.

Once you get the API key, provide it as the value of the key parameter.

IBM X-Force

Query domains, IPs, hashes and URLs against IBM X-Force Threat Intelligence sharing platform.

This analyzer comes in only one flavor.

Requirements

Access to IBM X-Force Threat Exchange requires an IBM ID.

Once you have access to the service, supply the URL of the service as value for the url parameter, the API key associated with your account as value for the key parameter and the associated password as the value of the pwd parameter.

Malpedia

Scan files against YARA rules automatically downloaded every 10 hours by the analyzer from Malpedia.

If a rule matches, the analyzer tries to retrieve more info from Malpedia such as the malware family (currently more than 600) and the actor group (tracked through MISP Galaxies).

This analyzer comes in only one flavor.

Requirements

You need access to Malpedia to use this analyzer. Please note that Malpedia does not feature open registration. It is operated as an invite-only trust group. If you believe you qualify for an account, please see Malpedia's Terms of Services for contact details.

If you have access to Malpedia, provide your username as the value for the username parameter and the associated password as the value of the password parameter then specify a location where the analyzer will download the YARA rules to using the path parameter.

Malwares

Query Malwares.com and get reports on files, hashes, domain names and IP addresses.

The analyzer comes in two flavors:

  • Malwares_GetReport: get the latest Malwares report for a file, hash, domain or an IP address.
  • Malwares_Scan: scan a file or URL.

Requirements

You need to sign up for a Malwares.com account.

An API key to use the service's API should be associated with your account. Supply it as the value of the key parameter.

MnemonicPDNS

Query IP addresses and domain names against Mnemonic Passive DNS service.

This analyzer comes in two flavors:

  • Mnemonic_pDNS_Public: query Mnemonic's public service.
  • Mnemonic_pDNS_Closed: query Mnemonic's closed service.

Requirements

When using the public service, the analyzer can be used out of the box with no further configuration.

When using the closed service, you need to contact Mnemonic to get an API key which you'll need to supply as the value of the key parameter.

SinkDB

Check the SinkDB service from abuse.ch for a given IP address.

This analyzer comes in only one flavor.

Requirements

SinkDB is a private service provided by abuse.ch which collects sinkholed IPs. Access to this service is restricted to trusted partners. If you would like access, request it using the form available on the SinkDB website.

Provide the API key as a value for the key parameter.

Shodan

Retrieve key Shodan information on domains and IP addresses.

This analyzer comes in two flavors:

  • Shodan_Host: get Shodan information on a host.
  • Shodan_Search: get Shodan information on a domain.

Requirements

You need to create a Shodan account and retrieve the associated API Key. For best results, it is advised to get a Membership level account, otherwise a free one can be used.

Supply the API key as the value for the key parameter.

Subscription and License-based Analyzers

DNSDB

Leverage Farsight Security's DNSDB for Passive DNS.

This analyzer comes in three flavors:

  • DNSDB_DomainName: fetch historical records for a domain.
  • DNSDB_IPHistory: fetch historical records for an IP address.
  • DNSDB_NameHistory: fetch historical records for a fully-qualified domain name.

Requirements

You need a valid subscription to Farsight Security's DNSDB service to use the analyzer.

Provide the URL of the DNSDB API service to the server parameter. The default (https://api.dnsdb.info) should work. If it doesn't, contact Farsight Security.

Provide your API key as a value to the key parameter.

DomainTools

Look up domain names, IP addresses, WHOIS records, etc. using the popular DomainTools service API.

The analyzer comes in the following flavors:

  • DomainTools_ReverseIP: get a list of domain names sharing the same IP address.
  • DomainTools_ReverseNameServer: get a list of domain names that share the same primary or secondary name server.
  • DomainTools_ReverseWhois: get a list of domain names which share the same registrant information.
  • DomainTools_WhoisHistory: get a list of historical Whois records associated with a domain name.
  • DomainTools_WhoisLookup: get the ownership record for a domain with basic registration details.
  • DomainTools_WhoisLookup_IP: get the ownership record for an IP address with basic registration details.
  • DomainTools_Risk: get a risk score for a given domain name.
  • DomainTools_Reputation: get a reputation score for a given domain name.

Requirements

You need a valid DomainTools API integration subscription to use the analyzer.

Provide your username as a value for the username parameter and API key as a value for the key parameter.

EmergingThreats

Leverage Proofpoint's Emerging Threats Intelligence to assess the reputation of various observables and obtain additional and valuable information on malware.

The service comes in three flavors:

  • EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
  • EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
  • EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

Requirements

You need a valid Proofpoint Emerging Threats Intelligence subscription to use the analyzer.

Retrieve the API key associated with your account and provide it as a value to the key parameter.

FireEye iSIGHT

Leverage FireEye iSIGHT Threat Intelligence to qualify domains, IP addresses, hashes and URLs.

This analyzer comes in only one flavor.

Requirements

You need a valid FireEye iSIGHT Threat Intelligence subscription to use the analyzer.

Retrieve the API key associated with your account and provide it as a value to the key parameter. Obtain the password associated with the API key and provide it as a value to the pwd parameter.

JoeSandbox

Analyze URLs and files using the powerful Joe Sandbox malware analysis solution.

Joe Sandbox is a commercial solution by Joe Security LLC. It comes in several versions. The analyzer has been tested with Joe Sandbox Cloud, Joe Sandbox Ultimate and Joe Sandbox Complete.

The analyzer comes in 3 flavors:

  • JoeSandbox_File_Analysis_Inet: analyze files while providing Internet access.
  • JoeSandbox_File_Analysis_Noinet: analyze files without providing Internet access.
  • JoeSandbox_Url_Analysis: analyze URLs.

Requirements

Provide the URL of your on-premises Joe Sandbox instance or the cloud version to the url parameter and supply the associated API key as a value for the key parameter.

PassiveTotal

Leverage RiskIQ's PassiveTotal service to gain invaluable insight on observables, identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.

The analyzer comes in 8 flavors:

  • PassiveTotal_Enrichment: enrichment lookup.
  • PassiveTotal_Malware: malware lookup.
  • PassiveTotal_Osint: OSINT lookup.
  • PassiveTotal_Passive_Dns: passive DNS lookup.
  • PassiveTotal_Ssl_Certificate_Details: SSL certificate details.
  • PassiveTotal_Ssl_Certificate_History: SSL certificate history lookup.
  • PassiveTotal_Unique_Resolutions: unique resolutions lookup.
  • PassiveTotal_Whois_Details: WHOIS details lookup.

Requirements

You need a PassiveTotal account to obtain the API key which is required to use the analyzer. If you sign up for a Community Edition Account, you'll have a very limited number of queries. You can purchase a PassiveTotal subscription for a higher number of queries per day.

Provide your account's username as the value of the username parameter and the associated API key as value for the key parameter.

PayloadSecurity

Submit files or URLs to an on premise PayloadSecurity sandbox and fetch the associated reports.

This analyzer comes in only one flavor.

Requirements

Five parameters are required to make the analyzer work:

  • url
  • key
  • secret
  • environmentid
  • verifyssl

Provide the API key as a value for the key parameter and the secret as a value for the secret parameter. The url parameter should be the address of your on-premise service. environmentid should also be gathered from your custom configuration.

Nessus

Use Nessus Professional, a popular vulnerability scanner, to scan an IP address or a FQDN. This analyzer works with Nessus 6 or earlier. Tenable removed API access starting from version 7, rendering this analyzer useless with that version.

The analyzer comes in only one flavor.

Requirements

You must have a locally deployed instance of Nessus Professional 6 or earlier to use the analyzer. The scanner must have at least a scan policy defined. You must not scan assets that do not belong to you, unless you really know what you are doing. That’s why safeguards were built in the analyzer’s configuration.

To configure the analyzer, you must supply the following parameters:

  • url: URL of your Nessus scanner.
  • login: username to log in to the scanner.
  • password: password of your login account.
  • policy: the scan policy to use.
  • ca_bundle: an optional parameter to validate the X.509 certificate of the scanner. This parameter must be omitted if no validation is needed.
  • allowed_networks: a list of networks in CIDR notation that the scanner is allowed to probe.
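The allowed_networks parameter is the safeguard mentioned above: a scan should only be launched when the target falls inside networks you own. The following added example (written for this guide, not the Nessus analyzer's own code) shows such a check. An IP literal is tested directly; a FQDN is resolved first and every address it maps to must be inside the allow list, so a name that resolves to one internal and one external address is refused. The resolver is injectable, and the stub DNS table and allow list below are constructed so the check runs offline.

```python
import ipaddress
import socket

# Added example of an allowed_networks pre-scan check; not the Nessus
# analyzer's own code. The stub DNS data below is constructed.


def resolve_all(hostname):
    """Default resolver: every IPv4/IPv6 address the name maps to (needs DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_scan_allowed(target, allowed_networks, resolver=resolve_all):
    """target: IP address or FQDN; allowed_networks: list of CIDR strings.
    Returns (allowed, reason). An empty or malformed allow list refuses
    everything rather than letting the scan through."""
    try:
        networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    except ValueError as exc:
        return False, f"invalid allowed_networks entry: {exc}"
    if not networks:
        return False, "allowed_networks is empty, refusing to scan anything"
    try:
        addresses = [ipaddress.ip_address(target)]
    except ValueError:  # not an IP literal, treat it as a hostname
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(target)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {target}: {exc}"
        if not addresses:
            return False, f"{target} resolved to no address"
    for addr in addresses:
        if not any(addr in net for net in networks):
            return False, f"{addr} is outside allowed_networks"
    joined = ", ".join(str(a) for a in addresses)
    return True, f"{target} -> {joined}, all inside allowed_networks"


# Constructed allow list and stub DNS table (placeholder names, no real lookups).
SAMPLE_ALLOWED = ["10.0.0.0/8", "192.168.1.0/24"]
STUB_DNS = {
    "internal.lab.example": ["10.20.30.40"],
    "mixed.lab.example": ["10.1.1.1", "203.0.113.9"],
}


def stub_resolver(hostname):
    """Offline stand-in for resolve_all; unknown names fail like real DNS would."""
    if hostname not in STUB_DNS:
        raise socket.gaierror(f"constructed stub: unknown host {hostname}")
    return STUB_DNS[hostname]


if __name__ == "__main__":
    for target in ("10.5.5.5", "203.0.113.9", "internal.lab.example", "mixed.lab.example"):
        print(target, is_scan_allowed(target, SAMPLE_ALLOWED, stub_resolver))
```

Refusing on any out-of-range address, rather than scanning the in-range ones, is deliberate: the scanner would otherwise probe whichever address it happens to pick at scan time.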

VirusTotal

Look up files, URLs and hashes in VirusTotal.

The analyzer comes in two flavors:

  • VirusTotal_GetReport: get the latest VirusTotal report for a file, hash, domain, URL or an IP address.
  • VirusTotal_Scan: scan a file or URL.

Requirements

You need a VirusTotal community account or a Private API subscription, a premium service.

Please note that a community account is highly limited in the number of API queries it can make. If you can afford them, subscribe to the premium services.

Provide the API key associated with your account as a value to the key parameter.

VMRay

Analyze files using the VMRay Analyzer Platform commercial sandbox.

The analyzer comes in only one flavor. It lets you run a file in a local or remote (cloud) VMRay sandbox. The analyzer also lets you check existing analysis reports.

Requirements

You need a VMRay Analyzer Platform to use the analyzer.

To configure the analyzer, provide the URL of the platform as a value for the url parameter and the API key as a value for the key parameter.

To validate the X.509 certificate of your VMRay Analyzer Platform instance, use the certpath parameter.