Cortex Analyzers

Repository used for developing analyzers for Cortex.

This repository contains 10 updated analyzers which can be used in Cortex.

Analyzers

Installation Guide

Clone this repository into the Cortex directory of your installation.

cd /opt
sudo git clone https://github.com/pjuhas/Cortex-Analyzers.git

You may need to install the Cortex prerequisites in order to successfully install and use the Cortex analyzers.

sudo apt-get install -y --no-install-recommends python-pip python3-pip python3-dev ssdeep libfuzzy-dev libfuzzy2 libmagic1 build-essential libssl-dev
sudo pip install -U pip setuptools && sudo pip3 install -U pip setuptools

Install all Python modules the analyzers need; each analyzer lists them in its own requirements.txt. The loop below continues past an analyzer whose requirements fail to install, so check its output for errors.

for I in $(find Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip3 install -r "$I" || true; done

Update your Cortex application.conf.

...
## ANALYZERS
analyzer {
...
"/opt/Cortex-Analyzers/analyzers"
}
...

Restart Cortex and you should see the installed analyzers under Organization → Analyzers.


BitcoinAbuse

Checks a Bitcoin address against the Bitcoin Abuse database.

Returns the number of reports and their descriptions.

Requirements

Provide your API key from BitcoinAbuse as a value of the key parameter.


CheckPhish

Detailed analysis of a URL via CheckPhish.

Returns a link to the analysis and a screenshot of the site.

Requirements

Provide your API key from CheckPhish as a value of the key parameter.


IP-API

Checks an IP address or domain using ip-api.com.

Returns geolocation information for the IP address or domain.

No configuration is required. It can be used out of the box.


IPTracker

Checks an IP address using IPTracker.

Returns geolocation information for the IP address.

Requirements

Provide your API key from IPTracker as a value of the key parameter.


KapeIPParser

Parses established connections from KAPE logs produced by the following collection (the Get-NetworkConnection module):

.\kape.exe --tsource <source> --tdest <destination> --tflush --target !BasicCollection --msource <source> --mdest <destination> --mflush --module Get-NetworkConnection

Returns the remote IP addresses of established connections.

No configuration is required. It can be used out of the box.
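The extraction the analyzer performs, as an added example that is not this repository's code: it filters a Get-NetworkConnection export down to Established rows and returns the distinct remote IPs, skipping loopback, unspecified and malformed addresses. The CSV column layout (PowerShell's Get-NetTCPConnection property names) and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of a KAPE Get-NetworkConnection CSV export.
# Column names follow Get-NetTCPConnection's properties; the exact layout KAPE
# writes is an assumption, not taken from this repository.
SAMPLE_CSV = """LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess
192.168.1.20,49712,203.0.113.10,443,Established,4120
192.168.1.20,49713,203.0.113.10,443,Established,4120
127.0.0.1,49714,127.0.0.1,5432,Established,880
0.0.0.0,135,0.0.0.0,0,Listen,912
192.168.1.20,49720,198.51.100.7,8080,TimeWait,4120
192.168.1.20,49721,2001:db8::1,443,Established,5200
192.168.1.20,49722,not-an-ip,443,Established,5200
"""


def established_remote_ips(csv_text):
    """Distinct remote IPs of Established connections, in first-seen order.

    Loopback and unspecified addresses never identify a remote peer, so they
    are dropped; a malformed address is skipped rather than raised, so one bad
    row does not abort the whole collection.
    """
    seen = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("State", "").strip().lower() != "established":
            continue
        try:
            ip = ipaddress.ip_address(row.get("RemoteAddress", "").strip())
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        if str(ip) not in seen:
            seen.append(str(ip))
    return seen


def build_report(csv_text):
    """Shape the result the way an analyzer's report block would carry it."""
    ips = established_remote_ips(csv_text)
    return {"count": len(ips), "ips": ips}


if __name__ == "__main__":
    print(build_report(SAMPLE_CSV))
```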


KapeJSONParser

Parses the process list from KAPE logs produced by the following collection (the Get-Process module):

.\kape.exe --tsource <source> --tdest <destination> --tflush --target !BasicCollection --msource <source> --mdest <destination> --mflush --module Get-Process

Returns abbreviated information about the processes.

No configuration is required. It can be used out of the box.


KasperskyThreatIntelligencePortal

Analyzes an IP address, domain or hash via the Kaspersky Threat Intelligence Portal.

Returns basic information about the IP address, domain or hash.

Requirements

Provide your API key from KasperskyThreatIntelligencePortal as a value of the key parameter.


ThreatMiner

Returns WHOIS information for an IP address or domain, if available, using ThreatMiner.

No configuration is required. It can be used out of the box.


Verifalia

Submits an e-mail address for analysis via Verifalia.

Returns basic information about the analyzed e-mail address.

Requirements

Provide your Verifalia username as the value of the login parameter and your password as the value of the password parameter.


W3SA-UPJS

Checks whether an IP address belongs to the network of Pavol Jozef Šafárik University.

Returns the MAC address, server name, VLAN and more.

Requirements

Provide your W3SA username as the value of the login parameter and your password as the value of the password parameter.

