1.1 Current Integrations
cloudtracer edited this page Feb 16, 2017
Straight from the Chrome Web Store, ThreatPinch comes with the following integrations:
- ThreatMiner for IPv4, FQDN, MD5, SHA1 and SHA2 lookups.
- Alienvault OTX for IPv4, MD5, SHA1 and SHA2 lookups.
- IBM X-Force Exchange for IPv4 and FQDN lookups.
- VirusTotal for MD5, SHA1, SHA2 and FQDN lookups.
- Cymon.io for IPv4 lookups.
- Computer Incident Response Center Luxembourg for CVE Lookups.
- PassiveTotal for FQDN Whois lookups.
- MISP for MD5 and SHA2 lookups (if you want more, submit an issue in this GitHub repository).
- Censys.io for IPv4 lookups.
Below are the default ThreatPinch JSON Schemas used to build the requests; you can use them as a template to create your own integrations. The JSON Schemas are editable on the ThreatPinch Developer Options page. Note that the `userDefined` values (shown below as `YOURDATAHERE`) hold API credentials that are substituted into request headers and POST bodies, so keep copies of edited schemas that contain real keys out of shared or committed files.
{
"IBMXFORCEIP": {
"registration": {
"type":"Free",
"link":"https://exchange.xforce.ibmcloud.com/",
"title": "IBM X-Force Exchange",
"summary": "IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence and collaborate with peers. IBM X-Force Exchange is supported by human- and machine-generated intelligence leveraging the scale of IBM X-Force."
},
"authorizationSettings": {
"api_key": "${PINCH.USERDEFINED.api_key.value}",
"api_password": "${PINCH.USERDEFINED.api_password.value}",
"validated": true
},
"authorizationType": "API_KEY_AND_PASSWORD_BASIC",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://exchange.xforce.ibmcloud.com/ip/${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL} S:${PINCH.RESPONSE.score}",
"order": 0,
"title": "XFORCE"
},
"tpicons": {
"expression": "${(DATA.indexOf('botnet command and control server') >1) ? PINCH.ICONS.CC : ''}${(DATA.indexOf('malware') >1) ? PINCH.ICONS.MALWARE : ''}${(DATA.indexOf('bots') >1 ) ? PINCH.ICONS.BOT : ''}${(DATA.indexOf('phishing') >1 ) ? PINCH.ICONS.PHISHING : ''}${(DATA.indexOf('attacks') >1 ) ? PINCH.ICONS.ATTACK : ''}${(DATA.indexOf('scanning ips') >1 ) ? PINCH.ICONS.SCANS : ''}${(DATA.indexOf('spam') >1 ) ? PINCH.ICONS.SPAM : ''}${(DATA.indexOf('blacklist') >1 ) ? PINCH.ICONS.BLACKLIST : ''}${(DATA.indexOf('dynamic ips') >1 ) ? PINCH.ICONS.DYNAMIC : ''}",
"flatten": true,
"mapping": "${PINCH.RESPONSE.cats}",
"nocase": true,
"order": 1,
"raw": "cats",
"title": false
},
"country": {
"mapping": "${PINCH.RESPONSE.geo.country}",
"order": 2,
"title": "Country"
},
"summary": {
"mapping": "${PINCH.RESPONSE.reason}",
"order": 3,
"title": "Summary"
}
},
"dataType": "JSON",
"httpHeaders": "",
"httpType": "GET",
"indicatorExpression": "${(PINCH.RESPONSE.score > 1) ? ((PINCH.RESPONSE.score > 5) ? 'bad' : 'suspicious') : 'good'}",
"lookupName": "IBM X-Force Exchange IP Lookup",
"lookupType": "IPV4",
"lookupUrl": "https://api.xforce.ibmcloud.com/ipr/${PINCH.HOVERITEM}",
"lookupVariable": "IBMXFORCEIP",
"onError": "API Error",
"onNotAuthorized": "Setup XForce API",
"order": 0,
"regexMatcher": false,
"requestGroup": "INTERNET",
"userDefined": {
"api_key": {
"title": "X-Force API Key",
"value": "YOURDATAHERE"
},
"api_password": {
"title": "X-Force API password",
"value": "YOURDATAHERE"
}
}
},
"ALIENVAULTIP": {
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://www.alienvault.com/open-threat-exchange/dashboard#/my/reputation-monitor/${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL} S:${PINCH.RESPONSE.reputation_score}",
"order": 0,
"title": "AlienVault"
},
"tpicons": {
"expression": "${(DATA.indexOf('apt') >1) ? PINCH.ICONS.APT : ''}${(DATA.indexOf('c&c') >1) ? PINCH.ICONS.CC : ''}${(DATA.indexOf('malware') >1) ? PINCH.ICONS.MALWARE : ''}${(DATA.indexOf('malicious') >1) ? PINCH.ICONS.MALICIOUS : ''}${(DATA.indexOf('bot') >1 ) ? PINCH.ICONS.BOT : ''}${(DATA.indexOf('phishing') >1 ) ? PINCH.ICONS.PHISHING : ''}${(DATA.indexOf('attacks') >1 ) ? PINCH.ICONS.ATTACK : ''}${(DATA.indexOf('scanning') >1 ) ? PINCH.ICONS.SCANS : ''}${(DATA.indexOf('spam') >1 ) ? PINCH.ICONS.SPAM : ''}${(DATA.indexOf('blacklist') >1 ) ? PINCH.ICONS.BLACKLIST : ''}${(DATA.indexOf('dynamic') >1 ) ? PINCH.ICONS.DYNAMIC : ''}",
"flatten": true,
"mapping": "${PINCH.RESPONSE.activity_types}",
"nocase": true,
"order": 1,
"raw": "activity_types",
"title": false
}
},
"dataType": "JSON",
"httpHeaders": "",
"httpType": "GET",
"indicatorExpression": "${(PINCH.RESPONSE.reputation_score > 1) ? ((PINCH.RESPONSE.reputation_score > 3) ? 'bad' : 'suspicious') : 'good'}",
"lookupName": "AlienVault IP Lookup",
"lookupType": "IPV4",
"lookupUrl": "https://www.alienvault.com/apps/api/threat/ip/${PINCH.HOVERITEM}",
"lookupVariable": "ALIENVAULTIP",
"order": 1,
"regexMatcher": false,
"requestGroup": "INTERNET"
},
"CYMONIP": {
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://cymon.io/${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "CYMON"
},
"tpicons": {
"expression": "${(DATA.indexOf('malware') >1) ? PINCH.ICONS.MALWARE : ''}${(DATA.indexOf('botnet') >1 ) ? PINCH.ICONS.BOT : ''}${(DATA.indexOf('phishing') >1 ) ? PINCH.ICONS.PHISHING : ''}${(DATA.indexOf('attacks') >1 ) ? PINCH.ICONS.ATTACK : ''}${(DATA.indexOf('scanning') >1 ) ? PINCH.ICONS.SCANS : ''}${(DATA.indexOf('spam') >1 ) ? PINCH.ICONS.SPAM : ''}${(DATA.indexOf('blacklist') >1 ) ? PINCH.ICONS.BLACKLIST : ''}",
"flatten": true,
"mapping": "${PINCH.RESPONSE.timeline}",
"nocase": true,
"order": 1,
"raw": "timeline",
"title": false
}
},
"dataType": "JSON",
"httpHeaders": "",
"httpType": "GET",
"indicatorExpression": "${(JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('scanning') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('blacklist') >1) ? ((JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('malware') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('botnet') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('phishing') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('attacks') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('spam') >1) ? 'bad' : 'suspicious') : ((JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('malware') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('botnet') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('phishing') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('attacks') >1 || JSON.stringify(PINCH.RESPONSE.timeline).toLowerCase().indexOf('spam') >1) ? 'bad' : 'good')}",
"lookupName": "Cymon.io IP Lookup",
"lookupType": "IPV4",
"lookupUrl": "https://cymon.io/api/nexus/v1/ip/${PINCH.HOVERITEM}/timeline",
"lookupVariable": "CYMONIP",
"order": 2,
"regexMatcher": false,
"requestGroup": "INTERNET"
},
"THREATMINERIP": {
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://www.threatminer.org/host.php?q=${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "ThreatMiner"
},
"rdns": {
"mapping": "${PINCH.REGEXMATCH[1]}",
"order": 1,
"title": "rdns"
},
"bgp": {
"mapping": "${PINCH.REGEXMATCH[2]}",
"order": 2,
"title": "bgp"
},
"cc": {
"mapping": "${PINCH.REGEXMATCH[3]}",
"order": 3,
"title": "cc"
},
"asnname": {
"mapping": "${PINCH.REGEXMATCH[5]}",
"order": 4,
"title": "ASN"
},
"orgname": {
"mapping": "${PINCH.REGEXMATCH[6]}",
"order": 5,
"title": "ORG"
},
"reg": {
"mapping": "${PINCH.REGEXMATCH[7]}",
"order": 6,
"title": "REG"
}
},
"dataType": "HTML",
"httpHeaders": "",
"httpType": "POST",
"lookupName": "ThreatMiner IP Lookup",
"lookupType": "IPV4",
"lookupUrl": "https://www.threatminer.org/getData.php?e=whois_container&q=${PINCH.HOVERITEM}&t=1&rt=4&p=1",
"lookupVariable": "THREATMINERIP",
"order": 3,
"regexMatcher": "<tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr><tr><td.*?>.*?</td><td.*?>(.*?)</td></tr>",
"requestGroup": "INTERNET"
},
"VIRUSTOTALSHA2": {
"authorizationType": "DEFAULT",
"registration": {
"type":"Free",
"link":"https://www.virustotal.com/en/documentation/virustotal-community/",
"title": "VirusTotal",
"summary": "VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware."
},
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://www.virustotal.com/en/file/${PINCH.RESPONSE.sha256}/analysis/",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "VirusTotal"
},
"scanned": {
"mapping": "${PINCH.RESPONSE.scan_date} UTC",
"order": 1,
"title": "Scanned"
},
"detections": {
"mapping": "${PINCH.RESPONSE.positives}/${PINCH.RESPONSE.total}",
"order": 2,
"title": "Detections"
},
"samples": {
"condition": "${(PINCH.LOOP.detected === true ? 'true': 'false')}",
"datapath": "RESPONSE.scans",
"mapping": "${PINCH.LOOP.result}",
"objectloop": true,
"order": 3,
"title": "${PINCH.LOOPPROPNAME}"
}
},
"dataType": "JSON",
"httpHeaders": "",
"httpPostData": "resource=${PINCH.HOVERITEM}&apikey=${PINCH.USERDEFINED.api_key.value}",
"httpType": "POST",
"indicatorExpression": "${(PINCH.RESPONSE.positives > 1) ? ((PINCH.RESPONSE.positives > 3) ? 'bad' : 'suspicious') : 'good'}",
"lookupName": "VirusTotal SHA2 Lookup",
"lookupType": "SHA2",
"lookupUrl": "https://www.virustotal.com/vtapi/v2/file/report",
"lookupVariable": "VIRUSTOTALSHA2",
"order": 4,
"requestGroup": "INTERNET",
"userDefined": {
"api_key": {
"title": "API Key",
"value": "YOURDATAHERE"
}
}
},
"ALIENVAULTSHA2": {
"authorizationType": "DEFAULT",
"registration": {
"type":"Free",
"link":"https://otx.alienvault.com/",
"title": "AlienVault Open Threat Exchange",
"summary": "World's First Open Threat Intelligence Community - Threat sharing in the security industry remains mainly ad-hoc and informal, filled with blind spots, frustration, and pitfalls. Our vision is for companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyberattacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). AlienVault’s Open Threat Exchange (OTX) delivers the first truly open threat intelligence community that makes this vision a reality."
},
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://otx.alienvault.com/browse/pulses/?q=${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "AlienVault"
},
"pulses": {
"mapping": "${PINCH.RESPONSE.pulse_info.count}",
"order": 1,
"title": "Pulses"
}
},
"dataType": "JSON",
"httpHeaders": {
"X-OTX-API-KEY": "${PINCH.USERDEFINED.api_key.value}"
},
"httpType": "GET",
"lookupName": "AlienVault SHA2 Lookup",
"lookupType": "SHA2",
"lookupUrl": "https://otx.alienvault.com:443/api/v1/indicators/file/${PINCH.HOVERITEM}/general",
"lookupVariable": "ALIENVAULTSHA2",
"order": 5,
"requestGroup": "INTERNET",
"userDefined": {
"api_key": {
"title": "AlienVault OTX Key",
"value": "YOURDATAHERE"
}
}
},
"THREATMINERSHA2": {
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://www.threatminer.org/sample.php?q=${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "ThreatMiner"
},
"samples": {
"mapping": "${PINCH.REGEXMATCH[2]}",
"order": 1,
"regexloop": true,
"title": "${PINCH.REGEXMATCH[1]}"
}
},
"dataType": "HTML",
"httpHeaders": "",
"httpType": "POST",
"indicatorExpression": "${(PINCH.REGEXLOOPCOUNTER > 1) ? ((PINCH.REGEXLOOPCOUNTER > 4) ? 'bad' : 'suspicious') : 'good'}",
"lookupName": "ThreatMiner SHA2 Lookup",
"lookupType": "SHA2",
"lookupUrl": "https://www.threatminer.org/getData.php?e=av_container&q=${PINCH.HOVERITEM}&t=2&rt=7&p=1",
"lookupVariable": "THREATMINERSHA2",
"order": 6,
"regexMatcher": {
"flags": "gm",
"loop": true,
"regex": "<tr><td.*?>(.*?)</td><td.*?><a.*?>(.*?)</a></td></tr>"
},
"requestGroup": "INTERNET"
},
"VIRUSTOTALMD5": {
"registration": {
"type":"Free",
"link":"https://www.virustotal.com/en/documentation/virustotal-community/",
"title": "VirusTotal",
"summary": "VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware."
},
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://www.virustotal.com/en/file/${PINCH.RESPONSE.sha256}/analysis/",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "VirusTotal"
},
"scanned": {
"mapping": "${PINCH.RESPONSE.scan_date} UTC",
"order": 1,
"title": "Scanned"
},
"detections": {
"mapping": "${PINCH.RESPONSE.positives}/${PINCH.RESPONSE.total}",
"order": 2,
"title": "Detections"
},
"samples": {
"condition": "${(PINCH.LOOP.detected === true ? 'true': 'false')}",
"datapath": "RESPONSE.scans",
"mapping": "${PINCH.LOOP.result}",
"objectloop": true,
"order": 3,
"title": "${PINCH.LOOPPROPNAME}"
}
},
"dataType": "JSON",
"httpHeaders": "",
"httpPostData": "resource=${PINCH.HOVERITEM}&apikey=${PINCH.USERDEFINED.api_key.value}",
"httpType": "POST",
"indicatorExpression": "${(PINCH.RESPONSE.positives > 1) ? ((PINCH.RESPONSE.positives > 3) ? 'bad' : 'suspicious') : 'good'}",
"lookupName": "VirusTotal MD5 Lookup",
"lookupType": "MD5",
"lookupUrl": "https://www.virustotal.com/vtapi/v2/file/report",
"lookupVariable": "VIRUSTOTALMD5",
"order": 7,
"requestGroup": "INTERNET",
"userDefined": {
"api_key": {
"title": "API Key",
"value": "YOURDATAHERE"
}
}
},
"ALIENVAULTMD5": {
"registration": {
"type":"Free",
"link":"https://otx.alienvault.com/",
"title": "AlienVault Open Threat Exchange",
"summary": "World's First Open Threat Intelligence Community - Threat sharing in the security industry remains mainly ad-hoc and informal, filled with blind spots, frustration, and pitfalls. Our vision is for companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyberattacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). AlienVault’s Open Threat Exchange (OTX) delivers the first truly open threat intelligence community that makes this vision a reality."
},
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://otx.alienvault.com/browse/pulses/?q=${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "AlienVault"
},
"pulses": {
"mapping": "${PINCH.RESPONSE.pulse_info.count}",
"order": 1,
"title": "Pulses"
}
},
"dataType": "JSON",
"httpHeaders": {
"X-OTX-API-KEY": "${PINCH.USERDEFINED.api_key.value}"
},
"httpType": "GET",
"lookupName": "AlienVault MD5 Lookup",
"lookupType": "MD5",
"lookupUrl": "https://otx.alienvault.com/api/v1/indicators/file/${PINCH.HOVERITEM}/general",
"lookupVariable": "ALIENVAULTMD5",
"order": 8,
"requestGroup": "INTERNET",
"userDefined": {
"api_key": {
"title": "AlienVault OTX Key",
"value": "YOURDATAHERE"
}
}
},
"THREATMINERMD5": {
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://www.threatminer.org/sample.php?q=${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "ThreatMiner"
},
"samples": {
"mapping": "${PINCH.REGEXMATCH[2]}",
"order": 1,
"regexloop": true,
"title": "${PINCH.REGEXMATCH[1]}"
}
},
"dataType": "HTML",
"httpHeaders": "",
"httpType": "POST",
"indicatorExpression": "${(PINCH.LOOPCOUNTER > 1) ? ((PINCH.LOOPCOUNTER > 4) ? 'bad' : 'suspicious') : 'good'}",
"lookupName": "ThreatMiner MD5 Lookup",
"lookupType": "MD5",
"lookupUrl": "https://www.threatminer.org/getData.php?e=av_container&q=${PINCH.HOVERITEM}&t=2&rt=7&p=1",
"lookupVariable": "THREATMINERMD5",
"order": 9,
"regexMatcher": {
"flags": "gm",
"loop": true,
"regex": "<tr><td.*?>(.*?)</td><td.*?><a.*?>(.*?)</a></td></tr>"
},
"requestGroup": "INTERNET"
},
"CIRCLCVE": {
"authorizationType": "DEFAULT",
"dataSchema": {
"title": {
"linkTitle": "${PINCH.HOVERITEM}",
"linkUrl": "https://cve.circl.lu/cve/${PINCH.HOVERITEM}",
"mapping": "${PINCH.LINKURL}",
"order": 0,
"title": "CIRCL"
},
"CVSS": {
"mapping": "${PINCH.RESPONSE.cvss}",
"order": 1,
"title": "CVSS"
},
"Metasploit": {
"mapping": "${PINCH.RESPONSE.map_cve_msf.msfid}",
"order": 2,
"title": "Metasploit"
},
"ExploitDB": {
"mapping": "${PINCH.RESPONSE.map_cve_exploitdb.exploitdbid}",
"order": 3,
"title": "ExploitDB"
},
"Saint": {
"mapping": "${PINCH.RESPONSE.map_cve_saint.saintexploitid}",
"order": 4,
"title": "Saint"
}
},
"dataType": "JSON",
"httpHeaders": "",
"httpType": "GET",
"lookupName": "CIRCL CVE Lookup",
"lookupType": "CVE",
"lookupUrl": "https://cve.circl.lu/api/cve/${PINCH.HOVERITEM}",
"lookupVariable": "CIRCL",
"order": 10,
"requestGroup": "INTERNET"
}
};