diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml index f53646ac2..4be93175e 100644 --- a/salt/sensoroni/defaults.yaml +++ b/salt/sensoroni/defaults.yaml @@ -22,11 +22,17 @@ sensoroni: base_url: https://otx.alienvault.com/api/v1/ api_key: pulsedive: - base_url: https://pulsedive.com/api/ + base_url: https://pulsedive.com/api/ api_key: spamhaus: lookup_host: zen.spamhaus.org nameservers: [] + sublime_platform: + base_url: https://api.platform.sublimesecurity.com + api_key: + live_flow: False + mailbox_email_address: + message_source_id: urlscan: base_url: https://urlscan.io/api/v1/ api_key: diff --git a/salt/sensoroni/files/analyzers/sublime/__init__.py b/salt/sensoroni/files/analyzers/sublime/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/salt/sensoroni/files/analyzers/sublime/requirements.txt b/salt/sensoroni/files/analyzers/sublime/requirements.txt new file mode 100644 index 000000000..a8980057f --- /dev/null +++ b/salt/sensoroni/files/analyzers/sublime/requirements.txt @@ -0,0 +1,2 @@ +requests>=2.27.1 +pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl new file mode 100644 index 000000000..d2b6c37f9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl new file mode 100644 index 000000000..fbcb86b5f Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-2.0.12-py3-none-any.whl new file mode 100644 index 000000000..17a2dfbeb Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-2.0.12-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl new file mode 100644 index 000000000..060541bc9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl new file mode 100644 index 000000000..807fc6110 Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl new file mode 100644 index 000000000..5019453dd Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/sublime/sublime.json b/salt/sensoroni/files/analyzers/sublime/sublime.json new file mode 100644 index 000000000..1b480b020 --- /dev/null +++ b/salt/sensoroni/files/analyzers/sublime/sublime.json @@ -0,0 +1,7 @@ +{ + "name": "Sublime", + "version": "0.1", + "author": "Wes Lambert", + "description": "This analyzer analyzes an email with Sublime Security to determine if it is considered malicious.", + "supportedTypes" : ["eml"] +} diff --git a/salt/sensoroni/files/analyzers/sublime/sublime.py b/salt/sensoroni/files/analyzers/sublime/sublime.py new file mode 100644 index 000000000..bf5261f6b --- /dev/null +++ b/salt/sensoroni/files/analyzers/sublime/sublime.py @@ -0,0 +1,79 @@ +import json +import requests +import sys +import os +import helpers +import argparse + + +def checkConfigRequirements(conf): + if "api_key" not in conf or len(conf['api_key']) == 0: + sys.exit(126) + + +def buildReq(conf, artifact_value): + headers = {"Authorization": "Bearer " + conf['api_key']} + base_url = conf['base_url'] + if conf['live_flow'] is True: + uri = "/v1/live-flow/raw-messages/analyze" + data = {"create_mailbox": True, "mailbox_email_address": str(conf['mailbox_email_address']), "message_source_id": str(conf['message_source_id']), "raw_message": artifact_value} + else: + uri = "/v0/messages/analyze" + data = {"raw_message": artifact_value, "run_active_detection_rules": True} + url = base_url + uri + return url, headers, data + + +def sendReq(url, headers, data): + response = requests.request('POST', url=url, headers=headers, data=json.dumps(data)).json() + return response + + +def prepareResults(raw): + matched = [] + if "rule_results" in raw: + for r in raw["rule_results"]: + if r["matched"] is True: + matched.append(r) + if len(matched) > 0: + raw = matched + status = "threat" + summary = "malicious" + else: + raw = "No rules matched." + status = "ok" + summary = "harmless" + elif "flagged_rules" in raw: + if raw["flagged_rules"] is not None: + status = "threat" + summary = "malicious" + else: + status = "ok" + summary = "harmless" + results = {'response': raw, 'status': status, 'summary': summary} + return results + + +def analyze(conf, input): + checkConfigRequirements(conf) + meta = helpers.loadMetadata(__file__) + data = helpers.parseArtifact(input) + helpers.checkSupportedType(meta, data["artifactType"]) + request = buildReq(conf, data["value"]) + response = sendReq(request[0], request[1], request[2]) + return prepareResults(response) + + +def main(): + dir = os.path.dirname(os.path.realpath(__file__)) + parser = argparse.ArgumentParser(description="Submit an email to Sublime Platform's EML Analyzer for analysis") + parser.add_argument('artifact', help='the artifact represented in JSON format') + parser.add_argument('-c', '--config', metavar="CONFIG_FILE", default=dir + "/sublime.yaml", help='optional config file to use instead of the default config file') + args = parser.parse_args() + if args.artifact: + results = analyze(helpers.loadConfig(args.config), args.artifact) + print(json.dumps(results)) + + +if __name__ == "__main__": + main() diff --git a/salt/sensoroni/files/analyzers/sublime/sublime.yaml b/salt/sensoroni/files/analyzers/sublime/sublime.yaml new file mode 100644 index 000000000..fa6886aa0 --- /dev/null +++ b/salt/sensoroni/files/analyzers/sublime/sublime.yaml @@ -0,0 +1,5 @@ +base_url: "{{ salt['pillar.get']('sensoroni:analyzers:sublime_platform:base_url', 'https://api.platform.sublimesecurity.com') }}" +api_key: "{{ salt['pillar.get']('sensoroni:analyzers:sublime_platform:api_key', '') }}" +live_flow: {{ salt['pillar.get']('sensoroni:analyzers:sublime_platform:live_flow', 'False') }} +mailbox_email_address: "{{ salt['pillar.get']('sensoroni:analyzers:sublime_platform:mailbox_email_address', '') }}" +message_source_id: "{{ salt['pillar.get']('sensoroni:analyzers:sublime_platform:message_source_id', '') }}" diff --git a/salt/sensoroni/files/analyzers/sublime/sublime_test.py b/salt/sensoroni/files/analyzers/sublime/sublime_test.py new file mode 100755 index 000000000..a81138a2f --- /dev/null +++ b/salt/sensoroni/files/analyzers/sublime/sublime_test.py @@ -0,0 +1,188 @@ +from io import StringIO +import sys +from unittest.mock import patch, MagicMock +from sublime import sublime +import json +import unittest + + +class TestSublimePlatformMethods(unittest.TestCase): + + def test_main_missing_input(self): + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd"] + sublime.main() + self.assertEqual(mock_stderr.getvalue(), "usage: cmd [-h] [-c CONFIG_FILE] artifact\ncmd: error: the following arguments are required: artifact\n") + sysmock.assert_called_once_with(2) + + def test_main_success(self): + output = {"foo": "bar"} + with patch('sys.stdout', new=StringIO()) as mock_stdout: + with patch('sublime.sublime.analyze', new=MagicMock(return_value=output)) as mock: + sys.argv = ["cmd", "input"] + sublime.main() + expected = '{"foo": "bar"}\n' + self.assertEqual(mock_stdout.getvalue(), expected) + mock.assert_called_once() + + def test_checkKeyNonexistent(self): + conf = {"not_a_key": "abcd12345"} + with self.assertRaises(SystemExit) as cm: + sublime.checkConfigRequirements(conf) + self.assertEqual(cm.exception.code, 126) + + def test_buildReqLiveFlow(self): + conf = {'base_url': 'https://api.platform.sublimesecurity.com', 'api_key': 'abcd12345', 'live_flow': True, 'mailbox_email_address': 'user@test.local', 'message_source_id': 'abcd1234'} + artifact_value = "abcd1234" + result = sublime.buildReq(conf, artifact_value) + self.assertEqual("https://api.platform.sublimesecurity.com/v1/live-flow/raw-messages/analyze", result[0]) + self.assertEqual({'Authorization': 'Bearer abcd12345'}, result[1]) + + def test_buildReqNotLiveFlow(self): + conf = {'base_url': 'https://api.platform.sublimesecurity.com', 'api_key': 'abcd12345', 'live_flow': False, 'mailbox_email_address': 'user@test.local'} + artifact_value = "abcd1234" + result = sublime.buildReq(conf, artifact_value) + self.assertEqual("https://api.platform.sublimesecurity.com/v0/messages/analyze", result[0]) + self.assertEqual({'Authorization': 'Bearer abcd12345'}, result[1]) + + def test_prepareResultsRuleResultsMatched(self): + raw = ''' { + "rule_results": [{ + "rule": { + "id": "9147f589-39d5-4dd0-a0ee-00433a6e2632", + "name": "AnonymousFox Indicators", + "source": "type.inbound\\nand regex.icontains(sender.email.email, \\"(anonymous|smtp)fox-\\"))\\n", + "severity": "medium" + }, + "matched": true, + "success": true, + "error": null, + "external_errors": null, + "execution_time": 0.000071679 + }]}''' + results = sublime.prepareResults(json.loads(raw)) + print(results) + self.assertEqual(results["response"], json.loads(raw)["rule_results"]) + self.assertEqual(results["summary"], "malicious") + self.assertEqual(results["status"], "threat") + + def test_prepareResultsRuleResultsNotMatched(self): + raw = ''' { + "rule_results": [{ + "rule": { + "id": "9147f589-39d5-4dd0-a0ee-00433a6e2632", + "name": "AnonymousFox Indicators", + "source": "type.inbound and regex.icontains(.value, \\"(anonymous|smtp)fox-\\"))\\n", + "severity": "medium" + }, + "matched": false, + "success": true, + "error": null, + "external_errors": null, + "execution_time": 0.000071679 + }]}''' + results = sublime.prepareResults(json.loads(raw)) + print(results) + self.assertEqual(results["response"], "No rules matched.") + self.assertEqual(results["summary"], "harmless") + self.assertEqual(results["status"], "ok") + + def test_prepareResultsLiveFlowMatched(self): + raw = '''{ + "canonical_id": "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6", + "flagged_rules": [ + { + "actions": null, + "active": true, + "active_updated_at": "2023-08-09T14:58:25.669495Z", + "attack_types": [ + "Credential Phishing", + "Malware/Ransomware" + ], + "authors": null, + "created_at": "2023-08-09 01:00:25.642489+00", + "created_by_api_request_id": null, + "created_by_org_id": null, + "created_by_org_name": null, + "created_by_user_id": null, + "created_by_user_name": null, + "description": "Recursively scans files and archives to detect HTML smuggling techniques.\\n", + "detection_methods": [ + "Archive analysis", + "File analysis", + "HTML analysis", + "Javascript analysis" + ], + "exclusion_mql": null, + "false_positives": null, + "feed_external_rule_id": "0b0fed36-735a-50f1-bf10-6673237a4623", + "feed_id": "4e5d7da3-d566-4910-a613-f00709702240", + "full_type": "detection_rule", + "id": "537bf73d-a4f0-4389-b2a1-272192efa0d5", + "immutable": true, + "internal_type": null, + "label": null, + "maturity": null, + "name": "Attachment: HTML smuggling with unescape", + "org_id": "dac92af8-2bd6-4861-9ee1-a04e713e3ae2", + "references": [ + "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader" + ], + "severity": "high", + "source_md5": "b68388617d78ccc20075ca8fffc7e3f8", + "tactics_and_techniques": [ + "Evasion", + "HTML smuggling", + "Scripting" + ], + "tags": null, + "type": "detection", + "updated_at": "2023-11-01 15:25:47.212056+00", + "user_provided_tags": [ + + ] + } + ], + "message_id": "0071b1ac-d7ca-4e37-91c5-068a96b9dda8", + "raw_message_id": "1dc90473-b028-4754-942c-476cfb1ca2ff" + }''' + + results = sublime.prepareResults(json.loads(raw)) + print(results) + self.assertEqual(results["response"], json.loads(raw)) + self.assertEqual(results["summary"], "malicious") + self.assertEqual(results["status"], "threat") + + def test_prepareResultsLiveFlowNotMatched(self): + raw = '''{ + "canonical_id": "092459fa0d9edd5d8e2d0ccf3af50120c63ec58717a8cfdeb15854706940346f", + "flagged_rules": null, + "message_id": "1e8693b4-bf44-4cb9-ac9a-85fc2a99eeb8", + "raw_message_id": "5d2f03c2-86e1-47d8-81ae-620ecb5c6553" + }''' + + results = sublime.prepareResults(json.loads(raw)) + self.assertEqual(results["response"], json.loads(raw)) + self.assertEqual(results["summary"], "harmless") + self.assertEqual(results["status"], "ok") + + def test_sendReq(self): + with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock: + url = "https://api.platform.sublimesecurity.com/v1/live-flow/raw-messages/analyze" + headers = {'Authorization': 'Bearer abcd12345'} + data = {"create_mailbox": True, "mailbox_email_address": "user@test.local", "message_source_id": "abcd1234", "raw_message": "abcd1234"} + url = "https://api.platform.sublimesecurity.com/v1/live-flow/raw-messages/analyze" + response = sublime.sendReq(url=url, headers=headers, data=data) + mock.assert_called_once_with('POST', url=url, headers=headers, data=json.dumps(data)) + self.assertIsNotNone(response) + + def test_analyze(self): + output = '{"message_id":"abcd1234","raw_message_id":"abcd1234","canonical_id":"abcd1234","flagged_rules":null}' + artifactInput = '{"value":"RnJvbTogQWxpY2UgPGFsaWNlQGV4YW1wbGUuY29tPgpUbzogQm9iIDxib2JA","artifactType":"eml"}' + conf = {'base_url': 'https://api.platform.sublimesecurity.com', 'api_key': 'abcd12345', 'live_flow': False, 'mailbox_email_address': 'user@test.local'} + with patch('sublime.sublime.sendReq', new=MagicMock(return_value=json.loads(output))) as mock: + results = sublime.analyze(conf, artifactInput) + print(results) + self.assertEqual(results["summary"], "harmless") + mock.assert_called_once() diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index db51da358..9c2304d6c 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -128,6 +128,42 @@ sensoroni: sensitive: False advanced: True forcedTypes: "[]string" + sublime_platform: + api_key: + description: API key for the Sublime Platform analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the Sublime Platform analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + live_flow: + description: Determines if live flow analysis is used. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: bool + mailbox_email_address: + description: Source mailbox address used for live flow analysis. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + message_source_id: + description: ID of the message source used for live flow analysis. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string urlscan: api_key: description: API key for the Urlscan analyzer.