Merge branch 'release/3.4.1'

CHANGELOG.md

@@ -1,13 +1,18 @@
 # Changelog
 
-## [3.4.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.0) (2024-11-26)
+## [3.4.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.0) (2024-12-09)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.3.8...3.4.0)
 
 **Closed issues:**
 
 - \[FR\] Enhance Crowdstrike Falcon integration with TheHive  [\#1296](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1296)
 
+**Merged pull requests:**
+
+- Multiple Analyzers & Responders for CrowdstrikeFalcon [\#1297](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1297) ([nusantara-self](https://github.com/nusantara-self))
+- Capa Analyzer - Code improvements [\#1295](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1295) ([nusantara-self](https://github.com/nusantara-self))
+
 ## [3.3.8](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.3.8) (2024-11-08)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.3.7...3.3.8)
@@ -460,7 +465,7 @@
 - Upgrade OpenCTI analyzer to v4 + add fuzzy search flavor [\#928](https://github.com/TheHive-Project/Cortex-Analyzers/pull/928) ([amr-cossi](https://github.com/amr-cossi))
 - Add IVRE Analyzer [\#923](https://github.com/TheHive-Project/Cortex-Analyzers/pull/923) ([p-l-](https://github.com/p-l-))
 - Feature/mail incident status [\#921](https://github.com/TheHive-Project/Cortex-Analyzers/pull/921) ([mkcorpc](https://github.com/mkcorpc))
-- \[OSCD Initiative\] Add Azure Authentication Token Revokation Responder [\#906](https://github.com/TheHive-Project/Cortex-Analyzers/pull/906) ([Dmweiner](https://github.com/Dmweiner))
+- \[OSCD Initiative\] Add Azure Authentication Token Revokation Responder [\#906](https://github.com/TheHive-Project/Cortex-Analyzers/pull/906) ([districtofpaige](https://github.com/districtofpaige))
 - FIX issue \#896 [\#897](https://github.com/TheHive-Project/Cortex-Analyzers/pull/897) ([ipfyx](https://github.com/ipfyx))
 - \[Bug\] MineMeld responder domain IOC incorrect type \#892 [\#893](https://github.com/TheHive-Project/Cortex-Analyzers/pull/893) ([colin-stubbs](https://github.com/colin-stubbs))
 - \[OSCD Initiative\] add Gmail responder [\#891](https://github.com/TheHive-Project/Cortex-Analyzers/pull/891) ([strassi](https://github.com/strassi))

analyzers/AnyRun/anyrun_analyzer.py

@@ -119,7 +119,7 @@ def run(self):
                     if status_code == 200:
                         task_id = response.json()["data"]["taskid"]
                     elif status_code == 201:
-                        task_id = response.json()["taskid"]
+                        task_id = response.json()["data"]["taskid"]
                     elif status_code == 429:
                         # it not support parallel runs, so we wait and resubmit later
                         time.sleep(60)

analyzers/Capa/Dockerfile

@@ -0,0 +1,17 @@
+FROM python:3
+WORKDIR /worker
+COPY . Capa
+
+# Install required tools
+RUN apt-get update && apt-get install -y \
+    curl \
+    jq \
+    unzip && \
+    rm -rf /var/lib/apt/lists/*
+
+# Add a script to fetch the latest capa release and extract it
+COPY fetch_capa.sh /worker/fetch_capa.sh
+RUN chmod +x /worker/fetch_capa.sh && /worker/fetch_capa.sh
+
+RUN test ! -e Capa/requirements.txt || pip install --no-cache-dir -r Capa/requirements.txt
+ENTRYPOINT "Capa/CapaAnalyze.py"

analyzers/Capa/fetch_capa.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e  # Exit immediately if a command exits with a non-zero status
+set -x  # Print commands and their arguments as they are executed
+
+# Fetch the latest release version
+LATEST_VERSION=$(curl -s https://api.github.com/repos/mandiant/capa/releases/latest | jq -r '.tag_name')
+
+# Validate the version
+if [ -z "$LATEST_VERSION" ]; then
+    echo "Failed to fetch the latest version."
+    exit 1
+fi
+
+echo "Latest version is $LATEST_VERSION"
+
+# Construct the download URL
+DOWNLOAD_URL="https://github.com/mandiant/capa/releases/download/${LATEST_VERSION}/capa-${LATEST_VERSION}-linux.zip"
+echo "Downloading from $DOWNLOAD_URL"
+
+# Download and extract capa
+curl -L -o capa.zip "$DOWNLOAD_URL" || { echo "Download failed"; exit 1; }
+unzip capa.zip -d /worker/capa || { echo "Extraction failed"; exit 1; }
+
+# Clean up
+rm capa.zip
+echo "Capa downloaded and extracted successfully."

analyzers/Censys/Censys.json

@@ -34,7 +34,7 @@
   ],
   "registration_required": true,
   "subscription_required": true,
-  "free_subscription": true,
+  "free_subscription": false,
   "service_homepage": "https://censys.io/",
   "service_logo": {
     "path": "assets/censys.png",

analyzers/DomainTools/requirements.txt

@@ -1,3 +1,2 @@
 cortexutils
-domaintools_api ; python_version < '3.5'
-git+https://github.com/DomainTools/python_api.git ; python_version >= '3.5'
+domaintools_api==0.6.2

analyzers/DomainToolsIris/requirements.txt

@@ -1,3 +1,2 @@
 cortexutils
-domaintools_api ; python_version < '3.5'
-git+https://github.com/DomainTools/python_api.git ; python_version >= '3.5'
+domaintools_api==0.6.2

analyzers/PhishTank/phishtank_checkurl.py

@@ -8,14 +8,15 @@ class PhishtankAnalyzer(Analyzer):
 
     def __init__(self):
         Analyzer.__init__(self)
-        self.phishtank_key = self.get_param('config.key', None,
-                                            'Missing PhishTank API key')
+        self.phishtank_key = self.get_param('config.key', None, 'Missing PhishTank API key')
+        self.proxies = {'http': self.get_param('config.proxy_http', None),
+                        'https': self.get_param('config.proxy_https', None)}
 
     def phishtank_checkurl(self, data):
         url = 'https://checkurl.phishtank.com/checkurl/'
         postheaders = {"User-Agent": "phishtank/cortex"}
         postdata = {'url': data, 'format': 'json', 'app_key': self.phishtank_key}
-        r = requests.post(url, headers=postheaders, data=postdata)
+        r = requests.post(url, headers=postheaders, data=postdata, proxies=self.proxies)
         return r.json()
 
     def summary(self, raw):