Documentation ¶
Overview ¶
Package cortex is the client library for Cortex v2 API. Link: https://github.com/TheHive-Project/Cortex.
Check out Cortex v2 documentation: https://github.com/TheHive-Project/CortexDocs
Index ¶
- Constants
- Variables
- type APIAuth
- type Analyzer
- type AnalyzerError
- type AnalyzerReport
- type AnalyzerService
- type AnalyzerServiceOp
- func (a *AnalyzerServiceOp) DataTypes(ctx context.Context) ([]string, error)
- func (a *AnalyzerServiceOp) Get(ctx context.Context, id string) (*Analyzer, *http.Response, error)
- func (a *AnalyzerServiceOp) List(ctx context.Context) ([]Analyzer, *http.Response, error)
- func (a *AnalyzerServiceOp) ListByType(ctx context.Context, t string) ([]Analyzer, *http.Response, error)
- func (a *AnalyzerServiceOp) NewMultiRun(ctx context.Context, d time.Duration) *MultiRun
- func (a *AnalyzerServiceOp) Run(ctx context.Context, anid string, o Observable, d time.Duration) (*Report, error)
- func (a *AnalyzerServiceOp) StartJob(ctx context.Context, anid string, o Observable) (*Job, *http.Response, error)
- type Artifact
- type Client
- func (c *Client) Do(ctx context.Context, req *http.Request, v interface{}) (*http.Response, error)
- func (c *Client) NewFileRequest(method, urlStr string, body interface{}, fileName string, r io.Reader) (*http.Request, error)
- func (c *Client) NewRequest(method, urlStr string, body interface{}) (*http.Request, error)
- type ClientOpts
- type ExtractedArtifact
- type FileTask
- type FileTaskMeta
- type Job
- type JobInput
- type JobService
- type JobServiceOp
- func (j *JobServiceOp) Get(ctx context.Context, jobid string) (*Job, *http.Response, error)
- func (j *JobServiceOp) GetReport(ctx context.Context, jobid string) (*Report, *http.Response, error)
- func (j *JobServiceOp) WaitReport(ctx context.Context, jid string, d time.Duration) (*Report, *http.Response, error)
- type MultiRun
- type Observable
- type Report
- type ReportBody
- type Summary
- type Task
- type Taxonomy
- type User
- type UserService
- type UserServiceOp
Constants ¶
const ( // TxSafe is a safe taxonomy level TxSafe = "safe" // TxInfo is an info taxonomy level TxInfo = "info" // TxSuspicious is a suspicious taxonomy level TxSuspicious = "suspicious" // TxMalicious is a malicious taxonomy level TxMalicious = "malicious" )
const (
// APIRoute represents a prefix path
APIRoute = "api"
)
Variables ¶
var ( // TLPWhite represents non-limited disclosure. TLPWhite = 0 // TLPGreen limits disclosure, restricted to the community. TLPGreen = 1 // TLPAmber represents limited disclosure, restricted to participants’ organizations. TLPAmber = 2 // TLPRed is not for disclosure, restricted to participants only. TLPRed = 3 // PAPWhite represents no restrictions in using information. // Source: https://github.com/MISP/misp-taxonomies/blob/master/PAP/machinetag.json#L24 PAPWhite = TLPWhite // PAPGreen - active actions allowed. // Recipients may use PAP:GREEN information to ping the target, // block incoming/outgoing traffic from/to the target // or specifically configure honeypots to interact with the target // Source: https://github.com/MISP/misp-taxonomies/blob/master/PAP/machinetag.json#L19 PAPGreen = TLPGreen // PAPAmber - passive cross check. // Recipients may use PAP:AMBER information for conducting online checks, // like using services provided by third parties (e.g. VirusTotal), // or set up a monitoring honeypot. // Source: https://github.com/MISP/misp-taxonomies/blob/master/PAP/machinetag.json#L14 PAPAmber = TLPAmber // PAPRed - non-detectable actions only. // Recipients may not use PAP:RED information on the network. // Only passive actions on logs, that are not detectable from the outside. // Source: https://github.com/MISP/misp-taxonomies/blob/master/PAP/machinetag.json#L9 PAPRed = TLPRed )
Type var is used instead of const because a pointer is needed when cortex.Task and cortex.FileTaskMeta structs are being marshalled. This will enable omitting the value and force Cortex itself to use default TLP and PAP for tasks: cortex.TLPAmber and cortex.PAPAmber.
var ( // DefaultInput represents an analyzer or responder input that is used by // default DefaultInput = os.Stdin )
var Rxs = map[string]*regexp.Regexp{
"cc": rxCC,
"ipv4": rxIPv4,
"ipv6": rxIPv6,
"domain": rxDomain,
"email": rxEmail,
"hash": rxHash,
"registry": rxRegistryKey,
"url": rxURL,
"user-agent": rxUserAgent,
"bitcoin-address": rxBitcoinAddress,
}
Rxs represents map of regexes
Functions ¶
This section is empty.
Types ¶
type Analyzer ¶
type Analyzer struct { Author string `json:"author"` BaseConfig string `json:"baseConfig"` Configuration map[string]interface{} `json:"configuration"` CreatedAt int64 `json:"createdAt"` CreatedBy string `json:"createdBy"` DataTypeList []string `json:"dataTypeList"` DefinitionID string `json:"analyzerDefinitionId"` Description string `json:"description"` ID string `json:"id"` JobCache interface{} `json:"jobCache,omitempty"` // unknown License string `json:"license"` Name string `json:"name"` Rate int `json:"rate,omitempty"` RateUnit string `json:"rateUnit,omitempty"` URL string `json:"url"` UpdatedAt int64 `json:"updatedAt,omitempty"` UpdatedBy string `json:"updatedBy,omitempty"` Version string `json:"version"` }
Analyzer defines a specific Cortex Analyzer
type AnalyzerError ¶
type AnalyzerError struct { Success bool `json:"success"` ErrorMessage string `json:"errorMessage"` Input *JobInput `json:"input"` }
AnalyzerError is the report that analyzer app should return in case something went wrong
type AnalyzerReport ¶
type AnalyzerReport struct { Artifacts []ExtractedArtifact `json:"artifacts"` FullReport interface{} `json:"full"` Success bool `json:"success"` Summary *Summary `json:"summary"` }
AnalyzerReport is the report that analyzer app should return in case everything is okay
type AnalyzerService ¶
type AnalyzerService interface { Get(context.Context, string) (*Analyzer, *http.Response, error) List(context.Context) ([]Analyzer, *http.Response, error) ListByType(context.Context, string) ([]Analyzer, *http.Response, error) Run(context.Context, string, Observable, time.Duration) (*Report, error) StartJob(context.Context, string, Observable) (*Job, *http.Response, error) NewMultiRun(context.Context, time.Duration) *MultiRun DataTypes(context.Context) ([]string, error) }
AnalyzerService is an interface for managing analyzers
type AnalyzerServiceOp ¶
type AnalyzerServiceOp struct {
// contains filtered or unexported fields
}
AnalyzerServiceOp handles analyzer methods from Cortex API
func (*AnalyzerServiceOp) DataTypes ¶
func (a *AnalyzerServiceOp) DataTypes(ctx context.Context) ([]string, error)
DataTypes returns all available data types that Cortex can analyse. The entries are not sorted.
func (*AnalyzerServiceOp) ListByType ¶
func (a *AnalyzerServiceOp) ListByType(ctx context.Context, t string) ([]Analyzer, *http.Response, error)
ListByType lists Cortex analyzers by datatype
func (*AnalyzerServiceOp) NewMultiRun ¶
NewMultiRun is a function that bootstraps MultiRun struct
type Artifact ¶
type Artifact struct { DataType string `json:"dataType"` CreatedBy string `json:"createdBy"` CreatedAt int64 `json:"createdAt"` Data string `json:"data"` TLP int `json:"tlp"` PAP int `json:"pap"` ID string `json:"id"` }
Artifact represents an artifact
type Client ¶
type Client struct { Client *http.Client BaseURL *url.URL UserAgent string Opts *ClientOpts PageSize int Analyzers AnalyzerService Users UserService }
Client is used to communicate with Cortex API
func NewClient ¶
func NewClient(baseurl string, opts *ClientOpts) (*Client, error)
NewClient bootstraps a client to interact with Cortex API
func (*Client) Do ¶
Do sends an API request and returns the API response. The API response is JSON decoded and stored in the value pointed to by v, or returned as an error if an API error has occurred. If v implements the io.Writer interface, the raw response body will be written to v, without attempting to first decode it.
The provided ctx must be non-nil. If it is canceled or times out, ctx.Err() will be returned.
func (*Client) NewFileRequest ¶
func (c *Client) NewFileRequest(method, urlStr string, body interface{}, fileName string, r io.Reader) (*http.Request, error)
NewFileRequest creates an API request with a file http form.
func (*Client) NewRequest ¶
NewRequest creates an API request. A relative URL can be provided in urlStr, in which case it is resolved relative to the BaseURL of the Client. Relative URLs should always be specified without a preceding slash. If specified, the value pointed to by body is JSON encoded and included as the request body.
type ClientOpts ¶
type ClientOpts struct {
Auth auth
}
ClientOpts represent options that are passed to client
type ExtractedArtifact ¶
ExtractedArtifact is used for artifacts with slightly different structure
func ExtractArtifacts ¶
func ExtractArtifacts(body string) []ExtractedArtifact
ExtractArtifacts extracts all artifacts from the report string
type FileTask ¶
type FileTask struct { FileTaskMeta Reader io.Reader FileName string }
FileTask is a file to be analyzed
func (*FileTask) Description ¶
Description returns a file name
type FileTaskMeta ¶
type FileTaskMeta struct { DataType string `json:"dataType"` TLP *int `json:"tlp,omitempty"` PAP *int `json:"pap,omitempty"` }
FileTaskMeta represents meta data of the file observable
type Job ¶
type Job struct { Task ID string `json:"id"` AnalyzerDefinitionID string `json:"analyzerDefinitionId"` AnalyzerID string `json:"analyzerID"` AnalyzerName string `json:"analyzerName"` Status string `json:"status"` Organization string `json:"organization"` StartDate int64 `json:"startDate"` EndDate int64 `json:"endDate"` Date int64 `json:"date"` CreatedAt int64 `json:"createdAt"` CreatedBy string `json:"createdBy"` UpdatedAt int64 `json:"updatedAt,omitempty"` UpdatedBy string `json:"updatedBy,omitempty"` }
Job is a sample Cortex job
type JobInput ¶
type JobInput struct { DataType string `json:"dataType"` TLP int `json:"tlp,omitempty"` PAP int `json:"pap,omitempty"` Data string `json:"data,omitempty"` File string `json:"file,omitempty"` FileName string `json:"filename,omitempty"` ContentType string `json:"contentType,omitempty"` Config cfg `json:"config,omitempty"` Message string `json:"message,omitempty"` Parameters map[string]string `json:"parameters,omitempty"` }
JobInput is used to track failed jobs and work with analyzer's input
func NewInput ¶
NewInput grabs DefaultInput (stdin by default) and bootstraps *JobInput and *http.Client
func (*JobInput) PrintError ¶
PrintError returns unsuccessful Report with an error message
func (*JobInput) PrintReport ¶
PrintReport constructs Report by raw body and taxonomies
type JobService ¶
type JobService interface { Get(context.Context, string) (*Job, *http.Response, error) GetReport(context.Context, string) (*Report, *http.Response, error) WaitReport(context.Context, string, time.Duration) (*Report, *http.Response, error) }
JobService is an interface for managing jobs
type JobServiceOp ¶
type JobServiceOp struct {
// contains filtered or unexported fields
}
JobServiceOp handles cases methods from the Cortex API
type MultiRun ¶
type MultiRun struct { Timeout time.Duration OnReport func(*Report) OnError func(error, Observable, *Analyzer) // contains filtered or unexported fields }
MultiRun represents configuration for running multiple analyzers
func (*MultiRun) AnalyzeFile ¶
AnalyzeFile analyses a file observable by multiple analyzers
func (*MultiRun) AnalyzeString ¶
AnalyzeString analyses a basic string-alike observable by multiple analyzers
func (*MultiRun) Do ¶
func (m *MultiRun) Do(o Observable) error
Do analyzes an observable with all appropriate analyzers
type Observable ¶
Observable is an interface for string type artifact and file type artifact
type Report ¶
type Report struct { Job ReportBody ReportBody `json:"report,omitempty"` }
Report represents a struct returned by the Cortex
func (*Report) Taxonomies ¶
Taxonomies is a shortcut to get taxonomies from the report
type ReportBody ¶
type ReportBody struct { Artifacts []Artifact `json:"artifacts,omitempty"` FullReport interface{} `json:"full,omitempty"` Success bool `json:"success,omitempty"` Summary *Summary `json:"summary,omitempty"` ErrorMessage string `json:"errorMessage,omitempty"` Input string `json:"input,omitempty"` }
ReportBody represents a report with analyzer results
type Summary ¶
type Summary struct {
Taxonomies []Taxonomy `json:"taxonomies,omitempty"`
}
Summary is a customized report object which may have taxonomies
type Task ¶
type Task struct { Data string `json:"data,omitempty"` DataType string `json:"dataType,omitempty"` TLP *int `json:"tlp,omitempty"` PAP *int `json:"pap,omitempty"` Message string `json:"message,omitempty"` Parameters interface{} `json:"parameters,omitempty"` }
Task represents a Cortex task to run
func (*Task) Description ¶
Description returns Data of the task, satisfying an Observable interface
type Taxonomy ¶
type Taxonomy struct { Predicate string `json:"predicate"` Namespace string `json:"namespace"` Value interface{} `json:"value"` Level string `json:"level"` }
Taxonomy represents a taxonomy object in a report
type User ¶ added in v2.4.1
type User struct { Name string `json:"name"` CreatedAt int64 `json:"createdAt"` Roles []string `json:"roles"` CreatedBy string `json:"createdBy"` Organization string `json:"organization"` Status string `json:"status"` UpdatedBy string `json:"updatedBy"` UpdatedAt int64 `json:"updatedAt"` ID string `json:"id"` HasKey bool `json:"hasKey"` HasPassword bool `json:"hasPassword"` }
User represents a Cortex User
type UserService ¶ added in v2.4.1
UserService is an interface for managing users
type UserServiceOp ¶ added in v2.4.1
type UserServiceOp struct {
// contains filtered or unexported fields
}
UserServiceOp handles user specific methods from Cortex API