Member
Author
@mlodic kindly check the wrapper.
Member
lgtm
Member
Author
TLP amber?
Member
Author
I think we are gtg here.
mlodic
requested changes
May 20, 2024
| "base_path": "api_app.analyzers_manager.observable_analyzers", | ||
| }, | ||
| "name": "CyCat", | ||
| "description": "[CyCat](https://cycat.org/) or the CYbersecurity Resource CATalogue aims at mapping and documenting, in a single formalism and catalogue available cybersecurity tools, rules, playbooks, processes and controls.", |
Member
Suggested change
| "description": "[CyCat](https://cycat.org/) or the CYbersecurity Resource CATalogue aims at mapping and documenting, in a single formalism and catalogue available cybersecurity tools, rules, playbooks, processes and controls.", | |
| "description": "[CyCat](https://cycat.org/) or the CYbersecurity Resource CATalogue aims at mapping and documenting, in a single formalism and catalogue available cybersecurity tools, rules, playbooks, processes and controls.", |
| url: str = "https://api.cycat.org" | ||
|
|
||
| def uuid_lookup(self, uuid: str): | ||
| logger.info(f"performing lookup on uuid: {uuid}") |
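Review bot: `uuid_lookup` has no return annotation or docstring, and its `uuid` parameter would shadow the standard-library `uuid` module if this file ever imports it; renaming it (for example to `item_uuid`) and annotating the return type would avoid both. The `logger.info` call also builds its message with an f-string, so the string is formatted even when INFO logging is disabled; passing the value as a `%s` argument keeps the formatting lazy.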
Member
Adding the observable name in this log can help future debugging.
| "requests.get", | ||
| return_value=MockUpResponse( | ||
| [ | ||
| "24bfaeba-cb0d-4525-b3dc-507c77ecec41", |
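Review bot: the patch of `requests.get` uses a single `return_value`, so every HTTP call the analyzer makes during the test receives this same list of UUID strings, including any call made from `uuid_lookup`. If the analyzer is meant to return item data, give the mock a `side_effect` with one response per call (the UUID list first, then an item dict) so the test exercises the lookup path as well.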
Member
I am not sure this is the expected response. I would have expected data, like the one here: https://cycat.org/services/#fetch-item-by-uuid
UUIDs are useless as an output, so I would have expected to get the data for the UUID. Your analyzer seems right to me, so I don't understand why you get this result. Can you please try again?
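The behaviour the reviewer asks for above, item data rather than bare UUIDs, sketched as an added example (not code from this pull request or from IntelOwl). `resolve_items`, the `fetch_item` callable and the catalogue are hypothetical, with the one catalogue entry abridged from the sample item shown on this page; each value is checked as a UUID before it would be used in a lookup.

```python
import uuid as uuid_lib
from typing import Any, Callable, Dict, List, Optional

# Constructed stand-in for the remote catalogue (assumption, not real API data);
# the single entry is abridged from the sample item shown on this page.
CONSTRUCTED_CATALOGUE: Dict[str, Dict[str, Any]] = {
    "4cd29327-685a-460e-9dac-c3ab96e549dc": {
        "sigma:id": "4cd29327-685a-460e-9dac-c3ab96e549dc",
        "title": "Execution via CL_Invocation.ps1",
        "_cycat_type": "Item",
    },
}


def resolve_items(
    search_results: List[Any],
    fetch_item: Callable[[str], Optional[Dict[str, Any]]],
) -> Dict[str, Any]:
    """Turn the UUID list returned by a search into {uuid: item data}.

    fetch_item is a hypothetical callable that performs the per-UUID lookup.
    Values that are not well-formed UUIDs are never passed to it, so a
    malformed upstream response cannot end up in a request path.
    """
    items: Dict[str, Dict[str, Any]] = {}
    skipped: List[str] = []
    for raw in search_results:
        try:
            # Canonical lower-case, hyphenated form; raises on anything else.
            canonical = str(uuid_lib.UUID(str(raw)))
        except ValueError:
            skipped.append(str(raw))
            continue
        if canonical in items:
            continue  # duplicate hit, already resolved
        item = fetch_item(canonical)
        if isinstance(item, dict) and item:
            items[canonical] = item
        else:
            skipped.append(canonical)  # valid UUID but no data came back
    return {"items": items, "skipped": skipped}


if __name__ == "__main__":
    hits = ["4cd29327-685a-460e-9dac-c3ab96e549dc", "../../info"]
    print(resolve_items(hits, CONSTRUCTED_CATALOGUE.get))
```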
added 2 commits
May 20, 2024 21:37
mlodic
approved these changes
May 20, 2024
mlodic
added a commit
that referenced
this pull request
May 21, 2024
* updated yeti analyzer and connector to support new major * updated default pycti version * fixed MaxMind data extraction for the country flag * Fix pivot + file Signed-off-by: 0ssigeno <[email protected]> * healthcheck available for Plugins with `url` option by default (#2320) * healthcheck available for Plugins with `url` option * doc * fix * Bump quark-engine from 24.4.1 to 24.5.1 in /requirements (#2313) Bumps [quark-engine](https://github.com/quark-engine/quark-engine) from 24.4.1 to 24.5.1. - [Release notes](https://github.com/quark-engine/quark-engine/releases) - [Commits](ev-flow/quark-engine@v24.4.1...v24.5.1) --- updated-dependencies: - dependency-name: quark-engine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump jsonschema from 4.21.1 to 4.22.0 in /requirements (#2311) Bumps [jsonschema](https://github.com/python-jsonschema/jsonschema) from 4.21.1 to 4.22.0. - [Release notes](https://github.com/python-jsonschema/jsonschema/releases) - [Changelog](https://github.com/python-jsonschema/jsonschema/blob/main/CHANGELOG.rst) - [Commits](python-jsonschema/jsonschema@v4.21.1...v4.22.0) --- updated-dependencies: - dependency-name: jsonschema dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump docutils from 0.20.1 to 0.21.2 in /requirements (#2312) Bumps [docutils](https://docutils.sourceforge.io) from 0.20.1 to 0.21.2. --- updated-dependencies: - dependency-name: docutils dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Revert "Bump docutils from 0.20.1 to 0.21.2 in /requirements (#2312)" This reverts commit 9e5106e. * prettier * changes (#2322) * Phoneinfoga analyzer adjustment (#2324) * Phoneinfoga Signed-off-by: 0ssigeno <[email protected]> * Linters Signed-off-by: 0ssigeno <[email protected]> * adjusted phoneinfoga * Update api_app/analyzers_manager/migrations/0088_phoneinfoga_parameters.py --------- Signed-off-by: 0ssigeno <[email protected]> Co-authored-by: Matteo Lodi <[email protected]> * Fix serializer Signed-off-by: 0ssigeno <[email protected]> * Fix sender Signed-off-by: 0ssigeno <[email protected]> * pcap_analyzers adjusts + new playbook for PCAP files + upgraded Suricata to v7 (#2325) * pcap_analyzers adjusts + new playbook for PCAP files + upgraded Suricata to v7 * adjusted hfinger * adjust test * adjust test and upgraded watchman * tests * fix custom analysis (#2323) * hudsonrock (#2327) * hudsonrock * tests * test * add params * migration * tests * migration * i always overlook this lol * tlp to amber --------- Co-authored-by: g4ze <[email protected]> * Update api_app/analyzers_manager/observable_analyzers/hudsonrock.py Co-authored-by: code-review-doctor[bot] <72320148+code-review-doctor[bot]@users.noreply.github.com> * black * Fixes frontend regex (#2329) * support phone numbers * moved phone number validation to E.164 format * removed dates from parsing as IP 
addresses * prettier * Cy cat#1479 (#2328) * cycat * cycat * cycat wrapper done * migration * docs * tests * tests --------- Co-authored-by: g4ze <[email protected]> * updated changelog * fix loading visualizer navbar (#2335) * fix visualizer loading * changes * --- (#2332) updated-dependencies: - dependency-name: celery[redis,sqs] dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * --- (#2334) updated-dependencies: - dependency-name: intezer-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * --- (#2333) updated-dependencies: - dependency-name: docutils dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Speed up (#2336) Signed-off-by: 0ssigeno <[email protected]> * Revert "--- (#2333)" This reverts commit 12802eb. --------- Signed-off-by: 0ssigeno <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Daniele Rosetti <[email protected]> Co-authored-by: 0ssigeno <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Martina Carella <[email protected]> Co-authored-by: Simone Berni <[email protected]> Co-authored-by: Nilay Gupta <[email protected]> Co-authored-by: g4ze <[email protected]> Co-authored-by: code-review-doctor[bot] <72320148+code-review-doctor[bot]@users.noreply.github.com> Co-authored-by: Daniele Rosetti <[email protected]>
Closed
closes #1479
Description
add cycat
Type of change
Please delete options that are not relevant.
Checklist
develop
_monkeypatch() was used in its class to apply the necessary decorators.
dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
test_files.zip and you added the default tests for that mimetype in test_classes.py.
FREE_TO_USE_ANALYZERS playbook by following this guide.
MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
tests folder). All the tests (new and old ones) gave 0 errors.
DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.
Important Rules
{
"description": """Detects Execution via
SyncInvoke in CL_Invocation.ps1 module""",
"raw": """
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via
SyncInvoke in CL_Invocation.ps1 module
detection:
condition: selection
selection:
EventID: 4104
ScriptBlockText|contains|all:
- CL_Invocation.ps1
- SyncInvoke
falsepositives:
- Unknown
id: 4cd29327-685a-460e-9dac-c3ab96e549dc
level: high
logsource:
product: windows
service: powershell
modified: 2021/05/21
references:
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
title: Execution via CL_Invocation.ps1
""",
"sigma:id": "4cd29327-685a-460e-9dac-c3ab96e549dc",
"title": "Execution via CL_Invocation.ps1",
"_cycat_type": "Item",
},