unknown risk management (TheHive-Project#1232)

analyzers/Gatewatcher_CTI/Gatewatcher_CTI.py

@@ -50,8 +50,8 @@ def run(self):
                     has_max = False
                 total_found_relations = 0
                 for item in info["message"][0]["IOCs"]:
-                    if total_found_relations == len(relations) or \
-                    (has_max and total_found_relations >= self.max_relations):
+                    if (total_found_relations == len(relations) or
+                            (has_max and total_found_relations >= self.max_relations)):
                         break
 
                     if item["IocId"] in relations:
@@ -65,14 +65,16 @@ def run(self):
                         elif item["Type"] in ["URL", "Host", "MD5", "SHA1", "SHA256"]:
                             records["IOCs"].append(item)
 
-            additional = {k : v for k, v in additional.items() if v is not None}
+            additional = {k: v for k, v in additional.items() if v is not None}
             main.update(additional)
             records["IOCs"].insert(0, main)
+            if len(records["IOCs"]) == 1 and records["IOCs"][0]["Risk"].lower() == "unknown":
+                records["is_on_gw"] = False
 
         self.report(records)
 
     def check_response(self, response):
-        if response.status_code not in [200,422]:
+        if response.status_code not in [200, 422]:
             try:
                 result = response.json()
                 if (
@@ -102,23 +104,22 @@ def summary(self, raw):
         level = "info"
         namespace = "Gatewatcher CTI"
         predicate = "GetReport"
-        value = "Not found"
+        value = "not found"
         data = next(
             (ioc for ioc in raw["IOCs"] if ioc["Value"] == self.observable_value), None
         )
         if data is not None:
             level = data["Risk"].lower()
             if level == "malicious":
-                value = 86
+                value = 100
             elif level == "high suspicious":
-                value = 71
-                level = "suspicious"
-            else:
-                value = 31
+                value = 75
+            elif level == "suspicious":
+                value = 60
 
         taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
         return {"taxonomies": taxonomies}
 
 
 if __name__ == "__main__":
-    GatewatcherCTI().run()
+    GatewatcherCTI().run()

analyzers/Gatewatcher_CTI/README.md

@@ -1,5 +1,18 @@
-Requirement : if you want to use LastInfoSec's intelligence, you need an API key. You could contact LastInfoSec's team here https://www.gatewatcher.com/en/contact/
-LastInfosec has been acquired by Gatewatcher.
-LastInfoSec's Threat Feed is a data feed that makes it easier to detect threats within the information system. It contains enriched compromised evidences in order to reduce the time of threat analysis once detected.
-https://www.gatewatcher.com/en/nos-produits/last-info-sec
+## Gatewatcher
+Gatewatcher is a European leader in advanced Threats detection, protecting critical networks of large Entreprises and Governement organisations since 2015.
 
+## Gatewatcher CTI
+The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business.
+
+## Cortex Integration
+This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database
+
+## How to obtain credentials ?
+If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key
+
+If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec
+
+## TheHive Integration
+With this cortex integration, we also provide you templates for TheHive available in the [thehive-templates](../../thehive-templates/Gatewatcher_CTI_1_0) directory.
+
+![](assets/Gatewatcher_CTI_long.png)