diff --git a/.nojekyll b/.nojekyll new file mode 100644 index 000000000..e69de29bb diff --git a/404.html b/404.html new file mode 100644 index 000000000..7fe84b6cc --- /dev/null +++ b/404.html @@ -0,0 +1,4471 @@ + + + + + + + + + + + + + + + + + + + Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ +

404 - Not found

+ +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/AUTHORS/index.html b/AUTHORS/index.html new file mode 100644 index 000000000..879e14106 --- /dev/null +++ b/AUTHORS/index.html @@ -0,0 +1,4631 @@ + + + + + + + + + + + + + + + + + + + + + + + Authors & contributors - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Authors#

+
    +
  • Nabil Adouani
  • +
  • Thomas Franco
  • +
  • Jérôme Leonard
  • +
+

Contributors#

+
    +
  • Abdelkader Ben Ali
  • +
  • Adrien Barchapt
  • +
  • Andrea Garavaglia (LDO-CERT)
  • +
  • ANSSI
  • +
  • brandon@backscatter.io
  • +
  • Brandon Dixon (9bplus)
  • +
  • Brian Laskowski
  • +
  • CERT Arkéa
  • +
  • CERT-BDF
  • +
  • CERT-LaPoste
  • +
  • CERT-LDO
  • +
  • Cisco Security
  • +
  • Cisco Umbrella Research @opendns
  • +
  • crackytsi
  • +
  • Daniel Weiner @dmweiner
  • +
  • Daniil Yugoslavskiy (Tieto)
  • +
  • Danni Co
  • +
  • Davide Arcuri (LDO-CERT)
  • +
  • David Strassegger @oscd_initiative
  • +
  • Dennis Perto, Conscia
  • +
  • Dmitry Uchakin, Vulners team
  • +
  • DomainTools
  • +
  • Emmanuel Torquato
  • +
  • Equate Technologies
  • +
  • Eric Capuano
  • +
  • etz69
  • +
  • Florian Perret @cyber_pescadito
  • +
  • Florian Roth
  • +
  • @frikkylikeme
  • +
  • Gabriel Antonio da Silva
  • +
  • Guillaume Rousse
  • +
  • Ignacio Rodriguez Paez
  • +
  • iosonogio, dadokkio
  • +
  • Joe Lazaro
  • +
  • Joel Snape @ Nettitude
  • +
  • Joe Vasquez
  • +
  • KAPSCH-CDC
  • +
  • Keijo Korte
  • +
  • Kyle Parrish
  • +
  • LastInfoSec
  • +
  • LetMeR00t
  • +
  • Manabu Niseki, @ninoseki
  • +
  • Manuel Krucker
  • +
  • Marc-André DOLL (STARC by EXAPROBE)
  • +
  • Mario Henkel @hariomenkel
  • +
  • Mark Kikta, RedLegg Cybersecurity Solutions
  • +
  • Matteo Lodi
  • +
  • Matt Erasmus, Jonas Hergenhahn
  • +
  • Maxim Konakin (OSCD Initiative)
  • +
  • Mehdy Aschy
  • +
  • Michael
  • +
  • Michael Davis, REN-ISAC
  • +
  • Michael Hornung (Expeditors International of Washington, Inc.)
  • +
  • Michael Stensrud (Nordic Financial CERT)
  • +
  • Mikael Keri
  • +
  • Nclose
  • +
  • Nick Prokop
  • +
  • Nicolas Mattiocco
  • +
  • Nils Kuhnert (CERT-Bund)
  • +
  • ninoseki
  • +
  • Kyle Parrish (@arnydo)
  • +
  • ottimo
  • +
  • Peter Juhas
  • +
  • pettai@sunet.se, SUNET
  • +
  • ph34tur3
  • +
  • Pierre Baudry
  • +
  • Pierre Lalet
  • +
  • Rémi Allain, Cyberprotect
  • +
  • Remi Pointel
  • +
  • RiskIQ
  • +
  • Robert Nixon
  • +
  • Sebastian Schmerl - Computacenter
  • +
  • Sebastien Larinier @Sebdraven
  • +
  • SEKOIA
  • +
  • Simon Lavigne
  • +
  • Mikael Keri
  • +
  • SOL
  • +
  • Stamus Networks
  • +
  • StrangeBee
  • +
  • Sven Kutzer / Gyorgy Acs, @oscd_initiative
  • +
  • TheHive-Project
  • +
  • torsolaso
  • +
  • Unit777
  • +
  • LetMeR00t
  • +
  • Vaclav Bartos (CESNET)
  • +
  • Wes Lambert (Security Onion Solutions)
  • +
  • Xavier Xavier (SANS ISC)
  • +
+
+

Copyright (C) 2017-2022 Nabil Adouani

+

Copyright (C) 2014-2022 Thomas Franco

+

Copyright (C) 2014-2019 Saâd Kadhi

+

Copyright (C) 2014-2022 Jérôme Leonard

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/CHANGELOG/index.html b/CHANGELOG/index.html new file mode 100644 index 000000000..320380654 --- /dev/null +++ b/CHANGELOG/index.html @@ -0,0 +1,8159 @@ + + + + + + + + + + + + + + + + + + + + + + + Changelog - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Changelog#

+

3.4.0 (2024-12-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] Enhance Crowdstrike Falcon integration with TheHive #1296
  • +
+

Merged pull requests:

+ +

3.3.8 (2024-11-08)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] OpenCTI Analyzer #1280
  • +
  • [Bug] Requirements don't get installed for new responder #1259
  • +
  • [Bug] Fortiguard parser error #1228
  • +
  • [Bug][URLhaus_2_0] - Empty summary for positive results #1210
  • +
  • [FR] Add Microsoft 365 Defender responder for Tenant Allow/Block List #1102
  • +
  • [FR] Add EchoTrail analyzer #1099
  • +
  • [Bug] KnowBe4 Responder Missing Config Options #1086
  • +
  • [FR] JAMF Protect Prevent list responder #1292
  • +
  • [FR] Add AWS Lambda responder #1289
  • +
  • [FR] Censys Analyzer v2 #1287
  • +
  • [FR] Fix the version of TheHive4py dependencies in existing responders #1281
  • +
  • [Bug] Phistank analyzer failing #1276
  • +
  • New Analyzer: QrDecode #1274
  • +
  • [FR] Update Triage Analyzer to Configure Sandbox API #1263
  • +
  • [FR] mail-subject dataType should be used instead of mail_subject #1260
  • +
  • [FR] EclecticIQ Responder #1257
  • +
  • [FR] EclecticIQ Analyser #1255
  • +
  • [FR] Added capabilities/features for Microsoft Defender for Endpoint responder #1229
  • +
  • [FR]Binalyze AIR responder #1218
  • +
  • AWX Responder #1213
  • +
  • Add a responder to send case information to Telegram #1132
  • +
  • Hybrid Analysis Analyzer not working anymore #1090
  • +
  • [FR] DNSDumpster analyzer #1056
  • +
  • [FR] Okta User Lookup Analyzer #1047
  • +
  • Abuse_Finder_3_0 [KeyError: '\s'] #940
  • +
  • TorBlutmagie_1_0 doesn't work [Bug] #829
  • +
  • New Analyzer: Fireeye Capa (WIP) #822
  • +
+

Merged pull requests:

+ +

3.3.7 (2024-04-11)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] MISP_2_1 analyzer #1249
  • +
  • 'Triage' analyzer adapation to fit Recorded Future solution (based on Triage) #1237
  • +
  • [Bug] Proofpoint error: "Unexpected Error: Strings must be encoded before hashing" #1250
  • +
+

Merged pull requests:

+
    +
  • #1250 fix: use file_digest to hash file #1251 (To-om)
  • +
+

3.3.6 (2024-02-16)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] CrowdSec Analyzer: requests module missing #1227
  • +
+

Merged pull requests:

+ +

3.3.5 (2024-02-05)#

+

Full Changelog

+

Merged pull requests:

+
    +
  • Updated ONYPHE documentation. Fixed potential naming conflict with legacy analyzer. #1244 (jimbobnet)
  • +
  • New ONYPHE Search, ASM and Vulnscan analyzers. Updated Summary Analyzer. #1242 (jimbobnet)
  • +
  • Fix missing requirements.txt in CrowdSec Analyzer #1224 (AlteredCoder)
  • +
  • StamusNetworks: fix error on empty network info #1220 (regit)
  • +
+

3.3.4 (2024-01-10)#

+

Full Changelog

+

Closed issues:

+
    +
  • New Analyzer: QR Code Parser #1238
  • +
  • [FR] Include additional intelligence from Recorded Future enrichment #1231
  • +
  • [Bug] Virustotal Analyzer Docker stuck "In Progress" #1239
  • +
+

3.3.3 (2023-12-28)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Misp Analyzer #1235
  • +
+

Merged pull requests:

+ +

3.3.2 (2023-08-28)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] sveral fixes for 3.3.1 #1214
  • +
+

Merged pull requests:

+ +

3.3.1 (2023-08-18)#

+

Full Changelog

+

3.3.0 (2023-08-16)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] Azure Sign In Retriever #1211
  • +
  • [Bug] Azure Revoke Session Token Responder #1202
  • +
  • [FR] Add Bypass option for Duo Security responder #1200
  • +
  • Missing requirements from analyzers #1171
  • +
  • [Bug] Checkpoint responder not building #1209
  • +
  • [Bug] VirusTotal get report ip_addresses do not return 'resolutions' #1204
  • +
  • [Bug] VirusTotal get report ip_addresses do not return report summary #1203
  • +
  • [Bug] OpenCTI Analyser #1182
  • +
  • [FR] Rename LastInfoSec Analyzer to Gatewatcher and add feature #1152
  • +
  • HarfangLab responder contribution #1125
  • +
+

Merged pull requests:

+ +

3.2.9 (2023-05-04)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] in-progress - Analyzer - Crowdstrike API to enrich observables #1176
  • +
+

3.2.8 (2023-03-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Eml Parser except Exception as e: error (Extra Spaces) in parse.py #1168
  • +
+

3.2.7 (2023-03-09)#

+

Full Changelog

+

Merged pull requests:

+ +

3.2.6 (2023-03-02)#

+

Full Changelog

+

Merged pull requests:

+
    +
  • CrowdSec: Set user agent of crowdsec analyzer to crowdsec-cortex/v1.0.0 #1164 (sbs2001)
  • +
+

3.2.5 (2023-03-01)#

+

Full Changelog

+

3.2.4 (2023-03-01)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Analyzer Crt_sh_Transparency_Logs_1_0 not working #1139
  • +
  • [Bug] Analyzer GoogleDNS_resolve_1_0_0 not working #1136
  • +
  • [Bug] Container for analyzer FalconSandbox missing dependencies #1108
  • +
  • [FR] New Analyzer: Palo Alto Wildfire Sandbox #910
  • +
  • [Bug] error with emlparser #1162
  • +
  • [Bug] ProofPoint_Lookup_1_0 fails with "Strings must be encoded before hashing" #1160
  • +
  • [Bug] Analyzer Maltiverse_Report_1_0 type url not working #1140
  • +
  • [Bug] Censys analyzer not working #1134
  • +
+

Merged pull requests:

+ +

3.2.3 (2022-11-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Falcon Responder: update python path #1131
  • +
  • [Bug] Virustotal not working correctly with proxy settings #1130
  • +
  • [Bug] MSDefender Responder has no module named cortexutils #1107
  • +
+

3.2.2 (2022-10-27)#

+

Full Changelog

+

Closed issues:

+
    +
  • update version of Emlparser report template #1129
  • +
+

3.2.1 (2022-10-25)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] fix perms on main programs #1128
  • +
+

3.2.0 (2022-10-21)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] Upgrade OpenCTI analyzer for v4 compatibility #929
  • +
  • Updates for documentation website #1113
  • +
  • Build and manage images of private and custom analyzers/responders #1112
  • +
  • little improvements #1110
  • +
  • [FR] Virustotal Analyzer and VT API v3? (v2 will go offline soon) #1012
  • +
  • [FR] Verifalia analyzer #1007
  • +
  • [FR] ThreatMiner analyzer #1005
  • +
  • [FR] Kaspersky Threat Intelligence Portal analyzer #1003
  • +
  • [FR] IP-API analyzer #1001
  • +
  • [FR] CheckPhish Analyzer #997
  • +
  • [FR] Bitcoin Abuse Analyzer #995
  • +
  • [FR] SentinelOne Hash Blacklister (Responder) #781
  • +
+

Merged pull requests:

+ +

3.1.1 (2022-06-21)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] programs are missing executable permission #1106
  • +
  • [Bug] Can't install dependencies for MSDefenderEnpoints #1105
  • +
  • [Bug] Docker image CIRCLHashlookup built without the execute bit on the python script #1101
  • +
  • [Bug] Shuffle_1_0 docker Permission denied #1091
  • +
  • [Bug] Elasticsearch_Analysis_1_0 docker Permission denied #1089
  • +
+

3.1.0 (2022-06-20)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] CIRCLHashlookup 1.1 #1077
  • +
  • [Bug]FalconCustomIOC Endpoint changed #1075
  • +
  • [FR] Allow analysts to mark an untouched task to not be deleted when closing the case #1072
  • +
  • [QUESTION] Get analyser jobs per case ? #1070
  • +
  • [FR] Get analyser jobs per case #1067
  • +
  • [DOC] How to create custom Analyzers or Responders catalogs #1060
  • +
  • [Bug] VirusTotal_GetReport_3_0 Error 403 #946
  • +
  • [Bug] CortexNeurons error parsing version in analyzer.json or responder.json #901
  • +
  • System proxy settings not set using global configuration #884
  • +
  • [Bug] EmlParser reports does not display correctly on small screens #1042
  • +
  • [Bug] Ldap_Query_2_0 Cortex Analyzer uid_search_field is missing Error #1030
  • +
  • [FR] Zscaler analyzer (New) #982
  • +
  • [FR] Cylance analyzer (New) #980
  • +
  • Censys analyzer is failing #917
  • +
  • [FR] Develop Responder for Microsoft Defender for Endpoint #908
  • +
  • Analyzer for Crowdstrike Falcon X - Sandbox #796
  • +
+

Merged pull requests:

+ +

3.0.3 (2021-11-15)#

+

Full Changelog

+

Closed issues:

+
    +
  • [BUG] error=2, No such file or directory when running responder #1041
  • +
  • [Bug] FileInfo cannot build successfully #1019
  • +
  • [Bug][EMLParser] incomplete headers #976
  • +
+

3.0.2 (2021-08-05)#

+

Full Changelog

+

3.0.1 (2021-07-29)#

+

Full Changelog

+

3.0.0 (2021-07-27)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] Hashlookup (CIRCL) #1014
  • +
  • [FR] Improve MISP analyzer results #984
  • +
  • [Bug] Malware Clustering - py2neo #983
  • +
  • Update Cyberprotect Analyzer #973
  • +
  • [FR] Update GreyNoise Analyzer to support Community API #969
  • +
  • [FR] New Analyzer: Diario #966
  • +
  • [FR] Analyzer for Scirius Security Platform #958
  • +
  • [Improvement] EmlParser: manage report new observables of type 'file' #937
  • +
  • [FR] GreyNoise V3 - API update #912
  • +
  • [Doc] Check schema flavor json files #900
  • +
  • FileInfo: Add default value for manalyze_enable #881
  • +
  • Improve DShield #879
  • +
  • [Bug] Mail Responder recipient address not found in tags #860
  • +
  • [OSCD Initiative] Develop Responder for Gmail #859
  • +
  • [OSCD Initiative] Develop Responder for Azure Active Directory #858
  • +
  • [OSCD Initiative] Develop Responder for Palo Alto NGFW #855
  • +
  • [FR] Update AnyRun Analyzer to include privacy setting #853
  • +
  • [Bug] OTXQuery_2_0 analyzer does not work #850
  • +
  • [Bug] Wazuh Responder Not Working #844
  • +
  • New Analyzer: ElasticSearch Query #841
  • +
  • [FR] Merge new VMRay Analyzer #824
  • +
  • [Bug] CIRCLPassiveSSL uncaught exception on unexpected server behavior #805
  • +
  • [improvements] EMLParser: ensure observables are reported only once and detect URL in HTML messages #793
  • +
  • Add Analyzer for GRR #570
  • +
  • New Analyser: Strings #315
  • +
+

Merged pull requests:

+ +

2.9.7 (2021-07-27)#

+

Full Changelog

+

2.9.6 (2021-07-27)#

+

Full Changelog

+

2.9.5 (2021-07-27)#

+

Full Changelog

+

Closed issues:

+
    +
  • GET /api/analyzerconfig/nameofbaseconfig returned 404 #978
  • +
  • [Bug] Cortex Responders How to get task log content? #975
  • +
  • hook #972
  • +
  • Issue with analyzer developement - Specific problem #968
  • +
  • Unable to querry date to cortex analyser #965
  • +
  • [Bug]Cisco Umbrella Responder #954
  • +
  • [Bug] OpenCTI analyser: missing Python module? #945
  • +
  • Analyzers don't work #939
  • +
  • [Bug] TheHive can't execute Analyser on multi-organization Cortex #938
  • +
  • [Bug] Anyrun_Sandbox_Analysis_1_0 report-template is not correctly named according to documentation #935
  • +
  • [Bug] FileInfo_7_0 error if msg has encrypted zip attachment #924
  • +
  • IVRE-based analyzer #922
  • +
  • [FR] Responder which sends a mail with a detailed incident status #920
  • +
  • [FR] Virustotal custom functionality #899
  • +
  • [Bug] mispwarninglist update errors when using database backend #890
  • +
  • [OSCD Initiative] Develop Responder for Duo Security #857
  • +
  • [Improvement] FileInfo should include actual attachments in the report #839
  • +
  • [FR] DNSDB analyzer - more limiter options #770
  • +
+

2.9.4 (2021-02-05)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Hashdd not working #931
  • +
  • [Bug] Changes to Application.conf #918
  • +
  • [Bug] Abuse_Finder analyzer fails #914
  • +
  • FileInfo_7_0 #905
  • +
  • [Bug] Splunk search analyzer - Password is not hidden #903
  • +
  • [Bug] Splunk TypeError jobResult["resultCount"] implicit int cast #896
  • +
  • [Bug] Retrieve email headers #895
  • +
  • [Bug] MineMeld responder domain IOC incorrect type #892
  • +
  • mispwarninglist with postgres initialization not working #885
  • +
  • LDAP3 Module not found on cortex analyser #883
  • +
  • Drone: improve process of catalogs generation and package of template #882
  • +
  • Cortex Analysers problem #878
  • +
  • [Bug] FileInfo/fileinfo_analyzer.py Missing Library #866
  • +
  • [Bug] OTX analyser no requests module on line 4 #818
  • +
  • EML_Parser auto extract URL and Attachment as observable #395
  • +
+

2.9.3 (2020-10-16)#

+

Full Changelog

+

2.9.2 (2020-10-15)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] TalosReputation_1_0. Failed to query Talos details. Status_code 503 #874
  • +
  • [Bug] EmlParser_1_2 fails to find iocextract library despite it being installed. #871
  • +
  • [Bug] #867
  • +
  • [Bug] Mailer Responder not working within tasks #846
  • +
  • [Bug] Fix doc #838
  • +
  • [Bug]Robtex api end point are no longer valid? #821
  • +
  • [Bug]Pulsedive analyzer doesn't work #788
  • +
  • [Bug] Msg_Parser_2_0 #601
  • +
  • Malwareconfig Lookup and Yara Rule Additions #174
  • +
+

2.9.1 (2020-08-13)#

+

Full Changelog

+

2.9.0 (2020-08-12)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Docker images of some responders are not built #834
  • +
  • PhishTank_CheckURL_2_1 doesn't work[Bug] #833
  • +
  • [FR] Velociraptor Analyzer/Responder #579
  • +
  • [Bug] Mailer_1_0 not working #835
  • +
  • PhishingInitiative_Scan_1_0 doesn't work[Bug] #832
  • +
  • Hashdd_Detail_1_0 doesn't work [Bug] #831
  • +
  • MalwareBazaar_1_0 doesn't support types of observables, but writed that it does[Bug] #830
  • +
  • MISPWarninglists analyzer doesn't work [Bug] #827
  • +
  • New Analyzer: ForcepointWebsensePing #817
  • +
  • [FR] add SpamAssassin analyzer #810
  • +
  • [PATCH] Implement some other ONYPHE simple APIs (but still not the search API) #372
  • +
+

Merged pull requests:

+ +

2.8.7 (2020-08-03)#

+

Full Changelog

+

Closed issues:

+
    +
  • Robtex_IP_Query_1_0 doesn't work [Bug] #828
  • +
+

2.8.6 (2020-07-15)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] VirustotalDownloader docker image not available #820
  • +
+

2.8.5 (2020-07-13)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] Splunk search analyzer #791
  • +
+

2.8.4 (2020-07-02)#

+

Full Changelog

+

2.8.3 (2020-07-02)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] missing simplejson lib in ThreatGrid analyzer #812
  • +
+

2.8.2 (2020-07-02)#

+

Full Changelog

+

2.8.1 (2020-07-02)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] New Analyzer: LastInfoSec IoC Analysis #753
  • +
  • [Bug] IntezerCommunity Analyser: Permission denied #801
  • +
+

2.8.0 (2020-06-30)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] Rename Lis_GetReport analyzer to LastInfoSec #808
  • +
  • [Bug] JSONDecodeError with dockerized analyzers #800
  • +
  • EML-Parser Requirements file missing pip requirement #792
  • +
  • [Bug] MineMeld_1_0 Obesrvable not reaching destination. #773
  • +
  • [Bug] Abuse_Finder : pythonwhois dependency tree broken #742
  • +
  • ELK - Elasticsearch or Kibana analyzer (contribution survey) #419
  • +
  • Remove catalogs #789
  • +
  • [Bug] Wazuh responder not working. #778
  • +
  • [Bug] Minemeld Responder: No module named 'requests' #774
  • +
  • WOT: Moving from legacy to the new endpoint #771
  • +
  • New Responder: Virustotal Downloader #765
  • +
  • ThreatResponse analyzer fails #759
  • +
  • [FR] SendGrid based mail delivery via HTTPS API #738
  • +
  • [FR] Mailer should support TLS/START-TLS and authentication #737
  • +
  • Use APIv2 in Onyphe analyers #736
  • +
  • Mailer incorrectly informes about missing receipient address in artifacts for Case object #379
  • +
+

Merged pull requests:

+ +

2.7.0 (2020-05-15)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] MaxMind #752
  • +
  • json.dump \n and \" #743
  • +
  • [Bug] Yeti Analyzer docker images pip installing pyeti #708
  • +
  • [Bug] FireHOLBlocklists No such file or directory #707
  • +
  • [Bug] Worker cannot be run #595
  • +
  • New analyzer : Google Vision API #298
  • +
  • BlueCoat Malware Analysis Sandbox Analyzer #145
  • +
  • [Bug] EmailRep #750
  • +
  • [Bug] Shodan Analyzer: Inconsistent Key References #748
  • +
  • New Analyzer: ANY.RUN #734
  • +
  • [discussion] Mispwarninglist analyzer speed issue and proposed improvement #731
  • +
  • New Analyzer: OpenCTI #723
  • +
  • New Analyzer: MalwareBazaar #722
  • +
  • Improvement: extract IOCs from EmlParser #710
  • +
  • [Bug] DNSDB Analyzer Python 3 incompatability #613
  • +
  • [FR] CyberChef Analyzer #600
  • +
  • [Bug] Crt_sh_Transparency_Logs_1_0 - No JSON object could be decoded #594
  • +
  • [FR] Yeti Analyzer - SSL error with self signed certificate #468
  • +
  • Cortex Responder for creating RT (Request Tracker) tickets out of TheHive #430
  • +
  • [Bug] TheHive isn't showing error messages from responders #429
  • +
+

Merged pull requests:

+ +

2.6.0 (2020-03-25)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Importing Templates of Analyzers in Hive #704
  • +
  • Responder Cisco AMP for Endpoints #593
  • +
  • Analyzer Cisco Threat Response #592
  • +
  • MISP-Warninglists Analyzer Outdated #569
  • +
  • [Bug] VMRay Returns Error #520
  • +
  • Invalid requirements in responder FalconCustomIOC requirements.txt #509
  • +
  • ClamAV New analyzer #311
  • +
  • New Analyzer: Mnemonic PDNS (Public & Closed) #255
  • +
  • CISCO AMP Sandbox Analyzer #146
  • +
  • [Bug] FileInfo does not run Oletools submodule for a doc #705
  • +
  • [Bug] Investigate Analyzer Broken #703
  • +
  • [Bug] AbuseIPDB analyzer returns error #701
  • +
  • Analyzers missing cortexutils in requirements.txt #695
  • +
  • [Bug] abuselpdb stop stupport APIv1 #618
  • +
  • [Bug] All Onyphe analyzer return "Invalid output" #591
  • +
  • [Bug] Mailer 1_0 #573
  • +
  • Intezer Community analyzer #504
  • +
  • Analyzer Feature: URLScan.io "Scan" Service #405
  • +
  • New Analyzer: NSRL check #391
  • +
+

Merged pull requests:

+ +

2.5.0 (2020-02-24)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Umbrella Investigate report error message 'Unknown Investigate service or invalid data type' #698
  • +
  • IPVoid IP reputation API #454
  • +
  • [Bug] Cuckoo Analyzer Fails when it hasn't been executed for many hours #437
  • +
  • Virusshare analyzer: suggesting another way to retrieve hash file names #359
  • +
  • Issue with Cuckoo Sanbox Analyzer #148
  • +
  • Cuckoo analyzer sometimes failes #114
  • +
+

Merged pull requests:

+ +

2.4.1 (2020-02-11)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] MaxMind_GeoIP_3_0 #564
  • +
  • Emailrep.io analyzer #466
  • +
  • IPinfo analyzer #462
  • +
  • Maltiverse Analyzer #440
  • +
  • [FR] Spamhaus DBL Analyzer #436
  • +
  • New Analyzer: SoltraEdge #264
  • +
  • Error when building docker image for MalwareClustering #620
  • +
  • Abuse Finder not working with docker after force usage of python3 #619
  • +
  • Rename AUTOFOCUS analyzers to Autofocus #616
  • +
  • [Bug] Permission Denied on Analyzer Execution #614
  • +
  • [Bug] VirusTotal script elif statement ends with semicolon typo #610
  • +
  • FileInfo_7_0 -- msg-Extract #545
  • +
+

2.4.0 (2020-02-10)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] SSL verification failing for majority of analyzers. #605
  • +
  • Cisco Umbrella Investigate Analyzer [FR] #583
  • +
  • [Bug] JoeSandbox analyzer fails if terms and conditions are not accepted #565
  • +
  • [Bug] Can't Remove an Analyzer #528
  • +
  • PayloadSecurity analyzer sslverify config conversion bug. #185
  • +
  • [Bug] MISP 2.0 analyzer search crashes the MISP instance #602
  • +
  • Add Wazuh Responder #578
  • +
  • [FR] Palo Alto Minemeld Responder #577
  • +
  • [FR] Team Cymru Malware Hash Registry Analyzer #576
  • +
  • OTXQuery Error - No module named requests #574
  • +
  • [Bug] Abuse_Finder_2_0 #566
  • +
  • New Responder: KnowBe4 (WIP) #548
  • +
  • [FR] Analyzer for PaloAltoNetworks Autofocus service #472
  • +
  • Force python3 in all analyzers #361
  • +
+

Merged pull requests:

+ +

2.3.0 (2019-11-28)#

+

Full Changelog

+

Closed issues:

+
    +
  • Old non-existent analysers showing in Cortex [Bug] #553
  • +
  • [Bug] Custom responder not working after upgrade to cortex 3 #542
  • +
  • [Bug] ThreatCrowd analyzer not respecting Max TLP value #527
  • +
  • [Bug]Missing baseConfig in two Analyzsers #508
  • +
  • FileInfo_5_0 Cannot parse PDF files #495
  • +
  • [Bug] MISP analyzer does not connect to MISP #480
  • +
  • MaxMind Analyzer: Use commercial databases with geoipupdate #474
  • +
  • [Bug] Missing module dependencies on responders #561
  • +
  • [Bug] #552
  • +
  • [Bug] Requests module is missing in PhishTank checkurl analyzer docker image #551
  • +
  • Add mime types of encrypted documents #550
  • +
  • [Bug] Cuckoo Sandbox 2.0.7 #544
  • +
  • [Bug] Docker build fails due to spaces in some responders #540
  • +
  • Talos Analyzer No Longer Works #521
  • +
  • [Bug] Fortiguard: Category parsing does not handle "-" #493
  • +
+

Merged pull requests:

+ +

2.2.0 (2019-10-01)#

+

Full Changelog

+

Closed issues:

+
    +
  • Template reports problem with custom analyzers #526
  • +
  • [Bug] VirusTotal_GetReport does not work anymore #519
  • +
  • [Bug] Cortex Analyzers Invalid output #515
  • +
  • [Bug] FileInfo crashes with some PDF #536
  • +
  • [Bug] Hybrid Analysis getReport fails with observable with datatype = file #535
  • +
  • [FR] Manage encrypted Office documents in FileInfo #533
  • +
  • [FR] Responder "request for takedown" in Zerofox #532
  • +
  • [FR] Responder "Close Alert" for Zerofox #531
  • +
  • [Bug] HIBP Analyser no longer works #524
  • +
  • [FR] Use HEAD instead of GET in UnshortenLink #506
  • +
  • [Misc] Remove Cymon analyzer #489
  • +
  • [Bug] Umbrella_Report_1_0 analyzer returning Invalid output #459
  • +
  • Responder QRadarAutoClose #441
  • +
  • Responder: Block a "domain" observable via BIND RPZ DDNS update #435
  • +
  • Encoding error in Shodan results #322
  • +
  • Option to ignore SSL errors from analyzers #228
  • +
+

Merged pull requests:

+ +

2.1.8 (2019-07-12)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] PassiveTotal SSL Certificate History analyzer always report at least one record, even if there isn't one #513
  • +
+

2.1.7 (2019-07-10)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] FortiGuard cannot parse response content #491
  • +
  • New analyzer: Talos Reputation #426
  • +
  • Threatcrowd, TorBlutmagie, TorProject not displayed #414
  • +
  • OTXQuery_2_0 Error when submitting IP address #363
  • +
  • Dockerising analyzers #246
  • +
  • Analyzer Template Check-Up #213
  • +
+

2.1.6 (2019-06-21)#

+

Full Changelog

+

Closed issues:

+
    +
  • Missing request lib in the docker of Fortiguard analyzer #503
  • +
+

Merged pull requests:

+ +

2.1.5 (2019-06-20)#

+

Full Changelog

+

Closed issues:

+
    +
  • Docker for EmlParser is not working, python-magic is missing #502
  • +
+

2.1.4 (2019-06-20)#

+

Full Changelog

+

Closed issues:

+
    +
  • TalosReputation : not cortexutils in requirements.txt #501
  • +
+

2.1.3 (2019-06-17)#

+

Full Changelog

+

Closed issues:

+
    +
  • Problem with iocp requirement #500
  • +
+

2.1.2 (2019-06-16)#

+

Full Changelog

+

2.1.1 (2019-06-16)#

+

Full Changelog

+

2.1.0 (2019-06-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] IBM X-Force Analyzer adds an extra slash which prevents it from running correctly #487
  • +
  • "errorMessage": "Missing dataType field" #481
  • +
  • Hashdd_Detail_1_0 throwing error #461
  • +
  • Cuckoo Sandbox Analyzer error #458
  • +
  • "errorMessage": "Invalid output\n" on Mail Responder #452
  • +
  • [Bug] EmlParser has incomplete header #484
  • +
  • [Bug] OpenXML files detected as zip but ignored by Oletools. #475
  • +
  • [Bug] Malwares_GetReport_1_0 #470
  • +
  • FileInfo : extract URL from documents like PDF or Office #465
  • +
  • Use up to date msg-Extract lib in FileInfo #464
  • +
  • [FR] Updated crt.sh Analyzer #438
  • +
+

Merged pull requests:

+ +

2.0.1 (2019-04-05)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Bug] Invalid version for stable Docker image #453
  • +
+

2.0.0 (2019-04-05)#

+

Full Changelog

+

Closed issues:

+
    +
  • [Help Wanted] First Analyser #449
  • +
  • [FR] Remove contrib folder #451
  • +
  • [FR] Add support to dockerized analyzers #450
  • +
+

1.16.0 (2019-03-27)#

+

Full Changelog

+

Closed issues:

+
    +
  • Different analyzer results between manually built instance and trainingVM #442
  • +
  • [Bug] #433
  • +
  • Crowdstrike Falcon Responder #423
  • +
  • Backscatter.io Analyzer #422
  • +
  • AbuseIPDB analyzer creation #353
  • +
+

Merged pull requests:

+ +

1.15.3 (2019-02-28)#

+

Full Changelog

+

Closed issues:

+
    +
  • [FR] New URLhaus API #431
  • +
  • Proofpoint analyzer fails Unexpected Error: Unicode-objects must be encoded before hashing #417
  • +
+

Merged pull requests:

+ +

1.15.2 (2019-02-11)#

+

Full Changelog

+

Closed issues:

+
    +
  • Analyzer creation : "invalid output" #412
  • +
  • EmlParser_1_1 not parsing .msg files #401
  • +
  • MISP Analyzer only queries first configured MISP instance #378
  • +
  • Issue with encoding in mailer responder #416
  • +
  • Restrict UnshortenLink usage to urls without IPs and/or ports #413
  • +
  • Crtsh Analyzer: crt.sh result is a nested list #410
  • +
  • MISP: fix requirements; enum not required for python 3.4+ #409
  • +
  • FileInfo Manalyze - [plugin_btcaddress] Renamed to plugin_cryptoaddress. #408
  • +
  • Bug: a broken link in the Cymon_Check_IP report #406
  • +
  • Wrong File handling in OTXQuery Analyzer #313
  • +
+

Merged pull requests:

+
    +
  • Fix for #410 removed wrapping of crt.sh result in a list #411 (sprungknoedl)
  • +
  • Fix a broken link in the Cymon_Check_IP report #407 (ninoseki)
  • +
+

1.15.1 (2019-01-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • Wrong command path in HIBP_Query.json #404
  • +
  • Malwares Analyzer for Python 3.4+ #402
  • +
+

Merged pull requests:

+
    +
  • make code python 3.4 compatible #403 (dadokkio)
  • +
  • fix the lack of dependency called enum in ubuntu 16.04 #398 (yojo3000)
  • +
+

1.15.0 (2018-12-20)#

+

Full Changelog

+

Closed issues:

+
    +
  • Analyzer report samples/examples #390
  • +
  • Improvement: Eml_Parser Analyzer & Template #394
  • +
  • New Analyzer: Cisco Umbrella Reporting #385
  • +
  • Cisco Umbrella Blacklister Responder #382
  • +
  • New analyzer : Cyberprotect ThreatScore #373
  • +
  • New Analyzer: SecurityTrails #370
  • +
  • Fortigard Report Template needs to be updated with new reclassification url #345
  • +
  • Revamp Shodan analyzer #327
  • +
  • Update DomainTools analyzer with new flavors #320
  • +
  • Add support for query parameters in DNSDB #318
  • +
  • Analyzer - Haveibeenpwned.com Lookup #190
  • +
+

Merged pull requests:

+ +

1.14.4 (2018-12-05)#

+

Full Changelog

+

Closed issues:

+
    +
  • New Analyzer: ';--have i been pwned? #388
  • +
  • Add option to specify SMTP Port for Mailer Responder #377
  • +
  • Virustotal: update short reports to distinguish Scan from GetReport flavors #389
  • +
  • msg-extractor library has been updated and brakes FileInfo analyzer #384
  • +
+

1.14.3 (2018-11-28)#

+

Full Changelog

+

Closed issues:

+
    +
  • CERTatPassiveDNS_2_0 Invalid File for WHOIS.sh #349
  • +
  • eml_parser Unexpected Error: list index out of range #352
  • +
+

1.14.2 (2018-11-16)#

+

Full Changelog

+

Closed issues:

+
    +
  • Fix URLHaus long template #375
  • +
+

1.14.1 (2018-11-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • FileInfo 5.0 Dockerized .exe analysis #369
  • +
  • Proofpoint analyzer definition missing the configuration objects #366
  • +
+

Merged pull requests:

+
    +
  • fix in case GSB value is missing #365 (garanews)
  • +
  • fix: "cut: the delimiter must be a single character" #364 (garanews)
  • +
  • Fix for Fortiguard to handle FQDNs as well as domains and urls #358 (phpsystems)
  • +
+

1.14.0 (2018-10-26)#

+

Full Changelog

+

Closed issues:

+
    +
  • Joe Sandbox Analyzer returning error with Joe Sandbox Cloud Pro #357
  • +
  • Yara analyzer: 'can't open include file' #354
  • +
  • Cortex Responder - Invalid Output #331
  • +
  • Add support to responders in cortexutils #316
  • +
  • Could not get Yeti analyzer worked in cortex #307
  • +
  • IPv4 address Extractor regex does not match only IPv4 address #198
  • +
  • MISP WarningLists CIDR notation support #197
  • +
  • Request for a Cortex Analyzer for Recorded Future #102
  • +
  • Fixes file not found issue and empty result set in CERT.at passive dns analyzer #362
  • +
  • Add RTF support in FileInfo #360
  • +
  • Force python3 for MISP-Analyzer #356
  • +
  • PassiveTotal_Passive_Dns_2_0 ordering issue #329
  • +
  • Add new flavors in Onyphe analyzer #324
  • +
  • HybridAnalysis analyzer does not properly handle filenames on some cases #323
  • +
  • New Analyzer: Investigate #309
  • +
  • New analyzer : Google DNS over HTTPS #306
  • +
  • Improve error msg when VT Get Report does not have an entry for #248
  • +
  • Urlscan Analyzer #131
  • +
  • Proofpoint Forensics Lookup #117
  • +
+

Merged pull requests:

+ +

1.13.2 (2018-10-16)#

+

Full Changelog

+

Closed issues:

+
    +
  • Cuckoo file submission Analyzer error #177
  • +
+

1.13.1 (2018-09-19)#

+

Full Changelog

+

Closed issues:

+
    +
  • Wrong datatype in artifact() in DShield analyzer #344
  • +
+

1.13.0 (2018-09-18)#

+

Full Changelog

+

Closed issues:

+
    +
  • Cortex Responder - "thehive:log" datatype #343
  • +
  • DomainTools Analyzer Risk is broken. Gives authentication errors #338
  • +
  • Cortex-analyzer deb package? #336
  • +
  • Fix issues with VMRay analyzer #332
  • +
  • StopForumSpam analyzer #205
  • +
  • Fireeye iSIGHT Analyzer #160
  • +
  • Fix code in Domaintools analyzer #341
  • +
  • Wrong template in C1fApp analyzer short report #340
  • +
  • Whois History has no mini report #339
  • +
  • MISP Analysis failes #335
  • +
  • [URLhaus] Change of format from URLhaus #308
  • +
  • New analyzer: Pulsedive #303
  • +
  • FortiGuard URL: taxonomy is too rigid #295
  • +
  • New analyzer : Hunter.io #293
  • +
  • Manalyze analyzer #116
  • +
+

Merged pull requests:

+ +

1.12.0 (2018-07-31)#

+

Full Changelog

+

Closed issues:

+
    +
  • Analyzer Running Issues : Invalid Output error on Cortex GUI #302
  • +
+

Merged pull requests:

+ +

1.11.0 (2018-07-13)#

+

Full Changelog

+

Closed issues:

+
    +
  • disable #301
  • +
  • New analyzer: DShield #299
  • +
  • New Analyzer: hashdd #282
  • +
  • Analyzer Issue : Abuse_Finder #277
  • +
  • New DomainTools API services requires new analyzer #240
  • +
  • Malwares analyzer has wrong api URL #292
  • +
  • remove double quotes in short reports #291
  • +
  • MISP analyzer certificate validation and name configuration #286
  • +
  • FileInfo fixes #281
  • +
  • Update DomainTools Analyzer to pull Risk and Proximity Score #214
  • +
  • [OS3 Hackathon] Refactor File_Info Analyzer #212
  • +
+

Merged pull requests:

+ +

1.10.4 (2018-06-23)#

+

Full Changelog

+

Closed issues:

+
    +
  • IBM X-Force and Abuse finder problems found in shorts and long report #290
  • +
+

1.10.3 (2018-06-18)#

+

Full Changelog

+

Closed issues:

+
    +
  • Ofuscating an IOC signature before analyzing on VT #288
  • +
  • New analyzer : Threatcrowd #243
  • +
  • IBM X-Force Exchange Analyzer #144
  • +
  • Msg_Parser analyser show for all files #136
  • +
  • API Keys to be submitted through Cortex for Analyzers #7
  • +
  • ibm xforce analyzer "show-all" buttons don't work #287
  • +
+

1.10.2 (2018-06-08)#

+

Full Changelog

+

Closed issues:

+
    +
  • Yara config for multi pathes is not parsing correctly in platform #274
  • +
  • Install analyzers in Red Hat Enterprise 7 #257
  • +
  • File encoding issue in Threatcrowd json file #283
  • +
  • IBMXForce template name #280
  • +
  • Allow to set self signed certificates in VMRay analyzer #279
  • +
  • IBMXforce Analyzer forces TLP1 #278
  • +
  • Greynoise minireport does not give any info when there is no record in report #275
  • +
  • encoding problem in ThreatCrowd #273
  • +
+

1.10.1 (2018-06-06)#

+

Full Changelog

+

Closed issues:

+
    +
  • Wrong name for Staxx report template #272
  • +
+

1.10.0 (2018-06-06)#

+

Full Changelog

+

Closed issues:

+
    +
  • Phishtank checkURL fails #261
  • +
  • New analyzer: malwares.com #251
  • +
  • DomainTools authentication appears to be broken #206
  • +
  • Release 1.10.0 #270
  • +
  • Create GreyNoise analyzer template #269
  • +
  • No short report in Hybrid-Analysis when there is no result #267
  • +
  • Payloadsecurity #262
  • +
  • Bug in EmergingThreats_MalwareInfo analyzer #258
  • +
  • Error in permalink in Cymon long report template #238
  • +
  • Add ip dataType to CERT.at Passive DNS analyzer #237
  • +
  • Grey Noise analyzer #231
  • +
  • URLhaus analyzer #226
  • +
  • cybercrime-tracker.net analyzer #220
  • +
  • Anomali Staxx Analyzer #180
  • +
+

Merged pull requests:

+ +

1.9.7 (2018-05-29)#

+

Full Changelog

+

Closed issues:

+
    +
  • extend templates with external libraries #250
  • +
  • Update analyzers configuration for Cortex2 #172
  • +
  • Bluecoat Analyzer #85
  • +
  • Yara no longer processing rules after cortex 2.0 update #245
  • +
+

1.9.6 (2018-04-25)#

+

Full Changelog

+

Closed issues:

+
    +
  • Yeti pyton lib fails to install for python_version > 2.7 #241
  • +
+

1.9.5 (2018-04-18)#

+

Full Changelog

+

Closed issues:

+
    +
  • VirusTotal Analyzer requirements missing from docker image #230
  • +
  • Remove emerging threat wrong template files #233
  • +
  • Censys analyzer : no uid given but the parameter is set #232
  • +
+

1.9.4 (2018-04-13)#

+

Full Changelog

+

Closed issues:

+
    +
  • CIRCLPassiveSSL_2_0 requires colons or dashes in hashes #229
  • +
  • Hybrid Analysis returns success when filename query didn't work #223
  • +
+

Merged pull requests:

+
    +
  • Fix JSB Url Analysis template #207 (ant1)
  • +
+

1.9.3 (2018-04-09)#

+

Full Changelog

+

Closed issues:

+
    +
  • Feature Request: haveibeenpwned.com #189
  • +
  • Fix the default config of Cymon_Check_IP analyzer #225
  • +
  • Restrict abuse_finder and file_info dependencies to Python 2.7 #224
  • +
  • MISPWarningLists Analyzer searches for hashes case sensitive #221
  • +
  • Bluecoat Categorization failes #216
  • +
  • View All in template long not working #208
  • +
  • Cuckoo Analyzer changes the name of the file #188
  • +
+

1.9.2 (2018-04-04)#

+

Full Changelog

+

Closed issues:

+
    +
  • Hybrid Analysis analyzer successful even if rate limit reached #215
  • +
  • Supper the new auto extract config name #219
  • +
  • Data field missing on file submission #218
  • +
  • OTXQuery_2_0 failes with Cortex2 #217
  • +
+

1.9.1 (2018-03-30)#

+

Full Changelog

+

1.9.0 (2018-03-29)#

+

Full Changelog

+

Closed issues:

+
    +
  • Fortiguard analyzer : use HTTPS to request fortiguard service #201
  • +
  • DomainTools_ReverseIP should accept fqdn and/or domain as datatype #193
  • +
  • Manage domain datatype in Name_history service of DNSDB analyzer #183
  • +
  • Manage fqdn datatype in domain_name service of DNSDB analyzer #182
  • +
  • Improve Phishtank maliciousness results #181
  • +
  • IP type for CIRCL Passive DNS and others #99
  • +
+

Merged pull requests:

+
    +
  • Fixes some problems with automatic artifact extraction #184 (3c7)
  • +
  • WIP: PEP8 all the things #165 (3c7)
  • +
  • added Malpedia Analyzer #168 (garanews)
  • +
  • Addedd cymon cortex analyzers #133 (ST2Labs)
  • +
+

1.8.3 (2018-03-23)#

+

Full Changelog

+

Closed issues:

+
    +
  • Abuse_Finder_2_0 - Invalid analyzer output format #211
  • +
  • Bug in Abuse_Finder Analyzer #161
  • +
+

1.8.2 (2018-03-21)#

+

Full Changelog

+

Closed issues:

+
    +
  • Cortex-Analyzer - MISP-plugin no "ssl-verify = False" option #210
  • +
  • Cortex-Analyzer - MISP-plugin without proxy support/recognition #209
  • +
  • Bug: FortiGuard URLCategory Failure #203
  • +
  • MISP WarningLists long report does not display results #195
  • +
  • error in MISP/requirements.txt #179
  • +
  • Cuckoo Permission Denied #178
  • +
  • MISP Analyzer Tag and Sightings pull #175
  • +
  • Onyphe_Ports_1_0 return bad data in JSON object #169
  • +
  • Joe Sandbox Analyzer returning error #156
  • +
+

Merged pull requests:

+ +

1.8.1 (2018-02-05)#

+

Full Changelog

+

Closed issues:

+
    +
  • Bluecoat analyzer fails if domain contains subdomain #173
  • +
  • Bug in Onyphe_Threats_1 analyzer #170
  • +
  • Malpedia (yara) Analyzer #166
  • +
  • Updating VMRay Analyzer to accept files as dataType #157
  • +
+

1.8.0 (2018-01-11)#

+

Full Changelog

+

Closed issues:

+
    +
  • MISP analyzer certpath option doesn't accept bool value #164
  • +
  • VirusShare downloader bash script bug #149
  • +
  • Censys.io analyzer #135
  • +
  • VirusTotal ignores Environment Proxies #130
  • +
  • TLP checks #96
  • +
  • C1fApp Analyzer #64
  • +
  • URLQuery Analyzer #18
  • +
  • Cuckoo Analysis Fails #162
  • +
  • MISP Warninglists analyzer #124
  • +
  • PayloadSecurity Sandbox #121
  • +
  • SinkDB Analyzer #112
  • +
  • C1fApp OSINT analyzer #103
  • +
  • TOR Exit Nodes IPs Analyzer #45
  • +
+

Merged pull requests:

+ +

1.7.1 (2017-12-06)#

+

Full Changelog

+

Closed issues:

+
    +
  • Issue with Shodan Analyzer #150
  • +
  • Analyzers using online query fails to use system proxy settings #143
  • +
  • Hippocampe Analyzer Fails #137
  • +
+

Merged pull requests:

+
    +
  • Rename hybridanalysis_analyzer.py to HybridAnalysis_analyzer.py #151 (treed593)
  • +
+

1.7.0 (2017-11-08)#

+

Full Changelog

+

Closed issues:

+
    +
  • PhishTank analyzer doesn't work #126
  • +
  • Cuckoo Analyzer requires final slash #113
  • +
  • Missing olefile in MsgParser requirements #101
  • +
  • VirusTotal URL Scan Bug #93
  • +
+

Merged pull requests:

+ +

1.6.5 (2017-11-05)#

+

Full Changelog

+

1.6.4 (2017-11-04)#

+

Full Changelog

+

Closed issues:

+
    +
  • Virusshare short report enhancements if SHA1 hash passed #115
  • +
  • name parameter for the MISP analyzer does behave as expected #94
  • +
  • MISP_2_0 analyzer does not seems compatible with python 2.7 #90
  • +
  • ET Intelligence Analyzer #79
  • +
  • Use naming conventions for analyzer config properties #33
  • +
  • Hybrid Analysis Analyzer #26
  • +
+

Merged pull requests:

+ +

1.6.3 (2017-09-10)#

+

Full Changelog

+

Closed issues:

+
    +
  • GoogleSafebrowsing Analyzer Fails with AttributeErrors #92
  • +
+

Merged pull requests:

+
    +
  • MISP Analyzer: forgot to add same procedure if using just one MISP-Server #91 (3c7)
  • +
+

1.6.2 (2017-09-04)#

+

Full Changelog

+

Closed issues:

+
    +
  • Invalid Yeti templates folder name #89
  • +
+

Merged pull requests:

+ +

1.6.1 (2017-09-04)#

+

Full Changelog

+

Closed issues:

+
    +
  • MISPClient.__init__, ssl parameter default to True but later used as filename #87
  • +
+

Merged pull requests:

+
    +
  • Fixes bug in MISP client #88 (3c7)
  • +
  • added WOT analyzer & fixed cuckoo templates issue #77 (garanews)
  • +
  • Cuckoo Sandbox Analyzer #50 (garanews)
  • +
+

1.6.0 (2017-07-27)#

+

Full Changelog

+

Closed issues:

+
    +
  • WOT analyzer #82
  • +
  • Add Analyzer for Yeti Platform #68
  • +
  • Cuckoo Sandbox Analyzer #23
  • +
+

1.5.1 (2017-07-13)#

+

Full Changelog

+

Closed issues:

+
    +
  • Yara analyzer doesn't recognize 'sha1' field name from Yara-rules #62
  • +
  • Virustotal Scan returning incorrect taxonomy on URL scan #74
  • +
+

1.5.0 (2017-07-05)#

+

Full Changelog

+

Closed issues:

+
    +
  • AlienVault OTX API change #70
  • +
  • Missing newlines in requirements.txt #60
  • +
  • Add missing check_tlp config to GoogleSafeBrowsing analyzer #71
  • +
  • Fix the URL configuration of Hippocampe analyzer #69
  • +
  • Build a taxonomy in cortexutils #66
  • +
  • Joe Sandbox 19: New Information in Reports #65
  • +
  • Review summary() and short reports for https://github.com/CERT-BDF/TheHive/issues/131 #56
  • +
  • Abuse_Finder analyzer analyzes "email" instead of "mail" #52
  • +
  • CERT.at PassiveDNS Analyzer #13
  • +
+

Merged pull requests:

+
    +
  • Fixed mistake in blocklist script, added error on missing config #67 (3c7)
  • +
  • There were no carriage returns so it would break if you wanted to mass install the analyzer requirements #61 (Popsiclestick)
  • +
+

1.4.4 (2017-06-15)#

+

Full Changelog

+

Closed issues:

+
    +
  • Inconsistance between long and short reports in MISP analyzer #59
  • +
+

1.4.3 (2017-06-15)#

+

Full Changelog

+

Closed issues:

+
    +
  • How Can I contribute with? #53
  • +
  • cortexutils fails to generate error reports when the analyzer has no config #57
  • +
  • Encoding problem in cortexutils #54
  • +
+

1.4.2 (2017-05-24)#

+

Full Changelog

+

1.4.1 (2017-05-23)#

+

Full Changelog

+

1.4.0 (2017-05-22)#

+

Full Changelog

+

Closed issues:

+
    +
  • Joe Sandbox Analyser Issue #44
  • +
  • Fortiguard API Changed #37
  • +
  • FireHOL blocklists analyzer #31
  • +
  • VMRay Analyzer #16
  • +
+

Merged pull requests:

+
    +
  • corrected for change to fortiguard portal #51 (ecapuano)
  • +
+

1.3.1 (2017-05-12)#

+

Full Changelog

+

1.3.0 (2017-05-08)#

+

Full Changelog

+

Closed issues:

+
    +
  • Report template for JoeSandbox_Url_Analysis #46
  • +
  • File_Info analyzer has problems examining pe files #38
  • +
  • Update the polling interval in VT scan analyzer #42
  • +
  • Make cortexutils compatible with python 2 and 3 #35
  • +
  • Unify short template reports to use appropriate taxonomy #34
  • +
  • Add author and url attributes to analyzer descriptior files #32
  • +
  • Virusshare.com analyzer #30
  • +
  • YARA Analyzer #19
  • +
  • Google Safe Browsing Analyzer #17
  • +
  • CIRCL.lu PassiveSSL Analyzer #12
  • +
  • CIRCL.lu PassiveDNS Analyzer #11
  • +
  • Cut python 2 dependency by replacing ioc-parser in cortexutils.analyzer #4
  • +
  • Nessus Analyzer #1
  • +
+

Merged pull requests:

+
    +
  • Automatic ioc extraction using RegEx #40 (3c7)
  • +
  • Added rate limit message for VirusTotal analyzer #39 (3c7)
  • +
  • Use StringIO.StringIO() with python2 #36 (3c7)
  • +
+

1.2.0 (2017-03-31)#

+

Full Changelog

+

Closed issues:

+
    +
  • OTXQuery : improve error handling #22
  • +
  • Analyzer Caching #6
  • +
  • Joe Sandbox Analyzer #27
  • +
  • MISP Analyzer #14
  • +
+

Merged pull requests:

+ +

1.1.0 (2017-03-07)#

+

Full Changelog

+

Closed issues:

+
    +
  • OTX Query error when processing a file in Cortex #21
  • +
  • Python \< 2.7 crashes on version check #10
  • +
  • VirusTotal GetReport can't get report for files from Cortex #9
  • +
  • Normalize analyzer's JSON configuration file #8
  • +
  • Analyzer Rate Limiting #5
  • +
  • Working on analyzers: CIRCL.lu PassiveSSL/DNS, CERT.AT PassiveDNS, MISP, IntelMQ, VMRay, Google Safebrowsing, URLQuery, yara #3
  • +
+

1.0.0 (2017-02-17)#

+

Full Changelog

+

Closed issues:

+
    +
  • "VirusTotal_Scan" analyzer is not checking for TLP #2
  • +
+

* This Changelog was automatically generated by github_changelog_generator

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/admin_guides/how-to-upgrade-analyzers-responders/index.html b/admin_guides/how-to-upgrade-analyzers-responders/index.html new file mode 100644 index 000000000..30dfa428f --- /dev/null +++ b/admin_guides/how-to-upgrade-analyzers-responders/index.html @@ -0,0 +1,4764 @@ + + + + + + + + + + + + + + + + + + + + + + + how-to-upgrade-analyzers-responders - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

How to upgrade analyzers & responders to the latest version#

+

This guide outlines the steps to take when there is a new release of Cortex-Analyzers so that you can benefit from the new or updated analyzers and responders.

+

There are three steps to perform, two of which require user action:

+
    +
  1. Catalog Update (automatic)
  2. +
  3. Configure Analyzers & Responders in Cortex (user action required)
  4. +
  5. Update Analyzers' Report Templates (user action required)
  6. +
+

Step 1: Catalog Update#

+

With TheHive version 5.0.14 and above and Cortex version 3.1.7 and above, Cortex automatically fetches and updates the catalog. As a result, you may receive a notification in TheHive indicating that action is required if there is any new version of an analyzer or responder you are already using.

+

This notification can be seen in the bottom left corner of your TheHive interface.

+

TheHive Notification for new analyzers/responders

+

Clicking on it will open a drawer indicating if there are any obsolete analyzers or responders.

+

TheHive Obsolete Analyzers

+

Step 2: Configure Analyzers & Responders in Cortex#

+

2a. Setting Up Newly Available Analyzers or Responders#

+

When new analyzers or responders are available, please refer to the changelog to review the new additions so you don't miss anything.

+

Then, perform the following steps:

+
    +
  • Log in to Cortex as an Org Administrator
  • +
  • Refresh Analyzers and Responders by navigating to the Organization section, selecting the Analyzers and Responders tab and pressing the Refresh button.
  • +
  • Enable new analyzers and responders you wish to use.
  • +
  • Configure the settings and authentication parameters as needed.
  • +
+

refresh responders

+

2b. Updating Obsolete Analyzers or Responders#

+

Analyzers or responders become obsolete when a new version is available.

+

Check for Updates in Cortex#

+
    +
  • Log in to Cortex as an Org Administrator to review available updates.
  • +
  • Look out for any red badge notifications, as they indicate actions that need your attention.
  • +
  • Refresh Analyzers and Responders by navigating to the Organization section, selecting the Analyzers and Responders tab and pressing the Refresh button.
  • +
+

obsolete analyzer refresh

+

Update Your Configuration#

+
    +
  • If there is a version increment, disable older versions that are no longer needed, and enable the new versions by pressing the "Enable" button on the newer one.
  • +
  • Configure the settings and authentication parameters as needed.
  • +
+

enable analyzer

+

Step 3: Update the Analyzers' Report Templates#

+

If you're using TheHive 5, remember to always import the new report templates into your instance. This step is essential for an optimal experience with the updated analyzers and responders. Otherwise, you may encounter issues with the report templates for the new analyzers.

+

Refer to the official documentation on how to update Analyzers templates in your TheHive tenant.

+

update-analyzers-template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/admin_guides/manage-private-custom-analyzers-responders/index.html b/admin_guides/manage-private-custom-analyzers-responders/index.html new file mode 100644 index 000000000..146835ad0 --- /dev/null +++ b/admin_guides/manage-private-custom-analyzers-responders/index.html @@ -0,0 +1,4808 @@ + + + + + + + + + + + + + + + + + + + + + + + manage-private-custom-analyzers-responders - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+ +
+
+ + + +
+
+ + + + + + + +

How to manage your private or custom Analyzers or Responders#

+

This guide propose a way to manage your own analyzers without publishing them or installing all dependencies on the host running Cortex.

+

Configure Cortex#

+

Make Cortex know of custom Analyzers and Responders.

+

Update the /etc/cortex/application.conf or add the folders where you store your custom code. Ensure your configuration is similar to:

+
[..]
+analyzer {
+  # Absolute path where you have pulled the Cortex-Analyzers repository.
+  urls = [
+        "https://download.thehive-project.org/analyzers.json"
+        "/opt/customneurons/analyzers"
+        ]
+
+[..]
+}
+[..]
+responder { 
+  urls = [
+        "https://download.thehive-project.org/responders.json"
+        "/opt/customneurons/responders"
+
+]
+[..]
+}
+
+

Write your code#

+

See:

+ +

To prepare your package you have to write your Dockerfile. We recommend starting with this one and update it, especially if additional packages or programs are required in the image.

+

As a result, your program should be at least:

+
Analyzer/
+├── analyzer.json  #required
+├── analyzer.py    #required
+├── README.md            #optional
+├── Dockerfile           #required
+└── requirements.txt     #required
+
+

Build your docker images#

+

Configure the program#

+

A program helps you to manage the build of your private analyzers/responders. You can find it there.

+

Download it, and edit the file to adjust few variables:

+
#############################
+#  VARIABLES TO CUSTOMISE   #
+############################# 
+## Set the path to your custom analyzers repository (configured in Cortex)
+analyzerspath="/opt/customneurons/analyzers"
+## Set the path to your custom responders repository  (configured in Cortex)
+responderspath="/opt/customneurons/responders"
+# Set path to your docker images archives
+dockerimagearchives="/opt/backup-images"
+# Set a name for the docker image registry 
+dockerimageregistryname="localhost"
+# Set a name for the docker image repository 
+dockerimagerepositoryname="customimage"
+
+

4 variables should be set:

+
    +
  • analyzerspath, the path to your custom analyzers repository (it should be the same as in the Cortex configuration)
  • +
  • responderspath, the path to your custom responders repository (it should be the same as in the Cortex configuration)
  • +
  • dockerimagearchives, the path to your docker images archives. Indeed, once built, the program save the docker images in a dedicated folder
  • +
  • dockerimageregistryname, name for the docker image registry. By default this is localhost. Even if you do not have a docker registry, Cortex will ensure to use the local images loaded.
  • +
  • dockerimagerepositoryname, a name for the docker image repository, used in docker image names or tags. customimage is used by default
  • +
+

Once updated, save the file.

+

Install requirements#

+

Before running it, there are few requirements:

+
    +
  • jq (from https://stedolan.github.io/jq/) should be installed in the system. For example, if using Ubuntu or Debian, run the following command: apt install jq
  • +
  • Python3 + json lib should be available on the system
  • +
  • the Python library json-spec should be installed (pip3 install json-spec)
  • +
+

Run and build your image#

+

The program has several options.

+
Build docker images for Custom analyzers and responders
+
+   Syntax: build-customimage.sh [options]
+
+   options:
+   -h          Print this Help.
+   -t type     Type: 'analyzer' or 'responder' 
+   -b path     path to analyzer or responder json file
+
+

To run it successfully, you need to identify the type of neuron to build, analyzer or responder and specify the path to the neurons JSON file.

+

For example:

+
./build-customimage.sh -t analyzer -b /home/dev/PrivateAnalyzer/analyzer.json
+
+

This will:

+
    +
  • check if a Dockerfile`_ exist in the folder and create a default one if not
  • +
  • Build the Docker image and name it customimage-analyzer:latest
  • +
  • Save this image in /opt/backup-images/customimage-analyzer.tar
  • +
  • Modify the analyzer.json file accordingly and save it in /opt/customneurons/analyzers/PrivateAnalyzer/analyzer.json
  • +
+

Refresh Cortex#

+

Open Cortex web console, log in as orgadmin, and refresh Analyzers.

+

+

Then your analyzer should appear and be ready to be configured and used as a Docker image.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/AbuseIPDB/index.html b/analyzers/AbuseIPDB/index.html new file mode 100644 index 000000000..ec17d2cde --- /dev/null +++ b/analyzers/AbuseIPDB/index.html @@ -0,0 +1,4788 @@ + + + + + + + + + + + + + + + + + + + + + + + AbuseIPDB - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

AbuseIPDB#

+
+

README

+

AbuseIPDB#

+

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

+

The analyzer comes in only one flavor.

+

Requirements#

+

You need a valid AbuseIPDB API integration subscription to use the analyzer:

+
    +
  • Provide your API key as a value for the key parameter.
  • +
  • Set the days parameter to limit temporal range in search
  • +
+
+

AbuseIPDB#

+

+ +

+ +
+

Author: Matteo Lodi
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.abuseipdb.com/

+
+

Description#

+

Determine whether an IP was reported or not as malicious by AbuseIPDB

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for AbuseIPDB
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
daysCheck for IP Reports in the last X days
Default value if not configured30
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

AbuseIPDB: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Abuse_Finder/index.html b/analyzers/Abuse_Finder/index.html new file mode 100644 index 000000000..701797a3c --- /dev/null +++ b/analyzers/Abuse_Finder/index.html @@ -0,0 +1,4704 @@ + + + + + + + + + + + + + + + + + + + + + + + Abuse_Finder - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Abuse_Finder#

+
+

README

+

Abuse_Finder#

+

Use CERT-SG's Abuse Finder +to find abuse contacts associated with domain names, URLs, IPs and email addresses.

+

The analyzer comes in only one flavor.

+

No configuration is required. It can be used out of the box.

+

This Analyzer can only be run as a docker container or as process with Python <= 3.6.

+
+

Abuse_Finder#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - url
+ - mail
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/certsocietegenerale/abuse_finder

+
+

Description#

+

Find abuse contacts associated with domain names, URLs, IPs and email addresses.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

Abuse_Finder: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/AnyRun/index.html b/analyzers/AnyRun/index.html new file mode 100644 index 000000000..b0c2ec611 --- /dev/null +++ b/analyzers/AnyRun/index.html @@ -0,0 +1,5163 @@ + + + + + + + + + + + + + + + + + + + + + + + AnyRun - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

AnyRun#

+
+

README

+

AnyRun#

+

ANY.RUN is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as:

+
    +
  • Interactive access
  • +
  • Research threats by filter in public submissions
  • +
  • File and URL dynamic analysis
  • +
  • Mitre ATT&CK mapping
  • +
  • Detailed malware reports
  • +
+

Requirements#

+

You need a valid AnyRun API integration subscription to use the analyzer. Free plan does not provide API access.

+
    +
  • Provide your API token as a value for the token parameter.
  • +
  • Define the privacy setting in privacy_type parameter.
  • +
  • Set verify_ssl parameter as false if you connection requires it
  • +
+

Optional Parameters#

+

AnyRun provides a number of parameters that can be modified to do additional/different analysis. +- Set the "bitness" of your runtime environment with the env_bitness parameter. +- Select which version of Windows to use by setting env_version parameter. +- Select which products to install by default with env_type parameter. +- Enable/disable networking with opt_network_connect parameter. +- Enable/disable "FakeNet" with opt_network_fakenet parameter. +- Enable/disable the TOR network with opt_network_tor parameter. +- Enable/disable MITM for https connections with opt_network_mitm parameter. +- Need a specific geolocation? use opt_network_geo parameter. +- Need to analyze something with evasion tactics? opt_kernel_heavyevasion +- Change the timeout settings with opt_timeout parameter. +- Select which folder the analysis starts in with obj_ext_startfolder parameter. +- Select which browser to use for analysis with obj_ext_browser parameter.

+
+

AnyRun_Sandbox_Analysis#

+
+

Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - file
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://any.run/

+
+

Description#

+

Any.Run Sandbox file analysis

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
tokenAPI token
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
privacy_typeDefine the privacy setting (Allowed values: public, bylink, owner)
Default value if not configuredbylink
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verify_sslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
env_bitnessdefault OS bitness; 32 or 64
Default value if not configured32
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
env_versionWhich version of Windows do you want to use by default? allowed values: "vista", "7", "8.1", "10"
Default value if not configured7
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
env_typeHow much do you want pre-installed in the runtime environment? allowed values: "clean", "office", "complete"
Default value if not configuredcomplete
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_network_connectDo you want to disable networking? set false to disable
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_network_fakenetFakeNet feature status; set true to enable.
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_network_torTOR using.
Default value if not configuredFalse
Type of the configuration itemBoolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_network_mitmHTTPS MITM proxy option.
Default value if not configuredFalse
Type of the configuration itemBoolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_network_geoGeo location option. Allowed values: "fastest", "AU", "BR", "DE", "CH", "FR", "KR", "US", "RU", "GB", "IT"
Default value if not configuredfastest
Type of the configuration itemString
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_kernel_heavyevasionHeavy evasion option. Default value: false
Default value if not configuredFalse
Type of the configuration itemBoolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
opt_timeoutTimeout option. Size range: 10-660
Default value if not configured60
Type of the configuration itemNumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
obj_ext_startfolderStart object from. Allowed values: "desktop", "home", "downloads", "appdata", "temp", "windows", "root"
Default value if not configuredtemp
Type of the configuration itemString
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
obj_ext_browserChoose which browser to use. Allowed values: "Google Chrome", "Mozilla Firefox", "Opera", "Internet Explorer"
Default value if not configuredInternet Explorer
Type of the configuration itemString
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

AnyRun: Short report template

+

AnyRun: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Autofocus/index.html b/analyzers/Autofocus/index.html new file mode 100644 index 000000000..b7899878f --- /dev/null +++ b/analyzers/Autofocus/index.html @@ -0,0 +1,4959 @@ + + + + + + + + + + + + + + + + + + + + + + + Autofocus - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

Autofocus#

+

Autofocus_GetSampleAnalysis#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get full analysis from a sample based on its hash

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
apikeyAutofocus API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Autofocus_SearchJSON#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search samples in Autofocus with a full search query in JSON

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
apikeyAutofocus API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Autofocus_SearchIOC#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - user-agent
+ - imphash
+ - ip
+ - mutex
+ - tag
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search samples in Autofocus based on a single IOC

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
apikeyAutofocus API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/BackscatterIO/index.html b/analyzers/BackscatterIO/index.html new file mode 100644 index 000000000..ed776c355 --- /dev/null +++ b/analyzers/BackscatterIO/index.html @@ -0,0 +1,4830 @@ + + + + + + + + + + + + + + + + + + + + + + + BackscatterIO - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+ +
+ + + +
+
+ + + + + + + +

BackscatterIO#

+

BackscatterIO_Enrichment#

+
+

Author: brandon@backscatter.io
+License: APLv2
+Version: 1.0
+Supported observables types:
+ - ip
+ - network
+ - autonomous-system
+ - port
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Enrich values using Backscatter.io data.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Backscatter.io
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

BackscatterIO_GetObservations#

+
+

Author: brandon@backscatter.io
+License: APLv2
+Version: 1.0
+Supported observables types:
+ - ip
+ - network
+ - autonomous-system
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Determine whether a value has known scanning activity using Backscatter.io data.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Backscatter.io
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/BinalyzeAIR/index.html b/analyzers/BinalyzeAIR/index.html new file mode 100644 index 000000000..2034ee470 --- /dev/null +++ b/analyzers/BinalyzeAIR/index.html @@ -0,0 +1,5116 @@ + + + + + + + + + + + + + + + + + + + + + + + BinalyzeAIR - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

BinalyzeAIR#

+
+

README

+

What is Binalyze AIR?#

+

AIR is an "Automated Incident Response" platform that provides the complete feature set for:

+
    +
  • Remotely collecting 300+ evidence types in minutes,
  • +
  • Capturing the "Forensic State" of an endpoint as a well-organized HTML/JSON report,
  • +
  • Performing triage on thousands of endpoints using YARA,
  • +
  • Integrating with SIEM/SOAR/EDR products for automating the response phase IR,
  • +
  • Enriching alerts for eliminating false positives,
  • +
  • Investigating pre-cursors generated by other security products.
  • +
+

What does this integration do?#

+

This responder lets you start acquisition and isolation of an endpoint with Binalyze AIR.

+
Acquisition#
+

One of the core features of AIR is collecting evidence remotely. This feature is made possible by "Acquisition Profiles," a group of different evidence categories. With this integration, you can use following profiles:

+
    +
  • Full,
  • +
  • Quick,
  • +
  • Memory (RAM + PageFile),
  • +
  • Event Logs,
  • +
  • Browsing History,
  • +
  • Compromise Assessment
  • +
  • And much more!
  • +
+
Isolation#
+

Endpoint isolation works by terminating all connections of an endpoint and not allowing any new connections. +When an endpoint is isolated, you can still perform tasks such as Acquisition.

+

For more information, please refer to Knowledge Base +The program uses Binalyze AIR API

+
+

Binalyze_AIR_Acquisition#

+

+ +

+ +
+

Author: Binalyze Integration Team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - thehive:case_artifact
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.binalyze.com/air

+
+

Description#

+

Start an acquisition with Binalyze AIR.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
air_console_urlConsole URL
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
air_api_keyAPI Key,
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
endpoint_hostnameEndpoint Hostname
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
acquisition_nameAcquisition name should match with the AIR console.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Binalyze_AIR_Isolation#

+

+ +

+ +
+

Author: Binalyze Integration Team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - thehive:case_artifact
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.binalyze.com/air

+
+

Description#

+

Isolate your endpoints with Binalyze AIR.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
air_console_urlConsole URL
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
air_api_keyAPI Key,
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
endpoint_hostnameEndpoint Hostname
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
isolationIsolation operation
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/BitcoinAbuse/index.html b/analyzers/BitcoinAbuse/index.html new file mode 100644 index 000000000..c8404155f --- /dev/null +++ b/analyzers/BitcoinAbuse/index.html @@ -0,0 +1,4698 @@ + + + + + + + + + + + + + + + + + + + + + + + BitcoinAbuse - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

BitcoinAbuse#

+

BitcoinAbuse#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - btc_address
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check Bitcoin address against Bitcoin Abuse database

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Bitcoin Abuse
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/C1fApp/index.html b/analyzers/C1fApp/index.html new file mode 100644 index 000000000..cb393d498 --- /dev/null +++ b/analyzers/C1fApp/index.html @@ -0,0 +1,4727 @@ + + + + + + + + + + + + + + + + + + + + + + + C1fApp - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

C1fApp#

+

C1fApp#

+
+

Author: etz69
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query C1fApp OSINT Aggregator for IPs, domains and URLs

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of C1fApp service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CERTatPassiveDNS/index.html b/analyzers/CERTatPassiveDNS/index.html new file mode 100644 index 000000000..9c3f51300 --- /dev/null +++ b/analyzers/CERTatPassiveDNS/index.html @@ -0,0 +1,4700 @@ + + + + + + + + + + + + + + + + + + + + + + + CERTatPassiveDNS - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CERTatPassiveDNS#

+

CERTatPassiveDNS#

+
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Checks CERT.at Passive DNS for a given domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
limitDefine the maximum number of results per request
Default value if not configured100
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CIRCLHashlookup/index.html b/analyzers/CIRCLHashlookup/index.html new file mode 100644 index 000000000..9883cec39 --- /dev/null +++ b/analyzers/CIRCLHashlookup/index.html @@ -0,0 +1,4678 @@ + + + + + + + + + + + + + + + + + + + + + + + CIRCLHashlookup - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CIRCLHashlookup#

+

CIRCLHashlookup#

+

+ +

+ +
+

Author: Mikael Keri
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://hashlookup.circl.lu/

+
+

Description#

+

CIRCL hashlookup uses a public API to lookup hash values against databases of known good files

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

screenshot

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CIRCLPassiveDNS/index.html b/analyzers/CIRCLPassiveDNS/index.html new file mode 100644 index 000000000..b9cd75f7a --- /dev/null +++ b/analyzers/CIRCLPassiveDNS/index.html @@ -0,0 +1,4795 @@ + + + + + + + + + + + + + + + + + + + + + + + CIRCLPassiveDNS - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CIRCLPassiveDNS#

+
+

README

+

CIRCLPassiveDNS#

+

Check CIRCL's Passive DNS for a + given domain.

+

This analyzer comes in only one flavor.

+

Requirements#

+

Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg +and abroad. Contact CIRCL if you would like +access. Include your affiliation and the foreseen use of the Passive DNS +data.

+

If the CIRCL positively answers your access request, you'll obtain a username + and password which are needed to make the analyzer work.

+

supply your username as the value for the user parameter and your password +as the value for the password parameter.

+
+

CIRCLPassiveDNS#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - url
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.circl.lu/services/passive-dns/

+
+

Description#

+

Check CIRCL's Passive DNS for a given domain or URL.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
userUsername
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordPassword
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

CIRCLPassiveDNS: short report

+

CIRCLPassiveDNS: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CIRCLPassiveSSL/index.html b/analyzers/CIRCLPassiveSSL/index.html new file mode 100644 index 000000000..4bd157909 --- /dev/null +++ b/analyzers/CIRCLPassiveSSL/index.html @@ -0,0 +1,4794 @@ + + + + + + + + + + + + + + + + + + + + + + + CIRCLPassiveSSL - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CIRCLPassiveSSL#

+
+

README

+

CIRCLPassiveSSL#

+

Check CIRCL's Passive SSL +service for a given IP address or certificate hash.

+

This analyzer comes in only one flavor.

+

Requirements#

+

Access to CIRCL Passive SSL is allowed to partners including security +researchers or incident analysts worldwide. Contact CIRCL +if you would like access.

+

If the CIRCL positively answers your access request, you'll obtain a username + and password which are needed to make the analyzer work.

+

Supply your username as the value for the user parameter and your password +as the value for the password parameter.

+
+

CIRCLPassiveSSL#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - certificate_hash
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.circl.lu/services/passive-ssl/

+
+

Description#

+

Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
userUsername
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordPassword
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

CIRCLPassiveSSL: short report

+

CIRCLPassiveSSL: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CISMCAP/index.html b/analyzers/CISMCAP/index.html new file mode 100644 index 000000000..d3b24e8fa --- /dev/null +++ b/analyzers/CISMCAP/index.html @@ -0,0 +1,4845 @@ + + + + + + + + + + + + + + + + + + + + + + + CISMCAP - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CISMCAP#

+
+

README

+

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. elections offices.

+

Malicious Code Analysis Platform (MCAP) is a no-cost web-based sandbox which enables MS-ISAC and EI-ISAC members to submit suspicious files such as executables, DLLs, documents, quarantine files, and archives for analysis in a controlled and non-public fashion. The platform also enables users to perform threat analysis based on domain, IP address, URL, hashes, and various Indicators of Compromise (IOCs).

+

This analyzer allows you to submit a variety of observables to MCAP to analyze files or check feeds for known indicators of compromise for other data types.

+

To read more, visit https://www.cisecurity.org/ms-isac

+
+

CISMCAP#

+

+ +

+ +
+

Author: Joe Lazaro
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - hash
+ - url
+ - domain
+ - fqdn
+ - file
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://www.cisecurity.org/ms-isac/services

+
+

Description#

+

Malicious Code Analysis Platform (MCAP) by the Center for Internet Security (CIS). Submit files for analysis or check feeds for known indicators of compromise for other data types.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
private_samplesSubmitted samples will not be shared with other members of the portal
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
minimum_confidenceRestrict to IOCs with this confidence score or higher.
Default value if not configured80
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
minimum_severityRestrict to IOCs with this severity score or higher.
Default value if not configured80
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalInterval (seconds) between requests for sample status.
Default value if not configured120
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_sample_result_waitMaximum time to retry requests for sample status.
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Analyzer report for a file

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Capa/index.html b/analyzers/Capa/index.html new file mode 100644 index 000000000..2ff66c264 --- /dev/null +++ b/analyzers/Capa/index.html @@ -0,0 +1,4702 @@ + + + + + + + + + + + + + + + + + + + + + + + Capa - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Capa#

+

Capa#

+

+ +

+ +
+

Author: Wes Lambert; nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/mandiant/capa

+
+

Description#

+

Analyze files with Capa

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
capa_pathPath to Capa binary (if installed locally, should be /opt/Cortex-Analyzers/analyzers/Capa/capa)
Default value if not configured/worker/Capa/capa
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

CAPA: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Censys/index.html b/analyzers/Censys/index.html new file mode 100644 index 000000000..f2c076d30 --- /dev/null +++ b/analyzers/Censys/index.html @@ -0,0 +1,4815 @@ + + + + + + + + + + + + + + + + + + + + + + + Censys - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Censys#

+
+

README

+

Censys#

+

Censys is a platform that helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet. Regularly probes every public IP address and popular domain names, curate and enrich the resulting data, and make it intelligible through an interactive search engine and API.

+

Requirements#

+

You need a valid Censys API integration subscription to use the analyzer.

+
    +
  • Provide your API uid as values for the uid parameter.
  • +
  • Provide your API key as values for the key parameter.
  • +
+
+

Censys#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund; nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - hash
+ - domain
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://censys.io/

+
+

Description#

+

Check IPs, certificate hashes or domains against censys.io.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
uidUID for Censys
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_recordsMaximum number of records for domains
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Censys: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CheckPhish/index.html b/analyzers/CheckPhish/index.html new file mode 100644 index 000000000..14dd30aa1 --- /dev/null +++ b/analyzers/CheckPhish/index.html @@ -0,0 +1,4825 @@ + + + + + + + + + + + + + + + + + + + + + + + CheckPhish - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CheckPhish#

+

CheckPhish#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - string
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: https://checkphish.ai

+
+

Description#

+

Check url address via CheckPhish using jobID returned from CheckPhish_Submit

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyApi key for CheckPhish
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

CheckPhish_Submit#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: https://checkphish.ai

+
+

Description#

+

Submit url address to CheckPhish

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyApi key for CheckPhish
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/ClamAV/index.html b/analyzers/ClamAV/index.html new file mode 100644 index 000000000..446f004c8 --- /dev/null +++ b/analyzers/ClamAV/index.html @@ -0,0 +1,4673 @@ + + + + + + + + + + + + + + + + + + + + + + + ClamAV - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

ClamAV#

+

ClamAV_FileInfo#

+
+

Author: Brian Laskowski
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use Clamscan with custom rules

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Crowdsec/index.html b/analyzers/Crowdsec/index.html new file mode 100644 index 000000000..ecb41e7a4 --- /dev/null +++ b/analyzers/Crowdsec/index.html @@ -0,0 +1,5359 @@ + + + + + + + + + + + + + + + + + + + + + + + Crowdsec - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Crowdsec#

+
+

README

+

CrowdSec#

+

Check CrowdSec Threat Intelligence about an ip address.

+

For further information, please consult the official documentation.

+

Running the analyzer will expose the result as taxonomies in the short report displayed in the ip observable.

+

short result example

+

The raw report contains the whole json response from CrowdSec.

+

e.g.:

+
{
+  "ip": "192.42.116.218",
+  "reputation": "malicious",
+  "ip_range": "192.42.116.0/22",
+  "background_noise": "high",
+  "confidence": "high",
+  "background_noise_score": 10,
+  "ip_range_score": 5,
+  "as_name": "SURF B.V.",
+  "as_num": 1101,
+  "ip_range_24": "192.42.116.0/24",
+  "ip_range_24_reputation": "malicious",
+  "ip_range_24_score": 5,
+  "location": {
+    "country": "NL",
+    "city": null,
+    "latitude": 52.3824,
+    "longitude": 4.8995
+  },
+  "reverse_dns": "44.tor-exit.nothingtohide.nl",
+  "behaviors": [
+    {
+      "name": "tcp:scan",
+      "label": "TCP Scan",
+      "description": "IP has been reported for performing TCP port scanning.",
+      "references": [],
+      "$$hashKey": "object:984"
+    },
+    {
+      "name": "http:bruteforce",
+      "label": "HTTP Bruteforce",
+      "description": "IP has been reported for performing a HTTP brute force attack (either generic HTTP probing or applicative related brute force).",
+      "references": [],
+      "$$hashKey": "object:985"
+    },
+    {
+      "name": "http:exploit",
+      "label": "HTTP Exploit",
+      "description": "IP has been reported for attempting to exploit a vulnerability in a web application.",
+      "references": [],
+      "$$hashKey": "object:986"
+    },
+    {
+      "name": "http:scan",
+      "label": "HTTP Scan",
+      "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery.",
+      "references": [],
+      "$$hashKey": "object:987"
+    },
+    {
+      "name": "http:spam",
+      "label": "Web form spam",
+      "description": "IP has been reported trying to perform spam via web forms/forums.",
+      "references": [],
+      "$$hashKey": "object:988"
+    },
+    {
+      "name": "generic:exploit",
+      "label": "Exploitation attempt",
+      "description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocols.",
+      "references": [],
+      "$$hashKey": "object:989"
+    },
+    {
+      "name": "ssh:bruteforce",
+      "label": "SSH Bruteforce",
+      "description": "IP has been reported for performing brute force on ssh services.",
+      "references": [],
+      "$$hashKey": "object:990"
+    }
+  ],
+  "history": {
+    "first_seen": "2022-12-26T01:15:00+00:00",
+    "last_seen": "2024-07-31T10:00:00+00:00",
+    "full_age": 585,
+    "days_age": 584
+  },
+  "classifications": {
+    "false_positives": [],
+    "classifications": [
+      {
+        "name": "proxy:tor",
+        "label": "TOR exit node",
+        "description": "IP is being flagged as a TOR exit node.",
+        "references": [],
+        "$$hashKey": "object:1021"
+      },
+      {
+        "name": "crowdsec:ai_vpn_proxy",
+        "label": "VPN or Proxy",
+        "description": "IP is identified as a VPN or a Proxy by CrowdSec AI Detection Algorithm.",
+        "references": [],
+        "$$hashKey": "object:1022"
+      },
+      {
+        "name": "community-blocklist",
+        "label": "CrowdSec Community Blocklist",
+        "description": "IP belongs to the CrowdSec Community Blocklist",
+        "$$hashKey": "object:1023"
+      }
+    ]
+  },
+  "attack_details": [
+    {
+      "name": "firewallservices/pf-scan-multi_ports",
+      "label": "PF Scan Multi Ports",
+      "description": "ban IPs that are scanning us",
+      "references": [],
+      "$$hashKey": "object:1027"
+    },
+    {
+      "name": "crowdsecurity/http-path-traversal-probing",
+      "label": "HTTP Path Traversal Exploit",
+      "description": "Detect path traversal attempt",
+      "references": [],
+      "$$hashKey": "object:1028"
+    },
+    {
+      "name": "crowdsecurity/grafana-cve-2021-43798",
+      "label": "CVE-2021-43798",
+      "description": "Detect cve-2021-43798 exploitation attemps",
+      "references": [],
+      "$$hashKey": "object:1029"
+    },
+    {
+      "name": "crowdsecurity/http-admin-interface-probing",
+      "label": "HTTP Admin Interface Probing",
+      "description": "Detect generic HTTP admin interface probing",
+      "references": [],
+      "$$hashKey": "object:1030"
+    },
+    {
+      "name": "crowdsecurity/http-open-proxy",
+      "label": "HTTP Open Proxy Probing",
+      "description": "Detect scan for open proxy",
+      "references": [],
+      "$$hashKey": "object:1031"
+    },
+    {
+      "name": "crowdsecurity/http-cve-probing",
+      "label": "HTTP CVE Probing",
+      "description": "Detect generic HTTP cve probing",
+      "references": [],
+      "$$hashKey": "object:1032"
+    },
+    {
+      "name": "LePresidente/http-generic-403-bf",
+      "label": "HTTP Bruteforce",
+      "description": "Detect generic 403 Forbidden (Authorization) error brute force",
+      "references": [],
+      "$$hashKey": "object:1033"
+    },
+    {
+      "name": "crowdsecurity/http-sqli-probbing-detection",
+      "label": "SQL Injection Attempt",
+      "description": "A scenario that detects SQL injection probing with minimal false positives",
+      "references": [],
+      "$$hashKey": "object:1034"
+    },
+    {
+      "name": "crowdsecurity/http-sensitive-files",
+      "label": "Access to sensitive files over HTTP",
+      "description": "Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",
+      "references": [],
+      "$$hashKey": "object:1035"
+    },
+    {
+      "name": "crowdsecurity/http-bad-user-agent",
+      "label": "Bad User Agent",
+      "description": "Detect usage of bad User Agent",
+      "references": [],
+      "$$hashKey": "object:1036"
+    },
+    {
+      "name": "crowdsecurity/suricata-major-severity",
+      "label": "Suricata Severity 1 Event",
+      "description": "Detect exploit attempts via emerging threat rules",
+      "references": [],
+      "$$hashKey": "object:1037"
+    },
+    {
+      "name": "crowdsecurity/ssh-bf",
+      "label": "SSH Bruteforce",
+      "description": "Detect ssh bruteforce",
+      "references": [],
+      "$$hashKey": "object:1038"
+    },
+    {
+      "name": "crowdsecurity/apache_log4j2_cve-2021-44228",
+      "label": "Log4j CVE-2021-44228",
+      "description": "Detect cve-2021-44228 exploitation attemps",
+      "references": [],
+      "$$hashKey": "object:1039"
+    },
+    {
+      "name": "crowdsecurity/http-bf-wordpress_bf_xmlrpc",
+      "label": "WP XMLRPC bruteforce",
+      "description": "detect wordpress bruteforce on xmlrpc",
+      "references": [],
+      "$$hashKey": "object:1040"
+    },
+    {
+      "name": "crowdsecurity/ssh-slow-bf",
+      "label": "SSH Slow Bruteforce",
+      "description": "Detect slow ssh bruteforce",
+      "references": [],
+      "$$hashKey": "object:1041"
+    },
+    {
+      "name": "crowdsecurity/http-bf-wordpress_bf",
+      "label": "WordPress Bruteforce",
+      "description": "Detect WordPress bruteforce on admin interface",
+      "references": [],
+      "$$hashKey": "object:1042"
+    },
+    {
+      "name": "crowdsecurity/http-wordpress_wpconfig",
+      "label": "Access to WordPress wp-config.php",
+      "description": "Detect WordPress probing: variations around wp-config.php by wpscan",
+      "references": [],
+      "$$hashKey": "object:1043"
+    },
+    {
+      "name": "crowdsecurity/http-xss-probbing",
+      "label": "XSS Attempt",
+      "description": "A scenario that detects XSS probing with minimal false positives",
+      "references": [],
+      "$$hashKey": "object:1044"
+    },
+    {
+      "name": "crowdsecurity/modsecurity",
+      "label": "Modsecurity Alert",
+      "description": "Web exploitation via modsecurity",
+      "references": [],
+      "$$hashKey": "object:1045"
+    },
+    {
+      "name": "crowdsecurity/http-probing",
+      "label": "HTTP Probing",
+      "description": "Detect site scanning/probing from a single ip",
+      "references": [],
+      "$$hashKey": "object:1046"
+    }
+  ],
+  "target_countries": {
+    "US": 38,
+    "DE": 20,
+    "JP": 10,
+    "FR": 8,
+    "GB": 7,
+    "NL": 5,
+    "PL": 3,
+    "CA": 2,
+    "RU": 2,
+    "DK": 2
+  },
+  "mitre_techniques": [
+    {
+      "name": "T1595",
+      "label": "Active Scanning",
+      "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting.",
+      "references": [],
+      "$$hashKey": "object:1009"
+    },
+    {
+      "name": "T1018",
+      "label": "Remote System Discovery",
+      "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.",
+      "references": [],
+      "$$hashKey": "object:1010"
+    },
+    {
+      "name": "T1046",
+      "label": "Network Service Discovery",
+      "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.",
+      "references": [],
+      "$$hashKey": "object:1011"
+    },
+    {
+      "name": "T1110",
+      "label": "Brute Force",
+      "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.",
+      "references": [],
+      "$$hashKey": "object:1012"
+    },
+    {
+      "name": "T1190",
+      "label": "Exploit Public-Facing Application",
+      "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.",
+      "references": [],
+      "$$hashKey": "object:1013"
+    },
+    {
+      "name": "T1589",
+      "label": "Gather Victim Identity Information",
+      "description": "Adversaries may gather information about the victim's identity that can be used during targeting.",
+      "references": [],
+      "$$hashKey": "object:1014"
+    }
+  ],
+  "cves": [
+    "CVE-2021-43798",
+    "CVE-2021-44228"
+  ],
+  "scores": {
+    "overall": {
+      "aggressiveness": 5,
+      "threat": 4,
+      "trust": 5,
+      "anomaly": 1,
+      "total": 5
+    },
+    "last_day": {
+      "aggressiveness": 5,
+      "threat": 4,
+      "trust": 5,
+      "anomaly": 1,
+      "total": 5
+    },
+    "last_week": {
+      "aggressiveness": 5,
+      "threat": 4,
+      "trust": 5,
+      "anomaly": 1,
+      "total": 5
+    },
+    "last_month": {
+      "aggressiveness": 5,
+      "threat": 4,
+      "trust": 5,
+      "anomaly": 1,
+      "total": 5
+    }
+  },
+  "references": [
+    {
+      "name": "list:crowdsec_high_background_noise",
+      "label": "CrowdSec High Background Noise List",
+      "description": "Contains all IPs in our database that are considered as background noise. These IPs are not necessarily malicious, but they are considered as a potential threat. Proactively block these IPs if you want to reduce the noise on your systems.",
+      "references": [],
+      "$$hashKey": "object:1077"
+    },
+    {
+      "name": "list:crowdsec_intelligence_blocklist",
+      "label": "CrowdSec Intelligence List",
+      "description": "Contains all IPs in our database that have been identified as actively aggressive, performing a wide variety of attacks. Proactively block these IPs if you don’t want to take any chances with malicious IPs potentially reaching your systems.",
+      "references": [],
+      "$$hashKey": "object:1078"
+    },
+    {
+      "name": "list:firehol_botscout_7d",
+      "label": "Firehol BotScout list",
+      "description": "BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. This list is composed of the most recently-caught bots.",
+      "references": [
+        "https://iplists.firehol.org/?ipset=botscout_7d"
+      ],
+      "$$hashKey": "object:1079"
+    }
+  ]
+}
+
+

Requirements#

+

Provide a CrowdSec CTI Api key +as a value for the api_key parameter.

+
+

Crowdsec_Analyzer#

+

+ +

+ +
+

Author: CERT-ARKEA
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.crowdsec.net/product/threat-intelligence

+
+

Description#

+

Query Crowdsec API

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyCrowdsec API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_reputationCreate taxonomy for reputation
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_as_nameCreate taxonomy for AS name
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_ip_range_scoreCreate taxonomy for IP range score
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_last_seenCreate taxonomy for last seen date
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_attack_detailsCreate taxonomy for attack details
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_behaviorsCreate taxonomy for behaviors
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_mitre_techniquesCreate taxonomy for mitre techniques
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_cvesCreate taxonomy for cves
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
taxonomy_not_foundCreate taxonomy for not found IP
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

CrowdSec analyzer: long report

+

CrowdSec analyzer: short report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CrowdstrikeFalcon/index.html b/analyzers/CrowdstrikeFalcon/index.html new file mode 100644 index 000000000..38a3c4364 --- /dev/null +++ b/analyzers/CrowdstrikeFalcon/index.html @@ -0,0 +1,5776 @@ + + + + + + + + + + + + + + + + + + + + + + + CrowdstrikeFalcon - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CrowdstrikeFalcon#

+
+

README

+

CrowdStrike Falcon Analyzers#

+

This documentation covers the setup and usage of CrowdStrike Falcon analyzers for retrieving device information, vulnerabilities and alerts linked to a given hostname observable, as well as performing file analysis using the CrowdStrike Falcon Sandbox.

+
+

Pre-requisites#

+

To use these analyzers, you must have the following configured in your CrowdStrike Falcon tenant:

+
    +
  1. CrowdStrike Falcon Setup:
  2. +
  3. Log in to your CrowdStrike Falcon tenant.
  4. +
  5. Navigate to Support and resources > Resources and tools > API clients and keys.
  6. +
  7. Create an API Client with the required permissions:
      +
    • Hosts: Read (for getDeviceDetails and getDeviceVulnerabilities).
    • +
    • Vulnerabilities: Read (for getDeviceVulnerabilities).
    • +
    • Alerts: Read (for getDeviceAlerts).
    • +
    • Sandbox (Falcon Intelligence): Read, Write (for Falcon Sandbox).
    • +
    +
  8. +
+
+

Analyzers Overview#

+

1. getDeviceDetails Analyzer#

+
    +
  • Description: Retrieves and displays detailed device information based on a given hostname observable.
  • +
  • Permissions Required: Hosts: Read
  • +
+

Available Configuration#

+

Configuration - getDeviceDetails Analyzer

+

Short Report#

+

Displays basic details such as: +- Vendor +- OS version +- Agent status +- Last user logged in

+

Short Report - Device Info Analyzer

+

Long Report#

+

Provides detailed information about the device.

+

Long Report - Device Info Analyzer

+
+

2. getDeviceVulnerabilities Analyzer#

+
    +
  • Description: Retrieves and displays vulnerabilities linked to a hostname observable.
  • +
  • Permissions Required: Hosts: Read, Vulnerabilities: Read
  • +
+

Available Configuration#

+

Configuration - getDeviceVulnerabilities Analyzer

+

Short Report#

+

Displays the number of vulnerabilities linked to the hostname.

+

Short Report - Vulnerabilities Analyzer

+

Long Report#

+

Provides a detailed list of vulnerabilities with contextual information.

+

Long Report - Vulnerabilities Analyzer

+
+

3. getDeviceAlerts Analyzer#

+
    +
  • Description: Retrieves and displays alerts linked to a hostname observable for the past X days.
  • +
  • Permissions Required: Alerts: Read
  • +
+

Available Configuration#

+

Configuration - getDeviceAlerts Analyzer

+

Short Report#

+

Displays the number of alerts linked to the hostname.

+

Short Report - Alerts Analyzer

+

Long Report#

+

Provides a detailed list of alerts with contextual information.

+

Long Report - Alerts Analyzer

+
+

4. Falcon Sandbox Analyzer#

+
    +
  • Description: Sends a file observable to the CrowdStrike Falcon Sandbox for analysis. Once the analysis is complete, the results are displayed in a report.
  • +
  • Permissions Required: Sandbox (Falcon Intelligence): Read, Write
  • +
+

Available Configuration#

+
    +
  • +

    List of analyzers:
    +Analyzers List - Falcon Sandbox

    +
  • +
  • +

    Configuration interface:
    +Configuration - Falcon Sandbox Analyzer

    +
  • +
+

Short Report#

+

Displays whether the analyzed file is considered: +- Safe (green) +- Suspicious (orange) +- Malicious (red)

+

Short Report - Falcon Sandbox Analyzer

+

Long Report#

+

Provides a detailed analysis of the file.

+

Long Report - Falcon Sandbox Analyzer

+
+

Resources#

+

For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources: +- CrowdStrike Falcon Hosts API +- CrowdStrike Falcon Vulnerabilities API +- CrowdStrike Falcon Alerts API +- CrowdStrike Falcon Sample Uploads API +- CrowdStrike Falcon Sandbox API

+
+

CrowdstrikeFalcon_Sandbox_Win10#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_getDeviceDetails#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hostname
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Get device information from Crowdstrike Falcon

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_Sandbox_Win7#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_getDeviceAlerts#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hostname
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Get Device alerts from Crowdstrike Falcon

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
alert_fieldsFields to return for each invidividual alerts
Default value if not configured['timestamp', 'description', 'status', 'user_name', 'severity', 'severity_name', 'scenario', 'filename', 'filepath', 'confidence', 'cmdline']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_beforeOnly query alerts from the past X days.
Default value if not configured30
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_Sandbox_Win11#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_Sandbox_MacOS#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_Sandbox_Linux#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_Sandbox_Win7_64#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_GetDeviceVulnerabilities#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hostname
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Get device vulnerabilities from hostname

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
vuln_fieldsSpecific field values to keep in resulting payload for vulnerabilities
Default value if not configured['vulnerability_id', 'status', 'created_timestamp', 'updated_timestamp', 'apps.product_name_version', 'confidence', 'cve', 'host_info.asset_criticality', 'host_info.internet_exposure', 'remediation.entities.action']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+

CrowdstrikeFalcon_Sandbox_Android#

+
+

Author: nusantara-self, StrangeBee
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Send a file to CrowdstrikeFalcon Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idCrowdstrike client ID key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretCrowdstrike client secret key
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
network_settingsSpecifies the sandbox network_settings used for analysis : default, tor, simulated, offline
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
action_scriptRuntime script for sandbox analysis : default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles
Default value if not configureddefault
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Crowdstrike: Short report template

+

Crowdstrike: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Crtsh/index.html b/analyzers/Crtsh/index.html new file mode 100644 index 000000000..e01f2eda7 --- /dev/null +++ b/analyzers/Crtsh/index.html @@ -0,0 +1,4732 @@ + + + + + + + + + + + + + + + + + + + + + + + Crtsh - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Crtsh#

+
+

README

+

Crtsh#

+

Crtsh is a platform that permits you search for certificates that have been logged by CT.

+

Requirements#

+

It does not require any requirements.

+
+

Crt_sh_Transparency_Logs#

+

+ +

+ +
+

Author: crackytsi
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://crt.sh/

+
+

Description#

+

Query domains against the certificate transparency lists available at crt.sh.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

Crt: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CuckooSandbox/index.html b/analyzers/CuckooSandbox/index.html new file mode 100644 index 000000000..3968a8e33 --- /dev/null +++ b/analyzers/CuckooSandbox/index.html @@ -0,0 +1,5053 @@ + + + + + + + + + + + + + + + + + + + + + + + CuckooSandbox - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

CuckooSandbox#

+
+

README

+

CuckooSandbox#

+

CuckooSandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities.

+
    +
  • Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, macOS, and Android virtualized environments.
  • +
  • Trace API calls and general behavior of the file and distill this into high level information and signatures comprehensible by anyone.
  • +
  • Dump and analyze network traffic, even when encrypted with SSL/TLS. With native network routing support to drop all traffic or route it through InetSIM, a network interface, or a VPN.
  • +
  • Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.
  • +
+

The analyzer comes in two different flavour to analzye url or file with internet access.

+

Requirements#

+

You need to have your cuckoosandox deployed in your infrastructure. You can download it and follow installation instructions.

+

The address of the machine must be se as url parameter and relative token as the value for the token parameter. +Depending on your network configuration you can configure verifyssl and cert_path accordingly.

+
+

CuckooSandbox_File_Analysis_Inet#

+

+ +

+ +
+

Author: Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.2
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://cuckoosandbox.org/

+
+

Description#

+

Cuckoo Sandbox file analysis with Internet access.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
tokenAPI token
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifysslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_pathPath to the CA on the system used to check server certificate
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

CuckooSandbox: Long report template

+

CuckooSandbox_Url_Analysis#

+

+ +

+ +
+

Author: Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.2
+Supported observables types:
+ - url
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://cuckoosandbox.org/

+
+

Description#

+

Cuckoo Sandbox URL analysis.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
tokenAPI token
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifysslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_pathPath to the CA on the system used to check server certificate
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

CuckooSandbox: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CyberChef/index.html b/analyzers/CyberChef/index.html new file mode 100644 index 000000000..4681a46f2 --- /dev/null +++ b/analyzers/CyberChef/index.html @@ -0,0 +1,5021 @@ + + + + + + + + + + + + + + + + + + + + + + + CyberChef - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

CyberChef#

+
+

README

+

Cyberchef#

+

Cyberchef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

+

The analyzer comes in three flavours to help you convert from base64, hex or CharCode.

+

Requirements#

+

You need to deploy Cyberchef-server on your infrastructure.

+

The url of the server must be used to configure the url parameter.

+
+

CyberChef_FromHex#

+

+ +

+ +
+

Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/gchq/CyberChef-server

+
+

Description#

+

Convert Hex with CyberChef Server

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlCyberChef Server URL
Default value if not configuredhttp://192.168.1.178:3000/
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Cyberchef: long report

+

CyberChef_FromCharCode#

+

+ +

+ +
+

Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/gchq/CyberChef-server

+
+

Description#

+

Convert Char Code with CyberChef Server

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlCyberChef Server URL
Default value if not configuredhttp://192.168.1.178:3000/
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Cyberchef: long report

+

CyberChef_FromBase64#

+

+ +

+ +
+

Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/gchq/CyberChef-server

+
+

Description#

+

Convert Base64 with CyberChef Server

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlCyberChef Server URL
Default value if not configuredhttp://192.168.1.178:3000/
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Cyberchef: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/CyberCrime-Tracker/index.html b/analyzers/CyberCrime-Tracker/index.html new file mode 100644 index 000000000..b6127252f --- /dev/null +++ b/analyzers/CyberCrime-Tracker/index.html @@ -0,0 +1,4736 @@ + + + + + + + + + + + + + + + + + + + + + + + CyberCrime-Tracker - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

CyberCrime-Tracker#

+
+

README

+

cybercrime-tracker#

+

cybercrime-tracker site is dedicated to tracking the C&C servers of botnets. This site is used as a source for many IP and domain blacklists.

+

Requirements#

+

No configuration is required.

+
+

CyberCrime-Tracker#

+

+ +

+ +
+

Author: ph34tur3
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+ - url
+ - other
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://cybercrime-tracker.net/

+
+

Description#

+

Search cybercrime-tracker.net for C2 servers.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

cybercrime: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Cyberprotect/index.html b/analyzers/Cyberprotect/index.html new file mode 100644 index 000000000..ec48300e6 --- /dev/null +++ b/analyzers/Cyberprotect/index.html @@ -0,0 +1,4736 @@ + + + + + + + + + + + + + + + + + + + + + + + Cyberprotect - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Cyberprotect#

+
+

README

+

cyberprotect#

+

cyberprotect collect more than 500 millions of network events per day and value those data by analyzed them with analysis engines (behavioral analysis, sandboxes, threat feeds, etc.).

+

Requirements#

+

No configuration is required.

+
+

Cyberprotect_ThreatScore#

+

+ +

+ +
+

Author: Rémi Allain, Cyberprotect
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - domain
+ - hash
+ - ip
+ - url
+ - user-agent
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://console.threatscore.cyberprotect.cloud/

+
+

Description#

+

ThreatScore is a cyber threat scoring system provided by Cyberprotect

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

cyberprotect: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Cylance/index.html b/analyzers/Cylance/index.html new file mode 100644 index 000000000..255e9865f --- /dev/null +++ b/analyzers/Cylance/index.html @@ -0,0 +1,4669 @@ + + + + + + + + + + + + + + + + + + + + + + + Cylance - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Cylance#

+
+

README

+

Cylance hashlookup#

+

Cylance hash lookup enables you to query possible infected clients of yours using a SHA256 hash. +The response includes information about the matching sample(s) along with information about affected clients.

+

FAQ#

+

Q: Why only SHA256#

+

Sadly, although the response data contains an MD5 hash, the API only allows you to query with a SHA256

+
+

Cylance#

+

+ +

+ +
+

Author: Mikael Keri
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.blackberry.com/

+
+

Description#

+

Search for a specific hash, if there is a match, coresponding client information

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
ten_idTenant ID
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
app_idApp ID
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
app_secretApp Secret
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
regionPortal region, : NA, US, APN, JP, APS, AU, EU, GOV, SA, SP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Cylance Lookup sample Information full report

+

Cylance Lookup sample, client information full report

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DNSDB/index.html b/analyzers/DNSDB/index.html new file mode 100644 index 000000000..beead6acc --- /dev/null +++ b/analyzers/DNSDB/index.html @@ -0,0 +1,5032 @@ + + + + + + + + + + + + + + + + + + + + + + + DNSDB - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

DNSDB#

+

DNSDB_NameHistory#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DNSDB to fetch historical records for a fully-qualified domain name.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
serverDNSDB server name
Default value if not configuredhttps://api.dnsdb.info
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyKey
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DNSDB_DomainName#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DNSDB to fetch historical records for a domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
serverDNSDB server name
Default value if not configuredhttps://api.dnsdb.info
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyKey
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DNSDB_IPHistory#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DNSDB to fetch historical records for an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
serverDNSDB server name
Default value if not configuredhttps://api.dnsdb.info
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyKey
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DNSLookingglass/index.html b/analyzers/DNSLookingglass/index.html new file mode 100644 index 000000000..d5a1d2f6d --- /dev/null +++ b/analyzers/DNSLookingglass/index.html @@ -0,0 +1,4734 @@ + + + + + + + + + + + + + + + + + + + + + + + DNSLookingglass - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

DNSLookingglass#

+
+

README

+

DNS Lookingglass Analyzer#

+

Lookup domain names from different locations using the ISC SANS DNS Lookingglass API service.

+
Requirements#
+

There is no requirements to use this analyzer.

+
+

DNS_Lookingglass#

+

+ +

+ +
+

Author: Dennis Perto, Conscia
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://isc.sans.edu/

+
+

Description#

+

Query the SANS ISC Global DNS Lookingglass API to check a domain name for resolved IP addresses.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

DNS Lookingglass: Long report template

+

DNS Lookingglass: artifacts

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DNSSinkhole/index.html b/analyzers/DNSSinkhole/index.html new file mode 100644 index 000000000..4b087372b --- /dev/null +++ b/analyzers/DNSSinkhole/index.html @@ -0,0 +1,4724 @@ + + + + + + + + + + + + + + + + + + + + + + + DNSSinkhole - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

DNSSinkhole#

+

DNSSinkhole#

+
+

Author: Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check if a domain is sinkholed via DNS Sinkhole server

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
ipDefine the DNS Sinkhole Server IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
sink_ipDefine the sinkholed response address IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DNSdumpster/index.html b/analyzers/DNSdumpster/index.html new file mode 100644 index 000000000..5f0515832 --- /dev/null +++ b/analyzers/DNSdumpster/index.html @@ -0,0 +1,4728 @@ + + + + + + + + + + + + + + + + + + + + + + + DNSdumpster - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

DNSdumpster#

+
+

README

+

DNSdumpster#

+

This analyzer makes a call to the DNSdumpster service to enrich the Domain information.

+

Usage#

+

Nothing special. Doesn't need API-key or credentials. Just enable and use.

+
+

DNSdumpster_report#

+
+

Author: Keijo Korte - @korteke
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://dnsdumpster.com

+
+

Description#

+

Query domain information from DNSdumpster.com.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DShield/index.html b/analyzers/DShield/index.html new file mode 100644 index 000000000..568d9edeb --- /dev/null +++ b/analyzers/DShield/index.html @@ -0,0 +1,4733 @@ + + + + + + + + + + + + + + + + + + + + + + + DShield - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

DShield#

+
+

README

+

DShield#

+

DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends.

+

The analyzer comes in just one analyzer that returns info of submitted ip.

+

Requirements#

+

No configuration is required.

+
+

DShield_lookup#

+

+ +

+ +
+

Author: Xavier Xavier, SANS ISC
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://isc.sans.edu/

+
+

Description#

+

Query the SANS ISC DShield API to check for an IP address reputation.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

DShield: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Diario/index.html b/analyzers/Diario/index.html new file mode 100644 index 000000000..ae6eda393 --- /dev/null +++ b/analyzers/Diario/index.html @@ -0,0 +1,4940 @@ + + + + + + + + + + + + + + + + + + + + + + + Diario - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Diario#

+

Diario_GetReport#

+

+ +

+ +
+

Author: Ignacio Rodriguez Paez
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://diario.elevenpaths.com/

+
+

Description#

+

Get the latest Diario report for a file or hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idClient id for Diario
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
secretSecret for Diario
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

DIARIO: short report

+

DIARIO: long report

+

Diario_Scan#

+

+ +

+ +
+

Author: Ignacio Rodriguez Paez
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://diario.elevenpaths.com/

+
+

Description#

+

Use Diario to scan a file, it can be DOC, XLS, PPTX or PDF.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idClient id for Diario
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
secretSecret for Diario
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

DIARIO: short report

+

DIARIO: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DomainMailSPFDMARC/index.html b/analyzers/DomainMailSPFDMARC/index.html new file mode 100644 index 000000000..5ce8b314e --- /dev/null +++ b/analyzers/DomainMailSPFDMARC/index.html @@ -0,0 +1,4675 @@ + + + + + + + + + + + + + + + + + + + + + + + DomainMailSPFDMARC - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

DomainMailSPFDMARC#

+

DomainMailSPFDMARC#

+
+

Author: torsolaso
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: N/A

+
+

Description#

+

DomainMailSPFDMARC

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

DomainMailSPFDMARC long report sample

+

DomainMailSPFDMARC mini report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DomainTools/index.html b/analyzers/DomainTools/index.html new file mode 100644 index 000000000..e81c8e902 --- /dev/null +++ b/analyzers/DomainTools/index.html @@ -0,0 +1,6113 @@ + + + + + + + + + + + + + + + + + + + + + + + DomainTools - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

DomainTools#

+

DomainTools_ReverseIPWhois#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - mail
+ - ip
+ - domain
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a list of IP addresses which share the same registrant information.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_Reputation#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a reputation score on a domain or fqdn

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_Risk#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a risk score and evidence details on a domain or fqdn

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_ReverseIP#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a list of domain names sharing the same IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_ReverseNameServer#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a list of domain names that share the same primary or secondary name server.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_ReverseWhois#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - mail
+ - ip
+ - domain
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a list of domain names which share the same registrant information.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_WhoisLookup#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get the ownership record for a domain or an IP address with basic registration details parsed.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_WhoisLookupUnparsed#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get the ownership record for an IP address or a domain without parsing.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_WhoisHistory#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a list of historical Whois records associated with a domain name.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

DomainTools_HostingHistory#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use DomainTools to get a list of historical registrant, name servers and IP addresses for a domain name.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/DomainToolsIris/index.html b/analyzers/DomainToolsIris/index.html new file mode 100644 index 000000000..a87698f11 --- /dev/null +++ b/analyzers/DomainToolsIris/index.html @@ -0,0 +1,4951 @@ + + + + + + + + + + + + + + + + + + + + + + + DomainToolsIris - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

DomainToolsIris#

+
+

README

+

Look up domain names, IP addresses, e-mail addresses, and SSL hashes using the popular + DomainTools Iris service API.

+

The analyzer comes in 2 flavors:

+
    +
  • DomainToolsIris_Investigate: Use DomainTools Iris API to investigate a domain.
  • +
  • DomainToolsIris_Pivot: Use DomainTools Iris API to pivot on ssl_hash, ip, or email.
  • +
+

Requirements#

+

You need a valid DomainTools API integration subscription to use the analyzer:

+
    +
  • Provide your username as a value for the username parameter and API key as + a value for the key parameter.
  • +
  • Set the pivot_count_threshold parameter to highlight any item below that value as being of interest in the + report's template.
  • +
+
+

DomainToolsIris_Pivot#

+

+ +

+ +
+

Author: DomainTools
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - ip
+ - mail
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.domaintools.com

+
+

Description#

+

Use DomainTools Iris API to pivot on ssl_hash, ip, or email.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools Iris API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools Iris API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

DomainToolsIris_Pivot long report sample

+

DomainToolsIris_Pivot mini report sample

+

DomainToolsIris_Investigate#

+

+ +

+ +
+

Author: DomainTools
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.domaintools.com

+
+

Description#

+

Use DomainTools Iris API to investigate a domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDomainTools Iris API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDomainTools Iris API credentials
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
pivot_count_thresholdPivot count threshold.
Default value if not configured500
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

DomainToolsIris_Investigate long report sample

+

DomainToolsIris_Investigate mini report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/EchoTrail/index.html b/analyzers/EchoTrail/index.html new file mode 100644 index 000000000..9771e864c --- /dev/null +++ b/analyzers/EchoTrail/index.html @@ -0,0 +1,4703 @@ + + + + + + + + + + + + + + + + + + + + + + + EchoTrail - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

EchoTrail#

+

EchoTrail#

+

+ +

+ +
+

Author: Joe Lazaro
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - filename
+Registration required: True
+Subscription required: False
+Free subscription: True
+Third party service: https://www.echotrail.io/

+
+

Description#

+

EchoTrail Insights takes a Windows filename or hash and provides several unique pieces of analytical context including prevalence & rank scores, process ancestry, behavioral analysis, and security analysis.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Sample long form report on a filename from a Windows system

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/EclecticIQ/index.html b/analyzers/EclecticIQ/index.html new file mode 100644 index 000000000..598b7e0d6 --- /dev/null +++ b/analyzers/EclecticIQ/index.html @@ -0,0 +1,4825 @@ + + + + + + + + + + + + + + + + + + + + + + + EclecticIQ - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

EclecticIQ#

+
+

README

+

EclecticIQ is a cyber threat intelligence platform which provides aggregation and analysis capabilities for threat intelligence data and integration with organization assets.

+

The analyzer comes in one flavor to look for an observable in the platform and return any parent entities and their context.

+
    +
  • EclecticIQ_SearchObservable: returns entity data for a specific observable
  • +
+

Requirements#

+

The EclecticIQ analyzer requires you to have access to an EclecticIQ Intelligence Center instance.

+

Three parameters are required for each instance to make the analyzer work:

+
    +
  • url : URL of the instance, e.g. "https://intel-platform.local"
  • +
  • key : API Key for a user of the EclecticIQ Intelligence Center instance
  • +
+
+

EclecticIQ_SearchObservable#

+

+ +

+ +
+

Author: BW
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.eclecticiq.com

+
+

Description#

+

Query EclecticIQ Intelligence Center for a specific observable.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
nameName of EclecticIQ instance
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of EclecticIQ instance
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for EclecticIQ instance
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_checkVerify server certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Elasticsearch/index.html b/analyzers/Elasticsearch/index.html new file mode 100644 index 000000000..cc7e9113d --- /dev/null +++ b/analyzers/Elasticsearch/index.html @@ -0,0 +1,4963 @@ + + + + + + + + + + + + + + + + + + + + + + + Elasticsearch - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Elasticsearch#

+

Elasticsearch_Analysis#

+
+

Author: Nick Prokop
+License: MIT
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - ip
+ - hash
+ - filename
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search for IoCs in Elasticsearch

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
endpointsDefine the Elasticsearch endpoints
Default value if not configured['http://127.0.0.1:9200']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keysSet the Elasticsearch api keys for each endpoint. Note: Use api key or basic auth, but not both.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usersSet the Elasticsearch users for each endpoint. Note: Use api key or basic auth, but not both.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordsSet the Elasticsearch passwords for each endpoint. Note: Use api key or basic auth, but not both.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
kibanaDefine the kibana address
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
dashboardSet the kibana dashboard id that will be linked in the report
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
indexDefine the Elasticsearch indices to use
Default value if not configured['apm--transaction', 'auditbeat-', 'endgame-', 'filebeat-', 'packetbeat-', 'winlogbeat-*']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
fieldDefine the fields to query
Default value if not configured['destination.ip', 'dll.hash.md5', 'dll.hash.sha256', 'dns.question.name', 'dns.resolved_ip', 'file.hash.md5', 'file.hash.sha256', 'file.name', 'hash.md5', 'hash.sha256', 'process.args', 'process.hash.md5', 'process.hash.sha256', 'process.parent.hash.md5', 'process.parent.hash.sha256', 'source.ip', 'url.domain', 'url.full']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
sizeDefine the number of hits per index to return
Default value if not configured10
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifysslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_pathPath to the CA on the system used to check server certificate
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/EmailRep/index.html b/analyzers/EmailRep/index.html new file mode 100644 index 000000000..23100affd --- /dev/null +++ b/analyzers/EmailRep/index.html @@ -0,0 +1,4758 @@ + + + + + + + + + + + + + + + + + + + + + + + EmailRep - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

EmailRep#

+
+

README

+

Emailrep#

+

DShiEmailrepeld is a system of crawlers, scanners and enrichment services that collects data on email addresses, domains, and internet personas.

+

EmailRep uses hundreds of data points from social media profiles, professional networking sites, dark web credential leaks, data breaches, phishing kits, phishing emails, spam lists, open mail relays, domain age and reputation, deliverability, and more to predict the risk of an email address.

+

Requirements#

+

A key can be added to configuration but it's not necessary.

+
+

EmailRep#

+

+ +

+ +
+

Author: Manabu Niseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://emailrep.io/

+
+

Description#

+

emailrep.io lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Emailrep: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/EmergingThreats/index.html b/analyzers/EmergingThreats/index.html new file mode 100644 index 000000000..fa02667f1 --- /dev/null +++ b/analyzers/EmergingThreats/index.html @@ -0,0 +1,5028 @@ + + + + + + + + + + + + + + + + + + + + + + + EmergingThreats - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

EmergingThreats#

+
+

README

+

EmergingThreats#

+

EmergingThreats intelligence helps prevent attacks and reduce risk by helping you understand the historical context of where these threats originated, who is behind them, when have they attacked, what methods they used, and what they're after.

+

The analyzer is available in 3 flavors: +- EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain. +- EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address. +- EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

+

Requirements#

+

You need a valid EmergingThreats API subscription to use the analyzer:

+
    +
  • Provide your API key as a value for the key parameter.
  • +
+
+

EmergingThreats_DomainInfo#

+

+ +

+ +
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://threatintel.proofpoint.com/

+
+

Description#

+

Retrieve ET reputation, related malware, and IDS requests for a given domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

EmergingThreats: domain long report

+

EmergingThreats_IPInfo#

+

+ +

+ +
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://threatintel.proofpoint.com/

+
+

Description#

+

Retrieve ET reputation, related malware, and IDS requests for a given IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

EmergingThreats: IP long report

+

EmergingThreats_MalwareInfo#

+

+ +

+ +
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://threatintel.proofpoint.com/

+
+

Description#

+

Retrieve ET details and info related to a malware hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

EmergingThreats: hash long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/EmlParser/index.html b/analyzers/EmlParser/index.html new file mode 100644 index 000000000..54b84c8b2 --- /dev/null +++ b/analyzers/EmlParser/index.html @@ -0,0 +1,4789 @@ + + + + + + + + + + + + + + + + + + + + + + + EmlParser - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

EmlParser#

+
+

README

+

This Analyzer allows you to view the content of an email without opening it in a dedicated application.

+

This programs gathers headers, message content, files, gives access to the raw message and extracts following observables:

+
    +
  • email addresses from headers
  • +
  • IP addresses and hostnames from headers
  • +
  • URLs found in plain text and html content
  • +
  • filenames and Files attached
  • +
+

Extracted observables are enriched with tags giving context.

+

Email visualisation#

+

An option permits to get an overview of the HTML rendered email. The program creates a screenshot of html parts of the message, inline and attachment parts. +By default, this option is not enabled. To proceed, the Analyzer requires the program wkhtmltoimage beeing installed on the system.

+

When enabled, the Analyzer tries to render the html included in the email. If it fails, a dedicated message is displayed.

+

+

Requirements#

+

wkhtmltopdf program is required to enable visualisation. DEB and RPM packages exist. +Once installed, in Cortex, configure the Analyzer accordingly :

+
    +
  • set the parameter email_visualisation to true.
  • +
  • If needed, replace the default value of the wkhtmltoimage program path in the parameter wkhtmltoimage_path (the default value suits the docker image of the Analyzer).
  • +
+
+

EmlParser#

+

+ +

+ +
+

Author: StrangeBee
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: N/A
+Third party service: https://www.strangebee.com

+
+

Description#

+

Parse and visualise EML email message. Submit a .eml formatted file and extract some useful information.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
email_visualisationEnable email visualisation in report. This option requires the program wkhtmltoimage and installation of wkhtmltopdf package on the system. Docker image has this program installed. Refer to the documentation for more information.
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
wkhtmltoimage_pathPath of wkhtmltoimage program on the system. This program is required to generate visualisation of the message as it seen in mail client program. If using Docker image, use default configuration.
Default value if not configured/usr/bin/wkhtmltoimage
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

EmlParser: short report

+

EmlParser: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/FalconSandbox/index.html b/analyzers/FalconSandbox/index.html new file mode 100644 index 000000000..0ab9407d1 --- /dev/null +++ b/analyzers/FalconSandbox/index.html @@ -0,0 +1,4750 @@ + + + + + + + + + + + + + + + + + + + + + + + FalconSandbox - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

FalconSandbox#

+

FalconSandbox#

+
+

Author: Sebastian Schmerl - Computacenter
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.crowdstrike.com

+
+

Description#

+

Submit observables to the Crowdstrike FalconX Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
API_Base_UrlCrowdstrike Api Base Url
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
Client_IDCrowdstrike Api ClientID
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
Client_SecretCrowdstrike Api Client Secret
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/FileInfo/index.html b/analyzers/FileInfo/index.html new file mode 100644 index 000000000..ba95fdae3 --- /dev/null +++ b/analyzers/FileInfo/index.html @@ -0,0 +1,4854 @@ + + + + + + + + + + + + + + + + + + + + + + + FileInfo - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

FileInfo#

+

FileInfo#

+
+

Author: TheHive-Project
+License: AGPL-V3
+Version: 8.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
manalyze_enableWether to enable manalyze submodule or not.
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
manalyze_enable_dockerUse docker to run Manalyze. Can be used only if not using the docker image of FileInfo
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
manalyze_enable_binaryUse local binary to run Manalyze. Need to compile it before!
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
manalyze_binary_pathPath to the Manalyze binary that was compiled before. Keep the default value if using the docker image of FileInfo
Default value if not configured/worker/Manalyze/bin/manalyze
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
floss_enableEnable the use of FireEye FLARE FLOSS
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
floss_binary_pathPath to the FLOSS binary.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
floss_minimal_string_lengthLength of strings must be in order to be considered.
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/FireEyeiSight/index.html b/analyzers/FireEyeiSight/index.html new file mode 100644 index 000000000..ce2a3bcf5 --- /dev/null +++ b/analyzers/FireEyeiSight/index.html @@ -0,0 +1,4791 @@ + + + + + + + + + + + + + + + + + + + + + + + FireEyeiSight - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

FireEyeiSight#

+
+

README

+

FireEyeiSight#

+

FireEyeiSight adds context and priority to global threats before, during and after an attack. Data is gleaned from the adversarial underground, virtual network detection sensors and Mandiant IR investigations from the world’s largest breaches.

+

The analyzer comes in only one flavor.

+

Requirements#

+

You need a valid FireEye iSight subscription to use the analyzer.

+
    +
  • Provide your API key as a value for the key parameter.
  • +
  • Provide your associated password as a value for pwd parameter.
  • +
+
+

FireEyeiSight#

+

+ +

+ +
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - ip
+ - hash
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://intelligence.fireeye.com/

+
+

Description#

+

Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for FireEye iSIGHT.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
pwdPassword associated to the API key.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

FireEyeiSight: Long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/FireHOLBlocklists/index.html b/analyzers/FireHOLBlocklists/index.html new file mode 100644 index 000000000..a994db286 --- /dev/null +++ b/analyzers/FireHOLBlocklists/index.html @@ -0,0 +1,4759 @@ + + + + + + + + + + + + + + + + + + + + + + + FireHOLBlocklists - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

FireHOLBlocklists#

+
+

README

+

FireJOLBlocklists#

+

FireJOLBlocklists is a composition of other IP lists. +The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs.

+

The analyzer comes in a single flavout that will return if provided ip is in block list and link to its report.

+

Requirements#

+

You need to clone original repo on the cortex machine [git clone https://github.com/firehol/blocklist-ipsets] and update relative path in blocklistpath variable.

+
+

FireHOLBlocklists#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://iplists.firehol.org/

+
+

Description#

+

Check IP addresses against the FireHOL blocklists

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
blocklistpathPath to blocklists
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

FireHOL Blocklists: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/ForcepointWebsensePing/index.html b/analyzers/ForcepointWebsensePing/index.html new file mode 100644 index 000000000..b1aa90889 --- /dev/null +++ b/analyzers/ForcepointWebsensePing/index.html @@ -0,0 +1,4858 @@ + + + + + + + + + + + + + + + + + + + + + + + ForcepointWebsensePing - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

ForcepointWebsensePing#

+
+

README

+

Categorize domain names, URL, fqdn, IP addresses using the popular Forcepoint Master Database service .

+

Requirements#

+

You need a valid Forcepoint license to use the analyzer:

+
    +
  • Install WebsensePing on instance where you will run this analyzer
  • +
  • Provide hostname of remote Filtering Service as a value for the hostname parameter and timeout as a value for the timeout parameter.
  • +
+
+

ForcepointWebsensePing#

+
+

Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - ip
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.forcepoint.com

+
+

Description#

+

Use ForcepointWebsensePing to determine which category a certain URL is assigned to.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostnameForcepoint remote Filtering Service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
timeoutWebsensePing timeout-secs
Default value if not configured10
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
pathWebsensePing path
Default value if not configured/opt/Websense/bin
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
malicious_categoriesList of Forcepoint categories to be considered as malicious
Default value if not configured['Dynamic DNS', 'Elevated Exposure', 'Emerging Exploits', 'Extended Protection', 'Newly Registered Websites', 'Suspicious Content', 'Advanced Malware Command and Control', 'Advanced Malware Payloads', 'Botnets', 'Bot Networks', 'Compromised Websites', 'Malicious Web Sites', 'Custom-Encrypted Uploads', 'Files Containing Passwords', 'Keyloggers', 'Malicious Embedded Link', 'Malicious Embedded Iframe', 'Malicious Websites', 'Mobile Malware', 'Phishing and Other Frauds', 'Potentially Exploited Documents', 'Potentially Unwanted Software', 'Spyware', 'Suspicious Embedded Link', 'Elevated Exposure Newly Registered Websites', 'Unauthorized Mobile Marketplaces', 'User-Defined']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
suspicious_categoriesList of Forcepoint categories you would consider as suspicious
Default value if not configured['Uncategorized', 'Parked Domain', 'Hacking', 'Proxy Avoidance', 'Intolerance', 'Abused Drugs', 'Adult Content', 'Adult Material', 'Advertisements', 'Computer Security', 'Drugs', 'Dynamic Content', 'Illegal or Questionable', 'Marijuana', 'Militancy and Extremist', 'Network Errors', 'Peer-to-Peer File Sharing', 'Personal Network Storage and Backup', 'Private IP Addresses', 'Sex', 'Tastelesstopics or to improper language', 'Violence', 'Web and Email Spam', 'Security']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
safe_categoriesList of Forcepoint categories you would consider as safe
Default value if not configured['Business and Economy', 'Bandwidth', 'Education', 'Government', 'News and Media', 'Productivity', 'Religion', 'Society and Lifestyles', 'Special Events', 'Information Technology', 'Abortion', 'Advocacy Groups', 'Entertainment', 'Facebook Apps ', 'Facebook Chat', 'Facebook Commenting', 'Facebook Events', 'Facebook Friends', 'Facebook Games', 'Facebook Groups', 'Facebook Mail', 'Facebook Photo Upload', 'Facebook Posting', 'Facebook Questions', 'Facebook Video Upload', 'File Download Servers', 'LinkedIn Connections', 'LinkedIn Jobs', 'LinkedIn Mail', 'LinkedIn Updates', 'Twitter Follow', 'Twitter Mail', 'Twitter Posting', 'YouTube Commenting', 'YouTube Sharing', 'YouTube Video Upload', 'Alternative Journals', 'Application and Software Download', 'Blog Commenting', 'Blog Posting', 'Blogs and Personal Sites', 'Classified Posting', 'Social and Affiliation Organizations', 'Social Networking', 'Social Organizations', 'Social Web - Facebook', 'Social Web - LinkedIn', 'Social Web - Twitter', 'Social Web - YouTube', 'Social Web Controls - Various', 'Sports', 'Entertainment Video', 'Financial Data and Services', 'Instant Messaging', 'Job Search', 'Shopping', 'Travel', 'Vehicles', 'Search Engines and Portals', 'Alcohol and Tobacco', 'Collaboration – Office', 'Content Delivery Networks', 'Cultural Institutions', 'Educational Institutions', 'Educational Materials', 'Educational Video', 'General Email', 'Health', 'Hobbies', 'Gay or Lesbian or Bisexual Interest', 'Gambling', 'Games', 'Hosted Business Applications', 'Internet Auctions', 'Internet Communication', 'Internet Radio and TV', 'Internet Telephony', 'Media File Download', 'Message Boards and Forums', 'Non-Traditional Religion', 'Nudity', 'Nutrition', 'Office - Apps', 'Office - Documents', 'Office - Drive', 'Office - Mail', 'Office Category used to manage the Office domain', 'Online Brokerage and Trading', 'Organizational Email', 'Personals and Dating', 'Pay-to-Surf', 'Political 
Organizations', 'Prescribed Medications', 'Pro-Choice', 'Pro-Life', 'Professional and Worker Organizations', 'Real Estate', 'Reference Materials', 'Restaurants and Dining', 'Service and Philanthropic Organizations', 'Sex Education', 'Lingerie and Swimsuit', 'Sport Hunting and Gun Clubs', 'Streaming Media', 'Surveillance', 'Text and Media Messaging', 'Traditional Religions', 'Viral Video', 'Weapons', 'Web Analytics', 'Web and Email Marketing', 'Web Chat', 'Web Collaboration', 'Web Hosting', 'Web Images', 'Web Infrastructure', 'Website Translation']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Fortiguard/index.html b/analyzers/Fortiguard/index.html new file mode 100644 index 000000000..55cc99a11 --- /dev/null +++ b/analyzers/Fortiguard/index.html @@ -0,0 +1,4786 @@ + + + + + + + + + + + + + + + + + + + + + + + Fortiguard - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Fortiguard#

+
+

README

+

Fortiguard#

+

Fortiguard is a web filtering service commonly used in organizations.

+

The analyzer comes in a single flavout that will return websense categorization for provided url or domain.

+

Requirements#

+

The analyzer returns just their categorization, you can customize which category must be considerd suspiciour or malicious adding them to suspicious_categories or malicious_categories variables.

+
+

Fortiguard_URLCategory#

+

+ +

+ +
+

Author: Eric Capuano
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - domain
+ - url
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://www.fortiguard.com/webfilter

+
+

Description#

+

Check the Fortiguard category of a URL, FQDN or a domain. Check the full available list at https://fortiguard.com/webfilter/categories

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
malicious_categoriesList of FortiGuard categories to be considered as malicious
Default value if not configured['Malicious Websites', 'Phishing', 'Spam URLs']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
suspicious_categoriesList of FortiGuard categories to be considered as suspicious
Default value if not configured['Newly Observed Domain', 'Newly Registered Domain', 'Dynamic DNS', 'Proxy Avoidance', 'Hacking']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+

Fortiguard: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/GRR/index.html b/analyzers/GRR/index.html new file mode 100644 index 000000000..96b7148b2 --- /dev/null +++ b/analyzers/GRR/index.html @@ -0,0 +1,4751 @@ + + + + + + + + + + + + + + + + + + + + + + + GRR - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

GRR#

+

GRR#

+
+

Author: pettai@sunet.se, SUNET
+License: AGPL-V3
+Version: 0.1
+Supported observables types:
+ - ip
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search GRR for the host agent.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of the GRR API.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI user to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordAPI password to the API user
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Gatewatcher_CTI/index.html b/analyzers/Gatewatcher_CTI/index.html new file mode 100644 index 000000000..a08e262bb --- /dev/null +++ b/analyzers/Gatewatcher_CTI/index.html @@ -0,0 +1,4863 @@ + + + + + + + + + + + + + + + + + + + + + + + Gatewatcher_CTI - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

Gatewatcher_CTI#

+
+

README

+

Gatewatcher#

+

Gatewatcher is a European leader in advanced Threats detection, protecting critical networks of large Entreprises and Governement organisations since 2015.

+

Gatewatcher CTI#

+

The Gatewatcher CTI (Cyber Threat Intelligence) offer is compatible with all cybersecurity solutions. It immediately enhances your detection with contextual information about internal and external cyber threats specifically targeting your business.

+

Cortex Integration#

+

This cortex analyzer allows you to search for an IOC (url, hash, host/domain) in the Gatewatcher CTI database

+

How to obtain credentials ?#

+

If you want to try our freemium offer your can obtain your API key : https://info.gatewatcher.com/en/lp-free-ioc-analysis-api-key

+

If you want more you can contact us : https://info.gatewatcher.com/fr/speed-meeting-lastinfosec

+

TheHive Integration#

+

With this cortex integration, we also provide you templates for TheHive available in the thehive-templates directory.

+

+
+

Gatewatcher_CTI#

+

+ +

+ +
+

Author: Gatewatcher
+License: AGPL-3.0
+Version: 1.0
+Supported observables types:
+ - hash
+ - domain
+ - fqdn
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.gatewatcher.com/

+
+

Description#

+

Get Gatewatcher CTI Report

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
apiKeyGatewatcher CTI Api Key.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
extendedReportShow reports for relations.
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
maxRelationsMax relation reports to display if you have enabled the extendReport option. Set -1 to show all report
Default value if not configured50
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Gatewatcher CTI long report sample

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/GoogleDNS/index.html b/analyzers/GoogleDNS/index.html new file mode 100644 index 000000000..72ea21058 --- /dev/null +++ b/analyzers/GoogleDNS/index.html @@ -0,0 +1,4675 @@ + + + + + + + + + + + + + + + + + + + + + + + GoogleDNS - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

GoogleDNS#

+

GoogleDNS_resolve#

+
+

Author: CERT-LaPoste
+License: AGPL-V3
+Version: 1.0.0
+Supported observables types:
+ - domain
+ - ip
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Request Google DNS over HTTPS service

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/GoogleSafebrowsing/index.html b/analyzers/GoogleSafebrowsing/index.html new file mode 100644 index 000000000..cfc0bb3ec --- /dev/null +++ b/analyzers/GoogleSafebrowsing/index.html @@ -0,0 +1,4725 @@ + + + + + + + + + + + + + + + + + + + + + + + GoogleSafebrowsing - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

GoogleSafebrowsing#

+

GoogleSafebrowsing#

+
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use Google Safebrowing to check URLs and domain names.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idClient identifier
Default value if not configuredcortex
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/GoogleVisionAPI/index.html b/analyzers/GoogleVisionAPI/index.html new file mode 100644 index 000000000..7b1b95f34 --- /dev/null +++ b/analyzers/GoogleVisionAPI/index.html @@ -0,0 +1,4725 @@ + + + + + + + + + + + + + + + + + + + + + + + GoogleVisionAPI - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

GoogleVisionAPI#

+

GoogleVisionAPI_WebDetection#

+
+

Author: CERT-LaPoste
+License: AGPL-V3
+Version: 1.0.0
+Supported observables types:
+ - file
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Find look alike image via Google Cloud Vision API using the Web_Detection service

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key for this service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_resultMaximum number of url to fetch
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/GreyNoise/index.html b/analyzers/GreyNoise/index.html new file mode 100644 index 000000000..193027881 --- /dev/null +++ b/analyzers/GreyNoise/index.html @@ -0,0 +1,4792 @@ + + + + + + + + + + + + + + + + + + + + + + + GreyNoise - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

GreyNoise#

+
+

README

+

GreyNoise#

+

GreyNoise collect and analyze untargeted, widespread, and opportunistic scan and attack +activity that reaches every server directly connected to the Internet. Mass scanners (such as Shodan and Censys), +search engines, bots, worms, and crawlers generate logs and events omnidirectionally on every IP address in the IPv4 +space. GreyNoise gives you the ability to filter this useless noise out.

+

The analyzer comes in a single flavour, but supports both the GreyNoise Paid and Community APIs, that will return +GreyNoise additional information categorization for provided ip.

+

Requirements#

+

You need a valid GreyNoise API integration subscription or Community account to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
  • Provide your API key type as "enterprise" (the default) or "community" for the api_type parameter
  • +
+
+

GreyNoise#

+

+ +

+ +
+

Author: Nclose
+License: APLv2
+Version: 3.1
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://viz.greynoise.io/

+
+

Description#

+

Determine whether an IP has known scanning activity using GreyNoise.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for GreyNoise
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_typeAPI Type to Match Key, either 'enterprise' or 'community'
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

GreyNoise: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/HIBP/index.html b/analyzers/HIBP/index.html new file mode 100644 index 000000000..d607e88c9 --- /dev/null +++ b/analyzers/HIBP/index.html @@ -0,0 +1,4776 @@ + + + + + + + + + + + + + + + + + + + + + + + HIBP - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

HIBP#

+

HIBP_Query#

+
+

Author: Matt Erasmus, Jonas Hergenhahn
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query haveibeenpwned.com for a compromised email address

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
unverifiedInclude unverified breaches
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
truncateTruncated response means only the name of data breaches
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyApi key for hibp
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
retriesRetries to request api while getting status code 429
Default value if not configured5
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Hashdd/index.html b/analyzers/Hashdd/index.html new file mode 100644 index 000000000..454700047 --- /dev/null +++ b/analyzers/Hashdd/index.html @@ -0,0 +1,4888 @@ + + + + + + + + + + + + + + + + + + + + + + + Hashdd - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Hashdd#

+
+

README

+

Hashdd#

+

Hashdd search engine for file hashes which automatically queries 3rd party services like VirusTotal and enriches the information provided based on the 3rd party data.

+

The analyzer includes two flavors: Status and Detail. The first one is used to query hashdd without an API key for the threat level only. The latter produces additional meta information about the sample, but requires an API key.

+

Requirements#

+

A valid Hashdd API is necessary just for detail flavour, for status can still be added.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

Hashdd_Status#

+
+

Author: iosonogio, dadokkio
+License: AGPLv3
+Version: 2.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Determine whether a hash is good or bad.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key for hashdd
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

Hashdd_Detail#

+

+ +

+ +
+

Author: iosonogio, dadokkio
+License: AGPLv3
+Version: 2.0
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://www.hashdd.com/

+
+

Description#

+

Determine whether a hash is good or bad; if good then list what it is.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key for hashdd
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Hashdd: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Hippocampe/index.html b/analyzers/Hippocampe/index.html new file mode 100644 index 000000000..be6ace575 --- /dev/null +++ b/analyzers/Hippocampe/index.html @@ -0,0 +1,4831 @@ + + + + + + + + + + + + + + + + + + + + + + + Hippocampe - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Hippocampe#

+

HippoMore#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get the Hippocampe detailed report for an IP address, a domain or a URL.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Hipposcore#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get the Hippocampe Score report associated with an IP address, a domain or a URL.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Hunterio/index.html b/analyzers/Hunterio/index.html new file mode 100644 index 000000000..0dec73d2b --- /dev/null +++ b/analyzers/Hunterio/index.html @@ -0,0 +1,4703 @@ + + + + + + + + + + + + + + + + + + + + + + + Hunterio - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Hunterio#

+

Hunterio_DomainSearch#

+

+ +

+ +
+

Author: Rémi Allain, Cyberprotect
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://hunter.io/

+
+

Description#

+

hunter.io is a service to find email addresses from a domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyapi key of hunter.io
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Hunter: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/HybridAnalysis/index.html b/analyzers/HybridAnalysis/index.html new file mode 100644 index 000000000..8a2e7eec2 --- /dev/null +++ b/analyzers/HybridAnalysis/index.html @@ -0,0 +1,4702 @@ + + + + + + + + + + + + + + + + + + + + + + + HybridAnalysis - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

HybridAnalysis#

+

HybridAnalysis_GetReport#

+
+

Author: Daniil Yugoslavskiy, Tieto
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - file
+ - filename
+ - url
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Fetch Hybrid Analysis reports associated with hashes and filenames.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/IBMXForce/index.html b/analyzers/IBMXForce/index.html new file mode 100644 index 000000000..23383bd58 --- /dev/null +++ b/analyzers/IBMXForce/index.html @@ -0,0 +1,4779 @@ + + + + + + + + + + + + + + + + + + + + + + + IBMXForce - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

IBMXForce#

+

IBMXForce_Lookup#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - ip
+ - hash
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query domains, IPs, hashes and URLs against IBM X-Force threat intelligence sharing platform.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlX-Force API URL
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyX-Force API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
pwdX-Force API Password
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifyEnable/Disable certificate verification
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/IP-API/index.html b/analyzers/IP-API/index.html new file mode 100644 index 000000000..a3d4c28e3 --- /dev/null +++ b/analyzers/IP-API/index.html @@ -0,0 +1,4674 @@ + + + + + + + + + + + + + + + + + + + + + + + IP-API - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

IP-API#

+

IP-API#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check IP address or domain using ip-api.com

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/IPVoid/index.html b/analyzers/IPVoid/index.html new file mode 100644 index 000000000..5468d88f5 --- /dev/null +++ b/analyzers/IPVoid/index.html @@ -0,0 +1,4698 @@ + + + + + + + + + + + + + + + + + + + + + + + IPVoid - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

IPVoid#

+

IPVoid#

+
+

Author: Joel Snape @ Nettitude
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Determine whether an IP is present on any of the feeds consumed by IPVoid

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for IPVoid
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/IPinfo/index.html b/analyzers/IPinfo/index.html new file mode 100644 index 000000000..cf39b9c79 --- /dev/null +++ b/analyzers/IPinfo/index.html @@ -0,0 +1,4825 @@ + + + + + + + + + + + + + + + + + + + + + + + IPinfo - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

IPinfo#

+

IPinfo_Hosted_Domains#

+
+

Author: Manabu Niseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

IPinfo hosted domains lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

IPinfo_Details#

+
+

Author: Manabu Niseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

IPinfo details lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/IVRE/index.html b/analyzers/IVRE/index.html new file mode 100644 index 000000000..c8dfbe937 --- /dev/null +++ b/analyzers/IVRE/index.html @@ -0,0 +1,4942 @@ + + + + + + + + + + + + + + + + + + + + + + + IVRE - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

IVRE#

+
+

README

+

IVRE#

+

Get intelligence from an IVRE instance.

+

Requirements#

+

You need an access to an IVRE instance. Unlike most analyzers, IVRE +does not exist as a public service but is an open-source tool: you +need to install and run your own instance. The repository is on +GitHub.

+

To learn more about IVRE (and its "purposes"), you can read the +documentation, particularly about the +principles, +and some use +cases.

+

Supply the following parameters to the analyzer in order to use it:

+
    +
  • db_url (string): the IVRE instance database URL (format: same as IVRE's + configuration; default: use IVRE's configuration)
  • +
  • db_url_data (string): the IVRE instance database URL for the data purpose + (idem)
  • +
  • db_url_passive (string): the IVRE instance database URL for the passive purpose + (idem)
  • +
  • db_url_scans (string): the IVRE instance database URL for the scans purpose + (idem)
  • +
  • use_data (boolean): should the analyzer use the data purpose?
  • +
  • use_passive (boolean): should the analyzer use the passive purpose?
  • +
  • use_scans (boolean): should the analyzer use the scans purpose?
  • +
+
+

IVRE#

+

+ +

+ +
+

Author: Pierre Lalet
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - autonomous-system
+ - certificate_hash
+ - domain
+ - fqdn
+ - ip
+ - network
+ - port
+ - user-agent
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: https://ivre.rocks/

+
+

Description#

+

Fetch details from an IVRE instance.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
use_dataUse data from the data purpose (MaxMind)
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
use_passiveUse data from the passive purpose
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
use_scansUse data from the scans (nmap) purpose
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
db_urlThe URL of the IVRE database (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
db_url_dataThe URL of the IVRE database for the data purpose (e.g., maxmind:///usr/share/ivre/geoip or http://host/cgi); defaults to using IVRE's configuration
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
db_url_passiveThe URL of the IVRE database for the passive purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
db_url_scansThe URL of the IVRE database for the scans (nmap) purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Inoitsu/index.html b/analyzers/Inoitsu/index.html new file mode 100644 index 000000000..1f9f07358 --- /dev/null +++ b/analyzers/Inoitsu/index.html @@ -0,0 +1,4586 @@ + + + + + + + + + + + + + + + + + + + + + + + Inoitsu - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Inoitsu#

+
+

README

+

Inoitsu-analyzer#

+

This analyzer helps you investigate suspicious emails received from known or unknown senders to ensure that their email addresses aren't compromised.

+

No API key required.

+

If the email is compromised then it returns: +- Total breaches +- Most recent breach +- Breached data +- Critical data +- Exposure rating: The comparative data exposure and risk rating assigned to this email address.

+

Testing Inoitsu analyzer (Cortex)#

+

You need first to enable the analyzer.

+

enable analyzer

+

Navigate to Analyzers then run Inoitsu analyzer.

+

run analyzer

+

Test Inoitsu analyzer on a compromised email address.

+

report

+

Test Inoitsu analyzer on an uncompromised email address.

+

uncompromised

+

Testing Inoitsu analyzer (TheHive)#

+

In the observables section add emails to test.

+

Then select the emails that you want to analyze, select Inoitsu and click on Run selected analyzers.

+

thehive iocs

+

response

+

To view the report of the compromised email, click on Inoitsu:Compromised="True"

+

analyzer report

+

To view the report of the uncompromised email, click on Inoitsu:Compromised="False"

+

analyzer report 2

+
+

Inoitsu#

+

+ +

+ +
+

Author: Abdelkader Ben Ali
+License: MIT
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://www.hotsheet.com/inoitsu/

+
+

Description#

+

Query Inoitsu for a compromised email address.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

Inoitsu long report sample

+

Inoitsu mini report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/IntezerCommunity/index.html b/analyzers/IntezerCommunity/index.html new file mode 100644 index 000000000..8cd52d962 --- /dev/null +++ b/analyzers/IntezerCommunity/index.html @@ -0,0 +1,4761 @@ + + + + + + + + + + + + + + + + + + + + + + + IntezerCommunity - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

IntezerCommunity#

+
+

README

+

Intezer#

+

Intezer is a subscription-based SaaS product that provides rapid malware detection and analysis.

+

The analyzer comes in a single flavour that permits user to upload files and detect code reuse in trusted and malicious software, and obtain new insights and information about malware families and threat actors.

+

Requirements#

+

You need a valid Intezer Community API integration subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

IntezerCommunity#

+

+ +

+ +
+

Author: Matteo Lodi
+License: AGPL-v3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://analyze.intezer.com/

+
+

Description#

+

Analyze a possible malicious file with Intezer Analyzer

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Intezer
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Intezer: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Investigate/index.html b/analyzers/Investigate/index.html new file mode 100644 index 000000000..606973cc7 --- /dev/null +++ b/analyzers/Investigate/index.html @@ -0,0 +1,4826 @@ + + + + + + + + + + + + + + + + + + + + + + + Investigate - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+ +
+
+ + + +
+
+ + + + + + + +

Investigate#

+

Investigate_Categorization#

+
+

Author: Cisco Umbrella Research @opendns
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve Investigate categorization and security features for a domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the Investigate API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Investigate_Sample#

+
+

Author: Cisco Umbrella Research @opendns
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve sample data from Investigate for a hash. (Sample data provided by ThreatGrid)

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the Investigate API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/JoeSandbox/index.html b/analyzers/JoeSandbox/index.html new file mode 100644 index 000000000..0f1a5f8ea --- /dev/null +++ b/analyzers/JoeSandbox/index.html @@ -0,0 +1,5379 @@ + + + + + + + + + + + + + + + + + + + + + + + JoeSandbox - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

JoeSandbox#

+
+

README

+

Joe SandBox#

+

With the version 3.0 this analyzer allow you to have:

+
    +
  • the HTML report as an observable
  • +
  • the screenshot from Joe Sandbox in the analysis report
  • +
  • IP and URL as observable
  • +
+

This analyzer has 3 flavors:

+
    +
  • URL analysis
  • +
  • File analysis inet
  • +
  • File analysis noinet
  • +
+
+

JoeSandbox_Url_Analysis#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Joe Sandbox URL analysis.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of JoeSandbox service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
analysistimeoutAnalysis timeout (seconds)
Default value if not configured1800
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
networktimeoutNetwork timeout (second)
Default value if not configured30
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

JoeSandbox_File_Analysis_Inet#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Joe Sandbox file analysis with Internet access.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of JoeSandbox service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
analysistimeoutAnalysis timeout (seconds)
Default value if not configured1800
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
networktimeoutNetwork timeout (second)
Default value if not configured30
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
HTML_reportDownload HTML report
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
imagesAllow images in the report
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
observablesCreat observables form report
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

EmlParser: HTML report

+

EmlParser: images preview

+

EmlParser: IP and URL

+

JoeSandbox_File_Analysis_Noinet#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Joe Sandbox file analysis without Internet access.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of JoeSandbox service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
analysistimeoutAnalysis timeout (seconds)
Default value if not configured1800
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
networktimeoutNetwork timeout (second)
Default value if not configured30
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
HTML_reportDownload HTML report
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
imagesAllow images in the report
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
observablesCreat observables form report
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

EmlParser: HTML report

+

EmlParser: images preview

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Jupyter_Analyzer/index.html b/analyzers/Jupyter_Analyzer/index.html new file mode 100644 index 000000000..6ee7f38e2 --- /dev/null +++ b/analyzers/Jupyter_Analyzer/index.html @@ -0,0 +1,5017 @@ + + + + + + + + + + + + + + + + + + + + + + + Jupyter_Analyzer - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Jupyter_Analyzer#

+
+

README

+

Summary#

+

This analyzer allows you to execute a parametrized notebook in Jupyter. This can help you investigate observables by submitting them to custom notebooks for automated investigation tasks. +You can choose to execute your notebooks locally or remotely.

+

This was designed to run with a running remote JupyterHub instance but you can work directly with local/remote storages (Azure, S3 etc.)

+

You can run several notebooks at the same time for one observable.

+

You can setup several Jupyter connectors just with a copy/paste of the file "Jupyter_Run_Notebook_Analyzer.json" file.

+

Prerequisites#

+

Cortex connector#

+

You must install the required librairies described in the requirements.txt file.

+

You are using HTTP Handlers#

+
+

⚠️ A current issue was identified in the Papermill on how the requests are managed when HTTP handler is used. The Jupyter HTTP REST API is adding an additionnal layer in the JSON response that need to be removed before recovering the notebook. An issue was raised accordingly: +Nbformat/nbformat_minor not well extracted with HTTP handler #727

+
+

You can fix the issue by replacing the HTTPHandler class in papermill source code (iorw.py#L180) to this code:

+
class HttpHandler(object):
+    @classmethod
+    def read(cls, path):
+-        return requests.get(path, headers={'Accept': 'application/json'}).text
++        return json.dumps(requests.get(path, headers={'Accept': 'application/json'}).json()["content"])
+
+    @classmethod
+    def listdir(cls, path):
+        raise PapermillException('listdir is not supported by HttpHandler')
+
+    @classmethod
+    def write(cls, buf, path):
++        payload = {"type": "notebook", "format": "json", "path": path}
++        payload["content"] = json.loads(buf)
++        result = requests.put(path, json=payload)
+-        result = requests.put(path, json=json.loads(buf))
+        result.raise_for_status()
+
+    @classmethod
+    def pretty_path(cls, path):
+        return path
+
+

JupyterHub#

+

You must create a service account to access the JupyterHub instance. +This is a proposed configuration:

+
c.JupyterHub.load_roles = [
+    {
+        "name": "role_cortex_servers",
+        "scopes": [
+            "servers",  # manage servers
+            "access:servers",  # access servers themselves
+        ],
+        # assign role to our 'cortex' service
+        "services": ["cortex"],
+    }
+]
+
+# persist token to a file, to share it with the launch-server.py script
+import pathlib
+import secrets
+
+here = pathlib.Path(__file__).parent
+token_file = here.joinpath("service-token-cortex")
+if token_file.exists():
+    with token_file.open("r") as f:
+        token = f.read()
+else:
+    token = secrets.token_hex(16)
+    with token_file.open("w") as f:
+        f.write(token)
+
+# define our service
+c.JupyterHub.services = [
+    {
+        "name": "cortex",
+        "api_token": token,
+    }
+]
+
+

A token will be available locally to your JupyterHub instance under the file named "service-token-cortex"

+

You must enable the named servers by adding this into your configuration: +

c.JupyterHub.allow_named_servers = True
+

+

Technical details#

+

Local execution of your notebooks#

+

This connector is using the Papermill library to work. It will allow you to get the notebook, execute it locally after parameterize the notebook and then store it. +Please refer to the Supported Name Handles description to have more details.

+

Remote execution of your notebooks#

+

Papermill is also used in this case but additional code (specific to this connector) was added to let you work with remote JupyterHun instance instead of having the notebooks run locally on the Cortex instance. This should help you to avoid having to install local dependencies on your Cortex instance.

+

To do so, the connector is communicating directly with the remote kernel using the Jupyter HTTP REST API and Jupyter Websocket API so you must use HTTP handlers accordingly (with the provided fix above applied). It's sending automatically the code to execute following the kernel logic explained here: Messaging in Jupyter.

+

You must use HTTP handlers provided by Papermill, meaning that input notebooks must be starting with "http://" or "https://" and allow traffic using the websocket protocol ("ws://").

+

How to use#

+

Configure the connector#

+

You'll have to setup several parameters for the connector. +Parameters can be identified with:

+
    +
  • [INPUT]: Concerns only input notebooks
  • +
  • [OUTPUT]: Concerns only output notebooks
  • +
  • [ANY]: Concerns either an input or output notebooks
  • +
  • [HTTP Handler]: Need to be setup only if you are using HTTP Handlers. Not used for local/remote storage (Azure, S3 etc)
  • +
+

Here is the description for each parameter:

+
    +
  • input_hostname: [INPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to get the input notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.
  • +
  • input_handler_http_service_api_token: [HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account
  • +
  • input_handler_http_is_jupyterhub: [INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account (Default: true)
  • +
  • input_handler_http_execute_remotely: [INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you want to run your code locally (papermill) or remotely (websocket through HTTP), otherwise don't take this parameter into account
  • +
  • input_paths: [INPUT] List of paths of the notebooks you want to run
  • +
  • output_hostname: [OUTPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to store the output notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.
  • +
  • output_handler_http_service_api_token: [HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account
  • +
  • output_handler_http_is_jupyterhub: [OUTPUT][HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account (Default: true)
  • +
  • output_folder: [OUTPUT] Folder path in which executed notebooks will be stored. This field is supporting format code for datetime such as the one used by the strftime() function.
  • +
  • any_handler_http_user: [ANY][HTTP Handler] If you want to use the REST API directly (HTTP handler), you must indicate which user will be used as the reference for having the original notebooks, otherwise don't take this parameter into account.
  • +
  • any_generate_html: [ANY] Indicates if you want only the HTML conversion as a response (not the full detailed payload) (Default: true)
  • +
+

Here is an example of what it could looks like:

+

Cortex Analyzer Settings example

+

Run the connector#

+

Inputs#

+

As we are using Papermill, we can parameterize the notebooks before execution. +The connector will recover the input playbook, find the associated tagged cell with "parameters" and add these four parameters:

+
    +
  • thehive_organisation: This is specifying the organisation in which the connector was executed
  • +
  • thehive_user: This is specifying which user executed the connector
  • +
  • thehive_observable_type: This is indicating the observable type (from the predefined list from TheHive)
  • +
  • thehive_observable_value: This is indicating the observable value
  • +
+

Here is an example of what it look like: +Screenshot Jupyter Parameters

+

An analysis report (notebook execution exported in HTML) wil be available in TheHive:

+

Screenshot TheHive Report

+

Outputs#

+

Artifacts#

+

You can return new artifacts/observables from the notebook to TheHive by using a tag named "artifacts" on the code block that will contain the artifacts.

+

Screenshot Jupyter Artifacts

+

Once you've add the tag to the block, ensure that the code block is given json outputs containing information about new artifacts to return. As you can see, you can have several artifacts separated by a newline ("/n"). In this example, we are returning two artifacts.

+

Within TheHive, you'll be able to see the artifacts proposed to be imported and with the given information:

+

Screenshot TheHive Artifacts

+

Short reports (taxonomies)#

+

Short reports can be built directly from the executed notebooks as artifacts thanks to the tag named "taxonomies".

+

Screenshot Jupyter Taxonomies

+

Once you've add the tag to the block, ensure that the code block is given json outputs containing information about taxonomies to return. As you can see, you can have several taxonomies separated by a newline ("/n"). In this example, we are returning two taxonomies.

+

Screenshot TheHive Taxonomies 1 +Screenshot TheHive Taxonomies 2

+

All taxonomies must follow the same pattern:

+
    +
  • level: Indicates the level of the taxonomy (used for the color). Values can be "info", "safe", "suspicious" or "malicious".
  • +
  • namespace: Indicates the namespace of the taxonomy. We recommand to use the default value set to "Jupyter".
  • +
  • predicate: Indicates a specific subname for the given namespace.
  • +
  • value: Indicates the value associated to the predicate.
  • +
+

Long report#

+

The long report template is used to render the notebook execution from a HTML export of the same notebook. In the raw data sent back to TheHive, you can have the all detail of the execution additionally to the HTML embedded code (be sure to set any_generate_html to True accordingly). If you don't want to have the render directly in TheHive and lower the size of the response, please set this parameter to False.

+

FAQ#

+

I'm getting this error: jupyter_client.kernelspec.NoSuchKernel: No such kernel named python3 on the Cortex instance#

+

This means that you are missing librairies on your local Cortex instance to be able to run your notebooks. It must have a dedicated folder for the cortex user with the kernel spec to be able to run it. +You have to execute those commands on the Cortex instance to fix the issue:

+

console +root#> mkdir /home/cortex +root#> chown cortex: /home/cortex +root#> su cortex +cortex#> ipython kernel install --name "python3" --user

+

I have some trouble with the library Papermill and more precisely on the file papermill/iorw.py#

+

If you're using a hostname input or output starting with "http(s)", please check that you applied the patch mentionned above as expected. Otherwise, please raise an issue.

+

You can reach the developer directly by email: letmer00t@gmail.com

+
+

Jupyter_Run_Notebook_Analyzer#

+

+ +

+ +
+

Author: Alexandre Demeyer
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - hostname
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a parameterized notebook in Jupyter

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
input_hostname[INPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to get the input notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
input_handler_http_service_api_token[HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
input_handler_http_is_jupyterhub[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
input_handler_http_execute_remotely[INPUT][HTTP Handler] If you want to use the REST API to get the input notebook, you must indicate if you want to run your code locally (papermill) or remotely (websocket through HTTP), otherwise don't take this parameter into account
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
input_paths[INPUT] List of paths of the notebooks you want to run
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
output_hostname[OUTPUT] Hostname representing the Jupyter(Hub) instance (or Azure, S3 etc location) to reach to store the output notebook. See https://github.com/nteract/papermill#supported-name-handlers for more information.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
output_handler_http_service_api_token[HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate an API token used by a dedicated service, otherwise don't take this parameter into account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
output_handler_http_is_jupyterhub[OUTPUT][HTTP Handler] If you want to use the REST API to store the output notebook, you must indicate if you're behind a JupyterHub instance or not, otherwise don't take this parameter into account
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
output_folder[OUTPUT] Folder path in which executed notebooks will be stored. This field is supporting datetime format (see 'strftime' function).
Default value if not configured/
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
any_handler_http_user[ANY][HTTP Handler] If you want to use the REST API directly (HTTP handler), you must indicate which user will be used as the reference for having the original notebooks, otherwise don't take this parameter into account.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
any_generate_html[ANY] Indicates if you want the HTML generation within the response. This setting is helpful if you want to reduce the size of the answer returned by the script and manage the HTML render yourself.
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/KasperskyTIP/index.html b/analyzers/KasperskyTIP/index.html new file mode 100644 index 000000000..44c86b6c7 --- /dev/null +++ b/analyzers/KasperskyTIP/index.html @@ -0,0 +1,4700 @@ + + + + + + + + + + + + + + + + + + + + + + + KasperskyTIP - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

KasperskyTIP#

+

KasperskyThreatIntelligencePortal#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Analyze IP address, domain or hash via Kaspersky Threat Intelligence Portal

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Kaspersky Threat Intelligence Portal
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/LdapQuery/index.html b/analyzers/LdapQuery/index.html new file mode 100644 index 000000000..9080ecffd --- /dev/null +++ b/analyzers/LdapQuery/index.html @@ -0,0 +1,4855 @@ + + + + + + + + + + + + + + + + + + + + + + + LdapQuery - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

LdapQuery#

+

Ldap_Query#

+
+

Author: Florian Perret @cyber_pescadito
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - username
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query your LDAP server to harvest informations about an user of your organization

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
LDAP_addressShould contain the protocol. Eg: ldaps://myldap.myorg.com
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
LDAP_portShould contain the ldap port. Eg: 389 or 636
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
LDAP_usernameUsernae of the account that will be used to bind to LDAP server. The Account should have permissions to read ldap objects and attributes.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
LDAP_passwordPassword of the account used to bind to LDAP server.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
base_DNThe base DN to use in your LDAP. Eg: dc=myorg,dc=com
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
uid_search_fieldSpecify here the field to use when searching by username. Eg: uid or sAMAccountName
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
attributesSpecify here the attributes you want to harvest. Eg: mail
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MISP/index.html b/analyzers/MISP/index.html new file mode 100644 index 000000000..202438e58 --- /dev/null +++ b/analyzers/MISP/index.html @@ -0,0 +1,4878 @@ + + + + + + + + + + + + + + + + + + + + + + + MISP - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MISP#

+
+

README

+

MISP#

+

MISP A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

+

The analyzer comes in a single flavour that will return MISP additional information for provided observable.

+

Requirements#

+

You need a valid MISP API integration to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

MISP#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://www.misp-project.org/

+
+

Description#

+

Query multiple MISP instances for events containing an observable.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
nameName of MISP servers
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of MISP servers
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for each server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_checkVerify server certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_pathPath to the CA on the system used to check server certificate
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+

Templates samples for TheHive#

+

MISP: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MISPWarningLists/index.html b/analyzers/MISPWarningLists/index.html new file mode 100644 index 000000000..8cb9939ff --- /dev/null +++ b/analyzers/MISPWarningLists/index.html @@ -0,0 +1,4795 @@ + + + + + + + + + + + + + + + + + + + + + + + MISPWarningLists - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MISPWarningLists#

+
+

README

+

MISPWarningLists#

+

MISPWarningLists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.

+

The analyzer comes in a single flavour that will check observables against MISP Warninglists to filter false positives.

+

Requirements#

+

Option 1 low performances: + - Clone the MISPWarningLists GitHub repository. + - In the analyzer parameters configure the path of WarningLists folder.

+

Option 2 high performances: + - Clone the MISPWarningLists GitHub repository. + - Install PostgreSQL database. + - Set conn_string and warninglists_path located inside script warninglists_create_db.py and run it in order to parse all MISPWarningLists and insert into PostgreSQL. + - In the analyzer parameters configure the conn to DB (for example: postgresql+psycopg2://user:password@localhost:5432/warninglists').

+
+

MISPWarningLists#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - hash
+ - domain
+ - fqdn
+ - url
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://github.com/MISP/misp-warninglists

+
+

Description#

+

Check IoCs/Observables against MISP Warninglists to filter false positives.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
pathpath to Warninglists folder
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
connsqlalchemy connection string
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

MISPWarningLists: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MSEntraID/index.html b/analyzers/MSEntraID/index.html new file mode 100644 index 000000000..d1be0bf4c --- /dev/null +++ b/analyzers/MSEntraID/index.html @@ -0,0 +1,5127 @@ + + + + + + + + + + + + + + + + + + + + + + + MSEntraID - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MSEntraID#

+
+

README

+

Microsoft Entra ID Sign In Retriever#

+

This responder allows you to revoke the session tokens for an Microsoft Entra ID user. Requires the UPN of the account in question, which should be entered as a "mail" oberservable in TheHive.

+

Config#

+

To enable the responder, you need three values: +1. Microsoft Entra ID Tenant ID +2. Application ID +3. Application Secret

+

The first two values can be found at any time in the application's Overview page in the Microsoft Entra ID portal. The secret must be generated and then stored in a safe place, as it is only fully visible when you first make it.

+

You can also specify the limits for how far back the analyzer requests sign ins. You can specify time and count for how many sign ins get returned.

+

Finally, you can specify a state and country/region. These are used as taxonomies. If you run a query on a particular user and they return a few out-of-state sign ins, a taxonomy label will be added to the observable to reflect that. Likewise for the country/region. By default, this analyzer does not support selecting multiple states or countries, so if you have more than one that users will be signing in to, feel free to leave them blank. If the value is not configured, then the analyzer will simply not use the taxonomies.

+

Setup#

+

Prereqs#

+

User account with the Cloud Application Administrator role. +User account with the Global Administrator Role (most of the steps can be done with only the Cloud App Administrator role, but the final authorization for its API permissions requires GA).

+

Steps#

+

Creation#

+
    +
  1. Navigate to the Microsoft Entra ID Portal and sign in with the relevant administrator account.
  2. +
  3. Navigate to App Registrations, and create a new registration.
  4. +
  5. Provide a display name (this can be anything, and can be changed later). Click Register.
  6. +
+

Secret#

+
    +
  1. Navigate to Certificates and Secrets.
  2. +
  3. Create a new client secret. Enter a relevant description and set a security-conscious expiration date.
  4. +
  5. Copy the Value. This will only be fully visible for a short time, so you should immediately copy it and store it in a safe place.
  6. +
+

API Permissions#

+
    +
  1. Navigate to API permissions.
  2. +
  3. Add the Directory.Read.All, AuditLog.Read.All, and Policy.Read.ConditionalAccess permissions (Microsoft Graph API, application permissions).
  4. +
  5. +

    Using a GA account, select the "Grant admin consent for TENANTNAME" button.

    +
  6. +
  7. +

    Place the relevant values into the config within Cortex.

    +
  8. +
+

Customization#

+

It is possible to add a color coding system to the long report as viewed from TheHive. Specifically, you can color code the Sign Ins table so that certain ones stand out.

+

Example#

+

Let's say you are in an organization where almost all of your users will be signing in from a single state. You could color code the table so that out-of-state sign ins are highlighted yellow, and out-of-country sign ins are highlighted in red. To enable customization like this, you must modify this analyzer's long.html to check for values within the full JSON report using the ng-style tag in the table body > table row element. An example exists as a comment in the long.html file at line 34.

+
+

MSEntraID_GetSignIns#

+
+

Author: @jahamilto
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id

+
+

Description#

+

Pull all Microsoft Entra ID sign ins for a user within the specified amount of time.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
tenant_idMicrosoft Entra ID Tenant ID
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idClient ID/Application ID of Microsoft Entra ID Registered App
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_secretSecret for Microsoft Entra ID Registered Application
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
lookup_rangeCheck for sign ins in the last X days. Should be between 1 and 31 days.
Default value if not configured7
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
lookup_limitDisplay no more than this many sign ins.
Default value if not configured12
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
stateExpected sign in state (used as a taxonomy when sign ins appear outside of this area).
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
countryExpected sign in country or region (used as a taxonomy when sign ins appear outside of this area).
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Malpedia/index.html b/analyzers/Malpedia/index.html new file mode 100644 index 000000000..d9716535e --- /dev/null +++ b/analyzers/Malpedia/index.html @@ -0,0 +1,4750 @@ + + + + + + + + + + + + + + + + + + + + + + + Malpedia - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Malpedia#

+

Malpedia#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check files against Malpedia YARA rules.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
pathRulepath
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUsername
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordPassword
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Maltiverse/index.html b/analyzers/Maltiverse/index.html new file mode 100644 index 000000000..b01b9a6ef --- /dev/null +++ b/analyzers/Maltiverse/index.html @@ -0,0 +1,4787 @@ + + + + + + + + + + + + + + + + + + + + + + + Maltiverse - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Maltiverse#

+
+

README

+

Maltiverse#

+

This analyzer lets you query the free Maltiverse Threat Intelligence platform for enrichment information about a particular hash, domain, ip or url.

+

The analyzer comes in a single flavour that will return Maltiverse additional information categorization for provided ip.

+

Requirements#

+

You can specify time interval between two requests attempts for the report with the polling_interval parameter.

+
+

Maltiverse_Report#

+

+ +

+ +
+

Author: ottimo
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - domain
+ - ip
+ - url
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://maltiverse.com/search

+
+

Description#

+

Get the latest Maltiverse report for an hash, domain or an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAuth token to use when requesting data to Maltiverse
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Maltiverse: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MalwareBazaar/index.html b/analyzers/MalwareBazaar/index.html new file mode 100644 index 000000000..f8847da82 --- /dev/null +++ b/analyzers/MalwareBazaar/index.html @@ -0,0 +1,4761 @@ + + + + + + + + + + + + + + + + + + + + + + + MalwareBazaar - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MalwareBazaar#

+
+

README

+

MalwareBazaar#

+

MalwareBazaar is a project operated by abuse.ch. The purpose of the project is to collect and share malware samples, helping IT-security researchers and threat analysts protecting their constituency and customers from cyber threats.

+

The analyzer comes in a single flavour that takes as input an hash and enrich it with additional intelligence .

+

Requirements#

+

You need a valid MalwareBazaar API subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

MalwareBazaar#

+

+ +

+ +
+

Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://bazaar.abuse.ch/

+
+

Description#

+

Search hashes on MalwareBazaar.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyMalwareBazaar api key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

MalwareBazaar: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MalwareClustering/index.html b/analyzers/MalwareClustering/index.html new file mode 100644 index 000000000..584417091 --- /dev/null +++ b/analyzers/MalwareClustering/index.html @@ -0,0 +1,4700 @@ + + + + + + + + + + + + + + + + + + + + + + + MalwareClustering - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MalwareClustering#

+
+

README

+

Prerequisites:#

+

Required:#

+
- [neo4j db instance](https://neo4j.com/download/)
+- pip3 install -r requirements
+
+ +

Optional:#

+
- bulk import known malware samples in db from:
+    - [cloned malpedia repo](https://malpedia.caad.fkie.fraunhofer.de/)
+    - folder with some malicious sample with optional json malpedia like definition
+
+ +
from malwareclustering_api import Api
+test = Api(host='127.0.0.1', port=7474, user='neo4j', password='password', threshold=40, folder_path='/home/user/malware_samples')
+test.process()
+
+
+ +
+

Author: LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service:

+
+

Description#

+

Uses ApiVectors to find similarities between malware samples.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
n4j_hostNeo4j server host
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
n4j_portNeo4j server port
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
n4j_userNeo4j server user
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
n4j_pwdNeo4j server password
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
thresholdApiScout correlation threshold
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

MalwareCustering long report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Malwares/index.html b/analyzers/Malwares/index.html new file mode 100644 index 000000000..86d41b99d --- /dev/null +++ b/analyzers/Malwares/index.html @@ -0,0 +1,4896 @@ + + + + + + + + + + + + + + + + + + + + + + + Malwares - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Malwares#

+
+

README

+

Malwares#

+

Malwares is a web service to collect, analyze and detect various malicious codes or malwares such as Trojans, Viruses, Worms so that customers or end-users can make proper security policies to take countermeasures against security threats.

+

The analyzer comes in a two flavour that permit you to query different data types (file, hash, domain, ip) or submit new sample for analysis (file, hash).

+

Requirements#

+

You need a valid Malware API subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

Malwares_Scan#

+

+ +

+ +
+

Author: LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.malwares.com/

+
+

Description#

+

Use Malwares' API to scan a file or URL.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyMalwares.com API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Malwares: long report

+

Malwares_GetReport#

+

+ +

+ +
+

Author: LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - hash
+ - domain
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.malwares.com/

+
+

Description#

+

Get the latest Malwares report for a file, hash, domain or an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyMalwares.com API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Malwares: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MaxMind/index.html b/analyzers/MaxMind/index.html new file mode 100644 index 000000000..5e04ee997 --- /dev/null +++ b/analyzers/MaxMind/index.html @@ -0,0 +1,4673 @@ + + + + + + + + + + + + + + + + + + + + + + + MaxMind - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MaxMind#

+

MaxMind_GeoIP#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 4.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use MaxMind to geolocate an IP address.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MetaDefender/index.html b/analyzers/MetaDefender/index.html new file mode 100644 index 000000000..0ab14e6b9 --- /dev/null +++ b/analyzers/MetaDefender/index.html @@ -0,0 +1,5390 @@ + + + + + + + + + + + + + + + + + + + + + + + MetaDefender - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

MetaDefender#

+

MetaDefenderCloud_GetReport#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get the latest MetaDefender Cloud report for hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for MetaDefender
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlurl address for MetaDefender server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

MetaDefenderCloud_Scan#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Scan a file with MetaDefender Cloud

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for MetaDefender
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlurl address for MetaDefender server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
pollingDefine time interval between two requests attempts for the report
Default value if not configured10
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

MetaDefenderCore_GetReport#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get the latest MetaDefender Core report for hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for MetaDefender
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlurl address for MetaDefender server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

MetaDefenderCloud_Reputation#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - url
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get the latest MetaDefender Cloud reputation report .

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for MetaDefender
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlurl address for MetaDefender server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

MetaDefenderCore_Scan#

+
+

Author: Davide Arcuri and Andrea Garavaglia, LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Scan a file with MetaDefender Core

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for MetaDefender
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlurl address for MetaDefender server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
pollingDefine time interval between two requests attempts for the report
Default value if not configured10
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MnemonicPDNS/index.html b/analyzers/MnemonicPDNS/index.html new file mode 100644 index 000000000..096672883 --- /dev/null +++ b/analyzers/MnemonicPDNS/index.html @@ -0,0 +1,4802 @@ + + + + + + + + + + + + + + + + + + + + + + + MnemonicPDNS - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MnemonicPDNS#

+

Mnemonic_pDNS_Public#

+
+

Author: Michael Stensrud, Nordic Financial CERT
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query IP addresses and domains against Mnemonic pDNS public service.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+

Mnemonic_pDNS_Closed#

+
+

Author: Michael Stensrud, Nordic Financial CERT
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query IP addresses and domains against Mnemonic pDNS restricted service.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/MsgParser/index.html b/analyzers/MsgParser/index.html new file mode 100644 index 000000000..d9f53aa72 --- /dev/null +++ b/analyzers/MsgParser/index.html @@ -0,0 +1,4673 @@ + + + + + + + + + + + + + + + + + + + + + + + MsgParser - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

MsgParser#

+

Msg_Parser#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Parse Outlook MSG files and extract the main artifacts.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/NERD/index.html b/analyzers/NERD/index.html new file mode 100644 index 000000000..0d90ebed6 --- /dev/null +++ b/analyzers/NERD/index.html @@ -0,0 +1,4793 @@ + + + + + + + + + + + + + + + + + + + + + + + NERD - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

NERD#

+
+

README

+

NERD#

+

NERD is a service provided by CESNET which collects information about malicious IP addresses +from CESNET's own detection systems as well as several public sources. +It keeps a profile of each known malicious IP address, containing all security-relevant information about the +address, and it summarizes it into a reputation score - a number from 0.0 (good) to 1.0 (bad) representing the amount +and confidence of recently received reports about that address.

+

The analyzer comes in a single flavour that will return the reputation score and various tags for provided IP.

+

Requirements#

+

You need a valid NERD API integration subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
  • Default url of NERD instance is provided for url parameter, but you could override it.
  • +
+
+

NERD#

+

+ +

+ +
+

Author: Vaclav Bartos, CESNET
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+Registration required: True
+Subscription required: False
+Free subscription: True
+Third party service: https://nerd.cesnet.cz/

+
+

Description#

+

Get Reputation score and other basic information from Network Entity Reputation Database (NERD)

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlBase URL of the NERD instance
Default value if not configuredhttps://nerd.cesnet.cz/nerd/
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

NERD long report sample

+

NERD mini report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/NSRL/index.html b/analyzers/NSRL/index.html new file mode 100644 index 000000000..8365b5df7 --- /dev/null +++ b/analyzers/NSRL/index.html @@ -0,0 +1,4751 @@ + + + + + + + + + + + + + + + + + + + + + + + NSRL - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

NSRL#

+

NSRL#

+
+

Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+ - filename
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query NSRL

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
connsqlalchemy connection string
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
grep_pathpath of grep
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
nsrl_folderpath of NSRL folder
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Nessus/index.html b/analyzers/Nessus/index.html new file mode 100644 index 000000000..7ac0239b9 --- /dev/null +++ b/analyzers/Nessus/index.html @@ -0,0 +1,4829 @@ + + + + + + + + + + + + + + + + + + + + + + + Nessus - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Nessus#

+

Nessus#

+
+

Author: Guillaume Rousse
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use Nessus Professional to scan hosts.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlDefine the URL to the Nessus service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
loginDefine the login to Nessus
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordDefine the password to the Nessus account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
policyDefine the policy used to run scans
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ca_bundleDefine the path to the Nessus CA
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
allowed_networkDefine networks allowed to be scanned
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/OTXQuery/index.html b/analyzers/OTXQuery/index.html new file mode 100644 index 000000000..152b48199 --- /dev/null +++ b/analyzers/OTXQuery/index.html @@ -0,0 +1,4764 @@ + + + + + + + + + + + + + + + + + + + + + + + OTXQuery - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

OTXQuery#

+
+

README

+

OXT Alienvault#

+

OXT Alienvault is the world’s first and largest truly open threat intelligence community. OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques, thereby helping one another strengthen cyber defenses and raise awareness of emerging threats on a global level.

+

Requirements#

+

You need a valid OXT Alienvault API subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

OTXQuery#

+

+ +

+ +
+

Author: Eric Capuano
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+ - domain
+ - file
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://otx.alienvault.com/

+
+

Description#

+

Query AlienVault OTX for IPs, domains, URLs, or file hashes.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

OTX Alienvault: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/OktaUserLookup/index.html b/analyzers/OktaUserLookup/index.html new file mode 100644 index 000000000..ef44cd6d5 --- /dev/null +++ b/analyzers/OktaUserLookup/index.html @@ -0,0 +1,4724 @@ + + + + + + + + + + + + + + + + + + + + + + + OktaUserLookup - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

OktaUserLookup#

+

OktaUserLookup#

+
+

Author: Martin Jaan Leesment
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://developer.okta.com/docs/reference/api/users/

+
+

Description#

+

Okta User Lookup is an analyzer for TheHive to enrich mail observables from data through the Okta users API

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
OktaOrgUrlMust contain your okta organisation URL. Eg: https://.okta.com
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
OktaTokenMust contain the Okta access token.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Onyphe/index.html b/analyzers/Onyphe/index.html new file mode 100644 index 000000000..405ab4ad1 --- /dev/null +++ b/analyzers/Onyphe/index.html @@ -0,0 +1,5530 @@ + + + + + + + + + + + + + + + + + + + + + + + Onyphe - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

Onyphe#

+

ONYPHE_Summary_API#

+

+ +

+ +
+

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io

+
+

Description#

+

Retrieve summary information Onyphe has for given ip, domain, or fqdn.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verbose_taxonomiesSet true if you want detailed taxonomies for port, subnet, geoloc, domain
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Onyphe_Summary long report sample

+

Onyphe_Summary mini report sample

+

ONYPHE_ASM#

+

+ +

+ +
+

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io

+
+

Description#

+

Retrieve results from ONYPHE Search API for a given ip, domain or fqdn from specified category

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
time_filterSpecify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)
Default value if not configured-since:1M
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
fields_filter[!!Advanced!!] Modify ONYPHE fields to return in raw data (see https://www.onyphe.io/docs/onyphe-query-language)
Default value if not configuredip,port,protocol,tag,tls,cpe,cve,hostname,domain,alternativeip,forward,url,organization,transport,organization,device.class,device.product,device.productvendor,device.productversion,product,productvendor,productversion
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
auto_importAutomatically import artifacts as observables (risks, cves, assets, ...)
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

ONYPHE ASM report sample (IPs obscured) with click to expand accordion.

+

ONYPHE ASM mini report showing no. of risks

+

Onyphe_Summary#

+

+ +

+ +
+

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io

+
+

Description#

+

Retrieve summary information Onyphe has for given ip, domain or fqdn.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verbose_taxonomiesSet true if you want detailed taxonomies for port, subnet, geoloc, domain
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Onyphe_Summary long report sample

+

Onyphe_Summary mini report sample

+

ONYPHE_Vulnscan#

+

+ +

+ +
+

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io

+
+

Description#

+

Retrieve vulnerability data from ONYPHE vulnscan category for a given ip, domain, fqdn or hash (sha256 TLS fingerprint)

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
time_filterSpecify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)
Default value if not configured-since:1M
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
only_vulnerableOnly return results where a CVE exists (-exists:cve)
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
auto_importAutomatically import artifacts as observables (risks, cves, assets, ...)
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

ONYPHE Vulnscan report sample (IPs obscured)

+

ONYPHE Vulnscan mini report showing no. of CVEs

+ +

+ +

+ +
+

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://www.onyphe.io

+
+

Description#

+

Retrieve results from ONYPHE Search API for a given ip, domain, fqdn or hash (sha256 TLS fingerprint) from specified category

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
categorySpecify ONYPHE category to be used for search API (default datascan)
Default value if not configureddatascan
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
time_filterSpecify ONYPHE time filter to be used for searches (see https://www.onyphe.io/docs/onyphe-query-language)
Default value if not configured-since:1M
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
auto_importAutomatically import artifacts as observables (risks, cves, assets, ...)
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

ONYPHE Search report sample (IPs obscured)

+

ONYPHE Search mini report showing no. of open ports

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/OpenCTI/index.html b/analyzers/OpenCTI/index.html new file mode 100644 index 000000000..d4451a07a --- /dev/null +++ b/analyzers/OpenCTI/index.html @@ -0,0 +1,5051 @@ + + + + + + + + + + + + + + + + + + + + + + + OpenCTI - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

OpenCTI#

+
+

README

+

OpenCTI is an open cyber threat intelligence platform which aims at providing a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations and based on STIX 2.

+

The analyzer comes in only one flavor to look for an observable in the platform. +The analyzer comes in two flavors to search for an observable in the platform:

+
    +
  • OpenCTI_SearchExactObservable: returns an exact match only
  • +
  • OpenCTI_SearchObservables: returns all observables containing the input data
  • +
+

Requirements#

+

The OpenCTI analyzer requires you to have access to one or several OpenCTI + instances. You can also deploy your own instance. + instances in version 4. You can also deploy your own instance.

+

Three parameters are required for each instance to make the analyzer work:

+
    +
  • url : URL of the instance, e.g. "https://demo.opencti.io"
  • +
+
+

OpenCTI_SearchExactObservable#

+

+ +

+ +
+

Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://www.opencti.io

+
+

Description#

+

Query multiple OpenCTI instances for a specific observable.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
nameName of OpenCTI servers
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of OpenCTI servers
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for each server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_checkVerify server certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

OpenCTI_SearchObservables#

+

+ +

+ +
+

Author: ANSSI
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: True
+Subscription required: False
+Free subscription: False
+Third party service: https://www.opencti.io

+
+

Description#

+

Query multiple OpenCTI instances for a list of observables matching a pattern.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
nameName of OpenCTI servers
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of OpenCTI servers
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for each server
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_checkVerify server certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/PaloAltoWildFire/index.html b/analyzers/PaloAltoWildFire/index.html new file mode 100644 index 000000000..862a48415 --- /dev/null +++ b/analyzers/PaloAltoWildFire/index.html @@ -0,0 +1,4768 @@ + + + + + + + + + + + + + + + + + + + + + + + PaloAltoWildFire - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

PaloAltoWildFire#

+
+

README

+

WildFire® is the industry's largest, most integrated cloud malware protection engine that utilizes patented machine learning models for real-time detection of previously unseen, targeted malware and advanced persistent threats, keeping your organization protected.

+

When you submit observables to WildFire, they are analyzed in a sandboxed environment using multiple techniques: +* Dynamic analysis observes the files as they execute +* Machine learning extracts unique feathres form each file +* Static analysis provides instant identification of malware variants +* Uses a custom hypervisor to prevent malware evasion techniques

+

This analyzer supports "file", "url", and "hash" observables to be submitted to WildFire and produces a nicely formatted report in TheHive with all the pertinent information.

+

Product website: https://www.paloaltonetworks.com/network-security/wildfire

+
+

PaloAltoWildFire#

+

+ +

+ +
+

Author: Ignacio Rodriguez Paez, Joe Lazaro
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+ - url
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.paloaltonetworks.com/network-security/wildfire

+
+

Description#

+

Run Palo Alto WildFire analysis on a file, hash, or URL

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_hostYou can send requests to the WildFire global cloud (U.S., default option) or to the WildFire regional clouds that Palo Alto Networks owns and maintains. See the WildFire Public Cloud documentation for a list of valid servers.
Default value if not configuredwildfire.paloaltonetworks.com
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for WildFire
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

WildFire file analysis long report sample

+

WildFire URL analysis long report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/PassiveTotal/index.html b/analyzers/PassiveTotal/index.html new file mode 100644 index 000000000..3b7abb13b --- /dev/null +++ b/analyzers/PassiveTotal/index.html @@ -0,0 +1,6274 @@ + + + + + + + + + + + + + + + + + + + + + + + PassiveTotal - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

PassiveTotal#

+

PassiveTotal_Malware#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Malware Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Passive_Dns#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Passive DNS Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Host_Pairs#

+
+

Author: Brandon Dixon (9bplus)
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Host Pairs Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Enrichment#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Enrichment Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Trackers#

+
+

Author: Brandon Dixon (9bplus)
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Trackers Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Unique_Resolutions#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Unique Resolutions Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Components#

+
+

Author: Brandon Dixon (9bplus)
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Components Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Whois_Details#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal Whois Details Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Ssl_Certificate_Details#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - hash
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal SSL Certificate Details Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Osint#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal OSINT Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PassiveTotal_Ssl_Certificate_History#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - hash
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PassiveTotal SSL Certificate History Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the username of the account used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Patrowl/index.html b/analyzers/Patrowl/index.html new file mode 100644 index 000000000..4f5de3abb --- /dev/null +++ b/analyzers/Patrowl/index.html @@ -0,0 +1,4791 @@ + + + + + + + + + + + + + + + + + + + + + + + Patrowl - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Patrowl#

+
+

README

+

Patrowl#

+

Get the current Patrowl report for a fdqn, a domain or an IP address.

+

The analyzer comes in only one flavor called Patrowl_GetReport.

+

Requirements#

+

You need a running Patrowl instance or to have access to one to use the analyzer. Supply the following parameters to the analyzer in order to use it:

+
    +
  • url: The PatrowlManager service URL
  • +
  • api_key: A valid API Key of a Patrowl user
  • +
+
+

Patrowl_GetReport#

+

+ +

+ +
+

Author: Nicolas Mattiocco
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - fqdn
+ - domain
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://patrowl.io/home

+
+

Description#

+

Get the current Patrowl report for a fdqn, a domain or an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlDefine the PatrOwl url
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyDefine the PatrOwl API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Patrowl_GetReport: short report template

+

Patrowl_GetReport: long report template

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/PayloadSecurity/index.html b/analyzers/PayloadSecurity/index.html new file mode 100644 index 000000000..22a5f602f --- /dev/null +++ b/analyzers/PayloadSecurity/index.html @@ -0,0 +1,5085 @@ + + + + + + + + + + + + + + + + + + + + + + + PayloadSecurity - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

PayloadSecurity#

+

PayloadSecurity_File_Analysis#

+
+

Author: Emmanuel Torquato
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PayloadSecurity Sandbox File Analysis

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlDefine the url of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
secretDefine the secret used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
environmentIdDefine the environment Id used by the service
Default value if not configured100
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
timeoutDefine the timeout of requests to the service
Default value if not configured15
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifysslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PayloadSecurity_Url_Analysis#

+
+

Author: Emmanuel Torquato
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

PayloadSecurity Sandbox Url Analysis

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlDefine the url of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
secretDefine the secret used to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
environmentIdDefine the environment Id used by the service
Default value if not configured100
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
timeoutDefine the timeout of requests to the service
Default value if not configured15
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifysslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/PhishTank/index.html b/analyzers/PhishTank/index.html new file mode 100644 index 000000000..e2c7184fb --- /dev/null +++ b/analyzers/PhishTank/index.html @@ -0,0 +1,4761 @@ + + + + + + + + + + + + + + + + + + + + + + + PhishTank - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

PhishTank#

+
+

README

+

PhishTank#

+

PhishTank is a free community site where anyone can submit, verify, track and share phishing data.

+

The analyzer comes in a single flavour that returns the availability of submitted url in PhishTank database.

+

Requirements#

+

You need a valid PhishTank API subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

PhishTank_CheckURL#

+

+ +

+ +
+

Author: Eric Capuano
+License: AGPL-V3
+Version: 2.1
+Supported observables types:
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://phishtank.com/

+
+

Description#

+

Use PhishTank to check if a URL is a verified phishing site.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

PhishTank: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/PhishingInitiative/index.html b/analyzers/PhishingInitiative/index.html new file mode 100644 index 000000000..c040b0c3d --- /dev/null +++ b/analyzers/PhishingInitiative/index.html @@ -0,0 +1,4892 @@ + + + + + + + + + + + + + + + + + + + + + + + PhishingInitiative - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+ +
+ + + +
+
+ + + + + + + +

PhishingInitiative#

+
+

README

+

Phishing-Initiative#

+

Phishing-Initiative ables any Internet user to help fight against phishing attacks. When reporting us the address of a suspected phishing website, we’ll analyze it and have it blocked in the participating Web browsers.

+

The analyzer comes in two flavours: lookup and scan. The first search in the database and can be used with basic API access while the second one requires higher profile role.

+

Requirements#

+

You need a valid Phishing-Initiative API integration subscription to use the analyzer.

+
    +
  • Provide your API key as values for the key parameter.
  • +
+
+

PhishingInitiative_Lookup#

+

+ +

+ +
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://phishing-initiative.fr/

+
+

Description#

+

Use Phishing Initiative to check if a URL is a verified phishing site.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

PhishingInitiative_Scan#

+

+ +

+ +
+

Author: Remi Pointel
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://phishing-initiative.fr/

+
+

Description#

+

Use Phishing Initiative to scan a URL.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/ProofPoint/index.html b/analyzers/ProofPoint/index.html new file mode 100644 index 000000000..1ef822bcc --- /dev/null +++ b/analyzers/ProofPoint/index.html @@ -0,0 +1,4778 @@ + + + + + + + + + + + + + + + + + + + + + + + ProofPoint - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

ProofPoint#

+

ProofPoint_Lookup#

+
+

Author: Emmanuel Torquato
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - file
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check URL, file, SHA256 against ProofPoint forensics

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlURL of the Proofpoint API, the default should be okay.
Default value if not configuredhttps://tap-api-v2.proofpoint.com
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
apikeyAPI key to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
secretSecret to the API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verifysslVerify server's SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Pulsedive/index.html b/analyzers/Pulsedive/index.html new file mode 100644 index 000000000..933696c98 --- /dev/null +++ b/analyzers/Pulsedive/index.html @@ -0,0 +1,4701 @@ + + + + + + + + + + + + + + + + + + + + + + + Pulsedive - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Pulsedive#

+

Pulsedive_GetIndicator#

+
+

Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - ip
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search Pulsedive.com for a giver domain name, hash, ip or url

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/QrDecode/index.html b/analyzers/QrDecode/index.html new file mode 100644 index 000000000..e02a46ebf --- /dev/null +++ b/analyzers/QrDecode/index.html @@ -0,0 +1,4609 @@ + + + + + + + + + + + + + + + + + + + + + + + QrDecode - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

QrDecode#

+
+

README

+

QrDecode#

+

Overview#

+

QrDecode is a QR code analyzer used to extracts and categorizes data from QR codes embedded in various file formats. It supports images in JPEG, PNG, GIF formats, and PDF documents.

+

Features#

+
    +
  • Multi-format support: Handles JPEG, PNG, GIF, and PDF files.
  • +
  • Data extraction: Decodes QR codes and identifies data types such as URLs, email addresses, IP addresses, and cryptocurrency addresses.
  • +
  • Categorization: Categorizes extracted data into predefined types and categories.
  • +
  • Report Templates: Report templates available for readability.
  • +
  • Error handling: Detects and reports errors in QR code reading and file format issues.
  • +
+

Requirements#

+

The following dependencies are required for QrDecode:

+

System Libraries#

+
sudo apt-get install libzbar0
+sudo apt-get install poppler-utils
+
+

Python Libraries#

+
cortexutils
+pyzbar
+pdf2image
+pillow
+
+

To install the Python libraries, run:

+
pip install -r requirements.txt
+
+

Usage#

+

Once installed and configured, QrDecode analyzes files containing QR codes. The analyzer extracts data from QR codes, categorizes it, and returns the results in a structured format. For PDF files, the analyzer automatically converts each page to an image format for comprehensive analysis. It also efficiently processes multiple QR codes within a single image or PDF.

+

Running the Analyzer#

+

To run the analyzer, submit a file through The Hive or Cortex interface, selecting QrDecode as the analyzer. The analyzer will process the file and return results including:

+
    +
  • Decoded data from QR codes
  • +
  • Data types and categories
  • +
+

Results Details#

+

When the analyze is finished, the report can display: +* A Summary: with qualitative information about the detection

+

+
    +
  • Stats: with information like : File Name, File Extension, Total number of QR Codes
  • +
+

+

Extracted Observables#

+

Moreover, these domains, IP addresses, URLs, bitcoin addresses, email addresses are added to the extracted Observables, ready to be imported and actioned in TheHive.

+

+

Error Handling#

+

The analyzer includes a set of predefined errors to handle cases such as unsupported file formats, failed PDF conversion, and QR code reading issues. These errors are reported back in the analysis results.

+

License#

+

QrDecode is licensed under the AGPL-V3 license.

+

Version#

+

1.0

+

Author#

+
    +
  • THA-CERT
  • +
+
+

QrDecode#

+
+

Author: THA-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Extracts data from one or more QR codes.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/RecordedFuture/index.html b/analyzers/RecordedFuture/index.html new file mode 100644 index 000000000..b84033daa --- /dev/null +++ b/analyzers/RecordedFuture/index.html @@ -0,0 +1,4735 @@ + + + + + + + + + + + + + + + + + + + + + + + RecordedFuture - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

RecordedFuture#

+
+

README

+

This analyzer will return Recorded Future Intelligence for the following datatypes: +* ip +* domain +* fqdn +* hash +* url

+

Enriched observables can display: +* Risk Summary: Risk Score, Criticality, and link to the Intelligence Card +* Recorded Future AI Insights

+

+
    +
  • Risk Rules and Evidence Details
  • +
+

+
    +
  • Technical & Insikt Group Research Links
  • +
+

+
    +
  • Related Threat Actors
  • +
  • Related Attack Vectors
  • +
  • Malware Family / Category
  • +
  • Related IPs
  • +
  • Related Domains
  • +
  • Related Hashes
  • +
+
+

RecordedFuture#

+

+ +

+ +
+

Author: Recorded Future
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - hash
+ - url
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://www.recordedfuture.com/

+
+

Description#

+

Enrich IP, Domain, FQDN, URL, or Hash with Recorded Future context: Risk Score, Risk Details, AI Insights, Links, Threat Actor, Attack Vector, Malware Category / Family, and Related Entities (IPs, Domains, and Hashes)

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI Token
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/RiskIQ/index.html b/analyzers/RiskIQ/index.html new file mode 100644 index 000000000..5a26c2d8f --- /dev/null +++ b/analyzers/RiskIQ/index.html @@ -0,0 +1,7464 @@ + + + + + + + + + + + + + + + + + + + + + + + RiskIQ - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

RiskIQ#

+

RiskIQ_Projects#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: Illuminate / PassiveTotal projects that contain an artifact which matches an IOC.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Malware#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: malware hashes from various sources associated with an IOC.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Reputation#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ Illuminate Reputation Score for an indicator.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Services#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: services observed on an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Whois#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ Whois lookup for an indicator.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Components#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: web components observed during crawls on a hostname.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Articles#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: OSINT articles that reference an indicator.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Resolutions#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: PDNS resolutions for an IOC.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Summary#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ Illuminate and PassiveTotal datasets with records for an indicator.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_HostpairChildren#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: hosts with a child web component relationship to an IOC.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Subdomains#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - fqdn
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: subdomains observed historically in pDNS records.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_HostpairParents#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: hosts with a parent web component relationship to an IOC.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Trackers#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: trackers observed during a crawl on a host.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Cookies#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: cookies observed during crawls on a hostname.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Certificates#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: SSL/TLS certificates associated with an indicator.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

RiskIQ_Artifacts#

+
+

Author: RiskIQ
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

RiskIQ: Illuminate / PassiveTotal project artifacts that match an indicator.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameAPI username of the RiskIQ Illuminate or PassiveTotal account (usually an email address)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key of the RiskIQ Illuminate or PassiveTotal account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
days_backNumber of days back to search for date-bounded historical queries
Default value if not configured180
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Robtex/index.html b/analyzers/Robtex/index.html new file mode 100644 index 000000000..4cbda7f30 --- /dev/null +++ b/analyzers/Robtex/index.html @@ -0,0 +1,4878 @@ + + + + + + + + + + + + + + + + + + + + + + + Robtex - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

Robtex#

+

Robtex_IP_Query#

+
+

Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check IPs using the Robtex IP API.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+

Robtex_Forward_PDNS_Query#

+
+

Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check domains and FQDNs using the Robtex passive DNS API.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+

Robtex_Reverse_PDNS_Query#

+
+

Author: Nils Kuhnert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check IPs using the Robtex reverse passive DNS API.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SEKOIAIntelligenceCenter/index.html b/analyzers/SEKOIAIntelligenceCenter/index.html new file mode 100644 index 000000000..28b5c771c --- /dev/null +++ b/analyzers/SEKOIAIntelligenceCenter/index.html @@ -0,0 +1,5089 @@ + + + + + + + + + + + + + + + + + + + + + + + SEKOIAIntelligenceCenter - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

SEKOIAIntelligenceCenter#

+
+

README

+

Get more context around domain names, IP adresses, urls and file hashes using the + SEKOIA.IO Intelligence Database.

+

The analyzer comes in 3 flavors:

+
    +
  • SEKOIAIntelligenceCenter_Indicators: Find indicators matching the observable provided.
  • +
  • SEKOIAIntelligenceCenter_Context: Get indicators and their context for the observable provided.
  • +
  • SEKOIAIntelligenceCenter_Observables: Query the Intelligence Center to retrieve known observables.
  • +
+

Requirements#

+

You need an active SEKOIA.IO Intelligence Center subscription to use the analyzer:

+
    +
  • Provide your API key as a value for the api_key parameter.
  • +
+

To get any help don't hesitate to contact support@sekoia.io.

+
+

SEKOIAIntelligenceCenter_Observables#

+

+ +

+ +
+

Author: SEKOIA
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://sekoia.io/

+
+

Description#

+

Query the Intelligence Center to retrieve known observables

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlBase URL (default to https://app.sekoia.io)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

SEKOIAIntelligenceCenter_Context long report sample

+

SEKOIAIntelligenceCenter_Indicators#

+

+ +

+ +
+

Author: SEKOIA
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://sekoia.io/

+
+

Description#

+

Query the Intelligence Center to retrieve indicators

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlBase URL (default to https://app.sekoia.io)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

SEKOIAIntelligenceCenter_Indicators long report sample

+

SEKOIAIntelligenceCenter_Context#

+

+ +

+ +
+

Author: SEKOIA
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://sekoia.io/

+
+

Description#

+

Query the Intelligence Center to retrieve the context of an observable

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlBase URL (default to https://app.sekoia.io)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

SEKOIAIntelligenceCenter_Context long report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SecurityTrails/index.html b/analyzers/SecurityTrails/index.html new file mode 100644 index 000000000..e5316b0d2 --- /dev/null +++ b/analyzers/SecurityTrails/index.html @@ -0,0 +1,4825 @@ + + + + + + + + + + + + + + + + + + + + + + + SecurityTrails - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+ +
+
+ + + +
+
+ + + + + + + +

SecurityTrails#

+

SecurityTrails_Whois#

+
+

Author: Manabu Niseki, @ninoseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

SecurityTrails Whois Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

SecurityTrails_Passive_DNS#

+
+

Author: Manabu Niseki, @ninoseki
+License: MIT
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

SecurityTrails Passive DNS Lookup.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyDefine the API key to use to connect the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SentinelOne/index.html b/analyzers/SentinelOne/index.html new file mode 100644 index 000000000..27598fe67 --- /dev/null +++ b/analyzers/SentinelOne/index.html @@ -0,0 +1,4778 @@ + + + + + + + + + + + + + + + + + + + + + + + SentinelOne - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

SentinelOne#

+

SentinelOne_DeepVisibility_DNSQuery#

+
+

Author: Joe Vasquez
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query Sentinel One Deep Visibility API v2.1 for hosts that have requested DNS lookups for a domain/URL/FQDN.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
s1_console_urlConsole URL
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
s1_api_keyAPI Key, don't forget this will expire!
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
s1_account_idAccount ID
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
hours_agoNumber of hours ago for the fromDate of the query. ToDate will be now. Default is 12.
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Shodan/index.html b/analyzers/Shodan/index.html new file mode 100644 index 000000000..a43b483c0 --- /dev/null +++ b/analyzers/Shodan/index.html @@ -0,0 +1,5335 @@ + + + + + + + + + + + + + + + + + + + + + + + Shodan - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

Shodan#

+

Shodan_DNSResolve#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve domain resolutions on Shodan.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Shodan_Host#

+
+

Author: Sebastien Larinier @Sebdraven
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve key Shodan information on an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ +
+

Author: Sebastien Larinier @Sebdraven
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - other
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search query on Shodan

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Shodan_Host_History#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve Shodan history scan results for an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Shodan_InfoDomain#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve key Shodan information on a domain.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+

Shodan_ReverseDNS#

+
+

Author: ANSSI
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Retrieve ip reverse DNS resolutions on Shodan.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SinkDB/index.html b/analyzers/SinkDB/index.html new file mode 100644 index 000000000..cd66a56f7 --- /dev/null +++ b/analyzers/SinkDB/index.html @@ -0,0 +1,4701 @@ + + + + + + + + + + + + + + + + + + + + + + + SinkDB - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

SinkDB#

+

SinkDB#

+
+

Author: Mark Kikta, RedLegg Cybersecurity Solutions
+License: AGPL-V3
+Version: 1.1
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check if ip is sinkholed via the new sinkdb.abuse.ch HTTPS API. Original analyzer can be found at https://github.com/BSI-CERT-Bund/sinkdb-analyzer

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the HTTPS API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SoltraEdge/index.html b/analyzers/SoltraEdge/index.html new file mode 100644 index 000000000..46d4f242f --- /dev/null +++ b/analyzers/SoltraEdge/index.html @@ -0,0 +1,4789 @@ + + + + + + + + + + + + + + + + + + + + + + + SoltraEdge - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

SoltraEdge#

+

SoltraEdge#

+
+

Author: Michael Stensrud, Nordic Financial CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - ip
+ - url
+ - fqdn
+ - uri_path
+ - user-agent
+ - hash
+ - mail
+ - mail_subject
+ - registry
+ - regexp
+ - other
+ - filename
+ - mail-subject
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query against Soltra Edge.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
tokenDefine the Token Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameDefine the Username
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
base_urlBase API URL for Soltra Edge Server. (Example: https://test.soltra.com/api/stix)
Default value if not configuredhttps://feed.yourdomain./api/stix
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verify_sslVerify server certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SophosIntelix/index.html b/analyzers/SophosIntelix/index.html new file mode 100644 index 000000000..70853d09c --- /dev/null +++ b/analyzers/SophosIntelix/index.html @@ -0,0 +1,5111 @@ + + + + + + + + + + + + + + + + + + + + + + + SophosIntelix - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

SophosIntelix#

+

SophosIntelix_Submit_Dynamic#

+
+

Author: SOL
+License: AGPL-V3
+Version: 0.1
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Detonate your suspicious file in SophosLabs Sandbox and find what behaviours the file has. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
clientIDClient ID for Sophos Labs Intelix
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
clientSecretClient Secret for Sophos Labs Intelix
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

SophosIntelix_Submit_Static#

+
+

Author: SOL
+License: AGPL-V3
+Version: 0.1
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use SophosLabs machine learning to understand the characteristics of your suspicious file allowing you to see if the file is similar to known malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
clientIDClient ID for Sophos Labs Intelix
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
clientSecretClient Secret for Sophos Labs Intelix
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

SophosIntelix_GetReport#

+
+

Author: SOL
+License: AGPL-V3
+Version: 0.3
+Supported observables types:
+ - hash
+ - domain
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Fast and easy way to find out if the file is known Good, PUA (Potentially Unwanted Application), or, Malware. For more information or to sign up for SophosLabs Intelix (with a free tier) see https://www.sophos.com/en-us/labs/intelix.aspx

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
clientIDClient ID for Sophos Labs Intelix
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
clientSecretClient Secret for Sophos Labs Intelix
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SpamAssassin/index.html b/analyzers/SpamAssassin/index.html new file mode 100644 index 000000000..b4b458868 --- /dev/null +++ b/analyzers/SpamAssassin/index.html @@ -0,0 +1,4781 @@ + + + + + + + + + + + + + + + + + + + + + + + SpamAssassin - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

SpamAssassin#

+

SpamAssassin#

+

+ +

+ +
+

Author: Davide Arcuri - LDO-CERT
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://spamassassin.apache.org/

+
+

Description#

+

Get spam score from local SpamAssassin instance

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlSpamAssassin url
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSpamAssassin port
Default value if not configured783
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
spam_scoreMinimum score to consider mail as spam
Default value if not configured5
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
timeoutTimout for socket operations in seconds
Default value if not configured20
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

SpamAssassin long report sample

+

SpamAssassin mini report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/SpamhausDBL/index.html b/analyzers/SpamhausDBL/index.html new file mode 100644 index 000000000..71f475691 --- /dev/null +++ b/analyzers/SpamhausDBL/index.html @@ -0,0 +1,4674 @@ + + + + + + + + + + + + + + + + + + + + + + + SpamhausDBL - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

SpamhausDBL#

+

SpamhausDBL#

+
+

Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Perform domain lookup to Spamhaus DBL

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Splunk/index.html b/analyzers/Splunk/index.html new file mode 100644 index 000000000..c75c67328 --- /dev/null +++ b/analyzers/Splunk/index.html @@ -0,0 +1,9011 @@ + + + + + + + + + + + + + + + + + + + + + + + Splunk - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Splunk#

+
+

README

+

This analyzer allows you to execute a list of searches in Splunk by passing the element you are looking for as a parameter

+

This analyzer comes in 10 flavors:

+
    +
  • Splunk_Search_Domain_FQDN: Dispatch a list of saved searches on a given domain/fqdn
  • +
  • Splunk_Search_File_Filename: Dispatch a list of saved searches on a given file/filename
  • +
  • Splunk_Search_Hash: Dispatch a list of saved searches on a given hash
  • +
  • Splunk_Search_IP: Dispatch a list of saved searches on a given IP (IPv4 only)
  • +
  • Splunk_Search_Mail_Email: Dispatch a list of saved searches on a given mail/email
  • +
  • Splunk_Search_Mail_Subject: Dispatch a list of saved searches on a given mail_subject
  • +
  • Splunk_Search_Other: Dispatch a list of saved searches on a given data (any type)
  • +
  • Splunk_Search_Registry: Dispatch a list of saved searches on a given registry
  • +
  • Splunk_Search_URL_URI_Path: Dispatch a list of saved searches on a given url/uri_path
  • +
  • Splunk_Search_User_Agent: Dispatch a list of saved searches on a given user_agent
  • +
  • Splunk_Search_User: Dispatch a list of saved searches on a given user id (variable name is 'other'
  • +
+

Requirements#

+

You need to have access to a Splunk instance with a dedicated account. For any saved search you want to use, you have to group them in the same Application and with the same owner. +When you configure an analyzer, it will ask you these information:

+
    +
  • host: This is the domain name or the IP of your Splunk instance.
  • +
  • port: This is the port to reach to access Splunk (API) (Splunk default to 8089).
  • +
  • port_gui: This is the port to reach to access Splunk (HTTP) (Splunk default to 8000).
  • +
  • username (optional): If your Splunk instance has authentication, you need an account to access to it (and to the indexes you want to search). Please avoid to use admin.
  • +
  • password (optional): If your Splunk instance has authentication, this is the password of the previous account. Please avoid to use admin and respect password complexity. No token access is supported.
  • +
  • application: This is the application in which all the saved searches are stored on your Splunk instance.
  • +
  • owner: This is the owner of all the saved searches, it must be the same for all of them. This can be different from the username mentionned above but you will need shared rights.
  • +
  • savedsearches: A list of all saved searches you want to execute. You just have to put the name of the saved searches here. Each saved search will be executed/dispatch in parallel (and so they will become jobs) but the Cortex job will finish once all Splunk jobs are done.
  • +
  • earliest_time: If not empty, this parameter will specify the earliest time to use for all searches. If empty, the earliest time set in the saved search will be used by Splunk
  • +
  • latest_time: If not empty, this parameter will specify the latest time to use for all searches. If empty, the latest time set in the saved search will be used by Splunk
  • +
  • max_count: This parameter is set to 1,000 by default. It's the number of results to recover from the job. A limit is set to avoid any trouble in TheHive/Cortex on the GUI. If value is set to 0, then all available results are returned.
  • +
+

How to recover arguments in Splunk ?#

+

All arguments can be retrieve using "$args.DATATYPE$". As an example is better than a long speech, here it is:

+

Imagine that you have a search with this query:

+
index=myindex_internet sourcetype=mysourcetype url=$args.url$*
+| stats count by user, url, src_ip
+
+

This query will recover the data using $args.url$.

+

So, you can recover your data using :

+
    +
  • $args.type$: This parameter indicates the type of data (if you need so)
  • +
  • $args.domain$: This parameter contains the data for an analysis over a domain
  • +
  • $args.fqdn$: This parameter contains the data for an analysis over a fqdn
  • +
  • $args.file$: This parameter contains the data for an analysis over a file
  • +
  • $args.filename$: This parameter contains the data for an analysis over a filename
  • +
  • $args.hash$: This parameter contains the data for an analysis over a hash
  • +
  • $args.ip$: This parameter contains the data for an analysis over a ip
  • +
  • $args.mail$: This parameter contains the data for an analysis over a mail
  • +
  • $args.email$: This parameter contains the data for an analysis over a email
  • +
  • $args.mail_subject$: This parameter contains the data for an analysis over a email_subject
  • +
  • $args.other$: This parameter contains the data for an analysis over a other
  • +
  • $args.registry$: This parameter contains the data for an analysis over a registry
  • +
  • $args.url$: This parameter contains the data for an analysis over a url
  • +
  • $args.uri_path$: This parameter contains the data for an analysis over a uri_path
  • +
  • $args.user-agent$: This parameter contains the data for an analysis over a user-agent
  • +
+

Taxonomies#

+

They are 5 taxonomies available on this analyzer:

+
    +
  • Splunk:Results: Indicates the total number of results found by all the saved searches
  • +
  • Splunk:Info (optional): Indicates the total number of results which have a field "level" set to "info"
  • +
  • Splunk:Safe (optional): Indicates the total number of results which have a field "level" set to "safe"
  • +
  • Splunk:Suspicious (optional): Indicates the total number of results which have a field "level" set to "suspicious"
  • +
  • Splunk:Malicious (optional): Indicates the total number of results which have a field "level" set to "malicious"
  • +
+

As mentionned above, your saved searches can return a field named "level" which will be interpreted by Cortex/TheHive as a taxonomy and will create reports accordingly to the value (info,safe,suspicious or malicious)

+
+

Splunk_Search_IP#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - ip
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with an IP as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_IP long report sample

+

Splunk_Search_IP short report sample

+

Splunk_Search_Mail_Subject#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - mail_subject
+ - mail-subject
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a mail subject as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_Mail_Subject long report sample

+

Splunk_Search_Mail_Subject short report sample

+

Splunk_Search_Domain_FQDN#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a domain or a FQDN as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_Domain_FQDN long report sample

+

Splunk_Search_Domain_FQDN short report sample

+

Splunk_Search_Hash#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a hash as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_Hash long report sample

+

Splunk_Search_Hash short report sample

+

Splunk_Search_Mail_Email#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - mail
+ - email
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a mail/email as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_Mail_Email long report sample

+

Splunk_Search_Mail_Email short report sample

+

Splunk_Search_Registry#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - registry
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a registry data as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_Registry long report sample

+

Splunk_Search_Registry short report sample

+

Splunk_Search_Other#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with an unidentified data as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_Other long report sample

+

Splunk_Search_Other short report sample

+

Splunk_Search_URL_URI_Path#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - url
+ - uri_path
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with an URL or a URI path as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_URL_URI_Path long report sample

+

Splunk_Search_URL_URI_Path short report sample

+

Splunk_Search_File_Filename#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - file
+ - filename
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a file/filename as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_File_Filename long report sample

+

Splunk_Search_File_Filename short report sample

+

Splunk_Search_User_Agent#

+

+ +

+ +
+

Author: Unit777, LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - user-agent
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a user agent as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_User_Agent long report sample

+

Splunk_Search_User_Agent short report sample

+

Splunk_Search_User#

+

+ +

+ +
+

Author: LetMeR00t
+License: AGPL-V3
+Version: 3.0
+Supported observables types:
+ - other
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: N/A

+
+

Description#

+

Execute a savedsearch on a Splunk instance with a user ID as argument

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
hostSplunk API host or IP
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
portSplunk API port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
port_guiSplunk GUI port
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameUser account used for searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordUser password of the previous mentionned account
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
applicationSpunk application in which the saved searches are stored
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ownerUsername that corresponds to the owner of the saved searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
saved_searchesName of the saved searches to use
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
earliest_timeIf not empty, this will set the earliest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
latest_timeIf not empty, this will set the latest time of the searches
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_countMaximum number of results to return for a search
Default value if not configured1000
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Splunk_Search_User long report sample

+

Splunk_Search_User short report sample

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/StamusNetworks/index.html b/analyzers/StamusNetworks/index.html new file mode 100644 index 000000000..9e51c3886 --- /dev/null +++ b/analyzers/StamusNetworks/index.html @@ -0,0 +1,4776 @@ + + + + + + + + + + + + + + + + + + + + + + + StamusNetworks - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

StamusNetworks#

+

StamusNetworks_HostID#

+
+

Author: Stamus Networks
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get information from your Scirius Security Platform for an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlBase URL of Scirius Security Platform
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Scirius Security Platform
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ssl_verifyVerify TLS certificate when connection to Scirius Security Platform
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
tenantTenant value for organization in Scirius Security Platform
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/StaxxSearch/index.html b/analyzers/StaxxSearch/index.html new file mode 100644 index 000000000..7851e38ba --- /dev/null +++ b/analyzers/StaxxSearch/index.html @@ -0,0 +1,4833 @@ + + + + + + + + + + + + + + + + + + + + + + + StaxxSearch - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

StaxxSearch#

+

StaxxSearch#

+
+

Author: Robert Nixon
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+ - url
+ - hash
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Fetch observable details from an Anomali STAXX instance.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
auth_urlDefine the URL of the auth endpoint
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
query_urlDefine the URL of the intelligence endpoint
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameSTAXX User Name
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordSTAXX Password
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_checkVerify server certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cert_pathPath to the CA on the system used to check the server certificate
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/StopForumSpam/index.html b/analyzers/StopForumSpam/index.html new file mode 100644 index 000000000..1282ad45d --- /dev/null +++ b/analyzers/StopForumSpam/index.html @@ -0,0 +1,4725 @@ + + + + + + + + + + + + + + + + + + + + + + + StopForumSpam - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

StopForumSpam#

+

StopForumSpam#

+
+

Author: Marc-Andre Doll, STARC by EXAPROBE
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
suspicious_confidence_levelConfidence threshold above which the artifact should be marked as suspicious
Default value if not configured0.0
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
malicious_confidence_levelConfidence threshold above which the artifact should be marked as malicious
Default value if not configured90.0
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/TalosReputation/index.html b/analyzers/TalosReputation/index.html new file mode 100644 index 000000000..f5eff0b22 --- /dev/null +++ b/analyzers/TalosReputation/index.html @@ -0,0 +1,4673 @@ + + + + + + + + + + + + + + + + + + + + + + + TalosReputation - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

TalosReputation#

+

TalosReputation#

+
+

Author: Gabriel Antonio da Silva
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Get the Talos IP reputation

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/TeamCymruMHR/index.html b/analyzers/TeamCymruMHR/index.html new file mode 100644 index 000000000..50654afbe --- /dev/null +++ b/analyzers/TeamCymruMHR/index.html @@ -0,0 +1,4673 @@ + + + + + + + + + + + + + + + + + + + + + + + TeamCymruMHR - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

TeamCymruMHR#

+

TeamCymruMHR#

+
+

Author: Wes Lambert
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Submit hash to Team Cymru's Malware Hash Registry

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/ThreatGrid/index.html b/analyzers/ThreatGrid/index.html new file mode 100644 index 000000000..19cdaf095 --- /dev/null +++ b/analyzers/ThreatGrid/index.html @@ -0,0 +1,4726 @@ + + + + + + + + + + + + + + + + + + + + + + + ThreatGrid - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

ThreatGrid#

+

ThreatGrid#

+
+

Author: Cisco Security
+License: MIT
+Version: 1.0
+Supported observables types:
+ - file
+ - url
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Threat Grid Sandbox

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
tg_hostThreat Grid Host
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyThreat Grid API Key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/ThreatMiner/index.html b/analyzers/ThreatMiner/index.html new file mode 100644 index 000000000..c00672693 --- /dev/null +++ b/analyzers/ThreatMiner/index.html @@ -0,0 +1,4674 @@ + + + + + + + + + + + + + + + + + + + + + + + ThreatMiner - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

ThreatMiner#

+

ThreatMiner#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

WHOIS queries from threatminer.org

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/ThreatResponse/index.html b/analyzers/ThreatResponse/index.html new file mode 100644 index 000000000..0bc6aff97 --- /dev/null +++ b/analyzers/ThreatResponse/index.html @@ -0,0 +1,4781 @@ + + + + + + + + + + + + + + + + + + + + + + + ThreatResponse - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

ThreatResponse#

+

ThreatResponse#

+
+

Author: Cisco Security
+License: MIT
+Version: 1.0
+Supported observables types:
+ - domain
+ - filename
+ - fqdn
+ - hash
+ - ip
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Threat Response

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
regionThreat Response Region (us, eu, or apjc). Will default to 'us' region if left blank
Default value if not configured__
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_idThreat Response Client ID
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
client_passwordThreat Response API Client Password
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
extract_amp_targetsWould you like to extract AMP connector GUIDs as artifacts?
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Threatcrowd/index.html b/analyzers/Threatcrowd/index.html new file mode 100644 index 000000000..920085f2f --- /dev/null +++ b/analyzers/Threatcrowd/index.html @@ -0,0 +1,4676 @@ + + + + + + + + + + + + + + + + + + + + + + + Threatcrowd - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Threatcrowd#

+

Threatcrowd#

+
+

Author: Rémi Allain, Cyberprotect
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+ - ip
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Look up domains, mail and IP addresses on ThreatCrowd.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Thunderstorm/index.html b/analyzers/Thunderstorm/index.html new file mode 100644 index 000000000..2b7a2a818 --- /dev/null +++ b/analyzers/Thunderstorm/index.html @@ -0,0 +1,4927 @@ + + + + + + + + + + + + + + + + + + + + + + + Thunderstorm - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Thunderstorm#

+
+

README

+

Thunderstorm#

+

The Thunderstorm analyzer submits a file sample to a local or public THOR Thunderstorm service and processes the scan result

+

Requirements#

+ +

Scope#

+

THOR Thunderstorm is a web service version of the well-known scanner THOR. THOR focuses on APTs, hacking activity, traces of hacking activity and file anomalies like obfuscation techniques, suspicious PE packers or PE header anomalies.

+

Matches#

+

The reports contain useful meta data and a list of matching rules. Each rule links to a related public report or states that the rules was based on internal research.

+

The reports include a total score and sub scores defined in the matching YARA rules.

+

The score and level indicate the criticality of the finding.

+

Access to Thunderstorm#

+

THOR Thunderstorm is a high-speed, multi-threaded, caching scan service that is licensed and installed on-premise on the Linux system of your choice. Nextron systems offers access to test systems with the FQDN thunderstorm.nextron-systems.com on request.

+
+

THOR_Thunderstorm_ScanSample#

+

+ +

+ +
+

Author: Florian Roth
+License: AGPL-V3
+Version: 0.3.1
+Supported observables types:
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.nextron-systems.com/thor-thunderstorm/

+
+

Description#

+

Submits sample to an on-premise THOR Thunderstorm web service and processes the scan result

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
thunderstorm_serverThunderstorm Server
Default value if not configuredthunderstorm.nextron-systems.com
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
thunderstorm_portThunderstorm Port
Default value if not configured8080
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
thunderstorm_sourceSource System
Default value if not configuredcortex-analyzer
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
thunderstorm_sslUse an SSL encrypted HTTP connection
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
thunderstorm_ssl_verifyVerify the SSL certificate of the remote service
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

THOR Thunderstorm long report sample

+

screenshot

+

THOR Thunderstorm raw JSON

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/TorBlutmagie/index.html b/analyzers/TorBlutmagie/index.html new file mode 100644 index 000000000..411619cfe --- /dev/null +++ b/analyzers/TorBlutmagie/index.html @@ -0,0 +1,4726 @@ + + + + + + + + + + + + + + + + + + + + + + + TorBlutmagie - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

TorBlutmagie#

+

TorBlutmagie#

+
+

Author: Marc-André DOLL, STARC by EXAPROBE
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+ - domain
+ - fqdn
+Registration required: False
+Subscription required: False
+Free subscription: True
+Third party service: https://torstatus.rueckgr.at

+
+

Description#

+

Query https://torstatus.rueckgr.at/query_export.php/Tor_query_EXPORT.csv (formerly TorBlutmagie) for TOR exit nodes IP addresses or names.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
cache.durationDefine the cache duration
Default value if not configured3600
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cache.rootDefine the path to the stored data
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/TorProject/index.html b/analyzers/TorProject/index.html new file mode 100644 index 000000000..a14a11646 --- /dev/null +++ b/analyzers/TorProject/index.html @@ -0,0 +1,4750 @@ + + + + + + + + + + + + + + + + + + + + + + + TorProject - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

TorProject#

+

TorProject#

+
+

Author: Marc-André DOLL, STARC by EXAPROBE
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query https://check.torproject.org/exit-addresses for TOR exit nodes IP addresses.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
ttlDefine the TTL
Default value if not configured86400
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cache.durationDefine the cache duration
Default value if not configured3600
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
cache.rootDefine the path to the stored data
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Triage/index.html b/analyzers/Triage/index.html new file mode 100644 index 000000000..48260663d --- /dev/null +++ b/analyzers/Triage/index.html @@ -0,0 +1,4669 @@ + + + + + + + + + + + + + + + + + + + + + + + Triage - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Triage#

+
+

README

+

Triage Sandbox analyzer#

+

Triage Sandbox is a commercial malware sandbox that let's you run malware in a safe way.

+

You can read more about the underlying solutions at: https://hatching.io/

+

This analyzer requires you to have a commercial license for the Recorded Future sandbox and Private sandbox.

+
+

Triage#

+

+ +

+ +
+

Author: Mikael Keri
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - ip
+ - url
+ - file
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://tria.ge

+
+

Description#

+

Submit artifacts to the Recorded Future Triage sandbox service. This analyzer requires a paid subscription for the Private and Recorded Future sandboxes.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_urlSandbox API URL: public sandbox (https://tria.ge/api), private sandbox (https://private.tria.ge/api), or Recorded Future sandbox (https://sandbox.recordedfuture.com/api)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
timeoutSandbox run timeout in seconds (default: 200)
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
zip_pwZip archive password
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

Triage analyzer cortex setting

+

screenshot

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/URLhaus/index.html b/analyzers/URLhaus/index.html new file mode 100644 index 000000000..d57768a97 --- /dev/null +++ b/analyzers/URLhaus/index.html @@ -0,0 +1,4677 @@ + + + + + + + + + + + + + + + + + + + + + + + URLhaus - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

URLhaus#

+

URLhaus#

+
+

Author: ninoseki, Nils Kuhnert
+License: MIT
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+ - url
+ - hash
+ - ip
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search domains, IPs, URLs or hashes on URLhaus.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Umbrella/index.html b/analyzers/Umbrella/index.html new file mode 100644 index 000000000..20f10ad41 --- /dev/null +++ b/analyzers/Umbrella/index.html @@ -0,0 +1,4777 @@ + + + + + + + + + + + + + + + + + + + + + + + Umbrella - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Umbrella#

+

Umbrella_Report#

+
+

Author: Kyle Parrish
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Query the Umbrella Reporting API for recent DNS queries and their status.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyApi Key provided by Umbrella Admin Console.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_secretApi Secret provided by Umbrella Admin Console.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
organization_idOrganization ID provided by Umbrella Admin Console.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
query_limitMaximum number of results to return.
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/UnshortenLink/index.html b/analyzers/UnshortenLink/index.html new file mode 100644 index 000000000..5baf80357 --- /dev/null +++ b/analyzers/UnshortenLink/index.html @@ -0,0 +1,4673 @@ + + + + + + + + + + + + + + + + + + + + + + + UnshortenLink - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

UnshortenLink#

+ +
+

Author: Remi Pointel, CERT-BDF
+License: AGPL-V3
+Version: 1.2
+Supported observables types:
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use UnshortenLink to reveal the real URL.

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Urlscan.io/index.html b/analyzers/Urlscan.io/index.html new file mode 100644 index 000000000..127d2a1d3 --- /dev/null +++ b/analyzers/Urlscan.io/index.html @@ -0,0 +1,4806 @@ + + + + + + + + + + + + + + + + + + + + + + + Urlscan - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Urlscan.io#

+

Urlscan.io_Scan#

+
+

Author: ninoseki, Kyle Parrish (@arnydo)
+License: MIT
+Version: 0.1.0
+Supported observables types:
+ - url
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Scan URLs on urlscan.io

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Urlscan.io
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ +
+

Author: ninoseki, Kyle Parrish (@arnydo)
+License: MIT
+Version: 0.1.1
+Supported observables types:
+ - ip
+ - domain
+ - hash
+ - fqdn
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Search IPs, domains, hashes or URLs on urlscan.io

+

Configuration#

+

No specific configuration required.

+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/VMRay/index.html b/analyzers/VMRay/index.html new file mode 100644 index 000000000..6e2b93479 --- /dev/null +++ b/analyzers/VMRay/index.html @@ -0,0 +1,5194 @@ + + + + + + + + + + + + + + + + + + + + + + + VMRay - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

VMRay#

+

VMRay#

+
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 4.1
+Supported observables types:
+ - hash
+ - file
+ - url
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

VMRay Sandbox file and URL analysis.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlDefine the URL of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
certverifyVerify certificates
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
certpathPath to certificate file, in case of self-signed etc.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verdict_onlyIf set to true, only the verdict (or the score for VMRay versions < 4.0) will be added as labels.
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
query_retry_waitThe amount of seconds to wait before trying to fetch the results.
Default value if not configured10
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
recursive_sample_limitThe maximum amount of recursive samples which will be analyzed. 0 disables recursion.
Default value if not configured10
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
reanalyzeIf set to true, known samples will be re-analyzed on submission. This is enabled by default.
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
shareableIf set to true, the hash of the sample will be shared with VirusTotal if the TLP level is white or green.
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
archive_passwordThe password that will be used to extract archives.
Default value if not configuredmalware
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
archive_compound_sampleIf set to true, files inside archives are treated as a single, compound sample. Otherwise, each file is treated as its own sample.
Default value if not configuredFalse
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
max_jobsLimits the amount of jobs that can be created by jobrules for a submission.
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
enable_reputationIf set to true, reputation lookups will be performed for submitted samples and analysis artifacts (file hash and URL lookups) by the VMRay cloud reputation service and additional third party services. The user analyzer setting is used as default value for this parameter.
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
enable_whoisIf set to true, domains seen during analyses are queried with external WHOIS service. The user analyzer setting is used as default value for this parameter.
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
analyzer_modeSpecifies which types of analyzers will be used for analyzing this sample. Supported strings are 'reputation', 'reputation_static', 'reputation_static_dynamic', 'static_dynamic', and 'static'. The user analyzer setting is used as default value for this parameter.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
known_maliciousIf set to true, triage will be used to pre-filter known malicious samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter.
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
known_benignIf set to true, triage will be used to pre-filter known benign samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter.
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
tagsTags to attach to the sample.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
timeoutAnalysis timeout in seconds.
Default value if not configuredN/A
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
net_scheme_nameName of the network schema.
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Valhalla/index.html b/analyzers/Valhalla/index.html new file mode 100644 index 000000000..54626afe6 --- /dev/null +++ b/analyzers/Valhalla/index.html @@ -0,0 +1,4812 @@ + + + + + + + + + + + + + + + + + + + + + + + Valhalla - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Valhalla#

+
+

README

+

Valhalla#

+

The Valhalla analyzer queries the Valhalla YARA rule databased and retrieves the matching YARA rules.

+

Requirements#

+ +

Scope#

+

The result contains all matching YARA rules including

+ +

The result does not contain matches with YARA rules

+
    +
  • submitted by 3rd parties into the public rule repository due to legal restrictions
  • +
  • rules that are tagged as confidential and can therefore only be used in Nextron's scanner THOR
  • +
  • rules that require external variables and can therefore only be used in Nextron's scanner THOR
  • +
+

The database contains YARA rule matches on samples submitted to Virustotal and Nextron's internal sample matching, which accounts for less than 1% of the matches within that database. The database does not contain information on samples that have not been transmitted to Virustotal.

+

Matches#

+

The matches in the long report link to rule info pages that contain more information, like other matching samples, a report or public source in which the sample from which that rule was derived has been mentioned.

+

They also include the Antivirus detection rate at the moment of the first submission to Virustotal, which gives a good indication of the overall coverage.

+
+

Valhalla_GetRuleMatches#

+

+ +

+ +
+

Author: Florian Roth
+License: AGPL-V3
+Version: 0.3.1
+Supported observables types:
+ - hash
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://valhalla.nextron-systems.com

+
+

Description#

+

Gets matching YARA rules for a given sample SHA256 hash

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Valhalla
Default value if not configured1111111111111111111111111111111111111111111111111111111111111111
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Valhalla Get Hashes short report sample

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Verifalia/index.html b/analyzers/Verifalia/index.html new file mode 100644 index 000000000..a121782b9 --- /dev/null +++ b/analyzers/Verifalia/index.html @@ -0,0 +1,4724 @@ + + + + + + + + + + + + + + + + + + + + + + + Verifalia - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Verifalia#

+

Verifalia#

+
+

Author: Peter Juhas
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - mail
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Analyze e-mail address via Verifalia

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
loginUsername for Verifalia
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordPassword for Verifalia
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/VirusTotal/index.html b/analyzers/VirusTotal/index.html new file mode 100644 index 000000000..ee64dfcbc --- /dev/null +++ b/analyzers/VirusTotal/index.html @@ -0,0 +1,5437 @@ + + + + + + + + + + + + + + + + + + + + + + + VirusTotal - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

VirusTotal#

+
+

README

+

This analyzer let you run Virustotal services on several datatypes:

+
    +
  • file
  • +
  • hash
  • +
  • domain
  • +
  • fqdn
  • +
  • ip
  • +
  • url
  • +
+

The program uses VirusTotal API v3.

+

Major improvements have been added with VirusTotal_GetReport flavor. Now, with the classical scan results, the report can display:

+
    +
  • A Summary: with qualitative informnation about the detection
  • +
+

+
    +
  • Crowdsourced YARA results with known Yara rules to detect the threat
  • +
+

+
    +
  • Contacted IP addresses, domains and URLs if any
  • +
  • Crowdsourced IDS results with known IDS rules to detect the threat
  • +
  • Sandbox verdict if any
  • +
+

+

Extracted Observables#

+

Moreover, these domains, IP addresses, URLs as well as detection YARA and IDS rules reported are added to the extracted Observables, ready +to be imported and actioned in TheHive.

+

+
+

VirusTotal_Scan#

+

+ +

+ +
+

Author: CERT-BDF, StrangeBee
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - file
+ - url
+Registration required: True
+Subscription required: False
+Free subscription: N/A
+Third party service: https://www.virustotal.com/

+
+

Description#

+

Use VirusTotal to scan a file or URL.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Virustotal
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
highlighted_antivirusAdd taxonomy if selected AV don't recognize observable
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

VirusTotal_Rescan#

+

+ +

+ +
+

Author: CERT-LDO
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://www.virustotal.com/

+
+

Description#

+

Use VirusTotal to run new analysis on hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Virustotal
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
highlighted_antivirusAdd taxonomy if selected AV don't recognize observable
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
download_sampleDownload automatically sample as observable when looking for hash
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
download_sample_if_highlightedDownload automatically sample as observable if highlighted antivirus didn't recognize
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

No template samples to display.

+

VirusTotal_GetReport#

+

+ +

+ +
+

Author: CERT-BDF, StrangeBee
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - file
+ - hash
+ - domain
+ - fqdn
+ - ip
+ - url
+Registration required: True
+Subscription required: False
+Free subscription: N/A
+Third party service: https://www.virustotal.com/

+
+

Description#

+

Get the latest VirusTotal report for a file, hash, domain or an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Virustotal
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
polling_intervalDefine time interval between two requests attempts for the report
Default value if not configured60
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
rescan_hash_older_than_daysRescan hash observable if report is older than selected days
Default value if not configured30
Type of the configuration itemnumber
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
highlighted_antivirusAdd taxonomy if selected AV don't recognize observable
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
download_sampleDownload automatically sample as observable when looking for hash
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
download_sample_if_highlightedDownload automatically sample as observable if highlighted antivirus didn't recognize
Default value if not configuredN/A
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

VirusTotal: long report

+

VirusTotal_DownloadSample#

+

+ +

+ +
+

Author: LDO-CERT
+License: AGPL-V3
+Version: 3.1
+Supported observables types:
+ - hash
+Registration required: True
+Subscription required: True
+Free subscription: N/A
+Third party service: https://www.virustotal.com/

+
+

Description#

+

Use VirusTotal to download the original file for an hash.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI private key for Virustotal
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Virusshare/index.html b/analyzers/Virusshare/index.html new file mode 100644 index 000000000..6e07e026d --- /dev/null +++ b/analyzers/Virusshare/index.html @@ -0,0 +1,4762 @@ + + + + + + + + + + + + + + + + + + + + + + + Virusshare - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Virusshare#

+
+

README

+

VirusShare#

+

VirusShare is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code.

+

The analyzer enables local searching for md5 hashes in Virusshare.com hash list.

+

Requirements#

+
    +
  • Download the VirusShare hashlists. For convenience the getHashes.sh script is provided
  • +
  • In the analyzer parameters configure the path of downloaded hashlists folder.
  • +
+
+

Virusshare#

+

+ +

+ +
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - hash
+ - file
+Registration required: False
+Subscription required: False
+Free subscription: False
+Third party service: https://virusshare.com/

+
+

Description#

+

Search for MD5 hashes in Virusshare.com hash list

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
pathDefine the path to the stored data
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+

Templates samples for TheHive#

+

VirusShare: long report

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Vulners/index.html b/analyzers/Vulners/index.html new file mode 100644 index 000000000..f9555641b --- /dev/null +++ b/analyzers/Vulners/index.html @@ -0,0 +1,5001 @@ + + + + + + + + + + + + + + + + + + + + + + + Vulners - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + + + + + +
+
+ + + + + + + +

Vulners#

+
+

README

+

Vulners-analyzer#

+

This analyzer consists of 2 parts. +1. Vulners_IOC: As a result of collaboration between Vulners and RST Threat Feed, the idea was to send IOC analysis results through theHive analyzer: blog post +2. Vulners_CVE: Vulners have a strong vulnerability database. This data is useful if: +"if the case (incident) is related to the exploitation of a vulnerability, then the analyst (manually / automatically) can add it to observables and quickly get all the basic information on it in order to continue analyzing the case."

+

Vulners API key required.

+

Setting up analyzer#

+
    +
  • copy the folders "Vulners" analyzer & "Vulners" into your Cortex analyzer path
  • +
  • install necessary python modules from the requirements.txt (pip install -r requirements.txt)
  • +
  • restart Cortex to initialize the new Responder "systemctl restart cortex"
  • +
+

Get your Vulners api key: Vulners API

+

Add your Vulners API in Cortex settings: API key in Cortex

+

Add Observable type in TheHive#

+

By default theHive does not have a "cve" type to be observables, so we have to add it to Administrator Settings:

+

add observable

+

Run the Analyzer in TheHive#

+
Network IOCs:#
+

Short template:

+

Short IOC template

+

Long template:

+

Long IOC template

+

Long_IOC_threat_template

+
Vulnerabilities:#
+

Short template:

+

Short CVE template

+

Long template:

+

Long CVE template

+
+

Vulners_CVE#

+

+ +

+ +
+

Author: Dmitry Uchakin, Vulners team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - cve
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://vulners.com

+
+

Description#

+

Get information about CVE from powerful Vulners database.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Vulners
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Long template for CVE

+

Vulners_IOC#

+

+ +

+ +
+

Author: Dmitry Uchakin, Vulners team
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - url
+ - domain
+ - ip
+Registration required: True
+Subscription required: True
+Free subscription: True
+Third party service: https://vulners.com

+
+

Description#

+

Get information from the RST Threat Feed, which integrated with Vulners, for a domain, url or an IP address.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyAPI key for Vulners
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

Vulners API key for analyzer

+

Long template for network IOCs (ip, url, domain)

+

Short template for network IOCs (ip, url, domain)

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/WOT/index.html b/analyzers/WOT/index.html new file mode 100644 index 000000000..73765bcff --- /dev/null +++ b/analyzers/WOT/index.html @@ -0,0 +1,4725 @@ + + + + + + + + + + + + + + + + + + + + + + + WOT - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

WOT#

+

WOT_Lookup#

+
+

Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - domain
+ - fqdn
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Use Web of Trust to check a domain's reputation.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
userDefine the API user
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
keyDefine the API key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Yara/index.html b/analyzers/Yara/index.html new file mode 100644 index 000000000..c40902a06 --- /dev/null +++ b/analyzers/Yara/index.html @@ -0,0 +1,4698 @@ + + + + + + + + + + + + + + + + + + + + + + + Yara - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Yara#

+

Yara#

+
+

Author: Nils Kuhnert, CERT-Bund
+License: AGPL-V3
+Version: 2.0
+Supported observables types:
+ - file
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Check files against YARA rules.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
rulesDefine the path rules folder
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Yeti/index.html b/analyzers/Yeti/index.html new file mode 100644 index 000000000..a5ad444d3 --- /dev/null +++ b/analyzers/Yeti/index.html @@ -0,0 +1,4754 @@ + + + + + + + + + + + + + + + + + + + + + + + Yeti - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Yeti#

+

Yeti#

+
+

Author: CERT-BDF
+License: AGPL-V3
+Version: 1.0
+Supported observables types:
+ - domain
+ - fqdn
+ - ip
+ - url
+ - hash
+Registration required: N/A
+Subscription required: N/A
+Free subscription: N/A
+Third party service: N/A

+
+

Description#

+

Fetch observable details from a YETI instance.

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
urlDefine the URL of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyDefine the api key of the service
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredFalse
+ + + + + + + + + + + + + + + + + + + + + + + + + +
verify_sslVerify SSL certificate
Default value if not configuredTrue
Type of the configuration itemboolean
The configuration item can contain multiple valuesFalse
Is requiredTrue
+

Templates samples for TheHive#

+

No template samples to display.

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/Zscaler/index.html b/analyzers/Zscaler/index.html new file mode 100644 index 000000000..8e3c91913 --- /dev/null +++ b/analyzers/Zscaler/index.html @@ -0,0 +1,4910 @@ + + + + + + + + + + + + + + + + + + + + + + + Zscaler - Cortex Neurons documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + +
+ +
+ + + + + + +
+
+ + + +
+
+
+ + + + + +
+
+
+ + + +
+
+
+ + + +
+
+
+ + + +
+
+ + + + + + + +

Zscaler#

+
+

README

+

Zscaler#

+

General requirements#

+

You will need to have an active Zscaler ZIA subscription to be able to utilize this analyzer.

+

Credit#

+

Full credit should go to Simon Lavigne for creating this analyzer in the first place.

+
+

Zscaler#

+

+ +

+ +
+

Author: Simon Lavigne, Mikael Keri
+License: AGPL-V3
+Version: 1.3
+Supported observables types:
+ - ip
+ - domain
+ - url
+ - fqdn
+Registration required: True
+Subscription required: True
+Free subscription: False
+Third party service: https://www.zscaler.com/

+
+

Description#

+

Check Zscaler category for a domain, fqdn, IP address or FQDN. This analyzer requires a paid subscription to Zscaler ZIA

+

Configuration#

+ + + + + + + + + + + + + + + + + + + + + + + + + +
usernameZscaler username
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
passwordZscaler password
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
api_keyAPI key
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
base_uriThe base URL of your Zscaler subscription
Default value if not configuredN/A
Type of the configuration itemstring
The configuration item can contain multiple valuesFalse
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
malicious_categoriesList of Zscaler categories to be considered as malicious
Default value if not configured['PHISHING', 'MALWARE_SITE', 'BOTNET', 'SPYWARE_OR_ADWARE', 'ADSPYWARE_SITES', 'ADWARE_OR_SPYWARE', 'CRYPTOMINING', 'WEB_SPAM', 'MALICIOUS_TLD']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+ + + + + + + + + + + + + + + + + + + + + + + + + +
suspicious_categoriesList of Zscaler categories to be considered as suspicious
Default value if not configured['SHAREWARE_DOWNLOAD', 'REMOTE_ACCESS', 'MISCELLANEOUS_OR_UNKNOWN', 'NEWLY_REG_DOMAINS', 'OTHER_ILLEGAL_OR_QUESTIONABLE', 'COPYRIGHT_INFRINGEMENT', 'GAMBLING', 'COMPUTER_HACKING', 'ANONYMIZER', 'MISCELLANEOUS_OR_UNKNOWN', 'DNS_OVER_HTTPS', 'ENCR_WEB_CONTENT']
Type of the configuration itemstring
The configuration item can contain multiple valuesTrue
Is requiredTrue
+

Templates samples for TheHive#

+

Zscaler Lookup sample Information full report

+

screenshot

+ + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+ +
+ + + +
+
+
+
+ + + + + + + + + + \ No newline at end of file diff --git a/analyzers/assets/AbuseIPDB_0.png b/analyzers/assets/AbuseIPDB_0.png new file mode 100644 index 000000000..c682a23d8 Binary files /dev/null and b/analyzers/assets/AbuseIPDB_0.png differ diff --git a/analyzers/assets/AbuseIPDB_logo.png b/analyzers/assets/AbuseIPDB_logo.png new file mode 100644 index 000000000..c520af36c Binary files /dev/null and b/analyzers/assets/AbuseIPDB_logo.png differ diff --git a/analyzers/assets/Abuse_Finder_0.png b/analyzers/assets/Abuse_Finder_0.png new file mode 100644 index 000000000..b0e659ee5 Binary files /dev/null and b/analyzers/assets/Abuse_Finder_0.png differ diff --git a/analyzers/assets/AnyRun.png b/analyzers/assets/AnyRun.png new file mode 100644 index 000000000..e4cd7b1fb Binary files /dev/null and b/analyzers/assets/AnyRun.png differ diff --git a/analyzers/assets/AnyRun_Sandbox_Analysis_0.png b/analyzers/assets/AnyRun_Sandbox_Analysis_0.png new file mode 100644 index 000000000..b5e750e62 Binary files /dev/null and b/analyzers/assets/AnyRun_Sandbox_Analysis_0.png differ diff --git a/analyzers/assets/AnyRun_Sandbox_Analysis_1.png b/analyzers/assets/AnyRun_Sandbox_Analysis_1.png new file mode 100644 index 000000000..97c58b2a3 Binary files /dev/null and b/analyzers/assets/AnyRun_Sandbox_Analysis_1.png differ diff --git a/analyzers/assets/CIRCLHashlookup_0.png b/analyzers/assets/CIRCLHashlookup_0.png new file mode 100644 index 000000000..a9eb83358 Binary files /dev/null and b/analyzers/assets/CIRCLHashlookup_0.png differ diff --git a/analyzers/assets/CIRCLHashlookup_1.png b/analyzers/assets/CIRCLHashlookup_1.png new file mode 100644 index 000000000..bf1c299b5 Binary files /dev/null and b/analyzers/assets/CIRCLHashlookup_1.png differ diff --git a/analyzers/assets/CIRCLHashlookup_logo.png b/analyzers/assets/CIRCLHashlookup_logo.png new file mode 100644 index 000000000..516678dea Binary files /dev/null and b/analyzers/assets/CIRCLHashlookup_logo.png differ 
diff --git a/analyzers/assets/CIRCLPassiveDNS_0.png b/analyzers/assets/CIRCLPassiveDNS_0.png
new file mode 100644
index 000000000..ad6762982
Binary files /dev/null and b/analyzers/assets/CIRCLPassiveDNS_0.png differ
diff --git a/analyzers/assets/CIRCLPassiveDNS_1.png b/analyzers/assets/CIRCLPassiveDNS_1.png
new file mode 100644
index 000000000..a37c9a132
Binary files /dev/null and b/analyzers/assets/CIRCLPassiveDNS_1.png differ
diff --git a/analyzers/assets/CIRCLPassiveDNS_logo.png b/analyzers/assets/CIRCLPassiveDNS_logo.png
new file mode 100644
index 000000000..4959a8477
Binary files /dev/null and b/analyzers/assets/CIRCLPassiveDNS_logo.png differ
diff --git a/analyzers/assets/CIRCLPassiveSSL_0.png b/analyzers/assets/CIRCLPassiveSSL_0.png
new file mode 100644
index 000000000..f876cea6b
Binary files /dev/null and b/analyzers/assets/CIRCLPassiveSSL_0.png differ
diff --git a/analyzers/assets/CIRCLPassiveSSL_1.png b/analyzers/assets/CIRCLPassiveSSL_1.png
new file mode 100644
index 000000000..35a055c84
Binary files /dev/null and b/analyzers/assets/CIRCLPassiveSSL_1.png differ
diff --git a/analyzers/assets/CIRCLPassiveSSL_logo.png b/analyzers/assets/CIRCLPassiveSSL_logo.png
new file mode 100644
index 000000000..e92c87d0f
Binary files /dev/null and b/analyzers/assets/CIRCLPassiveSSL_logo.png differ
diff --git a/analyzers/assets/CISMCAP_0.png b/analyzers/assets/CISMCAP_0.png
new file mode 100644
index 000000000..799ae8445
Binary files /dev/null and b/analyzers/assets/CISMCAP_0.png differ
diff --git a/analyzers/assets/CISMCAP_1.png b/analyzers/assets/CISMCAP_1.png
new file mode 100644
index 000000000..f7ea03510
Binary files /dev/null and b/analyzers/assets/CISMCAP_1.png differ
diff --git a/analyzers/assets/CISMCAP_IP.png b/analyzers/assets/CISMCAP_IP.png
new file mode 100644
index 000000000..f7ea03510
Binary files /dev/null and b/analyzers/assets/CISMCAP_IP.png differ
diff --git a/analyzers/assets/CISMCAP_file.png b/analyzers/assets/CISMCAP_file.png
new file mode 100644
index 000000000..799ae8445
Binary files /dev/null and b/analyzers/assets/CISMCAP_file.png differ
diff --git a/analyzers/assets/CISMCAP_logo.png b/analyzers/assets/CISMCAP_logo.png
new file mode 100644
index 000000000..19895fc20
Binary files /dev/null and b/analyzers/assets/CISMCAP_logo.png differ
diff --git a/analyzers/assets/Capa_0.png b/analyzers/assets/Capa_0.png
new file mode 100644
index 000000000..fa4260e0d
Binary files /dev/null and b/analyzers/assets/Capa_0.png differ
diff --git a/analyzers/assets/Capa_logo.png b/analyzers/assets/Capa_logo.png
new file mode 100644
index 000000000..712544794
Binary files /dev/null and b/analyzers/assets/Capa_logo.png differ
diff --git a/analyzers/assets/Censys_0.png b/analyzers/assets/Censys_0.png
new file mode 100644
index 000000000..8ca5a75c8
Binary files /dev/null and b/analyzers/assets/Censys_0.png differ
diff --git a/analyzers/assets/Censys_logo.png b/analyzers/assets/Censys_logo.png
new file mode 100644
index 000000000..ac066a21d
Binary files /dev/null and b/analyzers/assets/Censys_logo.png differ
diff --git a/analyzers/assets/Cortex_settings.PNG b/analyzers/assets/Cortex_settings.PNG
new file mode 100644
index 000000000..454b5876b
Binary files /dev/null and b/analyzers/assets/Cortex_settings.PNG differ
diff --git a/analyzers/assets/Crowdsec_analyzer_0.png b/analyzers/assets/Crowdsec_analyzer_0.png
new file mode 100644
index 000000000..3deed2f1f
Binary files /dev/null and b/analyzers/assets/Crowdsec_analyzer_0.png differ
diff --git a/analyzers/assets/Crowdsec_analyzer_1.png b/analyzers/assets/Crowdsec_analyzer_1.png
new file mode 100644
index 000000000..e09efea53
Binary files /dev/null and b/analyzers/assets/Crowdsec_analyzer_1.png differ
diff --git a/analyzers/assets/Crowdsec_analyzer_logo.png b/analyzers/assets/Crowdsec_analyzer_logo.png
new file mode 100644
index 000000000..b52c55514
Binary files /dev/null and b/analyzers/assets/Crowdsec_analyzer_logo.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_GetDeviceVulnerabilities_0.png b/analyzers/assets/CrowdstrikeFalcon_GetDeviceVulnerabilities_0.png
new file mode 100644
index 000000000..63307dd5e
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_GetDeviceVulnerabilities_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_GetDeviceVulnerabilities_1.png b/analyzers/assets/CrowdstrikeFalcon_GetDeviceVulnerabilities_1.png
new file mode 100644
index 000000000..731bac331
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_GetDeviceVulnerabilities_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Android_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Android_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Android_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Android_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Android_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Android_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Linux_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Linux_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Linux_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Linux_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Linux_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Linux_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_MacOS_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_MacOS_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_MacOS_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_MacOS_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_MacOS_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_MacOS_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win10_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win10_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win10_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win10_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win10_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win10_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win11_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win11_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win11_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win11_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win11_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win11_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_64_0.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_64_0.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_64_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_64_1.png b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_64_1.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_Sandbox_Win7_64_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_getDeviceAlerts_0.png b/analyzers/assets/CrowdstrikeFalcon_getDeviceAlerts_0.png
new file mode 100644
index 000000000..a7647ef86
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_getDeviceAlerts_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_getDeviceAlerts_1.png b/analyzers/assets/CrowdstrikeFalcon_getDeviceAlerts_1.png
new file mode 100644
index 000000000..cbbaf3cde
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_getDeviceAlerts_1.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_getDeviceDetails_0.png b/analyzers/assets/CrowdstrikeFalcon_getDeviceDetails_0.png
new file mode 100644
index 000000000..df8acafd0
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_getDeviceDetails_0.png differ
diff --git a/analyzers/assets/CrowdstrikeFalcon_getDeviceDetails_1.png b/analyzers/assets/CrowdstrikeFalcon_getDeviceDetails_1.png
new file mode 100644
index 000000000..2987eafac
Binary files /dev/null and b/analyzers/assets/CrowdstrikeFalcon_getDeviceDetails_1.png differ
diff --git a/analyzers/assets/Crtsh_0.png b/analyzers/assets/Crtsh_0.png
new file mode 100644
index 000000000..62adb5d1e
Binary files /dev/null and b/analyzers/assets/Crtsh_0.png differ
diff --git a/analyzers/assets/Crtsh_logo.png b/analyzers/assets/Crtsh_logo.png
new file mode 100644
index 000000000..c8ea23c7a
Binary files /dev/null and b/analyzers/assets/Crtsh_logo.png differ
diff --git a/analyzers/assets/CuckooSandbox_File_Analysis_0.png b/analyzers/assets/CuckooSandbox_File_Analysis_0.png
new file mode 100644
index 000000000..ee51f2949
Binary files /dev/null and b/analyzers/assets/CuckooSandbox_File_Analysis_0.png differ
diff --git a/analyzers/assets/CuckooSandbox_File_Analysis_logo.png b/analyzers/assets/CuckooSandbox_File_Analysis_logo.png
new file mode 100644
index 000000000..883922209
Binary files /dev/null and b/analyzers/assets/CuckooSandbox_File_Analysis_logo.png differ
diff --git a/analyzers/assets/CuckooSandbox_Url_Analysis_0.png b/analyzers/assets/CuckooSandbox_Url_Analysis_0.png
new file mode 100644
index 000000000..ee51f2949
Binary files /dev/null and b/analyzers/assets/CuckooSandbox_Url_Analysis_0.png differ
diff --git a/analyzers/assets/CuckooSandbox_Url_Analysis_logo.png b/analyzers/assets/CuckooSandbox_Url_Analysis_logo.png
new file mode 100644
index 000000000..883922209
Binary files /dev/null and b/analyzers/assets/CuckooSandbox_Url_Analysis_logo.png differ
diff --git a/analyzers/assets/CyberChef_FromBase64_0.png b/analyzers/assets/CyberChef_FromBase64_0.png
new file mode 100644
index 000000000..ff6ea1887
Binary files /dev/null and b/analyzers/assets/CyberChef_FromBase64_0.png differ
diff --git a/analyzers/assets/CyberChef_FromBase64_logo.png b/analyzers/assets/CyberChef_FromBase64_logo.png
new file mode 100644
index 000000000..eb1822862
Binary files /dev/null and b/analyzers/assets/CyberChef_FromBase64_logo.png differ
diff --git a/analyzers/assets/CyberChef_FromCharCode_0.png b/analyzers/assets/CyberChef_FromCharCode_0.png
new file mode 100644
index 000000000..ff6ea1887
Binary files /dev/null and b/analyzers/assets/CyberChef_FromCharCode_0.png differ
diff --git a/analyzers/assets/CyberChef_FromCharCode_logo.png b/analyzers/assets/CyberChef_FromCharCode_logo.png
new file mode 100644
index 000000000..eb1822862
Binary files /dev/null and b/analyzers/assets/CyberChef_FromCharCode_logo.png differ
diff --git a/analyzers/assets/CyberChef_FromHex_0.png b/analyzers/assets/CyberChef_FromHex_0.png
new file mode 100644
index 000000000..ff6ea1887
Binary files /dev/null and b/analyzers/assets/CyberChef_FromHex_0.png differ
diff --git a/analyzers/assets/CyberChef_FromHex_logo.png b/analyzers/assets/CyberChef_FromHex_logo.png
new file mode 100644
index 000000000..eb1822862
Binary files /dev/null and b/analyzers/assets/CyberChef_FromHex_logo.png differ
diff --git a/analyzers/assets/CyberCrimeTracker_0.png b/analyzers/assets/CyberCrimeTracker_0.png
new file mode 100644
index 000000000..66c9ca0ec
Binary files /dev/null and b/analyzers/assets/CyberCrimeTracker_0.png differ
diff --git a/analyzers/assets/CyberCrimeTracker_logo.png b/analyzers/assets/CyberCrimeTracker_logo.png
new file mode 100644
index 000000000..467c95262
Binary files /dev/null and b/analyzers/assets/CyberCrimeTracker_logo.png differ
diff --git a/analyzers/assets/Cyberprotect_ThreatScore_0.png b/analyzers/assets/Cyberprotect_ThreatScore_0.png
new file mode 100644
index 000000000..438016336
Binary files /dev/null and b/analyzers/assets/Cyberprotect_ThreatScore_0.png differ
diff --git a/analyzers/assets/Cyberprotect_ThreatScore_logo.jpg b/analyzers/assets/Cyberprotect_ThreatScore_logo.jpg
new file mode 100644
index 000000000..3d8f0b3ec
Binary files /dev/null and b/analyzers/assets/Cyberprotect_ThreatScore_logo.jpg differ
diff --git a/analyzers/assets/Cylance_0.png b/analyzers/assets/Cylance_0.png
new file mode 100644
index 000000000..b2113ea1a
Binary files /dev/null and b/analyzers/assets/Cylance_0.png differ
diff --git a/analyzers/assets/Cylance_1.png b/analyzers/assets/Cylance_1.png
new file mode 100644
index 000000000..e4dabbfad
Binary files /dev/null and b/analyzers/assets/Cylance_1.png differ
diff --git a/analyzers/assets/Cylance_2.png b/analyzers/assets/Cylance_2.png
new file mode 100644
index 000000000..768c20f61
Binary files /dev/null and b/analyzers/assets/Cylance_2.png differ
diff --git a/analyzers/assets/Cylance_logo.png b/analyzers/assets/Cylance_logo.png
new file mode 100644
index 000000000..0205eae04
Binary files /dev/null and b/analyzers/assets/Cylance_logo.png differ
diff --git a/analyzers/assets/DNSLookingglass_0.png b/analyzers/assets/DNSLookingglass_0.png
new file mode 100644
index 000000000..f4aa8c9d4
Binary files /dev/null and b/analyzers/assets/DNSLookingglass_0.png differ
diff --git a/analyzers/assets/DNSLookingglass_1.png b/analyzers/assets/DNSLookingglass_1.png
new file mode 100644
index 000000000..4531d0208
Binary files /dev/null and b/analyzers/assets/DNSLookingglass_1.png differ
diff --git a/analyzers/assets/DNSLookingglass_logo.png b/analyzers/assets/DNSLookingglass_logo.png
new file mode 100644
index 000000000..4724f6afe
Binary files /dev/null and b/analyzers/assets/DNSLookingglass_logo.png differ
diff --git a/analyzers/assets/DNS_Lookingglass_artifacts.png b/analyzers/assets/DNS_Lookingglass_artifacts.png
new file mode 100644
index 000000000..4531d0208
Binary files /dev/null and b/analyzers/assets/DNS_Lookingglass_artifacts.png differ
diff --git a/analyzers/assets/DNS_Lookingglass_long.png b/analyzers/assets/DNS_Lookingglass_long.png
new file mode 100644
index 000000000..f4aa8c9d4
Binary files /dev/null and b/analyzers/assets/DNS_Lookingglass_long.png differ
diff --git a/analyzers/assets/DShield_lookup_0.png b/analyzers/assets/DShield_lookup_0.png
new file mode 100644
index 000000000..75aed93b1
Binary files /dev/null and b/analyzers/assets/DShield_lookup_0.png differ
diff --git a/analyzers/assets/DShield_lookup_logo.png b/analyzers/assets/DShield_lookup_logo.png
new file mode 100644
index 000000000..4724f6afe
Binary files /dev/null and b/analyzers/assets/DShield_lookup_logo.png differ
diff --git a/analyzers/assets/Diario_GetReport_0.png b/analyzers/assets/Diario_GetReport_0.png
new file mode 100644
index 000000000..eea8f9c71
Binary files /dev/null and b/analyzers/assets/Diario_GetReport_0.png differ
diff --git a/analyzers/assets/Diario_GetReport_1.png b/analyzers/assets/Diario_GetReport_1.png
new file mode 100644
index 000000000..40f70b6ff
Binary files /dev/null and b/analyzers/assets/Diario_GetReport_1.png differ
diff --git a/analyzers/assets/Diario_GetReport_logo.png b/analyzers/assets/Diario_GetReport_logo.png
new file mode 100644
index 000000000..c8687fc0e
Binary files /dev/null and b/analyzers/assets/Diario_GetReport_logo.png differ
diff --git a/analyzers/assets/Diario_Scan_0.png b/analyzers/assets/Diario_Scan_0.png
new file mode 100644
index 000000000..d347d9cd8
Binary files /dev/null and b/analyzers/assets/Diario_Scan_0.png differ
diff --git a/analyzers/assets/Diario_Scan_1.png b/analyzers/assets/Diario_Scan_1.png
new file mode 100644
index 000000000..18c2ff674
Binary files /dev/null and b/analyzers/assets/Diario_Scan_1.png differ
diff --git a/analyzers/assets/Diario_Scan_logo.png b/analyzers/assets/Diario_Scan_logo.png
new file mode 100644
index 000000000..c8687fc0e
Binary files /dev/null and b/analyzers/assets/Diario_Scan_logo.png differ
diff --git a/analyzers/assets/DomainMailSPFDMARC_long.png b/analyzers/assets/DomainMailSPFDMARC_long.png
new file mode 100644
index 000000000..395b5f2c0
Binary files /dev/null and b/analyzers/assets/DomainMailSPFDMARC_long.png differ
diff --git a/analyzers/assets/DomainMailSPFDMARC_short.png b/analyzers/assets/DomainMailSPFDMARC_short.png
new file mode 100644
index 000000000..2b89fb9c0
Binary files /dev/null and b/analyzers/assets/DomainMailSPFDMARC_short.png differ
diff --git a/analyzers/assets/DomainToolsIris_Investigate_0.png b/analyzers/assets/DomainToolsIris_Investigate_0.png
new file mode 100644
index 000000000..42dd809d9
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Investigate_0.png differ
diff --git a/analyzers/assets/DomainToolsIris_Investigate_1.png b/analyzers/assets/DomainToolsIris_Investigate_1.png
new file mode 100644
index 000000000..728e00d22
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Investigate_1.png differ
diff --git a/analyzers/assets/DomainToolsIris_Investigate_logo.png b/analyzers/assets/DomainToolsIris_Investigate_logo.png
new file mode 100644
index 000000000..57cdec868
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Investigate_logo.png differ
diff --git a/analyzers/assets/DomainToolsIris_Investigate_long.png b/analyzers/assets/DomainToolsIris_Investigate_long.png
new file mode 100644
index 000000000..42dd809d9
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Investigate_long.png differ
diff --git a/analyzers/assets/DomainToolsIris_Investigate_short.png b/analyzers/assets/DomainToolsIris_Investigate_short.png
new file mode 100644
index 000000000..728e00d22
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Investigate_short.png differ
diff --git a/analyzers/assets/DomainToolsIris_Pivot_0.png b/analyzers/assets/DomainToolsIris_Pivot_0.png
new file mode 100644
index 000000000..68151a5b8
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Pivot_0.png differ
diff --git a/analyzers/assets/DomainToolsIris_Pivot_1.png b/analyzers/assets/DomainToolsIris_Pivot_1.png
new file mode 100644
index 000000000..5bc349cb9
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Pivot_1.png differ
diff --git a/analyzers/assets/DomainToolsIris_Pivot_logo.png b/analyzers/assets/DomainToolsIris_Pivot_logo.png
new file mode 100644
index 000000000..57cdec868
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Pivot_logo.png differ
diff --git a/analyzers/assets/DomainToolsIris_Pivot_long.png b/analyzers/assets/DomainToolsIris_Pivot_long.png
new file mode 100644
index 000000000..68151a5b8
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Pivot_long.png differ
diff --git a/analyzers/assets/DomainToolsIris_Pivot_short.png b/analyzers/assets/DomainToolsIris_Pivot_short.png
new file mode 100644
index 000000000..5bc349cb9
Binary files /dev/null and b/analyzers/assets/DomainToolsIris_Pivot_short.png differ
diff --git a/analyzers/assets/EchoTrail_0.png b/analyzers/assets/EchoTrail_0.png
new file mode 100644
index 000000000..76ba68144
Binary files /dev/null and b/analyzers/assets/EchoTrail_0.png differ
diff --git a/analyzers/assets/EchoTrail_logo.png b/analyzers/assets/EchoTrail_logo.png
new file mode 100644
index 000000000..d60260d62
Binary files /dev/null and b/analyzers/assets/EchoTrail_logo.png differ
diff --git a/analyzers/assets/EclecticIQ_SearchObservable_logo.png b/analyzers/assets/EclecticIQ_SearchObservable_logo.png
new file mode 100644
index 000000000..d9d4b5ebb
Binary files /dev/null and b/analyzers/assets/EclecticIQ_SearchObservable_logo.png differ
diff --git a/analyzers/assets/EmailRep_0.png b/analyzers/assets/EmailRep_0.png
new file mode 100644
index 000000000..e15f18393
Binary files /dev/null and b/analyzers/assets/EmailRep_0.png differ
diff --git a/analyzers/assets/EmailRep_logo.png b/analyzers/assets/EmailRep_logo.png
new file mode 100644
index 000000000..22be2dcaf
Binary files /dev/null and b/analyzers/assets/EmailRep_logo.png differ
diff --git a/analyzers/assets/EmergingThreats_DomainInfo_0.png b/analyzers/assets/EmergingThreats_DomainInfo_0.png
new file mode 100644
index 000000000..ab73e6853
Binary files /dev/null and b/analyzers/assets/EmergingThreats_DomainInfo_0.png differ
diff --git a/analyzers/assets/EmergingThreats_DomainInfo_logo.png b/analyzers/assets/EmergingThreats_DomainInfo_logo.png
new file mode 100644
index 000000000..9b2e10c03
Binary files /dev/null and b/analyzers/assets/EmergingThreats_DomainInfo_logo.png differ
diff --git a/analyzers/assets/EmergingThreats_IPInfo_0.png b/analyzers/assets/EmergingThreats_IPInfo_0.png
new file mode 100644
index 000000000..05875359e
Binary files /dev/null and b/analyzers/assets/EmergingThreats_IPInfo_0.png differ
diff --git a/analyzers/assets/EmergingThreats_IPInfo_logo.png b/analyzers/assets/EmergingThreats_IPInfo_logo.png
new file mode 100644
index 000000000..9b2e10c03
Binary files /dev/null and b/analyzers/assets/EmergingThreats_IPInfo_logo.png differ
diff --git a/analyzers/assets/EmergingThreats_MalwareInfo_0.png b/analyzers/assets/EmergingThreats_MalwareInfo_0.png
new file mode 100644
index 000000000..a1d8f7648
Binary files /dev/null and b/analyzers/assets/EmergingThreats_MalwareInfo_0.png differ
diff --git a/analyzers/assets/EmergingThreats_MalwareInfo_logo.png b/analyzers/assets/EmergingThreats_MalwareInfo_logo.png
new file mode 100644
index 000000000..9b2e10c03
Binary files /dev/null and b/analyzers/assets/EmergingThreats_MalwareInfo_logo.png differ
diff --git a/analyzers/assets/EmlParser_0.png b/analyzers/assets/EmlParser_0.png
new file mode 100644
index 000000000..c57557ff3
Binary files /dev/null and b/analyzers/assets/EmlParser_0.png differ
diff --git a/analyzers/assets/EmlParser_1.png b/analyzers/assets/EmlParser_1.png
new file mode 100644
index 000000000..02efcb6ed
Binary files /dev/null and b/analyzers/assets/EmlParser_1.png differ
diff --git a/analyzers/assets/EmlParser_logo.jpg b/analyzers/assets/EmlParser_logo.jpg
new file mode 100644
index 000000000..20d1c74d0
Binary files /dev/null and b/analyzers/assets/EmlParser_logo.jpg differ
diff --git a/analyzers/assets/FireEyeiSight_0.png b/analyzers/assets/FireEyeiSight_0.png
new file mode 100644
index 000000000..e5ab93dc4
Binary files /dev/null and b/analyzers/assets/FireEyeiSight_0.png differ
diff --git a/analyzers/assets/FireEyeiSight_logo.png b/analyzers/assets/FireEyeiSight_logo.png
new file mode 100644
index 000000000..768675421
Binary files /dev/null and b/analyzers/assets/FireEyeiSight_logo.png differ
diff --git a/analyzers/assets/FireHOLBlocklists_0.png b/analyzers/assets/FireHOLBlocklists_0.png
new file mode 100644
index 000000000..d226d5e53
Binary files /dev/null and b/analyzers/assets/FireHOLBlocklists_0.png differ
diff --git a/analyzers/assets/FireHOLBlocklists_logo.png b/analyzers/assets/FireHOLBlocklists_logo.png
new file mode 100644
index 000000000..5dd564b75
Binary files /dev/null and b/analyzers/assets/FireHOLBlocklists_logo.png differ
diff --git a/analyzers/assets/ForcepointWebsensePing_long.PNG b/analyzers/assets/ForcepointWebsensePing_long.PNG
new file mode 100644
index 000000000..38b1f083b
Binary files /dev/null and b/analyzers/assets/ForcepointWebsensePing_long.PNG differ
diff --git a/analyzers/assets/ForcepointWebsensePing_short.PNG b/analyzers/assets/ForcepointWebsensePing_short.PNG
new file mode 100644
index 000000000..089e5837b
Binary files /dev/null and b/analyzers/assets/ForcepointWebsensePing_short.PNG differ
diff --git a/analyzers/assets/Fortiguard_URLCategory_0.png b/analyzers/assets/Fortiguard_URLCategory_0.png
new file mode 100644
index 000000000..d40fbcd82
Binary files /dev/null and b/analyzers/assets/Fortiguard_URLCategory_0.png differ
diff --git a/analyzers/assets/Fortiguard_URLCategory_logo.png b/analyzers/assets/Fortiguard_URLCategory_logo.png
new file mode 100644
index 000000000..b5619b7dd
Binary files /dev/null and b/analyzers/assets/Fortiguard_URLCategory_logo.png differ
diff --git a/analyzers/assets/Gatewatcher_CTI_0.png b/analyzers/assets/Gatewatcher_CTI_0.png
new file mode 100644
index 000000000..7b2e8b301
Binary files /dev/null and b/analyzers/assets/Gatewatcher_CTI_0.png differ
diff --git a/analyzers/assets/Gatewatcher_CTI_1.png b/analyzers/assets/Gatewatcher_CTI_1.png
new file mode 100644
index 000000000..7098fda9c
Binary files /dev/null and b/analyzers/assets/Gatewatcher_CTI_1.png differ
diff --git a/analyzers/assets/Gatewatcher_CTI_logo.png b/analyzers/assets/Gatewatcher_CTI_logo.png
new file mode 100644
index 000000000..3aa6bccb7
Binary files /dev/null and b/analyzers/assets/Gatewatcher_CTI_logo.png differ
diff --git a/analyzers/assets/Gatewatcher_CTI_long.png b/analyzers/assets/Gatewatcher_CTI_long.png
new file mode 100644
index 000000000..7b2e8b301
Binary files /dev/null and b/analyzers/assets/Gatewatcher_CTI_long.png differ
diff --git a/analyzers/assets/Gatewatcher_CTI_short.png b/analyzers/assets/Gatewatcher_CTI_short.png
new file mode 100644
index 000000000..7098fda9c
Binary files /dev/null and b/analyzers/assets/Gatewatcher_CTI_short.png differ
diff --git a/analyzers/assets/GreyNoise_0.png b/analyzers/assets/GreyNoise_0.png
new file mode 100644
index 000000000..d9150540f
Binary files /dev/null and b/analyzers/assets/GreyNoise_0.png differ
diff --git a/analyzers/assets/GreyNoise_logo.png b/analyzers/assets/GreyNoise_logo.png
new file mode 100644
index 000000000..57ac0542c
Binary files /dev/null and b/analyzers/assets/GreyNoise_logo.png differ
diff --git a/analyzers/assets/HTML_report.png b/analyzers/assets/HTML_report.png
new file mode 100644
index 000000000..9b195cf72
Binary files /dev/null and b/analyzers/assets/HTML_report.png differ
diff --git a/analyzers/assets/Hashdd_Detail_0.png b/analyzers/assets/Hashdd_Detail_0.png
new file mode 100644
index 000000000..90ede851b
Binary files /dev/null and b/analyzers/assets/Hashdd_Detail_0.png differ
diff --git a/analyzers/assets/Hashdd_Detail_logo.png b/analyzers/assets/Hashdd_Detail_logo.png
new file mode 100644
index 000000000..4c95858b2
Binary files /dev/null and b/analyzers/assets/Hashdd_Detail_logo.png differ
diff --git a/analyzers/assets/Hunterio_domainsearch_0.png b/analyzers/assets/Hunterio_domainsearch_0.png
new file mode 100644
index 000000000..f4d0c0415
Binary files /dev/null and b/analyzers/assets/Hunterio_domainsearch_0.png differ
diff --git a/analyzers/assets/Hunterio_domainsearch_logo.png b/analyzers/assets/Hunterio_domainsearch_logo.png
new file mode 100644
index 000000000..4c2dc566e
Binary files /dev/null and b/analyzers/assets/Hunterio_domainsearch_logo.png differ
diff --git a/analyzers/assets/IP_URL.png b/analyzers/assets/IP_URL.png
new file mode 100644
index 000000000..a6a8d25d0
Binary files /dev/null and b/analyzers/assets/IP_URL.png differ
diff --git a/analyzers/assets/IVRE_logo.png b/analyzers/assets/IVRE_logo.png
new file mode 100644
index 000000000..a22935b0c
Binary files /dev/null and b/analyzers/assets/IVRE_logo.png differ
diff --git a/analyzers/assets/Inoitsu_0.png b/analyzers/assets/Inoitsu_0.png
new file mode 100644
index 000000000..ed9726154
Binary files /dev/null and b/analyzers/assets/Inoitsu_0.png differ
diff --git a/analyzers/assets/Inoitsu_1.png b/analyzers/assets/Inoitsu_1.png
new file mode 100644
index 000000000..2aa7db2d8
Binary files /dev/null and b/analyzers/assets/Inoitsu_1.png differ
diff --git a/analyzers/assets/Inoitsu_logo.png b/analyzers/assets/Inoitsu_logo.png
new file mode 100644
index 000000000..79a7361ef
Binary files /dev/null and b/analyzers/assets/Inoitsu_logo.png differ
diff --git a/analyzers/assets/Inoitsu_long.png b/analyzers/assets/Inoitsu_long.png new file mode 100644 index 000000000..ed9726154 Binary files /dev/null and b/analyzers/assets/Inoitsu_long.png differ diff --git a/analyzers/assets/Inoitsu_short.png b/analyzers/assets/Inoitsu_short.png new file mode 100644 index 000000000..2aa7db2d8 Binary files /dev/null and b/analyzers/assets/Inoitsu_short.png differ diff --git a/analyzers/assets/IntelligenceCenter_Context_0.png b/analyzers/assets/IntelligenceCenter_Context_0.png new file mode 100644 index 000000000..141e7e58b Binary files /dev/null and b/analyzers/assets/IntelligenceCenter_Context_0.png differ diff --git a/analyzers/assets/IntelligenceCenter_Context_logo.png b/analyzers/assets/IntelligenceCenter_Context_logo.png new file mode 100644 index 000000000..9132e8d06 Binary files /dev/null and b/analyzers/assets/IntelligenceCenter_Context_logo.png differ diff --git a/analyzers/assets/IntelligenceCenter_Indicators_0.png b/analyzers/assets/IntelligenceCenter_Indicators_0.png new file mode 100644 index 000000000..2f7ae490d Binary files /dev/null and b/analyzers/assets/IntelligenceCenter_Indicators_0.png differ diff --git a/analyzers/assets/IntelligenceCenter_Indicators_logo.png b/analyzers/assets/IntelligenceCenter_Indicators_logo.png new file mode 100644 index 000000000..9132e8d06 Binary files /dev/null and b/analyzers/assets/IntelligenceCenter_Indicators_logo.png differ diff --git a/analyzers/assets/IntelligenceCenter_observables_0.png b/analyzers/assets/IntelligenceCenter_observables_0.png new file mode 100644 index 000000000..141e7e58b Binary files /dev/null and b/analyzers/assets/IntelligenceCenter_observables_0.png differ diff --git a/analyzers/assets/IntelligenceCenter_observables_logo.png b/analyzers/assets/IntelligenceCenter_observables_logo.png new file mode 100644 index 000000000..9132e8d06 Binary files /dev/null and b/analyzers/assets/IntelligenceCenter_observables_logo.png differ 
diff --git a/analyzers/assets/IntezerCommunity_0.png b/analyzers/assets/IntezerCommunity_0.png new file mode 100644 index 000000000..4d4d7c521 Binary files /dev/null and b/analyzers/assets/IntezerCommunity_0.png differ diff --git a/analyzers/assets/IntezerCommunity_logo.png b/analyzers/assets/IntezerCommunity_logo.png new file mode 100644 index 000000000..daf8cc621 Binary files /dev/null and b/analyzers/assets/IntezerCommunity_logo.png differ diff --git a/analyzers/assets/JoeSandbox_File_Analysis_Inet_0.png b/analyzers/assets/JoeSandbox_File_Analysis_Inet_0.png new file mode 100644 index 000000000..9b195cf72 Binary files /dev/null and b/analyzers/assets/JoeSandbox_File_Analysis_Inet_0.png differ diff --git a/analyzers/assets/JoeSandbox_File_Analysis_Inet_1.png b/analyzers/assets/JoeSandbox_File_Analysis_Inet_1.png new file mode 100644 index 000000000..037c0ff69 Binary files /dev/null and b/analyzers/assets/JoeSandbox_File_Analysis_Inet_1.png differ diff --git a/analyzers/assets/JoeSandbox_File_Analysis_Inet_2.png b/analyzers/assets/JoeSandbox_File_Analysis_Inet_2.png new file mode 100644 index 000000000..a6a8d25d0 Binary files /dev/null and b/analyzers/assets/JoeSandbox_File_Analysis_Inet_2.png differ diff --git a/analyzers/assets/JoeSandbox_File_Analysis_Noinet_0.png b/analyzers/assets/JoeSandbox_File_Analysis_Noinet_0.png new file mode 100644 index 000000000..9b195cf72 Binary files /dev/null and b/analyzers/assets/JoeSandbox_File_Analysis_Noinet_0.png differ diff --git a/analyzers/assets/JoeSandbox_File_Analysis_Noinet_1.png b/analyzers/assets/JoeSandbox_File_Analysis_Noinet_1.png new file mode 100644 index 000000000..037c0ff69 Binary files /dev/null and b/analyzers/assets/JoeSandbox_File_Analysis_Noinet_1.png differ 
diff --git a/analyzers/assets/Jupyter_Run_Notebook_Analyzer_logo.png b/analyzers/assets/Jupyter_Run_Notebook_Analyzer_logo.png new file mode 100644 index 000000000..743264980 Binary files /dev/null and b/analyzers/assets/Jupyter_Run_Notebook_Analyzer_logo.png differ diff --git a/analyzers/assets/LinksReport.jpg b/analyzers/assets/LinksReport.jpg new file mode 100644 index 000000000..ba7d222ec Binary files /dev/null and b/analyzers/assets/LinksReport.jpg differ diff --git a/analyzers/assets/MISPWarningLists_0.png b/analyzers/assets/MISPWarningLists_0.png new file mode 100644 index 000000000..5a2ab0daa Binary files /dev/null and b/analyzers/assets/MISPWarningLists_0.png differ diff --git a/analyzers/assets/MISPWarningLists_logo.png b/analyzers/assets/MISPWarningLists_logo.png new file mode 100644 index 000000000..c19ee1880 Binary files /dev/null and b/analyzers/assets/MISPWarningLists_logo.png differ diff --git a/analyzers/assets/MISP_0.png b/analyzers/assets/MISP_0.png new file mode 100644 index 000000000..103117032 Binary files /dev/null and b/analyzers/assets/MISP_0.png differ diff --git a/analyzers/assets/MISP_logo.png b/analyzers/assets/MISP_logo.png new file mode 100644 index 000000000..c19ee1880 Binary files /dev/null and b/analyzers/assets/MISP_logo.png differ diff --git a/analyzers/assets/Maltiverse_Report_0.png b/analyzers/assets/Maltiverse_Report_0.png new file mode 100644 index 000000000..17ae8478c Binary files /dev/null and b/analyzers/assets/Maltiverse_Report_0.png differ diff --git a/analyzers/assets/Maltiverse_Report_logo.png b/analyzers/assets/Maltiverse_Report_logo.png new file mode 100644 index 000000000..0954d1a0a Binary files /dev/null and b/analyzers/assets/Maltiverse_Report_logo.png differ diff --git a/analyzers/assets/MalwareBazaar_0.png b/analyzers/assets/MalwareBazaar_0.png new file mode 100644 index 000000000..df17e3c6e Binary files /dev/null and b/analyzers/assets/MalwareBazaar_0.png differ 
diff --git a/analyzers/assets/MalwareBazaar_logo.png b/analyzers/assets/MalwareBazaar_logo.png new file mode 100644 index 000000000..9a95608b5 Binary files /dev/null and b/analyzers/assets/MalwareBazaar_logo.png differ diff --git a/analyzers/assets/MalwareClustering_0.png b/analyzers/assets/MalwareClustering_0.png new file mode 100644 index 000000000..b3b9e457f Binary files /dev/null and b/analyzers/assets/MalwareClustering_0.png differ diff --git a/analyzers/assets/MalwareCustering_long.png b/analyzers/assets/MalwareCustering_long.png new file mode 100644 index 000000000..b3b9e457f Binary files /dev/null and b/analyzers/assets/MalwareCustering_long.png differ diff --git a/analyzers/assets/Malwares_GetReport_0.png b/analyzers/assets/Malwares_GetReport_0.png new file mode 100644 index 000000000..3674727da Binary files /dev/null and b/analyzers/assets/Malwares_GetReport_0.png differ diff --git a/analyzers/assets/Malwares_GetReport_logo.png b/analyzers/assets/Malwares_GetReport_logo.png new file mode 100644 index 000000000..879e3f449 Binary files /dev/null and b/analyzers/assets/Malwares_GetReport_logo.png differ diff --git a/analyzers/assets/Malwares_Scan_0.png b/analyzers/assets/Malwares_Scan_0.png new file mode 100644 index 000000000..3674727da Binary files /dev/null and b/analyzers/assets/Malwares_Scan_0.png differ diff --git a/analyzers/assets/Malwares_Scan_logo.png b/analyzers/assets/Malwares_Scan_logo.png new file mode 100644 index 000000000..879e3f449 Binary files /dev/null and b/analyzers/assets/Malwares_Scan_logo.png differ diff --git a/analyzers/assets/NERD_logo.png b/analyzers/assets/NERD_logo.png new file mode 100644 index 000000000..27166fb18 Binary files /dev/null and b/analyzers/assets/NERD_logo.png differ diff --git a/analyzers/assets/NERD_long.png b/analyzers/assets/NERD_long.png new file mode 100644 index 000000000..de1be6931 Binary files /dev/null and b/analyzers/assets/NERD_long.png differ 
diff --git a/analyzers/assets/NERD_short.png b/analyzers/assets/NERD_short.png new file mode 100644 index 000000000..94d57ea95 Binary files /dev/null and b/analyzers/assets/NERD_short.png differ diff --git a/analyzers/assets/ONYPHE_ASM_0.png b/analyzers/assets/ONYPHE_ASM_0.png new file mode 100644 index 000000000..7e96fd41c Binary files /dev/null and b/analyzers/assets/ONYPHE_ASM_0.png differ diff --git a/analyzers/assets/ONYPHE_ASM_1.png b/analyzers/assets/ONYPHE_ASM_1.png new file mode 100644 index 000000000..1a2e47c7f Binary files /dev/null and b/analyzers/assets/ONYPHE_ASM_1.png differ diff --git a/analyzers/assets/ONYPHE_ASM_logo.png b/analyzers/assets/ONYPHE_ASM_logo.png new file mode 100644 index 000000000..dfa143cb6 Binary files /dev/null and b/analyzers/assets/ONYPHE_ASM_logo.png differ diff --git a/analyzers/assets/ONYPHE_ASM_long.png b/analyzers/assets/ONYPHE_ASM_long.png new file mode 100644 index 000000000..7e96fd41c Binary files /dev/null and b/analyzers/assets/ONYPHE_ASM_long.png differ diff --git a/analyzers/assets/ONYPHE_ASM_short.png b/analyzers/assets/ONYPHE_ASM_short.png new file mode 100644 index 000000000..1a2e47c7f Binary files /dev/null and b/analyzers/assets/ONYPHE_ASM_short.png differ diff --git a/analyzers/assets/ONYPHE_Search_0.png b/analyzers/assets/ONYPHE_Search_0.png new file mode 100644 index 000000000..20b15630c Binary files /dev/null and b/analyzers/assets/ONYPHE_Search_0.png differ diff --git a/analyzers/assets/ONYPHE_Search_1.png b/analyzers/assets/ONYPHE_Search_1.png new file mode 100644 index 000000000..1a2e47c7f Binary files /dev/null and b/analyzers/assets/ONYPHE_Search_1.png differ diff --git a/analyzers/assets/ONYPHE_Search_logo.png b/analyzers/assets/ONYPHE_Search_logo.png new file mode 100644 index 000000000..dfa143cb6 Binary files /dev/null and b/analyzers/assets/ONYPHE_Search_logo.png differ 
diff --git a/analyzers/assets/ONYPHE_Search_long.png b/analyzers/assets/ONYPHE_Search_long.png new file mode 100644 index 000000000..20b15630c Binary files /dev/null and b/analyzers/assets/ONYPHE_Search_long.png differ diff --git a/analyzers/assets/ONYPHE_Search_short.png b/analyzers/assets/ONYPHE_Search_short.png new file mode 100644 index 000000000..1a2e47c7f Binary files /dev/null and b/analyzers/assets/ONYPHE_Search_short.png differ diff --git a/analyzers/assets/ONYPHE_Summary_API_0.png b/analyzers/assets/ONYPHE_Summary_API_0.png new file mode 100644 index 000000000..ce6e40c01 Binary files /dev/null and b/analyzers/assets/ONYPHE_Summary_API_0.png differ diff --git a/analyzers/assets/ONYPHE_Summary_API_1.png b/analyzers/assets/ONYPHE_Summary_API_1.png new file mode 100644 index 000000000..cc0f12be1 Binary files /dev/null and b/analyzers/assets/ONYPHE_Summary_API_1.png differ diff --git a/analyzers/assets/ONYPHE_Summary_API_logo.png b/analyzers/assets/ONYPHE_Summary_API_logo.png new file mode 100644 index 000000000..dfa143cb6 Binary files /dev/null and b/analyzers/assets/ONYPHE_Summary_API_logo.png differ diff --git a/analyzers/assets/ONYPHE_Vulnscan_0.png b/analyzers/assets/ONYPHE_Vulnscan_0.png new file mode 100644 index 000000000..70f0b337e Binary files /dev/null and b/analyzers/assets/ONYPHE_Vulnscan_0.png differ diff --git a/analyzers/assets/ONYPHE_Vulnscan_1.png b/analyzers/assets/ONYPHE_Vulnscan_1.png new file mode 100644 index 000000000..1a2e47c7f Binary files /dev/null and b/analyzers/assets/ONYPHE_Vulnscan_1.png differ diff --git a/analyzers/assets/ONYPHE_Vulnscan_logo.png b/analyzers/assets/ONYPHE_Vulnscan_logo.png new file mode 100644 index 000000000..dfa143cb6 Binary files /dev/null and b/analyzers/assets/ONYPHE_Vulnscan_logo.png differ 
diff --git a/analyzers/assets/ONYPHE_Vulnscan_long.png b/analyzers/assets/ONYPHE_Vulnscan_long.png new file mode 100644 index 000000000..70f0b337e Binary files /dev/null and b/analyzers/assets/ONYPHE_Vulnscan_long.png differ diff --git a/analyzers/assets/ONYPHE_Vulnscan_short.png b/analyzers/assets/ONYPHE_Vulnscan_short.png new file mode 100644 index 000000000..1a2e47c7f Binary files /dev/null and b/analyzers/assets/ONYPHE_Vulnscan_short.png differ diff --git a/analyzers/assets/OTX.png b/analyzers/assets/OTX.png new file mode 100644 index 000000000..840d22d10 Binary files /dev/null and b/analyzers/assets/OTX.png differ diff --git a/analyzers/assets/OTXQuery_0.png b/analyzers/assets/OTXQuery_0.png new file mode 100644 index 000000000..8a2258ee8 Binary files /dev/null and b/analyzers/assets/OTXQuery_0.png differ diff --git a/analyzers/assets/OTXQuery_logo.png b/analyzers/assets/OTXQuery_logo.png new file mode 100644 index 000000000..840d22d10 Binary files /dev/null and b/analyzers/assets/OTXQuery_logo.png differ diff --git a/analyzers/assets/Onyphe_Summary_0.png b/analyzers/assets/Onyphe_Summary_0.png new file mode 100644 index 000000000..ce6e40c01 Binary files /dev/null and b/analyzers/assets/Onyphe_Summary_0.png differ diff --git a/analyzers/assets/Onyphe_Summary_1.png b/analyzers/assets/Onyphe_Summary_1.png new file mode 100644 index 000000000..cc0f12be1 Binary files /dev/null and b/analyzers/assets/Onyphe_Summary_1.png differ diff --git a/analyzers/assets/Onyphe_Summary_logo.png b/analyzers/assets/Onyphe_Summary_logo.png new file mode 100644 index 000000000..dfa143cb6 Binary files /dev/null and b/analyzers/assets/Onyphe_Summary_logo.png differ diff --git a/analyzers/assets/Onyphe_Summary_long.png b/analyzers/assets/Onyphe_Summary_long.png new file mode 100644 index 000000000..ce6e40c01 Binary files /dev/null and b/analyzers/assets/Onyphe_Summary_long.png differ 
diff --git a/analyzers/assets/Onyphe_Summary_short.png b/analyzers/assets/Onyphe_Summary_short.png new file mode 100644 index 000000000..cc0f12be1 Binary files /dev/null and b/analyzers/assets/Onyphe_Summary_short.png differ diff --git a/analyzers/assets/OpenCTI_SearchExactObservable_logo.png b/analyzers/assets/OpenCTI_SearchExactObservable_logo.png new file mode 100644 index 000000000..f3516317d Binary files /dev/null and b/analyzers/assets/OpenCTI_SearchExactObservable_logo.png differ diff --git a/analyzers/assets/OpenCTI_SearchObservables_logo.png b/analyzers/assets/OpenCTI_SearchObservables_logo.png new file mode 100644 index 000000000..f3516317d Binary files /dev/null and b/analyzers/assets/OpenCTI_SearchObservables_logo.png differ diff --git a/analyzers/assets/PaloAltoWildFire_0.png b/analyzers/assets/PaloAltoWildFire_0.png new file mode 100644 index 000000000..e35dc918e Binary files /dev/null and b/analyzers/assets/PaloAltoWildFire_0.png differ diff --git a/analyzers/assets/PaloAltoWildFire_1.png b/analyzers/assets/PaloAltoWildFire_1.png new file mode 100644 index 000000000..283a3332f Binary files /dev/null and b/analyzers/assets/PaloAltoWildFire_1.png differ diff --git a/analyzers/assets/PaloAltoWildFire_logo.png b/analyzers/assets/PaloAltoWildFire_logo.png new file mode 100644 index 000000000..74abdf26b Binary files /dev/null and b/analyzers/assets/PaloAltoWildFire_logo.png differ diff --git a/analyzers/assets/Patrowl_GetReport_0.png b/analyzers/assets/Patrowl_GetReport_0.png new file mode 100644 index 000000000..7f05744bc Binary files /dev/null and b/analyzers/assets/Patrowl_GetReport_0.png differ diff --git a/analyzers/assets/Patrowl_GetReport_1.png b/analyzers/assets/Patrowl_GetReport_1.png new file mode 100644 index 000000000..6ce9dcff5 Binary files /dev/null and b/analyzers/assets/Patrowl_GetReport_1.png differ 
diff --git a/analyzers/assets/Patrowl_GetReport_logo.png b/analyzers/assets/Patrowl_GetReport_logo.png new file mode 100644 index 000000000..9f1463a02 Binary files /dev/null and b/analyzers/assets/Patrowl_GetReport_logo.png differ diff --git a/analyzers/assets/PhishTank_CheckURL_0.png b/analyzers/assets/PhishTank_CheckURL_0.png new file mode 100644 index 000000000..7fb941df5 Binary files /dev/null and b/analyzers/assets/PhishTank_CheckURL_0.png differ diff --git a/analyzers/assets/PhishTank_CheckURL_logo.png b/analyzers/assets/PhishTank_CheckURL_logo.png new file mode 100644 index 000000000..ff2e6ad26 Binary files /dev/null and b/analyzers/assets/PhishTank_CheckURL_logo.png differ diff --git a/analyzers/assets/PhishingInitiative_Lookup_logo.png b/analyzers/assets/PhishingInitiative_Lookup_logo.png new file mode 100644 index 000000000..05ab11eb0 Binary files /dev/null and b/analyzers/assets/PhishingInitiative_Lookup_logo.png differ diff --git a/analyzers/assets/PhishingInitiative_Scan_logo.png b/analyzers/assets/PhishingInitiative_Scan_logo.png new file mode 100644 index 000000000..05ab11eb0 Binary files /dev/null and b/analyzers/assets/PhishingInitiative_Scan_logo.png differ diff --git a/analyzers/assets/RecordedFutureAnalyzerReport.jpg b/analyzers/assets/RecordedFutureAnalyzerReport.jpg new file mode 100644 index 000000000..1a84f1a96 Binary files /dev/null and b/analyzers/assets/RecordedFutureAnalyzerReport.jpg differ diff --git a/analyzers/assets/RecordedFuture_logo.png b/analyzers/assets/RecordedFuture_logo.png new file mode 100644 index 000000000..2da3ffadd Binary files /dev/null and b/analyzers/assets/RecordedFuture_logo.png differ diff --git a/analyzers/assets/RiskRulesReport.jpg b/analyzers/assets/RiskRulesReport.jpg new file mode 100644 index 000000000..c844b7d4a Binary files /dev/null and b/analyzers/assets/RiskRulesReport.jpg differ 
diff --git a/analyzers/assets/SEKOIAIntelligenceCenter_Context_long.png b/analyzers/assets/SEKOIAIntelligenceCenter_Context_long.png new file mode 100644 index 000000000..141e7e58b Binary files /dev/null and b/analyzers/assets/SEKOIAIntelligenceCenter_Context_long.png differ diff --git a/analyzers/assets/SEKOIAIntelligenceCenter_Indicators_long.png b/analyzers/assets/SEKOIAIntelligenceCenter_Indicators_long.png new file mode 100644 index 000000000..2f7ae490d Binary files /dev/null and b/analyzers/assets/SEKOIAIntelligenceCenter_Indicators_long.png differ diff --git a/analyzers/assets/SEKOIAIntelligenceCenter_Observables_long.png b/analyzers/assets/SEKOIAIntelligenceCenter_Observables_long.png new file mode 100644 index 000000000..53791c2ae Binary files /dev/null and b/analyzers/assets/SEKOIAIntelligenceCenter_Observables_long.png differ diff --git a/analyzers/assets/SpamAssassin_0.png b/analyzers/assets/SpamAssassin_0.png new file mode 100644 index 000000000..7ae63cd4f Binary files /dev/null and b/analyzers/assets/SpamAssassin_0.png differ diff --git a/analyzers/assets/SpamAssassin_1.png b/analyzers/assets/SpamAssassin_1.png new file mode 100644 index 000000000..b9e37937d Binary files /dev/null and b/analyzers/assets/SpamAssassin_1.png differ diff --git a/analyzers/assets/SpamAssassin_logo.png b/analyzers/assets/SpamAssassin_logo.png new file mode 100644 index 000000000..23e779ff6 Binary files /dev/null and b/analyzers/assets/SpamAssassin_logo.png differ diff --git a/analyzers/assets/SpamAssassin_long.png b/analyzers/assets/SpamAssassin_long.png new file mode 100644 index 000000000..7ae63cd4f Binary files /dev/null and b/analyzers/assets/SpamAssassin_long.png differ diff --git a/analyzers/assets/SpamAssassin_short.png b/analyzers/assets/SpamAssassin_short.png new file mode 100644 index 000000000..b9e37937d Binary files /dev/null and b/analyzers/assets/SpamAssassin_short.png differ 
diff --git a/analyzers/assets/Splunk_Search_Domain_FQDN_long.png b/analyzers/assets/Splunk_Search_Domain_FQDN_long.png new file mode 100644 index 000000000..393211797 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Domain_FQDN_long.png differ diff --git a/analyzers/assets/Splunk_Search_Domain_FQDN_short.png b/analyzers/assets/Splunk_Search_Domain_FQDN_short.png new file mode 100644 index 000000000..849481d9f Binary files /dev/null and b/analyzers/assets/Splunk_Search_Domain_FQDN_short.png differ diff --git a/analyzers/assets/Splunk_Search_File_Filename_long.png b/analyzers/assets/Splunk_Search_File_Filename_long.png new file mode 100644 index 000000000..d5ad2769d Binary files /dev/null and b/analyzers/assets/Splunk_Search_File_Filename_long.png differ diff --git a/analyzers/assets/Splunk_Search_File_Filename_short.png b/analyzers/assets/Splunk_Search_File_Filename_short.png new file mode 100644 index 000000000..8123669a7 Binary files /dev/null and b/analyzers/assets/Splunk_Search_File_Filename_short.png differ diff --git a/analyzers/assets/Splunk_Search_Hash_long.png b/analyzers/assets/Splunk_Search_Hash_long.png new file mode 100644 index 000000000..4543c9ffe Binary files /dev/null and b/analyzers/assets/Splunk_Search_Hash_long.png differ diff --git a/analyzers/assets/Splunk_Search_Hash_short.png b/analyzers/assets/Splunk_Search_Hash_short.png new file mode 100644 index 000000000..29fa2dd94 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Hash_short.png differ diff --git a/analyzers/assets/Splunk_Search_IP_long.png b/analyzers/assets/Splunk_Search_IP_long.png new file mode 100644 index 000000000..d93502eab Binary files /dev/null and b/analyzers/assets/Splunk_Search_IP_long.png differ diff --git a/analyzers/assets/Splunk_Search_IP_short.png b/analyzers/assets/Splunk_Search_IP_short.png new file mode 100644 index 000000000..a00d936fa Binary files /dev/null and b/analyzers/assets/Splunk_Search_IP_short.png differ 
diff --git a/analyzers/assets/Splunk_Search_Mail_Email_long.png b/analyzers/assets/Splunk_Search_Mail_Email_long.png new file mode 100644 index 000000000..ab65173d7 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Mail_Email_long.png differ diff --git a/analyzers/assets/Splunk_Search_Mail_Email_short.png b/analyzers/assets/Splunk_Search_Mail_Email_short.png new file mode 100644 index 000000000..55cd414db Binary files /dev/null and b/analyzers/assets/Splunk_Search_Mail_Email_short.png differ diff --git a/analyzers/assets/Splunk_Search_Mail_Subject_long.png b/analyzers/assets/Splunk_Search_Mail_Subject_long.png new file mode 100644 index 000000000..6546cf5c2 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Mail_Subject_long.png differ diff --git a/analyzers/assets/Splunk_Search_Mail_Subject_short.png b/analyzers/assets/Splunk_Search_Mail_Subject_short.png new file mode 100644 index 000000000..4ef5d5831 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Mail_Subject_short.png differ diff --git a/analyzers/assets/Splunk_Search_Other_long.png b/analyzers/assets/Splunk_Search_Other_long.png new file mode 100644 index 000000000..fcb934e3e Binary files /dev/null and b/analyzers/assets/Splunk_Search_Other_long.png differ diff --git a/analyzers/assets/Splunk_Search_Other_short.png b/analyzers/assets/Splunk_Search_Other_short.png new file mode 100644 index 000000000..237fbf5d8 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Other_short.png differ diff --git a/analyzers/assets/Splunk_Search_Registry_long.png b/analyzers/assets/Splunk_Search_Registry_long.png new file mode 100644 index 000000000..20a066f6c Binary files /dev/null and b/analyzers/assets/Splunk_Search_Registry_long.png differ diff --git a/analyzers/assets/Splunk_Search_Registry_short.png b/analyzers/assets/Splunk_Search_Registry_short.png new file mode 100644 index 000000000..a5a455e96 Binary files /dev/null and b/analyzers/assets/Splunk_Search_Registry_short.png differ 
diff --git a/analyzers/assets/Splunk_Search_URL_URI_Path_long.png b/analyzers/assets/Splunk_Search_URL_URI_Path_long.png new file mode 100644 index 000000000..dd084231c Binary files /dev/null and b/analyzers/assets/Splunk_Search_URL_URI_Path_long.png differ diff --git a/analyzers/assets/Splunk_Search_URL_URI_Path_short.png b/analyzers/assets/Splunk_Search_URL_URI_Path_short.png new file mode 100644 index 000000000..8812731a5 Binary files /dev/null and b/analyzers/assets/Splunk_Search_URL_URI_Path_short.png differ diff --git a/analyzers/assets/Splunk_Search_User_Agent_long.png b/analyzers/assets/Splunk_Search_User_Agent_long.png new file mode 100644 index 000000000..1b4c61bef Binary files /dev/null and b/analyzers/assets/Splunk_Search_User_Agent_long.png differ diff --git a/analyzers/assets/Splunk_Search_User_Agent_short.png b/analyzers/assets/Splunk_Search_User_Agent_short.png new file mode 100644 index 000000000..8c5287e9d Binary files /dev/null and b/analyzers/assets/Splunk_Search_User_Agent_short.png differ diff --git a/analyzers/assets/Splunk_Search_User_long.png b/analyzers/assets/Splunk_Search_User_long.png new file mode 100644 index 000000000..de587b5b5 Binary files /dev/null and b/analyzers/assets/Splunk_Search_User_long.png differ diff --git a/analyzers/assets/Splunk_Search_User_short.png b/analyzers/assets/Splunk_Search_User_short.png new file mode 100644 index 000000000..fa8241144 Binary files /dev/null and b/analyzers/assets/Splunk_Search_User_short.png differ diff --git a/analyzers/assets/Splunk_Search_domain_fqdn_0.png b/analyzers/assets/Splunk_Search_domain_fqdn_0.png new file mode 100644 index 000000000..393211797 Binary files /dev/null and b/analyzers/assets/Splunk_Search_domain_fqdn_0.png differ diff --git a/analyzers/assets/Splunk_Search_domain_fqdn_1.png b/analyzers/assets/Splunk_Search_domain_fqdn_1.png new file mode 100644 index 000000000..849481d9f Binary files /dev/null and b/analyzers/assets/Splunk_Search_domain_fqdn_1.png differ 
diff --git a/analyzers/assets/Splunk_Search_domain_fqdn_logo.png b/analyzers/assets/Splunk_Search_domain_fqdn_logo.png new file mode 100644 index 000000000..c4f4c4d6c Binary files /dev/null and b/analyzers/assets/Splunk_Search_domain_fqdn_logo.png differ diff --git a/analyzers/assets/Splunk_Search_file_filename_0.png b/analyzers/assets/Splunk_Search_file_filename_0.png new file mode 100644 index 000000000..d5ad2769d Binary files /dev/null and b/analyzers/assets/Splunk_Search_file_filename_0.png differ diff --git a/analyzers/assets/Splunk_Search_file_filename_1.png b/analyzers/assets/Splunk_Search_file_filename_1.png new file mode 100644 index 000000000..8123669a7 Binary files /dev/null and b/analyzers/assets/Splunk_Search_file_filename_1.png differ diff --git a/analyzers/assets/Splunk_Search_file_filename_logo.png b/analyzers/assets/Splunk_Search_file_filename_logo.png new file mode 100644 index 000000000..9a5eb79e4 Binary files /dev/null and b/analyzers/assets/Splunk_Search_file_filename_logo.png differ diff --git a/analyzers/assets/Splunk_Search_hash_0.png b/analyzers/assets/Splunk_Search_hash_0.png new file mode 100644 index 000000000..4543c9ffe Binary files /dev/null and b/analyzers/assets/Splunk_Search_hash_0.png differ diff --git a/analyzers/assets/Splunk_Search_hash_1.png b/analyzers/assets/Splunk_Search_hash_1.png new file mode 100644 index 000000000..29fa2dd94 Binary files /dev/null and b/analyzers/assets/Splunk_Search_hash_1.png differ diff --git a/analyzers/assets/Splunk_Search_hash_logo.png b/analyzers/assets/Splunk_Search_hash_logo.png new file mode 100644 index 000000000..c9d853747 Binary files /dev/null and b/analyzers/assets/Splunk_Search_hash_logo.png differ diff --git a/analyzers/assets/Splunk_Search_ip_0.png b/analyzers/assets/Splunk_Search_ip_0.png new file mode 100644 index 000000000..d93502eab Binary files /dev/null and b/analyzers/assets/Splunk_Search_ip_0.png differ 
diff --git a/analyzers/assets/Splunk_Search_ip_1.png b/analyzers/assets/Splunk_Search_ip_1.png new file mode 100644 index 000000000..a00d936fa Binary files /dev/null and b/analyzers/assets/Splunk_Search_ip_1.png differ diff --git a/analyzers/assets/Splunk_Search_ip_logo.png b/analyzers/assets/Splunk_Search_ip_logo.png new file mode 100644 index 000000000..9274c1d59 Binary files /dev/null and b/analyzers/assets/Splunk_Search_ip_logo.png differ diff --git a/analyzers/assets/Splunk_Search_mail_email_0.png b/analyzers/assets/Splunk_Search_mail_email_0.png new file mode 100644 index 000000000..ab65173d7 Binary files /dev/null and b/analyzers/assets/Splunk_Search_mail_email_0.png differ diff --git a/analyzers/assets/Splunk_Search_mail_email_1.png b/analyzers/assets/Splunk_Search_mail_email_1.png new file mode 100644 index 000000000..55cd414db Binary files /dev/null and b/analyzers/assets/Splunk_Search_mail_email_1.png differ diff --git a/analyzers/assets/Splunk_Search_mail_email_logo.png b/analyzers/assets/Splunk_Search_mail_email_logo.png new file mode 100644 index 000000000..2a744b884 Binary files /dev/null and b/analyzers/assets/Splunk_Search_mail_email_logo.png differ diff --git a/analyzers/assets/Splunk_Search_mail_subject_0.png b/analyzers/assets/Splunk_Search_mail_subject_0.png new file mode 100644 index 000000000..6546cf5c2 Binary files /dev/null and b/analyzers/assets/Splunk_Search_mail_subject_0.png differ diff --git a/analyzers/assets/Splunk_Search_mail_subject_1.png b/analyzers/assets/Splunk_Search_mail_subject_1.png new file mode 100644 index 000000000..4ef5d5831 Binary files /dev/null and b/analyzers/assets/Splunk_Search_mail_subject_1.png differ diff --git a/analyzers/assets/Splunk_Search_mail_subject_logo.png b/analyzers/assets/Splunk_Search_mail_subject_logo.png new file mode 100644 index 000000000..2ccdb4592 Binary files /dev/null and b/analyzers/assets/Splunk_Search_mail_subject_logo.png differ 
diff --git a/analyzers/assets/Splunk_Search_other_0.png b/analyzers/assets/Splunk_Search_other_0.png new file mode 100644 index 000000000..fcb934e3e Binary files /dev/null and b/analyzers/assets/Splunk_Search_other_0.png differ diff --git a/analyzers/assets/Splunk_Search_other_1.png b/analyzers/assets/Splunk_Search_other_1.png new file mode 100644 index 000000000..237fbf5d8 Binary files /dev/null and b/analyzers/assets/Splunk_Search_other_1.png differ diff --git a/analyzers/assets/Splunk_Search_other_logo.png b/analyzers/assets/Splunk_Search_other_logo.png new file mode 100644 index 000000000..db14e5810 Binary files /dev/null and b/analyzers/assets/Splunk_Search_other_logo.png differ diff --git a/analyzers/assets/Splunk_Search_registry_0.png b/analyzers/assets/Splunk_Search_registry_0.png new file mode 100644 index 000000000..20a066f6c Binary files /dev/null and b/analyzers/assets/Splunk_Search_registry_0.png differ diff --git a/analyzers/assets/Splunk_Search_registry_1.png b/analyzers/assets/Splunk_Search_registry_1.png new file mode 100644 index 000000000..a5a455e96 Binary files /dev/null and b/analyzers/assets/Splunk_Search_registry_1.png differ diff --git a/analyzers/assets/Splunk_Search_registry_logo.png b/analyzers/assets/Splunk_Search_registry_logo.png new file mode 100644 index 000000000..b7f7e93dd Binary files /dev/null and b/analyzers/assets/Splunk_Search_registry_logo.png differ diff --git a/analyzers/assets/Splunk_Search_url_uri_path_0.png b/analyzers/assets/Splunk_Search_url_uri_path_0.png new file mode 100644 index 000000000..dd084231c Binary files /dev/null and b/analyzers/assets/Splunk_Search_url_uri_path_0.png differ diff --git a/analyzers/assets/Splunk_Search_url_uri_path_1.png b/analyzers/assets/Splunk_Search_url_uri_path_1.png new file mode 100644 index 000000000..8812731a5 Binary files /dev/null and b/analyzers/assets/Splunk_Search_url_uri_path_1.png differ 
diff --git a/analyzers/assets/Splunk_Search_url_uri_path_logo.png b/analyzers/assets/Splunk_Search_url_uri_path_logo.png new file mode 100644 index 000000000..e09a7124f Binary files /dev/null and b/analyzers/assets/Splunk_Search_url_uri_path_logo.png differ diff --git a/analyzers/assets/Splunk_Search_user_0.png b/analyzers/assets/Splunk_Search_user_0.png new file mode 100644 index 000000000..de587b5b5 Binary files /dev/null and b/analyzers/assets/Splunk_Search_user_0.png differ diff --git a/analyzers/assets/Splunk_Search_user_1.png b/analyzers/assets/Splunk_Search_user_1.png new file mode 100644 index 000000000..fa8241144 Binary files /dev/null and b/analyzers/assets/Splunk_Search_user_1.png differ diff --git a/analyzers/assets/Splunk_Search_user_agent_0.png b/analyzers/assets/Splunk_Search_user_agent_0.png new file mode 100644 index 000000000..1b4c61bef Binary files /dev/null and b/analyzers/assets/Splunk_Search_user_agent_0.png differ diff --git a/analyzers/assets/Splunk_Search_user_agent_1.png b/analyzers/assets/Splunk_Search_user_agent_1.png new file mode 100644 index 000000000..8c5287e9d Binary files /dev/null and b/analyzers/assets/Splunk_Search_user_agent_1.png differ diff --git a/analyzers/assets/Splunk_Search_user_agent_logo.png b/analyzers/assets/Splunk_Search_user_agent_logo.png new file mode 100644 index 000000000..01463cde4 Binary files /dev/null and b/analyzers/assets/Splunk_Search_user_agent_logo.png differ diff --git a/analyzers/assets/Splunk_Search_user_logo.png b/analyzers/assets/Splunk_Search_user_logo.png new file mode 100644 index 000000000..eae965512 Binary files /dev/null and b/analyzers/assets/Splunk_Search_user_logo.png differ diff --git a/analyzers/assets/THOR_Thunderstorm_ScanSample_long.png b/analyzers/assets/THOR_Thunderstorm_ScanSample_long.png new file mode 100644 index 000000000..26b7eeb2a Binary files /dev/null and b/analyzers/assets/THOR_Thunderstorm_ScanSample_long.png differ 
diff --git a/analyzers/assets/THOR_Thunderstorm_ScanSample_raw.png b/analyzers/assets/THOR_Thunderstorm_ScanSample_raw.png
new file mode 100644
index 000000000..bb0303703
Binary files /dev/null and b/analyzers/assets/THOR_Thunderstorm_ScanSample_raw.png differ
diff --git a/analyzers/assets/THOR_Thunderstorm_ScanSample_short.png b/analyzers/assets/THOR_Thunderstorm_ScanSample_short.png
new file mode 100644
index 000000000..08cd8e971
Binary files /dev/null and b/analyzers/assets/THOR_Thunderstorm_ScanSample_short.png differ
diff --git a/analyzers/assets/Thunderstorm_ScanSample_0.png b/analyzers/assets/Thunderstorm_ScanSample_0.png
new file mode 100644
index 000000000..26b7eeb2a
Binary files /dev/null and b/analyzers/assets/Thunderstorm_ScanSample_0.png differ
diff --git a/analyzers/assets/Thunderstorm_ScanSample_1.png b/analyzers/assets/Thunderstorm_ScanSample_1.png
new file mode 100644
index 000000000..08cd8e971
Binary files /dev/null and b/analyzers/assets/Thunderstorm_ScanSample_1.png differ
diff --git a/analyzers/assets/Thunderstorm_ScanSample_2.png b/analyzers/assets/Thunderstorm_ScanSample_2.png
new file mode 100644
index 000000000..bb0303703
Binary files /dev/null and b/analyzers/assets/Thunderstorm_ScanSample_2.png differ
diff --git a/analyzers/assets/Thunderstorm_ScanSample_logo.png b/analyzers/assets/Thunderstorm_ScanSample_logo.png
new file mode 100644
index 000000000..f9e4366b0
Binary files /dev/null and b/analyzers/assets/Thunderstorm_ScanSample_logo.png differ
diff --git a/analyzers/assets/Triage_0.png b/analyzers/assets/Triage_0.png
new file mode 100644
index 000000000..d994dfd5c
Binary files /dev/null and b/analyzers/assets/Triage_0.png differ
diff --git a/analyzers/assets/Triage_1.png b/analyzers/assets/Triage_1.png
new file mode 100644
index 000000000..13c382e45
Binary files /dev/null and b/analyzers/assets/Triage_1.png differ
diff --git a/analyzers/assets/Triage_2.png b/analyzers/assets/Triage_2.png
new file mode 100644
index 000000000..5b7f144e3
Binary files /dev/null and b/analyzers/assets/Triage_2.png differ
diff --git a/analyzers/assets/Triage_logo.png b/analyzers/assets/Triage_logo.png
new file mode 100644
index 000000000..cd57b0a50
Binary files /dev/null and b/analyzers/assets/Triage_logo.png differ
diff --git a/analyzers/assets/Valhalla_GetMatches_0.png b/analyzers/assets/Valhalla_GetMatches_0.png
new file mode 100644
index 000000000..b0e521f2c
Binary files /dev/null and b/analyzers/assets/Valhalla_GetMatches_0.png differ
diff --git a/analyzers/assets/Valhalla_GetMatches_1.png b/analyzers/assets/Valhalla_GetMatches_1.png
new file mode 100644
index 000000000..a756e1bd0
Binary files /dev/null and b/analyzers/assets/Valhalla_GetMatches_1.png differ
diff --git a/analyzers/assets/Valhalla_GetMatches_logo.png b/analyzers/assets/Valhalla_GetMatches_logo.png
new file mode 100644
index 000000000..599f9b5a0
Binary files /dev/null and b/analyzers/assets/Valhalla_GetMatches_logo.png differ
diff --git a/analyzers/assets/Valhalla_GetMatches_long.png b/analyzers/assets/Valhalla_GetMatches_long.png
new file mode 100644
index 000000000..a756e1bd0
Binary files /dev/null and b/analyzers/assets/Valhalla_GetMatches_long.png differ
diff --git a/analyzers/assets/Valhalla_GetMatches_short.png b/analyzers/assets/Valhalla_GetMatches_short.png
new file mode 100644
index 000000000..b0e521f2c
Binary files /dev/null and b/analyzers/assets/Valhalla_GetMatches_short.png differ
diff --git a/analyzers/assets/Valhalla_logo.png b/analyzers/assets/Valhalla_logo.png
new file mode 100644
index 000000000..599f9b5a0
Binary files /dev/null and b/analyzers/assets/Valhalla_logo.png differ
diff --git a/analyzers/assets/VirusTotal_DownloadSample_logo.png b/analyzers/assets/VirusTotal_DownloadSample_logo.png
new file mode 100644
index 000000000..7e6024421
Binary files /dev/null and b/analyzers/assets/VirusTotal_DownloadSample_logo.png differ
diff --git a/analyzers/assets/VirusTotal_GetReport_0.png b/analyzers/assets/VirusTotal_GetReport_0.png
new file mode 100644
index 000000000..7eb3ea153
Binary files /dev/null and b/analyzers/assets/VirusTotal_GetReport_0.png differ
diff --git a/analyzers/assets/VirusTotal_GetReport_logo.png b/analyzers/assets/VirusTotal_GetReport_logo.png
new file mode 100644
index 000000000..7e6024421
Binary files /dev/null and b/analyzers/assets/VirusTotal_GetReport_logo.png differ
diff --git a/analyzers/assets/VirusTotal_Rescan_logo.png b/analyzers/assets/VirusTotal_Rescan_logo.png
new file mode 100644
index 000000000..7e6024421
Binary files /dev/null and b/analyzers/assets/VirusTotal_Rescan_logo.png differ
diff --git a/analyzers/assets/VirusTotal_Scan_logo.png b/analyzers/assets/VirusTotal_Scan_logo.png
new file mode 100644
index 000000000..7e6024421
Binary files /dev/null and b/analyzers/assets/VirusTotal_Scan_logo.png differ
diff --git a/analyzers/assets/Virusshare_0.png b/analyzers/assets/Virusshare_0.png
new file mode 100644
index 000000000..2ecffaa63
Binary files /dev/null and b/analyzers/assets/Virusshare_0.png differ
diff --git a/analyzers/assets/Virusshare_logo.png b/analyzers/assets/Virusshare_logo.png
new file mode 100644
index 000000000..1c9bb58d9
Binary files /dev/null and b/analyzers/assets/Virusshare_logo.png differ
diff --git a/analyzers/assets/Vulners_CVE_1.gif b/analyzers/assets/Vulners_CVE_1.gif
new file mode 100644
index 000000000..d491ffb23
Binary files /dev/null and b/analyzers/assets/Vulners_CVE_1.gif differ
diff --git a/analyzers/assets/Vulners_CVE_logo.png b/analyzers/assets/Vulners_CVE_logo.png
new file mode 100644
index 000000000..11c33de55
Binary files /dev/null and b/analyzers/assets/Vulners_CVE_logo.png differ
diff --git a/analyzers/assets/Vulners_IOC_0.png b/analyzers/assets/Vulners_IOC_0.png
new file mode 100644
index 000000000..54bf6602c
Binary files /dev/null and b/analyzers/assets/Vulners_IOC_0.png differ
diff --git a/analyzers/assets/Vulners_IOC_2.png b/analyzers/assets/Vulners_IOC_2.png
new file mode 100644
index 000000000..2d0f7885a
Binary files /dev/null and b/analyzers/assets/Vulners_IOC_2.png differ
diff --git a/analyzers/assets/Vulners_IOC_3.png b/analyzers/assets/Vulners_IOC_3.png
new file mode 100644
index 000000000..36686c9fb
Binary files /dev/null and b/analyzers/assets/Vulners_IOC_3.png differ
diff --git a/analyzers/assets/Vulners_IOC_logo.png b/analyzers/assets/Vulners_IOC_logo.png
new file mode 100644
index 000000000..11c33de55
Binary files /dev/null and b/analyzers/assets/Vulners_IOC_logo.png differ
diff --git a/analyzers/assets/Zscaler_0.png b/analyzers/assets/Zscaler_0.png
new file mode 100644
index 000000000..d74b6a78c
Binary files /dev/null and b/analyzers/assets/Zscaler_0.png differ
diff --git a/analyzers/assets/Zscaler_1.png b/analyzers/assets/Zscaler_1.png
new file mode 100644
index 000000000..019c790e1
Binary files /dev/null and b/analyzers/assets/Zscaler_1.png differ
diff --git a/analyzers/assets/Zscaler_logo.png b/analyzers/assets/Zscaler_logo.png
new file mode 100644
index 000000000..b8151850a
Binary files /dev/null and b/analyzers/assets/Zscaler_logo.png differ
diff --git a/analyzers/assets/abuse_finder_longreport.png b/analyzers/assets/abuse_finder_longreport.png
new file mode 100644
index 000000000..b0e659ee5
Binary files /dev/null and b/analyzers/assets/abuse_finder_longreport.png differ
diff --git a/analyzers/assets/abuseipdb.png b/analyzers/assets/abuseipdb.png
new file mode 100644
index 000000000..c520af36c
Binary files /dev/null and b/analyzers/assets/abuseipdb.png differ
diff --git a/analyzers/assets/analyzers-list-sandbox.png b/analyzers/assets/analyzers-list-sandbox.png
new file mode 100644
index 000000000..c559f1a03
Binary files /dev/null and b/analyzers/assets/analyzers-list-sandbox.png differ
diff --git a/analyzers/assets/binalyze-logo.png b/analyzers/assets/binalyze-logo.png
new file mode 100644
index 000000000..2b5ea0189
Binary files /dev/null and b/analyzers/assets/binalyze-logo.png differ
diff --git a/analyzers/assets/binalyze_air_acquisition_logo.png b/analyzers/assets/binalyze_air_acquisition_logo.png
new file mode 100644
index 000000000..2b5ea0189
Binary files /dev/null and b/analyzers/assets/binalyze_air_acquisition_logo.png differ
diff --git a/analyzers/assets/binalyze_air_isolation_logo.png b/analyzers/assets/binalyze_air_isolation_logo.png
new file mode 100644
index 000000000..2b5ea0189
Binary files /dev/null and b/analyzers/assets/binalyze_air_isolation_logo.png differ
diff --git a/analyzers/assets/capa.png b/analyzers/assets/capa.png
new file mode 100644
index 000000000..712544794
Binary files /dev/null and b/analyzers/assets/capa.png differ
diff --git a/analyzers/assets/censys.png b/analyzers/assets/censys.png
new file mode 100644
index 000000000..ac066a21d
Binary files /dev/null and b/analyzers/assets/censys.png differ
diff --git a/analyzers/assets/circlhashlookup_logo.png b/analyzers/assets/circlhashlookup_logo.png
new file mode 100644
index 000000000..516678dea
Binary files /dev/null and b/analyzers/assets/circlhashlookup_logo.png differ
diff --git a/analyzers/assets/circlhashlookup_long_report.png b/analyzers/assets/circlhashlookup_long_report.png
new file mode 100644
index 000000000..a9eb83358
Binary files /dev/null and b/analyzers/assets/circlhashlookup_long_report.png differ
diff --git a/analyzers/assets/circlhashlookup_verdict.png b/analyzers/assets/circlhashlookup_verdict.png
new file mode 100644
index 000000000..bf1c299b5
Binary files /dev/null and b/analyzers/assets/circlhashlookup_verdict.png differ
diff --git a/analyzers/assets/cis_mcap_logo.png b/analyzers/assets/cis_mcap_logo.png
new file mode 100644
index 000000000..19895fc20
Binary files /dev/null and b/analyzers/assets/cis_mcap_logo.png differ
diff --git a/analyzers/assets/cortex-conf-alerts.png b/analyzers/assets/cortex-conf-alerts.png
new file mode 100644
index 000000000..5551b6d53
Binary files /dev/null and b/analyzers/assets/cortex-conf-alerts.png differ
diff --git a/analyzers/assets/cortex-conf-deviceinfo.png b/analyzers/assets/cortex-conf-deviceinfo.png
new file mode 100644
index 000000000..0479fd0ae
Binary files /dev/null and b/analyzers/assets/cortex-conf-deviceinfo.png differ
diff --git a/analyzers/assets/cortex-conf-sandbox.png b/analyzers/assets/cortex-conf-sandbox.png
new file mode 100644
index 000000000..91fbe3924
Binary files /dev/null and b/analyzers/assets/cortex-conf-sandbox.png differ
diff --git a/analyzers/assets/cortex-conf-vulns.png b/analyzers/assets/cortex-conf-vulns.png
new file mode 100644
index 000000000..c2f254653
Binary files /dev/null and b/analyzers/assets/cortex-conf-vulns.png differ
diff --git a/analyzers/assets/crowdsec-analyzer-result-example.png b/analyzers/assets/crowdsec-analyzer-result-example.png
new file mode 100644
index 000000000..e09efea53
Binary files /dev/null and b/analyzers/assets/crowdsec-analyzer-result-example.png differ
diff --git a/analyzers/assets/crowdsec-logo.png b/analyzers/assets/crowdsec-logo.png
new file mode 100644
index 000000000..b52c55514
Binary files /dev/null and b/analyzers/assets/crowdsec-logo.png differ
diff --git a/analyzers/assets/crowdsec-report-long.png b/analyzers/assets/crowdsec-report-long.png
new file mode 100644
index 000000000..3deed2f1f
Binary files /dev/null and b/analyzers/assets/crowdsec-report-long.png differ
diff --git a/analyzers/assets/cuckoosandbox.png b/analyzers/assets/cuckoosandbox.png
new file mode 100644
index 000000000..883922209
Binary files /dev/null and b/analyzers/assets/cuckoosandbox.png differ
diff --git a/analyzers/assets/cve_long_template.gif b/analyzers/assets/cve_long_template.gif
new file mode 100644
index 000000000..d491ffb23
Binary files /dev/null and b/analyzers/assets/cve_long_template.gif differ
diff --git a/analyzers/assets/cve_short_template.png b/analyzers/assets/cve_short_template.png
new file mode 100644
index 000000000..8c71e8403
Binary files /dev/null and b/analyzers/assets/cve_short_template.png differ
diff --git a/analyzers/assets/cyberchef.png b/analyzers/assets/cyberchef.png
new file mode 100644
index 000000000..eb1822862
Binary files /dev/null and b/analyzers/assets/cyberchef.png differ
diff --git a/analyzers/assets/cybercrime.png b/analyzers/assets/cybercrime.png
new file mode 100644
index 000000000..467c95262
Binary files /dev/null and b/analyzers/assets/cybercrime.png differ
diff --git a/analyzers/assets/cylance_host_lookup_long.png b/analyzers/assets/cylance_host_lookup_long.png
new file mode 100644
index 000000000..e4dabbfad
Binary files /dev/null and b/analyzers/assets/cylance_host_lookup_long.png differ
diff --git a/analyzers/assets/cylance_logo.png b/analyzers/assets/cylance_logo.png
new file mode 100644
index 000000000..0205eae04
Binary files /dev/null and b/analyzers/assets/cylance_logo.png differ
diff --git a/analyzers/assets/cylance_sample_lookup_long.png b/analyzers/assets/cylance_sample_lookup_long.png
new file mode 100644
index 000000000..b2113ea1a
Binary files /dev/null and b/analyzers/assets/cylance_sample_lookup_long.png differ
diff --git a/analyzers/assets/cylance_sample_lookup_short.png b/analyzers/assets/cylance_sample_lookup_short.png new file mode 100644 index 000000000..768c20f61 Binary files /dev/null and b/analyzers/assets/cylance_sample_lookup_short.png differ diff --git a/analyzers/assets/diario_get_report_long.png b/analyzers/assets/diario_get_report_long.png new file mode 100644 index 000000000..40f70b6ff Binary files /dev/null and b/analyzers/assets/diario_get_report_long.png differ diff --git a/analyzers/assets/diario_get_report_short.png b/analyzers/assets/diario_get_report_short.png new file mode 100644 index 000000000..eea8f9c71 Binary files /dev/null and b/analyzers/assets/diario_get_report_short.png differ diff --git a/analyzers/assets/diario_scan_long.png b/analyzers/assets/diario_scan_long.png new file mode 100644 index 000000000..18c2ff674 Binary files /dev/null and b/analyzers/assets/diario_scan_long.png differ diff --git a/analyzers/assets/diario_scan_short.png b/analyzers/assets/diario_scan_short.png new file mode 100644 index 000000000..d347d9cd8 Binary files /dev/null and b/analyzers/assets/diario_scan_short.png differ diff --git a/analyzers/assets/domainMailSPFDMARC_get_reports_0.png b/analyzers/assets/domainMailSPFDMARC_get_reports_0.png new file mode 100644 index 000000000..395b5f2c0 Binary files /dev/null and b/analyzers/assets/domainMailSPFDMARC_get_reports_0.png differ diff --git a/analyzers/assets/domainMailSPFDMARC_get_reports_1.png b/analyzers/assets/domainMailSPFDMARC_get_reports_1.png new file mode 100644 index 000000000..2b89fb9c0 Binary files /dev/null and b/analyzers/assets/domainMailSPFDMARC_get_reports_1.png differ diff --git a/analyzers/assets/domaintools_favicon.svg b/analyzers/assets/domaintools_favicon.svg new file mode 100644 index 000000000..655e38c86 --- /dev/null +++ b/analyzers/assets/domaintools_favicon.svg @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/analyzers/assets/domaintools_logo.png b/analyzers/assets/domaintools_logo.png
new file mode 100644
index 000000000..57cdec868
Binary files /dev/null and b/analyzers/assets/domaintools_logo.png differ
diff --git a/analyzers/assets/dshield.png b/analyzers/assets/dshield.png
new file mode 100644
index 000000000..4724f6afe
Binary files /dev/null and b/analyzers/assets/dshield.png differ
diff --git a/analyzers/assets/echotrail_filename_report.png b/analyzers/assets/echotrail_filename_report.png
new file mode 100644
index 000000000..76ba68144
Binary files /dev/null and b/analyzers/assets/echotrail_filename_report.png differ
diff --git a/analyzers/assets/echotrail_logo.png b/analyzers/assets/echotrail_logo.png
new file mode 100644
index 000000000..d60260d62
Binary files /dev/null and b/analyzers/assets/echotrail_logo.png differ
diff --git a/analyzers/assets/emailrep.png b/analyzers/assets/emailrep.png
new file mode 100644
index 000000000..22be2dcaf
Binary files /dev/null and b/analyzers/assets/emailrep.png differ
diff --git a/analyzers/assets/emlparser-extracted-observables.png b/analyzers/assets/emlparser-extracted-observables.png
new file mode 100644
index 000000000..42fed54f2
Binary files /dev/null and b/analyzers/assets/emlparser-extracted-observables.png differ
diff --git a/analyzers/assets/emlparser-long.png b/analyzers/assets/emlparser-long.png
new file mode 100644
index 000000000..02efcb6ed
Binary files /dev/null and b/analyzers/assets/emlparser-long.png differ
diff --git a/analyzers/assets/emlparser-short.png b/analyzers/assets/emlparser-short.png
new file mode 100644
index 000000000..c57557ff3
Binary files /dev/null and b/analyzers/assets/emlparser-short.png differ
diff --git a/analyzers/assets/fireeyeisight.png b/analyzers/assets/fireeyeisight.png
new file mode 100644
index 000000000..768675421
Binary files /dev/null and b/analyzers/assets/fireeyeisight.png differ
diff --git a/analyzers/assets/firehol.png b/analyzers/assets/firehol.png
new file mode 100644
index 000000000..5dd564b75
Binary files /dev/null and b/analyzers/assets/firehol.png differ
diff --git a/analyzers/assets/forcepoin_logo.png b/analyzers/assets/forcepoin_logo.png
new file mode 100644
index 000000000..fc2cbb217
Binary files /dev/null and b/analyzers/assets/forcepoin_logo.png differ
diff --git a/analyzers/assets/fortiguard.png b/analyzers/assets/fortiguard.png
new file mode 100644
index 000000000..b5619b7dd
Binary files /dev/null and b/analyzers/assets/fortiguard.png differ
diff --git a/analyzers/assets/greynoise.png b/analyzers/assets/greynoise.png
new file mode 100644
index 000000000..57ac0542c
Binary files /dev/null and b/analyzers/assets/greynoise.png differ
diff --git a/analyzers/assets/hashdd.png b/analyzers/assets/hashdd.png
new file mode 100644
index 000000000..4c95858b2
Binary files /dev/null and b/analyzers/assets/hashdd.png differ
diff --git a/analyzers/assets/hunter.png b/analyzers/assets/hunter.png
new file mode 100644
index 000000000..4c2dc566e
Binary files /dev/null and b/analyzers/assets/hunter.png differ
diff --git a/analyzers/assets/images_preview.png b/analyzers/assets/images_preview.png
new file mode 100644
index 000000000..037c0ff69
Binary files /dev/null and b/analyzers/assets/images_preview.png differ
diff --git a/analyzers/assets/inoitsu_logo.png b/analyzers/assets/inoitsu_logo.png
new file mode 100644
index 000000000..79a7361ef
Binary files /dev/null and b/analyzers/assets/inoitsu_logo.png differ
diff --git a/analyzers/assets/intezer.png b/analyzers/assets/intezer.png
new file mode 100644
index 000000000..daf8cc621
Binary files /dev/null and b/analyzers/assets/intezer.png differ
diff --git a/analyzers/assets/ioc_long_template.png b/analyzers/assets/ioc_long_template.png
new file mode 100644
index 000000000..2d0f7885a
Binary files /dev/null and b/analyzers/assets/ioc_long_template.png differ
diff --git a/analyzers/assets/ioc_short_template.png b/analyzers/assets/ioc_short_template.png
new file mode 100644
index 000000000..36686c9fb
Binary files /dev/null and b/analyzers/assets/ioc_short_template.png differ
diff --git a/analyzers/assets/ioc_with_malware_family.PNG b/analyzers/assets/ioc_with_malware_family.PNG
new file mode 100644
index 000000000..382bee776
Binary files /dev/null and b/analyzers/assets/ioc_with_malware_family.PNG differ
diff --git a/analyzers/assets/ivre_logo.png b/analyzers/assets/ivre_logo.png
new file mode 100644
index 000000000..a22935b0c
Binary files /dev/null and b/analyzers/assets/ivre_logo.png differ
diff --git a/analyzers/assets/jupyter.png b/analyzers/assets/jupyter.png
new file mode 100644
index 000000000..743264980
Binary files /dev/null and b/analyzers/assets/jupyter.png differ
diff --git a/analyzers/assets/logo.png b/analyzers/assets/logo.png
new file mode 100644
index 000000000..c8687fc0e
Binary files /dev/null and b/analyzers/assets/logo.png differ
diff --git a/analyzers/assets/logo_opencti.png b/analyzers/assets/logo_opencti.png
new file mode 100644
index 000000000..f3516317d
Binary files /dev/null and b/analyzers/assets/logo_opencti.png differ
diff --git a/analyzers/assets/long-report-alerts.png b/analyzers/assets/long-report-alerts.png
new file mode 100644
index 000000000..cbbaf3cde
Binary files /dev/null and b/analyzers/assets/long-report-alerts.png differ
diff --git a/analyzers/assets/long-report-deviceinfo.png b/analyzers/assets/long-report-deviceinfo.png
new file mode 100644
index 000000000..2987eafac
Binary files /dev/null and b/analyzers/assets/long-report-deviceinfo.png differ
diff --git a/analyzers/assets/long-report-sandbox.png b/analyzers/assets/long-report-sandbox.png
new file mode 100644
index 000000000..57d516e60
Binary files /dev/null and b/analyzers/assets/long-report-sandbox.png differ
diff --git a/analyzers/assets/long-report-vulns.png b/analyzers/assets/long-report-vulns.png
new file mode 100644
index 000000000..731bac331
Binary files /dev/null and b/analyzers/assets/long-report-vulns.png differ
diff --git a/analyzers/assets/long_report.png b/analyzers/assets/long_report.png
new file mode 100644
index 000000000..3674727da
Binary files /dev/null and b/analyzers/assets/long_report.png differ
diff --git a/analyzers/assets/long_report_domain.png b/analyzers/assets/long_report_domain.png
new file mode 100644
index 000000000..ab73e6853
Binary files /dev/null and b/analyzers/assets/long_report_domain.png differ
diff --git a/analyzers/assets/long_report_hash.png b/analyzers/assets/long_report_hash.png
new file mode 100644
index 000000000..a1d8f7648
Binary files /dev/null and b/analyzers/assets/long_report_hash.png differ
diff --git a/analyzers/assets/long_report_ip.png b/analyzers/assets/long_report_ip.png
new file mode 100644
index 000000000..05875359e
Binary files /dev/null and b/analyzers/assets/long_report_ip.png differ
diff --git a/analyzers/assets/maltiverse.png b/analyzers/assets/maltiverse.png
new file mode 100644
index 000000000..0954d1a0a
Binary files /dev/null and b/analyzers/assets/maltiverse.png differ
diff --git a/analyzers/assets/malwarebazaar.png b/analyzers/assets/malwarebazaar.png
new file mode 100644
index 000000000..9a95608b5
Binary files /dev/null and b/analyzers/assets/malwarebazaar.png differ
diff --git a/analyzers/assets/malwares.png b/analyzers/assets/malwares.png
new file mode 100644
index 000000000..879e3f449
Binary files /dev/null and b/analyzers/assets/malwares.png differ
diff --git a/analyzers/assets/misp.png b/analyzers/assets/misp.png
new file mode 100644
index 000000000..c19ee1880
Binary files /dev/null and b/analyzers/assets/misp.png differ
diff --git a/analyzers/assets/nerd_0.png b/analyzers/assets/nerd_0.png
new file mode 100644
index 000000000..de1be6931
Binary files /dev/null and b/analyzers/assets/nerd_0.png differ
diff --git a/analyzers/assets/nerd_1.png b/analyzers/assets/nerd_1.png
new file mode 100644
index 000000000..94d57ea95
Binary files /dev/null and b/analyzers/assets/nerd_1.png differ
diff --git a/analyzers/assets/nerd_logo.png b/analyzers/assets/nerd_logo.png
new file mode 100644
index 000000000..27166fb18
Binary files /dev/null and b/analyzers/assets/nerd_logo.png differ
diff --git a/analyzers/assets/onyphe_logo.png b/analyzers/assets/onyphe_logo.png
new file mode 100644
index 000000000..dfa143cb6
Binary files /dev/null and b/analyzers/assets/onyphe_logo.png differ
diff --git a/analyzers/assets/palo_alto_logo.png b/analyzers/assets/palo_alto_logo.png
new file mode 100644
index 000000000..74abdf26b
Binary files /dev/null and b/analyzers/assets/palo_alto_logo.png differ
diff --git a/analyzers/assets/passivedns.png b/analyzers/assets/passivedns.png
new file mode 100644
index 000000000..4959a8477
Binary files /dev/null and b/analyzers/assets/passivedns.png differ
diff --git a/analyzers/assets/patrowl-longreport.png b/analyzers/assets/patrowl-longreport.png
new file mode 100644
index 000000000..6ce9dcff5
Binary files /dev/null and b/analyzers/assets/patrowl-longreport.png differ
diff --git a/analyzers/assets/patrowl-minireport.png b/analyzers/assets/patrowl-minireport.png
new file mode 100644
index 000000000..7f05744bc
Binary files /dev/null and b/analyzers/assets/patrowl-minireport.png differ
diff --git a/analyzers/assets/phish_tank.png b/analyzers/assets/phish_tank.png
new file mode 100644
index 000000000..ff2e6ad26
Binary files /dev/null and b/analyzers/assets/phish_tank.png differ
diff --git a/analyzers/assets/phishing-initiative.png b/analyzers/assets/phishing-initiative.png
new file mode 100644
index 000000000..05ab11eb0
Binary files /dev/null and b/analyzers/assets/phishing-initiative.png differ
diff --git a/analyzers/assets/proofpoint.png b/analyzers/assets/proofpoint.png
new file mode 100644
index 000000000..9b2e10c03
Binary files /dev/null and b/analyzers/assets/proofpoint.png differ
diff --git a/analyzers/assets/pssl.png b/analyzers/assets/pssl.png
new file mode 100644
index 000000000..e92c87d0f
Binary files /dev/null and b/analyzers/assets/pssl.png differ
diff --git a/analyzers/assets/qrdecode-extracted-observables.png b/analyzers/assets/qrdecode-extracted-observables.png
new file mode 100644
index 000000000..4787594b4
Binary files /dev/null and b/analyzers/assets/qrdecode-extracted-observables.png differ
diff --git a/analyzers/assets/qrdecode-stats.png b/analyzers/assets/qrdecode-stats.png
new file mode 100644
index 000000000..44e57dc78
Binary files /dev/null and b/analyzers/assets/qrdecode-stats.png differ
diff --git a/analyzers/assets/qrdecode-summary-report.png b/analyzers/assets/qrdecode-summary-report.png
new file mode 100644
index 000000000..100f25fc1
Binary files /dev/null and b/analyzers/assets/qrdecode-summary-report.png differ
diff --git a/analyzers/assets/recorded_future_triage_logo.png b/analyzers/assets/recorded_future_triage_logo.png
new file mode 100644
index 000000000..cd57b0a50
Binary files /dev/null and b/analyzers/assets/recorded_future_triage_logo.png differ
diff --git a/analyzers/assets/recordedfuture-logo.png b/analyzers/assets/recordedfuture-logo.png
new file mode 100644
index 000000000..2da3ffadd
Binary files /dev/null and b/analyzers/assets/recordedfuture-logo.png differ
diff --git a/analyzers/assets/sb-logo.jpg b/analyzers/assets/sb-logo.jpg
new file mode 100644
index 000000000..20d1c74d0
Binary files /dev/null and b/analyzers/assets/sb-logo.jpg differ
diff --git a/analyzers/assets/sc-long-circlpassivedns.png b/analyzers/assets/sc-long-circlpassivedns.png
new file mode 100644
index 000000000..a37c9a132
Binary files /dev/null and b/analyzers/assets/sc-long-circlpassivedns.png differ
diff --git a/analyzers/assets/sc-long-circlpassivessl.png b/analyzers/assets/sc-long-circlpassivessl.png
new file mode 100644
index 000000000..35a055c84
Binary files /dev/null and b/analyzers/assets/sc-long-circlpassivessl.png differ
diff --git a/analyzers/assets/sc-short-circlpassivedns.png b/analyzers/assets/sc-short-circlpassivedns.png
new file mode 100644
index 000000000..ad6762982
Binary files /dev/null and b/analyzers/assets/sc-short-circlpassivedns.png differ
diff --git a/analyzers/assets/sc-short-circlpassivessl.png b/analyzers/assets/sc-short-circlpassivessl.png
new file mode 100644
index 000000000..f876cea6b
Binary files /dev/null and b/analyzers/assets/sc-short-circlpassivessl.png differ
diff --git a/analyzers/assets/screenshot_cortex_analyzer_settings_example.png b/analyzers/assets/screenshot_cortex_analyzer_settings_example.png
new file mode 100644
index 000000000..860bd6b4b
Binary files /dev/null and b/analyzers/assets/screenshot_cortex_analyzer_settings_example.png differ
diff --git a/analyzers/assets/screenshot_jupyter_artifacts.png b/analyzers/assets/screenshot_jupyter_artifacts.png
new file mode 100644
index 000000000..4e9c9b12f
Binary files /dev/null and b/analyzers/assets/screenshot_jupyter_artifacts.png differ
diff --git a/analyzers/assets/screenshot_jupyter_parameters.png b/analyzers/assets/screenshot_jupyter_parameters.png
new file mode 100644
index 000000000..2201f1f15
Binary files /dev/null and b/analyzers/assets/screenshot_jupyter_parameters.png differ
diff --git a/analyzers/assets/screenshot_jupyter_taxonomies.png b/analyzers/assets/screenshot_jupyter_taxonomies.png
new file mode 100644
index 000000000..8fa5c61e0
Binary files /dev/null and b/analyzers/assets/screenshot_jupyter_taxonomies.png differ
diff --git a/analyzers/assets/screenshot_thehive_artifacts.png b/analyzers/assets/screenshot_thehive_artifacts.png
new file mode 100644
index 000000000..e245488a7
Binary files /dev/null and b/analyzers/assets/screenshot_thehive_artifacts.png differ
diff --git a/analyzers/assets/screenshot_thehive_report.png b/analyzers/assets/screenshot_thehive_report.png
new file mode 100644
index 000000000..bb15cb306
Binary files /dev/null and b/analyzers/assets/screenshot_thehive_report.png differ
diff --git a/analyzers/assets/screenshot_thehive_taxonomies1.png b/analyzers/assets/screenshot_thehive_taxonomies1.png
new file mode 100644
index 000000000..ce7ab5476
Binary files /dev/null and b/analyzers/assets/screenshot_thehive_taxonomies1.png differ
diff --git a/analyzers/assets/screenshot_thehive_taxonomies2.png b/analyzers/assets/screenshot_thehive_taxonomies2.png
new file mode 100644
index 000000000..833ef0061
Binary files /dev/null and b/analyzers/assets/screenshot_thehive_taxonomies2.png differ
diff --git a/analyzers/assets/sekoia_logo.png b/analyzers/assets/sekoia_logo.png
new file mode 100644
index 000000000..9132e8d06
Binary files /dev/null and b/analyzers/assets/sekoia_logo.png differ
diff --git a/analyzers/assets/short-report-alerts.png b/analyzers/assets/short-report-alerts.png
new file mode 100644
index 000000000..a7647ef86
Binary files /dev/null and b/analyzers/assets/short-report-alerts.png differ
diff --git a/analyzers/assets/short-report-deviceinfo.png b/analyzers/assets/short-report-deviceinfo.png
new file mode 100644
index 000000000..df8acafd0
Binary files /dev/null and b/analyzers/assets/short-report-deviceinfo.png differ
diff --git a/analyzers/assets/short-report-sandbox.png b/analyzers/assets/short-report-sandbox.png
new file mode 100644
index 000000000..31e87539c
Binary files /dev/null and b/analyzers/assets/short-report-sandbox.png differ
diff --git a/analyzers/assets/short-report-vulns.png b/analyzers/assets/short-report-vulns.png
new file mode 100644
index 000000000..63307dd5e
Binary files /dev/null and b/analyzers/assets/short-report-vulns.png differ
diff --git a/analyzers/assets/short_report.png b/analyzers/assets/short_report.png
new file mode 100644
index 000000000..b5e750e62
Binary files /dev/null and b/analyzers/assets/short_report.png differ
diff --git a/analyzers/assets/splunk_domain_logo.png b/analyzers/assets/splunk_domain_logo.png
new file mode 100644
index 000000000..c4f4c4d6c
Binary files /dev/null and b/analyzers/assets/splunk_domain_logo.png differ
diff --git a/analyzers/assets/splunk_file_logo.png b/analyzers/assets/splunk_file_logo.png
new file mode 100644
index 000000000..9a5eb79e4
Binary files /dev/null and b/analyzers/assets/splunk_file_logo.png differ
diff --git a/analyzers/assets/splunk_hash_logo.png b/analyzers/assets/splunk_hash_logo.png
new file mode 100644
index 000000000..c9d853747
Binary files /dev/null and b/analyzers/assets/splunk_hash_logo.png differ
diff --git a/analyzers/assets/splunk_ip_logo.png b/analyzers/assets/splunk_ip_logo.png
new file mode 100644
index 000000000..9274c1d59
Binary files /dev/null and b/analyzers/assets/splunk_ip_logo.png differ
diff --git a/analyzers/assets/splunk_mail_logo.png b/analyzers/assets/splunk_mail_logo.png
new file mode 100644
index 000000000..2a744b884
Binary files /dev/null and b/analyzers/assets/splunk_mail_logo.png differ
diff --git a/analyzers/assets/splunk_mail_subject_logo.png b/analyzers/assets/splunk_mail_subject_logo.png
new file mode 100644
index 000000000..2ccdb4592
Binary files /dev/null and b/analyzers/assets/splunk_mail_subject_logo.png differ
diff --git a/analyzers/assets/splunk_other_logo.png b/analyzers/assets/splunk_other_logo.png
new file mode 100644
index 000000000..db14e5810
Binary files /dev/null and b/analyzers/assets/splunk_other_logo.png differ
diff --git a/analyzers/assets/splunk_registry_logo.png b/analyzers/assets/splunk_registry_logo.png
new file mode 100644
index 000000000..b7f7e93dd
Binary files /dev/null and b/analyzers/assets/splunk_registry_logo.png differ
diff --git a/analyzers/assets/splunk_url_logo.png b/analyzers/assets/splunk_url_logo.png
new file mode 100644
index 000000000..e09a7124f
Binary files /dev/null and b/analyzers/assets/splunk_url_logo.png differ
diff --git a/analyzers/assets/splunk_user_agent_logo.png b/analyzers/assets/splunk_user_agent_logo.png
new file mode 100644
index 000000000..01463cde4
Binary files /dev/null and b/analyzers/assets/splunk_user_agent_logo.png differ
diff --git a/analyzers/assets/splunk_user_logo.png b/analyzers/assets/splunk_user_logo.png
new file mode 100644
index 000000000..eae965512
Binary files /dev/null and b/analyzers/assets/splunk_user_logo.png differ
diff --git a/analyzers/assets/theHive_add_cve.png b/analyzers/assets/theHive_add_cve.png
new file mode 100644
index 000000000..ac79047eb
Binary files /dev/null and b/analyzers/assets/theHive_add_cve.png differ
diff --git a/analyzers/assets/thor_thunderstorm_logo.png b/analyzers/assets/thor_thunderstorm_logo.png
new file mode 100644
index 000000000..f9e4366b0
Binary files /dev/null and b/analyzers/assets/thor_thunderstorm_logo.png differ
diff --git a/analyzers/assets/threatscore.jpg b/analyzers/assets/threatscore.jpg
new file mode 100644
index 000000000..3d8f0b3ec
Binary files /dev/null and b/analyzers/assets/threatscore.jpg differ
diff --git a/analyzers/assets/triage_cortex_settings.png b/analyzers/assets/triage_cortex_settings.png
new file mode 100644
index 000000000..d994dfd5c
Binary files /dev/null and b/analyzers/assets/triage_cortex_settings.png differ
diff --git a/analyzers/assets/triage_long_report.png b/analyzers/assets/triage_long_report.png
new file mode 100644
index 000000000..13c382e45
Binary files /dev/null and b/analyzers/assets/triage_long_report.png differ
diff --git a/analyzers/assets/triage_verdict.png b/analyzers/assets/triage_verdict.png
new file mode 100644
index 000000000..5b7f144e3
Binary files /dev/null and b/analyzers/assets/triage_verdict.png differ
diff --git a/analyzers/assets/virusshare.png b/analyzers/assets/virusshare.png
new file mode 100644
index 000000000..1c9bb58d9
Binary files /dev/null and b/analyzers/assets/virusshare.png differ
diff --git a/analyzers/assets/virustotal-extracted-observables.png b/analyzers/assets/virustotal-extracted-observables.png
new file mode 100644
index 000000000..2a9d14a10
Binary files /dev/null and b/analyzers/assets/virustotal-extracted-observables.png differ
diff --git a/analyzers/assets/virustotal-ids-sandbox-urls.png b/analyzers/assets/virustotal-ids-sandbox-urls.png
new file mode 100644
index 000000000..d17c0465e
Binary files /dev/null and b/analyzers/assets/virustotal-ids-sandbox-urls.png differ
diff --git a/analyzers/assets/virustotal-logo.png b/analyzers/assets/virustotal-logo.png
new file mode 100644
index 000000000..7e6024421
Binary files /dev/null and b/analyzers/assets/virustotal-logo.png differ
diff --git a/analyzers/assets/virustotal-scan.png b/analyzers/assets/virustotal-scan.png
new file mode 100644
index 000000000..7eb3ea153
Binary files /dev/null and b/analyzers/assets/virustotal-scan.png differ
diff --git a/analyzers/assets/virustotal-summary-report.png b/analyzers/assets/virustotal-summary-report.png
new file mode 100644
index 000000000..6cde36f12
Binary files /dev/null and b/analyzers/assets/virustotal-summary-report.png differ
diff --git a/analyzers/assets/virustotal-yara.png b/analyzers/assets/virustotal-yara.png
new file mode 100644
index 000000000..4516ec329
Binary files /dev/null and b/analyzers/assets/virustotal-yara.png differ
diff --git a/analyzers/assets/vulners_api.png b/analyzers/assets/vulners_api.png
new file mode 100644
index 000000000..54bf6602c
Binary files /dev/null and b/analyzers/assets/vulners_api.png differ
diff --git a/analyzers/assets/vulners_logo.png b/analyzers/assets/vulners_logo.png
new file mode 100644
index 000000000..11c33de55
Binary files /dev/null and b/analyzers/assets/vulners_logo.png differ
diff --git a/analyzers/assets/wildfire_file.png b/analyzers/assets/wildfire_file.png
new file mode 100644
index 000000000..e35dc918e
Binary files /dev/null and b/analyzers/assets/wildfire_file.png differ
diff --git a/analyzers/assets/wildfire_url.png b/analyzers/assets/wildfire_url.png
new file mode 100644
index 000000000..283a3332f
Binary files /dev/null and b/analyzers/assets/wildfire_url.png differ
diff --git a/analyzers/assets/zscaler_logo.png b/analyzers/assets/zscaler_logo.png
new file mode 100644
index 000000000..b8151850a
Binary files /dev/null and b/analyzers/assets/zscaler_logo.png differ
diff --git a/analyzers/assets/zscaler_url_lookup_long.png b/analyzers/assets/zscaler_url_lookup_long.png
new file mode 100644
index 000000000..d74b6a78c
Binary files /dev/null and b/analyzers/assets/zscaler_url_lookup_long.png differ
diff --git a/analyzers/assets/zscaler_url_lookup_short.png b/analyzers/assets/zscaler_url_lookup_short.png
new file mode 100644
index 000000000..019c790e1
Binary files /dev/null and b/analyzers/assets/zscaler_url_lookup_short.png differ
diff --git a/assets/images/favicon.png b/assets/images/favicon.png
new file mode 100644
index 000000000..1cf13b9f9
Binary files /dev/null and b/assets/images/favicon.png differ
diff --git a/assets/javascripts/bundle.88dd0f4e.min.js b/assets/javascripts/bundle.88dd0f4e.min.js
new file mode 100644
index 000000000..fb8f31090
--- /dev/null
+++ b/assets/javascripts/bundle.88dd0f4e.min.js
@@ -0,0 +1,16 @@ +"use strict";(()=>{var Wi=Object.create;var gr=Object.defineProperty;var Di=Object.getOwnPropertyDescriptor;var Vi=Object.getOwnPropertyNames,Vt=Object.getOwnPropertySymbols,Ni=Object.getPrototypeOf,yr=Object.prototype.hasOwnProperty,ao=Object.prototype.propertyIsEnumerable;var io=(e,t,r)=>t in e?gr(e,t,{enumerable:!0,configurable:!0,writable:!0,value:r}):e[t]=r,$=(e,t)=>{for(var r in t||(t={}))yr.call(t,r)&&io(e,r,t[r]);if(Vt)for(var r of Vt(t))ao.call(t,r)&&io(e,r,t[r]);return e};var so=(e,t)=>{var r={};for(var o in e)yr.call(e,o)&&t.indexOf(o)<0&&(r[o]=e[o]);if(e!=null&&Vt)for(var o of Vt(e))t.indexOf(o)<0&&ao.call(e,o)&&(r[o]=e[o]);return r};var xr=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports);var zi=(e,t,r,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of Vi(t))!yr.call(e,n)&&n!==r&&gr(e,n,{get:()=>t[n],enumerable:!(o=Di(t,n))||o.enumerable});return e};var Mt=(e,t,r)=>(r=e!=null?Wi(Ni(e)):{},zi(t||!e||!e.__esModule?gr(r,"default",{value:e,enumerable:!0}):r,e));var co=(e,t,r)=>new Promise((o,n)=>{var i=p=>{try{s(r.next(p))}catch(c){n(c)}},a=p=>{try{s(r.throw(p))}catch(c){n(c)}},s=p=>p.done?o(p.value):Promise.resolve(p.value).then(i,a);s((r=r.apply(e,t)).next())});var lo=xr((Er,po)=>{(function(e,t){typeof Er=="object"&&typeof po!="undefined"?t():typeof define=="function"&&define.amd?define(t):t()})(Er,function(){"use strict";function e(r){var o=!0,n=!1,i=null,a={text:!0,search:!0,url:!0,tel:!0,email:!0,password:!0,number:!0,date:!0,month:!0,week:!0,time:!0,datetime:!0,"datetime-local":!0};function s(k){return!!(k&&k!==document&&k.nodeName!=="HTML"&&k.nodeName!=="BODY"&&"classList"in k&&"contains"in k.classList)}function p(k){var ft=k.type,qe=k.tagName;return!!(qe==="INPUT"&&a[ft]&&!k.readOnly||qe==="TEXTAREA"&&!k.readOnly||k.isContentEditable)}function c(k){k.classList.contains("focus-visible")||(k.classList.add("focus-visible"),k.setAttribute("data-focus-visible-added",""))}function 
l(k){k.hasAttribute("data-focus-visible-added")&&(k.classList.remove("focus-visible"),k.removeAttribute("data-focus-visible-added"))}function f(k){k.metaKey||k.altKey||k.ctrlKey||(s(r.activeElement)&&c(r.activeElement),o=!0)}function u(k){o=!1}function d(k){s(k.target)&&(o||p(k.target))&&c(k.target)}function y(k){s(k.target)&&(k.target.classList.contains("focus-visible")||k.target.hasAttribute("data-focus-visible-added"))&&(n=!0,window.clearTimeout(i),i=window.setTimeout(function(){n=!1},100),l(k.target))}function L(k){document.visibilityState==="hidden"&&(n&&(o=!0),X())}function X(){document.addEventListener("mousemove",J),document.addEventListener("mousedown",J),document.addEventListener("mouseup",J),document.addEventListener("pointermove",J),document.addEventListener("pointerdown",J),document.addEventListener("pointerup",J),document.addEventListener("touchmove",J),document.addEventListener("touchstart",J),document.addEventListener("touchend",J)}function te(){document.removeEventListener("mousemove",J),document.removeEventListener("mousedown",J),document.removeEventListener("mouseup",J),document.removeEventListener("pointermove",J),document.removeEventListener("pointerdown",J),document.removeEventListener("pointerup",J),document.removeEventListener("touchmove",J),document.removeEventListener("touchstart",J),document.removeEventListener("touchend",J)}function 
J(k){k.target.nodeName&&k.target.nodeName.toLowerCase()==="html"||(o=!1,te())}document.addEventListener("keydown",f,!0),document.addEventListener("mousedown",u,!0),document.addEventListener("pointerdown",u,!0),document.addEventListener("touchstart",u,!0),document.addEventListener("visibilitychange",L,!0),X(),r.addEventListener("focus",d,!0),r.addEventListener("blur",y,!0),r.nodeType===Node.DOCUMENT_FRAGMENT_NODE&&r.host?r.host.setAttribute("data-js-focus-visible",""):r.nodeType===Node.DOCUMENT_NODE&&(document.documentElement.classList.add("js-focus-visible"),document.documentElement.setAttribute("data-js-focus-visible",""))}if(typeof window!="undefined"&&typeof document!="undefined"){window.applyFocusVisiblePolyfill=e;var t;try{t=new CustomEvent("focus-visible-polyfill-ready")}catch(r){t=document.createEvent("CustomEvent"),t.initCustomEvent("focus-visible-polyfill-ready",!1,!1,{})}window.dispatchEvent(t)}typeof document!="undefined"&&e(document)})});var qr=xr((hy,On)=>{"use strict";/*! + * escape-html + * Copyright(c) 2012-2013 TJ Holowaychuk + * Copyright(c) 2015 Andreas Lubbe + * Copyright(c) 2015 Tiancheng "Timothy" Gu + * MIT Licensed + */var $a=/["'&<>]/;On.exports=Pa;function Pa(e){var t=""+e,r=$a.exec(t);if(!r)return t;var o,n="",i=0,a=0;for(i=r.index;i{/*! 
+ * clipboard.js v2.0.11 + * https://clipboardjs.com/ + * + * Licensed MIT © Zeno Rocha + */(function(t,r){typeof It=="object"&&typeof Yr=="object"?Yr.exports=r():typeof define=="function"&&define.amd?define([],r):typeof It=="object"?It.ClipboardJS=r():t.ClipboardJS=r()})(It,function(){return function(){var e={686:function(o,n,i){"use strict";i.d(n,{default:function(){return Ui}});var a=i(279),s=i.n(a),p=i(370),c=i.n(p),l=i(817),f=i.n(l);function u(V){try{return document.execCommand(V)}catch(A){return!1}}var d=function(A){var M=f()(A);return u("cut"),M},y=d;function L(V){var A=document.documentElement.getAttribute("dir")==="rtl",M=document.createElement("textarea");M.style.fontSize="12pt",M.style.border="0",M.style.padding="0",M.style.margin="0",M.style.position="absolute",M.style[A?"right":"left"]="-9999px";var F=window.pageYOffset||document.documentElement.scrollTop;return M.style.top="".concat(F,"px"),M.setAttribute("readonly",""),M.value=V,M}var X=function(A,M){var F=L(A);M.container.appendChild(F);var D=f()(F);return u("copy"),F.remove(),D},te=function(A){var M=arguments.length>1&&arguments[1]!==void 0?arguments[1]:{container:document.body},F="";return typeof A=="string"?F=X(A,M):A instanceof HTMLInputElement&&!["text","search","url","tel","password"].includes(A==null?void 0:A.type)?F=X(A.value,M):(F=f()(A),u("copy")),F},J=te;function k(V){"@babel/helpers - typeof";return typeof Symbol=="function"&&typeof Symbol.iterator=="symbol"?k=function(M){return typeof M}:k=function(M){return M&&typeof Symbol=="function"&&M.constructor===Symbol&&M!==Symbol.prototype?"symbol":typeof M},k(V)}var ft=function(){var A=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{},M=A.action,F=M===void 0?"copy":M,D=A.container,Y=A.target,$e=A.text;if(F!=="copy"&&F!=="cut")throw new Error('Invalid "action" value, use either "copy" or "cut"');if(Y!==void 0)if(Y&&k(Y)==="object"&&Y.nodeType===1){if(F==="copy"&&Y.hasAttribute("disabled"))throw new Error('Invalid "target" attribute. 
Please use "readonly" instead of "disabled" attribute');if(F==="cut"&&(Y.hasAttribute("readonly")||Y.hasAttribute("disabled")))throw new Error(`Invalid "target" attribute. You can't cut text from elements with "readonly" or "disabled" attributes`)}else throw new Error('Invalid "target" value, use a valid Element');if($e)return J($e,{container:D});if(Y)return F==="cut"?y(Y):J(Y,{container:D})},qe=ft;function Fe(V){"@babel/helpers - typeof";return typeof Symbol=="function"&&typeof Symbol.iterator=="symbol"?Fe=function(M){return typeof M}:Fe=function(M){return M&&typeof Symbol=="function"&&M.constructor===Symbol&&M!==Symbol.prototype?"symbol":typeof M},Fe(V)}function ki(V,A){if(!(V instanceof A))throw new TypeError("Cannot call a class as a function")}function no(V,A){for(var M=0;M0&&arguments[0]!==void 0?arguments[0]:{};this.action=typeof D.action=="function"?D.action:this.defaultAction,this.target=typeof D.target=="function"?D.target:this.defaultTarget,this.text=typeof D.text=="function"?D.text:this.defaultText,this.container=Fe(D.container)==="object"?D.container:document.body}},{key:"listenClick",value:function(D){var Y=this;this.listener=c()(D,"click",function($e){return Y.onClick($e)})}},{key:"onClick",value:function(D){var Y=D.delegateTarget||D.currentTarget,$e=this.action(Y)||"copy",Dt=qe({action:$e,container:this.container,target:this.target(Y),text:this.text(Y)});this.emit(Dt?"success":"error",{action:$e,text:Dt,trigger:Y,clearSelection:function(){Y&&Y.focus(),window.getSelection().removeAllRanges()}})}},{key:"defaultAction",value:function(D){return vr("action",D)}},{key:"defaultTarget",value:function(D){var Y=vr("target",D);if(Y)return document.querySelector(Y)}},{key:"defaultText",value:function(D){return vr("text",D)}},{key:"destroy",value:function(){this.listener.destroy()}}],[{key:"copy",value:function(D){var Y=arguments.length>1&&arguments[1]!==void 0?arguments[1]:{container:document.body};return J(D,Y)}},{key:"cut",value:function(D){return 
y(D)}},{key:"isSupported",value:function(){var D=arguments.length>0&&arguments[0]!==void 0?arguments[0]:["copy","cut"],Y=typeof D=="string"?[D]:D,$e=!!document.queryCommandSupported;return Y.forEach(function(Dt){$e=$e&&!!document.queryCommandSupported(Dt)}),$e}}]),M}(s()),Ui=Fi},828:function(o){var n=9;if(typeof Element!="undefined"&&!Element.prototype.matches){var i=Element.prototype;i.matches=i.matchesSelector||i.mozMatchesSelector||i.msMatchesSelector||i.oMatchesSelector||i.webkitMatchesSelector}function a(s,p){for(;s&&s.nodeType!==n;){if(typeof s.matches=="function"&&s.matches(p))return s;s=s.parentNode}}o.exports=a},438:function(o,n,i){var a=i(828);function s(l,f,u,d,y){var L=c.apply(this,arguments);return l.addEventListener(u,L,y),{destroy:function(){l.removeEventListener(u,L,y)}}}function p(l,f,u,d,y){return typeof l.addEventListener=="function"?s.apply(null,arguments):typeof u=="function"?s.bind(null,document).apply(null,arguments):(typeof l=="string"&&(l=document.querySelectorAll(l)),Array.prototype.map.call(l,function(L){return s(L,f,u,d,y)}))}function c(l,f,u,d){return function(y){y.delegateTarget=a(y.target,f),y.delegateTarget&&d.call(l,y)}}o.exports=p},879:function(o,n){n.node=function(i){return i!==void 0&&i instanceof HTMLElement&&i.nodeType===1},n.nodeList=function(i){var a=Object.prototype.toString.call(i);return i!==void 0&&(a==="[object NodeList]"||a==="[object HTMLCollection]")&&"length"in i&&(i.length===0||n.node(i[0]))},n.string=function(i){return typeof i=="string"||i instanceof String},n.fn=function(i){var a=Object.prototype.toString.call(i);return a==="[object Function]"}},370:function(o,n,i){var a=i(879),s=i(438);function p(u,d,y){if(!u&&!d&&!y)throw new Error("Missing required arguments");if(!a.string(d))throw new TypeError("Second argument must be a String");if(!a.fn(y))throw new TypeError("Third argument must be a Function");if(a.node(u))return c(u,d,y);if(a.nodeList(u))return l(u,d,y);if(a.string(u))return f(u,d,y);throw new 
TypeError("First argument must be a String, HTMLElement, HTMLCollection, or NodeList")}function c(u,d,y){return u.addEventListener(d,y),{destroy:function(){u.removeEventListener(d,y)}}}function l(u,d,y){return Array.prototype.forEach.call(u,function(L){L.addEventListener(d,y)}),{destroy:function(){Array.prototype.forEach.call(u,function(L){L.removeEventListener(d,y)})}}}function f(u,d,y){return s(document.body,u,d,y)}o.exports=p},817:function(o){function n(i){var a;if(i.nodeName==="SELECT")i.focus(),a=i.value;else if(i.nodeName==="INPUT"||i.nodeName==="TEXTAREA"){var s=i.hasAttribute("readonly");s||i.setAttribute("readonly",""),i.select(),i.setSelectionRange(0,i.value.length),s||i.removeAttribute("readonly"),a=i.value}else{i.hasAttribute("contenteditable")&&i.focus();var p=window.getSelection(),c=document.createRange();c.selectNodeContents(i),p.removeAllRanges(),p.addRange(c),a=p.toString()}return a}o.exports=n},279:function(o){function n(){}n.prototype={on:function(i,a,s){var p=this.e||(this.e={});return(p[i]||(p[i]=[])).push({fn:a,ctx:s}),this},once:function(i,a,s){var p=this;function c(){p.off(i,c),a.apply(s,arguments)}return c._=a,this.on(i,c,s)},emit:function(i){var a=[].slice.call(arguments,1),s=((this.e||(this.e={}))[i]||[]).slice(),p=0,c=s.length;for(p;p0&&i[i.length-1])&&(c[0]===6||c[0]===2)){r=0;continue}if(c[0]===3&&(!i||c[1]>i[0]&&c[1]=e.length&&(e=void 0),{value:e&&e[o++],done:!e}}};throw new TypeError(t?"Object is not iterable.":"Symbol.iterator is not defined.")}function N(e,t){var r=typeof Symbol=="function"&&e[Symbol.iterator];if(!r)return e;var o=r.call(e),n,i=[],a;try{for(;(t===void 0||t-- >0)&&!(n=o.next()).done;)i.push(n.value)}catch(s){a={error:s}}finally{try{n&&!n.done&&(r=o.return)&&r.call(o)}finally{if(a)throw a.error}}return i}function q(e,t,r){if(r||arguments.length===2)for(var o=0,n=t.length,i;o1||p(d,L)})},y&&(n[d]=y(n[d])))}function p(d,y){try{c(o[d](y))}catch(L){u(i[0][3],L)}}function c(d){d.value instanceof 
nt?Promise.resolve(d.value.v).then(l,f):u(i[0][2],d)}function l(d){p("next",d)}function f(d){p("throw",d)}function u(d,y){d(y),i.shift(),i.length&&p(i[0][0],i[0][1])}}function uo(e){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var t=e[Symbol.asyncIterator],r;return t?t.call(e):(e=typeof he=="function"?he(e):e[Symbol.iterator](),r={},o("next"),o("throw"),o("return"),r[Symbol.asyncIterator]=function(){return this},r);function o(i){r[i]=e[i]&&function(a){return new Promise(function(s,p){a=e[i](a),n(s,p,a.done,a.value)})}}function n(i,a,s,p){Promise.resolve(p).then(function(c){i({value:c,done:s})},a)}}function H(e){return typeof e=="function"}function ut(e){var t=function(o){Error.call(o),o.stack=new Error().stack},r=e(t);return r.prototype=Object.create(Error.prototype),r.prototype.constructor=r,r}var zt=ut(function(e){return function(r){e(this),this.message=r?r.length+` errors occurred during unsubscription: +`+r.map(function(o,n){return n+1+") "+o.toString()}).join(` + `):"",this.name="UnsubscriptionError",this.errors=r}});function Qe(e,t){if(e){var r=e.indexOf(t);0<=r&&e.splice(r,1)}}var Ue=function(){function e(t){this.initialTeardown=t,this.closed=!1,this._parentage=null,this._finalizers=null}return e.prototype.unsubscribe=function(){var t,r,o,n,i;if(!this.closed){this.closed=!0;var a=this._parentage;if(a)if(this._parentage=null,Array.isArray(a))try{for(var s=he(a),p=s.next();!p.done;p=s.next()){var c=p.value;c.remove(this)}}catch(L){t={error:L}}finally{try{p&&!p.done&&(r=s.return)&&r.call(s)}finally{if(t)throw t.error}}else a.remove(this);var l=this.initialTeardown;if(H(l))try{l()}catch(L){i=L instanceof zt?L.errors:[L]}var f=this._finalizers;if(f){this._finalizers=null;try{for(var u=he(f),d=u.next();!d.done;d=u.next()){var y=d.value;try{ho(y)}catch(L){i=i!=null?i:[],L instanceof zt?i=q(q([],N(i)),N(L.errors)):i.push(L)}}}catch(L){o={error:L}}finally{try{d&&!d.done&&(n=u.return)&&n.call(u)}finally{if(o)throw 
o.error}}}if(i)throw new zt(i)}},e.prototype.add=function(t){var r;if(t&&t!==this)if(this.closed)ho(t);else{if(t instanceof e){if(t.closed||t._hasParent(this))return;t._addParent(this)}(this._finalizers=(r=this._finalizers)!==null&&r!==void 0?r:[]).push(t)}},e.prototype._hasParent=function(t){var r=this._parentage;return r===t||Array.isArray(r)&&r.includes(t)},e.prototype._addParent=function(t){var r=this._parentage;this._parentage=Array.isArray(r)?(r.push(t),r):r?[r,t]:t},e.prototype._removeParent=function(t){var r=this._parentage;r===t?this._parentage=null:Array.isArray(r)&&Qe(r,t)},e.prototype.remove=function(t){var r=this._finalizers;r&&Qe(r,t),t instanceof e&&t._removeParent(this)},e.EMPTY=function(){var t=new e;return t.closed=!0,t}(),e}();var Tr=Ue.EMPTY;function qt(e){return e instanceof Ue||e&&"closed"in e&&H(e.remove)&&H(e.add)&&H(e.unsubscribe)}function ho(e){H(e)?e():e.unsubscribe()}var Pe={onUnhandledError:null,onStoppedNotification:null,Promise:void 0,useDeprecatedSynchronousErrorHandling:!1,useDeprecatedNextContext:!1};var dt={setTimeout:function(e,t){for(var r=[],o=2;o0},enumerable:!1,configurable:!0}),t.prototype._trySubscribe=function(r){return this._throwIfClosed(),e.prototype._trySubscribe.call(this,r)},t.prototype._subscribe=function(r){return this._throwIfClosed(),this._checkFinalizedStatuses(r),this._innerSubscribe(r)},t.prototype._innerSubscribe=function(r){var o=this,n=this,i=n.hasError,a=n.isStopped,s=n.observers;return i||a?Tr:(this.currentObservers=null,s.push(r),new Ue(function(){o.currentObservers=null,Qe(s,r)}))},t.prototype._checkFinalizedStatuses=function(r){var o=this,n=o.hasError,i=o.thrownError,a=o.isStopped;n?r.error(i):a&&r.complete()},t.prototype.asObservable=function(){var r=new j;return r.source=this,r},t.create=function(r,o){return new To(r,o)},t}(j);var To=function(e){oe(t,e);function t(r,o){var n=e.call(this)||this;return n.destination=r,n.source=o,n}return t.prototype.next=function(r){var 
o,n;(n=(o=this.destination)===null||o===void 0?void 0:o.next)===null||n===void 0||n.call(o,r)},t.prototype.error=function(r){var o,n;(n=(o=this.destination)===null||o===void 0?void 0:o.error)===null||n===void 0||n.call(o,r)},t.prototype.complete=function(){var r,o;(o=(r=this.destination)===null||r===void 0?void 0:r.complete)===null||o===void 0||o.call(r)},t.prototype._subscribe=function(r){var o,n;return(n=(o=this.source)===null||o===void 0?void 0:o.subscribe(r))!==null&&n!==void 0?n:Tr},t}(g);var _r=function(e){oe(t,e);function t(r){var o=e.call(this)||this;return o._value=r,o}return Object.defineProperty(t.prototype,"value",{get:function(){return this.getValue()},enumerable:!1,configurable:!0}),t.prototype._subscribe=function(r){var o=e.prototype._subscribe.call(this,r);return!o.closed&&r.next(this._value),o},t.prototype.getValue=function(){var r=this,o=r.hasError,n=r.thrownError,i=r._value;if(o)throw n;return this._throwIfClosed(),i},t.prototype.next=function(r){e.prototype.next.call(this,this._value=r)},t}(g);var At={now:function(){return(At.delegate||Date).now()},delegate:void 0};var Ct=function(e){oe(t,e);function t(r,o,n){r===void 0&&(r=1/0),o===void 0&&(o=1/0),n===void 0&&(n=At);var i=e.call(this)||this;return i._bufferSize=r,i._windowTime=o,i._timestampProvider=n,i._buffer=[],i._infiniteTimeWindow=!0,i._infiniteTimeWindow=o===1/0,i._bufferSize=Math.max(1,r),i._windowTime=Math.max(1,o),i}return t.prototype.next=function(r){var o=this,n=o.isStopped,i=o._buffer,a=o._infiniteTimeWindow,s=o._timestampProvider,p=o._windowTime;n||(i.push(r),!a&&i.push(s.now()+p)),this._trimBuffer(),e.prototype.next.call(this,r)},t.prototype._subscribe=function(r){this._throwIfClosed(),this._trimBuffer();for(var o=this._innerSubscribe(r),n=this,i=n._infiniteTimeWindow,a=n._buffer,s=a.slice(),p=0;p0?e.prototype.schedule.call(this,r,o):(this.delay=o,this.state=r,this.scheduler.flush(this),this)},t.prototype.execute=function(r,o){return 
o>0||this.closed?e.prototype.execute.call(this,r,o):this._execute(r,o)},t.prototype.requestAsyncId=function(r,o,n){return n===void 0&&(n=0),n!=null&&n>0||n==null&&this.delay>0?e.prototype.requestAsyncId.call(this,r,o,n):(r.flush(this),0)},t}(gt);var Lo=function(e){oe(t,e);function t(){return e!==null&&e.apply(this,arguments)||this}return t}(yt);var kr=new Lo(Oo);var Mo=function(e){oe(t,e);function t(r,o){var n=e.call(this,r,o)||this;return n.scheduler=r,n.work=o,n}return t.prototype.requestAsyncId=function(r,o,n){return n===void 0&&(n=0),n!==null&&n>0?e.prototype.requestAsyncId.call(this,r,o,n):(r.actions.push(this),r._scheduled||(r._scheduled=vt.requestAnimationFrame(function(){return r.flush(void 0)})))},t.prototype.recycleAsyncId=function(r,o,n){var i;if(n===void 0&&(n=0),n!=null?n>0:this.delay>0)return e.prototype.recycleAsyncId.call(this,r,o,n);var a=r.actions;o!=null&&((i=a[a.length-1])===null||i===void 0?void 0:i.id)!==o&&(vt.cancelAnimationFrame(o),r._scheduled=void 0)},t}(gt);var _o=function(e){oe(t,e);function t(){return e!==null&&e.apply(this,arguments)||this}return t.prototype.flush=function(r){this._active=!0;var o=this._scheduled;this._scheduled=void 0;var n=this.actions,i;r=r||n.shift();do if(i=r.execute(r.state,r.delay))break;while((r=n[0])&&r.id===o&&n.shift());if(this._active=!1,i){for(;(r=n[0])&&r.id===o&&n.shift();)r.unsubscribe();throw i}},t}(yt);var me=new _o(Mo);var S=new j(function(e){return e.complete()});function Yt(e){return e&&H(e.schedule)}function Hr(e){return e[e.length-1]}function Xe(e){return H(Hr(e))?e.pop():void 0}function ke(e){return Yt(Hr(e))?e.pop():void 0}function Bt(e,t){return typeof Hr(e)=="number"?e.pop():t}var xt=function(e){return e&&typeof e.length=="number"&&typeof e!="function"};function Gt(e){return H(e==null?void 0:e.then)}function Jt(e){return H(e[bt])}function Xt(e){return Symbol.asyncIterator&&H(e==null?void 0:e[Symbol.asyncIterator])}function Zt(e){return new TypeError("You provided "+(e!==null&&typeof 
e=="object"?"an invalid object":"'"+e+"'")+" where a stream was expected. You can provide an Observable, Promise, ReadableStream, Array, AsyncIterable, or Iterable.")}function Zi(){return typeof Symbol!="function"||!Symbol.iterator?"@@iterator":Symbol.iterator}var er=Zi();function tr(e){return H(e==null?void 0:e[er])}function rr(e){return fo(this,arguments,function(){var r,o,n,i;return Nt(this,function(a){switch(a.label){case 0:r=e.getReader(),a.label=1;case 1:a.trys.push([1,,9,10]),a.label=2;case 2:return[4,nt(r.read())];case 3:return o=a.sent(),n=o.value,i=o.done,i?[4,nt(void 0)]:[3,5];case 4:return[2,a.sent()];case 5:return[4,nt(n)];case 6:return[4,a.sent()];case 7:return a.sent(),[3,2];case 8:return[3,10];case 9:return r.releaseLock(),[7];case 10:return[2]}})})}function or(e){return H(e==null?void 0:e.getReader)}function U(e){if(e instanceof j)return e;if(e!=null){if(Jt(e))return ea(e);if(xt(e))return ta(e);if(Gt(e))return ra(e);if(Xt(e))return Ao(e);if(tr(e))return oa(e);if(or(e))return na(e)}throw Zt(e)}function ea(e){return new j(function(t){var r=e[bt]();if(H(r.subscribe))return r.subscribe(t);throw new TypeError("Provided object does not correctly implement Symbol.observable")})}function ta(e){return new j(function(t){for(var r=0;r=2;return function(o){return o.pipe(e?b(function(n,i){return e(n,i,o)}):le,Te(1),r?De(t):Qo(function(){return new ir}))}}function jr(e){return e<=0?function(){return S}:E(function(t,r){var o=[];t.subscribe(T(r,function(n){o.push(n),e=2,!0))}function pe(e){e===void 0&&(e={});var t=e.connector,r=t===void 0?function(){return new g}:t,o=e.resetOnError,n=o===void 0?!0:o,i=e.resetOnComplete,a=i===void 0?!0:i,s=e.resetOnRefCountZero,p=s===void 0?!0:s;return function(c){var l,f,u,d=0,y=!1,L=!1,X=function(){f==null||f.unsubscribe(),f=void 0},te=function(){X(),l=u=void 0,y=L=!1},J=function(){var k=l;te(),k==null||k.unsubscribe()};return E(function(k,ft){d++,!L&&!y&&X();var 
qe=u=u!=null?u:r();ft.add(function(){d--,d===0&&!L&&!y&&(f=Ur(J,p))}),qe.subscribe(ft),!l&&d>0&&(l=new at({next:function(Fe){return qe.next(Fe)},error:function(Fe){L=!0,X(),f=Ur(te,n,Fe),qe.error(Fe)},complete:function(){y=!0,X(),f=Ur(te,a),qe.complete()}}),U(k).subscribe(l))})(c)}}function Ur(e,t){for(var r=[],o=2;oe.next(document)),e}function P(e,t=document){return Array.from(t.querySelectorAll(e))}function R(e,t=document){let r=fe(e,t);if(typeof r=="undefined")throw new ReferenceError(`Missing element: expected "${e}" to be present`);return r}function fe(e,t=document){return t.querySelector(e)||void 0}function Ie(){var e,t,r,o;return(o=(r=(t=(e=document.activeElement)==null?void 0:e.shadowRoot)==null?void 0:t.activeElement)!=null?r:document.activeElement)!=null?o:void 0}var wa=O(h(document.body,"focusin"),h(document.body,"focusout")).pipe(_e(1),Q(void 0),m(()=>Ie()||document.body),G(1));function et(e){return wa.pipe(m(t=>e.contains(t)),K())}function $t(e,t){return C(()=>O(h(e,"mouseenter").pipe(m(()=>!0)),h(e,"mouseleave").pipe(m(()=>!1))).pipe(t?Ht(r=>Le(+!r*t)):le,Q(e.matches(":hover"))))}function Jo(e,t){if(typeof t=="string"||typeof t=="number")e.innerHTML+=t.toString();else if(t instanceof Node)e.appendChild(t);else if(Array.isArray(t))for(let r of t)Jo(e,r)}function x(e,t,...r){let o=document.createElement(e);if(t)for(let n of Object.keys(t))typeof t[n]!="undefined"&&(typeof t[n]!="boolean"?o.setAttribute(n,t[n]):o.setAttribute(n,""));for(let n of r)Jo(o,n);return o}function sr(e){if(e>999){let t=+((e-950)%1e3>99);return`${((e+1e-6)/1e3).toFixed(t)}k`}else return e.toString()}function Tt(e){let t=x("script",{src:e});return C(()=>(document.head.appendChild(t),O(h(t,"load"),h(t,"error").pipe(v(()=>$r(()=>new ReferenceError(`Invalid script: ${e}`))))).pipe(m(()=>{}),_(()=>document.head.removeChild(t)),Te(1))))}var Xo=new g,Ta=C(()=>typeof ResizeObserver=="undefined"?Tt("https://unpkg.com/resize-observer-polyfill"):I(void 0)).pipe(m(()=>new 
ResizeObserver(e=>e.forEach(t=>Xo.next(t)))),v(e=>O(Ye,I(e)).pipe(_(()=>e.disconnect()))),G(1));function ce(e){return{width:e.offsetWidth,height:e.offsetHeight}}function ge(e){let t=e;for(;t.clientWidth===0&&t.parentElement;)t=t.parentElement;return Ta.pipe(w(r=>r.observe(t)),v(r=>Xo.pipe(b(o=>o.target===t),_(()=>r.unobserve(t)))),m(()=>ce(e)),Q(ce(e)))}function St(e){return{width:e.scrollWidth,height:e.scrollHeight}}function cr(e){let t=e.parentElement;for(;t&&(e.scrollWidth<=t.scrollWidth&&e.scrollHeight<=t.scrollHeight);)t=(e=t).parentElement;return t?e:void 0}function Zo(e){let t=[],r=e.parentElement;for(;r;)(e.clientWidth>r.clientWidth||e.clientHeight>r.clientHeight)&&t.push(r),r=(e=r).parentElement;return t.length===0&&t.push(document.documentElement),t}function Ve(e){return{x:e.offsetLeft,y:e.offsetTop}}function en(e){let t=e.getBoundingClientRect();return{x:t.x+window.scrollX,y:t.y+window.scrollY}}function tn(e){return O(h(window,"load"),h(window,"resize")).pipe(Me(0,me),m(()=>Ve(e)),Q(Ve(e)))}function pr(e){return{x:e.scrollLeft,y:e.scrollTop}}function Ne(e){return O(h(e,"scroll"),h(window,"scroll"),h(window,"resize")).pipe(Me(0,me),m(()=>pr(e)),Q(pr(e)))}var rn=new g,Sa=C(()=>I(new IntersectionObserver(e=>{for(let t of e)rn.next(t)},{threshold:0}))).pipe(v(e=>O(Ye,I(e)).pipe(_(()=>e.disconnect()))),G(1));function tt(e){return Sa.pipe(w(t=>t.observe(e)),v(t=>rn.pipe(b(({target:r})=>r===e),_(()=>t.unobserve(e)),m(({isIntersecting:r})=>r))))}function on(e,t=16){return Ne(e).pipe(m(({y:r})=>{let o=ce(e),n=St(e);return r>=n.height-o.height-t}),K())}var lr={drawer:R("[data-md-toggle=drawer]"),search:R("[data-md-toggle=search]")};function nn(e){return lr[e].checked}function Je(e,t){lr[e].checked!==t&&lr[e].click()}function ze(e){let t=lr[e];return h(t,"change").pipe(m(()=>t.checked),Q(t.checked))}function Oa(e,t){switch(e.constructor){case HTMLInputElement:return e.type==="radio"?/^Arrow/.test(t):!0;case HTMLSelectElement:case 
HTMLTextAreaElement:return!0;default:return e.isContentEditable}}function La(){return O(h(window,"compositionstart").pipe(m(()=>!0)),h(window,"compositionend").pipe(m(()=>!1))).pipe(Q(!1))}function an(){let e=h(window,"keydown").pipe(b(t=>!(t.metaKey||t.ctrlKey)),m(t=>({mode:nn("search")?"search":"global",type:t.key,claim(){t.preventDefault(),t.stopPropagation()}})),b(({mode:t,type:r})=>{if(t==="global"){let o=Ie();if(typeof o!="undefined")return!Oa(o,r)}return!0}),pe());return La().pipe(v(t=>t?S:e))}function ye(){return new URL(location.href)}function lt(e,t=!1){if(B("navigation.instant")&&!t){let r=x("a",{href:e.href});document.body.appendChild(r),r.click(),r.remove()}else location.href=e.href}function sn(){return new g}function cn(){return location.hash.slice(1)}function pn(e){let t=x("a",{href:e});t.addEventListener("click",r=>r.stopPropagation()),t.click()}function Ma(e){return O(h(window,"hashchange"),e).pipe(m(cn),Q(cn()),b(t=>t.length>0),G(1))}function ln(e){return Ma(e).pipe(m(t=>fe(`[id="${t}"]`)),b(t=>typeof t!="undefined"))}function Pt(e){let t=matchMedia(e);return ar(r=>t.addListener(()=>r(t.matches))).pipe(Q(t.matches))}function mn(){let e=matchMedia("print");return O(h(window,"beforeprint").pipe(m(()=>!0)),h(window,"afterprint").pipe(m(()=>!1))).pipe(Q(e.matches))}function Nr(e,t){return e.pipe(v(r=>r?t():S))}function zr(e,t){return new j(r=>{let o=new XMLHttpRequest;return o.open("GET",`${e}`),o.responseType="blob",o.addEventListener("load",()=>{o.status>=200&&o.status<300?(r.next(o.response),r.complete()):r.error(new Error(o.statusText))}),o.addEventListener("error",()=>{r.error(new Error("Network error"))}),o.addEventListener("abort",()=>{r.complete()}),typeof(t==null?void 0:t.progress$)!="undefined"&&(o.addEventListener("progress",n=>{var i;if(n.lengthComputable)t.progress$.next(n.loaded/n.total*100);else{let 
a=(i=o.getResponseHeader("Content-Length"))!=null?i:0;t.progress$.next(n.loaded/+a*100)}}),t.progress$.next(5)),o.send(),()=>o.abort()})}function je(e,t){return zr(e,t).pipe(v(r=>r.text()),m(r=>JSON.parse(r)),G(1))}function fn(e,t){let r=new DOMParser;return zr(e,t).pipe(v(o=>o.text()),m(o=>r.parseFromString(o,"text/html")),G(1))}function un(e,t){let r=new DOMParser;return zr(e,t).pipe(v(o=>o.text()),m(o=>r.parseFromString(o,"text/xml")),G(1))}function dn(){return{x:Math.max(0,scrollX),y:Math.max(0,scrollY)}}function hn(){return O(h(window,"scroll",{passive:!0}),h(window,"resize",{passive:!0})).pipe(m(dn),Q(dn()))}function bn(){return{width:innerWidth,height:innerHeight}}function vn(){return h(window,"resize",{passive:!0}).pipe(m(bn),Q(bn()))}function gn(){return z([hn(),vn()]).pipe(m(([e,t])=>({offset:e,size:t})),G(1))}function mr(e,{viewport$:t,header$:r}){let o=t.pipe(ee("size")),n=z([o,r]).pipe(m(()=>Ve(e)));return z([r,t,n]).pipe(m(([{height:i},{offset:a,size:s},{x:p,y:c}])=>({offset:{x:a.x-p,y:a.y-c+i},size:s})))}function _a(e){return h(e,"message",t=>t.data)}function Aa(e){let t=new g;return t.subscribe(r=>e.postMessage(r)),t}function yn(e,t=new Worker(e)){let r=_a(t),o=Aa(t),n=new g;n.subscribe(o);let i=o.pipe(Z(),ie(!0));return n.pipe(Z(),Re(r.pipe(W(i))),pe())}var Ca=R("#__config"),Ot=JSON.parse(Ca.textContent);Ot.base=`${new URL(Ot.base,ye())}`;function xe(){return Ot}function B(e){return Ot.features.includes(e)}function Ee(e,t){return typeof t!="undefined"?Ot.translations[e].replace("#",t.toString()):Ot.translations[e]}function Se(e,t=document){return R(`[data-md-component=${e}]`,t)}function ae(e,t=document){return P(`[data-md-component=${e}]`,t)}function ka(e){let t=R(".md-typeset > :first-child",e);return h(t,"click",{once:!0}).pipe(m(()=>R(".md-typeset",e)),m(r=>({hash:__md_hash(r.innerHTML)})))}function xn(e){if(!B("announce.dismiss")||!e.childElementCount)return S;if(!e.hidden){let 
t=R(".md-typeset",e);__md_hash(t.innerHTML)===__md_get("__announce")&&(e.hidden=!0)}return C(()=>{let t=new g;return t.subscribe(({hash:r})=>{e.hidden=!0,__md_set("__announce",r)}),ka(e).pipe(w(r=>t.next(r)),_(()=>t.complete()),m(r=>$({ref:e},r)))})}function Ha(e,{target$:t}){return t.pipe(m(r=>({hidden:r!==e})))}function En(e,t){let r=new g;return r.subscribe(({hidden:o})=>{e.hidden=o}),Ha(e,t).pipe(w(o=>r.next(o)),_(()=>r.complete()),m(o=>$({ref:e},o)))}function Rt(e,t){return t==="inline"?x("div",{class:"md-tooltip md-tooltip--inline",id:e,role:"tooltip"},x("div",{class:"md-tooltip__inner md-typeset"})):x("div",{class:"md-tooltip",id:e,role:"tooltip"},x("div",{class:"md-tooltip__inner md-typeset"}))}function wn(...e){return x("div",{class:"md-tooltip2",role:"tooltip"},x("div",{class:"md-tooltip2__inner md-typeset"},e))}function Tn(e,t){if(t=t?`${t}_annotation_${e}`:void 0,t){let r=t?`#${t}`:void 0;return x("aside",{class:"md-annotation",tabIndex:0},Rt(t),x("a",{href:r,class:"md-annotation__index",tabIndex:-1},x("span",{"data-md-annotation-id":e})))}else return x("aside",{class:"md-annotation",tabIndex:0},Rt(t),x("span",{class:"md-annotation__index",tabIndex:-1},x("span",{"data-md-annotation-id":e})))}function Sn(e){return x("button",{class:"md-clipboard md-icon",title:Ee("clipboard.copy"),"data-clipboard-target":`#${e} > code`})}var Ln=Mt(qr());function Qr(e,t){let r=t&2,o=t&1,n=Object.keys(e.terms).filter(p=>!e.terms[p]).reduce((p,c)=>[...p,x("del",null,(0,Ln.default)(c))," "],[]).slice(0,-1),i=xe(),a=new URL(e.location,i.base);B("search.highlight")&&a.searchParams.set("h",Object.entries(e.terms).filter(([,p])=>p).reduce((p,[c])=>`${p} ${c}`.trim(),""));let{tags:s}=xe();return x("a",{href:`${a}`,class:"md-search-result__link",tabIndex:-1},x("article",{class:"md-search-result__article md-typeset","data-md-score":e.score.toFixed(2)},r>0&&x("div",{class:"md-search-result__icon 
md-icon"}),r>0&&x("h1",null,e.title),r<=0&&x("h2",null,e.title),o>0&&e.text.length>0&&e.text,e.tags&&x("nav",{class:"md-tags"},e.tags.map(p=>{let c=s?p in s?`md-tag-icon md-tag--${s[p]}`:"md-tag-icon":"";return x("span",{class:`md-tag ${c}`},p)})),o>0&&n.length>0&&x("p",{class:"md-search-result__terms"},Ee("search.result.term.missing"),": ",...n)))}function Mn(e){let t=e[0].score,r=[...e],o=xe(),n=r.findIndex(l=>!`${new URL(l.location,o.base)}`.includes("#")),[i]=r.splice(n,1),a=r.findIndex(l=>l.scoreQr(l,1)),...p.length?[x("details",{class:"md-search-result__more"},x("summary",{tabIndex:-1},x("div",null,p.length>0&&p.length===1?Ee("search.result.more.one"):Ee("search.result.more.other",p.length))),...p.map(l=>Qr(l,1)))]:[]];return x("li",{class:"md-search-result__item"},c)}function _n(e){return x("ul",{class:"md-source__facts"},Object.entries(e).map(([t,r])=>x("li",{class:`md-source__fact md-source__fact--${t}`},typeof r=="number"?sr(r):r)))}function Kr(e){let t=`tabbed-control tabbed-control--${e}`;return x("div",{class:t,hidden:!0},x("button",{class:"tabbed-button",tabIndex:-1,"aria-hidden":"true"}))}function An(e){return x("div",{class:"md-typeset__scrollwrap"},x("div",{class:"md-typeset__table"},e))}function Ra(e){var o;let t=xe(),r=new URL(`../${e.version}/`,t.base);return x("li",{class:"md-version__item"},x("a",{href:`${r}`,class:"md-version__link"},e.title,((o=t.version)==null?void 0:o.alias)&&e.aliases.length>0&&x("span",{class:"md-version__alias"},e.aliases[0])))}function Cn(e,t){var o;let r=xe();return e=e.filter(n=>{var i;return!((i=n.properties)!=null&&i.hidden)}),x("div",{class:"md-version"},x("button",{class:"md-version__current","aria-label":Ee("select.version")},t.title,((o=r.version)==null?void 0:o.alias)&&t.aliases.length>0&&x("span",{class:"md-version__alias"},t.aliases[0])),x("ul",{class:"md-version__list"},e.map(Ra)))}var Ia=0;function ja(e){let 
t=z([et(e),$t(e)]).pipe(m(([o,n])=>o||n),K()),r=C(()=>Zo(e)).pipe(ne(Ne),pt(1),He(t),m(()=>en(e)));return t.pipe(Ae(o=>o),v(()=>z([t,r])),m(([o,n])=>({active:o,offset:n})),pe())}function Fa(e,t){let{content$:r,viewport$:o}=t,n=`__tooltip2_${Ia++}`;return C(()=>{let i=new g,a=new _r(!1);i.pipe(Z(),ie(!1)).subscribe(a);let s=a.pipe(Ht(c=>Le(+!c*250,kr)),K(),v(c=>c?r:S),w(c=>c.id=n),pe());z([i.pipe(m(({active:c})=>c)),s.pipe(v(c=>$t(c,250)),Q(!1))]).pipe(m(c=>c.some(l=>l))).subscribe(a);let p=a.pipe(b(c=>c),re(s,o),m(([c,l,{size:f}])=>{let u=e.getBoundingClientRect(),d=u.width/2;if(l.role==="tooltip")return{x:d,y:8+u.height};if(u.y>=f.height/2){let{height:y}=ce(l);return{x:d,y:-16-y}}else return{x:d,y:16+u.height}}));return z([s,i,p]).subscribe(([c,{offset:l},f])=>{c.style.setProperty("--md-tooltip-host-x",`${l.x}px`),c.style.setProperty("--md-tooltip-host-y",`${l.y}px`),c.style.setProperty("--md-tooltip-x",`${f.x}px`),c.style.setProperty("--md-tooltip-y",`${f.y}px`),c.classList.toggle("md-tooltip2--top",f.y<0),c.classList.toggle("md-tooltip2--bottom",f.y>=0)}),a.pipe(b(c=>c),re(s,(c,l)=>l),b(c=>c.role==="tooltip")).subscribe(c=>{let l=ce(R(":scope > *",c));c.style.setProperty("--md-tooltip-width",`${l.width}px`),c.style.setProperty("--md-tooltip-tail","0px")}),a.pipe(K(),ve(me),re(s)).subscribe(([c,l])=>{l.classList.toggle("md-tooltip2--active",c)}),z([a.pipe(b(c=>c)),s]).subscribe(([c,l])=>{l.role==="dialog"?(e.setAttribute("aria-controls",n),e.setAttribute("aria-haspopup","dialog")):e.setAttribute("aria-describedby",n)}),a.pipe(b(c=>!c)).subscribe(()=>{e.removeAttribute("aria-controls"),e.removeAttribute("aria-describedby"),e.removeAttribute("aria-haspopup")}),ja(e).pipe(w(c=>i.next(c)),_(()=>i.complete()),m(c=>$({ref:e},c)))})}function mt(e,{viewport$:t},r=document.body){return Fa(e,{content$:new j(o=>{let n=e.title,i=wn(n);return o.next(i),e.removeAttribute("title"),r.append(i),()=>{i.remove(),e.setAttribute("title",n)}}),viewport$:t})}function Ua(e,t){let 
r=C(()=>z([tn(e),Ne(t)])).pipe(m(([{x:o,y:n},i])=>{let{width:a,height:s}=ce(e);return{x:o-i.x+a/2,y:n-i.y+s/2}}));return et(e).pipe(v(o=>r.pipe(m(n=>({active:o,offset:n})),Te(+!o||1/0))))}function kn(e,t,{target$:r}){let[o,n]=Array.from(e.children);return C(()=>{let i=new g,a=i.pipe(Z(),ie(!0));return i.subscribe({next({offset:s}){e.style.setProperty("--md-tooltip-x",`${s.x}px`),e.style.setProperty("--md-tooltip-y",`${s.y}px`)},complete(){e.style.removeProperty("--md-tooltip-x"),e.style.removeProperty("--md-tooltip-y")}}),tt(e).pipe(W(a)).subscribe(s=>{e.toggleAttribute("data-md-visible",s)}),O(i.pipe(b(({active:s})=>s)),i.pipe(_e(250),b(({active:s})=>!s))).subscribe({next({active:s}){s?e.prepend(o):o.remove()},complete(){e.prepend(o)}}),i.pipe(Me(16,me)).subscribe(({active:s})=>{o.classList.toggle("md-tooltip--active",s)}),i.pipe(pt(125,me),b(()=>!!e.offsetParent),m(()=>e.offsetParent.getBoundingClientRect()),m(({x:s})=>s)).subscribe({next(s){s?e.style.setProperty("--md-tooltip-0",`${-s}px`):e.style.removeProperty("--md-tooltip-0")},complete(){e.style.removeProperty("--md-tooltip-0")}}),h(n,"click").pipe(W(a),b(s=>!(s.metaKey||s.ctrlKey))).subscribe(s=>{s.stopPropagation(),s.preventDefault()}),h(n,"mousedown").pipe(W(a),re(i)).subscribe(([s,{active:p}])=>{var c;if(s.button!==0||s.metaKey||s.ctrlKey)s.preventDefault();else if(p){s.preventDefault();let l=e.parentElement.closest(".md-annotation");l instanceof HTMLElement?l.focus():(c=Ie())==null||c.blur()}}),r.pipe(W(a),b(s=>s===o),Ge(125)).subscribe(()=>e.focus()),Ua(e,t).pipe(w(s=>i.next(s)),_(()=>i.complete()),m(s=>$({ref:e},s)))})}function Wa(e){return e.tagName==="CODE"?P(".c, .c1, .cm",e):[e]}function Da(e){let t=[];for(let r of Wa(e)){let o=[],n=document.createNodeIterator(r,NodeFilter.SHOW_TEXT);for(let i=n.nextNode();i;i=n.nextNode())o.push(i);for(let i of o){let a;for(;a=/(\(\d+\))(!)?/.exec(i.textContent);){let[,s,p]=a;if(typeof p=="undefined"){let 
c=i.splitText(a.index);i=c.splitText(s.length),t.push(c)}else{i.textContent=s,t.push(i);break}}}}return t}function Hn(e,t){t.append(...Array.from(e.childNodes))}function fr(e,t,{target$:r,print$:o}){let n=t.closest("[id]"),i=n==null?void 0:n.id,a=new Map;for(let s of Da(t)){let[,p]=s.textContent.match(/\((\d+)\)/);fe(`:scope > li:nth-child(${p})`,e)&&(a.set(p,Tn(p,i)),s.replaceWith(a.get(p)))}return a.size===0?S:C(()=>{let s=new g,p=s.pipe(Z(),ie(!0)),c=[];for(let[l,f]of a)c.push([R(".md-typeset",f),R(`:scope > li:nth-child(${l})`,e)]);return o.pipe(W(p)).subscribe(l=>{e.hidden=!l,e.classList.toggle("md-annotation-list",l);for(let[f,u]of c)l?Hn(f,u):Hn(u,f)}),O(...[...a].map(([,l])=>kn(l,t,{target$:r}))).pipe(_(()=>s.complete()),pe())})}function $n(e){if(e.nextElementSibling){let t=e.nextElementSibling;if(t.tagName==="OL")return t;if(t.tagName==="P"&&!t.children.length)return $n(t)}}function Pn(e,t){return C(()=>{let r=$n(e);return typeof r!="undefined"?fr(r,e,t):S})}var Rn=Mt(Br());var Va=0;function In(e){if(e.nextElementSibling){let t=e.nextElementSibling;if(t.tagName==="OL")return t;if(t.tagName==="P"&&!t.children.length)return In(t)}}function Na(e){return ge(e).pipe(m(({width:t})=>({scrollable:St(e).width>t})),ee("scrollable"))}function jn(e,t){let{matches:r}=matchMedia("(hover)"),o=C(()=>{let n=new g,i=n.pipe(jr(1));n.subscribe(({scrollable:c})=>{c&&r?e.setAttribute("tabindex","0"):e.removeAttribute("tabindex")});let a=[];if(Rn.default.isSupported()&&(e.closest(".copy")||B("content.code.copy")&&!e.closest(".no-copy"))){let c=e.closest("pre");c.id=`__code_${Va++}`;let l=Sn(c.id);c.insertBefore(l,e),B("content.tooltips")&&a.push(mt(l,{viewport$}))}let s=e.closest(".highlight");if(s instanceof HTMLElement){let c=In(s);if(typeof c!="undefined"&&(s.classList.contains("annotate")||B("content.code.annotate"))){let l=fr(c,e,t);a.push(ge(s).pipe(W(i),m(({width:f,height:u})=>f&&u),K(),v(f=>f?l:S)))}}return P(":scope > 
span[id]",e).length&&e.classList.add("md-code__content"),Na(e).pipe(w(c=>n.next(c)),_(()=>n.complete()),m(c=>$({ref:e},c)),Re(...a))});return B("content.lazy")?tt(e).pipe(b(n=>n),Te(1),v(()=>o)):o}function za(e,{target$:t,print$:r}){let o=!0;return O(t.pipe(m(n=>n.closest("details:not([open])")),b(n=>e===n),m(()=>({action:"open",reveal:!0}))),r.pipe(b(n=>n||!o),w(()=>o=e.open),m(n=>({action:n?"open":"close"}))))}function Fn(e,t){return C(()=>{let r=new g;return r.subscribe(({action:o,reveal:n})=>{e.toggleAttribute("open",o==="open"),n&&e.scrollIntoView()}),za(e,t).pipe(w(o=>r.next(o)),_(()=>r.complete()),m(o=>$({ref:e},o)))})}var Un=".node circle,.node ellipse,.node path,.node polygon,.node rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}marker{fill:var(--md-mermaid-edge-color)!important}.edgeLabel .label rect{fill:#0000}.flowchartTitleText{fill:var(--md-mermaid-label-fg-color)}.label{color:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.label foreignObject{line-height:normal;overflow:visible}.label div .edgeLabel{color:var(--md-mermaid-label-fg-color)}.edgeLabel,.edgeLabel p,.label div .edgeLabel{background-color:var(--md-mermaid-label-bg-color)}.edgeLabel,.edgeLabel p{fill:var(--md-mermaid-label-bg-color);color:var(--md-mermaid-edge-color)}.edgePath .path,.flowchart-link{stroke:var(--md-mermaid-edge-color);stroke-width:.05rem}.edgePath .arrowheadPath{fill:var(--md-mermaid-edge-color);stroke:none}.cluster rect{fill:var(--md-default-fg-color--lightest);stroke:var(--md-default-fg-color--lighter)}.cluster span{color:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}g #flowchart-circleEnd,g #flowchart-circleStart,g #flowchart-crossEnd,g #flowchart-crossStart,g #flowchart-pointEnd,g #flowchart-pointStart{stroke:none}.classDiagramTitleText{fill:var(--md-mermaid-label-fg-color)}g.classGroup line,g.classGroup 
rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}g.classGroup text{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.classLabel .box{fill:var(--md-mermaid-label-bg-color);background-color:var(--md-mermaid-label-bg-color);opacity:1}.classLabel .label{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.node .divider{stroke:var(--md-mermaid-node-fg-color)}.relation{stroke:var(--md-mermaid-edge-color)}.cardinality{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.cardinality text{fill:inherit!important}defs #classDiagram-compositionEnd,defs #classDiagram-compositionStart,defs #classDiagram-dependencyEnd,defs #classDiagram-dependencyStart,defs #classDiagram-extensionEnd,defs #classDiagram-extensionStart{fill:var(--md-mermaid-edge-color)!important;stroke:var(--md-mermaid-edge-color)!important}defs #classDiagram-aggregationEnd,defs #classDiagram-aggregationStart{fill:var(--md-mermaid-label-bg-color)!important;stroke:var(--md-mermaid-edge-color)!important}.statediagramTitleText{fill:var(--md-mermaid-label-fg-color)}g.stateGroup rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}g.stateGroup .state-title{fill:var(--md-mermaid-label-fg-color)!important;font-family:var(--md-mermaid-font-family)}g.stateGroup .composit{fill:var(--md-mermaid-label-bg-color)}.nodeLabel,.nodeLabel p{color:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}a .nodeLabel{text-decoration:underline}.node circle.state-end,.node circle.state-start,.start-state{fill:var(--md-mermaid-edge-color);stroke:none}.end-state-inner,.end-state-outer{fill:var(--md-mermaid-edge-color)}.end-state-inner,.node circle.state-end{stroke:var(--md-mermaid-label-bg-color)}.transition{stroke:var(--md-mermaid-edge-color)}[id^=state-fork] rect,[id^=state-join] 
rect{fill:var(--md-mermaid-edge-color)!important;stroke:none!important}.statediagram-cluster.statediagram-cluster .inner{fill:var(--md-default-bg-color)}.statediagram-cluster rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}.statediagram-state rect.divider{fill:var(--md-default-fg-color--lightest);stroke:var(--md-default-fg-color--lighter)}defs #statediagram-barbEnd{stroke:var(--md-mermaid-edge-color)}.entityTitleText{fill:var(--md-mermaid-label-fg-color)}.attributeBoxEven,.attributeBoxOdd{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}.entityBox{fill:var(--md-mermaid-label-bg-color);stroke:var(--md-mermaid-node-fg-color)}.entityLabel{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.relationshipLabelBox{fill:var(--md-mermaid-label-bg-color);fill-opacity:1;background-color:var(--md-mermaid-label-bg-color);opacity:1}.relationshipLabel{fill:var(--md-mermaid-label-fg-color)}.relationshipLine{stroke:var(--md-mermaid-edge-color)}defs #ONE_OR_MORE_END *,defs #ONE_OR_MORE_START *,defs #ONLY_ONE_END *,defs #ONLY_ONE_START *,defs #ZERO_OR_MORE_END *,defs #ZERO_OR_MORE_START *,defs #ZERO_OR_ONE_END *,defs #ZERO_OR_ONE_START *{stroke:var(--md-mermaid-edge-color)!important}defs #ZERO_OR_MORE_END circle,defs #ZERO_OR_MORE_START circle{fill:var(--md-mermaid-label-bg-color)}text:not([class]):last-child{fill:var(--md-mermaid-label-fg-color)}.actor{fill:var(--md-mermaid-sequence-actor-bg-color);stroke:var(--md-mermaid-sequence-actor-border-color)}text.actor>tspan{fill:var(--md-mermaid-sequence-actor-fg-color);font-family:var(--md-mermaid-font-family)}line{stroke:var(--md-mermaid-sequence-actor-line-color)}.actor-man circle,.actor-man 
line{fill:var(--md-mermaid-sequence-actorman-bg-color);stroke:var(--md-mermaid-sequence-actorman-line-color)}.messageLine0,.messageLine1{stroke:var(--md-mermaid-sequence-message-line-color)}.note{fill:var(--md-mermaid-sequence-note-bg-color);stroke:var(--md-mermaid-sequence-note-border-color)}.loopText,.loopText>tspan,.messageText,.noteText>tspan{stroke:none;font-family:var(--md-mermaid-font-family)!important}.messageText{fill:var(--md-mermaid-sequence-message-fg-color)}.loopText,.loopText>tspan{fill:var(--md-mermaid-sequence-loop-fg-color)}.noteText>tspan{fill:var(--md-mermaid-sequence-note-fg-color)}#arrowhead path{fill:var(--md-mermaid-sequence-message-line-color);stroke:none}.loopLine{fill:var(--md-mermaid-sequence-loop-bg-color);stroke:var(--md-mermaid-sequence-loop-border-color)}.labelBox{fill:var(--md-mermaid-sequence-label-bg-color);stroke:none}.labelText,.labelText>span{fill:var(--md-mermaid-sequence-label-fg-color);font-family:var(--md-mermaid-font-family)}.sequenceNumber{fill:var(--md-mermaid-sequence-number-fg-color)}rect.rect{fill:var(--md-mermaid-sequence-box-bg-color);stroke:none}rect.rect+text.text{fill:var(--md-mermaid-sequence-box-fg-color)}defs #sequencenumber{fill:var(--md-mermaid-sequence-number-bg-color)!important}";var Gr,Qa=0;function Ka(){return typeof mermaid=="undefined"||mermaid instanceof Element?Tt("https://unpkg.com/mermaid@11/dist/mermaid.min.js"):I(void 0)}function Wn(e){return e.classList.remove("mermaid"),Gr||(Gr=Ka().pipe(w(()=>mermaid.initialize({startOnLoad:!1,themeCSS:Un,sequence:{actorFontSize:"16px",messageFontSize:"16px",noteFontSize:"16px"}})),m(()=>{}),G(1))),Gr.subscribe(()=>co(this,null,function*(){e.classList.add("mermaid");let t=`__mermaid_${Qa++}`,r=x("div",{class:"mermaid"}),o=e.textContent,{svg:n,fn:i}=yield mermaid.render(t,o),a=r.attachShadow({mode:"closed"});a.innerHTML=n,e.replaceWith(r),i==null||i(a)})),Gr.pipe(m(()=>({ref:e})))}var Dn=x("table");function Vn(e){return 
e.replaceWith(Dn),Dn.replaceWith(An(e)),I({ref:e})}function Ya(e){let t=e.find(r=>r.checked)||e[0];return O(...e.map(r=>h(r,"change").pipe(m(()=>R(`label[for="${r.id}"]`))))).pipe(Q(R(`label[for="${t.id}"]`)),m(r=>({active:r})))}function Nn(e,{viewport$:t,target$:r}){let o=R(".tabbed-labels",e),n=P(":scope > input",e),i=Kr("prev");e.append(i);let a=Kr("next");return e.append(a),C(()=>{let s=new g,p=s.pipe(Z(),ie(!0));z([s,ge(e),tt(e)]).pipe(W(p),Me(1,me)).subscribe({next([{active:c},l]){let f=Ve(c),{width:u}=ce(c);e.style.setProperty("--md-indicator-x",`${f.x}px`),e.style.setProperty("--md-indicator-width",`${u}px`);let d=pr(o);(f.xd.x+l.width)&&o.scrollTo({left:Math.max(0,f.x-16),behavior:"smooth"})},complete(){e.style.removeProperty("--md-indicator-x"),e.style.removeProperty("--md-indicator-width")}}),z([Ne(o),ge(o)]).pipe(W(p)).subscribe(([c,l])=>{let f=St(o);i.hidden=c.x<16,a.hidden=c.x>f.width-l.width-16}),O(h(i,"click").pipe(m(()=>-1)),h(a,"click").pipe(m(()=>1))).pipe(W(p)).subscribe(c=>{let{width:l}=ce(o);o.scrollBy({left:l*c,behavior:"smooth"})}),r.pipe(W(p),b(c=>n.includes(c))).subscribe(c=>c.click()),o.classList.add("tabbed-labels--linked");for(let c of n){let l=R(`label[for="${c.id}"]`);l.replaceChildren(x("a",{href:`#${l.htmlFor}`,tabIndex:-1},...Array.from(l.childNodes))),h(l.firstElementChild,"click").pipe(W(p),b(f=>!(f.metaKey||f.ctrlKey)),w(f=>{f.preventDefault(),f.stopPropagation()})).subscribe(()=>{history.replaceState({},"",`#${l.htmlFor}`),l.click()})}return B("content.tabs.link")&&s.pipe(Ce(1),re(t)).subscribe(([{active:c},{offset:l}])=>{let f=c.innerText.trim();if(c.hasAttribute("data-md-switching"))c.removeAttribute("data-md-switching");else{let u=e.offsetTop-l.y;for(let y of P("[data-tabs]"))for(let L of P(":scope > input",y)){let X=R(`label[for="${L.id}"]`);if(X!==c&&X.innerText.trim()===f){X.setAttribute("data-md-switching",""),L.click();break}}window.scrollTo({top:e.offsetTop-u});let d=__md_get("__tabs")||[];__md_set("__tabs",[...new 
Set([f,...d])])}}),s.pipe(W(p)).subscribe(()=>{for(let c of P("audio, video",e))c.pause()}),Ya(n).pipe(w(c=>s.next(c)),_(()=>s.complete()),m(c=>$({ref:e},c)))}).pipe(Ke(se))}function zn(e,{viewport$:t,target$:r,print$:o}){return O(...P(".annotate:not(.highlight)",e).map(n=>Pn(n,{target$:r,print$:o})),...P("pre:not(.mermaid) > code",e).map(n=>jn(n,{target$:r,print$:o})),...P("pre.mermaid",e).map(n=>Wn(n)),...P("table:not([class])",e).map(n=>Vn(n)),...P("details",e).map(n=>Fn(n,{target$:r,print$:o})),...P("[data-tabs]",e).map(n=>Nn(n,{viewport$:t,target$:r})),...P("[title]",e).filter(()=>B("content.tooltips")).map(n=>mt(n,{viewport$:t})))}function Ba(e,{alert$:t}){return t.pipe(v(r=>O(I(!0),I(!1).pipe(Ge(2e3))).pipe(m(o=>({message:r,active:o})))))}function qn(e,t){let r=R(".md-typeset",e);return C(()=>{let o=new g;return o.subscribe(({message:n,active:i})=>{e.classList.toggle("md-dialog--active",i),r.textContent=n}),Ba(e,t).pipe(w(n=>o.next(n)),_(()=>o.complete()),m(n=>$({ref:e},n)))})}var Ga=0;function Ja(e,t){document.body.append(e);let{width:r}=ce(e);e.style.setProperty("--md-tooltip-width",`${r}px`),e.remove();let o=cr(t),n=typeof o!="undefined"?Ne(o):I({x:0,y:0}),i=O(et(t),$t(t)).pipe(K());return z([i,n]).pipe(m(([a,s])=>{let{x:p,y:c}=Ve(t),l=ce(t),f=t.closest("table");return f&&t.parentElement&&(p+=f.offsetLeft+t.parentElement.offsetLeft,c+=f.offsetTop+t.parentElement.offsetTop),{active:a,offset:{x:p-s.x+l.width/2-r/2,y:c-s.y+l.height+8}}}))}function Qn(e){let t=e.title;if(!t.length)return S;let r=`__tooltip_${Ga++}`,o=Rt(r,"inline"),n=R(".md-typeset",o);return n.innerHTML=t,C(()=>{let i=new g;return 
i.subscribe({next({offset:a}){o.style.setProperty("--md-tooltip-x",`${a.x}px`),o.style.setProperty("--md-tooltip-y",`${a.y}px`)},complete(){o.style.removeProperty("--md-tooltip-x"),o.style.removeProperty("--md-tooltip-y")}}),O(i.pipe(b(({active:a})=>a)),i.pipe(_e(250),b(({active:a})=>!a))).subscribe({next({active:a}){a?(e.insertAdjacentElement("afterend",o),e.setAttribute("aria-describedby",r),e.removeAttribute("title")):(o.remove(),e.removeAttribute("aria-describedby"),e.setAttribute("title",t))},complete(){o.remove(),e.removeAttribute("aria-describedby"),e.setAttribute("title",t)}}),i.pipe(Me(16,me)).subscribe(({active:a})=>{o.classList.toggle("md-tooltip--active",a)}),i.pipe(pt(125,me),b(()=>!!e.offsetParent),m(()=>e.offsetParent.getBoundingClientRect()),m(({x:a})=>a)).subscribe({next(a){a?o.style.setProperty("--md-tooltip-0",`${-a}px`):o.style.removeProperty("--md-tooltip-0")},complete(){o.style.removeProperty("--md-tooltip-0")}}),Ja(o,e).pipe(w(a=>i.next(a)),_(()=>i.complete()),m(a=>$({ref:e},a)))}).pipe(Ke(se))}function Xa({viewport$:e}){if(!B("header.autohide"))return I(!1);let t=e.pipe(m(({offset:{y:n}})=>n),Be(2,1),m(([n,i])=>[nMath.abs(i-n.y)>100),m(([,[n]])=>n),K()),o=ze("search");return z([e,o]).pipe(m(([{offset:n},i])=>n.y>400&&!i),K(),v(n=>n?r:I(!1)),Q(!1))}function Kn(e,t){return C(()=>z([ge(e),Xa(t)])).pipe(m(([{height:r},o])=>({height:r,hidden:o})),K((r,o)=>r.height===o.height&&r.hidden===o.hidden),G(1))}function Yn(e,{header$:t,main$:r}){return C(()=>{let o=new g,n=o.pipe(Z(),ie(!0));o.pipe(ee("active"),He(t)).subscribe(([{active:a},{hidden:s}])=>{e.classList.toggle("md-header--shadow",a&&!s),e.hidden=s});let i=ue(P("[title]",e)).pipe(b(()=>B("content.tooltips")),ne(a=>Qn(a)));return r.subscribe(o),t.pipe(W(n),m(a=>$({ref:e},a)),Re(i.pipe(W(n))))})}function Za(e,{viewport$:t,header$:r}){return mr(e,{viewport$:t,header$:r}).pipe(m(({offset:{y:o}})=>{let{height:n}=ce(e);return{active:o>=n}}),ee("active"))}function Bn(e,t){return C(()=>{let r=new 
g;r.subscribe({next({active:n}){e.classList.toggle("md-header__title--active",n)},complete(){e.classList.remove("md-header__title--active")}});let o=fe(".md-content h1");return typeof o=="undefined"?S:Za(o,t).pipe(w(n=>r.next(n)),_(()=>r.complete()),m(n=>$({ref:e},n)))})}function Gn(e,{viewport$:t,header$:r}){let o=r.pipe(m(({height:i})=>i),K()),n=o.pipe(v(()=>ge(e).pipe(m(({height:i})=>({top:e.offsetTop,bottom:e.offsetTop+i})),ee("bottom"))));return z([o,n,t]).pipe(m(([i,{top:a,bottom:s},{offset:{y:p},size:{height:c}}])=>(c=Math.max(0,c-Math.max(0,a-p,i)-Math.max(0,c+p-s)),{offset:a-i,height:c,active:a-i<=p})),K((i,a)=>i.offset===a.offset&&i.height===a.height&&i.active===a.active))}function es(e){let t=__md_get("__palette")||{index:e.findIndex(o=>matchMedia(o.getAttribute("data-md-color-media")).matches)},r=Math.max(0,Math.min(t.index,e.length-1));return I(...e).pipe(ne(o=>h(o,"change").pipe(m(()=>o))),Q(e[r]),m(o=>({index:e.indexOf(o),color:{media:o.getAttribute("data-md-color-media"),scheme:o.getAttribute("data-md-color-scheme"),primary:o.getAttribute("data-md-color-primary"),accent:o.getAttribute("data-md-color-accent")}})),G(1))}function Jn(e){let t=P("input",e),r=x("meta",{name:"theme-color"});document.head.appendChild(r);let o=x("meta",{name:"color-scheme"});document.head.appendChild(o);let n=Pt("(prefers-color-scheme: light)");return C(()=>{let i=new g;return i.subscribe(a=>{if(document.body.setAttribute("data-md-color-switching",""),a.color.media==="(prefers-color-scheme)"){let s=matchMedia("(prefers-color-scheme: light)"),p=document.querySelector(s.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");a.color.scheme=p.getAttribute("data-md-color-scheme"),a.color.primary=p.getAttribute("data-md-color-primary"),a.color.accent=p.getAttribute("data-md-color-accent")}for(let[s,p]of Object.entries(a.color))document.body.setAttribute(`data-md-color-${s}`,p);for(let 
s=0;sa.key==="Enter"),re(i,(a,s)=>s)).subscribe(({index:a})=>{a=(a+1)%t.length,t[a].click(),t[a].focus()}),i.pipe(m(()=>{let a=Se("header"),s=window.getComputedStyle(a);return o.content=s.colorScheme,s.backgroundColor.match(/\d+/g).map(p=>(+p).toString(16).padStart(2,"0")).join("")})).subscribe(a=>r.content=`#${a}`),i.pipe(ve(se)).subscribe(()=>{document.body.removeAttribute("data-md-color-switching")}),es(t).pipe(W(n.pipe(Ce(1))),ct(),w(a=>i.next(a)),_(()=>i.complete()),m(a=>$({ref:e},a)))})}function Xn(e,{progress$:t}){return C(()=>{let r=new g;return r.subscribe(({value:o})=>{e.style.setProperty("--md-progress-value",`${o}`)}),t.pipe(w(o=>r.next({value:o})),_(()=>r.complete()),m(o=>({ref:e,value:o})))})}var Jr=Mt(Br());function ts(e){e.setAttribute("data-md-copying","");let t=e.closest("[data-copy]"),r=t?t.getAttribute("data-copy"):e.innerText;return e.removeAttribute("data-md-copying"),r.trimEnd()}function Zn({alert$:e}){Jr.default.isSupported()&&new j(t=>{new Jr.default("[data-clipboard-target], [data-clipboard-text]",{text:r=>r.getAttribute("data-clipboard-text")||ts(R(r.getAttribute("data-clipboard-target")))}).on("success",r=>t.next(r))}).pipe(w(t=>{t.trigger.focus()}),m(()=>Ee("clipboard.copied"))).subscribe(e)}function ei(e,t){return e.protocol=t.protocol,e.hostname=t.hostname,e}function rs(e,t){let r=new Map;for(let o of P("url",e)){let n=R("loc",o),i=[ei(new URL(n.textContent),t)];r.set(`${i[0]}`,i);for(let a of P("[rel=alternate]",o)){let s=a.getAttribute("href");s!=null&&i.push(ei(new URL(s),t))}}return r}function ur(e){return un(new URL("sitemap.xml",e)).pipe(m(t=>rs(t,new URL(e))),de(()=>I(new Map)))}function os(e,t){if(!(e.target instanceof Element))return S;let r=e.target.closest("a");if(r===null)return S;if(r.target||e.metaKey||e.ctrlKey)return S;let o=new URL(r.href);return o.search=o.hash="",t.has(`${o}`)?(e.preventDefault(),I(new URL(r.href))):S}function ti(e){let t=new Map;for(let r of P(":scope > *",e.head))t.set(r.outerHTML,r);return 
t}function ri(e){for(let t of P("[href], [src]",e))for(let r of["href","src"]){let o=t.getAttribute(r);if(o&&!/^(?:[a-z]+:)?\/\//i.test(o)){t[r]=t[r];break}}return I(e)}function ns(e){for(let o of["[data-md-component=announce]","[data-md-component=container]","[data-md-component=header-topic]","[data-md-component=outdated]","[data-md-component=logo]","[data-md-component=skip]",...B("navigation.tabs.sticky")?["[data-md-component=tabs]"]:[]]){let n=fe(o),i=fe(o,e);typeof n!="undefined"&&typeof i!="undefined"&&n.replaceWith(i)}let t=ti(document);for(let[o,n]of ti(e))t.has(o)?t.delete(o):document.head.appendChild(n);for(let o of t.values()){let n=o.getAttribute("name");n!=="theme-color"&&n!=="color-scheme"&&o.remove()}let r=Se("container");return We(P("script",r)).pipe(v(o=>{let n=e.createElement("script");if(o.src){for(let i of o.getAttributeNames())n.setAttribute(i,o.getAttribute(i));return o.replaceWith(n),new j(i=>{n.onload=()=>i.complete()})}else return n.textContent=o.textContent,o.replaceWith(n),S}),Z(),ie(document))}function oi({location$:e,viewport$:t,progress$:r}){let o=xe();if(location.protocol==="file:")return S;let n=ur(o.base);I(document).subscribe(ri);let i=h(document.body,"click").pipe(He(n),v(([p,c])=>os(p,c)),pe()),a=h(window,"popstate").pipe(m(ye),pe());i.pipe(re(t)).subscribe(([p,{offset:c}])=>{history.replaceState(c,""),history.pushState(null,"",p)}),O(i,a).subscribe(e);let s=e.pipe(ee("pathname"),v(p=>fn(p,{progress$:r}).pipe(de(()=>(lt(p,!0),S)))),v(ri),v(ns),pe());return O(s.pipe(re(e,(p,c)=>c)),s.pipe(v(()=>e),ee("pathname"),v(()=>e),ee("hash")),e.pipe(K((p,c)=>p.pathname===c.pathname&&p.hash===c.hash),v(()=>i),w(()=>history.back()))).subscribe(p=>{var c,l;history.state!==null||!p.hash?window.scrollTo(0,(l=(c=history.state)==null?void 
0:c.y)!=null?l:0):(history.scrollRestoration="auto",pn(p.hash),history.scrollRestoration="manual")}),e.subscribe(()=>{history.scrollRestoration="manual"}),h(window,"beforeunload").subscribe(()=>{history.scrollRestoration="auto"}),t.pipe(ee("offset"),_e(100)).subscribe(({offset:p})=>{history.replaceState(p,"")}),s}var ni=Mt(qr());function ii(e){let t=e.separator.split("|").map(n=>n.replace(/(\(\?[!=<][^)]+\))/g,"").length===0?"\uFFFD":n).join("|"),r=new RegExp(t,"img"),o=(n,i,a)=>`${i}${a}`;return n=>{n=n.replace(/[\s*+\-:~^]+/g," ").trim();let i=new RegExp(`(^|${e.separator}|)(${n.replace(/[|\\{}()[\]^$+*?.-]/g,"\\$&").replace(r,"|")})`,"img");return a=>(0,ni.default)(a).replace(i,o).replace(/<\/mark>(\s+)]*>/img,"$1")}}function jt(e){return e.type===1}function dr(e){return e.type===3}function ai(e,t){let r=yn(e);return O(I(location.protocol!=="file:"),ze("search")).pipe(Ae(o=>o),v(()=>t)).subscribe(({config:o,docs:n})=>r.next({type:0,data:{config:o,docs:n,options:{suggest:B("search.suggest")}}})),r}function si(e){var l;let{selectedVersionSitemap:t,selectedVersionBaseURL:r,currentLocation:o,currentBaseURL:n}=e,i=(l=Xr(n))==null?void 0:l.pathname;if(i===void 0)return;let a=ss(o.pathname,i);if(a===void 0)return;let s=ps(t.keys());if(!t.has(s))return;let p=Xr(a,s);if(!p||!t.has(p.href))return;let c=Xr(a,r);if(c)return c.hash=o.hash,c.search=o.search,c}function Xr(e,t){try{return new URL(e,t)}catch(r){return}}function ss(e,t){if(e.startsWith(t))return e.slice(t.length)}function cs(e,t){let r=Math.min(e.length,t.length),o;for(o=0;oS)),o=r.pipe(m(n=>{let[,i]=t.base.match(/([^/]+)\/?$/);return n.find(({version:a,aliases:s})=>a===i||s.includes(i))||n[0]}));r.pipe(m(n=>new Map(n.map(i=>[`${new URL(`../${i.version}/`,t.base)}`,i]))),v(n=>h(document.body,"click").pipe(b(i=>!i.metaKey&&!i.ctrlKey),re(o),v(([i,a])=>{if(i.target instanceof Element){let s=i.target.closest("a");if(s&&!s.target&&n.has(s.href)){let 
p=s.href;return!i.target.closest(".md-version")&&n.get(p)===a?S:(i.preventDefault(),I(new URL(p)))}}return S}),v(i=>ur(i).pipe(m(a=>{var s;return(s=si({selectedVersionSitemap:a,selectedVersionBaseURL:i,currentLocation:ye(),currentBaseURL:t.base}))!=null?s:i})))))).subscribe(n=>lt(n,!0)),z([r,o]).subscribe(([n,i])=>{R(".md-header__topic").appendChild(Cn(n,i))}),e.pipe(v(()=>o)).subscribe(n=>{var a;let i=__md_get("__outdated",sessionStorage);if(i===null){i=!0;let s=((a=t.version)==null?void 0:a.default)||"latest";Array.isArray(s)||(s=[s]);e:for(let p of s)for(let c of n.aliases.concat(n.version))if(new RegExp(p,"i").test(c)){i=!1;break e}__md_set("__outdated",i,sessionStorage)}if(i)for(let s of ae("outdated"))s.hidden=!1})}function ls(e,{worker$:t}){let{searchParams:r}=ye();r.has("q")&&(Je("search",!0),e.value=r.get("q"),e.focus(),ze("search").pipe(Ae(i=>!i)).subscribe(()=>{let i=ye();i.searchParams.delete("q"),history.replaceState({},"",`${i}`)}));let o=et(e),n=O(t.pipe(Ae(jt)),h(e,"keyup"),o).pipe(m(()=>e.value),K());return z([n,o]).pipe(m(([i,a])=>({value:i,focus:a})),G(1))}function pi(e,{worker$:t}){let r=new g,o=r.pipe(Z(),ie(!0));z([t.pipe(Ae(jt)),r],(i,a)=>a).pipe(ee("value")).subscribe(({value:i})=>t.next({type:2,data:i})),r.pipe(ee("focus")).subscribe(({focus:i})=>{i&&Je("search",i)}),h(e.form,"reset").pipe(W(o)).subscribe(()=>e.focus());let n=R("header [for=__search]");return h(n,"click").subscribe(()=>e.focus()),ls(e,{worker$:t}).pipe(w(i=>r.next(i)),_(()=>r.complete()),m(i=>$({ref:e},i)),G(1))}function li(e,{worker$:t,query$:r}){let o=new g,n=on(e.parentElement).pipe(b(Boolean)),i=e.parentElement,a=R(":scope > :first-child",e),s=R(":scope > :last-child",e);ze("search").subscribe(l=>s.setAttribute("role",l?"list":"presentation")),o.pipe(re(r),Wr(t.pipe(Ae(jt)))).subscribe(([{items:l},{value:f}])=>{switch(l.length){case 0:a.textContent=f.length?Ee("search.result.none"):Ee("search.result.placeholder");break;case 
1:a.textContent=Ee("search.result.one");break;default:let u=sr(l.length);a.textContent=Ee("search.result.other",u)}});let p=o.pipe(w(()=>s.innerHTML=""),v(({items:l})=>O(I(...l.slice(0,10)),I(...l.slice(10)).pipe(Be(4),Vr(n),v(([f])=>f)))),m(Mn),pe());return p.subscribe(l=>s.appendChild(l)),p.pipe(ne(l=>{let f=fe("details",l);return typeof f=="undefined"?S:h(f,"toggle").pipe(W(o),m(()=>f))})).subscribe(l=>{l.open===!1&&l.offsetTop<=i.scrollTop&&i.scrollTo({top:l.offsetTop})}),t.pipe(b(dr),m(({data:l})=>l)).pipe(w(l=>o.next(l)),_(()=>o.complete()),m(l=>$({ref:e},l)))}function ms(e,{query$:t}){return t.pipe(m(({value:r})=>{let o=ye();return o.hash="",r=r.replace(/\s+/g,"+").replace(/&/g,"%26").replace(/=/g,"%3D"),o.search=`q=${r}`,{url:o}}))}function mi(e,t){let r=new g,o=r.pipe(Z(),ie(!0));return r.subscribe(({url:n})=>{e.setAttribute("data-clipboard-text",e.href),e.href=`${n}`}),h(e,"click").pipe(W(o)).subscribe(n=>n.preventDefault()),ms(e,t).pipe(w(n=>r.next(n)),_(()=>r.complete()),m(n=>$({ref:e},n)))}function fi(e,{worker$:t,keyboard$:r}){let o=new g,n=Se("search-query"),i=O(h(n,"keydown"),h(n,"focus")).pipe(ve(se),m(()=>n.value),K());return o.pipe(He(i),m(([{suggest:s},p])=>{let c=p.split(/([\s-]+)/);if(s!=null&&s.length&&c[c.length-1]){let l=s[s.length-1];l.startsWith(c[c.length-1])&&(c[c.length-1]=l)}else c.length=0;return c})).subscribe(s=>e.innerHTML=s.join("").replace(/\s/g," ")),r.pipe(b(({mode:s})=>s==="search")).subscribe(s=>{switch(s.type){case"ArrowRight":e.innerText.length&&n.selectionStart===n.value.length&&(n.value=e.innerText);break}}),t.pipe(b(dr),m(({data:s})=>s)).pipe(w(s=>o.next(s)),_(()=>o.complete()),m(()=>({ref:e})))}function ui(e,{index$:t,keyboard$:r}){let o=xe();try{let n=ai(o.search,t),i=Se("search-query",e),a=Se("search-result",e);h(e,"click").pipe(b(({target:p})=>p instanceof Element&&!!p.closest("a"))).subscribe(()=>Je("search",!1)),r.pipe(b(({mode:p})=>p==="search")).subscribe(p=>{let c=Ie();switch(p.type){case"Enter":if(c===i){let 
l=new Map;for(let f of P(":first-child [href]",a)){let u=f.firstElementChild;l.set(f,parseFloat(u.getAttribute("data-md-score")))}if(l.size){let[[f]]=[...l].sort(([,u],[,d])=>d-u);f.click()}p.claim()}break;case"Escape":case"Tab":Je("search",!1),i.blur();break;case"ArrowUp":case"ArrowDown":if(typeof c=="undefined")i.focus();else{let l=[i,...P(":not(details) > [href], summary, details[open] [href]",a)],f=Math.max(0,(Math.max(0,l.indexOf(c))+l.length+(p.type==="ArrowUp"?-1:1))%l.length);l[f].focus()}p.claim();break;default:i!==Ie()&&i.focus()}}),r.pipe(b(({mode:p})=>p==="global")).subscribe(p=>{switch(p.type){case"f":case"s":case"/":i.focus(),i.select(),p.claim();break}});let s=pi(i,{worker$:n});return O(s,li(a,{worker$:n,query$:s})).pipe(Re(...ae("search-share",e).map(p=>mi(p,{query$:s})),...ae("search-suggest",e).map(p=>fi(p,{worker$:n,keyboard$:r}))))}catch(n){return e.hidden=!0,Ye}}function di(e,{index$:t,location$:r}){return z([t,r.pipe(Q(ye()),b(o=>!!o.searchParams.get("h")))]).pipe(m(([o,n])=>ii(o.config)(n.searchParams.get("h"))),m(o=>{var a;let n=new Map,i=document.createNodeIterator(e,NodeFilter.SHOW_TEXT);for(let s=i.nextNode();s;s=i.nextNode())if((a=s.parentElement)!=null&&a.offsetHeight){let p=s.textContent,c=o(p);c.length>p.length&&n.set(s,c)}for(let[s,p]of n){let{childNodes:c}=x("span",null,p);s.replaceWith(...Array.from(c))}return{ref:e,nodes:n}}))}function fs(e,{viewport$:t,main$:r}){let o=e.closest(".md-grid"),n=o.offsetTop-o.parentElement.offsetTop;return z([r,t]).pipe(m(([{offset:i,height:a},{offset:{y:s}}])=>(a=a+Math.min(n,Math.max(0,s-i))-n,{height:a,locked:s>=i+n})),K((i,a)=>i.height===a.height&&i.locked===a.locked))}function Zr(e,o){var n=o,{header$:t}=n,r=so(n,["header$"]);let i=R(".md-sidebar__scrollwrap",e),{y:a}=Ve(i);return C(()=>{let s=new g,p=s.pipe(Z(),ie(!0)),c=s.pipe(Me(0,me));return 
c.pipe(re(t)).subscribe({next([{height:l},{height:f}]){i.style.height=`${l-2*a}px`,e.style.top=`${f}px`},complete(){i.style.height="",e.style.top=""}}),c.pipe(Ae()).subscribe(()=>{for(let l of P(".md-nav__link--active[href]",e)){if(!l.clientHeight)continue;let f=l.closest(".md-sidebar__scrollwrap");if(typeof f!="undefined"){let u=l.offsetTop-f.offsetTop,{height:d}=ce(f);f.scrollTo({top:u-d/2})}}}),ue(P("label[tabindex]",e)).pipe(ne(l=>h(l,"click").pipe(ve(se),m(()=>l),W(p)))).subscribe(l=>{let f=R(`[id="${l.htmlFor}"]`);R(`[aria-labelledby="${l.id}"]`).setAttribute("aria-expanded",`${f.checked}`)}),fs(e,r).pipe(w(l=>s.next(l)),_(()=>s.complete()),m(l=>$({ref:e},l)))})}function hi(e,t){if(typeof t!="undefined"){let r=`https://api.github.com/repos/${e}/${t}`;return st(je(`${r}/releases/latest`).pipe(de(()=>S),m(o=>({version:o.tag_name})),De({})),je(r).pipe(de(()=>S),m(o=>({stars:o.stargazers_count,forks:o.forks_count})),De({}))).pipe(m(([o,n])=>$($({},o),n)))}else{let r=`https://api.github.com/users/${e}`;return je(r).pipe(m(o=>({repositories:o.public_repos})),De({}))}}function bi(e,t){let r=`https://${e}/api/v4/projects/${encodeURIComponent(t)}`;return st(je(`${r}/releases/permalink/latest`).pipe(de(()=>S),m(({tag_name:o})=>({version:o})),De({})),je(r).pipe(de(()=>S),m(({star_count:o,forks_count:n})=>({stars:o,forks:n})),De({}))).pipe(m(([o,n])=>$($({},o),n)))}function vi(e){let t=e.match(/^.+github\.com\/([^/]+)\/?([^/]+)?/i);if(t){let[,r,o]=t;return hi(r,o)}if(t=e.match(/^.+?([^/]*gitlab[^/]+)\/(.+?)\/?$/i),t){let[,r,o]=t;return bi(r,o)}return S}var us;function ds(e){return us||(us=C(()=>{let t=__md_get("__source",sessionStorage);if(t)return I(t);if(ae("consent").length){let o=__md_get("__consent");if(!(o&&o.github))return S}return vi(e.href).pipe(w(o=>__md_set("__source",o,sessionStorage)))}).pipe(de(()=>S),b(t=>Object.keys(t).length>0),m(t=>({facts:t})),G(1)))}function gi(e){let t=R(":scope > :last-child",e);return C(()=>{let r=new g;return 
r.subscribe(({facts:o})=>{t.appendChild(_n(o)),t.classList.add("md-source__repository--active")}),ds(e).pipe(w(o=>r.next(o)),_(()=>r.complete()),m(o=>$({ref:e},o)))})}function hs(e,{viewport$:t,header$:r}){return ge(document.body).pipe(v(()=>mr(e,{header$:r,viewport$:t})),m(({offset:{y:o}})=>({hidden:o>=10})),ee("hidden"))}function yi(e,t){return C(()=>{let r=new g;return r.subscribe({next({hidden:o}){e.hidden=o},complete(){e.hidden=!1}}),(B("navigation.tabs.sticky")?I({hidden:!1}):hs(e,t)).pipe(w(o=>r.next(o)),_(()=>r.complete()),m(o=>$({ref:e},o)))})}function bs(e,{viewport$:t,header$:r}){let o=new Map,n=P(".md-nav__link",e);for(let s of n){let p=decodeURIComponent(s.hash.substring(1)),c=fe(`[id="${p}"]`);typeof c!="undefined"&&o.set(s,c)}let i=r.pipe(ee("height"),m(({height:s})=>{let p=Se("main"),c=R(":scope > :first-child",p);return s+.8*(c.offsetTop-p.offsetTop)}),pe());return ge(document.body).pipe(ee("height"),v(s=>C(()=>{let p=[];return I([...o].reduce((c,[l,f])=>{for(;p.length&&o.get(p[p.length-1]).tagName>=f.tagName;)p.pop();let u=f.offsetTop;for(;!u&&f.parentElement;)f=f.parentElement,u=f.offsetTop;let d=f.offsetParent;for(;d;d=d.offsetParent)u+=d.offsetTop;return c.set([...p=[...p,l]].reverse(),u)},new Map))}).pipe(m(p=>new Map([...p].sort(([,c],[,l])=>c-l))),He(i),v(([p,c])=>t.pipe(Fr(([l,f],{offset:{y:u},size:d})=>{let y=u+d.height>=Math.floor(s.height);for(;f.length;){let[,L]=f[0];if(L-c=u&&!y)f=[l.pop(),...f];else break}return[l,f]},[[],[...p]]),K((l,f)=>l[0]===f[0]&&l[1]===f[1])))))).pipe(m(([s,p])=>({prev:s.map(([c])=>c),next:p.map(([c])=>c)})),Q({prev:[],next:[]}),Be(2,1),m(([s,p])=>s.prev.length{let i=new g,a=i.pipe(Z(),ie(!0));if(i.subscribe(({prev:s,next:p})=>{for(let[c]of p)c.classList.remove("md-nav__link--passed"),c.classList.remove("md-nav__link--active");for(let[c,[l]]of s.entries())l.classList.add("md-nav__link--passed"),l.classList.toggle("md-nav__link--active",c===s.length-1)}),B("toc.follow")){let 
s=O(t.pipe(_e(1),m(()=>{})),t.pipe(_e(250),m(()=>"smooth")));i.pipe(b(({prev:p})=>p.length>0),He(o.pipe(ve(se))),re(s)).subscribe(([[{prev:p}],c])=>{let[l]=p[p.length-1];if(l.offsetHeight){let f=cr(l);if(typeof f!="undefined"){let u=l.offsetTop-f.offsetTop,{height:d}=ce(f);f.scrollTo({top:u-d/2,behavior:c})}}})}return B("navigation.tracking")&&t.pipe(W(a),ee("offset"),_e(250),Ce(1),W(n.pipe(Ce(1))),ct({delay:250}),re(i)).subscribe(([,{prev:s}])=>{let p=ye(),c=s[s.length-1];if(c&&c.length){let[l]=c,{hash:f}=new URL(l.href);p.hash!==f&&(p.hash=f,history.replaceState({},"",`${p}`))}else p.hash="",history.replaceState({},"",`${p}`)}),bs(e,{viewport$:t,header$:r}).pipe(w(s=>i.next(s)),_(()=>i.complete()),m(s=>$({ref:e},s)))})}function vs(e,{viewport$:t,main$:r,target$:o}){let n=t.pipe(m(({offset:{y:a}})=>a),Be(2,1),m(([a,s])=>a>s&&s>0),K()),i=r.pipe(m(({active:a})=>a));return z([i,n]).pipe(m(([a,s])=>!(a&&s)),K(),W(o.pipe(Ce(1))),ie(!0),ct({delay:250}),m(a=>({hidden:a})))}function Ei(e,{viewport$:t,header$:r,main$:o,target$:n}){let i=new g,a=i.pipe(Z(),ie(!0));return i.subscribe({next({hidden:s}){e.hidden=s,s?(e.setAttribute("tabindex","-1"),e.blur()):e.removeAttribute("tabindex")},complete(){e.style.top="",e.hidden=!0,e.removeAttribute("tabindex")}}),r.pipe(W(a),ee("height")).subscribe(({height:s})=>{e.style.top=`${s+16}px`}),h(e,"click").subscribe(s=>{s.preventDefault(),window.scrollTo({top:0})}),vs(e,{viewport$:t,main$:o,target$:n}).pipe(w(s=>i.next(s)),_(()=>i.complete()),m(s=>$({ref:e},s)))}function wi({document$:e,viewport$:t}){e.pipe(v(()=>P(".md-ellipsis")),ne(r=>tt(r).pipe(W(e.pipe(Ce(1))),b(o=>o),m(()=>r),Te(1))),b(r=>r.offsetWidth{let o=r.innerText,n=r.closest("a")||r;return n.title=o,B("content.tooltips")?mt(n,{viewport$:t}).pipe(W(e.pipe(Ce(1))),_(()=>n.removeAttribute("title"))):S})).subscribe(),B("content.tooltips")&&e.pipe(v(()=>P(".md-status")),ne(r=>mt(r,{viewport$:t}))).subscribe()}function 
Ti({document$:e,tablet$:t}){e.pipe(v(()=>P(".md-toggle--indeterminate")),w(r=>{r.indeterminate=!0,r.checked=!1}),ne(r=>h(r,"change").pipe(Dr(()=>r.classList.contains("md-toggle--indeterminate")),m(()=>r))),re(t)).subscribe(([r,o])=>{r.classList.remove("md-toggle--indeterminate"),o&&(r.checked=!1)})}function gs(){return/(iPad|iPhone|iPod)/.test(navigator.userAgent)}function Si({document$:e}){e.pipe(v(()=>P("[data-md-scrollfix]")),w(t=>t.removeAttribute("data-md-scrollfix")),b(gs),ne(t=>h(t,"touchstart").pipe(m(()=>t)))).subscribe(t=>{let r=t.scrollTop;r===0?t.scrollTop=1:r+t.offsetHeight===t.scrollHeight&&(t.scrollTop=r-1)})}function Oi({viewport$:e,tablet$:t}){z([ze("search"),t]).pipe(m(([r,o])=>r&&!o),v(r=>I(r).pipe(Ge(r?400:100))),re(e)).subscribe(([r,{offset:{y:o}}])=>{if(r)document.body.setAttribute("data-md-scrolllock",""),document.body.style.top=`-${o}px`;else{let n=-1*parseInt(document.body.style.top,10);document.body.removeAttribute("data-md-scrolllock"),document.body.style.top="",n&&window.scrollTo(0,n)}})}Object.entries||(Object.entries=function(e){let t=[];for(let r of Object.keys(e))t.push([r,e[r]]);return t});Object.values||(Object.values=function(e){let t=[];for(let r of Object.keys(e))t.push(e[r]);return t});typeof Element!="undefined"&&(Element.prototype.scrollTo||(Element.prototype.scrollTo=function(e,t){typeof e=="object"?(this.scrollLeft=e.left,this.scrollTop=e.top):(this.scrollLeft=e,this.scrollTop=t)}),Element.prototype.replaceWith||(Element.prototype.replaceWith=function(...e){let t=this.parentNode;if(t){e.length===0&&t.removeChild(this);for(let r=e.length-1;r>=0;r--){let o=e[r];typeof o=="string"?o=document.createTextNode(o):o.parentNode&&o.parentNode.removeChild(o),r?t.insertBefore(this.previousSibling,o):t.replaceChild(o,this)}}}));function ys(){return location.protocol==="file:"?Tt(`${new URL("search/search_index.js",eo.base)}`).pipe(m(()=>__index),G(1)):je(new 
URL("search/search_index.json",eo.base))}document.documentElement.classList.remove("no-js");document.documentElement.classList.add("js");var ot=Go(),Ut=sn(),Lt=ln(Ut),to=an(),Oe=gn(),hr=Pt("(min-width: 960px)"),Mi=Pt("(min-width: 1220px)"),_i=mn(),eo=xe(),Ai=document.forms.namedItem("search")?ys():Ye,ro=new g;Zn({alert$:ro});var oo=new g;B("navigation.instant")&&oi({location$:Ut,viewport$:Oe,progress$:oo}).subscribe(ot);var Li;((Li=eo.version)==null?void 0:Li.provider)==="mike"&&ci({document$:ot});O(Ut,Lt).pipe(Ge(125)).subscribe(()=>{Je("drawer",!1),Je("search",!1)});to.pipe(b(({mode:e})=>e==="global")).subscribe(e=>{switch(e.type){case"p":case",":let t=fe("link[rel=prev]");typeof t!="undefined"&<(t);break;case"n":case".":let r=fe("link[rel=next]");typeof r!="undefined"&<(r);break;case"Enter":let o=Ie();o instanceof HTMLLabelElement&&o.click()}});wi({viewport$:Oe,document$:ot});Ti({document$:ot,tablet$:hr});Si({document$:ot});Oi({viewport$:Oe,tablet$:hr});var rt=Kn(Se("header"),{viewport$:Oe}),Ft=ot.pipe(m(()=>Se("main")),v(e=>Gn(e,{viewport$:Oe,header$:rt})),G(1)),xs=O(...ae("consent").map(e=>En(e,{target$:Lt})),...ae("dialog").map(e=>qn(e,{alert$:ro})),...ae("palette").map(e=>Jn(e)),...ae("progress").map(e=>Xn(e,{progress$:oo})),...ae("search").map(e=>ui(e,{index$:Ai,keyboard$:to})),...ae("source").map(e=>gi(e))),Es=C(()=>O(...ae("announce").map(e=>xn(e)),...ae("content").map(e=>zn(e,{viewport$:Oe,target$:Lt,print$:_i})),...ae("content").map(e=>B("search.highlight")?di(e,{index$:Ai,location$:Ut}):S),...ae("header").map(e=>Yn(e,{viewport$:Oe,header$:rt,main$:Ft})),...ae("header-title").map(e=>Bn(e,{viewport$:Oe,header$:rt})),...ae("sidebar").map(e=>e.getAttribute("data-md-type")==="navigation"?Nr(Mi,()=>Zr(e,{viewport$:Oe,header$:rt,main$:Ft})):Nr(hr,()=>Zr(e,{viewport$:Oe,header$:rt,main$:Ft}))),...ae("tabs").map(e=>yi(e,{viewport$:Oe,header$:rt})),...ae("toc").map(e=>xi(e,{viewport$:Oe,header$:rt,main$:Ft,target$:Lt})),...ae("top").map(e=>Ei(e,{viewport$:Oe,head
er$:rt,main$:Ft,target$:Lt})))),Ci=ot.pipe(v(()=>Es),Re(xs),G(1));Ci.subscribe();window.document$=ot;window.location$=Ut;window.target$=Lt;window.keyboard$=to;window.viewport$=Oe;window.tablet$=hr;window.screen$=Mi;window.print$=_i;window.alert$=ro;window.progress$=oo;window.component$=Ci;})(); +//# sourceMappingURL=bundle.88dd0f4e.min.js.map + diff --git a/assets/javascripts/bundle.88dd0f4e.min.js.map b/assets/javascripts/bundle.88dd0f4e.min.js.map new file mode 100644 index 000000000..dab2a8754 --- /dev/null +++ b/assets/javascripts/bundle.88dd0f4e.min.js.map 
@@ -0,0 +1,7 @@ +{ + "version": 3, + "sources": ["node_modules/focus-visible/dist/focus-visible.js", "node_modules/escape-html/index.js", "node_modules/clipboard/dist/clipboard.js", "src/templates/assets/javascripts/bundle.ts", "node_modules/tslib/tslib.es6.mjs", "node_modules/rxjs/src/internal/util/isFunction.ts", "node_modules/rxjs/src/internal/util/createErrorClass.ts", "node_modules/rxjs/src/internal/util/UnsubscriptionError.ts", "node_modules/rxjs/src/internal/util/arrRemove.ts", "node_modules/rxjs/src/internal/Subscription.ts", "node_modules/rxjs/src/internal/config.ts", "node_modules/rxjs/src/internal/scheduler/timeoutProvider.ts", "node_modules/rxjs/src/internal/util/reportUnhandledError.ts", "node_modules/rxjs/src/internal/util/noop.ts", "node_modules/rxjs/src/internal/NotificationFactories.ts", "node_modules/rxjs/src/internal/util/errorContext.ts", "node_modules/rxjs/src/internal/Subscriber.ts", "node_modules/rxjs/src/internal/symbol/observable.ts", "node_modules/rxjs/src/internal/util/identity.ts", "node_modules/rxjs/src/internal/util/pipe.ts", "node_modules/rxjs/src/internal/Observable.ts", "node_modules/rxjs/src/internal/util/lift.ts", "node_modules/rxjs/src/internal/operators/OperatorSubscriber.ts", "node_modules/rxjs/src/internal/scheduler/animationFrameProvider.ts", "node_modules/rxjs/src/internal/util/ObjectUnsubscribedError.ts", "node_modules/rxjs/src/internal/Subject.ts", "node_modules/rxjs/src/internal/BehaviorSubject.ts", "node_modules/rxjs/src/internal/scheduler/dateTimestampProvider.ts", "node_modules/rxjs/src/internal/ReplaySubject.ts", "node_modules/rxjs/src/internal/scheduler/Action.ts", "node_modules/rxjs/src/internal/scheduler/intervalProvider.ts", "node_modules/rxjs/src/internal/scheduler/AsyncAction.ts", "node_modules/rxjs/src/internal/Scheduler.ts", "node_modules/rxjs/src/internal/scheduler/AsyncScheduler.ts", "node_modules/rxjs/src/internal/scheduler/async.ts", "node_modules/rxjs/src/internal/scheduler/QueueAction.ts", 
"node_modules/rxjs/src/internal/scheduler/QueueScheduler.ts", "node_modules/rxjs/src/internal/scheduler/queue.ts", "node_modules/rxjs/src/internal/scheduler/AnimationFrameAction.ts", "node_modules/rxjs/src/internal/scheduler/AnimationFrameScheduler.ts", "node_modules/rxjs/src/internal/scheduler/animationFrame.ts", "node_modules/rxjs/src/internal/observable/empty.ts", "node_modules/rxjs/src/internal/util/isScheduler.ts", "node_modules/rxjs/src/internal/util/args.ts", "node_modules/rxjs/src/internal/util/isArrayLike.ts", "node_modules/rxjs/src/internal/util/isPromise.ts", "node_modules/rxjs/src/internal/util/isInteropObservable.ts", "node_modules/rxjs/src/internal/util/isAsyncIterable.ts", "node_modules/rxjs/src/internal/util/throwUnobservableError.ts", "node_modules/rxjs/src/internal/symbol/iterator.ts", "node_modules/rxjs/src/internal/util/isIterable.ts", "node_modules/rxjs/src/internal/util/isReadableStreamLike.ts", "node_modules/rxjs/src/internal/observable/innerFrom.ts", "node_modules/rxjs/src/internal/util/executeSchedule.ts", "node_modules/rxjs/src/internal/operators/observeOn.ts", "node_modules/rxjs/src/internal/operators/subscribeOn.ts", "node_modules/rxjs/src/internal/scheduled/scheduleObservable.ts", "node_modules/rxjs/src/internal/scheduled/schedulePromise.ts", "node_modules/rxjs/src/internal/scheduled/scheduleArray.ts", "node_modules/rxjs/src/internal/scheduled/scheduleIterable.ts", "node_modules/rxjs/src/internal/scheduled/scheduleAsyncIterable.ts", "node_modules/rxjs/src/internal/scheduled/scheduleReadableStreamLike.ts", "node_modules/rxjs/src/internal/scheduled/scheduled.ts", "node_modules/rxjs/src/internal/observable/from.ts", "node_modules/rxjs/src/internal/observable/of.ts", "node_modules/rxjs/src/internal/observable/throwError.ts", "node_modules/rxjs/src/internal/util/EmptyError.ts", "node_modules/rxjs/src/internal/util/isDate.ts", "node_modules/rxjs/src/internal/operators/map.ts", "node_modules/rxjs/src/internal/util/mapOneOrManyArgs.ts", 
"node_modules/rxjs/src/internal/util/argsArgArrayOrObject.ts", "node_modules/rxjs/src/internal/util/createObject.ts", "node_modules/rxjs/src/internal/observable/combineLatest.ts", "node_modules/rxjs/src/internal/operators/mergeInternals.ts", "node_modules/rxjs/src/internal/operators/mergeMap.ts", "node_modules/rxjs/src/internal/operators/mergeAll.ts", "node_modules/rxjs/src/internal/operators/concatAll.ts", "node_modules/rxjs/src/internal/observable/concat.ts", "node_modules/rxjs/src/internal/observable/defer.ts", "node_modules/rxjs/src/internal/observable/fromEvent.ts", "node_modules/rxjs/src/internal/observable/fromEventPattern.ts", "node_modules/rxjs/src/internal/observable/timer.ts", "node_modules/rxjs/src/internal/observable/merge.ts", "node_modules/rxjs/src/internal/observable/never.ts", "node_modules/rxjs/src/internal/util/argsOrArgArray.ts", "node_modules/rxjs/src/internal/operators/filter.ts", "node_modules/rxjs/src/internal/observable/zip.ts", "node_modules/rxjs/src/internal/operators/audit.ts", "node_modules/rxjs/src/internal/operators/auditTime.ts", "node_modules/rxjs/src/internal/operators/bufferCount.ts", "node_modules/rxjs/src/internal/operators/catchError.ts", "node_modules/rxjs/src/internal/operators/scanInternals.ts", "node_modules/rxjs/src/internal/operators/combineLatest.ts", "node_modules/rxjs/src/internal/operators/combineLatestWith.ts", "node_modules/rxjs/src/internal/operators/debounce.ts", "node_modules/rxjs/src/internal/operators/debounceTime.ts", "node_modules/rxjs/src/internal/operators/defaultIfEmpty.ts", "node_modules/rxjs/src/internal/operators/take.ts", "node_modules/rxjs/src/internal/operators/ignoreElements.ts", "node_modules/rxjs/src/internal/operators/mapTo.ts", "node_modules/rxjs/src/internal/operators/delayWhen.ts", "node_modules/rxjs/src/internal/operators/delay.ts", "node_modules/rxjs/src/internal/operators/distinctUntilChanged.ts", "node_modules/rxjs/src/internal/operators/distinctUntilKeyChanged.ts", 
"node_modules/rxjs/src/internal/operators/throwIfEmpty.ts", "node_modules/rxjs/src/internal/operators/endWith.ts", "node_modules/rxjs/src/internal/operators/finalize.ts", "node_modules/rxjs/src/internal/operators/first.ts", "node_modules/rxjs/src/internal/operators/takeLast.ts", "node_modules/rxjs/src/internal/operators/merge.ts", "node_modules/rxjs/src/internal/operators/mergeWith.ts", "node_modules/rxjs/src/internal/operators/repeat.ts", "node_modules/rxjs/src/internal/operators/scan.ts", "node_modules/rxjs/src/internal/operators/share.ts", "node_modules/rxjs/src/internal/operators/shareReplay.ts", "node_modules/rxjs/src/internal/operators/skip.ts", "node_modules/rxjs/src/internal/operators/skipUntil.ts", "node_modules/rxjs/src/internal/operators/startWith.ts", "node_modules/rxjs/src/internal/operators/switchMap.ts", "node_modules/rxjs/src/internal/operators/takeUntil.ts", "node_modules/rxjs/src/internal/operators/takeWhile.ts", "node_modules/rxjs/src/internal/operators/tap.ts", "node_modules/rxjs/src/internal/operators/throttle.ts", "node_modules/rxjs/src/internal/operators/throttleTime.ts", "node_modules/rxjs/src/internal/operators/withLatestFrom.ts", "node_modules/rxjs/src/internal/operators/zip.ts", "node_modules/rxjs/src/internal/operators/zipWith.ts", "src/templates/assets/javascripts/browser/document/index.ts", "src/templates/assets/javascripts/browser/element/_/index.ts", "src/templates/assets/javascripts/browser/element/focus/index.ts", "src/templates/assets/javascripts/browser/element/hover/index.ts", "src/templates/assets/javascripts/utilities/h/index.ts", "src/templates/assets/javascripts/utilities/round/index.ts", "src/templates/assets/javascripts/browser/script/index.ts", "src/templates/assets/javascripts/browser/element/size/_/index.ts", "src/templates/assets/javascripts/browser/element/size/content/index.ts", "src/templates/assets/javascripts/browser/element/offset/_/index.ts", 
"src/templates/assets/javascripts/browser/element/offset/content/index.ts", "src/templates/assets/javascripts/browser/element/visibility/index.ts", "src/templates/assets/javascripts/browser/toggle/index.ts", "src/templates/assets/javascripts/browser/keyboard/index.ts", "src/templates/assets/javascripts/browser/location/_/index.ts", "src/templates/assets/javascripts/browser/location/hash/index.ts", "src/templates/assets/javascripts/browser/media/index.ts", "src/templates/assets/javascripts/browser/request/index.ts", "src/templates/assets/javascripts/browser/viewport/offset/index.ts", "src/templates/assets/javascripts/browser/viewport/size/index.ts", "src/templates/assets/javascripts/browser/viewport/_/index.ts", "src/templates/assets/javascripts/browser/viewport/at/index.ts", "src/templates/assets/javascripts/browser/worker/index.ts", "src/templates/assets/javascripts/_/index.ts", "src/templates/assets/javascripts/components/_/index.ts", "src/templates/assets/javascripts/components/announce/index.ts", "src/templates/assets/javascripts/components/consent/index.ts", "src/templates/assets/javascripts/templates/tooltip/index.tsx", "src/templates/assets/javascripts/templates/annotation/index.tsx", "src/templates/assets/javascripts/templates/clipboard/index.tsx", "src/templates/assets/javascripts/templates/search/index.tsx", "src/templates/assets/javascripts/templates/source/index.tsx", "src/templates/assets/javascripts/templates/tabbed/index.tsx", "src/templates/assets/javascripts/templates/table/index.tsx", "src/templates/assets/javascripts/templates/version/index.tsx", "src/templates/assets/javascripts/components/tooltip2/index.ts", "src/templates/assets/javascripts/components/content/annotation/_/index.ts", "src/templates/assets/javascripts/components/content/annotation/list/index.ts", "src/templates/assets/javascripts/components/content/annotation/block/index.ts", "src/templates/assets/javascripts/components/content/code/_/index.ts", 
"src/templates/assets/javascripts/components/content/details/index.ts", "src/templates/assets/javascripts/components/content/mermaid/index.css", "src/templates/assets/javascripts/components/content/mermaid/index.ts", "src/templates/assets/javascripts/components/content/table/index.ts", "src/templates/assets/javascripts/components/content/tabs/index.ts", "src/templates/assets/javascripts/components/content/_/index.ts", "src/templates/assets/javascripts/components/dialog/index.ts", "src/templates/assets/javascripts/components/tooltip/index.ts", "src/templates/assets/javascripts/components/header/_/index.ts", "src/templates/assets/javascripts/components/header/title/index.ts", "src/templates/assets/javascripts/components/main/index.ts", "src/templates/assets/javascripts/components/palette/index.ts", "src/templates/assets/javascripts/components/progress/index.ts", "src/templates/assets/javascripts/integrations/clipboard/index.ts", "src/templates/assets/javascripts/integrations/sitemap/index.ts", "src/templates/assets/javascripts/integrations/instant/index.ts", "src/templates/assets/javascripts/integrations/search/highlighter/index.ts", "src/templates/assets/javascripts/integrations/search/worker/message/index.ts", "src/templates/assets/javascripts/integrations/search/worker/_/index.ts", "src/templates/assets/javascripts/integrations/version/findurl/index.ts", "src/templates/assets/javascripts/integrations/version/index.ts", "src/templates/assets/javascripts/components/search/query/index.ts", "src/templates/assets/javascripts/components/search/result/index.ts", "src/templates/assets/javascripts/components/search/share/index.ts", "src/templates/assets/javascripts/components/search/suggest/index.ts", "src/templates/assets/javascripts/components/search/_/index.ts", "src/templates/assets/javascripts/components/search/highlight/index.ts", "src/templates/assets/javascripts/components/sidebar/index.ts", 
"src/templates/assets/javascripts/components/source/facts/github/index.ts", "src/templates/assets/javascripts/components/source/facts/gitlab/index.ts", "src/templates/assets/javascripts/components/source/facts/_/index.ts", "src/templates/assets/javascripts/components/source/_/index.ts", "src/templates/assets/javascripts/components/tabs/index.ts", "src/templates/assets/javascripts/components/toc/index.ts", "src/templates/assets/javascripts/components/top/index.ts", "src/templates/assets/javascripts/patches/ellipsis/index.ts", "src/templates/assets/javascripts/patches/indeterminate/index.ts", "src/templates/assets/javascripts/patches/scrollfix/index.ts", "src/templates/assets/javascripts/patches/scrolllock/index.ts", "src/templates/assets/javascripts/polyfills/index.ts"], + "sourcesContent": ["(function (global, factory) {\n typeof exports === 'object' && typeof module !== 'undefined' ? factory() :\n typeof define === 'function' && define.amd ? define(factory) :\n (factory());\n}(this, (function () { 'use strict';\n\n /**\n * Applies the :focus-visible polyfill at the given scope.\n * A scope in this case is either the top-level Document or a Shadow Root.\n *\n * @param {(Document|ShadowRoot)} scope\n * @see https://github.com/WICG/focus-visible\n */\n function applyFocusVisiblePolyfill(scope) {\n var hadKeyboardEvent = true;\n var hadFocusVisibleRecently = false;\n var hadFocusVisibleRecentlyTimeout = null;\n\n var inputTypesAllowlist = {\n text: true,\n search: true,\n url: true,\n tel: true,\n email: true,\n password: true,\n number: true,\n date: true,\n month: true,\n week: true,\n time: true,\n datetime: true,\n 'datetime-local': true\n };\n\n /**\n * Helper function for legacy browsers and iframes which sometimes focus\n * elements like document, body, and non-interactive SVG.\n * @param {Element} el\n */\n function isValidFocusTarget(el) {\n if (\n el &&\n el !== document &&\n el.nodeName !== 'HTML' &&\n el.nodeName !== 'BODY' &&\n 'classList' in el &&\n 
'contains' in el.classList\n ) {\n return true;\n }\n return false;\n }\n\n /**\n * Computes whether the given element should automatically trigger the\n * `focus-visible` class being added, i.e. whether it should always match\n * `:focus-visible` when focused.\n * @param {Element} el\n * @return {boolean}\n */\n function focusTriggersKeyboardModality(el) {\n var type = el.type;\n var tagName = el.tagName;\n\n if (tagName === 'INPUT' && inputTypesAllowlist[type] && !el.readOnly) {\n return true;\n }\n\n if (tagName === 'TEXTAREA' && !el.readOnly) {\n return true;\n }\n\n if (el.isContentEditable) {\n return true;\n }\n\n return false;\n }\n\n /**\n * Add the `focus-visible` class to the given element if it was not added by\n * the author.\n * @param {Element} el\n */\n function addFocusVisibleClass(el) {\n if (el.classList.contains('focus-visible')) {\n return;\n }\n el.classList.add('focus-visible');\n el.setAttribute('data-focus-visible-added', '');\n }\n\n /**\n * Remove the `focus-visible` class from the given element if it was not\n * originally added by the author.\n * @param {Element} el\n */\n function removeFocusVisibleClass(el) {\n if (!el.hasAttribute('data-focus-visible-added')) {\n return;\n }\n el.classList.remove('focus-visible');\n el.removeAttribute('data-focus-visible-added');\n }\n\n /**\n * If the most recent user interaction was via the keyboard;\n * and the key press did not include a meta, alt/option, or control key;\n * then the modality is keyboard. 
Otherwise, the modality is not keyboard.\n * Apply `focus-visible` to any current active element and keep track\n * of our keyboard modality state with `hadKeyboardEvent`.\n * @param {KeyboardEvent} e\n */\n function onKeyDown(e) {\n if (e.metaKey || e.altKey || e.ctrlKey) {\n return;\n }\n\n if (isValidFocusTarget(scope.activeElement)) {\n addFocusVisibleClass(scope.activeElement);\n }\n\n hadKeyboardEvent = true;\n }\n\n /**\n * If at any point a user clicks with a pointing device, ensure that we change\n * the modality away from keyboard.\n * This avoids the situation where a user presses a key on an already focused\n * element, and then clicks on a different element, focusing it with a\n * pointing device, while we still think we're in keyboard modality.\n * @param {Event} e\n */\n function onPointerDown(e) {\n hadKeyboardEvent = false;\n }\n\n /**\n * On `focus`, add the `focus-visible` class to the target if:\n * - the target received focus as a result of keyboard navigation, or\n * - the event target is an element that will likely require interaction\n * via the keyboard (e.g. 
a text box)\n * @param {Event} e\n */\n function onFocus(e) {\n // Prevent IE from focusing the document or HTML element.\n if (!isValidFocusTarget(e.target)) {\n return;\n }\n\n if (hadKeyboardEvent || focusTriggersKeyboardModality(e.target)) {\n addFocusVisibleClass(e.target);\n }\n }\n\n /**\n * On `blur`, remove the `focus-visible` class from the target.\n * @param {Event} e\n */\n function onBlur(e) {\n if (!isValidFocusTarget(e.target)) {\n return;\n }\n\n if (\n e.target.classList.contains('focus-visible') ||\n e.target.hasAttribute('data-focus-visible-added')\n ) {\n // To detect a tab/window switch, we look for a blur event followed\n // rapidly by a visibility change.\n // If we don't see a visibility change within 100ms, it's probably a\n // regular focus change.\n hadFocusVisibleRecently = true;\n window.clearTimeout(hadFocusVisibleRecentlyTimeout);\n hadFocusVisibleRecentlyTimeout = window.setTimeout(function() {\n hadFocusVisibleRecently = false;\n }, 100);\n removeFocusVisibleClass(e.target);\n }\n }\n\n /**\n * If the user changes tabs, keep track of whether or not the previously\n * focused element had .focus-visible.\n * @param {Event} e\n */\n function onVisibilityChange(e) {\n if (document.visibilityState === 'hidden') {\n // If the tab becomes active again, the browser will handle calling focus\n // on the element (Safari actually calls it twice).\n // If this tab change caused a blur on an element with focus-visible,\n // re-apply the class when the user switches back to the tab.\n if (hadFocusVisibleRecently) {\n hadKeyboardEvent = true;\n }\n addInitialPointerMoveListeners();\n }\n }\n\n /**\n * Add a group of listeners to detect usage of any pointing devices.\n * These listeners will be added when the polyfill first loads, and anytime\n * the window is blurred, so that they are active when the window regains\n * focus.\n */\n function addInitialPointerMoveListeners() {\n document.addEventListener('mousemove', onInitialPointerMove);\n 
document.addEventListener('mousedown', onInitialPointerMove);\n document.addEventListener('mouseup', onInitialPointerMove);\n document.addEventListener('pointermove', onInitialPointerMove);\n document.addEventListener('pointerdown', onInitialPointerMove);\n document.addEventListener('pointerup', onInitialPointerMove);\n document.addEventListener('touchmove', onInitialPointerMove);\n document.addEventListener('touchstart', onInitialPointerMove);\n document.addEventListener('touchend', onInitialPointerMove);\n }\n\n function removeInitialPointerMoveListeners() {\n document.removeEventListener('mousemove', onInitialPointerMove);\n document.removeEventListener('mousedown', onInitialPointerMove);\n document.removeEventListener('mouseup', onInitialPointerMove);\n document.removeEventListener('pointermove', onInitialPointerMove);\n document.removeEventListener('pointerdown', onInitialPointerMove);\n document.removeEventListener('pointerup', onInitialPointerMove);\n document.removeEventListener('touchmove', onInitialPointerMove);\n document.removeEventListener('touchstart', onInitialPointerMove);\n document.removeEventListener('touchend', onInitialPointerMove);\n }\n\n /**\n * When the polfyill first loads, assume the user is in keyboard modality.\n * If any event is received from a pointing device (e.g. mouse, pointer,\n * touch), turn off keyboard modality.\n * This accounts for situations where focus enters the page from the URL bar.\n * @param {Event} e\n */\n function onInitialPointerMove(e) {\n // Work around a Safari quirk that fires a mousemove on whenever the\n // window blurs, even if you're tabbing out of the page. \u00AF\\_(\u30C4)_/\u00AF\n if (e.target.nodeName && e.target.nodeName.toLowerCase() === 'html') {\n return;\n }\n\n hadKeyboardEvent = false;\n removeInitialPointerMoveListeners();\n }\n\n // For some kinds of state, we are interested in changes at the global scope\n // only. 
For example, global pointer input, global key presses and global\n // visibility change should affect the state at every scope:\n document.addEventListener('keydown', onKeyDown, true);\n document.addEventListener('mousedown', onPointerDown, true);\n document.addEventListener('pointerdown', onPointerDown, true);\n document.addEventListener('touchstart', onPointerDown, true);\n document.addEventListener('visibilitychange', onVisibilityChange, true);\n\n addInitialPointerMoveListeners();\n\n // For focus and blur, we specifically care about state changes in the local\n // scope. This is because focus / blur events that originate from within a\n // shadow root are not re-dispatched from the host element if it was already\n // the active element in its own scope:\n scope.addEventListener('focus', onFocus, true);\n scope.addEventListener('blur', onBlur, true);\n\n // We detect that a node is a ShadowRoot by ensuring that it is a\n // DocumentFragment and also has a host property. This check covers native\n // implementation and polyfill implementation transparently. If we only cared\n // about the native implementation, we could just check if the scope was\n // an instance of a ShadowRoot.\n if (scope.nodeType === Node.DOCUMENT_FRAGMENT_NODE && scope.host) {\n // Since a ShadowRoot is a special kind of DocumentFragment, it does not\n // have a root element to add a class to. 
So, we add this attribute to the\n // host element instead:\n scope.host.setAttribute('data-js-focus-visible', '');\n } else if (scope.nodeType === Node.DOCUMENT_NODE) {\n document.documentElement.classList.add('js-focus-visible');\n document.documentElement.setAttribute('data-js-focus-visible', '');\n }\n }\n\n // It is important to wrap all references to global window and document in\n // these checks to support server-side rendering use cases\n // @see https://github.com/WICG/focus-visible/issues/199\n if (typeof window !== 'undefined' && typeof document !== 'undefined') {\n // Make the polyfill helper globally available. This can be used as a signal\n // to interested libraries that wish to coordinate with the polyfill for e.g.,\n // applying the polyfill to a shadow root:\n window.applyFocusVisiblePolyfill = applyFocusVisiblePolyfill;\n\n // Notify interested libraries of the polyfill's presence, in case the\n // polyfill was loaded lazily:\n var event;\n\n try {\n event = new CustomEvent('focus-visible-polyfill-ready');\n } catch (error) {\n // IE11 does not support using CustomEvent as a constructor directly:\n event = document.createEvent('CustomEvent');\n event.initCustomEvent('focus-visible-polyfill-ready', false, false, {});\n }\n\n window.dispatchEvent(event);\n }\n\n if (typeof document !== 'undefined') {\n // Apply the polyfill to the global document, so that no JavaScript\n // coordination is required to use the polyfill in the top-level document:\n applyFocusVisiblePolyfill(document);\n }\n\n})));\n", "/*!\n * escape-html\n * Copyright(c) 2012-2013 TJ Holowaychuk\n * Copyright(c) 2015 Andreas Lubbe\n * Copyright(c) 2015 Tiancheng \"Timothy\" Gu\n * MIT Licensed\n */\n\n'use strict';\n\n/**\n * Module variables.\n * @private\n */\n\nvar matchHtmlRegExp = /[\"'&<>]/;\n\n/**\n * Module exports.\n * @public\n */\n\nmodule.exports = escapeHtml;\n\n/**\n * Escape special characters in the given string of html.\n *\n * @param {string} string The string to 
escape for inserting into HTML\n * @return {string}\n * @public\n */\n\nfunction escapeHtml(string) {\n var str = '' + string;\n var match = matchHtmlRegExp.exec(str);\n\n if (!match) {\n return str;\n }\n\n var escape;\n var html = '';\n var index = 0;\n var lastIndex = 0;\n\n for (index = match.index; index < str.length; index++) {\n switch (str.charCodeAt(index)) {\n case 34: // \"\n escape = '"';\n break;\n case 38: // &\n escape = '&';\n break;\n case 39: // '\n escape = ''';\n break;\n case 60: // <\n escape = '<';\n break;\n case 62: // >\n escape = '>';\n break;\n default:\n continue;\n }\n\n if (lastIndex !== index) {\n html += str.substring(lastIndex, index);\n }\n\n lastIndex = index + 1;\n html += escape;\n }\n\n return lastIndex !== index\n ? html + str.substring(lastIndex, index)\n : html;\n}\n", "/*!\n * clipboard.js v2.0.11\n * https://clipboardjs.com/\n *\n * Licensed MIT \u00A9 Zeno Rocha\n */\n(function webpackUniversalModuleDefinition(root, factory) {\n\tif(typeof exports === 'object' && typeof module === 'object')\n\t\tmodule.exports = factory();\n\telse if(typeof define === 'function' && define.amd)\n\t\tdefine([], factory);\n\telse if(typeof exports === 'object')\n\t\texports[\"ClipboardJS\"] = factory();\n\telse\n\t\troot[\"ClipboardJS\"] = factory();\n})(this, function() {\nreturn /******/ (function() { // webpackBootstrap\n/******/ \tvar __webpack_modules__ = ({\n\n/***/ 686:\n/***/ (function(__unused_webpack_module, __webpack_exports__, __webpack_require__) {\n\n\"use strict\";\n\n// EXPORTS\n__webpack_require__.d(__webpack_exports__, {\n \"default\": function() { return /* binding */ clipboard; }\n});\n\n// EXTERNAL MODULE: ./node_modules/tiny-emitter/index.js\nvar tiny_emitter = __webpack_require__(279);\nvar tiny_emitter_default = /*#__PURE__*/__webpack_require__.n(tiny_emitter);\n// EXTERNAL MODULE: ./node_modules/good-listener/src/listen.js\nvar listen = __webpack_require__(370);\nvar listen_default = 
/*#__PURE__*/__webpack_require__.n(listen);\n// EXTERNAL MODULE: ./node_modules/select/src/select.js\nvar src_select = __webpack_require__(817);\nvar select_default = /*#__PURE__*/__webpack_require__.n(src_select);\n;// CONCATENATED MODULE: ./src/common/command.js\n/**\n * Executes a given operation type.\n * @param {String} type\n * @return {Boolean}\n */\nfunction command(type) {\n try {\n return document.execCommand(type);\n } catch (err) {\n return false;\n }\n}\n;// CONCATENATED MODULE: ./src/actions/cut.js\n\n\n/**\n * Cut action wrapper.\n * @param {String|HTMLElement} target\n * @return {String}\n */\n\nvar ClipboardActionCut = function ClipboardActionCut(target) {\n var selectedText = select_default()(target);\n command('cut');\n return selectedText;\n};\n\n/* harmony default export */ var actions_cut = (ClipboardActionCut);\n;// CONCATENATED MODULE: ./src/common/create-fake-element.js\n/**\n * Creates a fake textarea element with a value.\n * @param {String} value\n * @return {HTMLElement}\n */\nfunction createFakeElement(value) {\n var isRTL = document.documentElement.getAttribute('dir') === 'rtl';\n var fakeElement = document.createElement('textarea'); // Prevent zooming on iOS\n\n fakeElement.style.fontSize = '12pt'; // Reset box model\n\n fakeElement.style.border = '0';\n fakeElement.style.padding = '0';\n fakeElement.style.margin = '0'; // Move element out of screen horizontally\n\n fakeElement.style.position = 'absolute';\n fakeElement.style[isRTL ? 
'right' : 'left'] = '-9999px'; // Move element to the same position vertically\n\n var yPosition = window.pageYOffset || document.documentElement.scrollTop;\n fakeElement.style.top = \"\".concat(yPosition, \"px\");\n fakeElement.setAttribute('readonly', '');\n fakeElement.value = value;\n return fakeElement;\n}\n;// CONCATENATED MODULE: ./src/actions/copy.js\n\n\n\n/**\n * Create fake copy action wrapper using a fake element.\n * @param {String} target\n * @param {Object} options\n * @return {String}\n */\n\nvar fakeCopyAction = function fakeCopyAction(value, options) {\n var fakeElement = createFakeElement(value);\n options.container.appendChild(fakeElement);\n var selectedText = select_default()(fakeElement);\n command('copy');\n fakeElement.remove();\n return selectedText;\n};\n/**\n * Copy action wrapper.\n * @param {String|HTMLElement} target\n * @param {Object} options\n * @return {String}\n */\n\n\nvar ClipboardActionCopy = function ClipboardActionCopy(target) {\n var options = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {\n container: document.body\n };\n var selectedText = '';\n\n if (typeof target === 'string') {\n selectedText = fakeCopyAction(target, options);\n } else if (target instanceof HTMLInputElement && !['text', 'search', 'url', 'tel', 'password'].includes(target === null || target === void 0 ? void 0 : target.type)) {\n // If input type doesn't support `setSelectionRange`. Simulate it. 
https://developer.mozilla.org/en-US/docs/Web/API/HTMLInputElement/setSelectionRange\n selectedText = fakeCopyAction(target.value, options);\n } else {\n selectedText = select_default()(target);\n command('copy');\n }\n\n return selectedText;\n};\n\n/* harmony default export */ var actions_copy = (ClipboardActionCopy);\n;// CONCATENATED MODULE: ./src/actions/default.js\nfunction _typeof(obj) { \"@babel/helpers - typeof\"; if (typeof Symbol === \"function\" && typeof Symbol.iterator === \"symbol\") { _typeof = function _typeof(obj) { return typeof obj; }; } else { _typeof = function _typeof(obj) { return obj && typeof Symbol === \"function\" && obj.constructor === Symbol && obj !== Symbol.prototype ? \"symbol\" : typeof obj; }; } return _typeof(obj); }\n\n\n\n/**\n * Inner function which performs selection from either `text` or `target`\n * properties and then executes copy or cut operations.\n * @param {Object} options\n */\n\nvar ClipboardActionDefault = function ClipboardActionDefault() {\n var options = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};\n // Defines base properties passed from constructor.\n var _options$action = options.action,\n action = _options$action === void 0 ? 'copy' : _options$action,\n container = options.container,\n target = options.target,\n text = options.text; // Sets the `action` to be performed which can be either 'copy' or 'cut'.\n\n if (action !== 'copy' && action !== 'cut') {\n throw new Error('Invalid \"action\" value, use either \"copy\" or \"cut\"');\n } // Sets the `target` property using an element that will be have its content copied.\n\n\n if (target !== undefined) {\n if (target && _typeof(target) === 'object' && target.nodeType === 1) {\n if (action === 'copy' && target.hasAttribute('disabled')) {\n throw new Error('Invalid \"target\" attribute. 
Please use \"readonly\" instead of \"disabled\" attribute');\n }\n\n if (action === 'cut' && (target.hasAttribute('readonly') || target.hasAttribute('disabled'))) {\n throw new Error('Invalid \"target\" attribute. You can\\'t cut text from elements with \"readonly\" or \"disabled\" attributes');\n }\n } else {\n throw new Error('Invalid \"target\" value, use a valid Element');\n }\n } // Define selection strategy based on `text` property.\n\n\n if (text) {\n return actions_copy(text, {\n container: container\n });\n } // Defines which selection strategy based on `target` property.\n\n\n if (target) {\n return action === 'cut' ? actions_cut(target) : actions_copy(target, {\n container: container\n });\n }\n};\n\n/* harmony default export */ var actions_default = (ClipboardActionDefault);\n;// CONCATENATED MODULE: ./src/clipboard.js\nfunction clipboard_typeof(obj) { \"@babel/helpers - typeof\"; if (typeof Symbol === \"function\" && typeof Symbol.iterator === \"symbol\") { clipboard_typeof = function _typeof(obj) { return typeof obj; }; } else { clipboard_typeof = function _typeof(obj) { return obj && typeof Symbol === \"function\" && obj.constructor === Symbol && obj !== Symbol.prototype ? 
\"symbol\" : typeof obj; }; } return clipboard_typeof(obj); }\n\nfunction _classCallCheck(instance, Constructor) { if (!(instance instanceof Constructor)) { throw new TypeError(\"Cannot call a class as a function\"); } }\n\nfunction _defineProperties(target, props) { for (var i = 0; i < props.length; i++) { var descriptor = props[i]; descriptor.enumerable = descriptor.enumerable || false; descriptor.configurable = true; if (\"value\" in descriptor) descriptor.writable = true; Object.defineProperty(target, descriptor.key, descriptor); } }\n\nfunction _createClass(Constructor, protoProps, staticProps) { if (protoProps) _defineProperties(Constructor.prototype, protoProps); if (staticProps) _defineProperties(Constructor, staticProps); return Constructor; }\n\nfunction _inherits(subClass, superClass) { if (typeof superClass !== \"function\" && superClass !== null) { throw new TypeError(\"Super expression must either be null or a function\"); } subClass.prototype = Object.create(superClass && superClass.prototype, { constructor: { value: subClass, writable: true, configurable: true } }); if (superClass) _setPrototypeOf(subClass, superClass); }\n\nfunction _setPrototypeOf(o, p) { _setPrototypeOf = Object.setPrototypeOf || function _setPrototypeOf(o, p) { o.__proto__ = p; return o; }; return _setPrototypeOf(o, p); }\n\nfunction _createSuper(Derived) { var hasNativeReflectConstruct = _isNativeReflectConstruct(); return function _createSuperInternal() { var Super = _getPrototypeOf(Derived), result; if (hasNativeReflectConstruct) { var NewTarget = _getPrototypeOf(this).constructor; result = Reflect.construct(Super, arguments, NewTarget); } else { result = Super.apply(this, arguments); } return _possibleConstructorReturn(this, result); }; }\n\nfunction _possibleConstructorReturn(self, call) { if (call && (clipboard_typeof(call) === \"object\" || typeof call === \"function\")) { return call; } return _assertThisInitialized(self); }\n\nfunction _assertThisInitialized(self) { if 
(self === void 0) { throw new ReferenceError(\"this hasn't been initialised - super() hasn't been called\"); } return self; }\n\nfunction _isNativeReflectConstruct() { if (typeof Reflect === \"undefined\" || !Reflect.construct) return false; if (Reflect.construct.sham) return false; if (typeof Proxy === \"function\") return true; try { Date.prototype.toString.call(Reflect.construct(Date, [], function () {})); return true; } catch (e) { return false; } }\n\nfunction _getPrototypeOf(o) { _getPrototypeOf = Object.setPrototypeOf ? Object.getPrototypeOf : function _getPrototypeOf(o) { return o.__proto__ || Object.getPrototypeOf(o); }; return _getPrototypeOf(o); }\n\n\n\n\n\n\n/**\n * Helper function to retrieve attribute value.\n * @param {String} suffix\n * @param {Element} element\n */\n\nfunction getAttributeValue(suffix, element) {\n var attribute = \"data-clipboard-\".concat(suffix);\n\n if (!element.hasAttribute(attribute)) {\n return;\n }\n\n return element.getAttribute(attribute);\n}\n/**\n * Base class which takes one or more elements, adds event listeners to them,\n * and instantiates a new `ClipboardAction` on each click.\n */\n\n\nvar Clipboard = /*#__PURE__*/function (_Emitter) {\n _inherits(Clipboard, _Emitter);\n\n var _super = _createSuper(Clipboard);\n\n /**\n * @param {String|HTMLElement|HTMLCollection|NodeList} trigger\n * @param {Object} options\n */\n function Clipboard(trigger, options) {\n var _this;\n\n _classCallCheck(this, Clipboard);\n\n _this = _super.call(this);\n\n _this.resolveOptions(options);\n\n _this.listenClick(trigger);\n\n return _this;\n }\n /**\n * Defines if attributes would be resolved using internal setter functions\n * or custom functions that were passed in the constructor.\n * @param {Object} options\n */\n\n\n _createClass(Clipboard, [{\n key: \"resolveOptions\",\n value: function resolveOptions() {\n var options = arguments.length > 0 && arguments[0] !== undefined ? 
arguments[0] : {};\n this.action = typeof options.action === 'function' ? options.action : this.defaultAction;\n this.target = typeof options.target === 'function' ? options.target : this.defaultTarget;\n this.text = typeof options.text === 'function' ? options.text : this.defaultText;\n this.container = clipboard_typeof(options.container) === 'object' ? options.container : document.body;\n }\n /**\n * Adds a click event listener to the passed trigger.\n * @param {String|HTMLElement|HTMLCollection|NodeList} trigger\n */\n\n }, {\n key: \"listenClick\",\n value: function listenClick(trigger) {\n var _this2 = this;\n\n this.listener = listen_default()(trigger, 'click', function (e) {\n return _this2.onClick(e);\n });\n }\n /**\n * Defines a new `ClipboardAction` on each click event.\n * @param {Event} e\n */\n\n }, {\n key: \"onClick\",\n value: function onClick(e) {\n var trigger = e.delegateTarget || e.currentTarget;\n var action = this.action(trigger) || 'copy';\n var text = actions_default({\n action: action,\n container: this.container,\n target: this.target(trigger),\n text: this.text(trigger)\n }); // Fires an event based on the copy operation result.\n\n this.emit(text ? 
'success' : 'error', {\n action: action,\n text: text,\n trigger: trigger,\n clearSelection: function clearSelection() {\n if (trigger) {\n trigger.focus();\n }\n\n window.getSelection().removeAllRanges();\n }\n });\n }\n /**\n * Default `action` lookup function.\n * @param {Element} trigger\n */\n\n }, {\n key: \"defaultAction\",\n value: function defaultAction(trigger) {\n return getAttributeValue('action', trigger);\n }\n /**\n * Default `target` lookup function.\n * @param {Element} trigger\n */\n\n }, {\n key: \"defaultTarget\",\n value: function defaultTarget(trigger) {\n var selector = getAttributeValue('target', trigger);\n\n if (selector) {\n return document.querySelector(selector);\n }\n }\n /**\n * Allow fire programmatically a copy action\n * @param {String|HTMLElement} target\n * @param {Object} options\n * @returns Text copied.\n */\n\n }, {\n key: \"defaultText\",\n\n /**\n * Default `text` lookup function.\n * @param {Element} trigger\n */\n value: function defaultText(trigger) {\n return getAttributeValue('text', trigger);\n }\n /**\n * Destroy lifecycle.\n */\n\n }, {\n key: \"destroy\",\n value: function destroy() {\n this.listener.destroy();\n }\n }], [{\n key: \"copy\",\n value: function copy(target) {\n var options = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {\n container: document.body\n };\n return actions_copy(target, options);\n }\n /**\n * Allow fire programmatically a cut action\n * @param {String|HTMLElement} target\n * @returns Text cutted.\n */\n\n }, {\n key: \"cut\",\n value: function cut(target) {\n return actions_cut(target);\n }\n /**\n * Returns the support of the given action, or all actions if no action is\n * given.\n * @param {String} [action]\n */\n\n }, {\n key: \"isSupported\",\n value: function isSupported() {\n var action = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : ['copy', 'cut'];\n var actions = typeof action === 'string' ? 
[action] : action;\n var support = !!document.queryCommandSupported;\n actions.forEach(function (action) {\n support = support && !!document.queryCommandSupported(action);\n });\n return support;\n }\n }]);\n\n return Clipboard;\n}((tiny_emitter_default()));\n\n/* harmony default export */ var clipboard = (Clipboard);\n\n/***/ }),\n\n/***/ 828:\n/***/ (function(module) {\n\nvar DOCUMENT_NODE_TYPE = 9;\n\n/**\n * A polyfill for Element.matches()\n */\nif (typeof Element !== 'undefined' && !Element.prototype.matches) {\n var proto = Element.prototype;\n\n proto.matches = proto.matchesSelector ||\n proto.mozMatchesSelector ||\n proto.msMatchesSelector ||\n proto.oMatchesSelector ||\n proto.webkitMatchesSelector;\n}\n\n/**\n * Finds the closest parent that matches a selector.\n *\n * @param {Element} element\n * @param {String} selector\n * @return {Function}\n */\nfunction closest (element, selector) {\n while (element && element.nodeType !== DOCUMENT_NODE_TYPE) {\n if (typeof element.matches === 'function' &&\n element.matches(selector)) {\n return element;\n }\n element = element.parentNode;\n }\n}\n\nmodule.exports = closest;\n\n\n/***/ }),\n\n/***/ 438:\n/***/ (function(module, __unused_webpack_exports, __webpack_require__) {\n\nvar closest = __webpack_require__(828);\n\n/**\n * Delegates event to a selector.\n *\n * @param {Element} element\n * @param {String} selector\n * @param {String} type\n * @param {Function} callback\n * @param {Boolean} useCapture\n * @return {Object}\n */\nfunction _delegate(element, selector, type, callback, useCapture) {\n var listenerFn = listener.apply(this, arguments);\n\n element.addEventListener(type, listenerFn, useCapture);\n\n return {\n destroy: function() {\n element.removeEventListener(type, listenerFn, useCapture);\n }\n }\n}\n\n/**\n * Delegates event to a selector.\n *\n * @param {Element|String|Array} [elements]\n * @param {String} selector\n * @param {String} type\n * @param {Function} callback\n * @param {Boolean} 
useCapture\n * @return {Object}\n */\nfunction delegate(elements, selector, type, callback, useCapture) {\n // Handle the regular Element usage\n if (typeof elements.addEventListener === 'function') {\n return _delegate.apply(null, arguments);\n }\n\n // Handle Element-less usage, it defaults to global delegation\n if (typeof type === 'function') {\n // Use `document` as the first parameter, then apply arguments\n // This is a short way to .unshift `arguments` without running into deoptimizations\n return _delegate.bind(null, document).apply(null, arguments);\n }\n\n // Handle Selector-based usage\n if (typeof elements === 'string') {\n elements = document.querySelectorAll(elements);\n }\n\n // Handle Array-like based usage\n return Array.prototype.map.call(elements, function (element) {\n return _delegate(element, selector, type, callback, useCapture);\n });\n}\n\n/**\n * Finds closest match and invokes callback.\n *\n * @param {Element} element\n * @param {String} selector\n * @param {String} type\n * @param {Function} callback\n * @return {Function}\n */\nfunction listener(element, selector, type, callback) {\n return function(e) {\n e.delegateTarget = closest(e.target, selector);\n\n if (e.delegateTarget) {\n callback.call(element, e);\n }\n }\n}\n\nmodule.exports = delegate;\n\n\n/***/ }),\n\n/***/ 879:\n/***/ (function(__unused_webpack_module, exports) {\n\n/**\n * Check if argument is a HTML element.\n *\n * @param {Object} value\n * @return {Boolean}\n */\nexports.node = function(value) {\n return value !== undefined\n && value instanceof HTMLElement\n && value.nodeType === 1;\n};\n\n/**\n * Check if argument is a list of HTML elements.\n *\n * @param {Object} value\n * @return {Boolean}\n */\nexports.nodeList = function(value) {\n var type = Object.prototype.toString.call(value);\n\n return value !== undefined\n && (type === '[object NodeList]' || type === '[object HTMLCollection]')\n && ('length' in value)\n && (value.length === 0 || 
exports.node(value[0]));\n};\n\n/**\n * Check if argument is a string.\n *\n * @param {Object} value\n * @return {Boolean}\n */\nexports.string = function(value) {\n return typeof value === 'string'\n || value instanceof String;\n};\n\n/**\n * Check if argument is a function.\n *\n * @param {Object} value\n * @return {Boolean}\n */\nexports.fn = function(value) {\n var type = Object.prototype.toString.call(value);\n\n return type === '[object Function]';\n};\n\n\n/***/ }),\n\n/***/ 370:\n/***/ (function(module, __unused_webpack_exports, __webpack_require__) {\n\nvar is = __webpack_require__(879);\nvar delegate = __webpack_require__(438);\n\n/**\n * Validates all params and calls the right\n * listener function based on its target type.\n *\n * @param {String|HTMLElement|HTMLCollection|NodeList} target\n * @param {String} type\n * @param {Function} callback\n * @return {Object}\n */\nfunction listen(target, type, callback) {\n if (!target && !type && !callback) {\n throw new Error('Missing required arguments');\n }\n\n if (!is.string(type)) {\n throw new TypeError('Second argument must be a String');\n }\n\n if (!is.fn(callback)) {\n throw new TypeError('Third argument must be a Function');\n }\n\n if (is.node(target)) {\n return listenNode(target, type, callback);\n }\n else if (is.nodeList(target)) {\n return listenNodeList(target, type, callback);\n }\n else if (is.string(target)) {\n return listenSelector(target, type, callback);\n }\n else {\n throw new TypeError('First argument must be a String, HTMLElement, HTMLCollection, or NodeList');\n }\n}\n\n/**\n * Adds an event listener to a HTML element\n * and returns a remove listener function.\n *\n * @param {HTMLElement} node\n * @param {String} type\n * @param {Function} callback\n * @return {Object}\n */\nfunction listenNode(node, type, callback) {\n node.addEventListener(type, callback);\n\n return {\n destroy: function() {\n node.removeEventListener(type, callback);\n }\n }\n}\n\n/**\n * Add an event listener 
to a list of HTML elements\n * and returns a remove listener function.\n *\n * @param {NodeList|HTMLCollection} nodeList\n * @param {String} type\n * @param {Function} callback\n * @return {Object}\n */\nfunction listenNodeList(nodeList, type, callback) {\n Array.prototype.forEach.call(nodeList, function(node) {\n node.addEventListener(type, callback);\n });\n\n return {\n destroy: function() {\n Array.prototype.forEach.call(nodeList, function(node) {\n node.removeEventListener(type, callback);\n });\n }\n }\n}\n\n/**\n * Add an event listener to a selector\n * and returns a remove listener function.\n *\n * @param {String} selector\n * @param {String} type\n * @param {Function} callback\n * @return {Object}\n */\nfunction listenSelector(selector, type, callback) {\n return delegate(document.body, selector, type, callback);\n}\n\nmodule.exports = listen;\n\n\n/***/ }),\n\n/***/ 817:\n/***/ (function(module) {\n\nfunction select(element) {\n var selectedText;\n\n if (element.nodeName === 'SELECT') {\n element.focus();\n\n selectedText = element.value;\n }\n else if (element.nodeName === 'INPUT' || element.nodeName === 'TEXTAREA') {\n var isReadOnly = element.hasAttribute('readonly');\n\n if (!isReadOnly) {\n element.setAttribute('readonly', '');\n }\n\n element.select();\n element.setSelectionRange(0, element.value.length);\n\n if (!isReadOnly) {\n element.removeAttribute('readonly');\n }\n\n selectedText = element.value;\n }\n else {\n if (element.hasAttribute('contenteditable')) {\n element.focus();\n }\n\n var selection = window.getSelection();\n var range = document.createRange();\n\n range.selectNodeContents(element);\n selection.removeAllRanges();\n selection.addRange(range);\n\n selectedText = selection.toString();\n }\n\n return selectedText;\n}\n\nmodule.exports = select;\n\n\n/***/ }),\n\n/***/ 279:\n/***/ (function(module) {\n\nfunction E () {\n // Keep this empty so it's easier to inherit from\n // (via https://github.com/lipsmack from 
https://github.com/scottcorgan/tiny-emitter/issues/3)\n}\n\nE.prototype = {\n on: function (name, callback, ctx) {\n var e = this.e || (this.e = {});\n\n (e[name] || (e[name] = [])).push({\n fn: callback,\n ctx: ctx\n });\n\n return this;\n },\n\n once: function (name, callback, ctx) {\n var self = this;\n function listener () {\n self.off(name, listener);\n callback.apply(ctx, arguments);\n };\n\n listener._ = callback\n return this.on(name, listener, ctx);\n },\n\n emit: function (name) {\n var data = [].slice.call(arguments, 1);\n var evtArr = ((this.e || (this.e = {}))[name] || []).slice();\n var i = 0;\n var len = evtArr.length;\n\n for (i; i < len; i++) {\n evtArr[i].fn.apply(evtArr[i].ctx, data);\n }\n\n return this;\n },\n\n off: function (name, callback) {\n var e = this.e || (this.e = {});\n var evts = e[name];\n var liveEvents = [];\n\n if (evts && callback) {\n for (var i = 0, len = evts.length; i < len; i++) {\n if (evts[i].fn !== callback && evts[i].fn._ !== callback)\n liveEvents.push(evts[i]);\n }\n }\n\n // Remove event from queue to prevent memory leak\n // Suggested by https://github.com/lazd\n // Ref: https://github.com/scottcorgan/tiny-emitter/commit/c6ebfaa9bc973b33d110a84a307742b7cf94c953#commitcomment-5024910\n\n (liveEvents.length)\n ? 
e[name] = liveEvents\n : delete e[name];\n\n return this;\n }\n};\n\nmodule.exports = E;\nmodule.exports.TinyEmitter = E;\n\n\n/***/ })\n\n/******/ \t});\n/************************************************************************/\n/******/ \t// The module cache\n/******/ \tvar __webpack_module_cache__ = {};\n/******/ \t\n/******/ \t// The require function\n/******/ \tfunction __webpack_require__(moduleId) {\n/******/ \t\t// Check if module is in cache\n/******/ \t\tif(__webpack_module_cache__[moduleId]) {\n/******/ \t\t\treturn __webpack_module_cache__[moduleId].exports;\n/******/ \t\t}\n/******/ \t\t// Create a new module (and put it into the cache)\n/******/ \t\tvar module = __webpack_module_cache__[moduleId] = {\n/******/ \t\t\t// no module.id needed\n/******/ \t\t\t// no module.loaded needed\n/******/ \t\t\texports: {}\n/******/ \t\t};\n/******/ \t\n/******/ \t\t// Execute the module function\n/******/ \t\t__webpack_modules__[moduleId](module, module.exports, __webpack_require__);\n/******/ \t\n/******/ \t\t// Return the exports of the module\n/******/ \t\treturn module.exports;\n/******/ \t}\n/******/ \t\n/************************************************************************/\n/******/ \t/* webpack/runtime/compat get default export */\n/******/ \t!function() {\n/******/ \t\t// getDefaultExport function for compatibility with non-harmony modules\n/******/ \t\t__webpack_require__.n = function(module) {\n/******/ \t\t\tvar getter = module && module.__esModule ?\n/******/ \t\t\t\tfunction() { return module['default']; } :\n/******/ \t\t\t\tfunction() { return module; };\n/******/ \t\t\t__webpack_require__.d(getter, { a: getter });\n/******/ \t\t\treturn getter;\n/******/ \t\t};\n/******/ \t}();\n/******/ \t\n/******/ \t/* webpack/runtime/define property getters */\n/******/ \t!function() {\n/******/ \t\t// define getter functions for harmony exports\n/******/ \t\t__webpack_require__.d = function(exports, definition) {\n/******/ \t\t\tfor(var key in definition) 
{\n/******/ \t\t\t\tif(__webpack_require__.o(definition, key) && !__webpack_require__.o(exports, key)) {\n/******/ \t\t\t\t\tObject.defineProperty(exports, key, { enumerable: true, get: definition[key] });\n/******/ \t\t\t\t}\n/******/ \t\t\t}\n/******/ \t\t};\n/******/ \t}();\n/******/ \t\n/******/ \t/* webpack/runtime/hasOwnProperty shorthand */\n/******/ \t!function() {\n/******/ \t\t__webpack_require__.o = function(obj, prop) { return Object.prototype.hasOwnProperty.call(obj, prop); }\n/******/ \t}();\n/******/ \t\n/************************************************************************/\n/******/ \t// module exports must be returned from runtime so entry inlining is disabled\n/******/ \t// startup\n/******/ \t// Load entry module and return exports\n/******/ \treturn __webpack_require__(686);\n/******/ })()\n.default;\n});", "/*\n * Copyright (c) 2016-2024 Martin Donath \n *\n * Permission is hereby granted, free of charge, to any person obtaining a copy\n * of this software and associated documentation files (the \"Software\"), to\n * deal in the Software without restriction, including without limitation the\n * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or\n * sell copies of the Software, and to permit persons to whom the Software is\n * furnished to do so, subject to the following conditions:\n *\n * The above copyright notice and this permission notice shall be included in\n * all copies or substantial portions of the Software.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. 
IN NO EVENT SHALL THE\n * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\n * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\n * IN THE SOFTWARE.\n */\n\nimport \"focus-visible\"\n\nimport {\n EMPTY,\n NEVER,\n Observable,\n Subject,\n defer,\n delay,\n filter,\n map,\n merge,\n mergeWith,\n shareReplay,\n switchMap\n} from \"rxjs\"\n\nimport { configuration, feature } from \"./_\"\nimport {\n at,\n getActiveElement,\n getOptionalElement,\n requestJSON,\n setLocation,\n setToggle,\n watchDocument,\n watchKeyboard,\n watchLocation,\n watchLocationTarget,\n watchMedia,\n watchPrint,\n watchScript,\n watchViewport\n} from \"./browser\"\nimport {\n getComponentElement,\n getComponentElements,\n mountAnnounce,\n mountBackToTop,\n mountConsent,\n mountContent,\n mountDialog,\n mountHeader,\n mountHeaderTitle,\n mountPalette,\n mountProgress,\n mountSearch,\n mountSearchHiglight,\n mountSidebar,\n mountSource,\n mountTableOfContents,\n mountTabs,\n watchHeader,\n watchMain\n} from \"./components\"\nimport {\n SearchIndex,\n setupClipboardJS,\n setupInstantNavigation,\n setupVersionSelector\n} from \"./integrations\"\nimport {\n patchEllipsis,\n patchIndeterminate,\n patchScrollfix,\n patchScrolllock\n} from \"./patches\"\nimport \"./polyfills\"\n\n/* ----------------------------------------------------------------------------\n * Functions - @todo refactor\n * ------------------------------------------------------------------------- */\n\n/**\n * Fetch search index\n *\n * @returns Search index observable\n */\nfunction fetchSearchIndex(): Observable {\n if (location.protocol === \"file:\") {\n return watchScript(\n `${new URL(\"search/search_index.js\", config.base)}`\n )\n .pipe(\n // @ts-ignore - @todo fix typings\n map(() => __index),\n shareReplay(1)\n )\n } else {\n return requestJSON(\n new URL(\"search/search_index.json\", config.base)\n 
)\n }\n}\n\n/* ----------------------------------------------------------------------------\n * Application\n * ------------------------------------------------------------------------- */\n\n/* Yay, JavaScript is available */\ndocument.documentElement.classList.remove(\"no-js\")\ndocument.documentElement.classList.add(\"js\")\n\n/* Set up navigation observables and subjects */\nconst document$ = watchDocument()\nconst location$ = watchLocation()\nconst target$ = watchLocationTarget(location$)\nconst keyboard$ = watchKeyboard()\n\n/* Set up media observables */\nconst viewport$ = watchViewport()\nconst tablet$ = watchMedia(\"(min-width: 960px)\")\nconst screen$ = watchMedia(\"(min-width: 1220px)\")\nconst print$ = watchPrint()\n\n/* Retrieve search index, if search is enabled */\nconst config = configuration()\nconst index$ = document.forms.namedItem(\"search\")\n ? fetchSearchIndex()\n : NEVER\n\n/* Set up Clipboard.js integration */\nconst alert$ = new Subject()\nsetupClipboardJS({ alert$ })\n\n/* Set up progress indicator */\nconst progress$ = new Subject()\n\n/* Set up instant navigation, if enabled */\nif (feature(\"navigation.instant\"))\n setupInstantNavigation({ location$, viewport$, progress$ })\n .subscribe(document$)\n\n/* Set up version selector */\nif (config.version?.provider === \"mike\")\n setupVersionSelector({ document$ })\n\n/* Always close drawer and search on navigation */\nmerge(location$, target$)\n .pipe(\n delay(125)\n )\n .subscribe(() => {\n setToggle(\"drawer\", false)\n setToggle(\"search\", false)\n })\n\n/* Set up global keyboard handlers */\nkeyboard$\n .pipe(\n filter(({ mode }) => mode === \"global\")\n )\n .subscribe(key => {\n switch (key.type) {\n\n /* Go to previous page */\n case \"p\":\n case \",\":\n const prev = getOptionalElement(\"link[rel=prev]\")\n if (typeof prev !== \"undefined\")\n setLocation(prev)\n break\n\n /* Go to next page */\n case \"n\":\n case \".\":\n const next = getOptionalElement(\"link[rel=next]\")\n 
if (typeof next !== \"undefined\")\n setLocation(next)\n break\n\n /* Expand navigation, see https://bit.ly/3ZjG5io */\n case \"Enter\":\n const active = getActiveElement()\n if (active instanceof HTMLLabelElement)\n active.click()\n }\n })\n\n/* Set up patches */\npatchEllipsis({ viewport$, document$ })\npatchIndeterminate({ document$, tablet$ })\npatchScrollfix({ document$ })\npatchScrolllock({ viewport$, tablet$ })\n\n/* Set up header and main area observable */\nconst header$ = watchHeader(getComponentElement(\"header\"), { viewport$ })\nconst main$ = document$\n .pipe(\n map(() => getComponentElement(\"main\")),\n switchMap(el => watchMain(el, { viewport$, header$ })),\n shareReplay(1)\n )\n\n/* Set up control component observables */\nconst control$ = merge(\n\n /* Consent */\n ...getComponentElements(\"consent\")\n .map(el => mountConsent(el, { target$ })),\n\n /* Dialog */\n ...getComponentElements(\"dialog\")\n .map(el => mountDialog(el, { alert$ })),\n\n /* Color palette */\n ...getComponentElements(\"palette\")\n .map(el => mountPalette(el)),\n\n /* Progress bar */\n ...getComponentElements(\"progress\")\n .map(el => mountProgress(el, { progress$ })),\n\n /* Search */\n ...getComponentElements(\"search\")\n .map(el => mountSearch(el, { index$, keyboard$ })),\n\n /* Repository information */\n ...getComponentElements(\"source\")\n .map(el => mountSource(el))\n)\n\n/* Set up content component observables */\nconst content$ = defer(() => merge(\n\n /* Announcement bar */\n ...getComponentElements(\"announce\")\n .map(el => mountAnnounce(el)),\n\n /* Content */\n ...getComponentElements(\"content\")\n .map(el => mountContent(el, { viewport$, target$, print$ })),\n\n /* Search highlighting */\n ...getComponentElements(\"content\")\n .map(el => feature(\"search.highlight\")\n ? 
mountSearchHiglight(el, { index$, location$ })\n : EMPTY\n ),\n\n /* Header */\n ...getComponentElements(\"header\")\n .map(el => mountHeader(el, { viewport$, header$, main$ })),\n\n /* Header title */\n ...getComponentElements(\"header-title\")\n .map(el => mountHeaderTitle(el, { viewport$, header$ })),\n\n /* Sidebar */\n ...getComponentElements(\"sidebar\")\n .map(el => el.getAttribute(\"data-md-type\") === \"navigation\"\n ? at(screen$, () => mountSidebar(el, { viewport$, header$, main$ }))\n : at(tablet$, () => mountSidebar(el, { viewport$, header$, main$ }))\n ),\n\n /* Navigation tabs */\n ...getComponentElements(\"tabs\")\n .map(el => mountTabs(el, { viewport$, header$ })),\n\n /* Table of contents */\n ...getComponentElements(\"toc\")\n .map(el => mountTableOfContents(el, {\n viewport$, header$, main$, target$\n })),\n\n /* Back-to-top button */\n ...getComponentElements(\"top\")\n .map(el => mountBackToTop(el, { viewport$, header$, main$, target$ }))\n))\n\n/* Set up component observables */\nconst component$ = document$\n .pipe(\n switchMap(() => content$),\n mergeWith(control$),\n shareReplay(1)\n )\n\n/* Subscribe to all components */\ncomponent$.subscribe()\n\n/* ----------------------------------------------------------------------------\n * Exports\n * ------------------------------------------------------------------------- */\n\nwindow.document$ = document$ /* Document observable */\nwindow.location$ = location$ /* Location subject */\nwindow.target$ = target$ /* Location target observable */\nwindow.keyboard$ = keyboard$ /* Keyboard observable */\nwindow.viewport$ = viewport$ /* Viewport observable */\nwindow.tablet$ = tablet$ /* Media tablet observable */\nwindow.screen$ = screen$ /* Media screen observable */\nwindow.print$ = print$ /* Media print observable */\nwindow.alert$ = alert$ /* Alert subject */\nwindow.progress$ = progress$ /* Progress indicator subject */\nwindow.component$ = component$ /* Component observable */\n", 
"/******************************************************************************\nCopyright (c) Microsoft Corporation.\n\nPermission to use, copy, modify, and/or distribute this software for any\npurpose with or without fee is hereby granted.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH\nREGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\nAND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,\nINDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\nLOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR\nOTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\nPERFORMANCE OF THIS SOFTWARE.\n***************************************************************************** */\n/* global Reflect, Promise, SuppressedError, Symbol, Iterator */\n\nvar extendStatics = function(d, b) {\n extendStatics = Object.setPrototypeOf ||\n ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||\n function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };\n return extendStatics(d, b);\n};\n\nexport function __extends(d, b) {\n if (typeof b !== \"function\" && b !== null)\n throw new TypeError(\"Class extends value \" + String(b) + \" is not a constructor or null\");\n extendStatics(d, b);\n function __() { this.constructor = d; }\n d.prototype = b === null ? 
Object.create(b) : (__.prototype = b.prototype, new __());\n}\n\nexport var __assign = function() {\n __assign = Object.assign || function __assign(t) {\n for (var s, i = 1, n = arguments.length; i < n; i++) {\n s = arguments[i];\n for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p)) t[p] = s[p];\n }\n return t;\n }\n return __assign.apply(this, arguments);\n}\n\nexport function __rest(s, e) {\n var t = {};\n for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)\n t[p] = s[p];\n if (s != null && typeof Object.getOwnPropertySymbols === \"function\")\n for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {\n if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))\n t[p[i]] = s[p[i]];\n }\n return t;\n}\n\nexport function __decorate(decorators, target, key, desc) {\n var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;\n if (typeof Reflect === \"object\" && typeof Reflect.decorate === \"function\") r = Reflect.decorate(decorators, target, key, desc);\n else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;\n return c > 3 && r && Object.defineProperty(target, key, r), r;\n}\n\nexport function __param(paramIndex, decorator) {\n return function (target, key) { decorator(target, key, paramIndex); }\n}\n\nexport function __esDecorate(ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {\n function accept(f) { if (f !== void 0 && typeof f !== \"function\") throw new TypeError(\"Function expected\"); return f; }\n var kind = contextIn.kind, key = kind === \"getter\" ? \"get\" : kind === \"setter\" ? \"set\" : \"value\";\n var target = !descriptorIn && ctor ? contextIn[\"static\"] ? ctor : ctor.prototype : null;\n var descriptor = descriptorIn || (target ? 
Object.getOwnPropertyDescriptor(target, contextIn.name) : {});\n var _, done = false;\n for (var i = decorators.length - 1; i >= 0; i--) {\n var context = {};\n for (var p in contextIn) context[p] = p === \"access\" ? {} : contextIn[p];\n for (var p in contextIn.access) context.access[p] = contextIn.access[p];\n context.addInitializer = function (f) { if (done) throw new TypeError(\"Cannot add initializers after decoration has completed\"); extraInitializers.push(accept(f || null)); };\n var result = (0, decorators[i])(kind === \"accessor\" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);\n if (kind === \"accessor\") {\n if (result === void 0) continue;\n if (result === null || typeof result !== \"object\") throw new TypeError(\"Object expected\");\n if (_ = accept(result.get)) descriptor.get = _;\n if (_ = accept(result.set)) descriptor.set = _;\n if (_ = accept(result.init)) initializers.unshift(_);\n }\n else if (_ = accept(result)) {\n if (kind === \"field\") initializers.unshift(_);\n else descriptor[key] = _;\n }\n }\n if (target) Object.defineProperty(target, contextIn.name, descriptor);\n done = true;\n};\n\nexport function __runInitializers(thisArg, initializers, value) {\n var useValue = arguments.length > 2;\n for (var i = 0; i < initializers.length; i++) {\n value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);\n }\n return useValue ? value : void 0;\n};\n\nexport function __propKey(x) {\n return typeof x === \"symbol\" ? x : \"\".concat(x);\n};\n\nexport function __setFunctionName(f, name, prefix) {\n if (typeof name === \"symbol\") name = name.description ? \"[\".concat(name.description, \"]\") : \"\";\n return Object.defineProperty(f, \"name\", { configurable: true, value: prefix ? 
\"\".concat(prefix, \" \", name) : name });\n};\n\nexport function __metadata(metadataKey, metadataValue) {\n if (typeof Reflect === \"object\" && typeof Reflect.metadata === \"function\") return Reflect.metadata(metadataKey, metadataValue);\n}\n\nexport function __awaiter(thisArg, _arguments, P, generator) {\n function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }\n return new (P || (P = Promise))(function (resolve, reject) {\n function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }\n function rejected(value) { try { step(generator[\"throw\"](value)); } catch (e) { reject(e); } }\n function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }\n step((generator = generator.apply(thisArg, _arguments || [])).next());\n });\n}\n\nexport function __generator(thisArg, body) {\n var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === \"function\" ? Iterator : Object).prototype);\n return g.next = verb(0), g[\"throw\"] = verb(1), g[\"return\"] = verb(2), typeof Symbol === \"function\" && (g[Symbol.iterator] = function() { return this; }), g;\n function verb(n) { return function (v) { return step([n, v]); }; }\n function step(op) {\n if (f) throw new TypeError(\"Generator is already executing.\");\n while (g && (g = 0, op[0] && (_ = 0)), _) try {\n if (f = 1, y && (t = op[0] & 2 ? y[\"return\"] : op[0] ? 
y[\"throw\"] || ((t = y[\"return\"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;\n if (y = 0, t) op = [op[0] & 2, t.value];\n switch (op[0]) {\n case 0: case 1: t = op; break;\n case 4: _.label++; return { value: op[1], done: false };\n case 5: _.label++; y = op[1]; op = [0]; continue;\n case 7: op = _.ops.pop(); _.trys.pop(); continue;\n default:\n if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }\n if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }\n if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }\n if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }\n if (t[2]) _.ops.pop();\n _.trys.pop(); continue;\n }\n op = body.call(thisArg, _);\n } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }\n if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };\n }\n}\n\nexport var __createBinding = Object.create ? (function(o, m, k, k2) {\n if (k2 === undefined) k2 = k;\n var desc = Object.getOwnPropertyDescriptor(m, k);\n if (!desc || (\"get\" in desc ? !m.__esModule : desc.writable || desc.configurable)) {\n desc = { enumerable: true, get: function() { return m[k]; } };\n }\n Object.defineProperty(o, k2, desc);\n}) : (function(o, m, k, k2) {\n if (k2 === undefined) k2 = k;\n o[k2] = m[k];\n});\n\nexport function __exportStar(m, o) {\n for (var p in m) if (p !== \"default\" && !Object.prototype.hasOwnProperty.call(o, p)) __createBinding(o, m, p);\n}\n\nexport function __values(o) {\n var s = typeof Symbol === \"function\" && Symbol.iterator, m = s && o[s], i = 0;\n if (m) return m.call(o);\n if (o && typeof o.length === \"number\") return {\n next: function () {\n if (o && i >= o.length) o = void 0;\n return { value: o && o[i++], done: !o };\n }\n };\n throw new TypeError(s ? 
\"Object is not iterable.\" : \"Symbol.iterator is not defined.\");\n}\n\nexport function __read(o, n) {\n var m = typeof Symbol === \"function\" && o[Symbol.iterator];\n if (!m) return o;\n var i = m.call(o), r, ar = [], e;\n try {\n while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);\n }\n catch (error) { e = { error: error }; }\n finally {\n try {\n if (r && !r.done && (m = i[\"return\"])) m.call(i);\n }\n finally { if (e) throw e.error; }\n }\n return ar;\n}\n\n/** @deprecated */\nexport function __spread() {\n for (var ar = [], i = 0; i < arguments.length; i++)\n ar = ar.concat(__read(arguments[i]));\n return ar;\n}\n\n/** @deprecated */\nexport function __spreadArrays() {\n for (var s = 0, i = 0, il = arguments.length; i < il; i++) s += arguments[i].length;\n for (var r = Array(s), k = 0, i = 0; i < il; i++)\n for (var a = arguments[i], j = 0, jl = a.length; j < jl; j++, k++)\n r[k] = a[j];\n return r;\n}\n\nexport function __spreadArray(to, from, pack) {\n if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {\n if (ar || !(i in from)) {\n if (!ar) ar = Array.prototype.slice.call(from, 0, i);\n ar[i] = from[i];\n }\n }\n return to.concat(ar || Array.prototype.slice.call(from));\n}\n\nexport function __await(v) {\n return this instanceof __await ? (this.v = v, this) : new __await(v);\n}\n\nexport function __asyncGenerator(thisArg, _arguments, generator) {\n if (!Symbol.asyncIterator) throw new TypeError(\"Symbol.asyncIterator is not defined.\");\n var g = generator.apply(thisArg, _arguments || []), i, q = [];\n return i = Object.create((typeof AsyncIterator === \"function\" ? 
AsyncIterator : Object).prototype), verb(\"next\"), verb(\"throw\"), verb(\"return\", awaitReturn), i[Symbol.asyncIterator] = function () { return this; }, i;\n function awaitReturn(f) { return function (v) { return Promise.resolve(v).then(f, reject); }; }\n function verb(n, f) { if (g[n]) { i[n] = function (v) { return new Promise(function (a, b) { q.push([n, v, a, b]) > 1 || resume(n, v); }); }; if (f) i[n] = f(i[n]); } }\n function resume(n, v) { try { step(g[n](v)); } catch (e) { settle(q[0][3], e); } }\n function step(r) { r.value instanceof __await ? Promise.resolve(r.value.v).then(fulfill, reject) : settle(q[0][2], r); }\n function fulfill(value) { resume(\"next\", value); }\n function reject(value) { resume(\"throw\", value); }\n function settle(f, v) { if (f(v), q.shift(), q.length) resume(q[0][0], q[0][1]); }\n}\n\nexport function __asyncDelegator(o) {\n var i, p;\n return i = {}, verb(\"next\"), verb(\"throw\", function (e) { throw e; }), verb(\"return\"), i[Symbol.iterator] = function () { return this; }, i;\n function verb(n, f) { i[n] = o[n] ? function (v) { return (p = !p) ? { value: __await(o[n](v)), done: false } : f ? f(v) : v; } : f; }\n}\n\nexport function __asyncValues(o) {\n if (!Symbol.asyncIterator) throw new TypeError(\"Symbol.asyncIterator is not defined.\");\n var m = o[Symbol.asyncIterator], i;\n return m ? m.call(o) : (o = typeof __values === \"function\" ? 
__values(o) : o[Symbol.iterator](), i = {}, verb(\"next\"), verb(\"throw\"), verb(\"return\"), i[Symbol.asyncIterator] = function () { return this; }, i);\n function verb(n) { i[n] = o[n] && function (v) { return new Promise(function (resolve, reject) { v = o[n](v), settle(resolve, reject, v.done, v.value); }); }; }\n function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }\n}\n\nexport function __makeTemplateObject(cooked, raw) {\n if (Object.defineProperty) { Object.defineProperty(cooked, \"raw\", { value: raw }); } else { cooked.raw = raw; }\n return cooked;\n};\n\nvar __setModuleDefault = Object.create ? (function(o, v) {\n Object.defineProperty(o, \"default\", { enumerable: true, value: v });\n}) : function(o, v) {\n o[\"default\"] = v;\n};\n\nexport function __importStar(mod) {\n if (mod && mod.__esModule) return mod;\n var result = {};\n if (mod != null) for (var k in mod) if (k !== \"default\" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);\n __setModuleDefault(result, mod);\n return result;\n}\n\nexport function __importDefault(mod) {\n return (mod && mod.__esModule) ? mod : { default: mod };\n}\n\nexport function __classPrivateFieldGet(receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n}\n\nexport function __classPrivateFieldSet(receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? 
receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n}\n\nexport function __classPrivateFieldIn(state, receiver) {\n if (receiver === null || (typeof receiver !== \"object\" && typeof receiver !== \"function\")) throw new TypeError(\"Cannot use 'in' operator on non-object\");\n return typeof state === \"function\" ? receiver === state : state.has(receiver);\n}\n\nexport function __addDisposableResource(env, value, async) {\n if (value !== null && value !== void 0) {\n if (typeof value !== \"object\" && typeof value !== \"function\") throw new TypeError(\"Object expected.\");\n var dispose, inner;\n if (async) {\n if (!Symbol.asyncDispose) throw new TypeError(\"Symbol.asyncDispose is not defined.\");\n dispose = value[Symbol.asyncDispose];\n }\n if (dispose === void 0) {\n if (!Symbol.dispose) throw new TypeError(\"Symbol.dispose is not defined.\");\n dispose = value[Symbol.dispose];\n if (async) inner = dispose;\n }\n if (typeof dispose !== \"function\") throw new TypeError(\"Object not disposable.\");\n if (inner) dispose = function() { try { inner.call(this); } catch (e) { return Promise.reject(e); } };\n env.stack.push({ value: value, dispose: dispose, async: async });\n }\n else if (async) {\n env.stack.push({ async: true });\n }\n return value;\n}\n\nvar _SuppressedError = typeof SuppressedError === \"function\" ? SuppressedError : function (error, suppressed, message) {\n var e = new Error(message);\n return e.name = \"SuppressedError\", e.error = error, e.suppressed = suppressed, e;\n};\n\nexport function __disposeResources(env) {\n function fail(e) {\n env.error = env.hasError ? 
new _SuppressedError(e, env.error, \"An error was suppressed during disposal.\") : e;\n env.hasError = true;\n }\n var r, s = 0;\n function next() {\n while (r = env.stack.pop()) {\n try {\n if (!r.async && s === 1) return s = 0, env.stack.push(r), Promise.resolve().then(next);\n if (r.dispose) {\n var result = r.dispose.call(r.value);\n if (r.async) return s |= 2, Promise.resolve(result).then(next, function(e) { fail(e); return next(); });\n }\n else s |= 1;\n }\n catch (e) {\n fail(e);\n }\n }\n if (s === 1) return env.hasError ? Promise.reject(env.error) : Promise.resolve();\n if (env.hasError) throw env.error;\n }\n return next();\n}\n\nexport default {\n __extends,\n __assign,\n __rest,\n __decorate,\n __param,\n __metadata,\n __awaiter,\n __generator,\n __createBinding,\n __exportStar,\n __values,\n __read,\n __spread,\n __spreadArrays,\n __spreadArray,\n __await,\n __asyncGenerator,\n __asyncDelegator,\n __asyncValues,\n __makeTemplateObject,\n __importStar,\n __importDefault,\n __classPrivateFieldGet,\n __classPrivateFieldSet,\n __classPrivateFieldIn,\n __addDisposableResource,\n __disposeResources,\n};\n", "/**\n * Returns true if the object is a function.\n * @param value The value to check\n */\nexport function isFunction(value: any): value is (...args: any[]) => any {\n return typeof value === 'function';\n}\n", "/**\n * Used to create Error subclasses until the community moves away from ES5.\n *\n * This is because compiling from TypeScript down to ES5 has issues with subclassing Errors\n * as well as other built-in types: https://github.com/Microsoft/TypeScript/issues/12123\n *\n * @param createImpl A factory function to create the actual constructor implementation. 
The returned\n * function should be a named function that calls `_super` internally.\n */\nexport function createErrorClass(createImpl: (_super: any) => any): T {\n const _super = (instance: any) => {\n Error.call(instance);\n instance.stack = new Error().stack;\n };\n\n const ctorFunc = createImpl(_super);\n ctorFunc.prototype = Object.create(Error.prototype);\n ctorFunc.prototype.constructor = ctorFunc;\n return ctorFunc;\n}\n", "import { createErrorClass } from './createErrorClass';\n\nexport interface UnsubscriptionError extends Error {\n readonly errors: any[];\n}\n\nexport interface UnsubscriptionErrorCtor {\n /**\n * @deprecated Internal implementation detail. Do not construct error instances.\n * Cannot be tagged as internal: https://github.com/ReactiveX/rxjs/issues/6269\n */\n new (errors: any[]): UnsubscriptionError;\n}\n\n/**\n * An error thrown when one or more errors have occurred during the\n * `unsubscribe` of a {@link Subscription}.\n */\nexport const UnsubscriptionError: UnsubscriptionErrorCtor = createErrorClass(\n (_super) =>\n function UnsubscriptionErrorImpl(this: any, errors: (Error | string)[]) {\n _super(this);\n this.message = errors\n ? 
`${errors.length} errors occurred during unsubscription:\n${errors.map((err, i) => `${i + 1}) ${err.toString()}`).join('\\n ')}`\n : '';\n this.name = 'UnsubscriptionError';\n this.errors = errors;\n }\n);\n", "/**\n * Removes an item from an array, mutating it.\n * @param arr The array to remove the item from\n * @param item The item to remove\n */\nexport function arrRemove(arr: T[] | undefined | null, item: T) {\n if (arr) {\n const index = arr.indexOf(item);\n 0 <= index && arr.splice(index, 1);\n }\n}\n", "import { isFunction } from './util/isFunction';\nimport { UnsubscriptionError } from './util/UnsubscriptionError';\nimport { SubscriptionLike, TeardownLogic, Unsubscribable } from './types';\nimport { arrRemove } from './util/arrRemove';\n\n/**\n * Represents a disposable resource, such as the execution of an Observable. A\n * Subscription has one important method, `unsubscribe`, that takes no argument\n * and just disposes the resource held by the subscription.\n *\n * Additionally, subscriptions may be grouped together through the `add()`\n * method, which will attach a child Subscription to the current Subscription.\n * When a Subscription is unsubscribed, all its children (and its grandchildren)\n * will be unsubscribed as well.\n *\n * @class Subscription\n */\nexport class Subscription implements SubscriptionLike {\n /** @nocollapse */\n public static EMPTY = (() => {\n const empty = new Subscription();\n empty.closed = true;\n return empty;\n })();\n\n /**\n * A flag to indicate whether this Subscription has already been unsubscribed.\n */\n public closed = false;\n\n private _parentage: Subscription[] | Subscription | null = null;\n\n /**\n * The list of registered finalizers to execute upon unsubscription. 
Adding and removing from this\n * list occurs in the {@link #add} and {@link #remove} methods.\n */\n private _finalizers: Exclude[] | null = null;\n\n /**\n * @param initialTeardown A function executed first as part of the finalization\n * process that is kicked off when {@link #unsubscribe} is called.\n */\n constructor(private initialTeardown?: () => void) {}\n\n /**\n * Disposes the resources held by the subscription. May, for instance, cancel\n * an ongoing Observable execution or cancel any other type of work that\n * started when the Subscription was created.\n * @return {void}\n */\n unsubscribe(): void {\n let errors: any[] | undefined;\n\n if (!this.closed) {\n this.closed = true;\n\n // Remove this from it's parents.\n const { _parentage } = this;\n if (_parentage) {\n this._parentage = null;\n if (Array.isArray(_parentage)) {\n for (const parent of _parentage) {\n parent.remove(this);\n }\n } else {\n _parentage.remove(this);\n }\n }\n\n const { initialTeardown: initialFinalizer } = this;\n if (isFunction(initialFinalizer)) {\n try {\n initialFinalizer();\n } catch (e) {\n errors = e instanceof UnsubscriptionError ? e.errors : [e];\n }\n }\n\n const { _finalizers } = this;\n if (_finalizers) {\n this._finalizers = null;\n for (const finalizer of _finalizers) {\n try {\n execFinalizer(finalizer);\n } catch (err) {\n errors = errors ?? [];\n if (err instanceof UnsubscriptionError) {\n errors = [...errors, ...err.errors];\n } else {\n errors.push(err);\n }\n }\n }\n }\n\n if (errors) {\n throw new UnsubscriptionError(errors);\n }\n }\n }\n\n /**\n * Adds a finalizer to this subscription, so that finalization will be unsubscribed/called\n * when this subscription is unsubscribed. 
If this subscription is already {@link #closed},\n * because it has already been unsubscribed, then whatever finalizer is passed to it\n * will automatically be executed (unless the finalizer itself is also a closed subscription).\n *\n * Closed Subscriptions cannot be added as finalizers to any subscription. Adding a closed\n * subscription to a any subscription will result in no operation. (A noop).\n *\n * Adding a subscription to itself, or adding `null` or `undefined` will not perform any\n * operation at all. (A noop).\n *\n * `Subscription` instances that are added to this instance will automatically remove themselves\n * if they are unsubscribed. Functions and {@link Unsubscribable} objects that you wish to remove\n * will need to be removed manually with {@link #remove}\n *\n * @param teardown The finalization logic to add to this subscription.\n */\n add(teardown: TeardownLogic): void {\n // Only add the finalizer if it's not undefined\n // and don't add a subscription to itself.\n if (teardown && teardown !== this) {\n if (this.closed) {\n // If this subscription is already closed,\n // execute whatever finalizer is handed to it automatically.\n execFinalizer(teardown);\n } else {\n if (teardown instanceof Subscription) {\n // We don't add closed subscriptions, and we don't add the same subscription\n // twice. Subscription unsubscribe is idempotent.\n if (teardown.closed || teardown._hasParent(this)) {\n return;\n }\n teardown._addParent(this);\n }\n (this._finalizers = this._finalizers ?? 
[]).push(teardown);\n }\n }\n }\n\n /**\n * Checks to see if a this subscription already has a particular parent.\n * This will signal that this subscription has already been added to the parent in question.\n * @param parent the parent to check for\n */\n private _hasParent(parent: Subscription) {\n const { _parentage } = this;\n return _parentage === parent || (Array.isArray(_parentage) && _parentage.includes(parent));\n }\n\n /**\n * Adds a parent to this subscription so it can be removed from the parent if it\n * unsubscribes on it's own.\n *\n * NOTE: THIS ASSUMES THAT {@link _hasParent} HAS ALREADY BEEN CHECKED.\n * @param parent The parent subscription to add\n */\n private _addParent(parent: Subscription) {\n const { _parentage } = this;\n this._parentage = Array.isArray(_parentage) ? (_parentage.push(parent), _parentage) : _parentage ? [_parentage, parent] : parent;\n }\n\n /**\n * Called on a child when it is removed via {@link #remove}.\n * @param parent The parent to remove\n */\n private _removeParent(parent: Subscription) {\n const { _parentage } = this;\n if (_parentage === parent) {\n this._parentage = null;\n } else if (Array.isArray(_parentage)) {\n arrRemove(_parentage, parent);\n }\n }\n\n /**\n * Removes a finalizer from this subscription that was previously added with the {@link #add} method.\n *\n * Note that `Subscription` instances, when unsubscribed, will automatically remove themselves\n * from every other `Subscription` they have been added to. 
This means that using the `remove` method\n * is not a common thing and should be used thoughtfully.\n *\n * If you add the same finalizer instance of a function or an unsubscribable object to a `Subscription` instance\n * more than once, you will need to call `remove` the same number of times to remove all instances.\n *\n * All finalizer instances are removed to free up memory upon unsubscription.\n *\n * @param teardown The finalizer to remove from this subscription\n */\n remove(teardown: Exclude): void {\n const { _finalizers } = this;\n _finalizers && arrRemove(_finalizers, teardown);\n\n if (teardown instanceof Subscription) {\n teardown._removeParent(this);\n }\n }\n}\n\nexport const EMPTY_SUBSCRIPTION = Subscription.EMPTY;\n\nexport function isSubscription(value: any): value is Subscription {\n return (\n value instanceof Subscription ||\n (value && 'closed' in value && isFunction(value.remove) && isFunction(value.add) && isFunction(value.unsubscribe))\n );\n}\n\nfunction execFinalizer(finalizer: Unsubscribable | (() => void)) {\n if (isFunction(finalizer)) {\n finalizer();\n } else {\n finalizer.unsubscribe();\n }\n}\n", "import { Subscriber } from './Subscriber';\nimport { ObservableNotification } from './types';\n\n/**\n * The {@link GlobalConfig} object for RxJS. It is used to configure things\n * like how to react on unhandled errors.\n */\nexport const config: GlobalConfig = {\n onUnhandledError: null,\n onStoppedNotification: null,\n Promise: undefined,\n useDeprecatedSynchronousErrorHandling: false,\n useDeprecatedNextContext: false,\n};\n\n/**\n * The global configuration object for RxJS, used to configure things\n * like how to react on unhandled errors. Accessible via {@link config}\n * object.\n */\nexport interface GlobalConfig {\n /**\n * A registration point for unhandled errors from RxJS. These are errors that\n * cannot were not handled by consuming code in the usual subscription path. 
For\n * example, if you have this configured, and you subscribe to an observable without\n * providing an error handler, errors from that subscription will end up here. This\n * will _always_ be called asynchronously on another job in the runtime. This is because\n * we do not want errors thrown in this user-configured handler to interfere with the\n * behavior of the library.\n */\n onUnhandledError: ((err: any) => void) | null;\n\n /**\n * A registration point for notifications that cannot be sent to subscribers because they\n * have completed, errored or have been explicitly unsubscribed. By default, next, complete\n * and error notifications sent to stopped subscribers are noops. However, sometimes callers\n * might want a different behavior. For example, with sources that attempt to report errors\n * to stopped subscribers, a caller can configure RxJS to throw an unhandled error instead.\n * This will _always_ be called asynchronously on another job in the runtime. This is because\n * we do not want errors thrown in this user-configured handler to interfere with the\n * behavior of the library.\n */\n onStoppedNotification: ((notification: ObservableNotification, subscriber: Subscriber) => void) | null;\n\n /**\n * The promise constructor used by default for {@link Observable#toPromise toPromise} and {@link Observable#forEach forEach}\n * methods.\n *\n * @deprecated As of version 8, RxJS will no longer support this sort of injection of a\n * Promise constructor. If you need a Promise implementation other than native promises,\n * please polyfill/patch Promise as you see appropriate. Will be removed in v8.\n */\n Promise?: PromiseConstructorLike;\n\n /**\n * If true, turns on synchronous error rethrowing, which is a deprecated behavior\n * in v6 and higher. This behavior enables bad patterns like wrapping a subscribe\n * call in a try/catch block. 
It also enables producer interference, a nasty bug\n * where a multicast can be broken for all observers by a downstream consumer with\n * an unhandled error. DO NOT USE THIS FLAG UNLESS IT'S NEEDED TO BUY TIME\n * FOR MIGRATION REASONS.\n *\n * @deprecated As of version 8, RxJS will no longer support synchronous throwing\n * of unhandled errors. All errors will be thrown on a separate call stack to prevent bad\n * behaviors described above. Will be removed in v8.\n */\n useDeprecatedSynchronousErrorHandling: boolean;\n\n /**\n * If true, enables an as-of-yet undocumented feature from v5: The ability to access\n * `unsubscribe()` via `this` context in `next` functions created in observers passed\n * to `subscribe`.\n *\n * This is being removed because the performance was severely problematic, and it could also cause\n * issues when types other than POJOs are passed to subscribe as subscribers, as they will likely have\n * their `this` context overwritten.\n *\n * @deprecated As of version 8, RxJS will no longer support altering the\n * context of next functions provided as part of an observer to Subscribe. Instead,\n * you will have access to a subscription or a signal or token that will allow you to do things like\n * unsubscribe and test closed status. 
Will be removed in v8.\n */\n useDeprecatedNextContext: boolean;\n}\n", "import type { TimerHandle } from './timerHandle';\ntype SetTimeoutFunction = (handler: () => void, timeout?: number, ...args: any[]) => TimerHandle;\ntype ClearTimeoutFunction = (handle: TimerHandle) => void;\n\ninterface TimeoutProvider {\n setTimeout: SetTimeoutFunction;\n clearTimeout: ClearTimeoutFunction;\n delegate:\n | {\n setTimeout: SetTimeoutFunction;\n clearTimeout: ClearTimeoutFunction;\n }\n | undefined;\n}\n\nexport const timeoutProvider: TimeoutProvider = {\n // When accessing the delegate, use the variable rather than `this` so that\n // the functions can be called without being bound to the provider.\n setTimeout(handler: () => void, timeout?: number, ...args) {\n const { delegate } = timeoutProvider;\n if (delegate?.setTimeout) {\n return delegate.setTimeout(handler, timeout, ...args);\n }\n return setTimeout(handler, timeout, ...args);\n },\n clearTimeout(handle) {\n const { delegate } = timeoutProvider;\n return (delegate?.clearTimeout || clearTimeout)(handle as any);\n },\n delegate: undefined,\n};\n", "import { config } from '../config';\nimport { timeoutProvider } from '../scheduler/timeoutProvider';\n\n/**\n * Handles an error on another job either with the user-configured {@link onUnhandledError},\n * or by throwing it on that new job so it can be picked up by `window.onerror`, `process.on('error')`, etc.\n *\n * This should be called whenever there is an error that is out-of-band with the subscription\n * or when an error hits a terminal boundary of the subscription and no error handler was provided.\n *\n * @param err the error to report\n */\nexport function reportUnhandledError(err: any) {\n timeoutProvider.setTimeout(() => {\n const { onUnhandledError } = config;\n if (onUnhandledError) {\n // Execute the user-configured error handler.\n onUnhandledError(err);\n } else {\n // Throw so it is picked up by the runtime's uncaught error mechanism.\n throw err;\n }\n 
});\n}\n", "/* tslint:disable:no-empty */\nexport function noop() { }\n", "import { CompleteNotification, NextNotification, ErrorNotification } from './types';\n\n/**\n * A completion object optimized for memory use and created to be the\n * same \"shape\" as other notifications in v8.\n * @internal\n */\nexport const COMPLETE_NOTIFICATION = (() => createNotification('C', undefined, undefined) as CompleteNotification)();\n\n/**\n * Internal use only. Creates an optimized error notification that is the same \"shape\"\n * as other notifications.\n * @internal\n */\nexport function errorNotification(error: any): ErrorNotification {\n return createNotification('E', undefined, error) as any;\n}\n\n/**\n * Internal use only. Creates an optimized next notification that is the same \"shape\"\n * as other notifications.\n * @internal\n */\nexport function nextNotification(value: T) {\n return createNotification('N', value, undefined) as NextNotification;\n}\n\n/**\n * Ensures that all notifications created internally have the same \"shape\" in v8.\n *\n * TODO: This is only exported to support a crazy legacy test in `groupBy`.\n * @internal\n */\nexport function createNotification(kind: 'N' | 'E' | 'C', value: any, error: any) {\n return {\n kind,\n value,\n error,\n };\n}\n", "import { config } from '../config';\n\nlet context: { errorThrown: boolean; error: any } | null = null;\n\n/**\n * Handles dealing with errors for super-gross mode. Creates a context, in which\n * any synchronously thrown errors will be passed to {@link captureError}. 
Which\n * will record the error such that it will be rethrown after the call back is complete.\n * TODO: Remove in v8\n * @param cb An immediately executed function.\n */\nexport function errorContext(cb: () => void) {\n if (config.useDeprecatedSynchronousErrorHandling) {\n const isRoot = !context;\n if (isRoot) {\n context = { errorThrown: false, error: null };\n }\n cb();\n if (isRoot) {\n const { errorThrown, error } = context!;\n context = null;\n if (errorThrown) {\n throw error;\n }\n }\n } else {\n // This is the general non-deprecated path for everyone that\n // isn't crazy enough to use super-gross mode (useDeprecatedSynchronousErrorHandling)\n cb();\n }\n}\n\n/**\n * Captures errors only in super-gross mode.\n * @param err the error to capture\n */\nexport function captureError(err: any) {\n if (config.useDeprecatedSynchronousErrorHandling && context) {\n context.errorThrown = true;\n context.error = err;\n }\n}\n", "import { isFunction } from './util/isFunction';\nimport { Observer, ObservableNotification } from './types';\nimport { isSubscription, Subscription } from './Subscription';\nimport { config } from './config';\nimport { reportUnhandledError } from './util/reportUnhandledError';\nimport { noop } from './util/noop';\nimport { nextNotification, errorNotification, COMPLETE_NOTIFICATION } from './NotificationFactories';\nimport { timeoutProvider } from './scheduler/timeoutProvider';\nimport { captureError } from './util/errorContext';\n\n/**\n * Implements the {@link Observer} interface and extends the\n * {@link Subscription} class. While the {@link Observer} is the public API for\n * consuming the values of an {@link Observable}, all Observers get converted to\n * a Subscriber, in order to provide Subscription-like capabilities such as\n * `unsubscribe`. 
Subscriber is a common type in RxJS, and crucial for\n * implementing operators, but it is rarely used as a public API.\n *\n * @class Subscriber\n */\nexport class Subscriber extends Subscription implements Observer {\n /**\n * A static factory for a Subscriber, given a (potentially partial) definition\n * of an Observer.\n * @param next The `next` callback of an Observer.\n * @param error The `error` callback of an\n * Observer.\n * @param complete The `complete` callback of an\n * Observer.\n * @return A Subscriber wrapping the (partially defined)\n * Observer represented by the given arguments.\n * @nocollapse\n * @deprecated Do not use. Will be removed in v8. There is no replacement for this\n * method, and there is no reason to be creating instances of `Subscriber` directly.\n * If you have a specific use case, please file an issue.\n */\n static create(next?: (x?: T) => void, error?: (e?: any) => void, complete?: () => void): Subscriber {\n return new SafeSubscriber(next, error, complete);\n }\n\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n protected isStopped: boolean = false;\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n protected destination: Subscriber | Observer; // this `any` is the escape hatch to erase extra type param (e.g. R)\n\n /**\n * @deprecated Internal implementation detail, do not use directly. Will be made internal in v8.\n * There is no reason to directly create an instance of Subscriber. 
This type is exported for typings reasons.\n */\n constructor(destination?: Subscriber | Observer) {\n super();\n if (destination) {\n this.destination = destination;\n // Automatically chain subscriptions together here.\n // if destination is a Subscription, then it is a Subscriber.\n if (isSubscription(destination)) {\n destination.add(this);\n }\n } else {\n this.destination = EMPTY_OBSERVER;\n }\n }\n\n /**\n * The {@link Observer} callback to receive notifications of type `next` from\n * the Observable, with a value. The Observable may call this method 0 or more\n * times.\n * @param {T} [value] The `next` value.\n * @return {void}\n */\n next(value?: T): void {\n if (this.isStopped) {\n handleStoppedNotification(nextNotification(value), this);\n } else {\n this._next(value!);\n }\n }\n\n /**\n * The {@link Observer} callback to receive notifications of type `error` from\n * the Observable, with an attached `Error`. Notifies the Observer that\n * the Observable has experienced an error condition.\n * @param {any} [err] The `error` exception.\n * @return {void}\n */\n error(err?: any): void {\n if (this.isStopped) {\n handleStoppedNotification(errorNotification(err), this);\n } else {\n this.isStopped = true;\n this._error(err);\n }\n }\n\n /**\n * The {@link Observer} callback to receive a valueless notification of type\n * `complete` from the Observable. 
Notifies the Observer that the Observable\n * has finished sending push-based notifications.\n * @return {void}\n */\n complete(): void {\n if (this.isStopped) {\n handleStoppedNotification(COMPLETE_NOTIFICATION, this);\n } else {\n this.isStopped = true;\n this._complete();\n }\n }\n\n unsubscribe(): void {\n if (!this.closed) {\n this.isStopped = true;\n super.unsubscribe();\n this.destination = null!;\n }\n }\n\n protected _next(value: T): void {\n this.destination.next(value);\n }\n\n protected _error(err: any): void {\n try {\n this.destination.error(err);\n } finally {\n this.unsubscribe();\n }\n }\n\n protected _complete(): void {\n try {\n this.destination.complete();\n } finally {\n this.unsubscribe();\n }\n }\n}\n\n/**\n * This bind is captured here because we want to be able to have\n * compatibility with monoid libraries that tend to use a method named\n * `bind`. In particular, a library called Monio requires this.\n */\nconst _bind = Function.prototype.bind;\n\nfunction bind any>(fn: Fn, thisArg: any): Fn {\n return _bind.call(fn, thisArg);\n}\n\n/**\n * Internal optimization only, DO NOT EXPOSE.\n * @internal\n */\nclass ConsumerObserver implements Observer {\n constructor(private partialObserver: Partial>) {}\n\n next(value: T): void {\n const { partialObserver } = this;\n if (partialObserver.next) {\n try {\n partialObserver.next(value);\n } catch (error) {\n handleUnhandledError(error);\n }\n }\n }\n\n error(err: any): void {\n const { partialObserver } = this;\n if (partialObserver.error) {\n try {\n partialObserver.error(err);\n } catch (error) {\n handleUnhandledError(error);\n }\n } else {\n handleUnhandledError(err);\n }\n }\n\n complete(): void {\n const { partialObserver } = this;\n if (partialObserver.complete) {\n try {\n partialObserver.complete();\n } catch (error) {\n handleUnhandledError(error);\n }\n }\n }\n}\n\nexport class SafeSubscriber extends Subscriber {\n constructor(\n observerOrNext?: Partial> | ((value: T) => void) | 
null,\n error?: ((e?: any) => void) | null,\n complete?: (() => void) | null\n ) {\n super();\n\n let partialObserver: Partial>;\n if (isFunction(observerOrNext) || !observerOrNext) {\n // The first argument is a function, not an observer. The next\n // two arguments *could* be observers, or they could be empty.\n partialObserver = {\n next: (observerOrNext ?? undefined) as (((value: T) => void) | undefined),\n error: error ?? undefined,\n complete: complete ?? undefined,\n };\n } else {\n // The first argument is a partial observer.\n let context: any;\n if (this && config.useDeprecatedNextContext) {\n // This is a deprecated path that made `this.unsubscribe()` available in\n // next handler functions passed to subscribe. This only exists behind a flag\n // now, as it is *very* slow.\n context = Object.create(observerOrNext);\n context.unsubscribe = () => this.unsubscribe();\n partialObserver = {\n next: observerOrNext.next && bind(observerOrNext.next, context),\n error: observerOrNext.error && bind(observerOrNext.error, context),\n complete: observerOrNext.complete && bind(observerOrNext.complete, context),\n };\n } else {\n // The \"normal\" path. 
Just use the partial observer directly.\n partialObserver = observerOrNext;\n }\n }\n\n // Wrap the partial observer to ensure it's a full observer, and\n // make sure proper error handling is accounted for.\n this.destination = new ConsumerObserver(partialObserver);\n }\n}\n\nfunction handleUnhandledError(error: any) {\n if (config.useDeprecatedSynchronousErrorHandling) {\n captureError(error);\n } else {\n // Ideal path, we report this as an unhandled error,\n // which is thrown on a new call stack.\n reportUnhandledError(error);\n }\n}\n\n/**\n * An error handler used when no error handler was supplied\n * to the SafeSubscriber -- meaning no error handler was supplied\n * do the `subscribe` call on our observable.\n * @param err The error to handle\n */\nfunction defaultErrorHandler(err: any) {\n throw err;\n}\n\n/**\n * A handler for notifications that cannot be sent to a stopped subscriber.\n * @param notification The notification being sent\n * @param subscriber The stopped subscriber\n */\nfunction handleStoppedNotification(notification: ObservableNotification, subscriber: Subscriber) {\n const { onStoppedNotification } = config;\n onStoppedNotification && timeoutProvider.setTimeout(() => onStoppedNotification(notification, subscriber));\n}\n\n/**\n * The observer used as a stub for subscriptions where the user did not\n * pass any arguments to `subscribe`. Comes with the default error handling\n * behavior.\n */\nexport const EMPTY_OBSERVER: Readonly> & { closed: true } = {\n closed: true,\n next: noop,\n error: defaultErrorHandler,\n complete: noop,\n};\n", "/**\n * Symbol.observable or a string \"@@observable\". 
Used for interop\n *\n * @deprecated We will no longer be exporting this symbol in upcoming versions of RxJS.\n * Instead polyfill and use Symbol.observable directly *or* use https://www.npmjs.com/package/symbol-observable\n */\nexport const observable: string | symbol = (() => (typeof Symbol === 'function' && Symbol.observable) || '@@observable')();\n", "/**\n * This function takes one parameter and just returns it. Simply put,\n * this is like `(x: T): T => x`.\n *\n * ## Examples\n *\n * This is useful in some cases when using things like `mergeMap`\n *\n * ```ts\n * import { interval, take, map, range, mergeMap, identity } from 'rxjs';\n *\n * const source$ = interval(1000).pipe(take(5));\n *\n * const result$ = source$.pipe(\n * map(i => range(i)),\n * mergeMap(identity) // same as mergeMap(x => x)\n * );\n *\n * result$.subscribe({\n * next: console.log\n * });\n * ```\n *\n * Or when you want to selectively apply an operator\n *\n * ```ts\n * import { interval, take, identity } from 'rxjs';\n *\n * const shouldLimit = () => Math.random() < 0.5;\n *\n * const source$ = interval(1000);\n *\n * const result$ = source$.pipe(shouldLimit() ? 
take(5) : identity);\n *\n * result$.subscribe({\n * next: console.log\n * });\n * ```\n *\n * @param x Any value that is returned by this function\n * @returns The value passed as the first parameter to this function\n */\nexport function identity(x: T): T {\n return x;\n}\n", "import { identity } from './identity';\nimport { UnaryFunction } from '../types';\n\nexport function pipe(): typeof identity;\nexport function pipe(fn1: UnaryFunction): UnaryFunction;\nexport function pipe(fn1: UnaryFunction, fn2: UnaryFunction): UnaryFunction;\nexport function pipe(fn1: UnaryFunction, fn2: UnaryFunction, fn3: UnaryFunction): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction\n): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction,\n fn5: UnaryFunction\n): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction,\n fn5: UnaryFunction,\n fn6: UnaryFunction\n): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction,\n fn5: UnaryFunction,\n fn6: UnaryFunction,\n fn7: UnaryFunction\n): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction,\n fn5: UnaryFunction,\n fn6: UnaryFunction,\n fn7: UnaryFunction,\n fn8: UnaryFunction\n): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction,\n fn5: UnaryFunction,\n fn6: UnaryFunction,\n fn7: UnaryFunction,\n fn8: UnaryFunction,\n fn9: UnaryFunction\n): UnaryFunction;\nexport function pipe(\n fn1: UnaryFunction,\n fn2: UnaryFunction,\n fn3: UnaryFunction,\n fn4: UnaryFunction,\n fn5: UnaryFunction,\n fn6: UnaryFunction,\n fn7: UnaryFunction,\n fn8: UnaryFunction,\n fn9: UnaryFunction,\n ...fns: UnaryFunction[]\n): 
UnaryFunction;\n\n/**\n * pipe() can be called on one or more functions, each of which can take one argument (\"UnaryFunction\")\n * and uses it to return a value.\n * It returns a function that takes one argument, passes it to the first UnaryFunction, and then\n * passes the result to the next one, passes that result to the next one, and so on. \n */\nexport function pipe(...fns: Array>): UnaryFunction {\n return pipeFromArray(fns);\n}\n\n/** @internal */\nexport function pipeFromArray(fns: Array>): UnaryFunction {\n if (fns.length === 0) {\n return identity as UnaryFunction;\n }\n\n if (fns.length === 1) {\n return fns[0];\n }\n\n return function piped(input: T): R {\n return fns.reduce((prev: any, fn: UnaryFunction) => fn(prev), input as any);\n };\n}\n", "import { Operator } from './Operator';\nimport { SafeSubscriber, Subscriber } from './Subscriber';\nimport { isSubscription, Subscription } from './Subscription';\nimport { TeardownLogic, OperatorFunction, Subscribable, Observer } from './types';\nimport { observable as Symbol_observable } from './symbol/observable';\nimport { pipeFromArray } from './util/pipe';\nimport { config } from './config';\nimport { isFunction } from './util/isFunction';\nimport { errorContext } from './util/errorContext';\n\n/**\n * A representation of any set of values over any amount of time. This is the most basic building block\n * of RxJS.\n *\n * @class Observable\n */\nexport class Observable implements Subscribable {\n /**\n * @deprecated Internal implementation detail, do not use directly. Will be made internal in v8.\n */\n source: Observable | undefined;\n\n /**\n * @deprecated Internal implementation detail, do not use directly. Will be made internal in v8.\n */\n operator: Operator | undefined;\n\n /**\n * @constructor\n * @param {Function} subscribe the function that is called when the Observable is\n * initially subscribed to. 
This function is given a Subscriber, to which new values\n * can be `next`ed, or an `error` method can be called to raise an error, or\n * `complete` can be called to notify of a successful completion.\n */\n constructor(subscribe?: (this: Observable, subscriber: Subscriber) => TeardownLogic) {\n if (subscribe) {\n this._subscribe = subscribe;\n }\n }\n\n // HACK: Since TypeScript inherits static properties too, we have to\n // fight against TypeScript here so Subject can have a different static create signature\n /**\n * Creates a new Observable by calling the Observable constructor\n * @owner Observable\n * @method create\n * @param {Function} subscribe? the subscriber function to be passed to the Observable constructor\n * @return {Observable} a new observable\n * @nocollapse\n * @deprecated Use `new Observable()` instead. Will be removed in v8.\n */\n static create: (...args: any[]) => any = (subscribe?: (subscriber: Subscriber) => TeardownLogic) => {\n return new Observable(subscribe);\n };\n\n /**\n * Creates a new Observable, with this Observable instance as the source, and the passed\n * operator defined as the new observable's operator.\n * @method lift\n * @param operator the operator defining the operation to take on the observable\n * @return a new observable with the Operator applied\n * @deprecated Internal implementation detail, do not use directly. Will be made internal in v8.\n * If you have implemented an operator using `lift`, it is recommended that you create an\n * operator by simply returning `new Observable()` directly. 
See \"Creating new operators from\n * scratch\" section here: https://rxjs.dev/guide/operators\n */\n lift(operator?: Operator): Observable {\n const observable = new Observable();\n observable.source = this;\n observable.operator = operator;\n return observable;\n }\n\n subscribe(observerOrNext?: Partial> | ((value: T) => void)): Subscription;\n /** @deprecated Instead of passing separate callback arguments, use an observer argument. Signatures taking separate callback arguments will be removed in v8. Details: https://rxjs.dev/deprecations/subscribe-arguments */\n subscribe(next?: ((value: T) => void) | null, error?: ((error: any) => void) | null, complete?: (() => void) | null): Subscription;\n /**\n * Invokes an execution of an Observable and registers Observer handlers for notifications it will emit.\n *\n * Use it when you have all these Observables, but still nothing is happening.\n *\n * `subscribe` is not a regular operator, but a method that calls Observable's internal `subscribe` function. It\n * might be for example a function that you passed to Observable's constructor, but most of the time it is\n * a library implementation, which defines what will be emitted by an Observable, and when it be will emitted. This means\n * that calling `subscribe` is actually the moment when Observable starts its work, not when it is created, as it is often\n * the thought.\n *\n * Apart from starting the execution of an Observable, this method allows you to listen for values\n * that an Observable emits, as well as for when it completes or errors. You can achieve this in two\n * of the following ways.\n *\n * The first way is creating an object that implements {@link Observer} interface. It should have methods\n * defined by that interface, but note that it should be just a regular JavaScript object, which you can create\n * yourself in any way you want (ES6 class, classic function constructor, object literal etc.). 
In particular, do\n * not attempt to use any RxJS implementation details to create Observers - you don't need them. Remember also\n * that your object does not have to implement all methods. If you find yourself creating a method that doesn't\n * do anything, you can simply omit it. Note however, if the `error` method is not provided and an error happens,\n * it will be thrown asynchronously. Errors thrown asynchronously cannot be caught using `try`/`catch`. Instead,\n * use the {@link onUnhandledError} configuration option or use a runtime handler (like `window.onerror` or\n * `process.on('error)`) to be notified of unhandled errors. Because of this, it's recommended that you provide\n * an `error` method to avoid missing thrown errors.\n *\n * The second way is to give up on Observer object altogether and simply provide callback functions in place of its methods.\n * This means you can provide three functions as arguments to `subscribe`, where the first function is equivalent\n * of a `next` method, the second of an `error` method and the third of a `complete` method. Just as in case of an Observer,\n * if you do not need to listen for something, you can omit a function by passing `undefined` or `null`,\n * since `subscribe` recognizes these functions by where they were placed in function call. When it comes\n * to the `error` function, as with an Observer, if not provided, errors emitted by an Observable will be thrown asynchronously.\n *\n * You can, however, subscribe with no parameters at all. This may be the case where you're not interested in terminal events\n * and you also handled emissions internally by using operators (e.g. using `tap`).\n *\n * Whichever style of calling `subscribe` you use, in both cases it returns a Subscription object.\n * This object allows you to call `unsubscribe` on it, which in turn will stop the work that an Observable does and will clean\n * up all resources that an Observable used. 
Note that cancelling a subscription will not call `complete` callback\n * provided to `subscribe` function, which is reserved for a regular completion signal that comes from an Observable.\n *\n * Remember that callbacks provided to `subscribe` are not guaranteed to be called asynchronously.\n * It is an Observable itself that decides when these functions will be called. For example {@link of}\n * by default emits all its values synchronously. Always check documentation for how given Observable\n * will behave when subscribed and if its default behavior can be modified with a `scheduler`.\n *\n * #### Examples\n *\n * Subscribe with an {@link guide/observer Observer}\n *\n * ```ts\n * import { of } from 'rxjs';\n *\n * const sumObserver = {\n * sum: 0,\n * next(value) {\n * console.log('Adding: ' + value);\n * this.sum = this.sum + value;\n * },\n * error() {\n * // We actually could just remove this method,\n * // since we do not really care about errors right now.\n * },\n * complete() {\n * console.log('Sum equals: ' + this.sum);\n * }\n * };\n *\n * of(1, 2, 3) // Synchronously emits 1, 2, 3 and then completes.\n * .subscribe(sumObserver);\n *\n * // Logs:\n * // 'Adding: 1'\n * // 'Adding: 2'\n * // 'Adding: 3'\n * // 'Sum equals: 6'\n * ```\n *\n * Subscribe with functions ({@link deprecations/subscribe-arguments deprecated})\n *\n * ```ts\n * import { of } from 'rxjs'\n *\n * let sum = 0;\n *\n * of(1, 2, 3).subscribe(\n * value => {\n * console.log('Adding: ' + value);\n * sum = sum + value;\n * },\n * undefined,\n * () => console.log('Sum equals: ' + sum)\n * );\n *\n * // Logs:\n * // 'Adding: 1'\n * // 'Adding: 2'\n * // 'Adding: 3'\n * // 'Sum equals: 6'\n * ```\n *\n * Cancel a subscription\n *\n * ```ts\n * import { interval } from 'rxjs';\n *\n * const subscription = interval(1000).subscribe({\n * next(num) {\n * console.log(num)\n * },\n * complete() {\n * // Will not be called, even when cancelling subscription.\n * console.log('completed!');\n * 
}\n * });\n *\n * setTimeout(() => {\n * subscription.unsubscribe();\n * console.log('unsubscribed!');\n * }, 2500);\n *\n * // Logs:\n * // 0 after 1s\n * // 1 after 2s\n * // 'unsubscribed!' after 2.5s\n * ```\n *\n * @param {Observer|Function} observerOrNext (optional) Either an observer with methods to be called,\n * or the first of three possible handlers, which is the handler for each value emitted from the subscribed\n * Observable.\n * @param {Function} error (optional) A handler for a terminal event resulting from an error. If no error handler is provided,\n * the error will be thrown asynchronously as unhandled.\n * @param {Function} complete (optional) A handler for a terminal event resulting from successful completion.\n * @return {Subscription} a subscription reference to the registered handlers\n * @method subscribe\n */\n subscribe(\n observerOrNext?: Partial> | ((value: T) => void) | null,\n error?: ((error: any) => void) | null,\n complete?: (() => void) | null\n ): Subscription {\n const subscriber = isSubscriber(observerOrNext) ? observerOrNext : new SafeSubscriber(observerOrNext, error, complete);\n\n errorContext(() => {\n const { operator, source } = this;\n subscriber.add(\n operator\n ? // We're dealing with a subscription in the\n // operator chain to one of our lifted operators.\n operator.call(subscriber, source)\n : source\n ? // If `source` has a value, but `operator` does not, something that\n // had intimate knowledge of our API, like our `Subject`, must have\n // set it. 
We're going to just call `_subscribe` directly.\n this._subscribe(subscriber)\n : // In all other cases, we're likely wrapping a user-provided initializer\n // function, so we need to catch errors and handle them appropriately.\n this._trySubscribe(subscriber)\n );\n });\n\n return subscriber;\n }\n\n /** @internal */\n protected _trySubscribe(sink: Subscriber): TeardownLogic {\n try {\n return this._subscribe(sink);\n } catch (err) {\n // We don't need to return anything in this case,\n // because it's just going to try to `add()` to a subscription\n // above.\n sink.error(err);\n }\n }\n\n /**\n * Used as a NON-CANCELLABLE means of subscribing to an observable, for use with\n * APIs that expect promises, like `async/await`. You cannot unsubscribe from this.\n *\n * **WARNING**: Only use this with observables you *know* will complete. If the source\n * observable does not complete, you will end up with a promise that is hung up, and\n * potentially all of the state of an async function hanging out in memory. 
To avoid\n * this situation, look into adding something like {@link timeout}, {@link take},\n * {@link takeWhile}, or {@link takeUntil} amongst others.\n *\n * #### Example\n *\n * ```ts\n * import { interval, take } from 'rxjs';\n *\n * const source$ = interval(1000).pipe(take(4));\n *\n * async function getTotal() {\n * let total = 0;\n *\n * await source$.forEach(value => {\n * total += value;\n * console.log('observable -> ' + value);\n * });\n *\n * return total;\n * }\n *\n * getTotal().then(\n * total => console.log('Total: ' + total)\n * );\n *\n * // Expected:\n * // 'observable -> 0'\n * // 'observable -> 1'\n * // 'observable -> 2'\n * // 'observable -> 3'\n * // 'Total: 6'\n * ```\n *\n * @param next a handler for each value emitted by the observable\n * @return a promise that either resolves on observable completion or\n * rejects with the handled error\n */\n forEach(next: (value: T) => void): Promise;\n\n /**\n * @param next a handler for each value emitted by the observable\n * @param promiseCtor a constructor function used to instantiate the Promise\n * @return a promise that either resolves on observable completion or\n * rejects with the handled error\n * @deprecated Passing a Promise constructor will no longer be available\n * in upcoming versions of RxJS. This is because it adds weight to the library, for very\n * little benefit. If you need this functionality, it is recommended that you either\n * polyfill Promise, or you create an adapter to convert the returned native promise\n * to whatever promise implementation you wanted. 
Will be removed in v8.\n */\n forEach(next: (value: T) => void, promiseCtor: PromiseConstructorLike): Promise;\n\n forEach(next: (value: T) => void, promiseCtor?: PromiseConstructorLike): Promise {\n promiseCtor = getPromiseCtor(promiseCtor);\n\n return new promiseCtor((resolve, reject) => {\n const subscriber = new SafeSubscriber({\n next: (value) => {\n try {\n next(value);\n } catch (err) {\n reject(err);\n subscriber.unsubscribe();\n }\n },\n error: reject,\n complete: resolve,\n });\n this.subscribe(subscriber);\n }) as Promise;\n }\n\n /** @internal */\n protected _subscribe(subscriber: Subscriber): TeardownLogic {\n return this.source?.subscribe(subscriber);\n }\n\n /**\n * An interop point defined by the es7-observable spec https://github.com/zenparsing/es-observable\n * @method Symbol.observable\n * @return {Observable} this instance of the observable\n */\n [Symbol_observable]() {\n return this;\n }\n\n /* tslint:disable:max-line-length */\n pipe(): Observable;\n pipe(op1: OperatorFunction): Observable;\n pipe(op1: OperatorFunction, op2: OperatorFunction): Observable;\n pipe(op1: OperatorFunction, op2: OperatorFunction, op3: OperatorFunction): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction\n ): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction,\n op5: OperatorFunction\n ): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction,\n op5: OperatorFunction,\n op6: OperatorFunction\n ): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction,\n op5: OperatorFunction,\n op6: OperatorFunction,\n op7: OperatorFunction\n ): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction,\n op5: OperatorFunction,\n op6: OperatorFunction,\n op7: 
OperatorFunction,\n op8: OperatorFunction\n ): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction,\n op5: OperatorFunction,\n op6: OperatorFunction,\n op7: OperatorFunction,\n op8: OperatorFunction,\n op9: OperatorFunction\n ): Observable;\n pipe(\n op1: OperatorFunction,\n op2: OperatorFunction,\n op3: OperatorFunction,\n op4: OperatorFunction,\n op5: OperatorFunction,\n op6: OperatorFunction,\n op7: OperatorFunction,\n op8: OperatorFunction,\n op9: OperatorFunction,\n ...operations: OperatorFunction[]\n ): Observable;\n /* tslint:enable:max-line-length */\n\n /**\n * Used to stitch together functional operators into a chain.\n * @method pipe\n * @return {Observable} the Observable result of all of the operators having\n * been called in the order they were passed in.\n *\n * ## Example\n *\n * ```ts\n * import { interval, filter, map, scan } from 'rxjs';\n *\n * interval(1000)\n * .pipe(\n * filter(x => x % 2 === 0),\n * map(x => x + x),\n * scan((acc, x) => acc + x)\n * )\n * .subscribe(x => console.log(x));\n * ```\n */\n pipe(...operations: OperatorFunction[]): Observable {\n return pipeFromArray(operations)(this);\n }\n\n /* tslint:disable:max-line-length */\n /** @deprecated Replaced with {@link firstValueFrom} and {@link lastValueFrom}. Will be removed in v8. Details: https://rxjs.dev/deprecations/to-promise */\n toPromise(): Promise;\n /** @deprecated Replaced with {@link firstValueFrom} and {@link lastValueFrom}. Will be removed in v8. Details: https://rxjs.dev/deprecations/to-promise */\n toPromise(PromiseCtor: typeof Promise): Promise;\n /** @deprecated Replaced with {@link firstValueFrom} and {@link lastValueFrom}. Will be removed in v8. 
Details: https://rxjs.dev/deprecations/to-promise */\n toPromise(PromiseCtor: PromiseConstructorLike): Promise;\n /* tslint:enable:max-line-length */\n\n /**\n * Subscribe to this Observable and get a Promise resolving on\n * `complete` with the last emission (if any).\n *\n * **WARNING**: Only use this with observables you *know* will complete. If the source\n * observable does not complete, you will end up with a promise that is hung up, and\n * potentially all of the state of an async function hanging out in memory. To avoid\n * this situation, look into adding something like {@link timeout}, {@link take},\n * {@link takeWhile}, or {@link takeUntil} amongst others.\n *\n * @method toPromise\n * @param [promiseCtor] a constructor function used to instantiate\n * the Promise\n * @return A Promise that resolves with the last value emit, or\n * rejects on an error. If there were no emissions, Promise\n * resolves with undefined.\n * @deprecated Replaced with {@link firstValueFrom} and {@link lastValueFrom}. Will be removed in v8. Details: https://rxjs.dev/deprecations/to-promise\n */\n toPromise(promiseCtor?: PromiseConstructorLike): Promise {\n promiseCtor = getPromiseCtor(promiseCtor);\n\n return new promiseCtor((resolve, reject) => {\n let value: T | undefined;\n this.subscribe(\n (x: T) => (value = x),\n (err: any) => reject(err),\n () => resolve(value)\n );\n }) as Promise;\n }\n}\n\n/**\n * Decides between a passed promise constructor from consuming code,\n * A default configured promise constructor, and the native promise\n * constructor and returns it. If nothing can be found, it will throw\n * an error.\n * @param promiseCtor The optional promise constructor to passed by consuming code\n */\nfunction getPromiseCtor(promiseCtor: PromiseConstructorLike | undefined) {\n return promiseCtor ?? config.Promise ?? 
Promise;\n}\n\nfunction isObserver(value: any): value is Observer {\n return value && isFunction(value.next) && isFunction(value.error) && isFunction(value.complete);\n}\n\nfunction isSubscriber(value: any): value is Subscriber {\n return (value && value instanceof Subscriber) || (isObserver(value) && isSubscription(value));\n}\n", "import { Observable } from '../Observable';\nimport { Subscriber } from '../Subscriber';\nimport { OperatorFunction } from '../types';\nimport { isFunction } from './isFunction';\n\n/**\n * Used to determine if an object is an Observable with a lift function.\n */\nexport function hasLift(source: any): source is { lift: InstanceType['lift'] } {\n return isFunction(source?.lift);\n}\n\n/**\n * Creates an `OperatorFunction`. Used to define operators throughout the library in a concise way.\n * @param init The logic to connect the liftedSource to the subscriber at the moment of subscription.\n */\nexport function operate(\n init: (liftedSource: Observable, subscriber: Subscriber) => (() => void) | void\n): OperatorFunction {\n return (source: Observable) => {\n if (hasLift(source)) {\n return source.lift(function (this: Subscriber, liftedSource: Observable) {\n try {\n return init(liftedSource, this);\n } catch (err) {\n this.error(err);\n }\n });\n }\n throw new TypeError('Unable to lift unknown Observable type');\n };\n}\n", "import { Subscriber } from '../Subscriber';\n\n/**\n * Creates an instance of an `OperatorSubscriber`.\n * @param destination The downstream subscriber.\n * @param onNext Handles next values, only called if this subscriber is not stopped or closed. Any\n * error that occurs in this function is caught and sent to the `error` method of this subscriber.\n * @param onError Handles errors from the subscription, any errors that occur in this handler are caught\n * and send to the `destination` error handler.\n * @param onComplete Handles completion notification from the subscription. 
Any errors that occur in\n * this handler are sent to the `destination` error handler.\n * @param onFinalize Additional teardown logic here. This will only be called on teardown if the\n * subscriber itself is not already closed. This is called after all other teardown logic is executed.\n */\nexport function createOperatorSubscriber(\n destination: Subscriber,\n onNext?: (value: T) => void,\n onComplete?: () => void,\n onError?: (err: any) => void,\n onFinalize?: () => void\n): Subscriber {\n return new OperatorSubscriber(destination, onNext, onComplete, onError, onFinalize);\n}\n\n/**\n * A generic helper for allowing operators to be created with a Subscriber and\n * use closures to capture necessary state from the operator function itself.\n */\nexport class OperatorSubscriber extends Subscriber {\n /**\n * Creates an instance of an `OperatorSubscriber`.\n * @param destination The downstream subscriber.\n * @param onNext Handles next values, only called if this subscriber is not stopped or closed. Any\n * error that occurs in this function is caught and sent to the `error` method of this subscriber.\n * @param onError Handles errors from the subscription, any errors that occur in this handler are caught\n * and send to the `destination` error handler.\n * @param onComplete Handles completion notification from the subscription. Any errors that occur in\n * this handler are sent to the `destination` error handler.\n * @param onFinalize Additional finalization logic here. This will only be called on finalization if the\n * subscriber itself is not already closed. 
This is called after all other finalization logic is executed.\n * @param shouldUnsubscribe An optional check to see if an unsubscribe call should truly unsubscribe.\n * NOTE: This currently **ONLY** exists to support the strange behavior of {@link groupBy}, where unsubscription\n * to the resulting observable does not actually disconnect from the source if there are active subscriptions\n * to any grouped observable. (DO NOT EXPOSE OR USE EXTERNALLY!!!)\n */\n constructor(\n destination: Subscriber,\n onNext?: (value: T) => void,\n onComplete?: () => void,\n onError?: (err: any) => void,\n private onFinalize?: () => void,\n private shouldUnsubscribe?: () => boolean\n ) {\n // It's important - for performance reasons - that all of this class's\n // members are initialized and that they are always initialized in the same\n // order. This will ensure that all OperatorSubscriber instances have the\n // same hidden class in V8. This, in turn, will help keep the number of\n // hidden classes involved in property accesses within the base class as\n // low as possible. If the number of hidden classes involved exceeds four,\n // the property accesses will become megamorphic and performance penalties\n // will be incurred - i.e. inline caches won't be used.\n //\n // The reasons for ensuring all instances have the same hidden class are\n // further discussed in this blog post from Benedikt Meurer:\n // https://benediktmeurer.de/2018/03/23/impact-of-polymorphism-on-component-based-frameworks-like-react/\n super(destination);\n this._next = onNext\n ? function (this: OperatorSubscriber, value: T) {\n try {\n onNext(value);\n } catch (err) {\n destination.error(err);\n }\n }\n : super._next;\n this._error = onError\n ? 
function (this: OperatorSubscriber, err: any) {\n try {\n onError(err);\n } catch (err) {\n // Send any errors that occur down stream.\n destination.error(err);\n } finally {\n // Ensure finalization.\n this.unsubscribe();\n }\n }\n : super._error;\n this._complete = onComplete\n ? function (this: OperatorSubscriber) {\n try {\n onComplete();\n } catch (err) {\n // Send any errors that occur down stream.\n destination.error(err);\n } finally {\n // Ensure finalization.\n this.unsubscribe();\n }\n }\n : super._complete;\n }\n\n unsubscribe() {\n if (!this.shouldUnsubscribe || this.shouldUnsubscribe()) {\n const { closed } = this;\n super.unsubscribe();\n // Execute additional teardown if we have any and we didn't already do so.\n !closed && this.onFinalize?.();\n }\n }\n}\n", "import { Subscription } from '../Subscription';\n\ninterface AnimationFrameProvider {\n schedule(callback: FrameRequestCallback): Subscription;\n requestAnimationFrame: typeof requestAnimationFrame;\n cancelAnimationFrame: typeof cancelAnimationFrame;\n delegate:\n | {\n requestAnimationFrame: typeof requestAnimationFrame;\n cancelAnimationFrame: typeof cancelAnimationFrame;\n }\n | undefined;\n}\n\nexport const animationFrameProvider: AnimationFrameProvider = {\n // When accessing the delegate, use the variable rather than `this` so that\n // the functions can be called without being bound to the provider.\n schedule(callback) {\n let request = requestAnimationFrame;\n let cancel: typeof cancelAnimationFrame | undefined = cancelAnimationFrame;\n const { delegate } = animationFrameProvider;\n if (delegate) {\n request = delegate.requestAnimationFrame;\n cancel = delegate.cancelAnimationFrame;\n }\n const handle = request((timestamp) => {\n // Clear the cancel function. 
The request has been fulfilled, so\n // attempting to cancel the request upon unsubscription would be\n // pointless.\n cancel = undefined;\n callback(timestamp);\n });\n return new Subscription(() => cancel?.(handle));\n },\n requestAnimationFrame(...args) {\n const { delegate } = animationFrameProvider;\n return (delegate?.requestAnimationFrame || requestAnimationFrame)(...args);\n },\n cancelAnimationFrame(...args) {\n const { delegate } = animationFrameProvider;\n return (delegate?.cancelAnimationFrame || cancelAnimationFrame)(...args);\n },\n delegate: undefined,\n};\n", "import { createErrorClass } from './createErrorClass';\n\nexport interface ObjectUnsubscribedError extends Error {}\n\nexport interface ObjectUnsubscribedErrorCtor {\n /**\n * @deprecated Internal implementation detail. Do not construct error instances.\n * Cannot be tagged as internal: https://github.com/ReactiveX/rxjs/issues/6269\n */\n new (): ObjectUnsubscribedError;\n}\n\n/**\n * An error thrown when an action is invalid because the object has been\n * unsubscribed.\n *\n * @see {@link Subject}\n * @see {@link BehaviorSubject}\n *\n * @class ObjectUnsubscribedError\n */\nexport const ObjectUnsubscribedError: ObjectUnsubscribedErrorCtor = createErrorClass(\n (_super) =>\n function ObjectUnsubscribedErrorImpl(this: any) {\n _super(this);\n this.name = 'ObjectUnsubscribedError';\n this.message = 'object unsubscribed';\n }\n);\n", "import { Operator } from './Operator';\nimport { Observable } from './Observable';\nimport { Subscriber } from './Subscriber';\nimport { Subscription, EMPTY_SUBSCRIPTION } from './Subscription';\nimport { Observer, SubscriptionLike, TeardownLogic } from './types';\nimport { ObjectUnsubscribedError } from './util/ObjectUnsubscribedError';\nimport { arrRemove } from './util/arrRemove';\nimport { errorContext } from './util/errorContext';\n\n/**\n * A Subject is a special type of Observable that allows values to be\n * multicasted to many Observers. 
Subjects are like EventEmitters.\n *\n * Every Subject is an Observable and an Observer. You can subscribe to a\n * Subject, and you can call next to feed values as well as error and complete.\n */\nexport class Subject extends Observable implements SubscriptionLike {\n closed = false;\n\n private currentObservers: Observer[] | null = null;\n\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n observers: Observer[] = [];\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n isStopped = false;\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n hasError = false;\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n thrownError: any = null;\n\n /**\n * Creates a \"subject\" by basically gluing an observer to an observable.\n *\n * @nocollapse\n * @deprecated Recommended you do not use. Will be removed at some point in the future. Plans for replacement still under discussion.\n */\n static create: (...args: any[]) => any = (destination: Observer, source: Observable): AnonymousSubject => {\n return new AnonymousSubject(destination, source);\n };\n\n constructor() {\n // NOTE: This must be here to obscure Observable's constructor.\n super();\n }\n\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. 
*/\n lift(operator: Operator): Observable {\n const subject = new AnonymousSubject(this, this);\n subject.operator = operator as any;\n return subject as any;\n }\n\n /** @internal */\n protected _throwIfClosed() {\n if (this.closed) {\n throw new ObjectUnsubscribedError();\n }\n }\n\n next(value: T) {\n errorContext(() => {\n this._throwIfClosed();\n if (!this.isStopped) {\n if (!this.currentObservers) {\n this.currentObservers = Array.from(this.observers);\n }\n for (const observer of this.currentObservers) {\n observer.next(value);\n }\n }\n });\n }\n\n error(err: any) {\n errorContext(() => {\n this._throwIfClosed();\n if (!this.isStopped) {\n this.hasError = this.isStopped = true;\n this.thrownError = err;\n const { observers } = this;\n while (observers.length) {\n observers.shift()!.error(err);\n }\n }\n });\n }\n\n complete() {\n errorContext(() => {\n this._throwIfClosed();\n if (!this.isStopped) {\n this.isStopped = true;\n const { observers } = this;\n while (observers.length) {\n observers.shift()!.complete();\n }\n }\n });\n }\n\n unsubscribe() {\n this.isStopped = this.closed = true;\n this.observers = this.currentObservers = null!;\n }\n\n get observed() {\n return this.observers?.length > 0;\n }\n\n /** @internal */\n protected _trySubscribe(subscriber: Subscriber): TeardownLogic {\n this._throwIfClosed();\n return super._trySubscribe(subscriber);\n }\n\n /** @internal */\n protected _subscribe(subscriber: Subscriber): Subscription {\n this._throwIfClosed();\n this._checkFinalizedStatuses(subscriber);\n return this._innerSubscribe(subscriber);\n }\n\n /** @internal */\n protected _innerSubscribe(subscriber: Subscriber) {\n const { hasError, isStopped, observers } = this;\n if (hasError || isStopped) {\n return EMPTY_SUBSCRIPTION;\n }\n this.currentObservers = null;\n observers.push(subscriber);\n return new Subscription(() => {\n this.currentObservers = null;\n arrRemove(observers, subscriber);\n });\n }\n\n /** @internal */\n protected 
_checkFinalizedStatuses(subscriber: Subscriber) {\n const { hasError, thrownError, isStopped } = this;\n if (hasError) {\n subscriber.error(thrownError);\n } else if (isStopped) {\n subscriber.complete();\n }\n }\n\n /**\n * Creates a new Observable with this Subject as the source. You can do this\n * to create custom Observer-side logic of the Subject and conceal it from\n * code that uses the Observable.\n * @return {Observable} Observable that the Subject casts to\n */\n asObservable(): Observable {\n const observable: any = new Observable();\n observable.source = this;\n return observable;\n }\n}\n\n/**\n * @class AnonymousSubject\n */\nexport class AnonymousSubject extends Subject {\n constructor(\n /** @deprecated Internal implementation detail, do not use directly. Will be made internal in v8. */\n public destination?: Observer,\n source?: Observable\n ) {\n super();\n this.source = source;\n }\n\n next(value: T) {\n this.destination?.next?.(value);\n }\n\n error(err: any) {\n this.destination?.error?.(err);\n }\n\n complete() {\n this.destination?.complete?.();\n }\n\n /** @internal */\n protected _subscribe(subscriber: Subscriber): Subscription {\n return this.source?.subscribe(subscriber) ?? 
EMPTY_SUBSCRIPTION;\n }\n}\n", "import { Subject } from './Subject';\nimport { Subscriber } from './Subscriber';\nimport { Subscription } from './Subscription';\n\n/**\n * A variant of Subject that requires an initial value and emits its current\n * value whenever it is subscribed to.\n *\n * @class BehaviorSubject\n */\nexport class BehaviorSubject extends Subject {\n constructor(private _value: T) {\n super();\n }\n\n get value(): T {\n return this.getValue();\n }\n\n /** @internal */\n protected _subscribe(subscriber: Subscriber): Subscription {\n const subscription = super._subscribe(subscriber);\n !subscription.closed && subscriber.next(this._value);\n return subscription;\n }\n\n getValue(): T {\n const { hasError, thrownError, _value } = this;\n if (hasError) {\n throw thrownError;\n }\n this._throwIfClosed();\n return _value;\n }\n\n next(value: T): void {\n super.next((this._value = value));\n }\n}\n", "import { TimestampProvider } from '../types';\n\ninterface DateTimestampProvider extends TimestampProvider {\n delegate: TimestampProvider | undefined;\n}\n\nexport const dateTimestampProvider: DateTimestampProvider = {\n now() {\n // Use the variable rather than `this` so that the function can be called\n // without being bound to the provider.\n return (dateTimestampProvider.delegate || Date).now();\n },\n delegate: undefined,\n};\n", "import { Subject } from './Subject';\nimport { TimestampProvider } from './types';\nimport { Subscriber } from './Subscriber';\nimport { Subscription } from './Subscription';\nimport { dateTimestampProvider } from './scheduler/dateTimestampProvider';\n\n/**\n * A variant of {@link Subject} that \"replays\" old values to new subscribers by emitting them when they first subscribe.\n *\n * `ReplaySubject` has an internal buffer that will store a specified number of values that it has observed. Like `Subject`,\n * `ReplaySubject` \"observes\" values by having them passed to its `next` method. 
When it observes a value, it will store that\n * value for a time determined by the configuration of the `ReplaySubject`, as passed to its constructor.\n *\n * When a new subscriber subscribes to the `ReplaySubject` instance, it will synchronously emit all values in its buffer in\n * a First-In-First-Out (FIFO) manner. The `ReplaySubject` will also complete, if it has observed completion; and it will\n * error if it has observed an error.\n *\n * There are two main configuration items to be concerned with:\n *\n * 1. `bufferSize` - This will determine how many items are stored in the buffer, defaults to infinite.\n * 2. `windowTime` - The amount of time to hold a value in the buffer before removing it from the buffer.\n *\n * Both configurations may exist simultaneously. So if you would like to buffer a maximum of 3 values, as long as the values\n * are less than 2 seconds old, you could do so with a `new ReplaySubject(3, 2000)`.\n *\n * ### Differences with BehaviorSubject\n *\n * `BehaviorSubject` is similar to `new ReplaySubject(1)`, with a couple of exceptions:\n *\n * 1. `BehaviorSubject` comes \"primed\" with a single value upon construction.\n * 2. `ReplaySubject` will replay values, even after observing an error, where `BehaviorSubject` will not.\n *\n * @see {@link Subject}\n * @see {@link BehaviorSubject}\n * @see {@link shareReplay}\n */\nexport class ReplaySubject extends Subject {\n private _buffer: (T | number)[] = [];\n private _infiniteTimeWindow = true;\n\n /**\n * @param bufferSize The size of the buffer to replay on subscription\n * @param windowTime The amount of time the buffered items will stay buffered\n * @param timestampProvider An object with a `now()` method that provides the current timestamp. 
This is used to\n * calculate the amount of time something has been buffered.\n */\n constructor(\n private _bufferSize = Infinity,\n private _windowTime = Infinity,\n private _timestampProvider: TimestampProvider = dateTimestampProvider\n ) {\n super();\n this._infiniteTimeWindow = _windowTime === Infinity;\n this._bufferSize = Math.max(1, _bufferSize);\n this._windowTime = Math.max(1, _windowTime);\n }\n\n next(value: T): void {\n const { isStopped, _buffer, _infiniteTimeWindow, _timestampProvider, _windowTime } = this;\n if (!isStopped) {\n _buffer.push(value);\n !_infiniteTimeWindow && _buffer.push(_timestampProvider.now() + _windowTime);\n }\n this._trimBuffer();\n super.next(value);\n }\n\n /** @internal */\n protected _subscribe(subscriber: Subscriber): Subscription {\n this._throwIfClosed();\n this._trimBuffer();\n\n const subscription = this._innerSubscribe(subscriber);\n\n const { _infiniteTimeWindow, _buffer } = this;\n // We use a copy here, so reentrant code does not mutate our array while we're\n // emitting it to a new subscriber.\n const copy = _buffer.slice();\n for (let i = 0; i < copy.length && !subscriber.closed; i += _infiniteTimeWindow ? 1 : 2) {\n subscriber.next(copy[i] as T);\n }\n\n this._checkFinalizedStatuses(subscriber);\n\n return subscription;\n }\n\n private _trimBuffer() {\n const { _bufferSize, _timestampProvider, _buffer, _infiniteTimeWindow } = this;\n // If we don't have an infinite buffer size, and we're over the length,\n // use splice to truncate the old buffer values off. Note that we have to\n // double the size for instances where we're not using an infinite time window\n // because we're storing the values and the timestamps in the same array.\n const adjustedBufferSize = (_infiniteTimeWindow ? 
1 : 2) * _bufferSize;\n _bufferSize < Infinity && adjustedBufferSize < _buffer.length && _buffer.splice(0, _buffer.length - adjustedBufferSize);\n\n // Now, if we're not in an infinite time window, remove all values where the time is\n // older than what is allowed.\n if (!_infiniteTimeWindow) {\n const now = _timestampProvider.now();\n let last = 0;\n // Search the array for the first timestamp that isn't expired and\n // truncate the buffer up to that point.\n for (let i = 1; i < _buffer.length && (_buffer[i] as number) <= now; i += 2) {\n last = i;\n }\n last && _buffer.splice(0, last + 1);\n }\n }\n}\n", "import { Scheduler } from '../Scheduler';\nimport { Subscription } from '../Subscription';\nimport { SchedulerAction } from '../types';\n\n/**\n * A unit of work to be executed in a `scheduler`. An action is typically\n * created from within a {@link SchedulerLike} and an RxJS user does not need to concern\n * themselves about creating and manipulating an Action.\n *\n * ```ts\n * class Action extends Subscription {\n * new (scheduler: Scheduler, work: (state?: T) => void);\n * schedule(state?: T, delay: number = 0): Subscription;\n * }\n * ```\n *\n * @class Action\n */\nexport class Action extends Subscription {\n constructor(scheduler: Scheduler, work: (this: SchedulerAction, state?: T) => void) {\n super();\n }\n /**\n * Schedules this action on its parent {@link SchedulerLike} for execution. May be passed\n * some context object, `state`. 
May happen at some point in the future,\n * according to the `delay` parameter, if specified.\n * @param {T} [state] Some contextual data that the `work` function uses when\n * called by the Scheduler.\n * @param {number} [delay] Time to wait before executing the work, where the\n * time unit is implicit and defined by the Scheduler.\n * @return {void}\n */\n public schedule(state?: T, delay: number = 0): Subscription {\n return this;\n }\n}\n", "import type { TimerHandle } from './timerHandle';\ntype SetIntervalFunction = (handler: () => void, timeout?: number, ...args: any[]) => TimerHandle;\ntype ClearIntervalFunction = (handle: TimerHandle) => void;\n\ninterface IntervalProvider {\n setInterval: SetIntervalFunction;\n clearInterval: ClearIntervalFunction;\n delegate:\n | {\n setInterval: SetIntervalFunction;\n clearInterval: ClearIntervalFunction;\n }\n | undefined;\n}\n\nexport const intervalProvider: IntervalProvider = {\n // When accessing the delegate, use the variable rather than `this` so that\n // the functions can be called without being bound to the provider.\n setInterval(handler: () => void, timeout?: number, ...args) {\n const { delegate } = intervalProvider;\n if (delegate?.setInterval) {\n return delegate.setInterval(handler, timeout, ...args);\n }\n return setInterval(handler, timeout, ...args);\n },\n clearInterval(handle) {\n const { delegate } = intervalProvider;\n return (delegate?.clearInterval || clearInterval)(handle as any);\n },\n delegate: undefined,\n};\n", "import { Action } from './Action';\nimport { SchedulerAction } from '../types';\nimport { Subscription } from '../Subscription';\nimport { AsyncScheduler } from './AsyncScheduler';\nimport { intervalProvider } from './intervalProvider';\nimport { arrRemove } from '../util/arrRemove';\nimport { TimerHandle } from './timerHandle';\n\nexport class AsyncAction extends Action {\n public id: TimerHandle | undefined;\n public state?: T;\n // @ts-ignore: Property has no initializer and is 
not definitely assigned\n public delay: number;\n protected pending: boolean = false;\n\n constructor(protected scheduler: AsyncScheduler, protected work: (this: SchedulerAction, state?: T) => void) {\n super(scheduler, work);\n }\n\n public schedule(state?: T, delay: number = 0): Subscription {\n if (this.closed) {\n return this;\n }\n\n // Always replace the current state with the new state.\n this.state = state;\n\n const id = this.id;\n const scheduler = this.scheduler;\n\n //\n // Important implementation note:\n //\n // Actions only execute once by default, unless rescheduled from within the\n // scheduled callback. This allows us to implement single and repeat\n // actions via the same code path, without adding API surface area, as well\n // as mimic traditional recursion but across asynchronous boundaries.\n //\n // However, JS runtimes and timers distinguish between intervals achieved by\n // serial `setTimeout` calls vs. a single `setInterval` call. An interval of\n // serial `setTimeout` calls can be individually delayed, which delays\n // scheduling the next `setTimeout`, and so on. `setInterval` attempts to\n // guarantee the interval callback will be invoked more precisely to the\n // interval period, regardless of load.\n //\n // Therefore, we use `setInterval` to schedule single and repeat actions.\n // If the action reschedules itself with the same delay, the interval is not\n // canceled. If the action doesn't reschedule, or reschedules with a\n // different delay, the interval will be canceled after scheduled callback\n // execution.\n //\n if (id != null) {\n this.id = this.recycleAsyncId(scheduler, id, delay);\n }\n\n // Set the pending flag indicating that this action has been scheduled, or\n // has recursively rescheduled itself.\n this.pending = true;\n\n this.delay = delay;\n // If this action has already an async Id, don't request a new one.\n this.id = this.id ?? 
this.requestAsyncId(scheduler, this.id, delay);\n\n return this;\n }\n\n protected requestAsyncId(scheduler: AsyncScheduler, _id?: TimerHandle, delay: number = 0): TimerHandle {\n return intervalProvider.setInterval(scheduler.flush.bind(scheduler, this), delay);\n }\n\n protected recycleAsyncId(_scheduler: AsyncScheduler, id?: TimerHandle, delay: number | null = 0): TimerHandle | undefined {\n // If this action is rescheduled with the same delay time, don't clear the interval id.\n if (delay != null && this.delay === delay && this.pending === false) {\n return id;\n }\n // Otherwise, if the action's delay time is different from the current delay,\n // or the action has been rescheduled before it's executed, clear the interval id\n if (id != null) {\n intervalProvider.clearInterval(id);\n }\n\n return undefined;\n }\n\n /**\n * Immediately executes this action and the `work` it contains.\n * @return {any}\n */\n public execute(state: T, delay: number): any {\n if (this.closed) {\n return new Error('executing a cancelled action');\n }\n\n this.pending = false;\n const error = this._execute(state, delay);\n if (error) {\n return error;\n } else if (this.pending === false && this.id != null) {\n // Dequeue if the action didn't reschedule itself. Don't call\n // unsubscribe(), because the action could reschedule later.\n // For example:\n // ```\n // scheduler.schedule(function doWork(counter) {\n // /* ... I'm a busy worker bee ... 
*/\n // var originalAction = this;\n // /* wait 100ms before rescheduling the action */\n // setTimeout(function () {\n // originalAction.schedule(counter + 1);\n // }, 100);\n // }, 1000);\n // ```\n this.id = this.recycleAsyncId(this.scheduler, this.id, null);\n }\n }\n\n protected _execute(state: T, _delay: number): any {\n let errored: boolean = false;\n let errorValue: any;\n try {\n this.work(state);\n } catch (e) {\n errored = true;\n // HACK: Since code elsewhere is relying on the \"truthiness\" of the\n // return here, we can't have it return \"\" or 0 or false.\n // TODO: Clean this up when we refactor schedulers mid-version-8 or so.\n errorValue = e ? e : new Error('Scheduled action threw falsy error');\n }\n if (errored) {\n this.unsubscribe();\n return errorValue;\n }\n }\n\n unsubscribe() {\n if (!this.closed) {\n const { id, scheduler } = this;\n const { actions } = scheduler;\n\n this.work = this.state = this.scheduler = null!;\n this.pending = false;\n\n arrRemove(actions, this);\n if (id != null) {\n this.id = this.recycleAsyncId(scheduler, id, null);\n }\n\n this.delay = null!;\n super.unsubscribe();\n }\n }\n}\n", "import { Action } from './scheduler/Action';\nimport { Subscription } from './Subscription';\nimport { SchedulerLike, SchedulerAction } from './types';\nimport { dateTimestampProvider } from './scheduler/dateTimestampProvider';\n\n/**\n * An execution context and a data structure to order tasks and schedule their\n * execution. Provides a notion of (potentially virtual) time, through the\n * `now()` getter method.\n *\n * Each unit of work in a Scheduler is called an `Action`.\n *\n * ```ts\n * class Scheduler {\n * now(): number;\n * schedule(work, delay?, state?): Subscription;\n * }\n * ```\n *\n * @class Scheduler\n * @deprecated Scheduler is an internal implementation detail of RxJS, and\n * should not be used directly. Rather, create your own class and implement\n * {@link SchedulerLike}. 
Will be made internal in v8.\n */\nexport class Scheduler implements SchedulerLike {\n public static now: () => number = dateTimestampProvider.now;\n\n constructor(private schedulerActionCtor: typeof Action, now: () => number = Scheduler.now) {\n this.now = now;\n }\n\n /**\n * A getter method that returns a number representing the current time\n * (at the time this function was called) according to the scheduler's own\n * internal clock.\n * @return {number} A number that represents the current time. May or may not\n * have a relation to wall-clock time. May or may not refer to a time unit\n * (e.g. milliseconds).\n */\n public now: () => number;\n\n /**\n * Schedules a function, `work`, for execution. May happen at some point in\n * the future, according to the `delay` parameter, if specified. May be passed\n * some context object, `state`, which will be passed to the `work` function.\n *\n * The given arguments will be processed an stored as an Action object in a\n * queue of actions.\n *\n * @param {function(state: ?T): ?Subscription} work A function representing a\n * task, or some unit of work to be executed by the Scheduler.\n * @param {number} [delay] Time to wait before executing the work, where the\n * time unit is implicit and defined by the Scheduler itself.\n * @param {T} [state] Some contextual data that the `work` function uses when\n * called by the Scheduler.\n * @return {Subscription} A subscription in order to be able to unsubscribe\n * the scheduled work.\n */\n public schedule(work: (this: SchedulerAction, state?: T) => void, delay: number = 0, state?: T): Subscription {\n return new this.schedulerActionCtor(this, work).schedule(state, delay);\n }\n}\n", "import { Scheduler } from '../Scheduler';\nimport { Action } from './Action';\nimport { AsyncAction } from './AsyncAction';\nimport { TimerHandle } from './timerHandle';\n\nexport class AsyncScheduler extends Scheduler {\n public actions: Array> = [];\n /**\n * A flag to indicate whether the 
Scheduler is currently executing a batch of\n * queued actions.\n * @type {boolean}\n * @internal\n */\n public _active: boolean = false;\n /**\n * An internal ID used to track the latest asynchronous task such as those\n * coming from `setTimeout`, `setInterval`, `requestAnimationFrame`, and\n * others.\n * @type {any}\n * @internal\n */\n public _scheduled: TimerHandle | undefined;\n\n constructor(SchedulerAction: typeof Action, now: () => number = Scheduler.now) {\n super(SchedulerAction, now);\n }\n\n public flush(action: AsyncAction): void {\n const { actions } = this;\n\n if (this._active) {\n actions.push(action);\n return;\n }\n\n let error: any;\n this._active = true;\n\n do {\n if ((error = action.execute(action.state, action.delay))) {\n break;\n }\n } while ((action = actions.shift()!)); // exhaust the scheduler queue\n\n this._active = false;\n\n if (error) {\n while ((action = actions.shift()!)) {\n action.unsubscribe();\n }\n throw error;\n }\n }\n}\n", "import { AsyncAction } from './AsyncAction';\nimport { AsyncScheduler } from './AsyncScheduler';\n\n/**\n *\n * Async Scheduler\n *\n * Schedule task as if you used setTimeout(task, duration)\n *\n * `async` scheduler schedules tasks asynchronously, by putting them on the JavaScript\n * event loop queue. 
It is best used to delay tasks in time or to schedule tasks repeating\n * in intervals.\n *\n * If you just want to \"defer\" task, that is to perform it right after currently\n * executing synchronous code ends (commonly achieved by `setTimeout(deferredTask, 0)`),\n * better choice will be the {@link asapScheduler} scheduler.\n *\n * ## Examples\n * Use async scheduler to delay task\n * ```ts\n * import { asyncScheduler } from 'rxjs';\n *\n * const task = () => console.log('it works!');\n *\n * asyncScheduler.schedule(task, 2000);\n *\n * // After 2 seconds logs:\n * // \"it works!\"\n * ```\n *\n * Use async scheduler to repeat task in intervals\n * ```ts\n * import { asyncScheduler } from 'rxjs';\n *\n * function task(state) {\n * console.log(state);\n * this.schedule(state + 1, 1000); // `this` references currently executing Action,\n * // which we reschedule with new state and delay\n * }\n *\n * asyncScheduler.schedule(task, 3000, 0);\n *\n * // Logs:\n * // 0 after 3s\n * // 1 after 4s\n * // 2 after 5s\n * // 3 after 6s\n * ```\n */\n\nexport const asyncScheduler = new AsyncScheduler(AsyncAction);\n\n/**\n * @deprecated Renamed to {@link asyncScheduler}. Will be removed in v8.\n */\nexport const async = asyncScheduler;\n", "import { AsyncAction } from './AsyncAction';\nimport { Subscription } from '../Subscription';\nimport { QueueScheduler } from './QueueScheduler';\nimport { SchedulerAction } from '../types';\nimport { TimerHandle } from './timerHandle';\n\nexport class QueueAction extends AsyncAction {\n constructor(protected scheduler: QueueScheduler, protected work: (this: SchedulerAction, state?: T) => void) {\n super(scheduler, work);\n }\n\n public schedule(state?: T, delay: number = 0): Subscription {\n if (delay > 0) {\n return super.schedule(state, delay);\n }\n this.delay = delay;\n this.state = state;\n this.scheduler.flush(this);\n return this;\n }\n\n public execute(state: T, delay: number): any {\n return delay > 0 || this.closed ? 
super.execute(state, delay) : this._execute(state, delay);\n }\n\n protected requestAsyncId(scheduler: QueueScheduler, id?: TimerHandle, delay: number = 0): TimerHandle {\n // If delay exists and is greater than 0, or if the delay is null (the\n // action wasn't rescheduled) but was originally scheduled as an async\n // action, then recycle as an async action.\n\n if ((delay != null && delay > 0) || (delay == null && this.delay > 0)) {\n return super.requestAsyncId(scheduler, id, delay);\n }\n\n // Otherwise flush the scheduler starting with this action.\n scheduler.flush(this);\n\n // HACK: In the past, this was returning `void`. However, `void` isn't a valid\n // `TimerHandle`, and generally the return value here isn't really used. So the\n // compromise is to return `0` which is both \"falsy\" and a valid `TimerHandle`,\n // as opposed to refactoring every other instanceo of `requestAsyncId`.\n return 0;\n }\n}\n", "import { AsyncScheduler } from './AsyncScheduler';\n\nexport class QueueScheduler extends AsyncScheduler {\n}\n", "import { QueueAction } from './QueueAction';\nimport { QueueScheduler } from './QueueScheduler';\n\n/**\n *\n * Queue Scheduler\n *\n * Put every next task on a queue, instead of executing it immediately\n *\n * `queue` scheduler, when used with delay, behaves the same as {@link asyncScheduler} scheduler.\n *\n * When used without delay, it schedules given task synchronously - executes it right when\n * it is scheduled. 
However when called recursively, that is when inside the scheduled task,\n * another task is scheduled with queue scheduler, instead of executing immediately as well,\n * that task will be put on a queue and wait for current one to finish.\n *\n * This means that when you execute task with `queue` scheduler, you are sure it will end\n * before any other task scheduled with that scheduler will start.\n *\n * ## Examples\n * Schedule recursively first, then do something\n * ```ts\n * import { queueScheduler } from 'rxjs';\n *\n * queueScheduler.schedule(() => {\n * queueScheduler.schedule(() => console.log('second')); // will not happen now, but will be put on a queue\n *\n * console.log('first');\n * });\n *\n * // Logs:\n * // \"first\"\n * // \"second\"\n * ```\n *\n * Reschedule itself recursively\n * ```ts\n * import { queueScheduler } from 'rxjs';\n *\n * queueScheduler.schedule(function(state) {\n * if (state !== 0) {\n * console.log('before', state);\n * this.schedule(state - 1); // `this` references currently executing Action,\n * // which we reschedule with new state\n * console.log('after', state);\n * }\n * }, 0, 3);\n *\n * // In scheduler that runs recursively, you would expect:\n * // \"before\", 3\n * // \"before\", 2\n * // \"before\", 1\n * // \"after\", 1\n * // \"after\", 2\n * // \"after\", 3\n *\n * // But with queue it logs:\n * // \"before\", 3\n * // \"after\", 3\n * // \"before\", 2\n * // \"after\", 2\n * // \"before\", 1\n * // \"after\", 1\n * ```\n */\n\nexport const queueScheduler = new QueueScheduler(QueueAction);\n\n/**\n * @deprecated Renamed to {@link queueScheduler}. 
Will be removed in v8.\n */\nexport const queue = queueScheduler;\n", "import { AsyncAction } from './AsyncAction';\nimport { AnimationFrameScheduler } from './AnimationFrameScheduler';\nimport { SchedulerAction } from '../types';\nimport { animationFrameProvider } from './animationFrameProvider';\nimport { TimerHandle } from './timerHandle';\n\nexport class AnimationFrameAction extends AsyncAction {\n constructor(protected scheduler: AnimationFrameScheduler, protected work: (this: SchedulerAction, state?: T) => void) {\n super(scheduler, work);\n }\n\n protected requestAsyncId(scheduler: AnimationFrameScheduler, id?: TimerHandle, delay: number = 0): TimerHandle {\n // If delay is greater than 0, request as an async action.\n if (delay !== null && delay > 0) {\n return super.requestAsyncId(scheduler, id, delay);\n }\n // Push the action to the end of the scheduler queue.\n scheduler.actions.push(this);\n // If an animation frame has already been requested, don't request another\n // one. If an animation frame hasn't been requested yet, request one. Return\n // the current animation frame request id.\n return scheduler._scheduled || (scheduler._scheduled = animationFrameProvider.requestAnimationFrame(() => scheduler.flush(undefined)));\n }\n\n protected recycleAsyncId(scheduler: AnimationFrameScheduler, id?: TimerHandle, delay: number = 0): TimerHandle | undefined {\n // If delay exists and is greater than 0, or if the delay is null (the\n // action wasn't rescheduled) but was originally scheduled as an async\n // action, then recycle as an async action.\n if (delay != null ? 
delay > 0 : this.delay > 0) {\n return super.recycleAsyncId(scheduler, id, delay);\n }\n // If the scheduler queue has no remaining actions with the same async id,\n // cancel the requested animation frame and set the scheduled flag to\n // undefined so the next AnimationFrameAction will request its own.\n const { actions } = scheduler;\n if (id != null && actions[actions.length - 1]?.id !== id) {\n animationFrameProvider.cancelAnimationFrame(id as number);\n scheduler._scheduled = undefined;\n }\n // Return undefined so the action knows to request a new async id if it's rescheduled.\n return undefined;\n }\n}\n", "import { AsyncAction } from './AsyncAction';\nimport { AsyncScheduler } from './AsyncScheduler';\n\nexport class AnimationFrameScheduler extends AsyncScheduler {\n public flush(action?: AsyncAction): void {\n this._active = true;\n // The async id that effects a call to flush is stored in _scheduled.\n // Before executing an action, it's necessary to check the action's async\n // id to determine whether it's supposed to be executed in the current\n // flush.\n // Previous implementations of this method used a count to determine this,\n // but that was unsound, as actions that are unsubscribed - i.e. 
cancelled -\n // are removed from the actions array and that can shift actions that are\n // scheduled to be executed in a subsequent flush into positions at which\n // they are executed within the current flush.\n const flushId = this._scheduled;\n this._scheduled = undefined;\n\n const { actions } = this;\n let error: any;\n action = action || actions.shift()!;\n\n do {\n if ((error = action.execute(action.state, action.delay))) {\n break;\n }\n } while ((action = actions[0]) && action.id === flushId && actions.shift());\n\n this._active = false;\n\n if (error) {\n while ((action = actions[0]) && action.id === flushId && actions.shift()) {\n action.unsubscribe();\n }\n throw error;\n }\n }\n}\n", "import { AnimationFrameAction } from './AnimationFrameAction';\nimport { AnimationFrameScheduler } from './AnimationFrameScheduler';\n\n/**\n *\n * Animation Frame Scheduler\n *\n * Perform task when `window.requestAnimationFrame` would fire\n *\n * When `animationFrame` scheduler is used with delay, it will fall back to {@link asyncScheduler} scheduler\n * behaviour.\n *\n * Without delay, `animationFrame` scheduler can be used to create smooth browser animations.\n * It makes sure scheduled task will happen just before next browser content repaint,\n * thus performing animations as efficiently as possible.\n *\n * ## Example\n * Schedule div height animation\n * ```ts\n * // html:
\n * import { animationFrameScheduler } from 'rxjs';\n *\n * const div = document.querySelector('div');\n *\n * animationFrameScheduler.schedule(function(height) {\n * div.style.height = height + \"px\";\n *\n * this.schedule(height + 1); // `this` references currently executing Action,\n * // which we reschedule with new state\n * }, 0, 0);\n *\n * // You will see a div element growing in height\n * ```\n */\n\nexport const animationFrameScheduler = new AnimationFrameScheduler(AnimationFrameAction);\n\n/**\n * @deprecated Renamed to {@link animationFrameScheduler}. Will be removed in v8.\n */\nexport const animationFrame = animationFrameScheduler;\n", "import { Observable } from '../Observable';\nimport { SchedulerLike } from '../types';\n\n/**\n * A simple Observable that emits no items to the Observer and immediately\n * emits a complete notification.\n *\n * Just emits 'complete', and nothing else.\n *\n * ![](empty.png)\n *\n * A simple Observable that only emits the complete notification. It can be used\n * for composing with other Observables, such as in a {@link mergeMap}.\n *\n * ## Examples\n *\n * Log complete notification\n *\n * ```ts\n * import { EMPTY } from 'rxjs';\n *\n * EMPTY.subscribe({\n * next: () => console.log('Next'),\n * complete: () => console.log('Complete!')\n * });\n *\n * // Outputs\n * // Complete!\n * ```\n *\n * Emit the number 7, then complete\n *\n * ```ts\n * import { EMPTY, startWith } from 'rxjs';\n *\n * const result = EMPTY.pipe(startWith(7));\n * result.subscribe(x => console.log(x));\n *\n * // Outputs\n * // 7\n * ```\n *\n * Map and flatten only odd numbers to the sequence `'a'`, `'b'`, `'c'`\n *\n * ```ts\n * import { interval, mergeMap, of, EMPTY } from 'rxjs';\n *\n * const interval$ = interval(1000);\n * const result = interval$.pipe(\n * mergeMap(x => x % 2 === 1 ? 
of('a', 'b', 'c') : EMPTY),\n * );\n * result.subscribe(x => console.log(x));\n *\n * // Results in the following to the console:\n * // x is equal to the count on the interval, e.g. (0, 1, 2, 3, ...)\n * // x will occur every 1000ms\n * // if x % 2 is equal to 1, print a, b, c (each on its own)\n * // if x % 2 is not equal to 1, nothing will be output\n * ```\n *\n * @see {@link Observable}\n * @see {@link NEVER}\n * @see {@link of}\n * @see {@link throwError}\n */\nexport const EMPTY = new Observable((subscriber) => subscriber.complete());\n\n/**\n * @param scheduler A {@link SchedulerLike} to use for scheduling\n * the emission of the complete notification.\n * @deprecated Replaced with the {@link EMPTY} constant or {@link scheduled} (e.g. `scheduled([], scheduler)`). Will be removed in v8.\n */\nexport function empty(scheduler?: SchedulerLike) {\n return scheduler ? emptyScheduled(scheduler) : EMPTY;\n}\n\nfunction emptyScheduled(scheduler: SchedulerLike) {\n return new Observable((subscriber) => scheduler.schedule(() => subscriber.complete()));\n}\n", "import { SchedulerLike } from '../types';\nimport { isFunction } from './isFunction';\n\nexport function isScheduler(value: any): value is SchedulerLike {\n return value && isFunction(value.schedule);\n}\n", "import { SchedulerLike } from '../types';\nimport { isFunction } from './isFunction';\nimport { isScheduler } from './isScheduler';\n\nfunction last(arr: T[]): T | undefined {\n return arr[arr.length - 1];\n}\n\nexport function popResultSelector(args: any[]): ((...args: unknown[]) => unknown) | undefined {\n return isFunction(last(args)) ? args.pop() : undefined;\n}\n\nexport function popScheduler(args: any[]): SchedulerLike | undefined {\n return isScheduler(last(args)) ? args.pop() : undefined;\n}\n\nexport function popNumber(args: any[], defaultValue: number): number {\n return typeof last(args) === 'number' ? args.pop()! 
: defaultValue;\n}\n", "export const isArrayLike = ((x: any): x is ArrayLike => x && typeof x.length === 'number' && typeof x !== 'function');", "import { isFunction } from \"./isFunction\";\n\n/**\n * Tests to see if the object is \"thennable\".\n * @param value the object to test\n */\nexport function isPromise(value: any): value is PromiseLike {\n return isFunction(value?.then);\n}\n", "import { InteropObservable } from '../types';\nimport { observable as Symbol_observable } from '../symbol/observable';\nimport { isFunction } from './isFunction';\n\n/** Identifies an input as being Observable (but not necessary an Rx Observable) */\nexport function isInteropObservable(input: any): input is InteropObservable {\n return isFunction(input[Symbol_observable]);\n}\n", "import { isFunction } from './isFunction';\n\nexport function isAsyncIterable(obj: any): obj is AsyncIterable {\n return Symbol.asyncIterator && isFunction(obj?.[Symbol.asyncIterator]);\n}\n", "/**\n * Creates the TypeError to throw if an invalid object is passed to `from` or `scheduled`.\n * @param input The object that was passed.\n */\nexport function createInvalidObservableTypeError(input: any) {\n // TODO: We should create error codes that can be looked up, so this can be less verbose.\n return new TypeError(\n `You provided ${\n input !== null && typeof input === 'object' ? 'an invalid object' : `'${input}'`\n } where a stream was expected. 
You can provide an Observable, Promise, ReadableStream, Array, AsyncIterable, or Iterable.`\n );\n}\n", "export function getSymbolIterator(): symbol {\n if (typeof Symbol !== 'function' || !Symbol.iterator) {\n return '@@iterator' as any;\n }\n\n return Symbol.iterator;\n}\n\nexport const iterator = getSymbolIterator();\n", "import { iterator as Symbol_iterator } from '../symbol/iterator';\nimport { isFunction } from './isFunction';\n\n/** Identifies an input as being an Iterable */\nexport function isIterable(input: any): input is Iterable {\n return isFunction(input?.[Symbol_iterator]);\n}\n", "import { ReadableStreamLike } from '../types';\nimport { isFunction } from './isFunction';\n\nexport async function* readableStreamLikeToAsyncGenerator(readableStream: ReadableStreamLike): AsyncGenerator {\n const reader = readableStream.getReader();\n try {\n while (true) {\n const { value, done } = await reader.read();\n if (done) {\n return;\n }\n yield value!;\n }\n } finally {\n reader.releaseLock();\n }\n}\n\nexport function isReadableStreamLike(obj: any): obj is ReadableStreamLike {\n // We don't want to use instanceof checks because they would return\n // false for instances from another Realm, like an