Merge pull request #11955 from Security-Onion-Solutions/fix/sublime_analyzer_documentation

Sublime Analyzer Documentation
weslambert authored Dec 6, 2023
2 parents 1438913 + 7f21bee commit fea5a30
Showing 2 changed files with 40 additions and 14 deletions.
30 changes: 16 additions & 14 deletions salt/sensoroni/files/analyzers/README.md
Expand Up @@ -6,19 +6,20 @@ Security Onion provides a means for performing data analysis on varying inputs.

The built-in analyzers support the following observable types:

| Name | Domain | Hash | IP | Mail | Other | URI | URL | User Agent |
| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|
| Alienvault OTX |✓ |✓|✓|✗|✗|✗|✓|✗|
| EmailRep |✗ |✗|✗|✓|✗|✗|✗|✗|
| Greynoise |✗ |✗|✓|✗|✗|✗|✗|✗|
| LocalFile |✓ |✓|✓|✗|✓|✗|✓|✗|
| Malware Hash Registry |✗ |✓|✗|✗|✗|✗|✓|✗|
| Pulsedive |✓ |✓|✓|✗|✗|✓|✓|✓|
| Spamhaus |✗ |✗|✓|✗|✗|✗|✗|✗|
| Urlhaus |✗ |✗|✗|✗|✗|✗|✓|✗|
| Urlscan |✗ |✗|✗|✗|✗|✗|✓|✗|
| Virustotal |✓ |✓|✓|✗|✗|✗|✓|✗|
| WhoisLookup |✓ |✗|✗|✗|✗|✓|✗|✗|
| Name | Domain | EML | Hash | IP | Mail | Other | URI | URL | User Agent |
| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|-------|
| Alienvault OTX |✓ |✗|✓|✓|✗|✗|✗|✓|✗|
| EmailRep |✗ |✗|✗|✗|✓|✗|✗|✗|✗|
| Greynoise |✗ |✗|✗|✓|✗|✗|✗|✗|✗|
| LocalFile |✓ |✗|✓|✓|✗|✓|✗|✓|✗|
| Malware Hash Registry |✗ |✗|✓|✗|✗|✗|✗|✓|✗|
| Pulsedive |✓ |✗|✓|✓|✗|✗|✓|✓|✓|
| Spamhaus |✗ |✗|✗|✓|✗|✗|✗|✗|✗|
| Sublime Platform |✗ |✓|✗|✗|✗|✗|✗|✗|✗|
| Urlhaus |✗ |✗|✗|✗|✗|✗|✗|✓|✗|
| Urlscan |✗ |✗|✗|✗|✗|✗|✗|✓|✗|
| Virustotal |✓ |✗|✓|✓|✗|✗|✗|✓|✗|
| WhoisLookup |✓ |✗|✗|✗|✗|✗|✓|✗|✗|

## Authentication

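Review bot: the new `Sublime Platform` row marks EML as its only supported observable type, but nothing in this table or the text around it says what an EML observable is expected to contain; the analyzer's own README added in this commit says it submits a base64-encoded EML file. Add a one-line note under the table, for example `EML observables must be supplied base64-encoded`, so an analyst does not paste raw RFC 822 text and get a failed analysis with no hint why.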
Expand All @@ -29,10 +30,11 @@ Many analyzers require authentication, via an API key or similar. The table belo
[AlienVault OTX](https://otx.alienvault.com/api) |✓|
[EmailRep](https://emailrep.io/key) |✓|
[GreyNoise](https://www.greynoise.io/plans/community) |✓|
LocalFile |✗|
[LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗|
[Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗|
[Pulsedive](https://pulsedive.com/api/) |✓|
[Spamhaus](https://www.spamhaus.org/dbl/) |✗|
[Sublime Platform](https://sublime.security) |✓|
[Urlhaus](https://urlhaus.abuse.ch/) |✗|
[Urlscan](https://urlscan.io/docs/api/) |✓|
[VirusTotal](https://developers.virustotal.com/reference/overview) |✓|
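Review bot: the LocalFile link on this hunk's fifth line points at the feature branch (`tree/fix/sublime_analyzer_documentation/...`), which will 404 once the branch is deleted after this merge; link to the default branch or use a repository-relative path such as `localfile/README.md` instead. Also, every other authenticated row links to the provider's API-key or plan page, while the `Sublime Platform` row links to the marketing root `https://sublime.security`; a link to the page where the API key is actually obtained would match the table's convention.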
24 changes: 24 additions & 0 deletions salt/sensoroni/files/analyzers/sublime/README.md
@@ -0,0 +1,24 @@
# Sublime

## Description
Submit a base64-encoded EML file to Sublime Platform for analysis.

## Configuration Requirements
In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `sublime_platform`.

![image](https://github.com/Security-Onion-Solutions/securityonion/assets/16829864/a914f59d-c09f-40b6-ae8b-d644df236b81)


The following configuration options are available for:

``api_key`` - API key used for communication with the Sublime Platform API (Required)

``base_url`` - URL used for communication with Sublime Platform. If no value is supplied, the default of `https://api.platform.sublimesecurity.com` will be used.

The following options relate to [Live Flow](https://docs.sublimesecurity.com/reference/analyzerawmessageliveflow-1) analysis only:

``live_flow`` - Determines if live flow analysis should be used. Defaults to `False`.

``mailbox_email_address`` - The mailbox address to use for during live flow analysis. (Required for live flow analysis)

``message_source_id`` - The ID of the message source to use during live flow analysis. (Required for live flow analysis)

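Review bot: `The following configuration options are available for:` ends on a dangling `for:`; finish the sentence (`available for this analyzer:`) or drop the preposition. In the `mailbox_email_address` line, `to use for during live flow analysis` should read `to use during live flow analysis`. Beyond wording, the Live Flow options are documented as required only when `live_flow` is enabled, but the README does not say what the analyzer does if `live_flow` is `True` and `mailbox_email_address` or `message_source_id` is left empty; state whether the job fails with a configuration error or falls back to the non-live-flow submission path, since that is what an operator will have to interpret in SOC.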