diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md index 19335a5453..a968fdc579 100644 --- a/salt/sensoroni/files/analyzers/README.md +++ b/salt/sensoroni/files/analyzers/README.md @@ -6,19 +6,20 @@ Security Onion provides a means for performing data analysis on varying inputs. The built-in analyzers support the following observable types: -| Name | Domain | Hash | IP | Mail | Other | URI | URL | User Agent | -| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------| -| Alienvault OTX |✓ |✓|✓|✗|✗|✗|✓|✗| -| EmailRep |✗ |✗|✗|✓|✗|✗|✗|✗| -| Greynoise |✗ |✗|✓|✗|✗|✗|✗|✗| -| LocalFile |✓ |✓|✓|✗|✓|✗|✓|✗| -| Malware Hash Registry |✗ |✓|✗|✗|✗|✗|✓|✗| -| Pulsedive |✓ |✓|✓|✗|✗|✓|✓|✓| -| Spamhaus |✗ |✗|✓|✗|✗|✗|✗|✗| -| Urlhaus |✗ |✗|✗|✗|✗|✗|✓|✗| -| Urlscan |✗ |✗|✗|✗|✗|✗|✓|✗| -| Virustotal |✓ |✓|✓|✗|✗|✗|✓|✗| -| WhoisLookup |✓ |✗|✗|✗|✗|✓|✗|✗| +| Name | Domain | EML | Hash | IP | Mail | Other | URI | URL | User Agent | +| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|-------| +| Alienvault OTX |✓ |✗|✓|✓|✗|✗|✗|✓|✗| +| EmailRep |✗ |✗|✗|✗|✓|✗|✗|✗|✗| +| Greynoise |✗ |✗|✗|✓|✗|✗|✗|✗|✗| +| LocalFile |✓ |✗|✓|✓|✗|✓|✗|✓|✗| +| Malware Hash Registry |✗ |✗|✓|✗|✗|✗|✗|✓|✗| +| Pulsedive |✓ |✗|✓|✓|✗|✗|✓|✓|✓| +| Spamhaus |✗ |✗|✗|✓|✗|✗|✗|✗|✗| +| Sublime Platform |✗ |✓|✗|✗|✗|✗|✗|✗|✗| +| Urlhaus |✗ |✗|✗|✗|✗|✗|✗|✓|✗| +| Urlscan |✗ |✗|✗|✗|✗|✗|✗|✓|✗| +| Virustotal |✓ |✗|✓|✓|✗|✗|✗|✓|✗| +| WhoisLookup |✓ |✗|✗|✗|✗|✗|✓|✗|✗| ## Authentication 
@@ -29,10 +30,11 @@ Many analyzers require authentication, via an API key or similar. The table belo [AlienVault OTX](https://otx.alienvault.com/api) |✓| [EmailRep](https://emailrep.io/key) |✓| [GreyNoise](https://www.greynoise.io/plans/community) |✓| -LocalFile |✗| +[LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗| [Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗| [Pulsedive](https://pulsedive.com/api/) |✓| [Spamhaus](https://www.spamhaus.org/dbl/) |✗| +[Sublime Platform](https://sublime.security) |✓| [Urlhaus](https://urlhaus.abuse.ch/) |✗| [Urlscan](https://urlscan.io/docs/api/) |✓| [VirusTotal](https://developers.virustotal.com/reference/overview) |✓| diff --git a/salt/sensoroni/files/analyzers/sublime/README.md b/salt/sensoroni/files/analyzers/sublime/README.md new file mode 100644 index 0000000000..77894a2b1a --- /dev/null +++ b/salt/sensoroni/files/analyzers/sublime/README.md 
@@ -0,0 +1,24 @@ +# Sublime + +## Description +Submit a base64-encoded EML file to Sublime Platform for analysis. + +## Configuration Requirements +In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `sublime_platform`. + +![image](https://github.com/Security-Onion-Solutions/securityonion/assets/16829864/a914f59d-c09f-40b6-ae8b-d644df236b81) + + +The following configuration options are available for: + +``api_key`` - API key used for communication with the Sublime Platform API (Required) + +``base_url`` - URL used for communication with Sublime Platform. If no value is supplied, the default of `https://api.platform.sublimesecurity.com` will be used. + +The following options relate to [Live Flow](https://docs.sublimesecurity.com/reference/analyzerawmessageliveflow-1) analysis only: + +``live_flow`` - Determines if live flow analysis should be used. Defaults to `False`. + +``mailbox_email_address`` - The mailbox address to use for during live flow analysis. (Required for live flow analysis) + +``message_source_id`` - The ID of the message source to use during live flow analysis. (Required for live flow analysis)
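Review bot: in the first hunk (the observable-type table in salt/sensoroni/files/analyzers/README.md), the new `EML` column is never defined, and a reader has no way to tell from this table whether an EML observable is a path, the raw message, or the base64 string that the new sublime/README.md says the analyzer submits; add a one-line note below the table such as `EML: the full raw email message (.eml contents), submitted base64-encoded`. The mechanical part of the hunk checks out: every existing row's marks shift right by exactly one cell at the `EML` position (e.g. `LocalFile |✓ |✓|✓|✗|✓|✗|✓|✗|` becomes `LocalFile |✓ |✗|✓|✓|✗|✓|✗|✓|✗|`), and the separator row gained the extra `-------|` cell, so the table still renders.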
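Review bot: in the Authentication table hunk, the new LocalFile link points at the feature branch (`.../tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile`), which will 404 once the branch is merged and deleted; link to the directory on the default branch, or use a relative link (`localfile`) so it survives renames of the branch. Second, the `[Sublime Platform](https://sublime.security)` entry links the bare product site, whereas every other row with `✓` in the key column links to the page where the API key is obtained or the API is documented (`https://emailrep.io/key`, `https://urlscan.io/docs/api/`, etc.); point it at the Sublime API documentation instead, which the analyzer's own README already cites under docs.sublimesecurity.com.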
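Review bot: in the new sublime/README.md, the line `The following configuration options are available for:` is cut off (the subject after `for` is missing), and `The mailbox address to use for during live flow analysis` has a stray `for`. Beyond the typos, two points a user of this page needs: the Description says the complete base64-encoded EML is submitted to Sublime Platform, so the `base_url` entry should state plainly that full message content (headers, body and attachments) leaves the sensor to the host configured there (default `https://api.platform.sublimesecurity.com`), which matters when that value is changed to a self-hosted or proxy endpoint; and the Live Flow section should say what happens when `live_flow` is enabled but `mailbox_email_address` or `message_source_id` is empty (configuration error, or fallback to the non-live-flow analysis), since `(Required for live flow analysis)` alone leaves that open. Minor style: the file mixes RST-style double backticks (``api_key``) with Markdown single backticks (`https://api.platform.sublimesecurity.com`); pick one for the whole file.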