From e6a2e49d37eb9b4ac7feb921e3a582b586f8c162 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 6 Dec 2023 12:57:59 -0500 Subject: [PATCH 1/3] Add Sublime Platform --- salt/sensoroni/files/analyzers/README.md | 28 +++++++++++++----------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md index 19335a5453..2af8cf2408 100644 --- a/salt/sensoroni/files/analyzers/README.md +++ b/salt/sensoroni/files/analyzers/README.md @@ -6,19 +6,20 @@ Security Onion provides a means for performing data analysis on varying inputs. The built-in analyzers support the following observable types: -| Name | Domain | Hash | IP | Mail | Other | URI | URL | User Agent | -| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------| -| Alienvault OTX |✓ |✓|✓|✗|✗|✗|✓|✗| -| EmailRep |✗ |✗|✗|✓|✗|✗|✗|✗| -| Greynoise |✗ |✗|✓|✗|✗|✗|✗|✗| -| LocalFile |✓ |✓|✓|✗|✓|✗|✓|✗| -| Malware Hash Registry |✗ |✓|✗|✗|✗|✗|✓|✗| -| Pulsedive |✓ |✓|✓|✗|✗|✓|✓|✓| -| Spamhaus |✗ |✗|✓|✗|✗|✗|✗|✗| -| Urlhaus |✗ |✗|✗|✗|✗|✗|✓|✗| -| Urlscan |✗ |✗|✗|✗|✗|✗|✓|✗| -| Virustotal |✓ |✓|✓|✗|✗|✗|✓|✗| -| WhoisLookup |✓ |✗|✗|✗|✗|✓|✗|✗| +| Name | Domain | EML | Hash | IP | Mail | Other | URI | URL | User Agent | +| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|-------| +| Alienvault OTX |✓ |✗|✓|✓|✗|✗|✗|✓|✗| +| EmailRep |✗ |✗|✗|✗|✓|✗|✗|✗|✗| +| Greynoise |✗ |✗|✗|✓|✗|✗|✗|✗|✗| +| LocalFile |✓ |✗|✓|✓|✗|✓|✗|✓|✗| +| Malware Hash Registry |✗ |✗|✓|✗|✗|✗|✗|✓|✗| +| Pulsedive |✓ |✗|✓|✓|✗|✗|✓|✓|✓| +| Spamhaus |✗ |✗|✗|✓|✗|✗|✗|✗|✗| +| Sublime Platform |✗ |✓|✗|✗|✗|✗|✗|✗|✗| +| Urlhaus |✗ |✗|✗|✗|✗|✗|✗|✓|✗| +| Urlscan |✗ |✗|✗|✗|✗|✗|✗|✓|✗| +| Virustotal |✓ |✗|✓|✓|✗|✗|✗|✓|✗| +| WhoisLookup |✓ |✗|✗|✗|✗|✗|✓|✗|✗| ## Authentication 
@@ -33,6 +34,7 @@ LocalFile |✗| [Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗| [Pulsedive](https://pulsedive.com/api/) |✓| [Spamhaus](https://www.spamhaus.org/dbl/) |✗| +[Sublime Platform](https://sublime.security) |✓| [Urlhaus](https://urlhaus.abuse.ch/) |✗| [Urlscan](https://urlscan.io/docs/api/) |✓| [VirusTotal](https://developers.virustotal.com/reference/overview) |✓| From ade3a46a9a9a0ce9a869b3c19fffe03e4c522c82 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 6 Dec 2023 12:58:44 -0500 Subject: [PATCH 2/3] Add LocalFile link --- salt/sensoroni/files/analyzers/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md index 2af8cf2408..a968fdc579 100644 --- a/salt/sensoroni/files/analyzers/README.md +++ b/salt/sensoroni/files/analyzers/README.md @@ -30,7 +30,7 @@ Many analyzers require authentication, via an API key or similar. The table belo [AlienVault OTX](https://otx.alienvault.com/api) |✓| [EmailRep](https://emailrep.io/key) |✓| [GreyNoise](https://www.greynoise.io/plans/community) |✓| -LocalFile |✗| +[LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗| [Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗| [Pulsedive](https://pulsedive.com/api/) |✓| [Spamhaus](https://www.spamhaus.org/dbl/) |✗| From 7f21bee0d443640ea74db38718336a305ae5962b Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 6 Dec 2023 13:14:17 -0500 Subject: [PATCH 3/3] Add README --- .../files/analyzers/sublime/README.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 salt/sensoroni/files/analyzers/sublime/README.md diff --git a/salt/sensoroni/files/analyzers/sublime/README.md b/salt/sensoroni/files/analyzers/sublime/README.md new file mode 100644 index 0000000000..77894a2b1a --- /dev/null 
+++ b/salt/sensoroni/files/analyzers/sublime/README.md @@ -0,0 +1,24 @@ +# Sublime + +## Description +Submit a base64-encoded EML file to Sublime Platform for analysis. + +## Configuration Requirements +In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `sublime_platform`. + +![image](https://github.com/Security-Onion-Solutions/securityonion/assets/16829864/a914f59d-c09f-40b6-ae8b-d644df236b81) + + +The following configuration options are available for: + +``api_key`` - API key used for communication with the Sublime Platform API (Required) + +``base_url`` - URL used for communication with Sublime Platform. If no value is supplied, the default of `https://api.platform.sublimesecurity.com` will be used. + +The following options relate to [Live Flow](https://docs.sublimesecurity.com/reference/analyzerawmessageliveflow-1) analysis only: + +``live_flow`` - Determines if live flow analysis should be used. Defaults to `False`. + +``mailbox_email_address`` - The mailbox address to use for during live flow analysis. (Required for live flow analysis) + +``message_source_id`` - The ID of the message source to use during live flow analysis. (Required for live flow analysis)
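Review bot: in the observable-type table hunk of PATCH 1/3 (`@@ -6,19 +6,20 @@`), the new `EML` column is added without saying what form an EML observable takes, while the Sublime README in PATCH 3/3 states the input is a base64-encoded EML file; since the table already has a separate `Mail` column (used by EmailRep for addresses), a reader can easily confuse the two. Suggest a one-line note under the table, or in the column header, stating that `EML` observables are full message files submitted base64-encoded, so the expected input format is visible before the reader reaches the per-analyzer README.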
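Review bot: in the authentication table hunk of PATCH 1/3 (`@@ -33,6 +34,7 @@`), the new row `[Sublime Platform](https://sublime.security) |✓|` links to the vendor's front page, whereas the neighbouring entries point at the page where a key is obtained or the API is documented (for example `https://emailrep.io/key`, `https://pulsedive.com/api/`, `https://urlscan.io/docs/api/`). Since the analyzer is marked as requiring authentication, suggest linking to the Sublime API or API-key documentation instead (PATCH 3/3 already references `https://docs.sublimesecurity.com/...`), so the row answers the question the table exists for.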
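Review bot: in the PATCH 2/3 hunk (`@@ -30,7 +30,7 @@`), the new LocalFile link `https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile` is pinned to the feature branch `fix/sublime_analyzer_documentation`; once that branch is merged and deleted the link will 404 from the published README. Suggest a path relative to this README (the `localfile` directory sits beside it, so `localfile/` or `./localfile/README.md` would resolve on any branch) or, if an absolute URL is wanted, one that targets the default branch.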
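Review bot: in the new `sublime/README.md` hunk of PATCH 3/3, the sentence `The following configuration options are available for:` is cut off (it has no object; presumably `for the Sublime Platform analyzer:` or similar), and `The mailbox address to use for during live flow analysis.` has a stray `for`. Two smaller consistency points in the same hunk: the heading reads `# Sublime` while the tables in PATCH 1/3 and the settings path `sensoroni` -> `analyzers` -> `sublime_platform` call it "Sublime Platform", so the heading should match; and it would help operators to state that `mailbox_email_address` and `message_source_id` are only consulted when `live_flow` is enabled, since they are listed as required but the default `live_flow` is `False`.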