Observable Extractor improvement by jeffrey-e · Pull Request #1 · TheHive-Project/cortexutils

jeffrey-e · 2019-02-19T18:19:38Z

This PR contains support for full text regex parsing in order to find basic observables throughout multiline text bodies.

Current support:

ip
mail (sub matches: domain)
url (sub matches: domain, fqdn, uri_path)

This PR is related to: TheHive-Project/Cortex-Analyzers#399

kx499-zz · 2019-02-25T02:59:00Z

This is awesome! I was actually looking to do the same thing for a spam email workflow. My take on it is that you don't want to always so a full text regex on all fields. I was thinking if you could make it an option on check_iterable and check_string. Something like an addotional param on those functions like ft=False. So it doesn't break existing stuff and you call it either on the entire analyzer output or just a field like body or something. Just my thoughts

nadouani · 2019-04-02T08:25:39Z

@gekkeharry13 Sorry for the delay, this will be merged into the new cortexutils 2.0.0 version that was under construction for Cortex 3.0.0 release.

iwitz · 2019-10-03T15:14:53Z

There is an error at line 179 :
self.regexpack = self.ftregex + self.asregex
should be
self.regexpack = self.ftregex
Since self.asregex is not defined.

jeffrey-e · 2020-01-20T16:18:04Z

Patched the error @iwitz and @nadouani

cortexutils/extractor.py

nadouani · 2020-01-21T10:31:24Z

This PR is a bit outdated, and needs to resolve conflicts.

Jeffrey Everling added 2 commits February 19, 2019 13:18

Adding full text regex support

2c96d71

Fixed some issues

b7202f6

jeffrey-e mentioned this pull request Feb 19, 2019

Added enhanced support for "Auto extraction" with observables for the emlparser analyzer TheHive-Project/Cortex-Analyzers#399

Closed

nadouani added this to the 2.0.0 milestone Apr 2, 2019

nadouani changed the base branch from master to develop April 4, 2019 08:38

nadouani removed this from the 2.0.0 milestone Apr 4, 2019

nadouani self-requested a review April 4, 2019 10:30

kx499-zz mentioned this pull request Jun 25, 2019

Observable parsing/extraction updates #4

Open

Removed "+ self.asregex" as mentioned

0e40bc8

nadouani reviewed Jan 21, 2020

View reviewed changes

cortexutils/extractor.py Show resolved Hide resolved

cortexutils/extractor.py Show resolved Hide resolved

cortexutils/extractor.py Show resolved Hide resolved

cortexutils/extractor.py Outdated Show resolved Hide resolved

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Observable Extractor improvement#1

Observable Extractor improvement#1
jeffrey-e wants to merge 3 commits intoTheHive-Project:developfrom
jeffrey-e:extractor-improvement

jeffrey-e commented Feb 19, 2019

Uh oh!

kx499-zz commented Feb 25, 2019

Uh oh!

nadouani commented Apr 2, 2019

Uh oh!

iwitz commented Oct 3, 2019

Uh oh!

jeffrey-e commented Jan 20, 2020

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nadouani commented Jan 21, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

jeffrey-e commented Feb 19, 2019

Uh oh!

kx499-zz commented Feb 25, 2019

Uh oh!

nadouani commented Apr 2, 2019

Uh oh!

iwitz commented Oct 3, 2019

Uh oh!

jeffrey-e commented Jan 20, 2020

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nadouani commented Jan 21, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants