
Onyphe#

ONYPHE_ASM#

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
License: AGPL-V3
Version: 1.1
Supported observable types:
- ip
- domain
- fqdn
- hash
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://www.onyphe.io

Description#

Manage an attack surface from TheHive using the ONYPHE riskscan category.

Configuration#

| Item | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| key | API key used to authenticate to the ONYPHE service | N/A | string | False | True |
| time_filter | ONYPHE time filter applied to searches (see https://www.onyphe.io/docs/onyphe-query-language) | `-since:1M` | string | False | False |
| fields_filter | [!!Advanced!!] ONYPHE fields returned in the raw data (see https://www.onyphe.io/docs/onyphe-query-language) | `ip,port,protocol,tag,tls,cpe,cve,hostname,domain,alternativeip,forward,url,organization,transport,organization,device.class,device.product,device.productvendor,device.productversion,product,productvendor,productversion` | string | False | False |
| auto_import | Automatically import the extracted artifacts (risks, CVEs, assets, ...) as observables | True | boolean | False | True |

Templates samples for TheHive#

ONYPHE ASM report sample (IPs obscured), with click-to-expand accordion.

ONYPHE ASM mini report showing the number of risks.

ONYPHE_Summary_API#

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
License: AGPL-V3
Version: 1.2
Supported observable types:
- ip
- domain
- fqdn
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://www.onyphe.io

Description#

Retrieve the summary information ONYPHE holds for a given ip, domain or fqdn.

Configuration#

| Item | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| key | API key used to authenticate to the ONYPHE service | N/A | string | False | True |
| verbose_taxonomies | Set to True for detailed taxonomies covering port, subnet, geoloc and domain | False | boolean | False | True |

Templates samples for TheHive#

Onyphe_Summary long report sample

Onyphe_Summary mini report sample

ONYPHE_Search#

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
License: AGPL-V3
Version: 1.1
Supported observable types:
- ip
- domain
- fqdn
- hash
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://www.onyphe.io

Description#

Retrieve results from the ONYPHE Search API for a given ip, domain, fqdn or hash (sha256 TLS fingerprint) in the specified category.

Configuration#

| Item | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| key | API key used to authenticate to the ONYPHE service | N/A | string | False | True |
| category | ONYPHE category queried through the Search API | `datascan` | string | False | True |
| time_filter | ONYPHE time filter applied to searches (see https://www.onyphe.io/docs/onyphe-query-language) | `-since:1M` | string | False | False |
| auto_import | Automatically import the extracted artifacts (risks, CVEs, assets, ...) as observables | False | boolean | False | True |

Templates samples for TheHive#

ONYPHE Search report sample (IPs obscured)

ONYPHE Search mini report showing the number of open ports.

ONYPHE_Ctiscan#

Author: James Atack
License: AGPL-V3
Version: 1.0
Supported observable types:
- ip
- domain
- fqdn
- hash
- autonomous-system
- other
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://www.onyphe.io

Description#

Query ONYPHE Ctiscan threat-hunting data for open services (takes an ip, domain, fqdn, autonomous-system or hash).

Configuration#

| Item | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| key | API key used to authenticate to the ONYPHE service | N/A | string | False | True |
| time_filter | ONYPHE time filter applied to searches (see https://www.onyphe.io/docs/onyphe-query-language) | `-since:1w` | string | False | False |
| return_other_artifacts | Create one artifact of type 'other' per open service, written as `ip:port` and tagged with the technologies and protocols observed on it | True | boolean | False | True |
| auto_import | Automatically import the extracted artifacts as observables | False | boolean | False | True |
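
The `return_other_artifacts` option describes how one open service becomes one observable. The following is an added example, not the Ctiscan analyzer's own source: it turns ONYPHE-style result records into Cortex artifact dictionaries (one `other` artifact per `ip:port`, tagged with protocol, transport, product and vendor) and merges repeated hits so a service seen several times in the time window yields a single observable. The field names used (`ip`, `port`, `protocol`, `transport`, `hostname`, `domain`, `cve`, `product`, `productvendor`) are those listed in the default `fields_filter` on this page; the records, the tag naming scheme and the use of type `other` for CVE identifiers are assumptions made for this example.

```python
"""Added example, not the Ctiscan analyzer's own source: turn ONYPHE-style
result records into Cortex artifacts the way return_other_artifacts is
described, i.e. one artifact of type 'other' per open service, written as
ip:port and tagged with the protocol and product observed on it.

Field names follow the default fields_filter documented for these analyzers;
the records below are constructed for the example and are not real ONYPHE
data. The tag naming scheme and the use of type 'other' for CVE identifiers
are choices made here, not documented analyzer behaviour."""

# Constructed sample results (not real ONYPHE data).
SAMPLE_RESULTS = [
    {"ip": "192.0.2.10", "port": 443, "protocol": "https", "transport": "tcp",
     "hostname": ["www.example.com"], "domain": ["example.com"],
     "product": "nginx", "productvendor": "F5", "cve": ["CVE-2021-23017"]},
    {"ip": "192.0.2.10", "port": 22, "protocol": "ssh", "transport": "tcp",
     "product": "OpenSSH", "productvendor": "OpenBSD"},
    # Same service seen again in the time window: must not create duplicates.
    {"ip": "192.0.2.10", "port": 443, "protocol": "https", "transport": "tcp",
     "hostname": ["www.example.com"], "product": "nginx"},
]


def _as_list(value):
    """ONYPHE returns some fields as scalars and some as arrays; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def extract_artifacts(results, return_other_artifacts=True):
    """Build a de-duplicated list of Cortex artifacts
    ({"dataType": ..., "data": ..., "tags": [...]}) from result records.

    Artifacts are keyed on (dataType, data) so repeated hits merge their
    tags instead of producing duplicate observables in the case."""
    artifacts = {}  # (dataType, data) -> artifact dict, insertion-ordered

    def add(data_type, data, tags=()):
        key = (data_type, str(data))
        art = artifacts.setdefault(
            key, {"dataType": data_type, "data": str(data), "tags": []})
        for tag in tags:
            if tag not in art["tags"]:
                art["tags"].append(tag)

    for rec in results:
        ip, port = rec.get("ip"), rec.get("port")
        if ip:
            add("ip", ip)
        for host in _as_list(rec.get("hostname")):
            add("fqdn", host)
        for dom in _as_list(rec.get("domain")):
            add("domain", dom)
        for cve in _as_list(rec.get("cve")):
            add("other", cve, ["cve"])          # choice: CVE ids as 'other'
        if return_other_artifacts and ip and port is not None:
            tags = [f"protocol:{p}" for p in _as_list(rec.get("protocol"))]
            tags += [f"transport:{t}" for t in _as_list(rec.get("transport"))]
            tags += [f"product:{p}" for p in _as_list(rec.get("product"))]
            tags += [f"vendor:{v}" for v in _as_list(rec.get("productvendor"))]
            add("other", f"{ip}:{port}", tags)
    return list(artifacts.values())


def open_service_count(results):
    """The figure a mini report would show: distinct ip:port pairs."""
    return len({(r.get("ip"), r.get("port")) for r in results
                if r.get("ip") and r.get("port") is not None})


if __name__ == "__main__":
    for art in extract_artifacts(SAMPLE_RESULTS):
        print(art["dataType"], art["data"], art["tags"])
    print("open services:", open_service_count(SAMPLE_RESULTS))
```

With `return_other_artifacts=False` the `ip:port` artifacts are skipped while the ip, fqdn, domain and CVE artifacts are still produced, which is the distinction the option draws.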

Templates samples for TheHive#

ONYPHE Ctiscan report sample (IPs obscured)

ONYPHE Ctiscan mini report showing imported observables for open services

ONYPHE_Vulnscan#

Author: Pierre Baudry, Adrien Barchapt, Andrea Garavaglia, Davide Arcuri, James Atack
License: AGPL-V3
Version: 1.1
Supported observable types:
- ip
- domain
- fqdn
- hash
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://www.onyphe.io

Description#

Retrieve vulnerability data from the ONYPHE vulnscan category for a given ip, domain, fqdn or hash (sha256 TLS fingerprint).

Configuration#

| Item | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| key | API key used to authenticate to the ONYPHE service | N/A | string | False | True |
| time_filter | ONYPHE time filter applied to searches (see https://www.onyphe.io/docs/onyphe-query-language) | `-since:1M` | string | False | False |
| only_vulnerable | Only return results where a CVE exists (adds `-exists:cve` to the query) | True | boolean | False | True |
| auto_import | Automatically import the extracted artifacts (risks, CVEs, assets, ...) as observables | False | boolean | False | True |
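
The `category`, `time_filter`, `fields_filter` and `only_vulnerable` items documented for the ASM, Search and Vulnscan analyzers above are all fragments of one ONYPHE Query Language string. The following is an added example, not the analyzers' own code, of how such settings can be assembled into a query and, because every configured value is concatenated into it, validated first so that a misconfigured `time_filter` such as `-since:1M ip:10.0.0.1` cannot smuggle an extra clause into the search. The mapping of TheHive observable types to OQL field names (in particular the TLS fingerprint field used for `hash`) and the `-fields:` function syntax are assumptions; check them against the ONYPHE query language documentation linked above.

```python
"""Added example, not the Cortex analyzers' own code: combine configuration
items of the kind documented for the ONYPHE analyzers (category, time_filter,
fields_filter, only_vulnerable) into one ONYPHE Query Language (OQL) string.

Every configured value ends up inside the query, so each one is checked
against the shape of a single OQL token before it is used. The observable
type to OQL field mapping and the -fields: syntax are assumptions."""
import ipaddress
import re

# Assumed mapping from TheHive observable types to OQL field names. The TLS
# fingerprint field used for 'hash' is an assumption made for this example.
OQL_FIELD = {
    "ip": "ip",
    "domain": "domain",
    "fqdn": "hostname",
    "hash": "fingerprint.sha256",   # assumption, verify against ONYPHE docs
}

# One OQL function or filter looks like "-name:value"; a category is a bare
# lowercase word. Anything else (whitespace, extra clauses) is rejected.
_TIME_FILTER_RE = re.compile(r"^-[a-z]+:[A-Za-z0-9]+$")
_CATEGORY_RE = re.compile(r"^[a-z]+$")
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label
_FIELD_RE = re.compile(r"^[a-z.]+$")                        # e.g. device.class


def validate_time_filter(time_filter):
    """Accept exactly one OQL time function such as '-since:1M' or '-since:1w'."""
    if not _TIME_FILTER_RE.match(time_filter):
        raise ValueError(f"unsupported time filter: {time_filter!r}")
    return time_filter


def validate_category(category):
    if not _CATEGORY_RE.match(category):
        raise ValueError(f"invalid category: {category!r}")
    return category


def validate_observable(obs_type, data):
    """Check the observable value matches its declared type before it is
    placed in the query (a stray space would start a second OQL clause)."""
    if obs_type == "ip":
        return str(ipaddress.ip_address(data))          # raises ValueError on junk
    if obs_type in ("domain", "fqdn"):
        name = data.rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL_RE.match(lab) for lab in labels):
            raise ValueError(f"invalid {obs_type}: {data!r}")
        return name.lower()
    if obs_type == "hash":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", data):  # sha256 TLS fingerprint
            raise ValueError("hash must be a sha256 hex digest")
        return data.lower()
    raise ValueError(f"unsupported observable type: {obs_type!r}")


def build_query(category, obs_type, data, time_filter="-since:1M",
                only_vulnerable=False, fields_filter=None):
    """Assemble the OQL string an analyzer would send to the search API.

    only_vulnerable appends -exists:cve (the Vulnscan option); fields_filter,
    when given, is emitted as a -fields: function (assumed syntax) with
    duplicate field names removed."""
    value = validate_observable(obs_type, data)
    parts = [
        f"category:{validate_category(category)}",
        f"{OQL_FIELD[obs_type]}:{value}",
        validate_time_filter(time_filter),
    ]
    if only_vulnerable:
        parts.append("-exists:cve")
    if fields_filter:
        fields = [f for f in fields_filter.split(",") if f]
        if not all(_FIELD_RE.match(f) for f in fields):
            raise ValueError("fields_filter may only contain field names")
        parts.append("-fields:" + ",".join(dict.fromkeys(fields)))
    return " ".join(parts)


if __name__ == "__main__":
    print(build_query("datascan", "ip", "192.0.2.10"))
    print(build_query("vulnscan", "fqdn", "www.example.com", only_vulnerable=True))
```

The validators are deliberately narrower than OQL itself: they accept the documented defaults (`-since:1M`, `-since:1w`, `datascan`, `vulnscan`) and reject anything containing whitespace, so a typo or an over-clever filter in the analyzer configuration fails loudly at query time rather than silently widening the search.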

Templates samples for TheHive#

ONYPHE Vulnscan report sample (IPs obscured)

ONYPHE Vulnscan mini report showing the number of CVEs.