OrionMalware#
README#

Orion Malware Analyzer for The Hive Cortex#
This analyzer can call an Orion Malware API service on the following datatypes:
- file
- hash
Analysis will return a report with a risk level and qualitative information about the detection.
You can also install the custom analyzer template long.html to have a nicer display of the report.
When a file observable is analyzed, the file is uploaded to the Orion Malware server and analyzed with the default workflow of the user that owns the API key.
When a hash observable is analyzed, Orion Malware returns the report of a previously analyzed file on this Orion Malware server whose hash matches; no file is uploaded.
Extracted Observables#
The Orion Malware analyzer extracts the hostnames, domains and IP addresses reported by Orion Malware and adds them to the extracted observables, ready to be imported and actioned in TheHive.
OrionMalware#
Author: Airbus Defence and Space Cyber
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
- hash
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://cyber.airbus.com/fr/produits/orion-malware
Description#
Use OrionMalware API to analyze a File or find a hash match.
Configuration#
| Name | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| apikey | OrionMalware API key | N/A | string | False | True |
| url | OrionMalware API base URL, e.g. https://my-omw-appliance.com | N/A | string | False | True |
| force | Force re-analysis of the file even if OrionMalware already holds a matching report | False | boolean | False | True |
| safe | TheHive severity level assigned to the Orion Malware 'Safe' risk | safe | string | False | True |
| low | TheHive severity level assigned to the Orion Malware 'Low' risk | info | string | False | True |
| medium | TheHive severity level assigned to the Orion Malware 'Medium' risk | suspicious | string | False | True |
| high | TheHive severity level assigned to the Orion Malware 'High' risk | malicious | string | False | True |
| severe | TheHive severity level assigned to the Orion Malware 'Severe' risk | malicious | string | False | True |
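The five risk-mapping items above are only meaningful if they resolve to one of the four levels a Cortex taxonomy entry may carry (info, safe, suspicious, malicious); a typo such as `medium: critical` would otherwise be passed through to TheHive. The block below is an added example, written for this page and not taken from the OrionMalware analyzer's own code: it applies the documented defaults, rejects an invalid mapping instead of forwarding it, builds the Cortex summary taxonomy entry, and turns the hostnames, domains and IP addresses of a report into Cortex artifacts. The report layout (`risk`, `network.hosts`, `network.ips`), the taxonomy predicate `Risk` and the sample values are assumptions for illustration, not the real Orion Malware API response.

```python
"""Added example, not part of the OrionMalware analyzer: risk-to-level
mapping with validation, Cortex taxonomy entry, and artifact extraction.
The report shape used here is a constructed assumption."""
import ipaddress

# Defaults exactly as documented in the configuration table.
DEFAULT_MAPPING = {
    "safe": "safe",
    "low": "info",
    "medium": "suspicious",
    "high": "malicious",
    "severe": "malicious",
}
# The only levels a Cortex taxonomy entry may carry.
THEHIVE_LEVELS = ("info", "safe", "suspicious", "malicious")


def risk_to_level(risk, config):
    """Translate an Orion Malware risk ('Safe', 'Low', ...) to a TheHive level.

    `config` is the analyzer configuration dict. A missing key falls back to
    the documented default; a misconfigured value (e.g. 'critical') raises
    instead of being forwarded to TheHive.
    """
    key = risk.strip().lower()
    if key not in DEFAULT_MAPPING:
        raise ValueError("unknown Orion Malware risk level: %r" % risk)
    level = str(config.get(key, DEFAULT_MAPPING[key])).strip().lower()
    if level not in THEHIVE_LEVELS:
        raise ValueError("config %r maps to invalid TheHive level %r" % (key, level))
    return level


def build_taxonomy(risk, config, namespace="OrionMalware", predicate="Risk"):
    """Cortex summary entry in the shape TheHive expects (predicate is assumed)."""
    return {
        "level": risk_to_level(risk, config),
        "namespace": namespace,
        "predicate": predicate,
        "value": risk,
    }


def classify_indicator(value):
    """Cortex dataType for a network indicator: 'ip', 'domain' or 'fqdn'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    # Two labels are treated as a registrable domain, more as a hostname.
    return "domain" if value.count(".") == 1 else "fqdn"


def extract_artifacts(report):
    """Build deduplicated Cortex artifacts from the report's indicator lists.

    `report['network']['hosts']` and `['ips']` are an assumed shape.
    """
    network = report.get("network", {})
    seen = set()
    artifacts = []
    for value in list(network.get("hosts", [])) + list(network.get("ips", [])):
        value = value.strip().lower()
        if not value or value in seen:
            continue
        seen.add(value)
        artifacts.append({"dataType": classify_indicator(value), "data": value})
    return artifacts


# Constructed sample report, not real Orion Malware output.
SAMPLE_REPORT = {
    "risk": "Medium",
    "network": {
        "hosts": ["update.example.com", "example.org", "update.example.com"],
        "ips": ["203.0.113.10", "2001:db8::1"],
    },
}

if __name__ == "__main__":
    operator_config = {"medium": "malicious"}  # operator raised the Medium mapping
    print(build_taxonomy(SAMPLE_REPORT["risk"], operator_config))
    print(extract_artifacts(SAMPLE_REPORT))
```

With an empty configuration the sample report yields a `suspicious` taxonomy entry; with the override shown in the usage it becomes `malicious`, and the artifacts come out as one `fqdn`, one `domain` and two `ip` entries with the duplicate hostname removed.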
Template samples for TheHive#
No template samples to display.