Merge branch 'release/3.4.4'

.github/workflows/build.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Build analyzers
@@ -32,7 +32,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Build responders
@@ -49,13 +49,13 @@ jobs:
     if: always()
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Build catalog
         uses: docker://thehiveproject/neurons-build-catalogs
       - name: Build report-templates zip package
         uses: docker://thehiveproject/neurons-build-report-templates
       - name: Save Artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: catalog
           path: |
@@ -80,13 +80,13 @@ jobs:
     needs: [build_analyzers, build_responders ]
     if: startsWith(github.ref, 'refs/tags/') && always()
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Prepare documentation files
         uses: docker://thehiveproject/doc-builder
         with:
           args: --type Cortex-Neurons
       - name: Set up Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v5
         with:
           python-version: "3.x"
           architecture: x64

CHANGELOG.md

@@ -1,17 +1,26 @@
 # Changelog
 
-## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2025-01-16)
+## [3.4.4](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.4) (2025-02-07)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.3...3.4.4)
+
+**Closed issues:**
+
+- \[FR\] - Feedback for the MSEntraID Responder [\#1302](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1302)
+- \[Bug\] Elasticsearch analyzer does not work with index that has no @timestamp field [\#1290](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1290)
+
+## [3.4.3](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.3) (2025-01-16)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.4.2...3.4.3)
 
 **Closed issues:**
 
-- \[FR\] Crowdstrike Falcon: support custom base URL [\#1306](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309)
+- \[FR\] Crowdstrike Falcon: support custom base URL [\#1309](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1309)
 
 **Merged pull requests:**
 
-- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self))
 - utils improvements [\#1311](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1311) ([nusantara-self](https://github.com/nusantara-self))
+- Crowdstrike Falcon - Custom Base URL support [\#1310](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1310) ([nusantara-self](https://github.com/nusantara-self))
 
 ## [3.4.2](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.4.2) (2024-12-26)
 

analyzers/AnyRun/anyrun_analyzer.py

@@ -85,7 +85,7 @@ def run(self):
                     if status_code == 200:
                         task_id = response.json()["data"]["taskid"]
                     elif status_code == 201:
-                        task_id = response.json()["taskid"]
+                        task_id = response.json()["data"]["taskid"]
                     elif status_code == 429:
                         # it not support parallel runs, so we wait and resubmit later
                         time.sleep(60)

analyzers/Cluster25/requirements.txt

@@ -1,2 +1,2 @@
-requests~=2.31.0
-cortexutils~=2.2.0
+requests
+cortexutils

analyzers/DShield/DShield_lookup.py

@@ -83,12 +83,19 @@ def run(self):
                 results['firstseen'] = info['mindate'] if isinstance(info['mindate'], str) else 'None'
                 results['updated'] = info['updated'] if isinstance(info['updated'], str) else 'None'
                 results['comment'] = info['comment'] if isinstance(info['comment'], str) else 'None'
-                results['asabusecontact'] = info['asabusecontact'] if isinstance(info['asabusecontact'], str) else 'Unknown'
-                results['as'] = info['as']
-                results['asname'] = info['asname']
-                results['ascountry'] = info['ascountry']
-                results['assize'] = info['assize']
-                results['network'] = info['network']
+                if 'asabusecontact' in info:                    
+                    results['asabusecontact'] = info['asabusecontact'] if isinstance(info['asabusecontact'], str) else 'Unknown'
+                if 'as' in info:
+                    results['as'] = info['as']
+                if 'asname' in info:
+                    results['asname'] = info['asname']
+                if 'ascountry' in info:
+                    results['ascountry'] = info['ascountry']
+                if 'assize' in info:
+                    results['assize'] = info['assize']
+                if 'network' in info:
+                    results['network'] = info['network']
+
                 results['threatfeedscount'] = 0
                 if 'threatfeeds' not in info:
                     results['threatfeeds'] = ''

analyzers/Elasticsearch/ElasticSearch.json → analyzers/Elasticsearch/Elasticsearch_Analysis.json

@@ -92,4 +92,4 @@
         "required": false
       }
     ]
-  }
+  }

analyzers/Elasticsearch/elk.py

@@ -195,8 +195,24 @@ def run(self):
                     info['querystring'] += '"'
                 #loop to get hits from each index
                 for index in self.index:
+                    body = {
+                        "sort": [
+                            {
+                                "@timestamp": {
+                                    "order": "desc",
+                                    "unmapped_type" : "date"
+                                }
+                            }
+                        ],
+                        "query": {
+                            "multi_match": {
+                                "query": self.data,
+                                "fields": self.fields
+                            }
+                        }
+                    }
                     #search elastic for fields in each index
-                    res = es.search(size=self.size,index=index,body={'sort':[{"@timestamp":{"order":"desc"}}],'query':{'multi_match':{'query':self.data, 'fields':self.fields}}})
+                    res = es.search(size=self.size,index=index,body=body)
                     #if relation is gte then more logs exist than we will display
                     if res['hits']['total']['relation'] == 'gte' or res['hits']['total']['relation'] == 'gt':
                         total = 'gte'

responders/Shuffle/shuffle.json

@@ -5,7 +5,7 @@
   "url": "https://github.com/frikky/shuffle",
   "license": "AGPL-V3",
   "description": "Execute a workflow in Shuffle",
-  "dataTypeList": ["thehive:case", "thehive:alert"],
+  "dataTypeList": ["thehive:case", "thehive:alert", "thehive:case_artifact", "thehive:task", "thehive:case_task_log"],
   "command": "Shuffle/shuffle.py",
   "baseConfig": "Shuffle",
   "configurationItems": [

thehive-templates/Elasticsearch/long.html → thehive-templates/Elasticsearch_Analysis_1_0/long.html

@@ -185,4 +185,4 @@ <h3>{{content.info.hitcount}} Hit(s)</h3>
     <div class="panel-body">
         {{content.errorMessage}}
     </div>
-</div>
+</div>

thehive-templates/Elasticsearch/short.html → thehive-templates/Elasticsearch_Analysis_1_0/short.html

@@ -1,3 +1,3 @@
 <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
     {{t.namespace}}:{{t.predicate}}="{{t.value}}"
-</span>
+</span>