Merge branch 'release/3.6.1'

nusantara-self · nusantara-self · commit 1e20808cbe6c · 2025-10-07T10:11:31.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog
 
+## [3.6.0](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.6.0) (2025-10-06)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.26...3.6.0)
+
+**Merged pull requests:**
+
+- Update requirements.txt [\#1385](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1385) ([vpiserchia](https://github.com/vpiserchia))
+- Add Slack responder to sync created channels into task [\#1384](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1384) ([nusantara-self](https://github.com/nusantara-self))
+- CI - Add trivy scans & manual full rebuild [\#1383](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1383) ([nusantara-self](https://github.com/nusantara-self))
+- Update Velociraptor Responder [\#986](https://github.com/TheHive-Project/Cortex-Analyzers/pull/986) ([weslambert](https://github.com/weslambert))
+
 ## [3.5.26](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.26) (2025-09-09)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.25...3.5.26)
@@ -9,6 +20,8 @@
 - Analyzer Capa - Fixes [\#1382](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1382) ([nusantara-self](https://github.com/nusantara-self))
 - Proofpoint - Fix a typo in folder and neurons name [\#1381](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1381) ([nusantara-self](https://github.com/nusantara-self))
 - CI - Build Improvements [\#1380](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1380) ([nusantara-self](https://github.com/nusantara-self))
+- Add CIRCL AIL Onion-Lookup Analyzer [\#1379](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1379) ([nusantara-self](https://github.com/nusantara-self))
+- Neurons description improvements [\#1378](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1378) ([nusantara-self](https://github.com/nusantara-self))
 
 ## [3.5.25](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.25) (2025-08-25)
 
diff --git a/responders/Slack/README.md b/responders/Slack/README.md
@@ -18,14 +18,18 @@ This directory contains two Slack responders for TheHive integration:
 - Invites default participants by email
 - Sets channel visibility (private or public)
 - Posts case summary and/or case description (optional)
+- **Automatically tags the case** with `slack:<channel_name>` for easy tracking
 
-### Slack_SyncChannel  
-- Retrieves all conversation history from channels with format `#case-CASEID`
+### Slack_SyncChannel
+- **Syncs all Slack channels tagged with `slack:` prefix** on the case
+- Retrieves all conversation history from tagged channels
+- **Fallback**: If no tags found, uses default format `#case-CASEID`
 - Creates TheHive tasks in "Communication" category with individual task logs for each message
 - Downloads and attaches file attachments (images, documents) to task logs
 - Chronologically ordered messages with timestamps and usernames
 - Prevents duplicate syncing by tracking message timestamps
 - Converts Slack user IDs to readable usernames for better readability
+- **Multi-channel support**: Syncs multiple channels if multiple `slack:` tags exist
 
 ## Preview
 
@@ -85,5 +89,26 @@ This directory contains two Slack responders for TheHive integration:
 
 ## 2. Enable and configure the Responders
 
-Log into your Cortex instance, go to Organization > Responders and enable the desired JIRA responders with the appropriate configuration & API keys.
+Log into your Cortex instance, go to Organization > Responders and enable the desired Slack responders with the appropriate configuration & API keys.
 
+---
+
+## Privacy & Security Considerations
+
+### Channel Tagging
+When `Slack_CreateChannel` runs, it automatically adds a `slack:<channel_name>` tag to the case. This tag:
+- Makes it easy to identify which Slack channel(s) are associated with a case
+- Enables `Slack_SyncChannel` to reliably find channels without reconstructing names
+- Can be manually added to sync additional channels (see warning below)
+
+### Multi-Channel Syncing
+`Slack_SyncChannel` will sync **all** channels that have `slack:` tags on the case:
+- Each channel creates its own separate task in TheHive
+- Partial failures are handled gracefully (some channels may sync, others may fail)
+- Failed channels are reported in the responder output
+
+### Access Control Warning ⚠️
+- The bot can only read channels it has been **invited to**
+- Syncing brings Slack conversations into TheHive: ensure case permissions align with channel access
+- Private Slack channels synced to non-private TheHive cases may expose sensitive information
+- Consider your organization's data governance policies before syncing channels
diff --git a/responders/Slack/slack.py b/responders/Slack/slack.py
@@ -69,6 +69,7 @@ def run(self):
                 .lower()
             )
             channel_name = channel_name[:80]
+            self.channel_name = channel_name
 
             headers = {
                 "Authorization": f"Bearer {self.slack_token}",
@@ -192,49 +193,72 @@ def format_tlp(level):
             case_id = self.get_param("data.caseId")
             case_unique_id = self.get_param("data.id")
 
-            # Channel name format: case-CASEID
-            channel_name = (
-                f"{self.channel_prefix}{case_id}".replace(" ", "-")
-                .replace(".", "")
-                .replace(",", "")
-                .lower()
-            )
-            channel_name = channel_name[:80]
+            # Collect all channel names from tags
+            channel_names = []
+            case_tags = self.get_param("data.tags", [])
+            for tag in case_tags:
+                if tag.startswith("slack:"):
+                    channel_names.append(tag[6:])  # Remove "slack:" prefix
+
+            # Fallback to reconstructing channel name if no tags found
+            if not channel_names:
+                channel_name = (
+                    f"{self.channel_prefix}{case_id}".replace(" ", "-")
+                    .replace(".", "")
+                    .replace(",", "")
+                    .lower()
+                )
+                channel_name = channel_name[:80]
+                channel_names.append(channel_name)
 
             headers = {
                 "Authorization": f"Bearer {self.slack_token}",
                 "Content-Type": "application/json",
             }
 
-            # Find the channel
-            channel_id = self.find_existing_channel(channel_name, headers)
-            if not channel_id:
-                self.error(
-                    f"Channel '{channel_name}' not found. Create the channel first."
-                )
+            # Sync all channels
+            synced_channels = []
+            errors = []
 
-            # Get channel conversation history
-            conversation_data = self.get_channel_conversations(channel_id, headers)
+            for channel_name in channel_names:
+                try:
+                    # Find the channel
+                    channel_id = self.find_existing_channel(channel_name, headers)
+                    if not channel_id:
+                        errors.append(f"Channel '{channel_name}' not found")
+                        continue
+
+                    # Get channel conversation history
+                    conversation_data = self.get_channel_conversations(channel_id, headers)
+
+                    # Create or update TheHive task with conversation data
+                    task_id, action = self.create_or_update_thehive_task(
+                        case_unique_id, channel_name, conversation_data
+                    )
 
-            # Create or update TheHive task with conversation data
-            task_id, action = self.create_or_update_thehive_task(
-                case_unique_id, channel_name, conversation_data
-            )
+                    synced_channels.append({
+                        "channel_name": channel_name,
+                        "channel_id": channel_id,
+                        "task_id": task_id,
+                        "action": action
+                    })
+
+                except Exception as e:
+                    errors.append(f"Error syncing '{channel_name}': {str(e)}")
+
+            # Build report
+            if not synced_channels and errors:
+                self.error(f"Failed to sync channels: {', '.join(errors)}")
 
-            # Include debug info in the main report
             report_data = {
-                "channel_name": channel_name,
-                "channel_id": channel_id,
-                "task_id": task_id,
-                "action": action,
-                "message": f"Slack channel `{channel_name}` conversation {action} in TheHive task {task_id}.",
+                "synced_channels": synced_channels,
+                "total_synced": len(synced_channels),
+                "message": f"Synced {len(synced_channels)} channel(s)"
             }
-            
-            # Add debug info if we have it
-            if hasattr(self, '_last_debug_info'):
-                report_data["debug_info"] = self._last_debug_info
-                delattr(self, '_last_debug_info')
-            
+
+            if errors:
+                report_data["errors"] = errors
+
             self.report(report_data)
 
     def get_channel_conversations(self, channel_id, headers):
@@ -705,6 +729,17 @@ def create_or_update_thehive_task(self, case_id, channel_name, conversations):
 
             except Exception as e:
                 self.error(f"Failed to create task: {str(e)}")
+                
+    def operations(self, raw):
+        artifacts = []
+        # AddTagToArtifact ({ "type": "AddTagToArtifact", "tag": "tag to add" }): add a tag to the artifact related to the object
+        # AddTagToCase ({ "type": "AddTagToCase", "tag": "tag to add" }): add a tag to the case related to the object
+        # MarkAlertAsRead: mark the alert related to the object as read
+        # AddCustomFields ({"name": "key", "value": "value", "tpe": "type"): add a custom field to the case related to the object
+        if self.service == "createchannel":
+            if hasattr(self, 'channel_name'):
+                artifacts.append(self.build_operation("AddTagToCase", tag=f"slack:{self.channel_name}"))
+        return artifacts
 
 
 if __name__ == "__main__":
diff --git a/responders/Velociraptor/README.md b/responders/Velociraptor/README.md
@@ -2,11 +2,21 @@
 This responder can be used to run a flow for a Velociraptor artifact.  This could include gathering data, or performing initial response, as the artifact (or artifact "pack") could encompass any number of actions.  The responder can be run on an observable type of `ip`, `fqdn`, or `other`, and will look for a matching client via the Velociraptor server.  If a client match is found for the last seen IP, or the hostname, the responder will kick off the flow, the results will be returned, and the client ID will be added as a tag to the case and the observable.
 
 #### Requirements
-The following options are required in the Velociraptor Responder configuration:   
-
-- `velociraptor_client_config`: The path to the Velociraptor API client config.  
-(See the following for generating an API client config: https://www.velocidex.com/docs/user-interface/api/, and ensure the appropriate ACLs are granted to the API user).  
-- `velociraptor_artifact`: The name artifact you which to collect (as you would see it in the Velociraptor GUI).
-- `upload_flow_results`: Upload flow results to TheHive case (bool).
-- `thehive_url`: URL of your TheHive installation (e.g. 'http://127.0.0.1:9000').
-- `thehive_apikey`: TheHive API key used to add flow results/file(s) to a case.
+The following options are required in the Velociraptor Responder configuration:
+
+**API Client Configuration** (choose one):
+- `velociraptor_client_config`: The path to the Velociraptor API client config file.
+- `velociraptor_client_config_content_base64`: Base64-encoded API client config (recommended for SaaS/containerized deployments).
+
+To generate an API client config, see: https://www.velocidex.com/docs/user-interface/api/
+Ensure the appropriate ACLs are granted to the API user.
+
+For SaaS deployments, encode your API client config:
+```bash
+cat api_client.yaml | base64
+```
+Then paste the output into the `velociraptor_client_config_content_base64` parameter.
+
+**Other Parameters**:
+- `velociraptor_artifact`: The name of the artifact you wish to collect (as you would see it in the Velociraptor GUI). **Required**.
+- `query_max_duration`: Max query duration in seconds (default: 600). **Optional**.
diff --git a/responders/Velociraptor/requirements.txt b/responders/Velociraptor/requirements.txt
@@ -1,5 +1,4 @@
 cortexutils
 cryptography
 grpcio-tools
-pyvelociraptor
-thehive4py~=1.8.1
+pyvelociraptor
diff --git a/responders/Velociraptor/velociraptor_flow.json b/responders/Velociraptor/velociraptor_flow.json
@@ -14,8 +14,14 @@
       "description": "Path to API client config file",
       "type": "string",
       "multi": false,
-      "required": true,
-      "defaultValue": ""
+      "required": false
+    },
+    {
+      "name": "velociraptor_client_config_content_base64",
+      "description": "Base64-encoded API client config file (YAML format). Recommended for SaaS/containerized deployments to preserve multiline YAML structure. Generate with: cat api_client.yaml | base64",
+      "type": "string",
+      "multi": false,
+      "required": false
     },
     {
       "name": "velociraptor_artifact",
diff --git a/responders/Velociraptor/velociraptor_flow.py b/responders/Velociraptor/velociraptor_flow.py
@@ -6,8 +6,7 @@
 import os
 import time
 import yaml
-from thehive4py.api import TheHiveApi
-from thehive4py.models import Case, CaseObservable
+import base64
 import pyvelociraptor
 from pyvelociraptor import api_pb2
 from pyvelociraptor import api_pb2_grpc
@@ -16,8 +15,24 @@
 class Velociraptor(Responder):
   def __init__(self):
     Responder.__init__(self)
-    self.configpath = self.get_param('config.velociraptor_client_config', None, "File path missing!")
-    self.config = yaml.load(open(self.configpath).read(), Loader=yaml.FullLoader)
+    self.configpath = self.get_param('config.velociraptor_client_config', None)
+    self.config_content_base64 = self.get_param('config.velociraptor_client_config_content_base64', None)
+
+    # Validate that at least one config parameter is provided
+    if not self.configpath and not self.config_content_base64:
+      self.error("Either velociraptor_client_config, or velociraptor_client_config_content_base64 must be provided!")
+
+    # Load config from content or file
+    if self.config_content_base64:
+      # Decode base64 content (preserves newlines)
+      try:
+        decoded_content = base64.b64decode(self.config_content_base64).decode('utf-8')
+        self.config = yaml.load(decoded_content, Loader=yaml.FullLoader)
+      except Exception as e:
+        self.error(f"Failed to decode base64 config: {str(e)}")
+    else:
+      self.config = yaml.load(open(self.configpath).read(), Loader=yaml.FullLoader)
+
     self.artifact = self.get_param('config.velociraptor_artifact', None, 'Artifact missing!')
     self.artifact_args = self.get_param('config.velociraptor_artifact_args', None)
     self.observable_type = self.get_param('data.dataType', None, "Data type is empty")
