fixes analyzer mappings

api_app/analyzers_manager/migrations/0124_data_mapping.py

@@ -22,10 +22,10 @@ def migrate_maxmind(apps, schema_editor):
     if not ac:
         return
     ac.mapping_data_model = {
-        "country_code": "country.iso_code",
-        "registered_country_code": "registered_country_code.iso_code",
-        "asn": "autonomous_system_number",
-        "isp": "autonomous_system_organization",
+        "country.iso_code": "country_code",
+        "registered_country_code.iso_code": "registered_country_code",
+        "autonomous_system_number": "asn",
+        "autonomous_system_organization": "isp",
     }
     ac.save()
 
@@ -36,11 +36,11 @@ def migrate_abuse_ipdb(apps, schema_editor):
     if not ac:
         return
     ac.mapping_data_model = {
-        "country_code": "data.countryCode",
-        "external_references": "permalink",
-        "resolutions": "data.hostnames",
-        "isp": "data.isp",
-        "tags": "categories_found",
+        "data.countryCode": "country_code",
+        "permalink": "external_references",
+        "data.hostnames": "resolutions",
+        "data.isp": "isp",
+        "categories_found": "tags",
     }
     ac.save()
 
@@ -68,6 +68,30 @@ def migrate_circl_passive_ssl(apps, schema_editor):
     ac.save()
 
 
+def migrate_crowdsec(apps, schema_editor):
+    AnalyzerConfig = apps.get_model("analyzers_manager", "AnalyzerConfig")
+    ac = AnalyzerConfig.objects.filter(name="Crowdsec").first()
+    if not ac:
+        return
+    ac.mapping_data_model = {
+        "references.references": "external_references",
+        "link": "external_references",
+    }
+    ac.save()
+
+
+def migrate_greynoise_community(apps, schema_editor):
+    AnalyzerConfig = apps.get_model("analyzers_manager", "AnalyzerConfig")
+    ac = AnalyzerConfig.objects.filter(name="GreyNoiseCommunity").first()
+    if not ac:
+        return
+    ac.mapping_data_model = {
+        "name": "org_name",
+        "link": "external_references",
+    }
+    ac.save()
+
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -80,4 +104,6 @@ class Migration(migrations.Migration):
         migrations.RunPython(migrate_urlhaus, migrations.RunPython.noop),
         migrations.RunPython(migrate_bgp_ranking, migrations.RunPython.noop),
         migrations.RunPython(migrate_circl_passive_ssl, migrations.RunPython.noop),
+        migrations.RunPython(migrate_crowdsec, migrations.RunPython.noop),
+        migrations.RunPython(migrate_greynoise_community, migrations.RunPython.noop),
     ]

api_app/analyzers_manager/observable_analyzers/crowdsec.py

@@ -33,25 +33,14 @@ def run(self):
 
     def _do_create_data_model(self):
         return super()._do_create_data_model() and not self.report.report.get(
-            "not_fount", False
+            "not_found", False
         )
 
     def _update_data_model(self, data_model):
         from api_app.analyzers_manager.models import AnalyzerReport
 
         self.report: AnalyzerReport
         super()._update_data_model(data_model)
-        external_refs = []
-        link = self.report.report.get("link", None)
-        if link:
-            external_refs.append(link)
-        references = self.report.report.get("references", [])
-        for reference in references:
-            refs = reference.get("references", [])
-            external_refs.extend(refs)
-        external_references = getattr(data_model, "external_references")
-        external_references.set(external_refs)
-
         highest_total_score = max(
             [
                 values["total"]

api_app/analyzers_manager/observable_analyzers/greynoiseintel.py

@@ -70,10 +70,48 @@ def run(self):
         return response
 
     def _do_create_data_model(self):
-        return super()._do_create_data_model() and not self.report.report.get(
-            "not_fount", False
+        return super()._do_create_data_model() and (
+            self.report.report.get("riot", False)
+            or self.report.report.get("noise", False)
         )
 
+    def _update_data_model(self, data_model):
+        from api_app.analyzers_manager.models import AnalyzerReport
+
+        super()._update_data_model(data_model)
+        classification = self.report.report.get("classification", None)
+        riot = self.report.report.get("riot", None)
+        noise = self.report.report.get("noise", None)
+        if classification:
+            classification.lower()
+            self.report: AnalyzerReport
+            if (
+                classification
+                == self.report.data_model_class.EVALUATIONS.MALICIOUS.value
+            ):
+                if not noise:
+                    logger.error("malicious IP is not a noise!?! How is this possible")
+                data_model.evaluation = (
+                    self.report.data_model_class.EVALUATIONS.MALICIOUS.value
+                )
+            elif classification == "unknown":
+                if riot:
+                    data_model.evaluation = (
+                        self.report.data_model_class.EVALUATIONS.INFO.value
+                    )
+                elif noise:
+                    data_model.evaluation = (
+                        self.report.data_model_class.EVALUATIONS.MALICIOUS.value
+                    )
+            elif classification == "benign":
+                data_model.evaluation = (
+                    self.report.data_model_class.EVALUATIONS.FALSE_POSITIVE.value
+                )
+            else:
+                logger.error(
+                    f"there should not be other types of classification. Classification found: {classification}"
+                )
+
     @classmethod
     def _monkeypatch(cls):
         patches = [