TheHive-Project
diff --git a/‎analyzers/Watcher/README.md‎
Lines changed: 101 additions & 37 deletions b/‎analyzers/Watcher/README.md‎
Lines changed: 101 additions & 37 deletions
diff --git a/‎analyzers/Watcher/Watcher_Check.json‎
Lines changed: 25 additions & 0 deletions b/‎analyzers/Watcher/Watcher_Check.json‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎analyzers/Watcher/Watcher_CheckDomain.json‎
Lines changed: 0 additions & 26 deletions b/‎analyzers/Watcher/Watcher_CheckDomain.json‎
Lines changed: 0 additions & 26 deletions
@@ -1,69 +1,133 @@
-# [Watcher](https://github.com/thalesgroup-cert/Watcher)
+# [Watcher](https://github.com/thalesgroup-cert/Watcher) Analyzer
 
-## Watcher Check Domain Analyzer
+## Watcher Analyzer
 
 ### Description
-The Watcher Check Domain Analyzer is an Analyzer for TheHive/Cortex that checks if a given domain is already being monitored in the Watcher website monitoring system.
+Watcher Analyzer for TheHive/Cortex enables comprehensive domain presence checking across both Watcher modules:
+- **Legitimate Domain Module** (`/api/common/legitimate_domains/`) - Check legitimate/repurchased domains
+- **Website Monitoring Module** (`/api/site_monitoring/site/`) - Check monitored suspicious/malicious domains
+
+The analyzer checks both modules simultaneously and provides a unified result.
+
+---
 
 ### Features
-- **Check if a domain is monitored**: Verifies whether a specific domain is already being monitored in the Watcher system.
+
+#### Watcher_Check
+Check if a domain is monitored in one or both Watcher modules and retrieve a unified status and details:
+
+**From Legitimate Domain Module:**
+- Domain name
+- Ticket ID
+- Repurchased status (Yes/No)
+- Contact email
+- Creation/update timestamps
+
+**From Website Monitoring Module:**
+- Domain name
+- Ticket ID
+- Legitimacy score (2-6)
+- IP addresses (primary, secondary)
+- MX records
+- Mail server IP
+- Takedown request status
+- Legal team notification status
+- Blocking request status
+- Creation/update timestamps
+
+---
 
 ### Prerequisites
 - Access to the Watcher API
 - A valid API key for Watcher
 - A functional instance of Cortex and TheHive
 
+---
+
 ### Installation
-- Add the configuration files for this analyzer to your Cortex configuration.
+
+Add the configuration file to the Cortex configurations.
+
+---
 
 ### Configuration
-In Cortex, configure the following parameters for the Analyzer:
 
-| Parameter          | Description                                                        | Required | Default Value |
-|--------------------|--------------------------------------------------------------------|----------|----------------|
-| `watcher_url`      | URL of Watcher (e.g. `https://example.watcher.local:9002`)         | Yes      | -              |
-| `watcher_api_key`  | API key for authenticating                                         | Yes      | -              |
+Configure the following parameters in Cortex:
 
-### Usage
-When a domain artifact is submitted to this analyzer, it will:
-1. Query the Watcher API to check if the domain is already monitored.
-2. Return a report with either the monitoring status of the domain or an indication that it is not yet monitored.
+| Parameter         | Description                                                        | Type   | Required |
+|-------------------|--------------------------------------------------------------------|--------|----------|
+| `watcher_url`     | Base URL of Watcher instance (e.g., `https://watcher.local:9002`) | String | Yes      |
+| `watcher_api_key` | API authentication token for Watcher                               | String | Yes      |
 
-### Example JSON Response
-#### Domain is already monitored
+**Example Configuration:**
 ```json
 {
-  "status": "Monitored",
-  "Message": "Domain 'example.com' is already monitored in Watcher.",
-  "ticket_id": "12345"
+  "watcher_url": "https://watcher.example.com:9002",
+  "watcher_api_key": "your-api-token-here"
 }
 ```
 
-#### Domain is not monitored
-```json
-{
-  "status": "Not Monitored",
-  "Message": "Domain 'example.com' is not monitored in Watcher. You can add it using the Watcher responder."
-}
+---
+
+### Usage
+
+#### Check Domain Presence
+1. In TheHive, create a domain observable: `example.com`
+2. Run analyzer: **Watcher_Check**
+3. View results with one of four possible taxonomies:
+   - `Watcher:Check = FoundOnBoth` (green) - Domain found in both modules
+   - `Watcher:Check = FoundOnLegitDomain` (green) - Domain found in Legitimate Domain only
+   - `Watcher:Check = FoundOnWebsiteMonitoring` (green) - Domain found in Website Monitoring only
+   - `Watcher:Check = NotFound` (blue) - Domain not found in any module
+
+---
+
+### API Endpoints Used
+
+#### Legitimate Domain Module
 ```
+GET /api/common/legitimate_domains/?search={domain}
+```
+
+#### Website Monitoring Module
+```
+GET /api/site_monitoring/site/
+```
+
+---
+
+### Taxonomies
+
+The analyzer uses a unified taxonomy system:
+
+| Analyzer        | Namespace | Predicate | Values                                                                                    | Colors              |
+|-----------------|-----------|-----------|-------------------------------------------------------------------------------------------|---------------------|
+| **Watcher_Check** | Watcher   | Check     | FoundOnBoth / FoundOnLegitDomain / FoundOnWebsiteMonitoring / NotFound | safe / safe / safe / info |
+
+**Examples in TheHive:**
+- `Watcher:Check = "MonitoredOnBoth"` (Green badge) - Found in both modules
+- `Watcher:Check = "MonitoredOnLegitDomain"` (Green badge) - Found in Legitimate Domain only
+- `Watcher:Check = "MonitoredOnWebsiteMonitoring"` (Green badge) - Found in Website Monitoring only
+- `Watcher:Check = "None"` (Blue badge) - Not found in any module
+
+---
+
+### Best Practices
 
-### Template Setup in TheHive
+1. **Single analyzer approach** - One analyzer checks both modules simultaneously
+2. **Use results** to trigger appropriate responders based on the status
+3. **Template files** provide rich visual feedback in TheHive interface with detailed information from both modules when available
 
-To customize the display of analyzer results in TheHive, you can use **analyzer templates**. 
+---
 
-Follow these steps to install the templates for the `Watcher_CheckDomain` analyzer:
+### Support
 
-1. Navigate to **TheHive** web interface  
-2. Go to **Admin** > **Entities Management** > **Analyzer templates**  
-3. Click on **Import templates**  
-4. Browse to the template directory  
-5. Select both `short.html` and `long.html` files  
-6. Click **Import**  
-7. Make sure the templates are correctly associated with the `Watcher_CheckDomain` analyzer
+For issues, questions, or feature requests:
+- **GitHub Issues**: [Watcher Repository](https://github.com/thalesgroup-cert/Watcher/issues)
 
-Once done, TheHive will use these templates to display the analyzer output with better readability and style.
+---
 
-### Author
+### Authors
 
 **Thales Group CERT** - [thalesgroup-cert on GitHub](https://github.com/thalesgroup-cert)  
 **Ygal NEZRI** - [@ygalnezri](https://github.com/ygalnezri)
@@ -0,0 +1,25 @@
+{
+  "name": "Watcher_Check",
+  "version": "1.0",
+  "author": "THA-CERT // YNE",
+  "url": "https://github.com/thalesgroup-cert/Watcher",
+  "license": "AGPL-V3",
+  "description": "Check if a domain is monitored in Watcher (Legitimate Domain and/or Website Monitoring modules) and retrieve all details.",
+  "dataTypeList": ["domain"],
+  "command": "Watcher/watcher.py",
+  "baseConfig": "Watcher",
+  "configurationItems": [
+    {
+      "name": "watcher_url",
+      "description": "URL of Watcher instance.",
+      "type": "string",
+      "required": true
+    },
+    {
+      "name": "watcher_api_key",
+      "description": "API key for authenticating requests to Watcher",
+      "type": "string",
+      "required": true
+    }
+  ]
+}