def _misp_sighting_list_function(self, event, *args, **kwargs):
"""Function: Return a list of sightings associated with a given event"""
try:
API_KEY, URL, VERIFY_CERT = common.validate(self.options)
# Get the function parameters:
event_id = int(kwargs.get("misp_event_id")) # text
log = logging.getLogger(__name__)
log.info("event_id: %s", event_id)
yield StatusMessage("Setting up connection to MISP")
proxies = common.get_proxies(self.opts, self.options)
misp_client = misp_helper.get_misp_client(URL,
API_KEY,
VERIFY_CERT,
proxies=proxies)
yield StatusMessage("Getting sighted list")
sighting_list_result = misp_helper.get_misp_sighting_list(
misp_client, event_id)
yield StatusMessage("Finished getting sighting list")
results = {"success": True, "content": sighting_list_result}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _misp_create_tag_function(self, event, *args, **kwargs):
"""Function: Creates a Tag"""
try:
# Get the function parameters:
misp_tag_type = self.get_select_param(kwargs.get(
"misp_tag_type")) # select, values: "Event", "Attribute"
misp_tag_name = kwargs.get("misp_tag_name") # text
misp_attribute_value = kwargs.get("misp_attribute_value") # text
misp_event_id = kwargs.get("misp_event_id") # number
# ensure misp_event_id is an integer so we can get an event by it's index
if not isinstance(misp_event_id, int):
raise IntegrationError(
u"Unexpected input type for MISP Event ID. Expected and integer, received {}"
.format(type(misp_event_id)))
API_KEY, URL, VERIFY_CERT = common.validate(self.options)
log = logging.getLogger(__name__)
log.info("misp_tag_type: %s", misp_tag_type)
log.info("misp_tag_name: %s", misp_tag_name)
log.info("misp_attribute_value: %s", misp_attribute_value)
log.info("misp_event_id: %s", misp_event_id)
if sys.version_info.major < 3:
raise FunctionError(
"Tagging is only supported when using Python 3")
yield StatusMessage("Setting up connection to MISP")
proxies = common.get_proxies(self.opts, self.options)
misp_client = misp_helper.get_misp_client(URL,
API_KEY,
VERIFY_CERT,
proxies=proxies)
yield StatusMessage(u"Tagging {} with {}".format(
misp_tag_type, misp_tag_name))
tag_result = misp_helper.create_tag(misp_client,
misp_attribute_value,
misp_tag_type, misp_tag_name,
misp_event_id)
if 'errors' in tag_result:
raise IntegrationError(u"Unable to save the tag. {}".format(
tag_result['errors'][1]['errors']))
log.debug(tag_result)
yield StatusMessage("Tag has been created")
response_results = {"success": True}
# Produce a FunctionResult with the results
yield FunctionResult(response_results)
except Exception:
yield FunctionError()
def _misp_search_attribute_function(self, event, *args, **kwargs):
"""Function: Search to see if an attribute exists for a given artifact value"""
try:
API_KEY, URL, VERIFY_CERT = common.validate(self.options)
# Get the function parameters:
search_attribute = kwargs.get("misp_attribute_value") # text
log = logging.getLogger(__name__)
log.info("search_attribute: %s", search_attribute)
yield StatusMessage("Setting up connection to MISP")
proxies = common.get_proxies(self.opts, self.options)
misp_client = misp_helper.get_misp_client(URL,
API_KEY,
VERIFY_CERT,
proxies=proxies)
yield StatusMessage(
u"Searching for attribute - {}".format(search_attribute))
results = {}
search_results = misp_helper.search_misp_attribute(
misp_client, search_attribute)
log.debug(search_results)
if search_results['search_status']:
results['success'] = True
results['content'] = search_results['search_results']
misp_tags = misp_helper.get_misp_attribute_tags(
misp_client, search_results['search_results'])
results['tags'] = misp_tags
else:
results['success'] = False
yield StatusMessage("Attribute search complete.")
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _misp_create_attribute_function(self, event, *args, **kwargs):
"""Function: """
try:
API_KEY, URL, VERIFY_CERT = common.validate(self.options)
# Get the function parameters:
misp_event_id = kwargs.get("misp_event_id") # number
misp_attribute_value = kwargs.get("misp_attribute_value") # text
misp_attribute_type = kwargs.get("misp_attribute_type") # text
# ensure misp_event_id is an integer so we can get an event by it's index
if not isinstance(misp_event_id, int):
raise IntegrationError(u"Unexpected input type for MISP Event ID. Expected and integer, received {}".format(type(misp_event_id)))
log = logging.getLogger(__name__)
log.info("misp_event_id: %s", misp_event_id)
log.info("misp_attribute_value: %s", misp_attribute_value)
log.info("misp_attribute_type: %s", misp_attribute_type)
yield StatusMessage("Setting up connection to MISP")
proxies = common.get_proxies(self.opts, self.options)
misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies)
yield StatusMessage(u"Creating new misp attribute {} {}".format(misp_attribute_type, misp_attribute_value))
attribute = misp_helper.create_misp_attribute(misp_client, misp_event_id, misp_attribute_type, misp_attribute_value)
log.debug(attribute)
yield StatusMessage("Attribute has been created")
results = { "success": True,
"content": attribute
}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _misp_create_event_function(self, event, *args, **kwargs):
"""Function: create a MISP event from an incident """
try:
API_KEY, URL, VERIFY_CERT = common.validate(self.options)
# Get the function parameters:
misp_event_name = kwargs.get("misp_event_name") # text
misp_distribution = kwargs.get("misp_distribution") # number
misp_analysis_level = kwargs.get("misp_analysis_level") # number
misp_threat_level = kwargs.get("misp_threat_level") # number
log = logging.getLogger(__name__)
log.info("misp_event_name: %s", misp_event_name)
log.info("misp_distribution: %s", misp_distribution)
log.info("misp_analysis_level: %s", misp_analysis_level)
log.info("misp_threat_level: %s", misp_threat_level)
yield StatusMessage("Setting up connection to MISP")
proxies = common.get_proxies(self.opts, self.options)
misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies)
yield StatusMessage(u"Creating event {}".format(misp_event_name))
event = misp_helper.create_misp_event(misp_client, misp_distribution, misp_threat_level, misp_analysis_level, misp_event_name)
log.debug(event)
yield StatusMessage("Event has been created")
results = {
"success": True,
"content": event
}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()
def _misp_create_sighting_function(self, event, *args, **kwargs):
"""Function: """
try:
API_KEY, URL, VERIFY_CERT = common.validate(self.options)
# Get the function parameters:
misp_sighting = kwargs.get("misp_sighting") # text
log = logging.getLogger(__name__)
log.info("misp_sighting: %s", misp_sighting)
yield StatusMessage("Setting up connection to MISP")
proxies = common.get_proxies(self.opts, self.options)
misp_client = misp_helper.get_misp_client(URL,
API_KEY,
VERIFY_CERT,
proxies=proxies)
yield StatusMessage(u"Marking {} as sighted".format(misp_sighting))
sighting = misp_helper.create_misp_sighting(
misp_client, misp_sighting)
log.debug(sighting)
yield StatusMessage("Sighting has been created")
results = {"success": True, "content": sighting}
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception:
yield FunctionError()