def do_transform(self, request, response, config):
response += check_update(config)
link_label = 'Search result'
if 'properties.mispevent' in request.entity.fields:
conn = MISPConnection(config, request.parameters)
# if event_id
try:
if request.entity.value == '0':
return response
eventid = int(request.entity.value)
events_json = conn.misp.search(controller='events',
eventid=eventid,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e,
link_label=link_label,
link_direction=LinkDirection.OutputToInput)
return response
except ValueError:
pass
# if event_info string as value
events_json = conn.misp.search(controller='events',
eventinfo=request.entity.value,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e,
link_label=link_label,
link_direction=LinkDirection.OutputToInput)
return response
# From galaxy or Hashtag
if 'properties.mispgalaxy' in request.entity.fields or 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
if request.entity.value == '-':
return response
# First search in galaxies
keyword = get_entity_property(request.entity, 'Temp')
if not keyword:
keyword = request.entity.value
# assume the user is searching for a cluster based on a substring.
# Search in the list for those that match and return galaxy entities'
potential_clusters = search_galaxy_cluster(keyword)
# LATER check if duplicates are possible
if potential_clusters:
for potential_cluster in potential_clusters:
new_entity = galaxycluster_to_entity(potential_cluster,
link_label=link_label)
# LATER support the type_filter - unfortunately this is not possible, we need Canari to tell us the original entity type
if isinstance(new_entity, MISPGalaxy):
response += new_entity
# from Hashtag search also in tags
if 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
keyword = get_entity_property(request.entity, 'Temp')
if not keyword:
keyword = request.entity.value
conn = MISPConnection(config, request.parameters)
result = conn.misp.direct_call('tags/search',
{'name': keyword})
for t in result:
# skip misp-galaxies as we have processed them earlier on
if t['Tag']['name'].startswith('misp-galaxy'):
continue
# In this case we do not filter away those we add as notes, as people might want to pivot on it explicitly.
response += Hashtag(t['Tag']['name'],
link_label=link_label,
bookmark=Bookmark.Green)
return response
# for all other normal entities
conn = MISPConnection(config, request.parameters)
events_json = conn.misp.search(controller='events',
value=request.entity.value,
with_attachments=False)
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
for e in events_json:
# find the value as attribute
attr = get_attribute_in_event(e,
request.entity.value,
substring=True)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
# find the value as object, and return the object
if 'Object' in e['Event']:
for o in e['Event']['Object']:
if get_attribute_in_object(
o,
attribute_value=request.entity.value,
substring=True).get('value'):
response += conn.object_to_entity(
o, link_label=link_label)
return response
def do_transform(self, request, response, config):
maltego_misp_galaxy = request.entity
if maltego_misp_galaxy.uuid:
current_cluster = get_galaxy_cluster(uuid=maltego_misp_galaxy.uuid)
elif maltego_misp_galaxy.tag_name:
current_cluster = get_galaxy_cluster(
tag=maltego_misp_galaxy.tag_name)
elif maltego_misp_galaxy.name:
current_cluster = get_galaxy_cluster(tag=maltego_misp_galaxy.name)
if not current_cluster:
# maybe the user is searching for a cluster based on a substring.
# Search in the list for those that match and return galaxy entities
potential_clusters = search_galaxy_cluster(
maltego_misp_galaxy.name)
# TODO check if duplicates are possible
if potential_clusters:
for potential_cluster in potential_clusters:
response += galaxycluster_to_entity(
potential_cluster, link_label='Search result')
return response
if not current_cluster:
response += UIMessage(
"Galaxy Cluster UUID not in local mapping. Please update local cache; non-public UUID are not supported yet.",
type=UIMessageType.Inform)
return response
c = current_cluster
# update existing object
galaxy_cluster = get_galaxy_cluster(c['uuid'])
icon_url = None
if 'icon' in galaxy_cluster: # map the 'icon' name from the cluster to the icon filename of the intelligence-icons repository
try:
icon_url = mapping_galaxy_icon[galaxy_cluster['icon']]
except Exception:
# it's not in our mapping, just ignore and leave the default Galaxy icon
pass
if c['meta'].get('synonyms'):
synonyms = ', '.join(c['meta']['synonyms'])
else:
synonyms = ''
request.entity.name = '{}\n{}'.format(c['type'], c['value'])
request.entity.uuid = c['uuid']
request.entity.description = c.get('description')
request.entity.cluster_type = c.get('type')
request.entity.cluster_value = c.get('value')
request.entity.synonyms = synonyms
request.entity.tag_name = c['tag_name']
request.entity.icon_url = icon_url
# response += request.entity
# find related objects
if 'related' in current_cluster:
for related in current_cluster['related']:
related_cluster = get_galaxy_cluster(related['dest-uuid'])
if related_cluster:
response += galaxycluster_to_entity(
related_cluster, link_label=related['type'])
# find objects that are relating to this one
for related in get_galaxies_relating(current_cluster['uuid']):
related_link_label = ''
for rel_in_rel in related['related']:
if rel_in_rel['dest-uuid'] == current_cluster['uuid']:
related_link_label = rel_in_rel['type']
break
response += galaxycluster_to_entity(
related,
link_label=related_link_label,
link_direction=LinkDirection.OutputToInput)
return response