def submit_tf_update(misp: ExpandedPyMISP, attributes: list) -> MISPEvent:
    """Create or update today's abuse.ch MISP event and append *attributes*.

    The event is located by its ``info`` string, rendered from the module-level
    ``event_info_template`` and ``info_dateformat``. When no matching event
    owned by org 1 exists, a new one is created with the module-level
    distribution / threat-level settings and the ``tagging`` tags.

    :param misp: connected PyMISP client used for search/add/update
    :param attributes: list of keyword dicts, each passed to
        ``MISPEvent.add_attribute``
    :return: result of ``misp.update_event`` on the modified event
    """
    info = event_info_template.format(datetime.now().strftime(info_dateformat))
    # logging.debug(info)
    existing = misp.search(controller='events', eventinfo=info, org=1, pythonify=True)
    if not existing:
        # No event for today yet: build one from the module-level defaults.
        target = MISPEvent()
        target.distribution = event_distribution
        target.threat_level_id = event_threat_level
        target.analysis = 2
        target.info = info
        for tag in tagging:
            target.add_tag(tag)
        target = misp.add_event(target, pythonify=True)
    else:
        # Today's event already exists; the first hit is reused.
        target = existing[0]
    for kwargs in attributes:
        target.add_attribute(**kwargs)
    target.published = autopublish
    return misp.update_event(target)
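def create_daily_event(self):
    """Create and submit today's "Daily AIL-leaks" MISP event.

    The event is org-only (distribution 0), analysis 0 (initial), threat level
    3 (low), tagged ``infoleak:output-format="ail-daily"`` and submitted
    unpublished through ``self.pymisp.add_event``.

    :return: whatever ``self.pymisp.add_event`` returns for the new event
    """
    today = datetime.date.today()
    event = MISPEvent()
    # [0-3]
    event.distribution = 0
    event.info = "Daily AIL-leaks {}".format(today)
    # [0-2]
    event.analysis = 0
    # [1-4] -- the MISP field is threat_level_id; the original assigned
    # ``event.threat``, which is not the MISP field name, so the intended
    # level never reached the server.
    event.threat_level_id = 3
    event.published = False
    event.add_tag('infoleak:output-format="ail-daily"')
    return self.pymisp.add_event(event)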
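def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
    """Build a MISPEvent from deduplicated TIE observations.

    :param deduplicated_observations: mapping of key -> observation dict; each
        observation is read for ``value``, ``categories``, ``actors``,
        ``families``, ``sources``, ``max_severity``, ``max_confidence`` and
        ``min_confidence``
    :param conf: settings object providing ``event_published``, ``org_name``,
        ``org_uuid``, ``event_base_thread_level``, ``attr_to_ids`` and
        ``attr_to_ids_threshold``
    :param tags: event-level tags; attached as ``event['Tag']`` when non-empty
    :param attr_tags: object with per-category tag lists (``c2tags``,
        ``malwaretags``, ``espionagetags``, ``bottags``, ``whitelisttags``,
        ``cybercrimetags``, ``phishingtags``)
    :return: ``(event, attr_hashes)`` where ``attr_hashes`` holds one
        ``[md5_of_value, event_uuid]`` pair per observation
    """
    dt = datetime.now()
    # Seconds since the epoch as a string. strftime("%s") is a glibc
    # extension (unsupported on other platforms); timestamp() yields the same
    # value for a naive local datetime everywhere.
    epoch = str(int(dt.timestamp()))

    event = MISPEvent()
    event.info = dt.strftime("%Y%m%d ") + 'TIE'
    event.publish_timestamp = epoch
    event.timestamp = epoch
    event['timestamp'] = epoch
    event.analysis = 2
    event.published = conf.event_published
    orgc = MISPOrganisation()
    orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
    event.orgc = orgc
    event.threat_level_id = conf.event_base_thread_level
    event.date = dt
    # NOTE(review): uuid1 embeds the host's MAC address and clock in the
    # event UUID, which is then shared with every recipient of the event.
    event['uuid'] = str(uuid.uuid1())
    if tags:
        event['Tag'] = tags

    # (category, attr_tags attribute name) in the order the original checked
    # them. Each match overwrites misp_attr['Tag'], so only the LAST matching
    # category's tags survive -- kept as-is to preserve behaviour.
    category_tag_names = (
        ('c2-server', 'c2tags'),
        ('malware', 'malwaretags'),
        ('espionage', 'espionagetags'),
        ('bot', 'bottags'),
        ('whitelist', 'whitelisttags'),
        ('cybercrime', 'cybercrimetags'),
        ('phishing', 'phishingtags'),
    )

    attr_hashes = []
    for attr in deduplicated_observations.values():
        misp_attr = MISPAttribute()
        misp_attr.timestamp = epoch
        misp_attr['timestamp'] = epoch
        misp_attr.type = get_Attribute_Type(attr)
        misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)
        for category, tag_attr in category_tag_names:
            if category in attr['categories']:
                tag_list = getattr(attr_tags, tag_attr)
                if tag_list:
                    misp_attr['Tag'] = tag_list
        misp_attr.category = get_Attribute_Category(attr)
        # Export to IDS only when enabled and the observation is confident enough.
        misp_attr.to_ids = bool(
            conf.attr_to_ids and attr['min_confidence'] >= conf.attr_to_ids_threshold)
        misp_attr['comment'] = (
            'categories: ' + str(attr['categories'])
            + ' actors: ' + str(attr['actors'])
            + ' families: ' + str(attr['families'])
            + ' sources: ' + str(attr['sources'])
            + ' severity: ' + str(attr['max_severity'])
            + ' confidence: ' + str(attr['max_confidence']))
        misp_attr.edited = False
        event.add_attribute(**(misp_attr.to_dict()))
        # md5 serves only as a compact dedup key for the value, not for integrity.
        attr_hashes.append([
            hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
            event['uuid']
        ])
    event.edited = False
    return event, attr_hashes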
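def create_misp_event(misp_instance, isight_report_instance):
    """Create a MISP event for an iSight report that has no event yet.

    Builds the event from the report's publication date, risk rating and
    title, pushes it with ``misp_instance.add_event``, applies the default
    tags and hands the saved event to ``update_misp_event``.

    :param misp_instance: PyMISP client (needs ``add_event`` and ``tag``)
    :param isight_report_instance: report object exposing ``publishDate``,
        ``riskRating``, ``title``, ``reportId`` and ``Id``
    """
    # No MISP event for this iSight report ID exists yet.
    # Alas, create a new MISP event.

    # Convert the publication date of the iSight report into a datetime object.
    if isight_report_instance.publishDate:
        # NOTE(review): this is a naive local datetime while the fallback
        # below is timezone-aware UTC; only the date part reaches MISP, but
        # the two branches can disagree by a day around midnight.
        date = datetime.datetime.fromtimestamp(isight_report_instance.publishDate)
    else:
        # If iSight doesn't provide a date, use today's date.
        date = datetime.datetime.now(datetime.timezone.utc)

    # Create a MISP event from the FireEye iSight report with the following parameters.
    print('****create new event*****')
    event = MISPEvent()
    event.distribution = 1  # This community only
    event.threat_level_id = _threat_level_from_rating(isight_report_instance.riskRating)
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    print("#######Push event to MISP server####", my_event)
    PySilo_settings.logger.debug('Created MISP event %s for iSight report %s', event, isight_report_instance.reportId)

    # Add default tags to the event.
    misp_instance.tag(my_event, 'Source:SILOBREAKER')
    #misp_instance.tag(my_event, 'basf:source="iSight"')
    misp_instance.tag(my_event, 'CTI feed: SILOBREAKER')
    misp_instance.tag(my_event, 'tlp:amber')
    # NOTE(review): the tag text here is the literal 'report id'; the report
    # id is passed as a third positional argument, not as part of the tag --
    # confirm this is the intended call.
    misp_instance.tag(my_event, 'report id', isight_report_instance.Id)

    # Use some iSight ThreatScapes for event tagging. Reports can have multiple ThreatScapes.
    # (ThreatScape-based tagging is currently disabled.)
    #if 'Cyber Espionage' in isight_report_instance.ThreatScape:
        # VERIS distinguishes between external, internal or partner actors. This difference is not yet implemented in
        # MISP. External would be most likely.
        #misp_instance.tag(my_event, 'veris:actor:external:motive="Espionage"')
        #misp_instance.tag(my_event, 'veris:actor:motive="Espionage"')
    #if 'Hacktivism' in isight_report_instance.ThreatScape:
        #misp_instance.tag(my_event, 'veris:actor:external:variety="Activist"')
    #if 'Critical Infrastructure' in isight_report_instance.ThreatScape:
        # misp_instance.tag(my_event, 'basf:technology="OT"')
    #if 'Cyber Physical' in isight_report_instance.ThreatScape:
        #misp_instance.tag(my_event, 'basf:technology="OT"')
    #if 'Cyber Crime' in isight_report_instance.ThreatScape:
        #misp_instance.tag(my_event, 'veris:actor:external:variety="Organized crime"')

    update_misp_event(misp_instance, my_event, isight_report_instance)


# iSight risk rating (upper-cased) -> MISP threat_level_id.
_RISK_RATING_TO_THREAT_LEVEL = {
    'CRITICAL': 1,  # High
    'HIGH': 1,      # High
    'MEDIUM': 2,    # Medium
    'LOW': 3,       # Low
}


def _threat_level_from_rating(risk_rating):
    """Map an iSight riskRating string to a MISP threat_level_id (4 = Unknown).

    Matching is case-insensitive, so 'CRITICAL', 'Critical' and 'critical'
    all map alike; ``None`` and unknown ratings map to 4.
    """
    return _RISK_RATING_TO_THREAT_LEVEL.get(str(risk_rating or '').upper(), 4)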
def misp_event_create(event_info, internal_reference, phish_artefacts):
    """Create a MISP event carrying an internal-reference attribute and objects.

    Uses the module-level ``pymisp`` client and settings (``misp_distribution``,
    ``sharing_group_id``, ``misp_threat_level_id``, ``misp_analysis``,
    ``misp_tags``, ``auto_publish``).

    :param event_info: value for the event's ``info`` field
    :param internal_reference: text stored as an 'Internal reference' attribute
    :param phish_artefacts: passed through to ``misp_create_objects``
    :return: the created event, or ``""`` when the reference attribute did not
        come back with the expected value
    """
    new_event = MISPEvent()
    new_event.distribution = misp_distribution
    # A sharing group is only meaningful for distribution 4 ("sharing group").
    if sharing_group_id >= 1 and misp_distribution == 4:
        new_event.sharing_group_id = sharing_group_id
    new_event.threat_level_id = misp_threat_level_id
    new_event.analysis = misp_analysis
    new_event.info = event_info
    new_event = pymisp.add_event(new_event, pythonify=True)

    if hasattr(new_event, 'uuid'):
        reference = pymisp.add_attribute(
            new_event.uuid,
            {
                'type': 'text',
                'value': internal_reference,
                'category': 'Internal reference',
                'distribution': "0"
            },
            pythonify=True)
        if reference.value != internal_reference:
            return ("")
        # Creating Object
        print("Creating Objects...")
        misp_create_objects(new_event, phish_artefacts)
        for misp_tag in misp_tags:
            pymisp.tag(new_event.uuid, misp_tag)
        pymisp.update_event(new_event)

    if auto_publish:
        print("Publishing MISP Event")
        pymisp.publish(new_event)
    return (new_event)
def add_event(self):
    """Create a MISP event for the current ATD report and remember its id.

    Reads ``self.query['Summary']['Verdict']['Severity']``, ``self.mainfile``
    and ``self.attributes``; stores the new event id in ``self.evenid``.
    Any exception is caught and printed together with its location.
    """
    # ATD severity (string) -> MISP threat_level_id; anything unmapped gets 0.
    severity_to_threat = {'3': 1, '4': 2, '5': 3}
    try:
        new_event = MISPEvent()
        new_event.distribution = 0
        # ATD Threat mapping to MISP Threat Level
        atd_threat_level = self.query['Summary']['Verdict']['Severity']
        if atd_threat_level:
            new_event.threat_level_id = severity_to_threat.get(atd_threat_level, 0)
        new_event.analysis = 0  # initial
        new_event.info = "ATD Analysis Report - {0}".format(self.mainfile)
        new_event.attributes = self.attributes
        # NOTE(review): Tag is assigned a bare string here, whereas add_tag()
        # is the usual way to attach tags -- confirm the server accepts this.
        new_event.Tag = 'ATD:Report'
        new_event = self.misp.add_event(new_event, pythonify=True)
        self.evenid = new_event.id
        print('SUCCESS: New MISP Event got created with ID: {}'.format(str(new_event.id)))
    except Exception as e:
        exc_type, exc_obj, exc_tb = sys.exc_info()
        print("ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}"
              .format(location=__name__,
                      funct_name=sys._getframe().f_code.co_name,
                      line_no=exc_tb.tb_lineno,
                      error=str(e)))
def create_simple_event():
    """Return an unsaved test event.

    Org-only distribution, low threat level, completed analysis, with one
    'text' attribute holding a fresh random UUID.
    """
    simple = MISPEvent()
    fields = {
        'info': 'This is a super simple test',
        'distribution': Distribution.your_organisation_only,
        'threat_level_id': ThreatLevel.low,
        'analysis': Analysis.completed,
    }
    for name, value in fields.items():
        setattr(simple, name, value)
    simple.add_attribute('text', str(uuid.uuid4()))
    return simple
def create_simple_event(self, force_timestamps=False):
    """Build (but do not submit) a minimal test event.

    :param force_timestamps: forwarded to the ``MISPEvent`` constructor
    :return: org-only, low-threat, completed event with one random 'text' attribute
    """
    simple = MISPEvent(force_timestamps=force_timestamps)
    for name, value in (
            ('info', 'This is a super simple test'),
            ('distribution', Distribution.your_organisation_only),
            ('threat_level_id', ThreatLevel.low),
            ('analysis', Analysis.completed)):
        setattr(simple, name, value)
    simple.add_attribute('text', str(uuid4()))
    return simple
def environment(self):
    """Create the three fixture events used by the tests and return them.

    First and third event are created through ``self.admin_misp_connector``,
    the second through ``self.user_misp_connector``. Tag names ending in
    ``___test`` are test-only tags.

    :return: ``(first, second, third)`` as returned by the respective
        ``add_event`` calls
    """
    # First event: org only, low, completed; two text attributes, one of
    # them tagged admin_only.
    first_event = MISPEvent()
    first_event.info = 'First event - org only - low - completed'
    first_event.distribution = Distribution.your_organisation_only
    first_event.threat_level_id = ThreatLevel.low
    first_event.analysis = Analysis.completed
    first_event.set_date("2017-12-31")
    first_event.add_attribute('text', str(uuid4()))
    first_event.attributes[0].add_tag('admin_only')
    first_event.attributes[0].add_tag('tlp:white___test')
    first_event.add_attribute('text', str(uuid4()))
    first_event.attributes[1].add_tag('unique___test')

    # Second event: org only, medium, ongoing; shares one attribute value
    # with the first event so correlation can be tested.
    second_event = MISPEvent()
    second_event.info = 'Second event - org only - medium - ongoing'
    second_event.distribution = Distribution.your_organisation_only
    second_event.threat_level_id = ThreatLevel.medium
    second_event.analysis = Analysis.ongoing
    second_event.set_date("Aug 18 2018")
    second_event.add_attribute('text', str(uuid4()))
    second_event.attributes[0].add_tag('tlp:white___test')
    second_event.add_attribute('ip-dst', '1.1.1.1')
    # Same value as in first event.
    second_event.add_attribute('text', first_event.attributes[0].value)

    # Third event: visible to all communities, high, initial; tagged at
    # event level and on its first two attributes.
    third_event = MISPEvent()
    third_event.info = 'Third event - all orgs - high - initial'
    third_event.distribution = Distribution.all_communities
    third_event.threat_level_id = ThreatLevel.high
    third_event.analysis = Analysis.initial
    third_event.set_date("Jun 25 2018")
    third_event.add_tag('tlp:white___test')
    third_event.add_attribute('text', str(uuid4()))
    third_event.attributes[0].add_tag('tlp:amber___test')
    third_event.attributes[0].add_tag('foo_double___test')
    third_event.add_attribute('ip-src', '8.8.8.8')
    third_event.attributes[1].add_tag('tlp:amber___test')
    third_event.add_attribute('ip-dst', '9.9.9.9')

    # Create first and third event as admin
    # usr won't be able to see the first one
    first = self.admin_misp_connector.add_event(first_event)
    third = self.admin_misp_connector.add_event(third_event)
    # Create second event as user
    second = self.user_misp_connector.add_event(second_event)
    return first, second, third
def create_misp_event(misp_client, misp_distribution, misp_threat_level, misp_analysis_level, misp_event_name):
    """Create a MISP event with the given settings and return the server response.

    :param misp_client: PyMISP client providing ``add_event``
    :param misp_distribution: value for ``distribution``
    :param misp_threat_level: value for ``threat_level_id``
    :param misp_analysis_level: value for ``analysis``
    :param misp_event_name: value for ``info``
    :return: whatever ``misp_client.add_event`` returns
    """
    draft = MISPEvent()
    draft.info = misp_event_name
    draft.analysis = misp_analysis_level
    draft.threat_level_id = misp_threat_level
    draft.distribution = misp_distribution
    return misp_client.add_event(draft)
def save(self):
    """Create or update the MISP event for the Site selected by ``validated_data['id']``.

    If a DnsTwisted row for the same domain already carries a MISP event id,
    that id is copied onto the Site. The MISP instance is probed with a plain
    GET before the PyMISP client is built; SSL failures become
    ``AuthenticationFailed`` and any other request failure ``NotFound``.
    Existing events get their IOCs refreshed via ``update_attributes``; new
    events are created, their id persisted on Site (and DnsTwisted), and the
    attributes added via ``create_attributes``.

    :raises AuthenticationFailed: on a TLS/SSL error reaching ``settings.MISP_URL``
    :raises NotFound: on any other connection error to ``settings.MISP_URL``
    """
    site_id = self.validated_data['id']
    site = Site.objects.get(pk=site_id)
    # Check if there is already an Event
    # NOTE(review): the queryset is evaluated for truthiness here and then
    # fetched again with .get(); .exists()/.first() would avoid the double query.
    if DnsTwisted.objects.filter(domain_name=site.domain_name):
        dns_twisted = DnsTwisted.objects.get(domain_name=site.domain_name)
        if site.misp_event_id is None:
            site.misp_event_id = dns_twisted.misp_event_id
            # Save the case id in database
            Site.objects.filter(pk=site.pk).update(misp_event_id=dns_twisted.misp_event_id)
    # Test MISP instance connection
    # Certificate verification for both this probe and the API client below
    # is governed by settings.MISP_VERIFY_SSL; when it is False the API key
    # is sent without the server's identity being verified.
    try:
        requests.get(settings.MISP_URL, verify=settings.MISP_VERIFY_SSL)
    except requests.exceptions.SSLError as e:
        print(str(timezone.now()) + " - ", e)
        raise AuthenticationFailed("SSL Error: " + settings.MISP_URL)
    except requests.exceptions.RequestException as e:
        print(str(timezone.now()) + " - ", e)
        raise NotFound("Not Found: " + settings.MISP_URL)
    misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY, settings.MISP_VERIFY_SSL)
    if site.misp_event_id is not None:
        # If the event already exist, then we update IOCs
        update_attributes(misp_api, site)
    else:
        # If the event does not exist, then we create it
        # Prepare MISP Event (org-only, medium threat, initial analysis)
        event = MISPEvent()
        event.distribution = 0
        event.threat_level_id = 2
        event.analysis = 0
        event.info = "Suspicious domain name " + site.domain_name
        event.tags = create_misp_tags(misp_api)
        # Create MISP Event
        print(str(timezone.now()) + " - " + 'Create MISP Event')
        print('-----------------------------')
        event = misp_api.add_event(event, pythonify=True)
        # Store Event Id in database
        Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)
        if DnsTwisted.objects.filter(domain_name=site.domain_name):
            DnsTwisted.objects.filter(domain_name=site.domain_name).update(misp_event_id=event.id)
        # Create MISP Attributes
        create_attributes(misp_api, event.id, site)
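def make_new_event(misp):
    """Create and save the fixed OSINT event titled ``MISP_EVENT_TITLE``.

    The event is org-only, low threat, completed analysis, tagged
    ``type:OSINT`` and ``tlp:white``.

    :param misp: PyMISP client used to store the event
    :return: the created event as returned by ``misp.add_event(..., pythonify=True)``
    """
    LOGGER.info('Creating new fixed event...')
    event = MISPEvent()
    # The original computed a UTC timestamp / date string here but never used
    # them; the title is the constant MISP_EVENT_TITLE.
    event.info = MISP_EVENT_TITLE
    event.analysis = Analysis.completed
    event.distribution = Distribution.your_organisation_only
    event.threat_level_id = ThreatLevel.low
    event.add_tag('type:OSINT')
    event.add_tag('tlp:white')
    LOGGER.info('Saving event...')
    # Pause kept from the original; presumably rate-limiting when called in a
    # loop -- confirm whether it is still needed.
    time.sleep(1)
    return misp.add_event(event, pythonify=True)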
def _create_new_event(self, org_uuid) -> MISPEvent:
    """Create and submit a new "CTI - IntelMQ feed" MISP event.

    :param org_uuid: organisation UUID handed to ``self.uuid_generator`` to
        derive the event UUID (the orgc assignment itself is still disabled)
    :return: the saved event, pythonified
    """
    fresh = MISPEvent()
    # TODO turn on correct organization assignment
    # fresh.orgc = self.misp_inst.get_organisation(org_uuid, pythonify=True)
    fresh.analysis = 2  # completed
    fresh.threat_level_id = 3  # low
    # TODO use sharing group instead
    fresh.distribution = 1
    # fresh.distribution = 4
    # fresh.sharing_group_id = 2
    fresh.uuid = self.uuid_generator.get_misp_event_uuid(org_uuid)
    for tag in ("rsit:test", "tlp:amber"):
        fresh.add_tag(tag)
    fresh.info = "CTI - IntelMQ feed"
    return self.misp_inst.add_event(fresh, pythonify=True)
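def inserta_misp(nombre_evento, full_tweet, fverbose):
    """Create a MISP event for one received tweet and submit it.

    Uses the module-level ``misp`` client and ``add_tweet_atributes`` helper.

    :param nombre_evento: event title; changes for every tweet received
    :param full_tweet: complete tweet text, stored verbatim as a 'text' attribute
    :param fverbose: verbosity flag forwarded to ``add_tweet_atributes``
    :return: the created event as returned by ``misp.add_event(..., pythonify=True)``
    """
    # Instantiate the MISP event
    event = MISPEvent()
    # Event name; it changes for every tweet received
    event.info = nombre_evento  # Required
    # Default values
    event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
    event.threat_level_id = 2  # Optional, defaults to MISP.default_event_threat_level in MISP config
    event.analysis = 1  # Optional, defaults to 0 (initial analysis)
    # Store the complete tweet. This is third-party content copied verbatim
    # into the attribute value.
    #event.add_attribute('External analysis', full_tweet)
    event.add_attribute('text', full_tweet)
    event.add_tag('tlp:white')
    add_tweet_atributes(event, full_tweet, fverbose)
    # Submit the MISP event and hand the saved copy back to the caller
    # (the original discarded it).
    return misp.add_event(event, pythonify=True)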
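def create_event(FEED, type):
    """Create today's RST Cloud daily feed event, fill it and optionally publish it.

    Uses the module-level ``misp`` client and ``PUBLISH`` flag.

    :param FEED: iterable of indicator strings (domains or IP addresses)
    :param type: ``'Domain'`` or ``'IP'``; selects the attribute builder. Any
        other value leaves the event without attributes. (The name shadows the
        builtin but is kept for caller compatibility.)
    """
    #'uuid', 'info', 'threat_level_id', 'analysis', 'timestamp','publish_timestamp', 'published', 'date', 'extends_uuid'}
    event = MISPEvent()
    event.info = f"[{datetime.now().date().isoformat()}] RST Cloud Daily {type} feed"
    event.analysis = 2  # 0=initial; 1=ongoing; 2=completed
    event.threat_level_id = 2  #1 = high ; 2 = medium; 3 = low; 4 = undefined
    event.add_tag('tlp:white')
    # add to the database
    event = misp.add_event(event)

    # add attributes to the newly created event; the type check does not
    # depend on the entry, so it is hoisted out of the loop
    if type == 'Domain':
        for entry in FEED:
            misp.add_attribute(event, domain_attribute('Network activity', 'domain', entry))
    elif type == 'IP':
        for entry in FEED:
            misp.add_attribute(event, ip_attribute('Network activity', 'ip-dst', entry))

    # Publish only after the attributes exist: publishing first pushed an
    # empty event to subscribers and left the attribute additions unpublished.
    if PUBLISH:
        misp.publish(event)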
def createEvent(eventName):
    """Create a MISP event named *eventName* and emit it as a Maltego entity.

    Uses the module-level ``misp`` client and the ``MISP_*`` / ``BASE_URL``
    settings; the result is handed to ``returnSuccess`` rather than returned.

    :param eventName: value for the event's ``info`` field
    """
    transform = MaltegoTransform()
    transform.addUIMessage("[Info] Creating event with the name %s" % eventName)

    draft = MISPEvent()
    draft.info = eventName
    draft.date = datetime.now()
    draft.analysis = MISP_ANALYSIS
    draft.distribution = MISP_DISTRIBUTION
    draft.threat_level_id = MISP_THREAT
    draft.published = MISP_EVENT_PUBLISH
    saved = misp.add_event(draft)['Event']

    event_id = saved['id']
    org_id = saved['orgc_id']
    entity = MaltegoEntity('maltego.MISPEvent', event_id)
    entity.addAdditionalFields('EventLink', 'EventLink', False, BASE_URL + '/events/view/' + event_id)
    entity.addAdditionalFields('Org', 'Org', False, org_id)
    entity.addAdditionalFields('notes', 'notes', False, org_id + ": " + saved['info'])
    transform.addEntityToMessage(entity)
    returnSuccess("event", event_id, None, transform)
def make_new_event(misp):
    """Create and save the dated fixed OSINT event.

    The title is ``MISP_EVENT_TITLE`` followed by today's date (YYYY-MM-DD);
    the event is org-only, low threat, completed, tagged type:OSINT and tlp:white.

    :param misp: PyMISP client
    :return: the saved event (pythonified), or ``False`` if ``add_event`` raised
    """
    LOGGER.info('Creating new fixed event...')
    fixed = MISPEvent()
    fixed.info = '{0} {1}'.format(MISP_EVENT_TITLE, datetime.now().strftime('%Y-%m-%d'))
    fixed.analysis = Analysis.completed
    fixed.distribution = Distribution.your_organisation_only
    fixed.threat_level_id = ThreatLevel.low
    for tag in ('type:OSINT', 'tlp:white'):
        fixed.add_tag(tag)
    LOGGER.info('Saving event...')
    time.sleep(1)
    try:
        return misp.add_event(fixed, pythonify=True)
    except Exception as ex:
        LOGGER.error('Failed to make MISP event: {0}'.format(str(ex)))
        return False
def create_full_event(
        self,
        info,
        distribution: MISPDistribution = MISPDistribution.ORGANIZATION,
        threat_level: MISPThreatLevel = MISPThreatLevel.MEDIUM,
        analysis: MISPAnalysis = MISPAnalysis.INITIAL,
        attributes: list = None,
        tags: list = None):
    """Create a MISP event from the given distribution/threat/analysis enums.

    :param info: event title (``info`` field)
    :param distribution: enum whose ``.value`` is written to ``distribution``
    :param threat_level: enum whose ``.value`` is written to ``threat_level_id``
    :param analysis: enum whose ``.value`` is written to ``analysis``
    :param attributes: NOTE(review): when given, only resets
        ``new_event.Attribute`` to an empty list; the items are never added
    :param tags: NOTE(review): likewise only resets ``new_event.Tag``
    :return: the event object returned by ``self.misp_api.add_event``
    """
    new_event = MISPEvent()
    new_event.distribution = distribution.value
    new_event.threat_level_id = threat_level.value
    new_event.analysis = analysis.value
    new_event.info = info
    if attributes is not None:
        new_event.Attribute = list()
    if tags is not None:
        new_event.Tag = list()
    event = self.misp_api.add_event(new_event)
    # Return value is discarded; presumably a connectivity/warm-up call -- confirm.
    self.misp_api.get_all_tags()
    # Debug output of the whole saved event.
    print(event.to_json())
    return event
"The distribution setting used for the attributes and for the newly created event, if relevant. [0-3]." ) parser.add_argument( "-i", "--info", help="Used to populate the event info field if no event ID supplied.") parser.add_argument( "-a", "--analysis", type=int, help= "The analysis level of the newly created event, if applicable. [0-2]") parser.add_argument( "-t", "--threat", type=int, help= "The threat level ID of the newly created event, if applicable. [1-4]") args = parser.parse_args() misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) event = MISPEvent() event.distribution = args.distrib event.threat_level_id = args.threat event.analysis = args.analysis event.info = args.info event = misp.add_event(event, pythonify=True) print(event)
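def misp_check_for_previous_events(misp_instance, isight_alert):
    """Look up an existing MISP event for an iSight alert, or prepare a new one.

    Default: no previous event detected. MISP is searched first for
    ``isight_alert.reportId`` and then, if nothing was found, for the
    URL-quoted ``isight_alert.reportLink``.

    :param misp_instance: PyMISP client (``search_all``/``get``), or ``None``
    :param isight_alert: object exposing ``reportId``, ``reportLink``,
        ``publishDate`` and ``title``
    :return: the result of ``misp_instance.get`` when a previous event exists,
        a freshly populated ``MISPEvent`` otherwise, or ``False`` when no
        ``misp_instance`` was given
    """
    event = False
    if misp_instance is None:
        PySight_settings.logger.error("No misp instance given")
        return False

    # Based on alert id
    if isight_alert.reportId:
        result = misp_instance.search_all(isight_alert.reportId)
        PySight_settings.logger.debug("searched in MISP for %s result: %s",
                                      isight_alert.reportId, result)
        event = check_misp_all_result(result)

    # Based on Alert Url
    if isight_alert.reportLink and not event:
        from urllib import quote
        result = misp_instance.search_all(quote(isight_alert.reportLink))
        PySight_settings.logger.debug("searching in MISP for %s result: %s",
                                      isight_alert.reportLink, result)
        event = check_misp_all_result(result)

    # if one of the above returns a value:
    previous_event = event
    # This looks hacky but avoids exceptions when the result has no ['message'].
    # The empty string is compared with != : `is not ''` tested object
    # identity, which is unreliable for strings (and a SyntaxWarning on 3.8+).
    if previous_event != '' and previous_event is not False and previous_event is not None:
        PySight_settings.logger.debug("Will append my data to: %s", previous_event)
        event = misp_instance.get(str(previous_event))  # not get_event!
    else:
        PySight_settings.logger.debug("Will create a new event for it")
        event = MISPEvent()
        if isight_alert.publishDate:
            new_date = time.strftime('%Y-%m-%d', time.localtime(float(isight_alert.publishDate)))
            PySight_settings.logger.debug("Date will be %s title: %s ID %s",
                                          new_date, isight_alert.title, isight_alert.reportId)
            try:
                _populate_new_event(event, isight_alert)
                event.set_date(new_date)
            except Exception:
                import sys
                print("Unexpected error:", sys.exc_info()[0])
        else:
            _populate_new_event(event, isight_alert)

    if not event:
        PySight_settings.logger.error("Something went really wrong")
        _populate_new_event(event, isight_alert)
    return event


def _populate_new_event(event, isight_alert):
    """Set the fixed defaults (distribution 0, medium threat, initial analysis) and the title."""
    event.distribution = 0
    event.threat_level_id = 2
    event.analysis = 0
    event.info = isight_alert.title + " pySightSight " + isight_alert.reportId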
# Reuse the event from the feed when result_uuid is set, otherwise start a
# new one; then collect the ip-dst values already present. EVENT_NAME,
# org_uuid, org_name, ASN, now, loadEvent and result_uuid come from the
# enclosing script.
if result_uuid:
    # if event exists, get from feed
    event = MISPEvent()
    event.uuid = result_uuid
    event.from_dict(**loadEvent(result_uuid))
    print("Checking for updated values in Event: " + event.uuid + " " + event.info)
    if event.info != EVENT_NAME:
        # information on event info is the same? -> no, rename and mark changed
        print("Event name changed, updading... old:" + event.info + " new:" + EVENT_NAME)
        event.info = EVENT_NAME
        event_changed = 1
        event.timestamp = now
else:
    # event does not exist, generate a new one
    event = MISPEvent()
    event.info = EVENT_NAME
    # events are created with Threat level Undefined and Analysis Initial
    event.analysis = 0
    event.threat_level_id = 4
    # events are created unpublished
    event.published = 0
    event.orgc = MISPOrganisation()
    event.orgc.uuid = org_uuid
    event.orgc.name = org_name
    event_changed = 1
    # each event has always one ASN
    event.add_attribute("AS", str(ASN))
    # NOTE(review): event.uuid is read here without being assigned in this
    # branch; relies on MISPEvent generating one -- confirm.
    print("Creating new Event: " + event.uuid + " " + event.info)

# if event has attributes iterate them and see what changed
blocks = []
for att in event['Attribute']:
    if att['type'] == 'AS':
        print("Attribute ASN found: " + att['value'])
    if att['type'] == 'ip-dst':
        blocks.append(att['value'])
def make_new_event(misp, pulse):
    """Build a MISP event from an OTX pulse and save it.

    The pulse's name becomes the event title; author, adversary, malware
    families and TLP are turned into tags (galaxy tags via ``get_tags`` when
    available), the description becomes a 'comment' attribute and valid
    references become 'link' attributes. All of these values come from the
    pulse feed and are copied into the event as-is.

    :param misp: PyMISP client (used by ``get_tags`` and for ``add_event``)
    :param pulse: dict with ``name``, ``author_name``, ``adversary``,
        ``description``, ``malware_families``, ``references``, ``tlp`` and
        ``created``
    :return: the saved event as returned by ``misp.add_event(..., pythonify=True)``
    """
    LOGGER.info('Creating new event...')
    event = MISPEvent()
    title = pulse['name']
    author = pulse['author_name']
    adversary = pulse['adversary']
    description = pulse['description']
    malware_families = pulse['malware_families']
    references = pulse['references']
    tlp = pulse['tlp']
    try:
        timestamp = dateparser.parse(pulse['created'])
    except Exception as ex:
        LOGGER.error('Cannot parse pulse creation date: {0}'.format(str(ex)))
        timestamp = datetime.utcnow()
    # NOTE(review): event_date is computed but never applied to the event.
    event_date = timestamp.strftime('%Y-%m-%d')
    event.info = title
    event.analysis = Analysis.completed
    event.distribution = Distribution.your_organisation_only
    event.threat_level_id = ThreatLevel.low
    event.add_tag('otx-author:{0}'.format(author))
    if adversary:
        # Several adversaries may be given as one comma-separated string.
        adversary_list = []
        tag_list = []
        if ',' in adversary:
            adversary_list = [s.strip() for s in adversary.split(',')]
        else:
            adversary_list.append(adversary)
        print(adversary_list)
        # Loop variable shadows the outer `adversary` string.
        for adversary in adversary_list:
            galaxy_tags = get_tags(misp, adversary)
            if galaxy_tags:
                for galaxy_tag in galaxy_tags:
                    LOGGER.info('Adding threat actor galaxy tag: "{0}"'.format(galaxy_tag))
                    tag_list.append(galaxy_tag)
            else:
                LOGGER.info('Adding default threat actor galaxy tag: misp-galaxy:threat-actor="{0}"'.format(adversary))
                tag_list.append('misp-galaxy:threat-actor="{0}"'.format(adversary))
        for tag in tag_list:
            event.add_tag(tag)
    if description:
        LOGGER.info('Adding external analysis attribute.')
        event.add_attribute('comment', description, category='External analysis')
    if malware_families:
        for malware_family in malware_families:
            if malware_family:
                galaxy_tags = get_tags(misp, malware_family)
                if galaxy_tags:
                    for tag in galaxy_tags:
                        LOGGER.info('Adding malware galaxy tag: {0}'.format(tag))
                        event.add_tag(tag)
                else:
                    LOGGER.info('Adding default malware galaxy tag: misp-galaxy:tool="{0}"'.format(malware_family))
                    event.add_tag('misp-galaxy:tool="{0}"'.format(malware_family))
    if references:
        event.add_tag('type:OSINT')
        for reference in references:
            # Bare domains are turned into https URLs before validation.
            if is_valid_domain(reference):
                reference = 'https://{0}'.format(reference)
            if is_valid_url(reference):
                LOGGER.info('Adding attribute for reference: {0}'.format(reference))
                event.add_attribute('link', reference, category='External analysis')
    if tlp:
        LOGGER.info('Adding TLP tag: tlp:{0}'.format(tlp))
        event.add_tag('tlp:{0}'.format(tlp))
    LOGGER.info('Saving event...')
    time.sleep(1)
    return misp.add_event(event, pythonify=True)
responseVap = requests.request("GET", urlVap, headers=headers) jsonDataVap = json.loads(responseVap.text) for alert in jsonDataVap["users"]: orgc = MISPOrganisation() orgc.name = 'Proofpoint' orgc.id = '#{ORGC.ID}' # organisation id orgc.uuid = '#{ORGC.UUID}' # organisation uuid # initialize and set MISPEvent() event = MISPEvent() event.Orgc = orgc event.info = 'Very Attacked Person ' + jsonDataVap["interval"] event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config event.threat_level_id = 2 # setting this to 0 breaks the integration event.analysis = 0 # Optional, defaults to 0 (initial analysis) totalVapUsers = event.add_attribute('counter', jsonDataVap["totalVapUsers"], comment="Total VAP Users") averageAttackIndex = event.add_attribute('counter', jsonDataVap["averageAttackIndex"], comment="Average Attack Count") vapAttackIndexThreshold = event.add_attribute( 'counter', jsonDataVap["vapAttackIndexThreshold"], comment="Attack Threshold") emails = event.add_attribute('email-dst',
def create_event(misp):
    """Return an unsaved MISPEvent with distribution 0, threat level 1 (high) and analysis 0 (initial).

    :param misp: accepted for interface compatibility; not used
    :return: the prepared ``MISPEvent``
    """
    blank = MISPEvent()
    for field, value in (('distribution', 0), ('threat_level_id', 1), ('analysis', 0)):
        setattr(blank, field, value)
    return blank
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Create an 'IoT malware' botnet event with one URL attribute on a MISP instance."""

from pymisp import ExpandedPyMISP, MISPEvent
from pymisp import MISPObject
from keys import misp_url, misp_key, misp_verifycert
from datetime import date

# Third argument controls TLS certificate verification for the API connection.
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

event = MISPEvent()
event.info = 'IoT malware'  # Event Title
event.distribution = 1  # 0 = Your Organisation Only, 1 = Community
event.threat_level_id = 2  # 1 = High, 2 = Medium, 3 = Low
event.analysis = 2  # 0 (initial analysis), 1 (On-Going), 2 (Complete)
for tag in ('malware_classification:malware-category="Botnet"', 'tlp:amber'):
    event.add_tag(tag)
event.set_date(date.today())
attribute_second = event.add_attribute(
    'url', 'http://1.2.3.4/example',
    disable_correlation=False, comment="Botnet example text", to_ids=False)

event = misp.add_event(event, pythonify=True)
# Publish event
def misp_send(self, strMISPEventID, strInput, strInfo, strUsername):
    """Parse a free-text indicator submission into MISP objects and push them as a new event.

    ``strInput`` is split into lines; each ``key: value`` line is mapped onto
    a MISP object (domain-ip, network-connection, email, url, file). The
    comment and tags come from ``self.get_comm_and_tags``. A new event with
    ``strInfo`` as title is created, the objects are submitted via
    ``self.submit_to_misp``, the tags applied and the event published.

    :param strMISPEventID: not used in this method
    :param strInput: raw user text, one indicator per line
    :param strInfo: event title
    :param strUsername: submitter, used only in the tag-error log line
    :return: ``None`` when no tags were found, a human-readable success
        string ("Created ID: ..."), or an error string
    """
    # Establish communication with MISP
    # event = MISPEvent()
    # event.info = 'Test event'
    # event.analysis = 0
    # event.distribution = 3
    # event.threat_level_id = 2
    # event.add_attribute('md5', '678ff97bf16d8e1c95679c4681834c41')
    # #<add more attributes>
    # self.misp.add_event(event)
    # exit()
    try:
        objects = []
        #get comments and tags from string input
        str_comment, tags = self.get_comm_and_tags(strInput)
        print(tags)
        # NOTE(review): `is None` is the idiomatic test; kept as-is here.
        if tags == None:
            self.misp_logger.info('Irate not in Tags: %s equals None' % tags)
            response = None
            return response
        #setup misp objects
        mispobj_email = MISPObject(name="email")
        mispobj_file = MISPObject(name="file")
        mispobj_files = {}
        mispobj_domainip = MISPObject(name="domain-ip")
        url_no = 0
        file_no = 0
        mispobj_urls = {}
        #process input
        for line in strInput.splitlines():
            if ("domain:" in line.lower()):  #Catch domain and add to domain/IP object
                mispobj_domainip = MISPObject(name="domain-ip")
                vals = line.split(":", 1)
                mispobj_domainip.add_attribute("domain", value=vals[1].strip(), comment=str_comment)
                objects.append(mispobj_domainip)
            elif ("ip:" in line.lower()) or ("ip-dst:" in line.lower()) or ("ip-src:" in line.lower()):  #Catch IP and add to domain/IP object
                # NOTE(review): this tests whether a WHOLE line equals
                # "domain:", so it is only true for a bare "domain:" line;
                # IPs therefore normally go to a network-connection object.
                if "domain:" in strInput.splitlines():
                    mispobj_domainip = MISPObject(name="domain-ip")
                    vals = line.split(":", 1)
                    mispobj_domainip.add_attribute("ip", value=vals[1].strip(), comment=str_comment)
                    objects.append(mispobj_domainip)
                else:
                    mispobj_network_connection = MISPObject(name="network-connection")
                    vals = line.split(":", 1)
                    if ("ip:" in line.lower()) or ("ip-dst:" in line.lower()):
                        mispobj_network_connection.add_attribute("ip-dst", type="ip-dst", value=vals[1].strip(), comment=str_comment)
                    else:
                        mispobj_network_connection.add_attribute("ip-src", type="ip-src", value=vals[1].strip(), comment=str_comment)
                    objects.append(mispobj_network_connection)
            elif ("source-email:" in line.lower()) or ("email-source" in line.lower()) or ("from:" in line.lower()):  #Catch email and add to email object
                vals = line.split(":", 1)
                mispobj_email.add_attribute("from", value=vals[1].strip(), comment=str_comment)
            elif ("url:" in line.lower()) or (('kit:' in line.lower() or ('creds:' in line.lower())) and (('hxxp' in line.lower()) or ('http' in line.lower()))):  #Catch URL and add to URL object
                vals = line.split(":", 1)
                url = vals[1].strip()
                # Defanged input (hxxp etc.) is turned back into a live URL before parsing.
                url = refang(url)
                parsed = urlparse(url)
                mispobj_url = MISPObject(name="url")
                mispobj_url.add_attribute("url", value=parsed.geturl(), category="Payload delivery", comment=str_comment)
                if parsed.hostname:
                    mispobj_url.add_attribute("host", value=parsed.hostname, comment=str_comment)
                if parsed.scheme:
                    mispobj_url.add_attribute("scheme", value=parsed.scheme, comment=str_comment)
                if parsed.port:
                    mispobj_url.add_attribute("port", value=parsed.port, comment=str_comment)
                mispobj_urls[url_no] = mispobj_url
                url_no += 1
            #Catch different hashes and add to file object
            elif ("sha1:" in line.lower()) or ("SHA1:" in line):
                vals = line.split(":", 1)
                mispobj_file.add_attribute("sha1", value=vals[1].strip(), comment=str_comment)
            elif ("sha256:" in line.lower()) or ("SHA256:" in line):
                vals = line.split(":", 1)
                mispobj_file.add_attribute("sha256", value=vals[1].strip(), comment=str_comment)
            elif ("md5:" in line.lower()) or ("MD5:" in line):
                vals = line.split(":", 1)
                mispobj_file.add_attribute("md5", value=vals[1].strip(), comment=str_comment)
            elif ("subject:" in line.lower()):  #or ("subject:" in line): #Catch subject and add to email object
                self.misp_logger.info('adding subject')
                vals = line.split(":", 1)
                mispobj_email.add_attribute("subject", value=vals[1].strip(), comment=str_comment)
            elif ("hash|filename:" in line.lower()):  #catch hash|filename pair and add to file object
                vals = line.split(":", 1)
                val = vals[1].split("|")
                l_hash = val[0]
                l_filename = val[1]
                l_mispobj_file = MISPObject(name="file")
                # Hash type is inferred from its hex length: 32 md5, 40 sha1, 64 sha256.
                if len(re.findall(r"\b[a-fA-F\d]{32}\b", l_hash)) > 0:
                    l_mispobj_file.add_attribute("md5", value=l_hash.strip(), comment=str_comment)
                    l_mispobj_file.add_attribute("filename", value=l_filename.strip(), comment=str_comment)
                    mispobj_files[file_no] = l_mispobj_file
                elif len(re.findall(r'\b[0-9a-f]{40}\b', l_hash)) > 0:
                    l_mispobj_file.add_attribute("sha1", value=l_hash.strip(), comment=str_comment)
                    l_mispobj_file.add_attribute("filename", value=l_filename.strip(), comment=str_comment)
                    mispobj_files[file_no] = l_mispobj_file
                elif len(re.findall(r'\b[A-Fa-f0-9]{64}\b', l_hash)) > 0:
                    l_mispobj_file.add_attribute("sha256", value=l_hash.strip(), comment=str_comment)
                    l_mispobj_file.add_attribute("filename", value=l_filename.strip(), comment=str_comment)
                    mispobj_files[file_no] = l_mispobj_file
                file_no += 1
        #add all misp objects to List to be processed and submitted to MISP server as one.
        if len(mispobj_file.attributes) > 0:
            objects.append(mispobj_file)
        if len(mispobj_email.attributes) > 0:
            objects.append(mispobj_email)
        for u_key, u_value in mispobj_urls.items():
            if len(u_value.attributes) > 0:
                objects.append(u_value)
        for f_key, f_value in mispobj_files.items():
            if len(f_value.attributes) > 0:
                objects.append(f_value)
        # Update timestamp and event
    except Exception as e:
        error = traceback.format_exc()
        response = "Error occured when converting string to misp objects:\n %s" % error
        self.misp_logger.error(response)
        return response
    if self.check_object_length(objects) != True:
        self.misp_logger.error('Input from %s did not contain accepted tags.\n Input: \n%s' % (strUsername, strInput))
        return "Error in the tags you entered. Please see the guide for accepted tags."
    try:
        # self.misp_logger.error(dir(self.misp))
        # New event: org-only, completed analysis, low threat level.
        misp_event = MISPEvent()
        misp_event.info = strInfo
        misp_event.distribution = 0
        misp_event.analysis = 2
        misp_event.threat_level_id = 3
        # event.add_attribute('md5', '678ff97bf16d8e1c95679c4681834c41')
        #event = self.misp.new_event(info=strInfo, distribution='0', analysis='2', threat_level_id='3', published=False)
        #misp_event = MISPEvent()
        #misp_event.load(event)
        add = self.misp.add_event(misp_event)
        self.misp_logger.info("Added event %s" % add)
        a, b = self.submit_to_misp(self.misp, misp_event, objects)
        for tag in tags:
            self.misp.tag(misp_event.uuid, tag)
        #self.misp.add_internal_comment(misp_event.id, reference="Author: " + strUsername, comment=str_comment)
        ccc = self.misp.publish(misp_event, alert=False)
        self.misp_logger.info(ccc)
        # Re-fetch so the response carries server-side data such as RelatedEvent.
        misp_event = self.misp.get_event(misp_event)
        response = misp_event
        #for response in misp_event:
        if ('errors' in response and response['errors'] != None):
            return ("Submission error: " + repr(response['errors']))
        else:
            if response['Event']['RelatedEvent']:
                e_related = ""
                for each in response['Event']['RelatedEvent']:
                    e_related = e_related + each['Event']['id'] + ", "
                return "Created ID: " + str(response['Event']['id']) + "\nRelated Events: " + ''.join(e_related)
            else:
                return "Created ID: " + str(response['Event']['id'])
    except Exception as e:
        error = traceback.format_exc()
        response = "Error occured when submitting to misp:\n %s" % error
        self.misp_logger.error(response)
        return response
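def run(self, results):
    """Run analysis.

    Pushes the analysis results to MISP: the event holding the sample's
    sha256 is reused when one exists, otherwise a new event is created, and
    signatures, hashes, network IOCs, dropped files, the sample itself and
    selected behaviour artefacts are attached to it.

    @param results: analysis results dict; reads "target", "malscore",
        "detections", "info" and "behavior".
    @return: None. Failures are logged, not raised.
    """
    url = self.options.get("url", "")
    apikey = self.options.get("apikey", "")
    if not url or not apikey:
        log.error("MISP URL or API key not configured.")
        return

    # NOTE(review): the third positional argument (ssl=False) disables TLS
    # certificate verification for the MISP connection — confirm this is intended.
    self.misp = PyMISP(url, apikey, False, "json")
    # Empty/missing "threads" falls back to 5, as before.
    self.threads = self.options.get("threads") or 5
    self.iocs = deque()
    self.misper = dict()

    try:
        if not self.options.get("upload_iocs", False):
            return
        if results.get("malscore", 0) < self.options.get("min_malscore", 0):
            return

        distribution = int(self.options.get("distribution", 0))
        threat_level_id = int(self.options.get("threat_level_id", 4))
        analysis = int(self.options.get("analysis", 0))
        tag = self.options.get("tag") or "CAPEv2"
        info = self.options.get("title", "")
        upload_sample = self.options.get("upload_sample")
        malfamily = results.get("detections", "") or ""

        # URL tasks carry no "file" entry; look up by hash only when there is one
        # instead of failing on a KeyError before any event is created.
        sha256 = results.get("target", {}).get("file", {}).get("sha256")
        event = self._find_or_create_event(
            sha256, info, malfamily, results, distribution, threat_level_id, analysis
        )

        # Add a specific tag to flag Cuckoo's event
        if tag:
            self.misp.tag(event, tag)

        # malpedia galaxy
        if malpedia_json:
            self.malpedia(results, event, malfamily)

        # ToDo?
        self.signature(results, event)
        self.sample_hashes(results, event)
        self.all_network(results, event)
        self.dropped_files(results, event)

        if upload_sample:
            self._attach_sample(event, results)

        target_url = results.get("target", {}).get("url", "")
        if target_url and target_url not in whitelist:
            event.add_attribute("url", target_url)

        # ToDo migth be outdated!
        # if self.options.get("ids_files", False) and "suricata" in results.keys():
        #     for surifile in results["suricata"]["files"]:
        #         if "file_info" in surifile.keys():
        #             self.misper["iocs"].append({"md5": surifile["file_info"]["md5"]})
        #             self.misper["iocs"].append({"sha1": surifile["file_info"]["sha1"]})
        #             self.misper["iocs"].append({"sha256": surifile["file_info"]["sha256"]})

        summary = results.get("behavior", {}).get("summary", {})
        if self.options.get("mutexes", False):
            for mutex in summary.get("mutexes", []):
                if mutex not in whitelist:
                    event.add_attribute("mutex", mutex)
        if self.options.get("registry", False):
            for regkey in summary.get("read_keys", []):
                event.add_attribute("regkey", regkey)

        event.run_expansions()
        self.misp.update_event(event)

        # Make event public
        if self.options.get("published", True):
            self.misp.publish(event)
    except Exception as e:
        log.error("Failed to generate MISP report: %s", e, exc_info=True)


def _find_or_create_event(self, sha256, info, malfamily, results, distribution, threat_level_id, analysis):
    """Return the MISP event already holding *sha256*, or create a fresh one."""
    if sha256:
        response = self.misp.search("attributes", value=sha256, return_format="json", pythonify=True)
        if response:
            return self.misp.get_event(response[0].event_id, pythonify=True)
    event = MISPEvent()
    event.distribution = distribution
    event.threat_level_id = threat_level_id
    event.analysis = analysis
    event.info = "{} {} - {}".format(info, malfamily, results.get("info", {}).get("id"))
    return self.misp.add_event(event, pythonify=True)


def _attach_sample(self, event, results):
    """Attach the analysed file to *event* as a "malware-sample" attribute."""
    target = results.get("target", {})
    sample = target.get("file", {})
    if target.get("category") != "file" or not sample:
        return
    # The handle gets its own name: binding it to the same name as the file
    # dict would shadow the dict and break the basename()/path lookups below.
    with open(sample["path"], "rb") as fh:
        event.add_attribute(
            "malware-sample",
            value=os.path.basename(sample["path"]),
            data=BytesIO(fh.read()),
            expand="binary",
            comment="Sample run",
        )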
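def create_misp_event(misp_instance, isight_report_instance, event_tags):
    """Create a new MISP event for an iSight report that has no event yet.

    Args:
        misp_instance: PyMISP client used to add the event, tag it and attach
            attributes.
        isight_report_instance: iSight report; reads publishDate, riskRating,
            title, reportId, webLink and ThreatScape.
        event_tags: iterable of tag names applied to the new event; a falsy
            value adds none.

    Side effects: appends the new event's id to the module-level
    ``new_events`` list, pushes the event to MISP and delegates the
    report-specific attributes to ``update_misp_event``.
    """
    global new_events

    # Risk rating -> MISP threat_level_id (1 High, 2 Medium, 3 Low, 4 Unknown).
    # The lookup is case-insensitive, so "CRITICAL"/"Critical"/"critical" agree.
    risk_to_threat_level = {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

    # Use the report's publication date when iSight provides one, else "now".
    # Both branches are UTC-aware so the two paths cannot disagree by a day.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, tz=datetime.timezone.utc)
    else:
        date = datetime.datetime.now(datetime.timezone.utc)

    # Create a MISP event from the FireEye iSight report with the following parameters.
    event = MISPEvent()
    event.distribution = 1  # This community only
    rating = str(isight_report_instance.riskRating or "").upper()
    event.threat_level_id = risk_to_threat_level.get(rating, 4)
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    PySight_settings.logger.debug('Created MISP event %s for iSight report %s', event,
                                  isight_report_instance.reportId)
    # Add the event ID to the global list of newly created events.
    new_events.append(my_event['id'])

    # Add default tags to the event.
    for event_tag in event_tags or ():
        misp_instance.tag(my_event, event_tag)

    # Use some iSight ThreatScapes for event tagging. Reports can have multiple
    # ThreatScapes, so every matching pair is applied.
    # VERIS distinguishes between external, internal or partner actors; that
    # difference is not yet implemented in MISP, so the espionage tag is the
    # actor-agnostic 'veris:actor:motive' one (external would be most likely).
    threatscape_tags = (
        ('Cyber Espionage', 'veris:actor:motive="Espionage"'),
        ('Hacktivism', 'veris:actor:external:variety="Activist"'),
        ('Critical Infrastructure', 'basf:technology="OT"'),
        ('Cyber Physical', 'basf:technology="OT"'),
        ('Cyber Crime', 'veris:actor:external:variety="Organized crime"'),
    )
    threatscape = isight_report_instance.ThreatScape or ()
    for scape, scape_tag in threatscape_tags:
        if scape in threatscape:
            misp_instance.tag(my_event, scape_tag)

    def add_attribute(category, attr_type, value, **extra):
        """Attach a non-IDS attribute of *attr_type* to the new event."""
        attribute = {'category': category, 'type': attr_type, 'to_ids': False, 'value': value}
        attribute.update(extra)
        misp_instance.add_attribute(my_event, attribute, pythonify=True)

    # Add the iSight report ID and web link as attributes.
    if isight_report_instance.reportId:
        add_attribute('External analysis', 'text', isight_report_instance.reportId)
    if isight_report_instance.webLink:
        add_attribute('External analysis', 'link', isight_report_instance.webLink)
    # Put the ThreatScape into an Attribution attribute, but disable correlation.
    if isight_report_instance.ThreatScape:
        add_attribute('Attribution', 'text', isight_report_instance.ThreatScape,
                      disable_correlation=True)

    # Add specific attributes from this iSight report.
    update_misp_event(misp_instance, my_event, isight_report_instance)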
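def save(self):
    """Create or update the MISP event for the twisted domain behind this alert.

    Resolves the alert's DnsTwisted record, makes sure a Site holding the
    domain's IOCs exists (a temporary one is created and removed again when
    the domain is not under monitoring), then either updates the attributes
    of the existing MISP event or creates a new event and stores its id on
    the DnsTwisted (and, when monitored, the Site) record.

    Raises:
        AuthenticationFailed: the MISP URL fails TLS verification.
        NotFound: the MISP URL cannot be reached.
    """
    alert = Alert.objects.get(pk=self.validated_data['id'])
    dns_twisted = DnsTwisted.objects.get(pk=alert.dns_twisted.pk)
    domain_name = dns_twisted.domain_name

    # Getting IOCs related to the new twisted domain
    already_in_monitoring = Site.objects.filter(domain_name=domain_name).exists()
    if already_in_monitoring:
        site = Site.objects.get(domain_name=domain_name)
        # Store Event Id in database
        DnsTwisted.objects.filter(pk=dns_twisted.pk).update(misp_event_id=site.misp_event_id)
    else:
        site = Site.objects.create(domain_name=domain_name, rtir=-999999999)
        monitoring_init(site)
        site = Site.objects.get(pk=site.pk)
        # We now have the IOCs related to the domain; drop the temporary Site so
        # the domain does not stay under monitoring. `site` stays usable in memory.
        Site.objects.filter(pk=site.pk).delete()

    if site.misp_event_id is None:
        site.misp_event_id = dns_twisted.misp_event_id

    self._check_misp_reachable()
    misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY, settings.MISP_VERIFY_SSL)

    if site.misp_event_id is not None:
        # If the event already exists, then we update IOCs
        update_attributes(misp_api, site)
        return

    # If the event does not exist, then we create it
    event = MISPEvent()
    event.distribution = 0
    event.threat_level_id = 2
    event.analysis = 0
    event.info = "Suspicious domain name " + site.domain_name
    event.tags = create_misp_tags(misp_api)
    print(str(timezone.now()) + " - " + 'Create MISP Event')
    print('-----------------------------')
    event = misp_api.add_event(event, pythonify=True)
    # Store Event Id in database (the Site row only survives when monitored)
    DnsTwisted.objects.filter(pk=dns_twisted.pk).update(misp_event_id=event.id)
    if already_in_monitoring:
        Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)
    # Create MISP Attributes
    create_attributes(misp_api, event.id, site)


def _check_misp_reachable(self):
    """Probe the MISP URL and map connection failures to API errors.

    Raises:
        AuthenticationFailed: TLS verification of the MISP URL failed.
        NotFound: any other request error (unreachable host, timeout, ...).
    """
    # Without a timeout a hung MISP instance would block this request handler
    # indefinitely; the probe only has to prove the endpoint answers.
    probe_timeout = 10  # seconds
    try:
        requests.get(settings.MISP_URL, verify=settings.MISP_VERIFY_SSL, timeout=probe_timeout)
    except requests.exceptions.SSLError as e:
        print(str(timezone.now()) + " - ", e)
        raise AuthenticationFailed("SSL Error: " + settings.MISP_URL) from e
    except requests.exceptions.RequestException as e:
        print(str(timezone.now()) + " - ", e)
        raise NotFound("Not Found: " + settings.MISP_URL) from e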
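def misp_add_event(self, query):
    """Build a MISPEvent from a McAfee ATD sandbox analysis report.

    Args:
        query: parsed ATD report dict; reads query['Summary'] and its
            'Subject', 'Verdict', 'ATD IP', 'Dst IP', 'TaskId', 'Processes',
            'Files', 'Urls', 'Ips', 'Stats' and 'Behavior' entries. Each
            per-section loop is best-effort: a section that is missing or
            malformed (KeyError/TypeError) is skipped, not fatal.

    Returns:
        The populated MISPEvent. It is NOT submitted here; the caller pushes
        it to the MISP instance.
    """
    summary = query['Summary']
    # Parse out all data from json
    mainfile = summary['Subject']['Name']
    # Set Distribution = Organization Only
    distribution = self.parameters.misp_distribution
    # Set Threat level = getting the threat level from ATD
    threat_level_id = summary['Verdict']['Severity']
    # Set Analysis status = completed
    analysis_status = 2

    # Create Event object in MISP
    misp_event = MISPEvent()
    misp_event.info = "McAfee ATD Sandbox Analysis Report - " + mainfile
    misp_event.distribution = distribution
    misp_event.threat_level_id = atd_to_misp_confidence(threat_level_id)
    misp_event.analysis = analysis_status

    def add_if_present(attr_type, value):
        """Add *value* as an attribute of *attr_type*, skipping empty values."""
        if value:
            self.misp_add_attribute(misp_event, attr_type, value)

    # Add main Information to MISP
    atdip = summary['ATD IP']
    if atdip:
        add_if_present("comment", "ATD IP " + atdip)
    add_if_present("ip-dst", summary['Dst IP'])
    taskid = summary['TaskId']
    if taskid:
        add_if_present("comment", "ATD TaskID: " + taskid)
    size = summary['Subject']['size']
    if size:
        # str(): the size may arrive as a number, which cannot be concatenated.
        add_if_present("comment", "File size is " + str(size))
    add_if_present("comment", summary['Verdict']['Description'])

    # Add file object to MISP Event
    self.misp_add_fileObject(misp_event, mainfile,
                             summary['Subject']['md5'],
                             summary['Subject']['sha-1'],
                             summary['Subject']['sha-256'])

    # Each section below is optional in the report; missing keys or a
    # non-iterable section skip that section only.
    skippable = (KeyError, TypeError)

    # Add process information to MISP
    try:
        for process in summary['Processes']:
            add_if_present("filename", process['Name'])
            add_if_present("md5", process['Md5'])
            add_if_present("sha1", process['Sha1'])
            add_if_present("sha256", process['Sha256'])
    except skippable:
        pass

    # Add files information to MISP
    try:
        for entry in summary['Files']:
            # Add attributes as FileObject to event
            self.misp_add_fileObject(misp_event, entry['Name'], entry['Md5'],
                                     entry['Sha1'], entry['Sha256'])
    except skippable:
        pass

    # Add URL information to MISP
    try:
        for url_entry in summary['Urls']:
            add_if_present("url", url_entry['Url'])
    except skippable:
        pass

    # Add ips information to MISP
    try:
        for ip_entry in summary['Ips']:
            ipv4 = ip_entry['Ipv4']
            port = ip_entry['Port']
            add_if_present("ip-dst", ipv4)
            if ipv4 and port:
                # str(): the port may arrive as a number.
                # NOTE(review): an "ip:port" pair is stored as a "url"
                # attribute here; MISP's "ip-dst|port" type would describe it
                # more precisely — confirm before changing, it alters correlation.
                add_if_present("url", ipv4 + ":" + str(port))
    except skippable:
        pass

    # Add stats Information to MISP
    try:
        for stats in summary['Stats']:
            add_if_present("comment", stats['Category'])
    except skippable:
        pass

    # Add behaviour information to MISP
    try:
        for behave in summary['Behavior']:
            # Test the behaviour entry itself (the original tested the leftover
            # loop variable of the Stats section).
            add_if_present("comment", behave['Analysis'])
    except skippable:
        pass

    # Add Confidence level from ATD to MISP
    self.misp_add_tag(misp_event, str(atd_to_veris_confidence(threat_level_id)))
    # Add TLP info to MISP
    self.misp_add_tag(misp_event, "tlp:amber")
    self.misp_add_tag(misp_event, "McAfee ATD Analysis")
    # Add tag to event
    self.misp_add_tag(misp_event, "cssa:origin=\"sandbox\"")
    self.misp_add_tag(misp_event, "cssa:sharing-class=\"unvetted\"")

    # Add actual event to MISP instance
    # Moved to calling routine
    # misp_event = self.misp.add_event(misp_event)
    return misp_event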