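def do_transform(self, request, response, config):
    """Expand a MISP event entity into its related events, attributes, objects, galaxy clusters and tags.

    Args:
        request: Maltego transform request; ``request.entity`` is the MISP event
            entity whose ``id`` is fetched from the server.
        response: Maltego transform response; generated entities are appended
            with ``+=``.
        config: configuration handed to ``get_misp_connection``.

    Returns:
        ``response`` with the generated entities appended. It is returned
        untouched when the server answer carries no ``Event`` block.
    """
    maltego_misp_event = request.entity
    misp = get_misp_connection(config)
    # FIXME get it without attachments
    event_json = misp.get_event(maltego_misp_event.id)
    event = event_json.get('Event')
    if not event:
        return response
    # Sub-sections missing from the server answer are treated as empty rather
    # than raising KeyError halfway through building the response.
    for e in event.get('RelatedEvent', []):
        response += event_to_entity(e)
    for a in event.get('Attribute', []):
        for entity in attribute_to_entity(a):
            if entity:
                response += entity
    for o in event.get('Object', []):
        # LATER unfortunately we cannot automatically expand the objects
        response += object_to_entity(o)
    for g in event.get('Galaxy', []):
        for c in g.get('GalaxyCluster', []):
            response += galaxycluster_to_entity(c)
    for t in event.get('Tag', []):
        # ignore all misp-galaxies: they are already emitted as galaxy clusters above
        if t['name'].startswith('misp-galaxy'):
            continue
        response += Hashtag(t['name'])
    return response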
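def do_transform(self, request, response, config):
    """Expand a MISP event entity into its own entity, tags, galaxy clusters, attributes and objects.

    Args:
        request: Maltego transform request; ``request.entity`` is the MISP event
            entity whose ``id`` is fetched from the server.
        response: Maltego transform response; generated entities are appended
            with ``+=``.
        config: configuration handed to ``get_misp_connection``.

    Returns:
        ``response`` with the generated entities appended. It is returned
        untouched when the server answer carries no ``Event`` block.
    """
    maltego_misp_event = request.entity
    misp = get_misp_connection(config)
    # FIXME get it without attachments
    # FIXME use search + includeAttachments:0, eventid: as request body
    event_json = misp.get_event(maltego_misp_event.id)
    event = event_json.get('Event')
    if not event:
        return response
    response += event_to_entity(event_json)
    # Every event-level tag name is collected (also the ones not emitted as
    # Hashtag) so the attributes can turn them into notes.
    event_tags = []
    for t in event.get('Tag', []):
        event_tags.append(t['name'])
        # ignore all misp-galaxies
        if t['name'].startswith('misp-galaxy'):
            continue
        # ignore all those we add as notes
        if tag_matches_note_prefix(t['name']):
            continue
        response += Hashtag(t['name'])
    for g in event.get('Galaxy', []):
        for c in g.get('GalaxyCluster', []):
            response += galaxycluster_to_entity(c)
    # RelatedEvent entries are deliberately not expanded here
    # (was: event_to_entity(e, link_style=LinkStyle.DashDot) per related event).
    for a in event.get('Attribute', []):
        # Hand each attribute its own copy of the tag list so that tags
        # appended by attribute_to_entity cannot leak into the next attribute.
        for entity in attribute_to_entity(a, event_tags=list(event_tags)):
            if entity:
                response += entity
    for o in event.get('Object', []):
        # LATER unfortunately we cannot automatically expand the objects
        response += object_to_entity(o)
    return response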
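def attribute_to_entity(a, link_label=None, event_tags=None, only_self=False):
    """Yield the Maltego entities that represent one MISP attribute.

    Depending on the attribute this yields galaxy-cluster entities, Hashtag
    entities for its tags, and one or two entities for the value itself
    (two for combined ``type1|type2`` attributes).

    Args:
        a: MISP attribute dict. It is modified in place: ``a['data']`` is
            cleared and ``malware-sample`` / ``regkey|value`` types are
            rewritten to ``filename|md5`` / ``regkey``.
        link_label: label put on the link of the value entities, if any.
        event_tags: tag names of the enclosing event; they are merged with the
            attribute's own tags to build the notes. The list given by the
            caller is never modified.
        only_self: when true, galaxies and tags of the attribute are neither
            yielded nor merged into the notes; only the value entities are
            produced.

    Yields:
        Maltego entity objects. Nothing is yielded for a type that has no
        entry in ``mapping_misp_to_maltego``.

    Raises:
        ValueError: for a combined type whose value does not contain ``|``.
    """
    # prepare some attributes to a better form
    a['data'] = None  # empty the file content as we really don't need this here
    if a['type'] == 'malware-sample':
        a['type'] = 'filename|md5'
    if a['type'] == 'regkey|value':
        # LATER regkey|value => needs to be a special non-combined object
        a['type'] = 'regkey'

    # Work on a private copy: the previous mutable default and aliasing made
    # attribute tags accumulate across calls and leak back to the caller.
    combined_tags = list(event_tags) if event_tags else []

    if 'Galaxy' in a and not only_self:
        for g in a['Galaxy']:
            for c in g['GalaxyCluster']:
                yield galaxycluster_to_entity(c)

    # complement the event tags with the attribute tags.
    if 'Tag' in a and not only_self:
        for t in a['Tag']:
            combined_tags.append(t['name'])
            # ignore all misp-galaxies
            if t['name'].startswith('misp-galaxy'):
                continue
            # ignore all those we add as notes
            if tag_matches_note_prefix(t['name']):
                continue
            yield Hashtag(t['name'], bookmark=Bookmark.Green)

    notes = convert_tags_to_note(combined_tags)

    def comment_label():
        # fresh Label per entity, as the original did, in case labels are mutated downstream
        return Label('comment', a.get('comment'))

    # special cases
    if a['type'] in ('url', 'uri'):
        yield URL(url=a['value'], short_title=a['value'], link_label=link_label,
                  notes=notes, bookmark=Bookmark.Green)
        return

    # attribute is from an object, and a relation gives better understanding of the type of attribute
    if a.get('object_relation') and mapping_misp_to_maltego.get(a['object_relation']):
        entity_obj = mapping_misp_to_maltego[a['object_relation']][0]
        yield entity_obj(a['value'], labels=[comment_label()], link_label=link_label,
                         notes=notes, bookmark=Bookmark.Green)

    # combined attributes
    elif '|' in a['type']:
        t_1, t_2 = a['type'].split('|')
        # split only on the first separator: a filename part may itself contain '|'
        v_1, v_2 = a['value'].split('|', 1)
        if t_1 in mapping_misp_to_maltego:
            entity_obj = mapping_misp_to_maltego[t_1][0]
            labels = [comment_label()]
            if entity_obj == File:
                labels.append(Label('hash', v_2))
            yield entity_obj_to_entity(entity_obj, v_1, t_1, labels=labels, link_label=link_label,
                                       notes=notes, bookmark=Bookmark.Green)
            # LATER change the comment to include the second part of the regkey
        if t_2 in mapping_misp_to_maltego:
            entity_obj = mapping_misp_to_maltego[t_2][0]
            labels = [comment_label()]
            if entity_obj == Hash:
                labels.append(Label('filename', v_1))
            yield entity_obj_to_entity(entity_obj, v_2, t_2, labels=labels, link_label=link_label,
                                       notes=notes, bookmark=Bookmark.Green)
            # LATER change the comment to include the first part of the regkey

    # normal attributes
    elif a['type'] in mapping_misp_to_maltego:
        entity_obj = mapping_misp_to_maltego[a['type']][0]
        yield entity_obj_to_entity(entity_obj, a['value'], a['type'], labels=[comment_label()],
                                   link_label=link_label, notes=notes, bookmark=Bookmark.Green)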
def gen_response_tags(self, gen_response=True):
    """Collect the event-level tag names into ``self.event_tags``.

    Every tag name of ``self.event_json['Event']`` is recorded. When
    ``gen_response`` is true, a ``Hashtag`` entity is additionally appended to
    ``self.response`` for each tag, except ``misp-galaxy`` tags and tags that
    ``tag_matches_note_prefix`` reports as note tags.

    Args:
        gen_response: whether to emit Hashtag entities besides collecting names.
    """
    self.event_tags = []
    for tag in self.event_json['Event'].get('Tag', []):
        name = tag['name']
        self.event_tags.append(name)
        # galaxy tags are rendered elsewhere; note-prefixed tags end up as notes
        if name.startswith('misp-galaxy') or tag_matches_note_prefix(name):
            continue
        if gen_response:
            self.response += Hashtag(name)
def do_transform(self, request, response, config):
    """Look up a tweet by id in the ``twinttweets`` index and emit one Hashtag per hashtag it carries.

    Args:
        request: Maltego transform request; ``request.entity.id`` is the tweet
            id and ``request.limits.hard`` bounds the number of hits asked for.
        response: Maltego transform response; Hashtag entities are appended.
        config: unused here.

    Returns:
        ``response`` with the Hashtag entities appended. A ``UnicodeEncodeError``
        anywhere in the lookup aborts the remaining hits and returns what was
        collected so far.
    """
    tweet_entity = request.entity
    try:
        query = {
            'query': {'match': {'id': tweet_entity.id}},
            'size': request.limits.hard,
        }
        hits = es.search(index="twinttweets", body=query)['hits']['hits']
        for hit in hits:
            for tag_text in hit['_source']['hashtags']:
                hashtag = Hashtag()
                hashtag.value = tag_text
                response += hashtag
    except UnicodeEncodeError:
        # best-effort: keep whatever was added before the encoding problem
        pass
    return response
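def do_transform(self, request, response, config):
    """Emit the Hashtag and galaxy-cluster entities attached to a MISP event.

    Args:
        request: Maltego transform request; ``request.entity`` is the MISP event
            entity whose ``id`` is fetched from the server.
        response: Maltego transform response; generated entities are appended
            with ``+=``.
        config: configuration handed to ``get_misp_connection``.

    Returns:
        ``response`` with the generated entities appended. It is returned
        untouched when the server answer carries no ``Event`` block.
    """
    maltego_misp_event = request.entity
    misp = get_misp_connection(config)
    event_json = misp.get_event(maltego_misp_event.id)
    event = event_json.get('Event')
    if not event:
        return response
    for t in event.get('Tag', []):
        # ignore all misp-galaxies: they are emitted as galaxy clusters below
        if t['name'].startswith('misp-galaxy'):
            continue
        response += Hashtag(t['name'])
    for g in event.get('Galaxy', []):
        for c in g.get('GalaxyCluster', []):
            response += galaxycluster_to_entity(c)
    return response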
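def do_transform(self, request, response, config):
    """Search MISP for whatever entity the user pivoted from.

    Three kinds of input entity are handled, decided by ``request.entity.fields``:

    * a MISP event entity: its value is taken as an event id when it parses
      as an int, otherwise as an event-info substring; matching events are
      returned.
    * a galaxy, temp or Twitter hashtag entity: the keyword (the ``Temp``
      property, falling back to the value) is matched against the local
      galaxy clusters, and for temp/hashtag entities also against the
      server's tags.
    * anything else: the value is searched as an attribute value; matching
      attributes and the objects that contain them are returned.

    Args:
        request: Maltego transform request (entity, fields, parameters).
        response: Maltego transform response; entities are appended with ``+=``.
        config: configuration handed to ``check_update`` and ``MISPConnection``.

    Returns:
        ``response`` with the search results appended.
    """
    response += check_update(config)
    link_label = 'Search result'
    value = request.entity.value

    if 'properties.mispevent' in request.entity.fields:
        conn = MISPConnection(config, request.parameters)
        # '0' is the placeholder value of an empty event entity: nothing to search
        if value == '0':
            return response
        # Only the int() parse decides between id and info search; errors raised
        # by the search itself or by event_to_entity are no longer swallowed.
        try:
            search_args = {'eventid': int(value)}
        except ValueError:
            search_args = {'eventinfo': value}
        events_json = conn.misp.search(controller='events', with_attachments=False, **search_args)
        for e in events_json:
            response += event_to_entity(e, link_label=link_label,
                                        link_direction=LinkDirection.OutputToInput)
        return response

    # From galaxy or Hashtag
    from_hashtag = ('properties.temp' in request.entity.fields
                    or 'twitter.hashtag' in request.entity.fields)
    if 'properties.mispgalaxy' in request.entity.fields or from_hashtag:
        if value == '-':
            return response
        # First search in galaxies
        keyword = get_entity_property(request.entity, 'Temp') or value
        # assume the user is searching for a cluster based on a substring.
        # Search in the list for those that match and return galaxy entities
        potential_clusters = search_galaxy_cluster(keyword)
        # LATER check if duplicates are possible
        for potential_cluster in potential_clusters or []:
            new_entity = galaxycluster_to_entity(potential_cluster, link_label=link_label)
            # LATER support the type_filter - unfortunately this is not possible,
            # we need Canari to tell us the original entity type
            if isinstance(new_entity, MISPGalaxy):
                response += new_entity
        # from Hashtag search also in tags
        if from_hashtag:
            conn = MISPConnection(config, request.parameters)
            result = conn.misp.direct_call('tags/search', {'name': keyword})
            for t in result:
                # skip misp-galaxies as we have processed them earlier on
                if t['Tag']['name'].startswith('misp-galaxy'):
                    continue
                # In this case we do not filter away those we add as notes,
                # as people might want to pivot on it explicitly.
                response += Hashtag(t['Tag']['name'], link_label=link_label, bookmark=Bookmark.Green)
        return response

    # for all other normal entities
    conn = MISPConnection(config, request.parameters)
    events_json = conn.misp.search(controller='events', value=value, with_attachments=False)
    # we need to really rebuild the Entity from scratch as request.entity is of type Unknown
    for e in events_json:
        # find the value as attribute
        attr = get_attribute_in_event(e, value, substring=True)
        if attr:
            for item in attribute_to_entity(attr, only_self=True):
                response += item
        # find the value as object, and return the object
        for o in e['Event'].get('Object', []):
            if get_attribute_in_object(o, attribute_value=value, substring=True).get('value'):
                response += conn.object_to_entity(o, link_label=link_label)
    return response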