def do_transform(self, request, response, config):
    """Expand a MISP event into its tags, galaxy clusters, attributes and objects.

    The event is fetched by the incoming entity's ``id`` over the connection
    built from ``config`` (presumably MISP URL and API key; confirm in
    ``get_misp_connection``). A reply without an ``Event`` key leaves the
    response untouched. Otherwise the event entity, one Hashtag per plain tag,
    one entity per galaxy cluster, the entities derived from each attribute and
    one entity per MISP object are appended, in that order.

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the new entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with the event's entities.
    """
    # FIXME get it without attachments
    # FIXME use search + includeAttachments:0, eventid: as request body
    misp = get_misp_connection(config)
    event_json = misp.get_event(request.entity.id)
    event = event_json.get('Event')
    if not event:
        return response
    response += event_to_entity(event_json)

    # All tag names travel with the attributes; only plain tags become Hashtags
    # (galaxy tags and the tags rendered as notes are skipped).
    event_tags = [tag['name'] for tag in event.get('Tag', [])]
    for name in event_tags:
        if name.startswith('misp-galaxy') or tag_matches_note_prefix(name):
            continue
        response += Hashtag(name)

    for galaxy in event['Galaxy']:
        for cluster in galaxy['GalaxyCluster']:
            response += galaxycluster_to_entity(cluster)

    for attribute in event['Attribute']:
        # attribute_to_entity may yield falsy placeholders; those are dropped.
        for entity in filter(None, attribute_to_entity(attribute, event_tags=event_tags)):
            response += entity

    for misp_object in event['Object']:
        response += object_to_entity(misp_object)
    return response
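def do_transform(self, request, response, config):
    """Free-text import of the entity's value into the MISP event named by its ``EventID`` field.

    MISP Event entities (numeric value) are skipped. The entity must carry a
    non-zero ``EventID`` field, otherwise a fatal UIMessage is returned. The
    value is then pushed to ``misp.freetext`` with ``adhereToWarninglists``
    enabled and ``distribution=0`` (MISP's most restrictive, organisation-only
    level — confirm against the server's distribution enumeration). A 403
    reply whose payload reports ``saved`` false is surfaced as a fatal
    UIMessage with the server's reason.

    Changes from the earlier version: the "is this an event id" probe only
    swallows the conversion errors ``int()`` can raise; a non-numeric
    ``EventID`` now yields the "Enter MISP EventID" message instead of an
    uncaught ValueError; ``not 'x' in`` became ``'x' not in``.

    Args:
        request: Maltego transform request (entity value, fields, parameters).
        response: Maltego transform response messages are added to.
        config: transform configuration for ``check_update``/``get_misp_connection``.

    Returns:
        The ``response``, possibly carrying a fatal UIMessage.
    """
    response += check_update(config)
    maltego_misp_attribute = request.entity

    # Skip MISP Events: their entity value is the numeric event id.
    try:
        int(maltego_misp_attribute.value)
    except (ValueError, TypeError):
        pass
    else:
        return response

    fields = maltego_misp_attribute.fields
    if 'EventID' not in fields:
        response += UIMessage("Error: Add MISP EventID Property 'EventID' to Maltego Entity!", type=UIMessageType.Fatal)
        return response
    event_id = fields['EventID'].value
    try:
        event_id_missing = int(event_id) == 0
    except (ValueError, TypeError):
        # Unparsable ids are treated like the unset default of 0.
        event_id_missing = True
    if event_id_missing:
        response += UIMessage("Error: Enter MISP EventID to Property 'EventID' of Maltego Entity!", type=UIMessageType.Fatal)
        return response

    misp = get_misp_connection(config, request.parameters)
    json_resp = misp.freetext(
        event_id,
        maltego_misp_attribute.value,
        adhereToWarninglists=True,
        distribution=0,
        returnMetaAttributes=False,
        pythonify=True,
    )
    if 'errors' in json_resp:
        # Expected shape: errors == (status_code, body) — assumption, confirm
        # against the PyMISP version in use.
        errors = json_resp['errors']
        if errors[0] == 403:
            error_response = errors[1]
            if not error_response['saved']:
                error_reason = error_response['errors']['value'][0]
                response += UIMessage("Error: %s" % error_reason, type=UIMessageType.Fatal)
        # NOTE(review): non-403 errors are not reported to the user here;
        # consider surfacing them as a UIMessage too.
    return response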
def do_transform(self, request, response, config):
    """Expand a MISP event into related events, attributes, objects, galaxy clusters and tags.

    Earlier variant of the event expansion: the event entity itself is not
    re-added, related events are emitted first, and tags are not filtered by
    the note prefix (only ``misp-galaxy`` tags are skipped).

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, unchanged when the reply has no ``Event`` key.
    """
    misp = get_misp_connection(config)
    # FIXME get it without attachments
    event_json = misp.get_event(request.entity.id)
    event = event_json.get('Event')
    if not event:
        return response

    for related in event['RelatedEvent']:
        response += event_to_entity(related)

    for attribute in event['Attribute']:
        for entity in filter(None, attribute_to_entity(attribute)):
            response += entity

    for misp_object in event['Object']:
        # LATER unfortunately we cannot automatically expand the objects
        response += object_to_entity(misp_object)

    for galaxy in event['Galaxy']:
        for cluster in galaxy['GalaxyCluster']:
            response += galaxycluster_to_entity(cluster)

    # Galaxy tags are already represented by the clusters above.
    for tag in event.get('Tag', []):
        if tag['name'].startswith('misp-galaxy'):
            continue
        response += Hashtag(tag['name'])
    return response
def do_transform(self, request, response, config):
    """Search MISP for the entity's value and return the matching events and the attribute.

    Numeric values are taken to be MISP Event entities and skipped. Every
    event in the search reply is added; afterwards the matching attribute is
    rebuilt from scratch (``request.entity`` is of type Unknown) so it can be
    returned and bookmarked.

    Args:
        request: Maltego transform request; ``request.entity.value`` is searched.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with matching events and the attribute.
    """
    value = request.entity.value
    # MISP Events carry a numeric value; those are not searched as attributes.
    # Any failure of int() means "not an event" — kept broad on purpose.
    try:
        int(value)
    except Exception:
        pass
    else:
        return response

    misp = get_misp_connection(config)
    events_json = misp.search(controller='events', values=value, withAttachments=False)
    events = events_json['response']
    for event in events:
        response += event_to_entity(event)

    # Second pass only matters when the search found something; an empty
    # reply makes it a no-op.
    for event in events:
        attr = get_attribute_in_event(event, value)
        if attr:
            for item in attribute_to_entity(attr, only_self=True):
                response += item
    return response
def do_transform(self, request, response, config):
    """Expand a MISP event into its tags, galaxy clusters, attributes and objects.

    Fetches the event by the incoming entity's ``id``; a reply without an
    ``Event`` key leaves the response untouched. Related events are
    deliberately not expanded here (see the NOTE below).

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with the event's entities.
    """
    # FIXME get it without attachments
    # FIXME use search + includeAttachments:0, eventid: as request body
    misp = get_misp_connection(config)
    event_json = misp.get_event(request.entity.id)
    event = event_json.get('Event')
    if not event:
        return response
    response += event_to_entity(event_json)

    event_tags = []
    for tag in event.get('Tag', []):
        name = tag['name']
        event_tags.append(name)
        # Galaxy tags are emitted as clusters below; note-prefixed tags are
        # rendered as notes elsewhere, so neither becomes a Hashtag.
        if name.startswith('misp-galaxy') or tag_matches_note_prefix(name):
            continue
        response += Hashtag(name)

    for galaxy in event['Galaxy']:
        for cluster in galaxy['GalaxyCluster']:
            response += galaxycluster_to_entity(cluster)

    # NOTE: RelatedEvent entries are intentionally not emitted from this
    # transform (a DashDot-linked expansion exists as a separate transform).
    for attribute in event['Attribute']:
        for entity in filter(None, attribute_to_entity(attribute, event_tags=event_tags)):
            response += entity

    for misp_object in event['Object']:
        # LATER unfortunately we cannot automatically expand the objects
        response += object_to_entity(misp_object)
    return response
def do_transform(self, request, response, config):
    """Search MISP for the incoming entity (by tag for galaxies, by value otherwise).

    MISP Event and MISP Object entities are skipped. For a galaxy entity the
    ``tag_name`` property (falling back to the entity value) is searched as a
    tag; any other entity is searched by value. Matching events are added, and
    the matching attribute is rebuilt from scratch (``request.entity`` is of
    type Unknown) so it can be returned and bookmarked.

    Args:
        request: Maltego transform request (entity fields and value are read).
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with matching events and attributes.
    """
    entity = request.entity
    fields = entity.fields
    # Events and objects are not attribute values: nothing to search for.
    if 'properties.mispevent' in fields or 'properties.mispobject' in fields:
        return response
    if 'ipv4-range' in fields:
        # placeholder for https://github.com/MISP/MISP-maltego/issues/11
        pass

    misp = get_misp_connection(config)
    if 'properties.mispgalaxy' in fields:
        tag_name = get_entity_property(entity, 'tag_name') or entity.value
        events_json = misp.search(controller='events', tags=tag_name, withAttachments=False)
    else:
        events_json = misp.search(controller='events', values=entity.value, withAttachments=False)

    events = events_json['response']
    for event in events:
        response += event_to_entity(event)

    # Second pass is a no-op on an empty reply, so no separate "found" flag.
    for event in events:
        attr = get_attribute_in_event(event, entity.value)
        if attr:
            for item in attribute_to_entity(attr, only_self=True):
                response += item
    return response
def do_transform(self, request, response, config):
    """Return the MISP events (or objects) the incoming entity belongs to.

    Dispatches on the entity type:

    * galaxy (``properties.mispgalaxy``) and Hashtag (``properties.temp``)
      entities are searched as tags, using their ``tag_name``/``Temp``
      property with the entity value as fallback;
    * MISP Object entities are looked up by their ``event_id`` field; without
      that field nothing is returned;
    * MISP Event entities are skipped;
    * every other entity is searched by value, and both the events holding a
      matching attribute and the objects holding a matching attribute are
      returned.

    All links point from output to input.

    Args:
        request: Maltego transform request (entity fields, value, parameters).
        response: Maltego transform response the entities are added to.
        config: transform configuration for ``check_update``/``get_misp_connection``.

    Returns:
        The ``response``, extended with the found events/objects.
    """
    response += check_update(config)
    entity = request.entity
    fields = entity.fields
    value = entity.value

    # Events have nothing to look up.
    if 'properties.mispevent' in fields:
        return response
    if 'ipv4-range' in fields:
        # placeholder for https://github.com/MISP/MISP-maltego/issues/11
        pass

    misp = get_misp_connection(config, request.parameters)
    outgoing = LinkDirection.OutputToInput

    if 'properties.mispgalaxy' in fields:
        # from Galaxy
        tag_name = get_entity_property(entity, 'tag_name') or value
        found = misp.search(controller='events', tags=tag_name, with_attachments=False)
    elif 'properties.mispobject' in fields:
        # from Object
        event_id_field = fields.get('event_id')
        if not event_id_field:
            return response
        found = misp.search(controller='events', eventid=event_id_field.value, with_attachments=False)
    elif 'properties.temp' in fields:
        # from Hashtag
        tag_name = get_entity_property(entity, 'Temp') or value
        found = misp.search(controller='events', tags=tag_name, with_attachments=False)
    else:
        # standard Entities (normal attributes): return the MISPEvent or
        # MISPObject that holds the attribute
        found = misp.search(controller='events', value=value, with_attachments=False)
        for event in found:
            # find the value as attribute
            if get_attribute_in_event(event, value):
                response += event_to_entity(event, link_direction=outgoing)
            # find the value as object
            for misp_object in event['Event'].get('Object', []):
                if get_attribute_in_object(misp_object, attribute_value=value).get('value'):
                    response += object_to_entity(misp_object, link_direction=outgoing)
        return response

    for event in found:
        response += event_to_entity(event, link_direction=outgoing)
    return response
def do_transform(self, request, response, config):
    """Return a MISP event together with its related events (DashDot links).

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, unchanged when the reply has no ``Event`` key.
    """
    # FIXME get it without attachments
    # FIXME use search + includeAttachments:0, eventid: as request body
    misp = get_misp_connection(config)
    event_json = misp.get_event(request.entity.id)
    event = event_json.get('Event')
    if not event:
        return response
    response += event_to_entity(event_json)
    for related in event['RelatedEvent']:
        response += event_to_entity(related, link_style=LinkStyle.DashDot)
    return response
def do_transform(self, request, response, config):
    """Expand a MISP Object entity into its attributes.

    The object's event is fetched by ``request.entity.event_id``; every object
    in it whose ``uuid`` equals ``request.entity.uuid`` is turned into
    attribute entities (falsy results are dropped).

    Args:
        request: Maltego transform request; the entity carries ``event_id`` and ``uuid``.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with the object's attributes.
    """
    maltego_object = request.entity
    misp = get_misp_connection(config)
    event_json = misp.get_event(maltego_object.event_id)
    matching = (o for o in event_json['Event']['Object'] if o['uuid'] == maltego_object.uuid)
    for misp_object in matching:
        for entity in filter(None, object_to_attributes(misp_object)):
            response += entity
    return response
def do_transform(self, request, response, config):
    """Expand a MISP Object entity into its attributes (event-aware variant).

    Same lookup as the plain object expansion, but the whole event JSON is
    handed to ``object_to_attributes`` alongside the matching object.

    Args:
        request: Maltego transform request; the entity carries ``event_id`` and ``uuid``.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with the object's attributes.
    """
    maltego_object = request.entity
    misp = get_misp_connection(config)
    event_json = misp.get_event(maltego_object.event_id)
    wanted_uuid = maltego_object.uuid
    for misp_object in event_json['Event']['Object']:
        if misp_object['uuid'] != wanted_uuid:
            continue
        for entity in filter(None, object_to_attributes(misp_object, event_json)):
            response += entity
    return response
def do_transform(self, request, response, config):
    """Return the MISP events tagged with the incoming galaxy/tag entity.

    The ``tag_name`` attribute of the entity is searched, with the entity
    value as fallback. Each hit becomes a MISPEvent linked output-to-input.

    Args:
        request: Maltego transform request (``entity.tag_name``, ``entity.value``, ``parameters``).
        response: Maltego transform response the events are added to.
        config: transform configuration for ``check_update``/``get_misp_connection``.

    Returns:
        The ``response``, extended with the tagged events.
    """
    response += check_update(config)
    misp = get_misp_connection(config, request.parameters)
    tag_name = request.entity.tag_name or request.entity.value
    for hit in misp.search(controller='events', tags=tag_name, with_attachments=False):
        event = hit['Event']
        response += MISPEvent(
            event['id'],
            uuid=event['uuid'],
            info=event['info'],
            link_direction=LinkDirection.OutputToInput,
        )
    return response
def do_transform(self, request, response, config):
    """Return the MISP events containing the incoming attribute value (legacy search API).

    Args:
        request: Maltego transform request; ``request.entity.value`` is searched.
        response: Maltego transform response the events are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with one MISPEvent per hit.
    """
    misp = get_misp_connection(config)
    events_json = misp.search(controller='events', values=request.entity.value, withAttachments=False)
    for hit in events_json['response']:
        event = hit['Event']
        response += MISPEvent(event['id'], uuid=event['uuid'], info=event['info'])
    return response
def do_transform(self, request, response, config):
    """Expand a MISP Object entity into its relations.

    Fetches the object's event and, for every object whose ``uuid`` matches
    the entity's, adds the entities produced by ``object_to_relations``.

    Args:
        request: Maltego transform request; the entity carries ``event_id`` and ``uuid``.
        response: Maltego transform response the entities are added to.
        config: transform configuration for ``check_update``/``get_misp_connection``.

    Returns:
        The ``response``, extended with the object's relations.
    """
    response += check_update(config)
    maltego_object = request.entity
    misp = get_misp_connection(config, request.parameters)
    event_json = misp.get_event(maltego_object.event_id)
    matching = (o for o in event_json['Event']['Object'] if o['uuid'] == maltego_object.uuid)
    for misp_object in matching:
        for entity in filter(None, object_to_relations(misp_object, event_json)):
            response += entity
    return response
def do_transform(self, request, response, config):
    """Load the MISP event for the incoming entity and emit the event entity.

    Stores ``request``, ``response``, ``config``, the MISP connection and the
    fetched event JSON on ``self`` for later steps.

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the event entity is added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        ``True`` when the event was found and added, ``False`` when the reply
        has no ``Event`` key.
    """
    self.request, self.response, self.config = request, response, config
    self.misp = get_misp_connection(config)
    # FIXME get it without attachments
    # FIXME use search + includeAttachments:0, eventid: as request body
    self.event_json = self.misp.get_event(request.entity.id)
    if not self.event_json.get('Event'):
        return False
    self.response += event_to_entity(self.event_json)
    return True
def do_transform(self, request, response, config):
    """Return the MISP events tagged with the incoming galaxy entity (legacy search API).

    Args:
        request: Maltego transform request (``entity.tag_name`` with ``entity.value`` fallback).
        response: Maltego transform response the events are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with one output-to-input linked MISPEvent per hit.
    """
    galaxy = request.entity
    misp = get_misp_connection(config)
    tag_name = galaxy.tag_name or galaxy.value
    events_json = misp.search(controller='events', tags=tag_name, withAttachments=False)
    for hit in events_json['response']:
        event = hit['Event']
        response += MISPEvent(
            event['id'],
            uuid=event['uuid'],
            info=event['info'],
            link_direction=LinkDirection.OutputToInput,
        )
    return response
def do_transform(self, request, response, config):
    """Look the incoming event up via search (no attachments) and emit the event entity.

    Stores ``request``, ``response``, ``config``, the MISP connection and the
    last entry of the search reply as ``self.event_json``.

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the event entity is added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        ``True`` when the search returned an event, ``False`` otherwise.
    """
    self.request, self.response, self.config = request, response, config
    self.misp = get_misp_connection(config)
    found = self.misp.search(controller='events', eventid=request.entity.id, withAttachments=False)
    if not found.get('response'):
        return False
    # The reply is a list; the searched id is expected to yield one entry.
    self.event_json = found['response'].pop()
    self.response += event_to_entity(self.event_json)
    return True
def do_transform(self, request, response, config):
    """Look the incoming event up via search (no attachments) and emit the event entity.

    Stores ``request``, ``response``, ``config``, the MISP connection and the
    last entry of the search reply as ``self.event_json``; also runs the
    update check first.

    Args:
        request: Maltego transform request (``entity.id``, ``parameters``).
        response: Maltego transform response messages and the event are added to.
        config: transform configuration for ``check_update``/``get_misp_connection``.

    Returns:
        ``True`` when the search returned an event, ``False`` otherwise.
    """
    self.request, self.response, self.config = request, response, config
    self.response += check_update(config)
    self.misp = get_misp_connection(config, request.parameters)
    found = self.misp.search(controller='events', eventid=request.entity.id, with_attachments=False)
    if not found:
        return False
    # The reply is a list; the searched id is expected to yield one entry.
    self.event_json = found.pop()
    self.response += event_to_entity(self.event_json)
    return True
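def do_transform(self, request, response, config):
    """Return the tags (as Hashtags) and galaxy clusters of a MISP event.

    Fetches the event by the incoming entity's ``id``. Plain tags become
    Hashtag entities; ``misp-galaxy`` tags are skipped because the galaxy
    clusters are emitted separately.

    Changes from the earlier version: a reply without an ``Event`` key now
    returns the response unchanged (consistent with the other event
    transforms) instead of raising KeyError, and the unused ``event_tags``
    list is gone.

    Args:
        request: Maltego transform request; ``request.entity.id`` is the event id.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with Hashtags and galaxy cluster entities.
    """
    misp = get_misp_connection(config)
    event_json = misp.get_event(request.entity.id)
    event = event_json.get('Event')
    if not event:
        return response

    for tag in event.get('Tag', []):
        name = tag['name']
        if name.startswith('misp-galaxy'):
            continue
        response += Hashtag(name)

    for galaxy in event['Galaxy']:
        for cluster in galaxy['GalaxyCluster']:
            response += galaxycluster_to_entity(cluster)
    return response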
def do_transform(self, request, response, config):
    """Rebuild the incoming attribute entity from MISP search results.

    Numeric values are MISP Event entities and are skipped. For every event
    holding the value, the attribute is rebuilt from scratch (``request.entity``
    is of type Unknown) and added with ``only_self=True``.

    Args:
        request: Maltego transform request (``entity.value``, ``parameters``).
        response: Maltego transform response the entities are added to.
        config: transform configuration for ``check_update``/``get_misp_connection``.

    Returns:
        The ``response``, extended with the rebuilt attribute entities.
    """
    response += check_update(config)
    value = request.entity.value

    # Any failure of int() means "not an event id" — kept broad on purpose.
    try:
        int(value)
    except Exception:
        pass
    else:
        return response

    misp = get_misp_connection(config, request.parameters)
    found = misp.search(controller='events', value=value, with_attachments=False)
    for event in found:
        attr = get_attribute_in_event(event, value)
        if not attr:
            continue
        for item in attribute_to_entity(attr, only_self=True):
            response += item
    return response
def do_transform(self, request, response, config):
    """Rebuild the incoming attribute entity from MISP search results (legacy search API).

    Numeric values are MISP Event entities and are skipped. When the search
    finds at least one event, the attribute is rebuilt from scratch
    (``request.entity`` is of type Unknown) for every event holding it.

    Args:
        request: Maltego transform request; ``request.entity.value`` is searched.
        response: Maltego transform response the entities are added to.
        config: transform configuration passed to ``get_misp_connection``.

    Returns:
        The ``response``, extended with the rebuilt attribute entities.
    """
    value = request.entity.value

    # Any failure of int() means "not an event id" — kept broad on purpose.
    try:
        int(value)
    except Exception:
        pass
    else:
        return response

    misp = get_misp_connection(config)
    events_json = misp.search(controller='events', values=value, withAttachments=False)
    hits = events_json['response']

    # Same probe as a break-on-first-element loop: true iff there is a hit.
    in_misp = any(True for _ in hits)
    if in_misp:
        for event in hits:
            attr = get_attribute_in_event(event, value)
            if attr:
                for item in attribute_to_entity(attr, only_self=True):
                    response += item
    return response