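def sample_hashes(self, results, event):
    """Attach a MISP ``file`` object describing the submitted sample to *event*.

    Args:
        results: CAPEv2 report dict; only ``results["target"]["file"]`` is read.
        event: MISP event the object is added to through ``self.misp.add_object``.

    Nothing is added when the report has no target-file section. A hash that is
    missing from (or empty in) the file section is skipped rather than raising
    KeyError, so one absent digest no longer aborts the whole report.
    """
    sample = results.get("target", {}).get("file", {})
    if not sample:
        return
    misp_object = MISPObject("file")
    misp_object.comment = "File submitted to CAPEv2"
    # (object relation, report key) pairs, in the order the attributes are added.
    fields = (
        ("filename", "name"),
        ("md5", "md5"),
        ("sha1", "sha1"),
        ("sha256", "sha256"),
        ("ssdeep", "ssdeep"),
    )
    for relation, key in fields:
        value = sample.get(key)
        if value:
            misp_object.add_attribute(relation, value=value, category="Payload delivery")
    self.misp.add_object(event, misp_object)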
# If the alert contains email indicators, create an email object. if isight_alert.emailIdentifier: # If emailLanguage is provided, add it to the default comment. if isight_alert.emailLanguage: add_comment = 'Email language: ' + isight_alert.emailLanguage if default_comment == '': email_comment = add_comment else: email_comment = default_comment + '; ' + add_comment else: email_comment = default_comment # Create the object. email_object = MISPObject('email') email_object.comment = email_comment # Add attributes to the object. if isight_alert.senderAddress: email_object.add_attribute('from', value=isight_alert.senderAddress, to_ids=email_ids) if isight_alert.senderName: email_object.add_attribute('from-display-name', value=isight_alert.senderName, to_ids=False) if isight_alert.sourceIP: email_object.add_attribute('ip-src', value=isight_alert.sourceIP, to_ids=email_ids) if isight_alert.subject: email_object.add_attribute('subject', value=isight_alert.subject, to_ids=False) if isight_alert.recipient: email_object.add_attribute('to', value=isight_alert.recipient, to_ids=False) if isight_alert.senderDomain: domain_attribute = event.add_attribute(category='Network activity', type='domain', value=isight_alert.senderDomain, to_ids=False) email_object.add_reference(domain_attribute.uuid, 'derived-from', comment='Email source domain')
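def _join_comment(base, extra):
    """Return *base* and *extra* joined with '; ', dropping whichever is empty.

    This is the comment-building rule used throughout update_misp_event: a
    falsy *extra* leaves *base* untouched and an empty *base* yields *extra*
    on its own.
    """
    if not extra:
        return base
    if base == '':
        return extra
    return base + '; ' + extra


def update_misp_event(misp_instance, event, isight_alert):
    """Map an iSight report onto an existing MISP event and push the update.

    Args:
        misp_instance: PyMISP connection used for the final ``update_event`` call.
        event: MISPEvent that is extended in place with objects and attributes.
        isight_alert: parsed iSight report; its attributes are read directly.

    Returns:
        False when *misp_instance* is not a PyMISP instance (nothing is changed);
        otherwise None after ``misp_instance.update_event(event)`` has run.

    Ideas of Alex not implemented:
      - Use expanded networkIdentifier as a comment.
      - Create attributes and use object relationships for iSight fields that
        have no corresponding MISP object attribute.
    Unused iSight fields: observationTime
    """
    PySight_settings.logger.debug('Updating the event %s', event)
    if not isinstance(misp_instance, PyMISP):
        PySight_settings.logger.error('Parameter misp_instance is not a PyMISP object')
        return False

    # to_ids is only set on indicators iSight characterises as attacker-owned or
    # compromised infrastructure; file hashes from malware reports always qualify.
    confirmed = ('Attacker', 'Compromised')
    email_ids = isight_alert.emailIdentifier in confirmed
    file_ids = (isight_alert.fileIdentifier in confirmed
                or isight_alert.intelligenceType == 'malware')
    network_ids = isight_alert.networkIdentifier in confirmed

    # The malware family is the default comment wherever nothing better exists.
    default_comment = isight_alert.malwareFamily or ''

    c2_tag = 'veris:action:malware:variety="C2"'

    # If the alert contains email indicators, create an email object.
    if isight_alert.emailIdentifier:
        email_comment = default_comment
        if isight_alert.emailLanguage:
            email_comment = _join_comment(default_comment,
                                          'Email language: ' + isight_alert.emailLanguage)
        email_object = MISPObject('email')
        email_object.comment = email_comment
        # (relation, value, to_ids): only sender address and source IP are detection-grade.
        email_fields = (
            ('from', isight_alert.senderAddress, email_ids),
            ('from-display-name', isight_alert.senderName, False),
            ('ip-src', isight_alert.sourceIP, email_ids),
            ('subject', isight_alert.subject, False),
            ('to', isight_alert.recipient, False),
        )
        for relation, value, to_ids in email_fields:
            if value:
                email_object.add_attribute(relation, value=value, to_ids=to_ids)
        if isight_alert.senderDomain:
            # The sender domain is an event-level attribute referenced by the object.
            domain_attribute = event.add_attribute(category='Network activity', type='domain',
                                                   value=isight_alert.senderDomain, to_ids=False)
            email_object.add_reference(domain_attribute.uuid, 'derived-from',
                                       comment='Email source domain')
        event.add_object(email_object)

    # If the report contains an MD5 hash, create a file object.
    if isight_alert.md5:
        file_object = MISPObject('file')
        file_object.comment = _join_comment(default_comment, isight_alert.description)
        file_object.add_attribute('md5', value=isight_alert.md5, to_ids=file_ids)
        if isight_alert.sha1:
            file_object.add_attribute('sha1', value=isight_alert.sha1, to_ids=file_ids)
        if isight_alert.sha256:
            file_object.add_attribute('sha256', value=isight_alert.sha256, to_ids=file_ids)
        file_name = isight_alert.fileName
        if file_name and file_name != 'UNAVAILABLE' and file_name.upper() != 'UNKNOWN':
            # Filenames are not detection-grade.
            file_object.add_attribute('filename', value=file_name, to_ids=False)
        if isight_alert.fileSize:
            # Neither is the file size.
            file_object.add_attribute('size-in-bytes', value=isight_alert.fileSize, to_ids=False)
        if isight_alert.fuzzyHash:
            file_object.add_attribute('ssdeep', value=isight_alert.fuzzyHash, to_ids=file_ids)
        if isight_alert.fileType and isight_alert.fileType != 'fileType':
            # The literal 'fileType' is treated as a placeholder and skipped.
            file_object.add_attribute('text', value=isight_alert.fileType, to_ids=False)
        if isight_alert.fileCompilationDateTime:
            # Epoch -> UTC timestamp. Without tz= fromtimestamp() would silently
            # render the time in the host's local zone, not the UTC the
            # attribute is meant to carry.
            compile_date = datetime.datetime.fromtimestamp(isight_alert.fileCompilationDateTime,
                                                           tz=datetime.timezone.utc)
            file_object.add_attribute('compilation-timestamp', value=str(compile_date), to_ids=False)
        if isight_alert.filePath:
            file_object.add_attribute('path', value=isight_alert.filePath, to_ids=False)
        event.add_object(file_object)

    # If the report contains a user agent string, create a user-agent attribute.
    if isight_alert.userAgent:
        event.add_attribute(category='Network activity', type='user-agent',
                            value=isight_alert.userAgent, to_ids=network_ids,
                            comment=default_comment)

    # If the report contains an ASN, create an AS attribute. An ASN is far too
    # coarse to use for detection.
    if isight_alert.asn:
        event.add_attribute(category='Network activity', type='AS', value=isight_alert.asn,
                            to_ids=False, comment=default_comment)

    # iSight "domains" are in fact hostnames, so they become hostname attributes.
    # A resolved IP and the protocol, when given, go into the comment.
    if isight_alert.domain:
        host_comment = default_comment
        if isight_alert.ip:
            host_comment = _join_comment(host_comment, 'Resolves to ' + isight_alert.ip)
        host_comment = _join_comment(host_comment, isight_alert.protocol)
        if isight_alert.port:
            # str.format() also copes with a numeric port, where '+' would raise.
            new_attr = event.add_attribute(category='Network activity', type='hostname|port',
                                           value='{}|{}'.format(isight_alert.domain, isight_alert.port),
                                           to_ids=network_ids, comment=host_comment)
        else:
            new_attr = event.add_attribute(category='Network activity', type='hostname',
                                           value=isight_alert.domain, to_ids=network_ids,
                                           comment=host_comment)
        if isight_alert.networkType == 'C&C':
            new_attr.add_tag(c2_tag)
    # No hostname but an IP address: create an ip-src or ip-dst attribute.
    elif isight_alert.ip:
        ip_comment = _join_comment(default_comment, isight_alert.protocol)
        # For these network types the address is the destination of the traffic.
        dst_types = ('URL', 'C&C', 'downloadLink', 'maliciousLink', 'wateringHole')
        if isight_alert.networkType in dst_types:
            ip_type = 'ip-dst'
        elif isight_alert.networkIdentifier in ('Compromised', 'Victim'):
            # Could be either end; destination is the more likely reading.
            ip_type = 'ip-dst'
        else:
            # Attacker, Related and anything else: source is the more likely reading.
            ip_type = 'ip-src'
        if isight_alert.port:
            # A port makes the destination reading far more likely.
            ip_type = 'ip-dst'
            new_attr = event.add_attribute(category='Network activity', type=ip_type + '|port',
                                           value='{}|{}'.format(isight_alert.ip, isight_alert.port),
                                           to_ids=network_ids, comment=ip_comment)
        else:
            new_attr = event.add_attribute(category='Network activity', type=ip_type,
                                           value=isight_alert.ip, to_ids=network_ids,
                                           comment=ip_comment)
        if isight_alert.networkType == 'C&C':
            new_attr.add_tag(c2_tag)

    # If the report contains a domain registrant email address, create a whois object.
    if isight_alert.registrantEmail:
        whois_object = MISPObject('whois')
        whois_object.comment = default_comment
        whois_object.add_attribute('registrant-email', value=isight_alert.registrantEmail,
                                   to_ids=network_ids)
        if isight_alert.registrantName:
            whois_object.add_attribute('registrant-name', value=isight_alert.registrantName,
                                       to_ids=False)
        # Prefer the network domain, fall back to the email source domain.
        whois_domain = isight_alert.domain or isight_alert.sourceDomain
        if whois_domain:
            whois_object.add_attribute('domain', value=whois_domain, to_ids=network_ids)
        event.add_object(whois_object)

    # If the report contains a URL, create a url attribute.
    if isight_alert.url:
        url_attr = event.add_attribute(category='Network activity', type='url',
                                       value=isight_alert.url, to_ids=network_ids,
                                       comment=default_comment)
        if isight_alert.networkType == 'C&C':
            # Tag the attribute we just created, as the hostname/IP branches do,
            # instead of looking it up again by value.
            url_attr.add_tag(c2_tag)

    # If the report contains registry information, create a regkey attribute.
    # Ideally the registry field would be split into hive, key and value.
    if isight_alert.registry:
        event.add_attribute(category='Artifacts dropped', type='regkey',
                            value=isight_alert.registry, to_ids=file_ids,
                            comment=_join_comment(default_comment, isight_alert.description))

    # If the report contains a malware family, create a malware-type attribute.
    if isight_alert.malwareFamily:
        event.add_attribute(category='Antivirus detection', type='text',
                            value=isight_alert.malwareFamily, to_ids=False)

    # If the report contains an actor, create a threat-actor attribute.
    # Attribution, not detection, so never to_ids.
    if isight_alert.actor:
        event.add_attribute(category='Attribution', type='threat-actor',
                            value=isight_alert.actor, to_ids=False)

    # Finally, commit the event additions to the MISP instance.
    misp_instance.update_event(event)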
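# Human-readable meaning of the iSight identifier values, used in attribute comments.
_IDENTIFIER_DESCRIPTIONS = {
    "Attacker": "Indicators confirmed to host malicious content, has functioned as a commandand-control (C2) server, and/or otherwise acted as a source of malicious activity.",
    "Compromised": "Indicators confirmed to host malicious content due to compromise or abuse. The exact time and length of compromise is unknown unless disclosed within the report.",
    "Related": 'Indicators likely related to an attack but potentially only partially confirmed. Detailed by one or more methods, like passive DNS, geo-location, and connectivity detection.',
    "Victim": "Indicators representing an entity that has been confirmed to have been victimized by malicious activity, where actors have attempted or succeeded to compromise.",
}


def _identifier_description(identifier):
    """Return the description text for an iSight identifier, '' when unknown."""
    return _IDENTIFIER_DESCRIPTIONS.get(identifier, "")


def is_map_alert_to_event(p_misp_instance, new_misp_event, a_isight_alert, a_auto_comment):
    """Map one iSight alert onto *new_misp_event* and create the event on the MISP instance.

    Every alert yields an internal-reference attribute with the alert ID, the
    'iSight' and 'tlp:amber' tags and a discovery-method tag; all further
    attributes, objects and tags depend on which alert fields are populated.

    :param p_misp_instance: PyMISP connection on which the event is created
    :type p_misp_instance: PyMISP
    :param new_misp_event: event to populate; modified in place
    :type new_misp_event: MISPEvent
    :param a_isight_alert: parsed iSight alert whose attributes are read
    :param a_auto_comment: text appended to every generated comment
    :type a_auto_comment: str
    :return: True if the mapping worked and the event was created, False if an error occurred
    :rtype: bool
    """
    try:
        if not isinstance(p_misp_instance, PyMISP):
            PySight_settings.logger.error("Parameter misp instance is not an PyMisp object")
            return False
        PySight_settings.logger.debug("mapping alert %s", a_isight_alert.reportId)
        new_misp_event.add_attribute(type='other', value=a_isight_alert.reportId,
                                     comment=a_auto_comment, category='Internal reference')

        # Tagging. The 'iSight' tag might be custom, which is why it is created here.
        p_misp_instance.new_tag('iSight', exportable=True)  # FIXME: Don't do that for each event.
        new_misp_event.add_tag('iSight')
        # Default TLP; change it here to change the default.
        new_misp_event.add_tag('tlp:amber')
        # Generally detected by a security system, so reflect that in a tag.
        new_misp_event.add_tag('veris:discovery_method="Prt - monitoring service"')

        # Severity tag + threat level of the event.
        if a_isight_alert.riskRating:
            PySight_settings.logger.debug("risk: %s", a_isight_alert.riskRating)
            if a_isight_alert.riskRating == 'High':
                new_misp_event.add_tag('csirt_case_classification:criticality-classification="1"')
                # Upgrade the threat level even if it was set already.
                new_misp_event.threat_level_id = 1
            # NOTE(review): alert_severity is not read anywhere else in this mapping;
            # if the alert object has no such field the AttributeError aborts the
            # whole mapping — confirm the field name against the alert model.
            elif a_isight_alert.alert_severity == 'minr':
                new_misp_event.add_tag('csirt_case_classification:criticality-classification="3"')
                new_misp_event.add_tag('veris:impact:overall_rating = "Insignificant"')
                new_misp_event.threat_level_id = 3
            else:
                new_misp_event.add_tag('csirt_case_classification:criticality-classification="3"')
                new_misp_event.add_tag('veris:impact:overall_rating = "Unknown"')
                new_misp_event.threat_level_id = 4
        else:
            PySight_settings.logger.info("No Event severity found")

        threatscape = a_isight_alert.ThreatScape
        if threatscape:
            if threatscape in ('Espionage', 'cyberEspionage'):
                new_misp_event.add_tag('veris:actor:motive="Espionage"')
            elif threatscape == 'hacktivism':
                new_misp_event.add_tag('veris:actor:external:variety="Activist"')
            elif threatscape in ('cyberCrime', 'Cyber Crime'):
                new_misp_event.add_tag('veris:actor:external:variety="Organized crime"')

        # Add tags if APT is in the title.
        if "APT" in a_isight_alert.title:
            new_misp_event.add_tag('APT')
            new_misp_event.add_tag('Threat Type="APT"')

        # URL of the original alert.
        if a_isight_alert.reportLink:
            new_misp_event.add_attribute(type='link', value=a_isight_alert.reportLink, to_ids=False,
                                         comment="reportLink: {}".format(a_auto_comment))

        # File infos.
        if a_isight_alert.md5:
            PySight_settings.logger.debug("Malware within the event %s", a_isight_alert.md5)
            new_file_object = MISPObject(name='file', standalone=False)
            new_file_object.add_attribute('filename', a_isight_alert.fileName, to_ids=False)
            new_file_object.add_attribute('md5', a_isight_alert.md5, to_ids=False)
            new_file_object.add_attribute('sha1', a_isight_alert.sha1, to_ids=False)
            new_file_object.add_attribute('sha256', a_isight_alert.sha256, to_ids=False)
            if a_isight_alert.description is not None:
                new_file_object.comment = '{} Name of file {}'.format(a_auto_comment, a_isight_alert.description)
            else:
                new_file_object.comment = '{} Name of file'.format(a_auto_comment)
            new_misp_event.add_object(new_file_object)

        if a_isight_alert.fuzzyHash is not None:
            # FIXME: probably better to attach to an existing MISPObject of type file.
            # The auto comment used to be prepended twice here; once is intended.
            new_misp_event.add_attribute(type='text', value=a_isight_alert.fuzzyHash,
                                         category='Internal reference',
                                         comment="{} File fuzzy (ssdeep) hash".format(a_auto_comment))

        if a_isight_alert.fileIdentifier:
            new_misp_event.add_attribute(
                type='other', value=a_isight_alert.fileIdentifier, category='Internal reference',
                comment="{} File characterization {}".format(
                    a_auto_comment, _identifier_description(a_isight_alert.fileIdentifier)))

        # `desc` is reused by the domain/IP attributes below: set for C&C networks
        # first, then overridden by the alert-level networkIdentifier when present.
        desc = ""
        for network in a_isight_alert.networks_array:
            if network.networkType == "C&C":
                desc = _identifier_description("Attacker")
                PySight_settings.logger.debug("Network indicator found")
                attribute = new_misp_event.add_attribute(type='domain', value=network.domain,
                                                         comment='{} domain {}'.format(desc, a_auto_comment))
                attribute.add_tag('veris:action:malware:variety="C2"')
                # Informational, so logged at debug rather than error level.
                PySight_settings.logger.debug("added %s", network.domain)
                # TODO: that needs to be reviewed
                # TODO: make it a config value what to do with C2, PAP X Y Z

        if a_isight_alert.networkIdentifier:
            if a_isight_alert.networkIdentifier == "Attacker":
                # TODO: Then something is C2?!
                a_isight_alert.isCommandAndControl = True
            desc = _identifier_description(a_isight_alert.networkIdentifier)

        # Free-text file/registry details become internal-reference attributes.
        internal_refs = (
            (a_isight_alert.fileType, "{} File format"),
            (a_isight_alert.packer, "{} Packer used on file"),
            (a_isight_alert.registryHive, "{} Hive value of registry used"),
            (a_isight_alert.registryKey, "{} Key of registry used"),
            (a_isight_alert.registryValue, "{} Value of registry key used"),
        )
        for value, comment_fmt in internal_refs:
            if value:
                new_misp_event.add_attribute(type='other', value=value, category='Internal reference',
                                             comment=comment_fmt.format(a_auto_comment))

        # Threat actor. iSight may send the literal string 'None' for actorId.
        if a_isight_alert.actorId and a_isight_alert.actorId != 'None':
            new_misp_event.add_attribute(type='threat-actor', value=a_isight_alert.actorId,
                                         comment=a_auto_comment)
        if a_isight_alert.actor:
            new_misp_event.add_attribute(type='threat-actor', value=a_isight_alert.actor,
                                         comment=a_auto_comment)

        # Domain.
        if a_isight_alert.domain:
            PySight_settings.logger.debug("Network indicator found")
            new_attribute = new_misp_event.add_attribute(type='domain', value=a_isight_alert.domain,
                                                         comment='{} domain {}'.format(desc, a_auto_comment))
            # TODO: that needs to be reviewed
            # TODO: make it a config value what to do with C2, PAP X Y Z
            new_attribute.add_tag('PAP:WHITE')
            # TODO: Add custom Tag if that is C2 as soon as https://github.com/MISP/MISP/issues/802 is completed

        if a_isight_alert.ip:
            PySight_settings.logger.debug("IP indicator found")
            # TODO: maybe reactivate the iSight basic IP search (data_basic_search_ip) here.
            # TODO: Add custom Tag if that is C2 as soon as https://github.com/MISP/MISP/issues/802 is completed
            new_misp_event.add_attribute(type='ip-dst', value=a_isight_alert.ip,
                                         comment='{} ip {}'.format(desc, a_auto_comment))
            if a_isight_alert.isCommandAndControl:
                new_misp_event.add_tag('veris:action:malware:variety="C2"')

        if a_isight_alert.url is not None:
            new_misp_event.add_attribute(type='url', value=a_isight_alert.url,
                                         comment='url {}'.format(a_auto_comment))

        # If the attack was by e-mail, collect the sender details in an email object.
        new_email_object = MISPObject(name='email', standalone=False)
        email_fields = (
            ('from', a_isight_alert.senderAddress, 'senderAddress {}'),
            ('subject', a_isight_alert.subject, 'E-mail subject {}'),
            ('from-display-name', a_isight_alert.senderName, 'E-mail sender name {}'),
        )
        has_email = False
        for relation, value, comment_fmt in email_fields:
            if value:
                new_email_object.add_attribute(relation, value=value, to_ids=False,
                                               comment=comment_fmt.format(a_auto_comment))
                has_email = True
        if a_isight_alert.sourceDomain:
            attr = new_misp_event.add_attribute(type='domain', value=a_isight_alert.sourceDomain,
                                                comment='E-mail source domain {}'.format(a_auto_comment))
            if has_email:
                new_email_object.add_reference(attr.uuid, 'related-to', 'E-mail source domain')
        if a_isight_alert.emailLanguage:
            attr = new_misp_event.add_attribute(type='other', value=a_isight_alert.emailLanguage,
                                                category='Internal reference',
                                                comment='E-mail language {}'.format(a_auto_comment))
            if has_email:
                new_email_object.add_reference(attr.uuid, 'related-to', 'E-mail language')
        if has_email:
            new_misp_event.add_object(new_email_object)

        p_misp_instance.add_event(new_misp_event)
    except Exception as exc:
        # logger.exception() records the traceback. Previously the TypeError
        # handler read sys.exc_info[0] without calling it (raising inside the
        # handler), and the AttributeError handler fell through to `return True`
        # although add_event had never been reached.
        PySight_settings.logger.exception("%s while mapping the alert", type(exc).__name__)
        return False
    return True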
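from keys import misp_url, misp_key, misp_verifycert
from datetime import date

# misp_verifycert should stay True outside a lab setup: with verification off
# the API key is sent over a TLS session whose peer is not authenticated.
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

event = MISPEvent()
event.info = 'IoT malware'  # Event Title
event.distribution = 1  # 0 = Your Organisation Only, 1 = Community
event.threat_level_id = 2  # 1 = High, 2 = Medium, 3 = Low
event.analysis = 2  # 0 (initial analysis), 1 (On-Going), 2 (Complete)
event.add_tag('tlp:amber')
event.set_date(date.today())

misp_object = MISPObject('ss7-attack', standalone=False)
misp_object.comment = 'SS7 attack PSI cat2.1'
misp_object.add_attribute('Category', value='Cat2.1')
misp_object.add_attribute('text', value='This attack is used for location tracking')
misp_object.add_attribute('SccpCgGT', value='99999999999')
event.add_object(misp_object)

event = misp.add_event(event, pythonify=True)
# Publish the event on the server. MISPEvent.publish() only flips the local
# `published` flag and sends nothing; the server-side publish is an API call.
misp.publish(event)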
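def update_misp_event(misp_instance, event, isight_alert):
    """Map one Silobreaker/iSight alert onto *event*, push it and publish it.

    Args:
        misp_instance: Connected ExpandedPyMISP client used to store and
            publish the event. Any other type is rejected.
        event: MISPEvent extended in place; it is pushed back with
            update_event() and then published by id.
        isight_alert: Alert record whose fields (Type, Description, md5,
            domain, ip, registry, actor, ...) are mapped to MISP attributes
            and objects. Absent indicators are expected to be falsy.

    Returns:
        False when *misp_instance* is not an ExpandedPyMISP, otherwise None
        once the event has been updated and published (alert e-mail
        suppressed).

    Ideas of Alex not implemented:
      - Use expanded networkIdentifier as a comment.
      - Create attributes and use object relationships for iSight fields
        that have no corresponding MISP object attribute.
    Unused iSight fields: observationTime
    """
    PySilo_settings.logger.debug('update_misp_event:Updating the event %s', event)

    if not isinstance(misp_instance, ExpandedPyMISP):
        # The original logged a leftover 'Silobreaker Attributes' debug line
        # here; the rejection is an error and should say why.
        PySilo_settings.logger.error(
            'update_misp_event:Parameter misp_instance is not an ExpandedPyMISP object')
        return False

    # Silobreaker additions (dmolina213).
    PySilo_settings.logger.debug('208:update_misp_event:Type %s', isight_alert.Type)
    PySilo_settings.logger.debug('208:update_misp_event:Description %s', isight_alert.Description)

    # to_ids: only indicators attributed to the attacker or to a compromised
    # asset (or any hash from a malware report) are exported for detection;
    # 'Related' / 'Victim' indicators stay context only.
    file_ids = (isight_alert.fileIdentifier in ('Attacker', 'Compromised')
                or isight_alert.intelligenceType == 'malware')
    network_ids = isight_alert.networkIdentifier in ('Attacker', 'Compromised')

    # malwareFamily is the default comment for every attribute.
    # NOTE(review): the original first derived a default from Type/Description
    # ('Compromised Email') and then unconditionally overwrote it with this
    # value; the dead assignment is dropped, the effective value is unchanged.
    default_comment = isight_alert.malwareFamily or ''

    # Compromised-email alerts carry their indicator in Description.
    if isight_alert.Description:
        _add_email_object(event, isight_alert, default_comment)

    if isight_alert.md5:
        _add_file_object(event, isight_alert, default_comment, file_ids)

    if isight_alert.userAgent:
        event.add_attribute(category='Network activity', type='user-agent',
                            value=isight_alert.userAgent, to_ids=network_ids,
                            comment=default_comment)

    if isight_alert.asn:
        # Don't use the ASN for detection.
        event.add_attribute(category='Network activity', type='AS',
                            value=isight_alert.asn, to_ids=False,
                            comment=default_comment)

    # iSight "domains" are in fact hostnames. Without a hostname an IP address
    # becomes an ip-src/ip-dst attribute instead.
    if isight_alert.domain:
        _add_hostname_attribute(event, isight_alert, default_comment, network_ids)
    elif isight_alert.ip:
        _add_ip_attribute(event, isight_alert, default_comment, network_ids)

    if isight_alert.registrantEmail:
        _add_whois_object(event, isight_alert, default_comment, network_ids)

    if isight_alert.url:
        url_attr = event.add_attribute(category='Network activity', type='url',
                                       value=isight_alert.url, to_ids=network_ids,
                                       comment=default_comment)
        if isight_alert.networkType == 'C&C':
            # Tag the attribute just created, like the hostname/ip branches do
            # (the original matched it again by value via add_attribute_tag).
            url_attr.add_tag('veris:action:malware:variety="C2"')

    # Ideally the registry field would be split into hive, key and value.
    if isight_alert.registry:
        reg_comment = default_comment
        if isight_alert.description:
            reg_comment = _join_comment(default_comment, isight_alert.description)
        event.add_attribute(category='Artifacts dropped', type='regkey',
                            value=isight_alert.registry, to_ids=file_ids,
                            comment=reg_comment)

    if isight_alert.malwareFamily:
        event.add_attribute(category='Antivirus detection', type='text',
                            value=isight_alert.malwareFamily, to_ids=False)

    if isight_alert.actor:
        # Don't use the threat actor for detection.
        event.add_attribute(category='Attribution', type='threat-actor',
                            value=isight_alert.actor, to_ids=False)

    # Source tag goes on the event before it is pushed. The original called
    # event.attribute.add_tag(...) *after* update_event(): MISPEvent has no
    # 'attribute' member (the list is 'attributes'), and a tag added after the
    # push would never have reached the server anyway.
    event.add_tag('ISIGHT APIv3')

    # Commit the additions to the MISP instance.
    misp_instance.update_event(event)

    # publish() expects the event id, not the MISPEvent; alert=False suppresses
    # the notification e-mail. The original debug call passed two arguments
    # for a single %s placeholder, which logging reports as a format error.
    PySilo_settings.logger.debug('#####publishing event: %s (alert %s)',
                                 event['id'], isight_alert.ID)
    misp_instance.publish(event['id'], alert=False)


def _join_comment(base, addition):
    """Return *base* and *addition* joined with '; ', or *addition* alone when *base* is empty."""
    if base == '':
        return addition
    return base + '; ' + addition


def _add_email_object(event, isight_alert, default_comment):
    """Attach an 'email' object built from the alert's Type/Description (Silobreaker compromised-email alerts)."""
    if isight_alert.Type:
        # The original concatenated Type and Description with no separator.
        email_comment = _join_comment(
            default_comment,
            'VA Compromised Email: ' + isight_alert.Type + ' ' + isight_alert.Description)
    else:
        email_comment = default_comment
    PySilo_settings.logger.debug('update_misp_event273:email_comment %s', email_comment)

    email_object = MISPObject('email')
    email_object.comment = email_comment
    # NOTE(review): Description is stored as the 'from' address — confirm this
    # matches the feed's field mapping. It is deliberately kept out of
    # detection (to_ids=False), as in the original.
    email_object.add_attribute('from', value=isight_alert.Description, to_ids=False)

    PySilo_settings.logger.debug('Adding object to event %s', email_object)
    event.add_object(email_object)


def _add_file_object(event, isight_alert, default_comment, file_ids):
    """Attach a 'file' object carrying the alert's hashes and file metadata (md5 is required)."""
    file_comment = default_comment
    if isight_alert.description:
        file_comment = _join_comment(default_comment, isight_alert.description)

    file_object = MISPObject('file')
    file_object.comment = file_comment
    # Hashes carry the to_ids decision; descriptive fields never do.
    file_object.add_attribute('md5', value=isight_alert.md5, to_ids=file_ids)
    if isight_alert.sha1:
        file_object.add_attribute('sha1', value=isight_alert.sha1, to_ids=file_ids)
    if isight_alert.sha256:
        file_object.add_attribute('sha256', value=isight_alert.sha256, to_ids=file_ids)
    if (isight_alert.fileName
            and isight_alert.fileName != 'UNAVAILABLE'
            and isight_alert.fileName.upper() != 'UNKNOWN'):
        # Don't use filenames for detection.
        file_object.add_attribute('filename', value=isight_alert.fileName, to_ids=False)
    if isight_alert.fileSize:
        # Don't use file size for detection.
        file_object.add_attribute('size-in-bytes', value=isight_alert.fileSize, to_ids=False)
    if isight_alert.fuzzyHash:
        file_object.add_attribute('ssdeep', value=isight_alert.fuzzyHash, to_ids=file_ids)
    if isight_alert.fileType and isight_alert.fileType != 'fileType':
        # Don't use file type for detection.
        file_object.add_attribute('text', value=isight_alert.fileType, to_ids=False)
    if isight_alert.fileCompilationDateTime:
        # Epoch seconds -> timezone-aware UTC datetime. The original used the
        # naive fromtimestamp(), i.e. the collector's local time, although
        # the comment promised UTC; an explicit tz removes that ambiguity.
        compile_date = datetime.datetime.fromtimestamp(
            isight_alert.fileCompilationDateTime, tz=datetime.timezone.utc)
        file_object.add_attribute('compilation-timestamp', value=str(compile_date), to_ids=False)
    if isight_alert.filePath:
        file_object.add_attribute('path', value=isight_alert.filePath, to_ids=False)

    # The original logged 'Adding object to event %s' without an argument.
    PySilo_settings.logger.debug('Adding object to event %s', file_object)
    event.add_object(file_object)


def _add_hostname_attribute(event, isight_alert, default_comment, network_ids):
    """Add a 'hostname' (or 'hostname|port') attribute; a resolved IP and protocol go into the comment."""
    host_comment = default_comment
    if isight_alert.ip:
        host_comment = _join_comment(host_comment, 'Resolves to ' + isight_alert.ip)
    if isight_alert.protocol:
        host_comment = _join_comment(host_comment, isight_alert.protocol)

    if isight_alert.port:
        # str() so a numeric port does not break the concatenation.
        new_attr = event.add_attribute(category='Network activity', type='hostname|port',
                                       value=isight_alert.domain + '|' + str(isight_alert.port),
                                       to_ids=network_ids, comment=host_comment)
    else:
        new_attr = event.add_attribute(category='Network activity', type='hostname',
                                       value=isight_alert.domain,
                                       to_ids=network_ids, comment=host_comment)
    if isight_alert.networkType == 'C&C':
        # Add veris tag to attribute.
        new_attr.add_tag('veris:action:malware:variety="C2"')
        new_attr.add_tag('vIsight:APIv3')


def _guess_ip_type(isight_alert):
    """Pick 'ip-src' or 'ip-dst' from the alert's role fields; a known port implies a destination."""
    if isight_alert.port:
        # If a port is provided, it's likely a destination IP address.
        return 'ip-dst'
    if isight_alert.networkIdentifier == 'Attacker':
        # Likely a source, unless it is the C&C the victim connects to.
        return 'ip-dst' if isight_alert.networkType == 'C&C' else 'ip-src'
    if isight_alert.networkIdentifier in ('Compromised', 'Victim'):
        return 'ip-dst'
    # 'Related' and any other role: source is the more likely.
    # TODO: Is there a better way to determine whether it's a source or destination IP address?
    return 'ip-src'


def _add_ip_attribute(event, isight_alert, default_comment, network_ids):
    """Add an ip-src/ip-dst (optionally '|port') attribute for an alert that has no hostname."""
    ip_comment = default_comment
    if isight_alert.protocol:
        ip_comment = _join_comment(default_comment, isight_alert.protocol)

    ip_type = _guess_ip_type(isight_alert)
    if isight_alert.port:
        new_attr = event.add_attribute(category='Network activity', type=ip_type + '|port',
                                       value=isight_alert.ip + '|' + str(isight_alert.port),
                                       to_ids=network_ids, comment=ip_comment)
    else:
        new_attr = event.add_attribute(category='Network activity', type=ip_type,
                                       value=isight_alert.ip, to_ids=network_ids,
                                       comment=ip_comment)
    if isight_alert.networkType == 'C&C':
        # Add veris tag to attribute.
        new_attr.add_tag('veris:action:malware:variety="C2"')


def _add_whois_object(event, isight_alert, default_comment, network_ids):
    """Attach a 'whois' object keyed on the registrant e-mail, with the related domain when known."""
    whois_object = MISPObject('whois')
    whois_object.comment = default_comment
    whois_object.add_attribute('registrant-email', value=isight_alert.registrantEmail,
                               to_ids=network_ids)
    if isight_alert.registrantName:
        whois_object.add_attribute('registrant-name', value=isight_alert.registrantName,
                                   to_ids=False)
    if isight_alert.domain:
        whois_object.add_attribute('domain', value=isight_alert.domain, to_ids=network_ids)
    elif isight_alert.sourceDomain:
        whois_object.add_attribute('domain', value=isight_alert.sourceDomain, to_ids=network_ids)
    event.add_object(whois_object)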
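# Connect to the MISP instance; the third positional argument is PyMISP's
# `ssl` parameter (TLS certificate verification of the server).
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

event = MISPEvent()
event.info = 'FluBot - POST Luxembourg Detected URLs - All domains'  # Event Title
event.distribution = 1  # 0 = Your Organisation Only, 1 = Community
event.threat_level_id = 1  # 1 = High, 2 = Medium, 3 = Low
event.analysis = 2  # 0 (initial analysis), 1 (On-Going), 2 (Complete)
for tag in ('tlp:green', 'Flubot', 'android', 'Smishing', 'android-malware'):
    event.add_tag(tag)
event.set_date(date.today())

# The CSV path comes from the command line; fail with a usage message rather
# than an IndexError on sys.argv when it is missing.
if len(sys.argv) < 2:
    sys.exit('usage: ' + sys.argv[0] + ' <detected-urls.csv>')

# Input: one indicator per row, column 0 = URL, column 1 = domain.
# newline='' is what the csv module expects so quoted fields containing
# line breaks are parsed correctly.
with open(sys.argv[1], newline='') as csv_file:
    csv_reader = csv.reader(csv_file, delimiter=',')
    for row_number, row in enumerate(csv_reader, start=1):
        if len(row) < 2:
            # Blank or truncated lines would otherwise raise IndexError and
            # abort the whole import.
            print('skipping row', row_number, ': expected 2 columns, got', len(row),
                  file=sys.stderr)
            continue
        misp_object = MISPObject('url', standalone=False)
        misp_object.comment = 'Flubot Domain detect via TIDS'
        misp_object.add_attribute('url', value=row[0])
        misp_object.add_attribute('domain', value=row[1])
        event.add_object(misp_object)

# Store the event; pythonify=True returns the stored MISPEvent with its id.
event = misp.add_event(event, pythonify=True)

# Publish on the server. event.publish() only sets the local `published`
# flag of the MISPEvent and never contacts the server; the API call does.
# alert=False suppresses the notification e-mail.
misp.publish(event, alert=False)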