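    def do_transform(self, request, response, config):
        """Expand a MISPEvent entity into its tags, galaxy clusters, attributes and objects.

        Fetches the event by the entity's ``id`` from the MISP instance described by
        ``config`` and appends one Maltego entity per tag (except galaxy tags and the
        tags this package writes as notes), galaxy cluster, attribute and object.
        Returns ``response`` unchanged when MISP returns no ``Event``. Sections that
        are missing from the event payload are treated as empty rather than raising.
        """
        maltego_misp_event = request.entity
        misp = get_misp_connection(config)
        # FIXME: get the event without attachments (search + includeAttachments:0,
        # eventid: in the request body); attachments are never used by this transform.
        event_json = misp.get_event(maltego_misp_event.id)
        event = event_json.get('Event')
        if not event:
            return response

        response += event_to_entity(event_json)
        # Every tag name (including the ones not rendered as Hashtag below) is handed
        # to attribute_to_entity.
        event_tags = []
        for tag in event.get('Tag', []):
            name = tag['name']
            event_tags.append(name)
            # galaxy tags are rendered as galaxy-cluster entities instead
            if name.startswith('misp-galaxy'):
                continue
            # tags that this package stores as notes are not surfaced as hashtags
            if tag_matches_note_prefix(name):
                continue
            response += Hashtag(name)
        # 'Galaxy', 'Attribute' and 'Object' are read with a default: an event that
        # lacks one of these sections must not abort the whole transform with KeyError.
        for galaxy in event.get('Galaxy', []):
            for cluster in galaxy['GalaxyCluster']:
                response += galaxycluster_to_entity(cluster)

        for attribute in event.get('Attribute', []):
            for entity in attribute_to_entity(attribute, event_tags=event_tags):
                if entity:
                    response += entity

        for misp_object in event.get('Object', []):
            response += object_to_entity(misp_object)
        return response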
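    def do_transform(self, request, response, config):
        """Push the entity value into a MISP event through the free-text import.

        This is a *write* transform: ``misp.freetext`` creates attributes in the event
        named by the entity's ``EventID`` property. MISPEvent entities (integer
        ``value``) are skipped; a missing, zero or non-numeric ``EventID`` is reported
        as a fatal UI message instead of being sent to MISP. Failures reported by
        MISP are surfaced as fatal UI messages as well.
        """
        response += check_update(config)
        maltego_misp_attribute = request.entity
        # skip MISP Events (value = int); only a conversion failure means "not an event"
        try:
            int(maltego_misp_attribute.value)
        except (ValueError, TypeError):
            pass
        else:
            return response
        # Check that a usable MISP event id is specified on the entity
        if 'EventID' not in maltego_misp_attribute.fields:
            response += UIMessage("Error: Add MISP EventID Property 'EventID' to Maltego Entity!",
                                  type=UIMessageType.Fatal)
            return response
        eventID = maltego_misp_attribute.fields['EventID'].value
        try:
            event_id_number = int(eventID)
        except (ValueError, TypeError):
            # a non-numeric id is reported exactly like an unset one below
            event_id_number = 0
        if event_id_number == 0:
            response += UIMessage("Error: Enter MISP EventID to Property 'EventID' of Maltego Entity!",
                                  type=UIMessageType.Fatal)
            return response
        misp = get_misp_connection(config, request.parameters)
        # distribution=0 and adhereToWarninglists=True are fixed here: the imported
        # attributes get MISP's most restrictive distribution level and warninglist
        # hits are honoured (see the PyMISP freetext documentation for the exact
        # semantics) -- confirm this matches the sharing policy of the target instance.
        JSON_resp = misp.freetext(eventID, maltego_misp_attribute.value,
                                  adhereToWarninglists=True, distribution=0,
                                  returnMetaAttributes=False, pythonify=True)
        if 'errors' in JSON_resp:
            status, error_response = JSON_resp['errors'][0], JSON_resp['errors'][1]
            if status == 403:
                if not error_response['saved']:
                    error_reason = error_response['errors']['value'][0]
                    response += UIMessage("Error: %s" % error_reason, type=UIMessageType.Fatal)
            else:
                # previously swallowed silently; the user would never learn the import failed
                response += UIMessage("Error: MISP freetext import failed (%s)" % status,
                                      type=UIMessageType.Fatal)
        return response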
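 def do_transform(self, request, response, config):
     """Expand a MISPEvent entity into related events, attributes, objects, clusters and tags.

     Returns ``response`` untouched when MISP does not return an ``Event`` for the
     entity's ``id``. Sections missing from the event payload are treated as empty
     instead of raising KeyError.
     """
     maltego_misp_event = request.entity
     misp = get_misp_connection(config)
     # FIXME: fetch the event without attachments; they are not used here
     event_json = misp.get_event(maltego_misp_event.id)
     event = event_json.get('Event')
     if not event:
         return response
     # related events first, then the event's own content
     for related in event.get('RelatedEvent', []):
         response += event_to_entity(related)
     for attribute in event.get('Attribute', []):
         for entity in attribute_to_entity(attribute):
             if entity:
                 response += entity
     for misp_object in event.get('Object', []):
         # LATER: objects cannot be expanded automatically from here
         response += object_to_entity(misp_object)
     for galaxy in event.get('Galaxy', []):
         for cluster in galaxy['GalaxyCluster']:
             response += galaxycluster_to_entity(cluster)
     for tag in event.get('Tag', []):
         # galaxy tags are already represented by the cluster entities above
         if tag['name'].startswith('misp-galaxy'):
             continue
         response += Hashtag(tag['name'])
     return response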
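    def do_transform(self, request, response, config):
        """Look up the entity value in MISP and link every event that contains it.

        MISPEvent entities (integer ``value``) are skipped. For each matching event
        the event entity is added, then the matching attribute is rebuilt from the
        MISP payload (``only_self=True``) so Maltego can bookmark it, because
        ``request.entity`` arrives as type Unknown.
        """
        maltego_misp_attribute = request.entity
        # skip MISP Events (value = int); only a conversion failure means "not an event"
        try:
            int(maltego_misp_attribute.value)
        except (ValueError, TypeError):
            pass
        else:
            return response

        misp = get_misp_connection(config)
        # the raw entity value is the search term; no normalisation happens on this side
        events_json = misp.search(controller='events',
                                  values=maltego_misp_attribute.value,
                                  withAttachments=False)
        matching_events = events_json['response']
        for event in matching_events:
            response += event_to_entity(event)
        # find the object again, and bookmark it green
        # we need to really rebuild the Entity from scratch as request.entity is of type Unknown
        for event in matching_events:
            attr = get_attribute_in_event(event, maltego_misp_attribute.value)
            if attr:
                for item in attribute_to_entity(attr, only_self=True):
                    response += item
        return response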
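    def do_transform(self, request, response, config):
        """Expand a MISPEvent entity into tags, galaxy clusters, attributes and objects.

        The event is fetched by the entity's ``id``; when MISP returns no ``Event``
        the response is returned untouched. Related events are deliberately not
        expanded by this transform. Sections missing from the event payload are
        treated as empty instead of raising KeyError.
        """
        misp = get_misp_connection(config)
        # FIXME: fetch the event without attachments (search + includeAttachments:0,
        # eventid: in the request body) -- the attachments are never used here.
        event_json = misp.get_event(request.entity.id)
        event = event_json.get('Event')
        if not event:
            return response

        response += event_to_entity(event_json)
        # collect every tag name (incl. galaxy/note tags) for attribute_to_entity
        event_tags = [tag['name'] for tag in event.get('Tag', [])]
        for name in event_tags:
            # galaxy tags are rendered as cluster entities below; note-prefixed tags are
            # the ones this package writes itself and are not shown as hashtags
            if name.startswith('misp-galaxy') or tag_matches_note_prefix(name):
                continue
            response += Hashtag(name)
        for galaxy in event.get('Galaxy', []):
            for cluster in galaxy['GalaxyCluster']:
                response += galaxycluster_to_entity(cluster)

        for attribute in event.get('Attribute', []):
            for entity in attribute_to_entity(attribute, event_tags=event_tags):
                if entity:
                    response += entity

        for misp_object in event.get('Object', []):
            # LATER: objects cannot be expanded automatically from here
            response += object_to_entity(misp_object)
        return response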
    def do_transform(self, request, response, config):
        """Link the MISP events that reference the incoming entity.

        MISPEvent and MISPObject entities are ignored. A MISPGalaxy entity is looked
        up by its ``tag_name`` property (falling back to its value); anything else is
        searched by value. Every hit is added as an event entity, and the matching
        attribute is rebuilt from the MISP payload so it can be bookmarked, since
        ``request.entity`` arrives as type Unknown.
        """
        entity = request.entity
        fields = entity.fields
        # skip some Entities
        if any(skipped in fields for skipped in ('properties.mispevent', 'properties.mispobject')):
            return response

        if 'ipv4-range' in fields:
            # placeholder for https://github.com/MISP/MISP-maltego/issues/11
            pass

        misp = get_misp_connection(config)

        if 'properties.mispgalaxy' in fields:
            # the galaxy's tag name drives the search; fall back to the entity value
            tag_name = get_entity_property(entity, 'tag_name') or entity.value
            events_json = misp.search(controller='events', tags=tag_name, withAttachments=False)
        else:
            events_json = misp.search(controller='events', values=entity.value, withAttachments=False)

        hits = events_json['response']
        for hit in hits:
            response += event_to_entity(hit)
        # find the object again, and bookmark it green
        # we need to really rebuild the Entity from scratch as request.entity is of type Unknown
        if hits:
            for hit in hits:
                attr = get_attribute_in_event(hit, entity.value)
                if attr:
                    for item in attribute_to_entity(attr, only_self=True):
                        response += item
        return response
    def do_transform(self, request, response, config):
        """Link the MISP events (and objects) that reference the incoming entity.

        Dispatches on the entity's fields: MISPEvent entities are ignored; MISPGalaxy
        and Hashtag entities are searched by tag name, MISPObject entities by their
        ``event_id`` property, and every other entity by value. For a by-value search
        an event is linked only when the value is found among its attributes, and each
        object holding the value is linked too. All links are drawn output -> input.
        """
        response += check_update(config)
        entity = request.entity
        fields = entity.fields
        # skip some Entities
        if 'properties.mispevent' in fields:
            return response

        if 'ipv4-range' in fields:
            # placeholder for https://github.com/MISP/MISP-maltego/issues/11
            pass

        misp = get_misp_connection(config, request.parameters)

        # The first three entity kinds link every hit directly; plain attributes are
        # filtered below so only events/objects actually holding the value are linked.
        link_all_hits = True
        # from Galaxy
        if 'properties.mispgalaxy' in fields:
            tag_name = get_entity_property(entity, 'tag_name') or entity.value
            hits = misp.search(controller='events', tags=tag_name, with_attachments=False)
        # from Object
        elif 'properties.mispobject' in fields:
            event_id_field = fields.get('event_id')
            if not event_id_field:
                return response
            hits = misp.search(controller='events', eventid=event_id_field.value,
                               with_attachments=False)
        # from Hashtag
        elif 'properties.temp' in fields:
            tag_name = get_entity_property(entity, 'Temp') or entity.value
            hits = misp.search(controller='events', tags=tag_name, with_attachments=False)
        # standard Entities (normal attributes)
        else:
            link_all_hits = False
            hits = misp.search(controller='events', value=entity.value, with_attachments=False)

        if link_all_hits:
            for hit in hits:
                response += event_to_entity(hit, link_direction=LinkDirection.OutputToInput)
            return response

        # return the MISPEvent or MISPObject of the attribute
        value = entity.value
        for hit in hits:
            # find the value as attribute
            if get_attribute_in_event(hit, value):
                response += event_to_entity(hit, link_direction=LinkDirection.OutputToInput)
            # find the value as object
            for misp_object in hit['Event'].get('Object', []):
                if get_attribute_in_object(misp_object, attribute_value=value).get('value'):
                    response += object_to_entity(misp_object, link_direction=LinkDirection.OutputToInput)

        return response
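    def do_transform(self, request, response, config):
        """Link a MISPEvent entity to its related events (dash-dot links).

        Returns ``response`` untouched when MISP returns no ``Event``; an event
        without a ``RelatedEvent`` section simply yields no extra links.
        """
        misp = get_misp_connection(config)
        # FIXME: fetch without attachments (search + includeAttachments:0, eventid: in the body)
        event_json = misp.get_event(request.entity.id)
        event = event_json.get('Event')
        if not event:
            return response

        response += event_to_entity(event_json)
        for related in event.get('RelatedEvent', []):
            response += event_to_entity(related, link_style=LinkStyle.DashDot)
        return response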
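    def do_transform(self, request, response, config):
        """Expand a MISPObject entity into its attribute entities.

        Re-fetches the object's event by ``event_id`` and emits the attributes of the
        object whose ``uuid`` matches the entity. Returns the response untouched when
        MISP returns no ``Event`` instead of failing with KeyError.
        """
        maltego_object = request.entity
        misp = get_misp_connection(config)
        event_json = misp.get_event(maltego_object.event_id)
        event = event_json.get('Event')
        if not event:
            return response
        for misp_object in event.get('Object', []):
            # only the object the entity was created from is expanded
            if misp_object['uuid'] != maltego_object.uuid:
                continue
            for entity in object_to_attributes(misp_object):
                if entity:
                    response += entity

        return response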
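    def do_transform(self, request, response, config):
        """Expand a MISPObject entity into its attribute entities.

        Re-fetches the object's event by ``event_id`` and hands the object whose
        ``uuid`` matches the entity, together with the full event JSON, to
        ``object_to_attributes``. Returns the response untouched when MISP returns
        no ``Event`` instead of failing with KeyError.
        """
        maltego_object = request.entity
        misp = get_misp_connection(config)
        event_json = misp.get_event(maltego_object.event_id)
        event = event_json.get('Event')
        if not event:
            return response
        for misp_object in event.get('Object', []):
            if misp_object['uuid'] == maltego_object.uuid:
                for entity in object_to_attributes(misp_object, event_json):
                    if entity:
                        response += entity

        return response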
 def do_transform(self, request, response, config):
     """Link every MISP event tagged with this galaxy/tag entity.

     The tag to search for is the entity's ``tag_name`` attribute, or its value when
     that attribute is empty. Each hit becomes a MISPEvent entity drawn output -> input.
     """
     response += check_update(config)
     misp = get_misp_connection(config, request.parameters)
     entity = request.entity
     tag_name = entity.tag_name or entity.value
     for hit in misp.search(controller='events', tags=tag_name, with_attachments=False):
         event = hit['Event']
         response += MISPEvent(event['id'], uuid=event['uuid'], info=event['info'],
                               link_direction=LinkDirection.OutputToInput)
     return response
 def do_transform(self, request, response, config):
     """Link every MISP event whose attributes match the entity value.

     Each event returned by the search becomes a MISPEvent entity carrying the
     event id, uuid and info.
     """
     misp = get_misp_connection(config)
     search_value = request.entity.value
     events_json = misp.search(controller='events',
                               values=search_value,
                               withAttachments=False)
     for hit in events_json['response']:
         event = hit['Event']
         response += MISPEvent(event['id'],
                               uuid=event['uuid'],
                               info=event['info'])
     return response
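    def do_transform(self, request, response, config):
        """Expand a MISPObject entity into its relation entities.

        Re-fetches the object's event by ``event_id`` and emits the relations of the
        object whose ``uuid`` matches the entity. Returns the response untouched when
        MISP returns no ``Event`` instead of failing with KeyError.
        """
        response += check_update(config)
        maltego_object = request.entity
        misp = get_misp_connection(config, request.parameters)
        event_json = misp.get_event(maltego_object.event_id)
        event = event_json.get('Event')
        if not event:
            return response
        for misp_object in event.get('Object', []):
            if misp_object['uuid'] != maltego_object.uuid:
                continue
            for entity in object_to_relations(misp_object, event_json):
                if entity:
                    response += entity

        return response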
    def do_transform(self, request, response, config):
        """Fetch the MISPEvent for the incoming entity and stash request state on ``self``.

        Stores ``request``, ``response``, ``config``, the MISP connection and the
        fetched event JSON as attributes so that later processing can reuse them.
        Returns ``False`` (leaving the response untouched) when MISP returns no
        ``Event``; otherwise appends the event entity and returns ``True``.
        """
        self.request, self.response, self.config = request, response, config
        self.misp = get_misp_connection(config)
        # FIXME: fetch without attachments (search + includeAttachments:0, eventid: in the body)
        self.event_json = self.misp.get_event(request.entity.id)
        if not self.event_json.get('Event'):
            return False

        self.response += event_to_entity(self.event_json)
        return True
 def do_transform(self, request, response, config):
     """Link every MISP event tagged with this galaxy entity.

     The tag to search for is the entity's ``tag_name`` attribute, or its value when
     that attribute is empty. Each hit becomes a MISPEvent entity drawn output -> input.
     """
     galaxy = request.entity
     misp = get_misp_connection(config)
     tag_name = galaxy.tag_name or galaxy.value
     events_json = misp.search(controller='events',
                               tags=tag_name,
                               withAttachments=False)
     for hit in events_json['response']:
         event = hit['Event']
         response += MISPEvent(event['id'],
                               uuid=event['uuid'],
                               info=event['info'],
                               link_direction=LinkDirection.OutputToInput)
     return response
    def do_transform(self, request, response, config):
        """Search the MISPEvent for the incoming entity and stash request state on ``self``.

        Stores ``request``, ``response``, ``config``, the MISP connection and the
        found event JSON as attributes. Returns ``False`` (leaving the response
        untouched) when the search yields nothing; otherwise appends the event
        entity and returns ``True``.
        """
        self.request, self.response, self.config = request, response, config
        self.misp = get_misp_connection(config)
        search_result = self.misp.search(controller='events',
                                         eventid=request.entity.id,
                                         withAttachments=False)
        hits = search_result.get('response')
        if not hits:
            return False
        # pop() takes the last hit (and removes it from the result list);
        # presumably a single event comes back for a single event id -- verify
        self.event_json = hits.pop()

        self.response += event_to_entity(self.event_json)
        return True
    def do_transform(self, request, response, config):
        """Search the MISPEvent for the incoming entity and stash request state on ``self``.

        Stores ``request``, ``response``, ``config``, the MISP connection and the
        found event JSON as attributes, after appending the update check to the
        response. Returns ``False`` when the search yields nothing; otherwise
        appends the event entity and returns ``True``.
        """
        self.request, self.response, self.config = request, response, config
        self.response += check_update(config)
        self.misp = get_misp_connection(config, request.parameters)
        search_result = self.misp.search(controller='events',
                                         eventid=request.entity.id,
                                         with_attachments=False)
        if not search_result:
            return False
        # pop() takes the last hit (and removes it from the result list);
        # presumably a single event comes back for a single event id -- verify
        self.event_json = search_result.pop()

        self.response += event_to_entity(self.event_json)
        return True
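    def do_transform(self, request, response, config):
        """Expand a MISPEvent entity into its Hashtag and galaxy-cluster entities.

        Returns ``response`` untouched when MISP returns no ``Event`` for the
        entity's ``id`` (previously this raised KeyError); ``Tag`` and ``Galaxy``
        sections missing from the payload are treated as empty.
        """
        maltego_misp_event = request.entity
        misp = get_misp_connection(config)
        event_json = misp.get_event(maltego_misp_event.id)
        event = event_json.get('Event')
        if not event:
            return response

        for tag in event.get('Tag', []):
            name = tag['name']
            # galaxy tags are rendered as galaxy-cluster entities below
            if name.startswith('misp-galaxy'):
                continue
            response += Hashtag(name)

        for galaxy in event.get('Galaxy', []):
            for cluster in galaxy['GalaxyCluster']:
                response += galaxycluster_to_entity(cluster)
        return response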
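    def do_transform(self, request, response, config):
        """Rebuild the incoming attribute entity from MISP so it can be bookmarked.

        MISPEvent entities (integer ``value``) are skipped. Every event containing
        the value is searched, and the matching attribute is emitted with
        ``only_self=True`` because ``request.entity`` arrives as type Unknown.
        """
        response += check_update(config)
        maltego_misp_attribute = request.entity
        # skip MISP Events (value = int); only a conversion failure means "not an event"
        try:
            int(maltego_misp_attribute.value)
        except (ValueError, TypeError):
            pass
        else:
            return response

        misp = get_misp_connection(config, request.parameters)
        value = maltego_misp_attribute.value
        events_json = misp.search(controller='events', value=value, with_attachments=False)
        # we need to really rebuild the Entity from scratch as request.entity is of type Unknown
        for event in events_json:
            attr = get_attribute_in_event(event, value)
            if attr:
                for item in attribute_to_entity(attr, only_self=True):
                    response += item
        return response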
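    def do_transform(self, request, response, config):
        """Rebuild the incoming attribute entity from MISP so it can be bookmarked green.

        MISPEvent entities (integer ``value``) are skipped. Every event containing
        the value is searched, and the matching attribute is emitted with
        ``only_self=True`` because ``request.entity`` arrives as type Unknown.
        """
        maltego_misp_attribute = request.entity
        # skip MISP Events (value = int); only a conversion failure means "not an event"
        try:
            int(maltego_misp_attribute.value)
        except (ValueError, TypeError):
            pass
        else:
            return response

        misp = get_misp_connection(config)
        value = maltego_misp_attribute.value
        events_json = misp.search(controller='events', values=value, withAttachments=False)
        # find the object again, and bookmark it green
        # we need to really rebuild the Entity from scratch as request.entity is of type Unknown
        for event in events_json['response']:
            attr = get_attribute_in_event(event, value)
            if attr:
                for item in attribute_to_entity(attr, only_self=True):
                    response += item
        return response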