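def misp_event_create(event_info, internal_reference, phish_artefacts):
    """Create a MISP event for a phishing case and attach its artefacts.

    Uses the module-level ``pymisp`` client and the module-level settings
    ``misp_distribution``, ``sharing_group_id``, ``misp_threat_level_id``,
    ``misp_analysis``, ``misp_tags`` and ``auto_publish``.

    Args:
        event_info: Text used as the event's ``info`` field.
        internal_reference: Stored as an ``Internal reference`` text
            attribute and used to verify that the attribute round-tripped.
        phish_artefacts: Passed through unchanged to ``misp_create_objects``.

    Returns:
        The object returned by ``pymisp.add_event`` (an error response when
        creation failed), or ``""`` when the internal reference attribute did
        not come back with the expected value.
    """
    event = MISPEvent()
    event.distribution = misp_distribution
    # A sharing group is only meaningful for distribution 4 ("Sharing group").
    if sharing_group_id >= 1 and misp_distribution == 4:
        event.sharing_group_id = sharing_group_id
    event.threat_level_id = misp_threat_level_id
    event.analysis = misp_analysis
    event.info = event_info
    event = pymisp.add_event(event, pythonify=True)

    # A created event carries a uuid; an error response does not.  Attribute
    # creation, tagging and publishing all need a real event behind them.
    created = hasattr(event, 'uuid')
    if created:
        attribute = pymisp.add_attribute(
            event.uuid,
            {
                'type': 'text',
                'value': internal_reference,
                'category': 'Internal reference',
                'distribution': "0"
            },
            pythonify=True,
        )
        # getattr: an error response has no ``value`` and must not raise here.
        if getattr(attribute, 'value', None) != internal_reference:
            return ""
        print("Creating Objects...")
        misp_create_objects(event, phish_artefacts)
        for misp_tag in misp_tags:
            pymisp.tag(event.uuid, misp_tag)
        pymisp.update_event(event)

    # Never try to publish an error response: publishing is only attempted
    # when the event actually exists on the server.
    if auto_publish and created:
        print("Publishing MISP Event")
        pymisp.publish(event)
    return event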
    def add_event(self):
        """Create a MISP event for the current ATD report and remember its id.

        Builds the event from ``self.query`` (the ATD report), ``self.mainfile``
        and ``self.attributes``, submits it through ``self.misp`` and stores the
        new id in ``self.evenid``.  Any exception is caught and printed rather
        than propagated.
        """
        try:
            event = MISPEvent()
            event.distribution = 0

            # ATD severity ('3'..'5') to MISP threat level (1 high .. 3 low);
            # any other non-empty severity maps to 0, an empty one leaves the
            # threat level unset.
            severity = self.query['Summary']['Verdict']['Severity']
            if severity:
                severity_to_level = (('3', 1), ('4', 2), ('5', 3))
                event.threat_level_id = next(
                    (level for code, level in severity_to_level if code == severity),
                    0)

            event.analysis = 0  # initial
            event.info = "ATD Analysis Report - {0}".format(self.mainfile)
            event.attributes = self.attributes
            # NOTE(review): a bare string is assigned where a tag list would be
            # expected — confirm this is what the server accepts.
            event.Tag = 'ATD:Report'

            event = self.misp.add_event(event, pythonify=True)
            # Attribute name kept as-is: other code may read ``evenid``.
            self.evenid = event.id
            print('SUCCESS: New MISP Event got created with ID: {}'.format(str(event.id)))

        except Exception as e:
            # Report the failing line; the frame name resolves to this method.
            _, _, exc_tb = sys.exc_info()
            print("ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}"
                  .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
                          error=str(e)))
 def submit_tf_update(misp: ExpandedPyMISP, attributes: list) -> MISPEvent:
     """Append *attributes* to today's abuse.ch event, creating it if needed.

     The event is located by its ``info`` text, built from the module-level
     ``event_info_template`` and ``info_dateformat`` with the current local
     time, searching with ``org=1``.

     Args:
         misp: Connected PyMISP client.
         attributes: Keyword-argument dicts, each expanded into
             ``MISPEvent.add_attribute``.

     Returns:
         The result of ``misp.update_event`` for the modified event.
     """
     info_text = event_info_template.format(
         datetime.now().strftime(info_dateformat))
     found = misp.search(controller='events',
                         eventinfo=info_text,
                         org=1,
                         pythonify=True)
     if not found:
         # Nothing for today yet: build one from the module-level defaults.
         fresh = MISPEvent()
         fresh.distribution = event_distribution
         fresh.threat_level_id = event_threat_level
         fresh.analysis = 2  # completed
         fresh.info = info_text
         for tag in tagging:
             fresh.add_tag(tag)
         event = misp.add_event(fresh, pythonify=True)
     else:
         event = found[0]
     for kwargs in attributes:
         event.add_attribute(**kwargs)
     # Publication is controlled by the module-level ``autopublish`` flag.
     event.published = autopublish
     return misp.update_event(event)
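 def test_sync_all_communities(self):
     '''Simple event, all communities, enable automatic push on two sub-instances'''
     event = MISPEvent()
     event.info = 'Event created on first instance - test_sync_all_communities'
     event.distribution = Distribution.all_communities
     event.add_attribute('ip-src', '1.1.1.1')
     # Bind everything the cleanup needs before the try: a failure early in
     # the body must not become a NameError in finally that hides the real
     # assertion error.
     source = self.instances[0]
     middle = self.instances[1]
     last = self.instances[2]
     middle_event = None
     last_event = None
     try:
         server = source.site_admin_connector.update_server(
             {'push': True}, source.sync_servers[0].id)
         self.assertTrue(server.push)
         middle.site_admin_connector.update_server(
             {'push': True}, middle.sync_servers[1].id
         )  # Enable automatic push to 3rd instance
         event = source.user_connector.add_event(event)
         source.org_admin_connector.publish(event)
         source.site_admin_connector.server_push(source.sync_servers[0])
         # Give the chained push (source -> middle -> last) time to land.
         time.sleep(30)
         middle_event = middle.user_connector.get_event(event.uuid)
         self.assertEqual(event.attributes[0].value,
                          middle_event.attributes[0].value)
         last_event = last.user_connector.get_event(event.uuid)
         self.assertEqual(event.attributes[0].value,
                          last_event.attributes[0].value)
     finally:
         source.org_admin_connector.delete_event(event)
         # Only delete copies that were actually fetched.
         if middle_event is not None:
             middle.site_admin_connector.delete_event(middle_event)
         if last_event is not None:
             last.site_admin_connector.delete_event(last_event)
         source.site_admin_connector.update_server(
             {'push': False}, source.sync_servers[0].id)
         middle.site_admin_connector.update_server(
             {'push': False}, middle.sync_servers[1].id)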
    def create_complex_event(self):
        """Build, without submitting, an event mixing several distribution levels.

        Four attributes and one ``file`` object are attached; the first three
        attributes and the object's first attribute get their own distribution
        and tlp tag so that filtering by distribution can be exercised.

        Returns:
            The assembled ``MISPEvent``.
        """
        event = MISPEvent()
        event.info = 'Complex Event'
        event.distribution = Distribution.all_communities
        event.add_tag('tlp:white')

        plain_attributes = (
            ('ip-src', '8.8.8.8'),
            ('ip-dst', '8.8.8.9'),
            ('domain', 'google.com'),
            ('md5', '3c656da41f4645f77e3ec3281b63dd43'),
        )
        for attribute_type, value in plain_attributes:
            event.add_attribute(attribute_type, value)

        # The fourth attribute keeps the event's distribution and no tag.
        per_attribute = (
            (Distribution.your_organisation_only, 'tlp:red'),
            (Distribution.this_community_only, 'tlp:amber'),
            (Distribution.connected_communities, 'tlp:green'),
        )
        for attribute, (level, tag) in zip(event.attributes, per_attribute):
            attribute.distribution = level
            attribute.add_tag(tag)

        file_object = MISPObject('file')
        file_object.distribution = Distribution.connected_communities
        file_object.add_attribute('filename', 'testfile')
        file_object.add_attribute('md5', '3c656da41f4645f77e3ec3281b63dd44')
        file_object.attributes[0].distribution = Distribution.your_organisation_only

        event.add_object(file_object)

        return event
def create_misp_event(misp_instance, isight_report_instance):
    """Create a MISP event for an iSight report that has none yet.

    The event is created, tagged, and then handed to ``update_misp_event``
    to fill in the report's content.

    Args:
        misp_instance: Connected PyMISP client.
        isight_report_instance: Report exposing ``publishDate`` (epoch
            seconds, may be empty), ``riskRating``, ``title``, ``reportId``
            and ``Id``.

    Returns:
        None; the result of ``update_misp_event`` is not propagated.
    """
    # Event date: the report's publication timestamp, otherwise "now".
    # NOTE(review): fromtimestamp() yields a naive local datetime while the
    # fallback is timezone-aware UTC — confirm which form MISP expects.
    if isight_report_instance.publishDate:
        event_date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate)
    else:
        event_date = datetime.datetime.now(datetime.timezone.utc)

    print('****create new event*****')
    event = MISPEvent()
    event.distribution = 1  # This community only

    # Risk rating (upper or capitalised spelling) to MISP threat level:
    # 1 High, 2 Medium, 3 Low, 4 Undefined.  CRITICAL is folded into High.
    rating = isight_report_instance.riskRating
    rating_levels = (
        (('CRITICAL', 'Critical'), 1),
        (('HIGH', 'High'), 1),
        (('MEDIUM', 'Medium'), 2),
        (('LOW', 'Low'), 3),
    )
    threat_level = 4
    for spellings, level in rating_levels:
        if rating in spellings:
            threat_level = level
            break
    event.threat_level_id = threat_level
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = event_date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    print("#######Push event to MISP server####", my_event)

    PySilo_settings.logger.debug('Created MISP event %s for iSight report %s',
                                 event, isight_report_instance.reportId)

    # Default tags applied to every event from this source.
    misp_instance.tag(my_event, 'Source:SILOBREAKER')
    misp_instance.tag(my_event, 'CTI feed: SILOBREAKER')
    misp_instance.tag(my_event, 'tlp:amber')
    misp_instance.tag(my_event, 'report id', isight_report_instance.Id)
    # Tagging derived from the report's ThreatScapes (veris:/basf: taxonomies)
    # is deliberately not enabled.

    update_misp_event(misp_instance, my_event, isight_report_instance)
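    def create_daily_event(self):
        """Create today's "Daily AIL-leaks" MISP event on ``self.pymisp``.

        The event is created unpublished, org-only, with analysis "initial"
        and threat level "low", and tagged ``infoleak:output-format="ail-daily"``.

        Returns:
            Whatever ``self.pymisp.add_event`` returns for the new event.
        """
        today = datetime.date.today()

        event = MISPEvent()
        event.distribution = 0  # [0-3]
        event.info = "Daily AIL-leaks {}".format(today)
        event.analysis = 0  # [0-2]
        # pymisp's MISPEvent exposes the threat level as ``threat_level_id``;
        # assigning to ``threat`` only created an unrelated attribute and left
        # the threat level unset.
        event.threat_level_id = 3  # [1-4]
        event.published = False

        event.add_tag('infoleak:output-format="ail-daily"')
        return self.pymisp.add_event(event)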
def create_simple_event():
    """Return a minimal unsubmitted test event with one random text attribute.

    The random uuid value keeps repeated test runs from colliding on the
    attribute value.
    """
    text_value = str(uuid.uuid4())
    simple = MISPEvent()
    simple.info = 'This is a super simple test'
    simple.distribution = Distribution.your_organisation_only
    simple.threat_level_id = ThreatLevel.low
    simple.analysis = Analysis.completed
    simple.add_attribute('text', text_value)
    return simple
 def create_simple_event(self, force_timestamps=False):
     """Return a minimal unsubmitted test event with one random text attribute.

     Args:
         force_timestamps: Forwarded to the ``MISPEvent`` constructor.
     """
     random_text = str(uuid4())
     simple = MISPEvent(force_timestamps=force_timestamps)
     simple.info = 'This is a super simple test'
     simple.distribution = Distribution.your_organisation_only
     simple.threat_level_id = ThreatLevel.low
     simple.analysis = Analysis.completed
     simple.add_attribute('text', random_text)
     return simple
    def environment(self):
        """Create the three fixture events the tests rely on.

        The first and third events are created with the admin connector, the
        second with the user connector (the user won't be able to see the
        first one).

        Returns:
            ``(first, second, third)`` as returned by the connectors'
            ``add_event``.
        """
        def new_event(info, distribution, threat_level, analysis, date_text):
            # Scaffolding shared by the three fixtures.
            evt = MISPEvent()
            evt.info = info
            evt.distribution = distribution
            evt.threat_level_id = threat_level
            evt.analysis = analysis
            evt.set_date(date_text)
            return evt

        first_event = new_event('First event - org only - low - completed',
                                Distribution.your_organisation_only,
                                ThreatLevel.low, Analysis.completed,
                                "2017-12-31")
        first_event.add_attribute('text', str(uuid4()))
        first_event.attributes[0].add_tag('admin_only')
        first_event.attributes[0].add_tag('tlp:white___test')
        first_event.add_attribute('text', str(uuid4()))
        first_event.attributes[1].add_tag('unique___test')

        second_event = new_event('Second event - org only - medium - ongoing',
                                 Distribution.your_organisation_only,
                                 ThreatLevel.medium, Analysis.ongoing,
                                 "Aug 18 2018")
        second_event.add_attribute('text', str(uuid4()))
        second_event.attributes[0].add_tag('tlp:white___test')
        second_event.add_attribute('ip-dst', '1.1.1.1')
        # Deliberately the same value as first_event's first attribute.
        second_event.add_attribute('text', first_event.attributes[0].value)

        third_event = new_event('Third event - all orgs - high - initial',
                                Distribution.all_communities,
                                ThreatLevel.high, Analysis.initial,
                                "Jun 25 2018")
        third_event.add_tag('tlp:white___test')
        third_event.add_attribute('text', str(uuid4()))
        third_event.attributes[0].add_tag('tlp:amber___test')
        third_event.attributes[0].add_tag('foo_double___test')
        third_event.add_attribute('ip-src', '8.8.8.8')
        third_event.attributes[1].add_tag('tlp:amber___test')
        third_event.add_attribute('ip-dst', '9.9.9.9')

        first = self.admin_misp_connector.add_event(first_event)
        third = self.admin_misp_connector.add_event(third_event)
        second = self.user_misp_connector.add_event(second_event)
        return first, second, third
def create_misp_event(misp_client, misp_distribution, misp_threat_level,
                      misp_analysis_level, misp_event_name):
    """Create a bare MISP event and return the client's response.

    Args:
        misp_client: Connected PyMISP client.
        misp_distribution: Value for the event's ``distribution``.
        misp_threat_level: Value for the event's ``threat_level_id``.
        misp_analysis_level: Value for the event's ``analysis``.
        misp_event_name: Value for the event's ``info``.

    Returns:
        Whatever ``misp_client.add_event`` returns.
    """
    new_event = MISPEvent()
    fields = (
        ('distribution', misp_distribution),
        ('threat_level_id', misp_threat_level),
        ('analysis', misp_analysis_level),
        ('info', misp_event_name),
    )
    for field_name, value in fields:
        setattr(new_event, field_name, value)
    return misp_client.add_event(new_event)
	def convertTEtoMISP(self, teevent):
		"""
			Convert a ThreatExchange entry to MISP entry

			Returns ``[entry_id, MISPEvent]`` for an entry worth keeping, or
			``None`` when its status scores below ``self.badness_threshold``
			or it carries no ``raw_indicator``.
		"""
		mispevt = MISPEvent()
		mispevt.info = "[Facebook ThreatExchange]"
		mispevt.distribution = 0
		# NOTE(review): MISP only honours a sharing group when distribution is 4;
		# with distribution 0 this id is set but has no effect — confirm intent.
		mispevt.sharing_group_id = self.privacy_levels[teevent["privacy_type"]]

		# Drop entries whose status scores below the badness threshold
		if "status" in teevent:
			status = teevent["status"]
			if status in self.score and self.score[status] < self.badness_threshold:
				print("IGNORE EVENT %s due to status (%s)" % (teevent, teevent["status"]))
				return None

		# An entry without an indicator yields no event at all
		if "raw_indicator" not in teevent:
			print("WARNING, event %s does not contains any indicator :(" % teevent)
			return None # don't create event without content!
		if "type" in teevent:
			te_type = teevent["type"]
			if te_type in self.type_map:
				# Backslashes are stripped wholesale from the indicator value
				indicator = teevent["raw_indicator"].replace("\\", "")
				mispevt.add_attribute(self.type_map[te_type], indicator)
			else:
				print("WARNING: TYPE %s SHOULD BE ADDED TO MAPPING" % teevent["type"])

		# NOTE(review): ``category`` is an attribute-level field in MISP; confirm
		# setting it on the event has the intended effect
		mispevt.category = "Network activity"

		# Enrich the description with the entry's text and owner
		if "description" in teevent:
			mispevt.info = mispevt.info + " - %s" % teevent["description"]
		if "owner" in teevent and "name" in teevent["owner"]:
			owner_info = teevent["owner"]
			if "email" in owner_info:
				email = owner_info["email"].replace("\\u0040", "@")
			else:
				email = ""
			mispevt.info = mispevt.info + " - by %s (%s)" % (owner_info["name"], email)

		# Sharing indicators become tags
		if "share_level" in teevent:
			share_level = teevent["share_level"]
			if share_level in self.share_levels:
				mispevt.Tag.append(self.share_levels[share_level])
			else:
				print("WARNING: SHARING LEVEL %s SHOULD BE ADDED TO MAPPING" % teevent["share_level"])
		if self.extra_tag is not None:
			mispevt.Tag.append(self.extra_tag)

		return [teevent["id"], mispevt]
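    def save(self):
        """Create or update the MISP event tracking this site's suspicious domain.

        Reads the site id from ``self.validated_data``, reuses the MISP event
        id recorded on a matching ``DnsTwisted`` row when the site has none,
        checks that the MISP instance is reachable, then either updates the
        existing event's attributes or creates a new event and stores its id
        on the ``Site`` (and matching ``DnsTwisted``) rows.

        Raises:
            AuthenticationFailed: the MISP URL failed TLS validation.
            NotFound: the MISP URL could not be reached (or timed out).
        """
        site_id = self.validated_data['id']
        site = Site.objects.get(pk=site_id)

        # Reuse the event already opened for the same domain by DnsTwisted.
        twisted_rows = DnsTwisted.objects.filter(domain_name=site.domain_name)
        if twisted_rows.exists():
            dns_twisted = twisted_rows.get()
            if site.misp_event_id is None:
                site.misp_event_id = dns_twisted.misp_event_id
                # Save the case id in database
                Site.objects.filter(pk=site.pk).update(
                    misp_event_id=dns_twisted.misp_event_id)

        # Test MISP instance connection.  Without a timeout an unresponsive
        # host would block this request handler indefinitely.
        connect_timeout = 10  # seconds
        try:
            requests.get(settings.MISP_URL,
                         verify=settings.MISP_VERIFY_SSL,
                         timeout=connect_timeout)
        except requests.exceptions.SSLError as e:
            print(str(timezone.now()) + " - ", e)
            raise AuthenticationFailed("SSL Error: " + settings.MISP_URL)
        except requests.exceptions.RequestException as e:
            print(str(timezone.now()) + " - ", e)
            raise NotFound("Not Found: " + settings.MISP_URL)

        misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY,
                                  settings.MISP_VERIFY_SSL)

        if site.misp_event_id is not None:
            # If the event already exists, then we update IOCs
            update_attributes(misp_api, site)
        else:
            # If the event does not exist, then we create it

            # Prepare MISP Event
            event = MISPEvent()
            event.distribution = 0
            event.threat_level_id = 2
            event.analysis = 0
            event.info = "Suspicious domain name " + site.domain_name
            event.tags = create_misp_tags(misp_api)

            # Create MISP Event
            print(str(timezone.now()) + " - " + 'Create MISP Event')
            print('-----------------------------')
            event = misp_api.add_event(event, pythonify=True)

            # Store Event Id in database
            Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)
            if DnsTwisted.objects.filter(domain_name=site.domain_name):
                DnsTwisted.objects.filter(domain_name=site.domain_name).update(
                    misp_event_id=event.id)

            # Create MISP Attributes
            create_attributes(misp_api, event.id, site)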
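def make_new_event(misp):
    """Create the fixed OSINT event on *misp* and return the server's copy.

    The event title comes from the module-level ``MISP_EVENT_TITLE``; no
    date is set here.

    Args:
        misp: Connected PyMISP client.

    Returns:
        The event as returned by ``misp.add_event(..., pythonify=True)``.
    """
    LOGGER.info('Creating new fixed event...')
    event = MISPEvent()
    event.info = MISP_EVENT_TITLE
    event.analysis = Analysis.completed
    event.distribution = Distribution.your_organisation_only
    event.threat_level_id = ThreatLevel.low

    event.add_tag('type:OSINT')
    event.add_tag('tlp:white')

    LOGGER.info('Saving event...')
    time.sleep(1)
    return misp.add_event(event, pythonify=True)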
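 def test_sync_community(self):
     '''Simple event, this community only, pull from member of the community'''
     event = MISPEvent()
     event.info = 'Event created on first instance - test_sync_community'
     event.distribution = Distribution.this_community_only
     event.add_attribute('ip-src', '1.1.1.1')
     # Bind the names the cleanup uses before the try: a failure before
     # get_event must not become a NameError in finally that hides it.
     source = self.instances[0]
     dest = self.instances[1]
     dest_event = None
     try:
         event = source.org_admin_connector.add_event(event)
         source.org_admin_connector.publish(event)
         dest.site_admin_connector.server_pull(dest.sync_servers[0])
         time.sleep(10)
         dest_event = dest.org_admin_connector.get_event(event.uuid)
         # The pulled copy is expected to arrive with distribution 0.
         self.assertEqual(dest_event.distribution, 0)
     finally:
         source.org_admin_connector.delete_event(event)
         if dest_event is not None:
             dest.site_admin_connector.delete_event(dest_event)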
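    def test_simple_sync(self):
        '''Test simple event, push to one server'''
        event = MISPEvent()
        event.info = 'Event created on first instance - test_simple_sync'
        event.distribution = Distribution.all_communities
        event.add_attribute('ip-src', '1.1.1.1')
        # Bind the names the cleanup uses before the try: a failure before
        # get_event must not become a NameError in finally that hides it.
        source = self.instances[0]
        dest = self.instances[1]
        dest_event = None
        try:
            event = source.org_admin_connector.add_event(event)
            source.org_admin_connector.publish(event)
            source.site_admin_connector.server_push(source.sync_servers[0], event)
            time.sleep(10)
            dest_event = dest.org_admin_connector.get_event(event.uuid)
            self.assertEqual(event.attributes[0].value, dest_event.attributes[0].value)

        finally:
            source.org_admin_connector.delete_event(event)
            if dest_event is not None:
                dest.site_admin_connector.delete_event(dest_event)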
    def _create_new_event(self, org_uuid) -> MISPEvent:
        """Create a new MISP event for *org_uuid* and return the server's copy.

        The event uuid is supplied by ``self.uuid_generator`` rather than
        assigned by the server; the creator organisation is not set yet.

        Args:
            org_uuid: Organisation identifier passed to the uuid generator.

        Returns:
            The event as returned by ``self.misp_inst.add_event(..., pythonify=True)``.
        """
        new_event = MISPEvent()
        # TODO turn on correct organization assignment
        # (candidate: self.misp_inst.get_organisation(org_uuid, pythonify=True))
        new_event.analysis = 2  # completed
        new_event.threat_level_id = 3  # low
        # TODO use a sharing group (distribution 4 plus sharing_group_id) instead
        new_event.distribution = 1
        new_event.uuid = self.uuid_generator.get_misp_event_uuid(org_uuid)

        for tag_name in ("rsit:test", "tlp:amber"):
            new_event.add_tag(tag_name)

        new_event.info = "CTI - IntelMQ feed"
        return self.misp_inst.add_event(new_event, pythonify=True)
    def inserta_misp(nombre_evento, full_tweet, fverbose):
        """Create a MISP event for one received tweet on the module-level ``misp`` client.

        Args:
            nombre_evento: Event ``info`` text; changes for every tweet received.
            full_tweet: Full tweet text, stored as a ``text`` attribute and
                handed to ``add_tweet_atributes`` for further extraction.
            fverbose: Verbosity flag passed through to ``add_tweet_atributes``.

        Returns:
            None; the created event is not returned to the caller.
        """
        new_event = MISPEvent()
        new_event.info = nombre_evento  # Required

        # Defaults; each is optional and MISP would otherwise apply its own
        # configured default.
        new_event.distribution = 0  # defaults to MISP.default_event_distribution
        new_event.threat_level_id = 2  # defaults to MISP.default_event_threat_level
        new_event.analysis = 1  # defaults to 0 (initial analysis)

        # The whole tweet goes in as a text attribute
        new_event.add_attribute('text', full_tweet)
        new_event.add_tag('tlp:white')

        add_tweet_atributes(new_event, full_tweet, fverbose)

        # Submit the event
        misp.add_event(new_event, pythonify=True)
def make_new_event(misp):
    """Create today's fixed OSINT event on *misp*.

    The title is ``MISP_EVENT_TITLE`` followed by today's date (YYYY-MM-DD).

    Args:
        misp: Connected PyMISP client.

    Returns:
        The created event (``pythonify=True``), or ``False`` when
        ``misp.add_event`` raised; the error is logged.
    """
    LOGGER.info('Creating new fixed event...')
    day_stamp = datetime.now().strftime('%Y-%m-%d')

    new_event = MISPEvent()
    new_event.info = '{0} {1}'.format(MISP_EVENT_TITLE, day_stamp)
    new_event.analysis = Analysis.completed
    new_event.distribution = Distribution.your_organisation_only
    new_event.threat_level_id = ThreatLevel.low

    for tag_name in ('type:OSINT', 'tlp:white'):
        new_event.add_tag(tag_name)

    LOGGER.info('Saving event...')
    time.sleep(1)

    try:
        return misp.add_event(new_event, pythonify=True)
    except Exception as ex:
        # Failure is reported to the caller as False rather than raised.
        LOGGER.error('Failed to make MISP event: {0}'.format(str(ex)))
        return False
def createEvent(eventName):
    """Create a MISP event named *eventName* and emit it as a Maltego entity.

    Event metadata comes from the module-level ``MISP_ANALYSIS``,
    ``MISP_DISTRIBUTION``, ``MISP_THREAT`` and ``MISP_EVENT_PUBLISH``; the
    module-level ``misp`` client and ``BASE_URL`` are used for creation and
    the event link.  Output goes through ``returnSuccess``; nothing is returned.
    """
    transform = MaltegoTransform()
    transform.addUIMessage("[Info] Creating event with the name %s" % eventName)

    new_event = MISPEvent()
    new_event.analysis = MISP_ANALYSIS
    new_event.date = datetime.now()
    new_event.distribution = MISP_DISTRIBUTION
    new_event.info = eventName
    new_event.threat_level_id = MISP_THREAT
    new_event.published = MISP_EVENT_PUBLISH

    # Raw (non-pythonified) response: the event data sits under 'Event'.
    created = misp.add_event(new_event)
    details = created['Event']
    eid = details['id']
    einfo = details['info']
    eorgc = details['orgc_id']

    entity = MaltegoEntity('maltego.MISPEvent', eid)
    entity.addAdditionalFields('EventLink', 'EventLink', False,
                               BASE_URL + '/events/view/' + eid)
    entity.addAdditionalFields('Org', 'Org', False, eorgc)
    entity.addAdditionalFields('notes', 'notes', False, eorgc + ": " + einfo)
    transform.addEntityToMessage(entity)
    returnSuccess("event", eid, None, transform)
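    def create_full_event(
            self,
            info,
            distribution: MISPDistribution = MISPDistribution.ORGANIZATION,
            threat_level: MISPThreatLevel = MISPThreatLevel.MEDIUM,
            analysis: MISPAnalysis = MISPAnalysis.INITIAL,
            attributes: list = None,
            tags: list = None):
        """Create a MISP event with the given metadata, attributes and tags.

        Args:
            info: Event ``info`` text.
            distribution: Enum whose ``.value`` becomes the distribution.
            threat_level: Enum whose ``.value`` becomes the threat level id.
            analysis: Enum whose ``.value`` becomes the analysis level.
            attributes: Attributes to attach, or None for none.
            tags: Tags to attach, or None for none.

        Returns:
            The response of ``self.misp_api.add_event``.
        """
        new_event = MISPEvent()
        new_event.distribution = distribution.value
        new_event.threat_level_id = threat_level.value
        new_event.analysis = analysis.value
        new_event.info = info
        # Attach the caller's attributes and tags instead of resetting the
        # lists to empty, which silently dropped them.
        # NOTE(review): assumes the entries are MISPAttribute / MISPTag
        # objects as the MISPEvent setters expect — confirm with callers.
        if attributes is not None:
            new_event.attributes = list(attributes)
        if tags is not None:
            new_event.tags = list(tags)

        event = self.misp_api.add_event(new_event)

        # Result deliberately unused; kept so the call still happens.
        self.misp_api.get_all_tags()

        print(event.to_json())
        return event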
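    def run(self, results):
        """Run analysis.
        @return: MISP results dict.

        Pushes the indicators of one analysis (hashes, network, dropped
        files, optionally the sample itself, mutexes and registry keys) into
        a MISP event, reusing an existing event when the sample's sha256 is
        already known to the instance.  Errors are logged, not raised.
        """

        url = self.options.get("url", "")
        apikey = self.options.get("apikey", "")

        if not url or not apikey:
            log.error("MISP URL or API key not configured.")
            return

        # NOTE(review): the third positional argument disables TLS certificate
        # verification for every request carrying the API key; this should be
        # driven by configuration and default to verifying.
        self.misp = PyMISP(url, apikey, False, "json")

        self.threads = self.options.get("threads", "")
        if not self.threads:
            self.threads = 5

        self.iocs = deque()
        self.misper = dict()

        try:
            if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
                distribution = int(self.options.get("distribution", 0))
                threat_level_id = int(self.options.get("threat_level_id", 4))
                analysis = int(self.options.get("analysis", 0))
                tag = self.options.get("tag") or "CAPEv2"
                info = self.options.get("title", "")
                upload_sample = self.options.get("upload_sample")

                malfamily = ""
                if results.get("detections", ""):
                    malfamily = results["detections"]

                # Reuse the event that already holds this sample's sha256, if any.
                response = self.misp.search("attributes", value=results["target"]["file"]["sha256"], return_format="json", pythonify=True)
                if response:
                    event = self.misp.get_event(response[0].event_id, pythonify=True)
                else:
                    event = MISPEvent()
                    event.distribution = distribution
                    event.threat_level_id = threat_level_id
                    event.analysis = analysis
                    event.info = "{} {} - {}".format(info, malfamily, results.get("info", {}).get("id"))
                    event = self.misp.add_event(event, pythonify=True)

                # Add a specific tag to flag Cuckoo's event
                if tag:
                    self.misp.tag(event, tag)

                # malpedia galaxy
                if malpedia_json:
                    self.malpedia(results, event, malfamily)

                # ToDo?
                self.signature(results, event)

                self.sample_hashes(results, event)
                self.all_network(results, event)
                self.dropped_files(results, event)

                if upload_sample:
                    target = results.get("target", {})
                    sample_info = target.get("file", {})
                    if target.get("category") == "file" and sample_info:
                        # Keep the metadata dict and the open file handle under
                        # different names: rebinding the dict's name to the
                        # handle made the basename() lookup below index a file
                        # object and raise TypeError.
                        with open(sample_info["path"], "rb") as sample_file:
                            event.add_attribute(
                                "malware-sample",
                                value=os.path.basename(sample_info["path"]),
                                data=BytesIO(sample_file.read()),
                                expand="binary",
                                comment="Sample run",
                            )

                if results.get("target", {}).get("url", "") and results["target"]["url"] not in whitelist:
                    event.add_attribute("url", results["target"]["url"])

                # Suricata extracted-file hashes (the former ids_files option)
                # are no longer uploaded here; that handling was outdated.

                if self.options.get("mutexes", False) and "behavior" in results and "summary" in results["behavior"]:
                    if "mutexes" in results.get("behavior", {}).get("summary", {}):
                        for mutex in results["behavior"]["summary"]["mutexes"]:
                            if mutex not in whitelist:
                                event.add_attribute("mutex", mutex)

                if self.options.get("registry", False) and "behavior" in results and "summary" in results["behavior"]:
                    if "read_keys" in results["behavior"].get("summary", {}):
                        for regkey in results["behavior"]["summary"]["read_keys"]:
                            event.add_attribute("regkey", regkey)

                event.run_expansions()
                self.misp.update_event(event)

                # Publishing defaults to on: every processed analysis reaches
                # the event's sharing audience unless "published" is set to
                # False in the options.
                if self.options.get("published", True):
                    self.misp.publish(event)

        except Exception as e:
            log.error("Failed to generate JSON report: %s" % e, exc_info=True)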
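    def save(self):
        """Create or update the MISP event for the twisted domain behind an alert.

        Resolves the alert's ``DnsTwisted`` row, borrows (or temporarily
        creates) a ``Site`` for the same domain to obtain its IOCs, checks
        that the MISP instance is reachable, then either updates the existing
        event's attributes or creates a new event and stores its id on the
        ``DnsTwisted`` (and matching ``Site``) rows.

        Raises:
            AuthenticationFailed: the MISP URL failed TLS validation.
            NotFound: the MISP URL could not be reached (or timed out).
        """
        alert_id = self.validated_data['id']
        alert = Alert.objects.get(pk=alert_id)

        dns_twisted = DnsTwisted.objects.get(pk=alert.dns_twisted.pk)

        # Getting IOCs related to the new twisted domain
        if Site.objects.filter(domain_name=dns_twisted.domain_name):
            already_in_monitoring = True
            site = Site.objects.get(domain_name=dns_twisted.domain_name)
            # Store Event Id in database
            DnsTwisted.objects.filter(pk=dns_twisted.pk).update(misp_event_id=site.misp_event_id)
        else:
            already_in_monitoring = False
            # rtir=-999999999 marks the row as a temporary monitoring entry
            site = Site.objects.create(domain_name=dns_twisted.domain_name, rtir=-999999999)
            monitoring_init(site)

        site = Site.objects.get(pk=site.pk)

        # We now have the IOCs related to the domain, so the temporary row
        # can be removed from monitoring (the in-memory ``site`` is kept).
        if not already_in_monitoring:
            Site.objects.filter(pk=site.pk).delete()

        if site.misp_event_id is None:
            site.misp_event_id = dns_twisted.misp_event_id

        # Test MISP instance connection.  Without a timeout an unresponsive
        # host would block this request handler indefinitely.
        connect_timeout = 10  # seconds
        try:
            requests.get(settings.MISP_URL,
                         verify=settings.MISP_VERIFY_SSL,
                         timeout=connect_timeout)
        except requests.exceptions.SSLError as e:
            print(str(timezone.now()) + " - ", e)
            raise AuthenticationFailed("SSL Error: " + settings.MISP_URL)
        except requests.exceptions.RequestException as e:
            print(str(timezone.now()) + " - ", e)
            raise NotFound("Not Found: " + settings.MISP_URL)

        misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY, settings.MISP_VERIFY_SSL)

        if site.misp_event_id is not None:
            # If the event already exists, then we update IOCs
            update_attributes(misp_api, site)
        else:
            # If the event does not exist, then we create it

            # Prepare MISP Event
            event = MISPEvent()
            event.distribution = 0
            event.threat_level_id = 2
            event.analysis = 0
            event.info = "Suspicious domain name " + site.domain_name
            event.tags = create_misp_tags(misp_api)

            # Create MISP Event
            print(str(timezone.now()) + " - " + 'Create MISP Event')
            print('-----------------------------')
            event = misp_api.add_event(event, pythonify=True)

            # Store Event Id in database
            DnsTwisted.objects.filter(pk=dns_twisted.pk).update(misp_event_id=event.id)
            if Site.objects.filter(domain_name=dns_twisted.domain_name):
                Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)

            # Create MISP Attributes
            create_attributes(misp_api, event.id, site)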
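    def misp_add_event(self, query):
        """Build a ``MISPEvent`` from a McAfee ATD sandbox analysis report.

        Args:
            query: Parsed ATD report (dict-like). ``query['Summary']`` is read
                for the subject file, verdict, sandbox/destination IPs and the
                optional ``Processes``/``Files``/``Urls``/``Ips``/``Stats``/
                ``Behavior`` lists.

        Returns:
            The populated ``MISPEvent``. It is not submitted here; the calling
            routine sends it to the MISP instance.

        Raises:
            KeyError: when ``Summary`` or one of its mandatory entries
                (``Subject``, ``Verdict``, ``ATD IP``, ``Dst IP``, ``TaskId``)
                is missing. The list sections are optional and are skipped
                when absent or malformed.
        """
        summary = query['Summary']
        mainfile = summary['Subject']['Name']
        # Distribution (e.g. organisation only) comes from the parameters.
        distribution = self.parameters.misp_distribution
        # Threat level is derived from the ATD severity verdict.
        threat_level_id = summary['Verdict']['Severity']
        # Analysis status: 2 = completed.
        analysis_status = 2

        # Create the event object in MISP.
        misp_event = MISPEvent()
        misp_event.info = "McAfee ATD Sandbox Analysis Report - " + mainfile
        misp_event.distribution = distribution
        misp_event.threat_level_id = atd_to_misp_confidence(threat_level_id)
        misp_event.analysis = analysis_status

        def add_if_present(attr_type, value):
            # ATD leaves fields empty when it has nothing to report; only
            # non-empty values become attributes.
            if value:
                self.misp_add_attribute(misp_event, attr_type, value)

        # Main information from the report summary. f-strings avoid a
        # TypeError when ATD returns a number (e.g. the size) instead of text.
        atdip = summary['ATD IP']
        if atdip:
            self.misp_add_attribute(misp_event, "comment", f"ATD IP {atdip}")
        add_if_present("ip-dst", summary['Dst IP'])
        taskid = summary['TaskId']
        if taskid:
            self.misp_add_attribute(misp_event, "comment", f"ATD TaskID: {taskid}")
        size = summary['Subject']['size']
        if size:
            self.misp_add_attribute(misp_event, "comment", f"File size is {size}")
        add_if_present("comment", summary['Verdict']['Description'])

        # Add the analysed sample as a file object.
        self.misp_add_fileObject(
            misp_event, mainfile,
            summary['Subject']['md5'],
            summary['Subject']['sha-1'],
            summary['Subject']['sha-256'],
        )

        # The remaining sections are optional. A missing or malformed section
        # (absent key, None instead of a list, non-dict entry) is skipped so
        # that one incomplete section does not discard the whole report; any
        # other exception propagates instead of being hidden.

        # Process information.
        try:
            for process in summary['Processes']:
                add_if_present("filename", process['Name'])
                add_if_present("md5", process['Md5'])
                add_if_present("sha1", process['Sha1'])
                add_if_present("sha256", process['Sha256'])
        except (KeyError, TypeError):
            pass

        # Dropped/observed files, each as a file object.
        try:
            for files in summary['Files']:
                self.misp_add_fileObject(
                    misp_event, files['Name'], files['Md5'], files['Sha1'], files['Sha256']
                )
        except (KeyError, TypeError):
            pass

        # URL information.
        try:
            for url in summary['Urls']:
                add_if_present("url", url['Url'])
        except (KeyError, TypeError):
            pass

        # IP information.
        try:
            for ips in summary['Ips']:
                ipv4 = ips['Ipv4']
                port = ips['Port']
                add_if_present("ip-dst", ipv4)
                if port:
                    # NOTE(review): kept as the original "url" attribute type
                    # for an ip:port pair; MISP's ip-dst|port type may fit better.
                    self.misp_add_attribute(misp_event, "url", f"{ipv4}:{port}")
        except (KeyError, TypeError):
            pass

        # Stats information (category names as comments).
        try:
            for stats in summary['Stats']:
                add_if_present("comment", stats['Category'])
        except (KeyError, TypeError):
            pass

        # Behaviour information (analysis text as comments).
        try:
            for behave in summary['Behavior']:
                add_if_present("comment", behave['Analysis'])
        except (KeyError, TypeError):
            pass

        # Confidence level from ATD, TLP and origin tags.
        self.misp_add_tag(misp_event, str(atd_to_veris_confidence(threat_level_id)))
        self.misp_add_tag(misp_event, "tlp:amber")
        self.misp_add_tag(misp_event, "McAfee ATD Analysis")
        self.misp_add_tag(misp_event, "cssa:origin=\"sandbox\"")
        self.misp_add_tag(misp_event, "cssa:sharing-class=\"unvetted\"")

        # Submission to the MISP instance is done by the calling routine.
        return misp_event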
        "The distribution setting used for the attributes and for the newly created event, if relevant. [0-3]."
    )
    parser.add_argument(
        "-i",
        "--info",
        help="Used to populate the event info field if no event ID supplied.")
    parser.add_argument(
        "-a",
        "--analysis",
        type=int,
        help=
        "The analysis level of the newly created event, if applicable. [0-2]")
    parser.add_argument(
        "-t",
        "--threat",
        type=int,
        help=
        "The threat level ID of the newly created event, if applicable. [1-4]")
    args = parser.parse_args()

    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

    event = MISPEvent()
    event.distribution = args.distrib
    event.threat_level_id = args.threat
    event.analysis = args.analysis
    event.info = args.info

    event = misp.add_event(event, pythonify=True)
    print(event)
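headers = {'Authorization': "Basic " + proofpoint_key}

# A request without a timeout can block this script forever if the API
# stalls; bound the wait. 30 s is an arbitrary upper bound for one call.
responseVap = requests.get(urlVap, headers=headers, timeout=30)
# Fail on HTTP errors instead of feeding an error body into the event loop.
responseVap.raise_for_status()

# Decode with the response's own JSON decoder (honours the declared encoding).
jsonDataVap = responseVap.json()

for alert in jsonDataVap["users"]:
    # Creator organisation of the event (placeholders to fill in).
    orgc = MISPOrganisation()
    orgc.name = 'Proofpoint'
    orgc.id = '#{ORGC.ID}'  # organisation id
    orgc.uuid = '#{ORGC.UUID}'  # organisation uuid
    # initialize and set MISPEvent()
    event = MISPEvent()
    event.Orgc = orgc
    event.info = 'Very Attacked Person ' + jsonDataVap["interval"]
    event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
    event.threat_level_id = 2  # setting this to 0 breaks the integration
    event.analysis = 0  # Optional, defaults to 0 (initial analysis)

    # Report-level counters, stored as counter attributes on the event.
    totalVapUsers = event.add_attribute('counter',
                                        jsonDataVap["totalVapUsers"],
                                        comment="Total VAP Users")

    averageAttackIndex = event.add_attribute('counter',
                                             jsonDataVap["averageAttackIndex"],
                                             comment="Average Attack Count")

    vapAttackIndexThreshold = event.add_attribute(
        'counter',
        jsonDataVap["vapAttackIndexThreshold"],
        comment="Attack Threshold")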
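def create_misp_event(misp_instance, isight_report_instance, event_tags):
    """Create a new MISP event for an iSight report that has none yet.

    Args:
        misp_instance: PyMISP API object used to create the event, tag it
            and add attributes.
        isight_report_instance: iSight report; its ``publishDate``,
            ``riskRating``, ``title``, ``reportId``, ``webLink`` and
            ``ThreatScape`` fields are read.
        event_tags: iterable of tag names applied to the new event; may be
            empty or None.

    Side effects:
        Appends the new event's ID to the module-level ``new_events`` list
        and calls ``update_misp_event`` to add the report-specific
        attributes.
    """
    global new_events

    # Event date: the report's publication time, or "now" if iSight gives
    # none. Both branches are UTC-aware so the two never disagree by a day
    # because of the local timezone.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, tz=datetime.timezone.utc)
    else:
        date = datetime.datetime.now(datetime.timezone.utc)

    # Create a MISP event from the FireEye iSight report.
    event = MISPEvent()
    event.distribution = 1  # This community only
    # MISP threat level: 1 = High, 2 = Medium, 3 = Low, 4 = Unknown.
    # Critical is mapped to High because MISP has no higher level.
    risk_to_threat_level = {'CRITICAL': 1, 'HIGH': 1, 'MEDIUM': 2, 'LOW': 3}
    risk = str(isight_report_instance.riskRating or '').upper()
    event.threat_level_id = risk_to_threat_level.get(risk, 4)
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    PySight_settings.logger.debug('Created MISP event %s for iSight report %s',
                                  event, isight_report_instance.reportId)
    # Add the event ID to the global list of newly created events.
    new_events.append(my_event['id'])

    # Add default tags to the event.
    for event_tag in event_tags or ():
        misp_instance.tag(my_event, event_tag)

    # Use some iSight ThreatScapes for event tagging. Reports can have
    # multiple ThreatScapes, so every matching tag is applied, in this order.
    # VERIS distinguishes between external, internal or partner actors; this
    # difference is not yet implemented in MISP, so espionage gets the
    # actor-neutral tag.
    threatscape_tags = (
        ('Cyber Espionage', 'veris:actor:motive="Espionage"'),
        ('Hacktivism', 'veris:actor:external:variety="Activist"'),
        ('Critical Infrastructure', 'basf:technology="OT"'),
        ('Cyber Physical', 'basf:technology="OT"'),
        ('Cyber Crime', 'veris:actor:external:variety="Organized crime"'),
    )
    threatscape = isight_report_instance.ThreatScape or ''
    for scape, tag in threatscape_tags:
        if scape in threatscape:
            misp_instance.tag(my_event, tag)

    def add_attribute(attribute):
        # Report metadata is descriptive, so it is never flagged for IDS export.
        misp_instance.add_attribute(my_event, attribute, pythonify=True)

    # Add the iSight report ID and web link as attributes.
    if isight_report_instance.reportId:
        add_attribute({
            'category': 'External analysis',
            'type': 'text',
            'to_ids': False,
            'value': isight_report_instance.reportId
        })
    if isight_report_instance.webLink:
        add_attribute({
            'category': 'External analysis',
            'type': 'link',
            'to_ids': False,
            'value': isight_report_instance.webLink
        })

    # Put the ThreatScape into an Attribution attribute, but disable correlation.
    if isight_report_instance.ThreatScape:
        add_attribute({
            'category': 'Attribution',
            'type': 'text',
            'to_ids': False,
            'value': isight_report_instance.ThreatScape,
            'disable_correlation': True
        })

    # Add specific attributes from this iSight report.
    update_misp_event(misp_instance, my_event, isight_report_instance)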
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from pymisp import ExpandedPyMISP, MISPEvent
from pymisp import MISPObject
from keys import misp_url, misp_key, misp_verifycert
from datetime import date

# Connect to the MISP instance configured in keys.py.
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

# Describe the event: title, sharing scope, severity and analysis state.
event = MISPEvent()
event.info = 'IoT malware'  # Event Title
event.distribution = 1  # 0 = Your Organisation Only, 1 = Community
event.threat_level_id = 2  # 1 = High, 2 = Medium, 3 = Low
event.analysis = 2  # 0 (initial analysis), 1 (On-Going), 2 (Complete)

# Classification and sharing tags.
for tag in ('malware_classification:malware-category="Botnet"', 'tlp:amber'):
    event.add_tag(tag)

# Event date is today.
d = date.today()
event.set_date(d)

# Example URL indicator; correlation stays enabled, not flagged for IDS export.
attribute_second = event.add_attribute(
    'url',
    'http://1.2.3.4/example',
    disable_correlation=False,
    comment="Botnet example text",
    to_ids=False,
)

# Create the event on the server and get the server-side object back.
event = misp.add_event(event, pythonify=True)

# Publish event
def create_event(misp):
    """Return a fresh, unsubmitted ``MISPEvent`` with fixed default settings.

    ``misp`` is accepted for interface compatibility only; the event is not
    sent to the server here.
    """
    new_event = MISPEvent()
    # distribution 0, threat level 1 (high), analysis 0 (initial)
    defaults = (('distribution', 0), ('threat_level_id', 1), ('analysis', 0))
    for attr, value in defaults:
        setattr(new_event, attr, value)
    return new_event
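    def misp_send(self, strMISPEventID, strInput, strInfo, strUsername):
        """Turn a block of indicator text into MISP objects, then create and publish an event.

        Args:
            strMISPEventID: accepted for interface compatibility; not used
                here (a new event is always created).
            strInput: multi-line text of ``key: value`` indicator lines
                (``domain:``, ``ip:``/``ip-dst:``/``ip-src:``, ``url:``,
                ``from:``/``source-email:``, ``subject:``,
                ``md5:``/``sha1:``/``sha256:``, ``hash|filename:``) plus the
                comment and tag section understood by ``get_comm_and_tags``.
            strInfo: title of the new event (``MISPEvent.info``).
            strUsername: submitter, used in log messages only.

        Returns:
            ``None`` when no tags were found in ``strInput``; otherwise a
            status string: the created event ID (plus related event IDs) or
            an error description. Failures are reported in the return value
            rather than raised.
        """
        try:
            objects = []
            # Get the comment and tags from the string input.
            str_comment, tags = self.get_comm_and_tags(strInput)
            print(tags)
            if tags is None:
                self.misp_logger.info('Irate not in Tags: %s equals None' % tags)
                return None

            # MISP objects collected from the input: one shared email and file
            # object, and one object per line for domains, IPs, URLs and
            # hash|filename pairs.
            mispobj_email = MISPObject(name="email")
            mispobj_file = MISPObject(name="file")
            mispobj_files = {}
            mispobj_urls = {}
            url_no = 0
            file_no = 0

            lines = strInput.splitlines()
            # IPs are attached to a domain-ip object when the input also
            # carries a domain line, otherwise to a network-connection object.
            has_domain_line = any("domain:" in l.lower() for l in lines)

            def value_of(line):
                # Text after the first ':' of a "key: value" line, trimmed.
                return line.split(":", 1)[1].strip()

            # Hash type recognised by hex length; all three accept either case.
            hash_patterns = (
                ("md5", r"\b[a-fA-F\d]{32}\b"),
                ("sha1", r"\b[0-9a-fA-F]{40}\b"),
                ("sha256", r"\b[A-Fa-f0-9]{64}\b"),
            )

            for line in lines:
                lower = line.lower()
                if "domain:" in lower:
                    # Domain: its own domain-ip object.
                    mispobj_domainip = MISPObject(name="domain-ip")
                    mispobj_domainip.add_attribute("domain",
                                                   value=value_of(line),
                                                   comment=str_comment)
                    objects.append(mispobj_domainip)
                elif ("ip:" in lower) or ("ip-dst:" in lower) or ("ip-src:" in lower):
                    if has_domain_line:
                        mispobj_domainip = MISPObject(name="domain-ip")
                        mispobj_domainip.add_attribute("ip",
                                                       value=value_of(line),
                                                       comment=str_comment)
                        objects.append(mispobj_domainip)
                    else:
                        mispobj_network_connection = MISPObject(name="network-connection")
                        # A bare "ip:" is treated as a destination address.
                        direction = "ip-dst" if ("ip:" in lower) or ("ip-dst:" in lower) else "ip-src"
                        mispobj_network_connection.add_attribute(direction,
                                                                 type=direction,
                                                                 value=value_of(line),
                                                                 comment=str_comment)
                        objects.append(mispobj_network_connection)
                elif ("source-email:" in lower) or ("email-source" in lower) or ("from:" in lower):
                    # Sender goes into the shared email object.
                    mispobj_email.add_attribute("from",
                                                value=value_of(line),
                                                comment=str_comment)
                elif ("url:" in lower) or (
                        ('kit:' in lower or 'creds:' in lower)
                        and ('hxxp' in lower or 'http' in lower)):
                    # URL (also kit:/creds: lines that carry a URL): the value
                    # is passed through refang() before parsing.
                    url = refang(value_of(line))
                    parsed = urlparse(url)
                    mispobj_url = MISPObject(name="url")
                    mispobj_url.add_attribute("url",
                                              value=parsed.geturl(),
                                              category="Payload delivery",
                                              comment=str_comment)
                    if parsed.hostname:
                        mispobj_url.add_attribute("host",
                                                  value=parsed.hostname,
                                                  comment=str_comment)
                    if parsed.scheme:
                        mispobj_url.add_attribute("scheme",
                                                  value=parsed.scheme,
                                                  comment=str_comment)
                    if parsed.port:
                        mispobj_url.add_attribute("port",
                                                  value=parsed.port,
                                                  comment=str_comment)
                    mispobj_urls[url_no] = mispobj_url
                    url_no += 1
                # Bare hashes go into the shared file object.
                elif "sha1:" in lower:
                    mispobj_file.add_attribute("sha1",
                                               value=value_of(line),
                                               comment=str_comment)
                elif "sha256:" in lower:
                    mispobj_file.add_attribute("sha256",
                                               value=value_of(line),
                                               comment=str_comment)
                elif "md5:" in lower:
                    mispobj_file.add_attribute("md5",
                                               value=value_of(line),
                                               comment=str_comment)
                elif "subject:" in lower:
                    self.misp_logger.info('adding subject')
                    mispobj_email.add_attribute("subject",
                                                value=value_of(line),
                                                comment=str_comment)
                elif "hash|filename:" in lower:
                    # hash|filename pair: a new file object per line, with the
                    # hash attribute type chosen from the hash length.
                    val = line.split(":", 1)[1].split("|")
                    l_hash = val[0].strip()
                    l_filename = val[1].strip()
                    for hash_type, pattern in hash_patterns:
                        if re.search(pattern, l_hash):
                            l_mispobj_file = MISPObject(name="file")
                            l_mispobj_file.add_attribute(hash_type,
                                                         value=l_hash,
                                                         comment=str_comment)
                            l_mispobj_file.add_attribute("filename",
                                                         value=l_filename,
                                                         comment=str_comment)
                            mispobj_files[file_no] = l_mispobj_file
                            break
                    file_no += 1

            # Collect every non-empty object so they are submitted to the MISP
            # server in one go.
            if mispobj_file.attributes:
                objects.append(mispobj_file)
            if mispobj_email.attributes:
                objects.append(mispobj_email)
            objects.extend(u for u in mispobj_urls.values() if u.attributes)
            objects.extend(f for f in mispobj_files.values() if f.attributes)

        except Exception:
            # Parsing problems are reported back to the caller, not raised.
            error = traceback.format_exc()
            response = "Error occured when converting string to misp objects:\n %s" % error
            self.misp_logger.error(response)
            return response

        if not self.check_object_length(objects):
            self.misp_logger.error(
                'Input from %s did not contain accepted tags.\n Input: \n%s' %
                (strUsername, strInput))
            return "Error in the tags you entered. Please see the guide for accepted tags."

        try:
            # Event shell: organisation-only distribution, analysis completed,
            # low threat level.
            misp_event = MISPEvent()
            misp_event.info = strInfo
            misp_event.distribution = 0
            misp_event.analysis = 2
            misp_event.threat_level_id = 3
            add = self.misp.add_event(misp_event)
            self.misp_logger.info("Added event %s" % add)
            # Attach the parsed objects, tag and publish (without alert mail).
            self.submit_to_misp(self.misp, misp_event, objects)
            for tag in tags:
                self.misp.tag(misp_event.uuid, tag)
            ccc = self.misp.publish(misp_event, alert=False)
            self.misp_logger.info(ccc)
            # Re-read the event to report its ID and any related events.
            response = self.misp.get_event(misp_event)
            if 'errors' in response and response['errors'] is not None:
                return "Submission error: " + repr(response['errors'])
            created = "Created ID: " + str(response['Event']['id'])
            related = response['Event']['RelatedEvent']
            if related:
                e_related = ", ".join(each['Event']['id'] for each in related)
                return created + "\nRelated Events: " + e_related
            return created

        except Exception:
            # Submission problems are reported back to the caller, not raised.
            error = traceback.format_exc()
            response = "Error occured when submitting to misp:\n %s" % error
            self.misp_logger.error(response)
            return response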