def do_transform(self, request, response, config):
maltego_misp_event = request.entity
# print(dir(maltego_misp_event))
misp = get_misp_connection(config)
event_json = misp.get_event(
maltego_misp_event.id) # FIXME get it without attachments
# print(json.dumps(event_json, sort_keys=True, indent=4))
if not event_json.get('Event'):
return response
for e in event_json['Event']['RelatedEvent']:
response += event_to_entity(e)
for a in event_json['Event']["Attribute"]:
for entity in attribute_to_entity(a):
if entity:
response += entity
for o in event_json['Event']['Object']:
# LATER unfortunately we cannot automatically expand the objects
response += object_to_entity(o)
for g in event_json['Event']['Galaxy']:
for c in g['GalaxyCluster']:
response += galaxycluster_to_entity(c)
if 'Tag' in event_json['Event']:
for t in event_json['Event']['Tag']:
# ignore all misp-galaxies
if t['name'].startswith('misp-galaxy'):
continue
response += Hashtag(t['name'])
return response
def do_transform(self, request, response, config):
maltego_misp_event = request.entity
misp = get_misp_connection(config)
event_json = misp.get_event(maltego_misp_event.id) # FIXME get it without attachments # FIXME use search + includeAttachments:0, eventid: as request body
if not event_json.get('Event'):
return response
response += event_to_entity(event_json)
event_tags = []
if 'Tag' in event_json['Event']:
for t in event_json['Event']['Tag']:
event_tags.append(t['name'])
# ignore all misp-galaxies
if t['name'].startswith('misp-galaxy'):
continue
# ignore all those we add as notes
if tag_matches_note_prefix(t['name']):
continue
response += Hashtag(t['name'])
for g in event_json['Event']['Galaxy']:
for c in g['GalaxyCluster']:
response += galaxycluster_to_entity(c)
# for e in event_json['Event']['RelatedEvent']:
# response += event_to_entity(e, link_style=LinkStyle.DashDot)
for a in event_json['Event']["Attribute"]:
for entity in attribute_to_entity(a, event_tags=event_tags):
if entity:
response += entity
for o in event_json['Event']['Object']:
# LATER unfortunately we cannot automatically expand the objects
response += object_to_entity(o)
return response
def attribute_to_entity(a, link_label=None, event_tags=[], only_self=False):
# prepare some attributes to a better form
a['data'] = None # empty the file content as we really don't need this here
if a['type'] == 'malware-sample':
a['type'] = 'filename|md5'
if a['type'] == 'regkey|value': # LATER regkey|value => needs to be a special non-combined object
a['type'] = 'regkey'
combined_tags = event_tags
if 'Galaxy' in a and not only_self:
for g in a['Galaxy']:
for c in g['GalaxyCluster']:
yield galaxycluster_to_entity(c)
# complement the event tags with the attribute tags.
if 'Tag' in a and not only_self:
for t in a['Tag']:
combined_tags.append(t['name'])
# ignore all misp-galaxies
if t['name'].startswith('misp-galaxy'):
continue
# ignore all those we add as notes
if tag_matches_note_prefix(t['name']):
continue
yield Hashtag(t['name'], bookmark=Bookmark.Green)
notes = convert_tags_to_note(combined_tags)
# special cases
if a['type'] in ('url', 'uri'):
yield(URL(url=a['value'], short_title=a['value'], link_label=link_label, notes=notes, bookmark=Bookmark.Green))
return
# attribute is from an object, and a relation gives better understanding of the type of attribute
if a.get('object_relation') and mapping_misp_to_maltego.get(a['object_relation']):
entity_obj = mapping_misp_to_maltego[a['object_relation']][0]
yield entity_obj(a['value'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes, bookmark=Bookmark.Green)
# combined attributes
elif '|' in a['type']:
t_1, t_2 = a['type'].split('|')
v_1, v_2 = a['value'].split('|')
if t_1 in mapping_misp_to_maltego:
entity_obj = mapping_misp_to_maltego[t_1][0]
labels = [Label('comment', a.get('comment'))]
if entity_obj == File:
labels.append(Label('hash', v_2))
yield entity_obj_to_entity(entity_obj, v_1, t_1, labels=labels, link_label=link_label, notes=notes, bookmark=Bookmark.Green) # LATER change the comment to include the second part of the regkey
if t_2 in mapping_misp_to_maltego:
entity_obj = mapping_misp_to_maltego[t_2][0]
labels = [Label('comment', a.get('comment'))]
if entity_obj == Hash:
labels.append(Label('filename', v_1))
yield entity_obj_to_entity(entity_obj, v_2, t_2, labels=labels, link_label=link_label, notes=notes, bookmark=Bookmark.Green) # LATER change the comment to include the first part of the regkey
# normal attributes
elif a['type'] in mapping_misp_to_maltego:
entity_obj = mapping_misp_to_maltego[a['type']][0]
yield entity_obj_to_entity(entity_obj, a['value'], a['type'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes, bookmark=Bookmark.Green)
def gen_response_tags(self, gen_response=True):
self.event_tags = []
if 'Tag' in self.event_json['Event']:
for t in self.event_json['Event']['Tag']:
self.event_tags.append(t['name'])
# ignore all misp-galaxies
if t['name'].startswith('misp-galaxy'):
continue
# ignore all those we add as notes
if tag_matches_note_prefix(t['name']):
continue
if gen_response:
self.response += Hashtag(t['name'])
def do_transform(self, request, response, config):
tweet = request.entity
try:
_body = {
'query': {
'match': {
'id': tweet.id
}
},
'size': request.limits.hard
}
res = es.search(index="twinttweets", body=_body)
for hit in res['hits']['hits']:
tweet = hit['_source']
hashtags = tweet['hashtags']
for h in hashtags:
r = Hashtag()
r.value = h
response += r
except UnicodeEncodeError:
pass
return response
def do_transform(self, request, response, config):
maltego_misp_event = request.entity
misp = get_misp_connection(config)
event_json = misp.get_event(maltego_misp_event.id)
event_tags = []
if 'Tag' in event_json['Event']:
for t in event_json['Event']['Tag']:
event_tags.append(t['name'])
# ignore all misp-galaxies
if t['name'].startswith('misp-galaxy'):
continue
response += Hashtag(t['name'])
for g in event_json['Event']['Galaxy']:
for c in g['GalaxyCluster']:
response += galaxycluster_to_entity(c)
return response
def do_transform(self, request, response, config):
response += check_update(config)
link_label = 'Search result'
if 'properties.mispevent' in request.entity.fields:
conn = MISPConnection(config, request.parameters)
# if event_id
try:
if request.entity.value == '0':
return response
eventid = int(request.entity.value)
events_json = conn.misp.search(controller='events',
eventid=eventid,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e,
link_label=link_label,
link_direction=LinkDirection.OutputToInput)
return response
except ValueError:
pass
# if event_info string as value
events_json = conn.misp.search(controller='events',
eventinfo=request.entity.value,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e,
link_label=link_label,
link_direction=LinkDirection.OutputToInput)
return response
# From galaxy or Hashtag
if 'properties.mispgalaxy' in request.entity.fields or 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
if request.entity.value == '-':
return response
# First search in galaxies
keyword = get_entity_property(request.entity, 'Temp')
if not keyword:
keyword = request.entity.value
# assume the user is searching for a cluster based on a substring.
# Search in the list for those that match and return galaxy entities'
potential_clusters = search_galaxy_cluster(keyword)
# LATER check if duplicates are possible
if potential_clusters:
for potential_cluster in potential_clusters:
new_entity = galaxycluster_to_entity(potential_cluster,
link_label=link_label)
# LATER support the type_filter - unfortunately this is not possible, we need Canari to tell us the original entity type
if isinstance(new_entity, MISPGalaxy):
response += new_entity
# from Hashtag search also in tags
if 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
keyword = get_entity_property(request.entity, 'Temp')
if not keyword:
keyword = request.entity.value
conn = MISPConnection(config, request.parameters)
result = conn.misp.direct_call('tags/search',
{'name': keyword})
for t in result:
# skip misp-galaxies as we have processed them earlier on
if t['Tag']['name'].startswith('misp-galaxy'):
continue
# In this case we do not filter away those we add as notes, as people might want to pivot on it explicitly.
response += Hashtag(t['Tag']['name'],
link_label=link_label,
bookmark=Bookmark.Green)
return response
# for all other normal entities
conn = MISPConnection(config, request.parameters)
events_json = conn.misp.search(controller='events',
value=request.entity.value,
with_attachments=False)
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
for e in events_json:
# find the value as attribute
attr = get_attribute_in_event(e,
request.entity.value,
substring=True)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
# find the value as object, and return the object
if 'Object' in e['Event']:
for o in e['Event']['Object']:
if get_attribute_in_object(
o,
attribute_value=request.entity.value,
substring=True).get('value'):
response += conn.object_to_entity(
o, link_label=link_label)
return response
