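def misp_event_create(event_info, internal_reference, phish_artefacts):
    """Create a MISP event for a phishing case and attach its artefacts.

    Uses the module-level settings ``misp_distribution``, ``sharing_group_id``,
    ``misp_threat_level_id``, ``misp_analysis``, ``misp_tags`` and
    ``auto_publish`` together with the module-level ``pymisp`` client.

    Args:
        event_info: Text for the event's ``info`` field.
        internal_reference: Stored as an "Internal reference" text attribute
            (org-only distribution) on the new event.
        phish_artefacts: Handed unchanged to ``misp_create_objects``.

    Returns:
        The created ``MISPEvent``, or ``""`` when the event was not created
        or the internal-reference attribute did not round-trip.
    """
    event = MISPEvent()
    event.distribution = misp_distribution
    # Distribution 4 (sharing group) only makes sense together with a group id.
    if sharing_group_id >= 1 and misp_distribution == 4:
        event.sharing_group_id = sharing_group_id
    event.threat_level_id = misp_threat_level_id
    event.analysis = misp_analysis
    event.info = event_info

    event = pymisp.add_event(event, pythonify=True)
    if not hasattr(event, 'uuid'):
        # add_event did not hand back a created event (e.g. an error payload).
        # Previously this fell through and attempted to publish it anyway.
        return ""

    attribute = pymisp.add_attribute(event.uuid, {
        'type': 'text',
        'value': internal_reference,
        'category': 'Internal reference',
        'distribution': "0",
    }, pythonify=True)
    if getattr(attribute, 'value', None) != internal_reference:
        return ""

    print("Creating Objects...")
    misp_create_objects(event, phish_artefacts)
    for misp_tag in misp_tags:
        pymisp.tag(event.uuid, misp_tag)
    pymisp.update_event(event)

    if auto_publish:
        print("Publishing MISP Event")
        pymisp.publish(event)
    return event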
def add_event(self):
    """Create a MISP event from the ATD report held in ``self.query``.

    ATD severity strings '3'/'4'/'5' map to MISP threat levels 1/2/3 (any
    other non-empty value becomes 0). ``self.attributes`` is attached, the
    event is tagged ``ATD:Report`` and the new id is stored in ``self.evenid``
    (attribute name kept as callers may read it). Failures are printed, not
    raised.
    """
    # ATD severity -> MISP threat_level_id; unknown values fall back to 0.
    severity_to_threat = {'3': 1, '4': 2, '5': 3}
    try:
        event = MISPEvent()
        event.distribution = 0
        severity = self.query['Summary']['Verdict']['Severity']
        if severity:
            event.threat_level_id = severity_to_threat.get(severity, 0)
        event.analysis = 0  # initial
        event.info = "ATD Analysis Report - {0}".format(self.mainfile)
        event.attributes = self.attributes
        event.Tag = 'ATD:Report'
        event = self.misp.add_event(event, pythonify=True)
        self.evenid = event.id
        print('SUCCESS: New MISP Event got created with ID: {}'.format(str(event.id)))
    except Exception as e:
        tb = sys.exc_info()[2]
        print("ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}"
              .format(location=__name__,
                      funct_name=sys._getframe().f_code.co_name,
                      line_no=tb.tb_lineno,
                      error=str(e)))
def submit_tf_update(misp: ExpandedPyMISP, attributes: list) -> MISPEvent:
    """Create or update today's abuse.ch MISP event and append *attributes*.

    The event is located by its info string (``event_info_template`` rendered
    with today's date in ``info_dateformat``). When none is found a new event
    is created from the module-level distribution, threat level and tags.
    ``published`` is set from the module-level ``autopublish`` flag.

    Args:
        misp: Connected PyMISP client.
        attributes: Keyword-argument dicts for ``MISPEvent.add_attribute``.

    Returns:
        The event as returned by ``misp.update_event``.
    """
    today = datetime.now().strftime(info_dateformat)
    eventinfo = event_info_template.format(today)
    # logging.debug(eventinfo)
    # NOTE(review): the lookup is by info string; if several events match,
    # the first hit is reused — confirm this cannot pick a foreign event.
    matches = misp.search(controller='events', eventinfo=eventinfo, org=1, pythonify=True)
    if not matches:
        # No event for today yet: build and register a fresh one.
        fresh = MISPEvent()
        fresh.distribution = event_distribution
        fresh.threat_level_id = event_threat_level
        fresh.analysis = 2
        fresh.info = eventinfo
        for tag in tagging:
            fresh.add_tag(tag)
        event = misp.add_event(fresh, pythonify=True)
    else:
        event = matches[0]
    for att in attributes:
        event.add_attribute(**att)
    event.published = autopublish
    return misp.update_event(event)
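def test_sync_all_communities(self):
    '''Simple event, all communities, enable automatic push on two sub-instances'''
    event = MISPEvent()
    event.info = 'Event created on first instance - test_sync_all_communities'
    event.distribution = Distribution.all_communities
    event.add_attribute('ip-src', '1.1.1.1')
    # Bind everything the cleanup touches up-front: if an assertion or API
    # call fails early, ``finally`` previously raised NameError on
    # ``middle_event`` / ``last_event`` and hid the real failure.
    source = self.instances[0]
    middle = self.instances[1]
    last = self.instances[2]
    middle_event = None
    last_event = None
    try:
        server = source.site_admin_connector.update_server({'push': True}, source.sync_servers[0].id)
        self.assertTrue(server.push)
        # Enable automatic push to 3rd instance
        middle.site_admin_connector.update_server({'push': True}, middle.sync_servers[1].id)
        event = source.user_connector.add_event(event)
        source.org_admin_connector.publish(event)
        source.site_admin_connector.server_push(source.sync_servers[0])
        time.sleep(30)  # let the push chain propagate to both sub-instances
        middle_event = middle.user_connector.get_event(event.uuid)
        self.assertEqual(event.attributes[0].value, middle_event.attributes[0].value)
        last_event = last.user_connector.get_event(event.uuid)
        self.assertEqual(event.attributes[0].value, last_event.attributes[0].value)
    finally:
        source.org_admin_connector.delete_event(event)
        if middle_event is not None:
            middle.site_admin_connector.delete_event(middle_event)
        if last_event is not None:
            last.site_admin_connector.delete_event(last_event)
        source.site_admin_connector.update_server({'push': False}, source.sync_servers[0].id)
        middle.site_admin_connector.update_server({'push': False}, middle.sync_servers[1].id)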
def create_complex_event(self):
    """Build (without submitting) an event with mixed per-attribute distributions.

    Four attributes carry their own distribution overrides and TLP tags, and a
    ``file`` object with connected-communities distribution is attached, all
    under an all-communities, ``tlp:white`` event.
    """
    event = MISPEvent()
    event.info = 'Complex Event'
    event.distribution = Distribution.all_communities
    event.add_tag('tlp:white')

    # (type, value, per-attribute distribution, per-attribute tag)
    attribute_specs = [
        ('ip-src', '8.8.8.8', Distribution.your_organisation_only, 'tlp:red'),
        ('ip-dst', '8.8.8.9', Distribution.this_community_only, 'tlp:amber'),
        ('domain', 'google.com', Distribution.connected_communities, 'tlp:green'),
        ('md5', '3c656da41f4645f77e3ec3281b63dd43', None, None),
    ]
    for attr_type, value, dist, tag in attribute_specs:
        attribute = event.add_attribute(attr_type, value)
        if dist is not None:
            attribute.distribution = dist
        if tag is not None:
            attribute.add_tag(tag)

    file_obj = MISPObject('file')
    file_obj.distribution = Distribution.connected_communities
    filename_attr = file_obj.add_attribute('filename', 'testfile')
    file_obj.add_attribute('md5', '3c656da41f4645f77e3ec3281b63dd44')
    filename_attr.distribution = Distribution.your_organisation_only
    event.add_object(file_obj)
    return event
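def create_misp_event(misp_instance, isight_report_instance):
    """Create a new MISP event for an iSight report and hand it to ``update_misp_event``.

    Called when no MISP event exists yet for this report ID.

    Args:
        misp_instance: Connected PyMISP client.
        isight_report_instance: Report object exposing ``publishDate``,
            ``riskRating``, ``title``, ``reportId`` and ``Id``.
    """
    # Both branches now produce an aware UTC datetime. Previously the report
    # date was naive local time while the fallback was aware UTC, so the
    # event date could differ by a day depending on the host's timezone.
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(isight_report_instance.publishDate, datetime.timezone.utc)
    else:
        # iSight did not provide a date: use today's date.
        date = datetime.datetime.now(datetime.timezone.utc)

    # iSight risk rating -> MISP threat_level_id (1 High, 2 Medium, 3 Low, 4 Unknown).
    risk_to_threat_level = {
        'CRITICAL': 1, 'Critical': 1,
        'HIGH': 1, 'High': 1,
        'MEDIUM': 2, 'Medium': 2,
        'LOW': 3, 'Low': 3,
    }

    print('****create new event*****')
    event = MISPEvent()
    event.distribution = 1  # This community only
    event.threat_level_id = risk_to_threat_level.get(isight_report_instance.riskRating, 4)
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    print("#######Push event to MISP server####", my_event)
    PySilo_settings.logger.debug('Created MISP event %s for iSight report %s', event, isight_report_instance.reportId)

    # Add default tags to the event.
    misp_instance.tag(my_event, 'Source:SILOBREAKER')
    misp_instance.tag(my_event, 'CTI feed: SILOBREAKER')
    misp_instance.tag(my_event, 'tlp:amber')
    # NOTE(review): PyMISP's tag() signature is (entity, tag, local=False); the
    # report Id is passed in the third position and so lands in ``local``,
    # not in the tag text. Kept as-is — confirm the intended tag format.
    misp_instance.tag(my_event, 'report id', isight_report_instance.Id)

    # ThreatScape-based tagging (veris:actor:*, basf:technology="OT") is
    # currently disabled for this source.
    update_misp_event(misp_instance, my_event, isight_report_instance)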
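def create_daily_event(self):
    """Create today's "Daily AIL-leaks" MISP event.

    Returns:
        Whatever ``self.pymisp.add_event`` returns for the new event.
    """
    today = datetime.date.today()
    event = MISPEvent()
    event.distribution = 0  # [0-3]
    event.info = "Daily AIL-leaks {}".format(today)
    event.analysis = 0  # [0-2]
    # [1-4] — was assigned to ``event.threat``, which is not a MISPEvent
    # field, so the intended level never reached the server.
    event.threat_level_id = 3
    event.published = False
    event.add_tag('infoleak:output-format="ail-daily"')
    return self.pymisp.add_event(event)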
def create_simple_event():
    """Return a minimal, unsubmitted org-only event with one random text attribute."""
    simple = MISPEvent()
    simple.info = 'This is a super simple test'
    simple.distribution = Distribution.your_organisation_only
    simple.threat_level_id = ThreatLevel.low
    simple.analysis = Analysis.completed
    # A fresh UUID keeps each test event's attribute value unique.
    simple.add_attribute('text', str(uuid.uuid4()))
    return simple
def create_simple_event(self, force_timestamps=False):
    """Return a minimal, unsubmitted org-only event with one random text attribute.

    Args:
        force_timestamps: Passed through to ``MISPEvent``.
    """
    simple = MISPEvent(force_timestamps=force_timestamps)
    simple.info = 'This is a super simple test'
    simple.distribution = Distribution.your_organisation_only
    simple.threat_level_id = ThreatLevel.low
    simple.analysis = Analysis.completed
    # A fresh UUID keeps each test event's attribute value unique.
    simple.add_attribute('text', str(uuid4()))
    return simple
def environment(self):
    """Create the three fixture events used by the tests.

    Events one and three are created with the admin connector, event two
    with the user connector.

    Returns:
        ``(first, second, third)`` as returned by the ``add_event`` calls.
    """
    def new_event(info, distribution, threat_level, analysis, date):
        ev = MISPEvent()
        ev.info = info
        ev.distribution = distribution
        ev.threat_level_id = threat_level
        ev.analysis = analysis
        ev.set_date(date)
        return ev

    first_event = new_event('First event - org only - low - completed',
                            Distribution.your_organisation_only, ThreatLevel.low,
                            Analysis.completed, "2017-12-31")
    first_text = first_event.add_attribute('text', str(uuid4()))
    first_text.add_tag('admin_only')
    first_text.add_tag('tlp:white___test')
    first_event.add_attribute('text', str(uuid4())).add_tag('unique___test')

    second_event = new_event('Second event - org only - medium - ongoing',
                             Distribution.your_organisation_only, ThreatLevel.medium,
                             Analysis.ongoing, "Aug 18 2018")
    second_event.add_attribute('text', str(uuid4())).add_tag('tlp:white___test')
    second_event.add_attribute('ip-dst', '1.1.1.1')
    # Same value as in first event (correlation fixture).
    second_event.add_attribute('text', first_text.value)

    third_event = new_event('Third event - all orgs - high - initial',
                            Distribution.all_communities, ThreatLevel.high,
                            Analysis.initial, "Jun 25 2018")
    third_event.add_tag('tlp:white___test')
    third_text = third_event.add_attribute('text', str(uuid4()))
    third_text.add_tag('tlp:amber___test')
    third_text.add_tag('foo_double___test')
    third_event.add_attribute('ip-src', '8.8.8.8').add_tag('tlp:amber___test')
    third_event.add_attribute('ip-dst', '9.9.9.9')

    # First and third are created as admin (the plain user cannot see the
    # first one); the second is created as the user.
    first = self.admin_misp_connector.add_event(first_event)
    third = self.admin_misp_connector.add_event(third_event)
    second = self.user_misp_connector.add_event(second_event)
    return first, second, third
def create_misp_event(misp_client, misp_distribution, misp_threat_level, misp_analysis_level, misp_event_name):
    """Create a bare MISP event with the given header fields.

    Args:
        misp_client: PyMISP client used for ``add_event``.
        misp_distribution: Value for ``distribution``.
        misp_threat_level: Value for ``threat_level_id``.
        misp_analysis_level: Value for ``analysis``.
        misp_event_name: Value for ``info``.

    Returns:
        The raw ``add_event`` response.
    """
    new_event = MISPEvent()
    new_event.distribution = misp_distribution
    new_event.threat_level_id = misp_threat_level
    new_event.analysis = misp_analysis_level
    new_event.info = misp_event_name
    return misp_client.add_event(new_event)
def convertTEtoMISP(self, teevent):
    """Convert a ThreatExchange descriptor dict into a MISP event.

    Returns:
        ``[te_id, MISPEvent]``, or ``None`` when the entry is dropped
        (status score below ``self.badness_threshold``, or no
        ``raw_indicator`` present).
    """
    mispevt = MISPEvent()
    mispevt.info = "[Facebook ThreatExchange]"
    mispevt.distribution = 0
    mispevt.sharing_group_id = self.privacy_levels[teevent["privacy_type"]]

    # Drop entries whose status scores below the badness threshold.
    if "status" in teevent:
        status = teevent["status"]
        if status in self.score and self.score[status] < self.badness_threshold:
            print("IGNORE EVENT %s due to status (%s)" % (teevent, teevent["status"]))
            return None

    # Indicator: an event is never created without one.
    if "raw_indicator" not in teevent:
        print("WARNING, event %s does not contains any indicator :(" % teevent)
        return None
    if "type" in teevent:
        te_type = teevent["type"]
        if te_type in self.type_map:
            indicator = teevent["raw_indicator"].replace("\\", "")
            mispevt.add_attribute(self.type_map[te_type], indicator)
        else:
            # not to brutal??
            print("WARNING: TYPE %s SHOULD BE ADDED TO MAPPING" % te_type)

    # NOTE(review): ``category`` is an attribute-level field in MISP; setting
    # it on the event is kept as-is but is unlikely to have an effect.
    mispevt.category = "Network activity"

    # Enrich the info string with description and owner.
    if "description" in teevent:
        mispevt.info += " - %s" % teevent["description"]
    if "owner" in teevent and "name" in teevent["owner"]:
        owner = teevent["owner"]["name"]
        email = ""
        if "email" in teevent["owner"]:
            email = teevent["owner"]["email"].replace("\\u0040", "@")
        mispevt.info += " - by %s (%s)" % (owner, email)

    # Sharing indicators (tags).
    if "share_level" in teevent:
        share_level = teevent["share_level"]
        if share_level in self.share_levels:
            mispevt.Tag.append(self.share_levels[share_level])
        else:
            print("WARNING: SHARING LEVEL %s SHOULD BE ADDED TO MAPPING" % share_level)
    if self.extra_tag is not None:
        mispevt.Tag.append(self.extra_tag)

    return [teevent["id"], mispevt]
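def save(self):
    """Create or update the MISP event for the site in ``validated_data``.

    Reuses the event id of a matching ``DnsTwisted`` record when the site has
    none yet, checks that the MISP instance is reachable, then either updates
    the existing event's attributes or creates a new event and stores its id
    on the ``Site`` (and matching ``DnsTwisted``) rows.

    Raises:
        AuthenticationFailed: TLS error while contacting ``settings.MISP_URL``.
        NotFound: any other request error (including a timeout).
    """
    site_id = self.validated_data['id']
    site = Site.objects.get(pk=site_id)

    # Check if there is already an Event via the matching DnsTwisted record.
    if DnsTwisted.objects.filter(domain_name=site.domain_name):
        dns_twisted = DnsTwisted.objects.get(domain_name=site.domain_name)
        if site.misp_event_id is None:
            site.misp_event_id = dns_twisted.misp_event_id
            # Save the case id in database
            Site.objects.filter(pk=site.pk).update(misp_event_id=dns_twisted.misp_event_id)

    # Test MISP instance connection. The timeout (constructed default, tune to
    # the deployment) stops an unresponsive MISP from blocking this request
    # handler indefinitely; a timeout is a RequestException -> NotFound.
    try:
        requests.get(settings.MISP_URL, verify=settings.MISP_VERIFY_SSL, timeout=10)
    except requests.exceptions.SSLError as e:
        print(str(timezone.now()) + " - ", e)
        raise AuthenticationFailed("SSL Error: " + settings.MISP_URL) from e
    except requests.exceptions.RequestException as e:
        print(str(timezone.now()) + " - ", e)
        raise NotFound("Not Found: " + settings.MISP_URL) from e

    misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY, settings.MISP_VERIFY_SSL)
    if site.misp_event_id is not None:
        # The event already exists: only update its IOCs.
        update_attributes(misp_api, site)
        return

    # No event yet: build and create it.
    event = MISPEvent()
    event.distribution = 0
    event.threat_level_id = 2
    event.analysis = 0
    event.info = "Suspicious domain name " + site.domain_name
    event.tags = create_misp_tags(misp_api)
    print(str(timezone.now()) + " - " + 'Create MISP Event')
    print('-----------------------------')
    event = misp_api.add_event(event, pythonify=True)

    # Store the new event id in the database.
    Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)
    if DnsTwisted.objects.filter(domain_name=site.domain_name):
        DnsTwisted.objects.filter(domain_name=site.domain_name).update(misp_event_id=event.id)
    create_attributes(misp_api, event.id, site)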
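def make_new_event(misp):
    """Create and submit the fixed OSINT event titled ``MISP_EVENT_TITLE``.

    Args:
        misp: Connected PyMISP client.

    Returns:
        The created event as returned by ``misp.add_event(..., pythonify=True)``.
    """
    LOGGER.info('Creating new fixed event...')
    event = MISPEvent()
    # The former ``timestamp`` / ``event_date`` locals were computed but never
    # used: the title is the constant MISP_EVENT_TITLE.
    event.info = MISP_EVENT_TITLE
    event.analysis = Analysis.completed
    event.distribution = Distribution.your_organisation_only
    event.threat_level_id = ThreatLevel.low
    event.add_tag('type:OSINT')
    event.add_tag('tlp:white')
    LOGGER.info('Saving event...')
    time.sleep(1)  # kept from the original: pacing before the API call
    return misp.add_event(event, pythonify=True)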
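def test_sync_community(self):
    '''Simple event, this community only, pull from member of the community'''
    event = MISPEvent()
    event.info = 'Event created on first instance - test_sync_community'
    event.distribution = Distribution.this_community_only
    event.add_attribute('ip-src', '1.1.1.1')
    source = self.instances[0]
    dest = self.instances[1]
    # Bound up-front: if get_event or the pull fails, ``finally`` previously
    # raised NameError on ``dest_event`` and hid the real failure.
    dest_event = None
    try:
        event = source.org_admin_connector.add_event(event)
        source.org_admin_connector.publish(event)
        dest.site_admin_connector.server_pull(dest.sync_servers[0])
        time.sleep(10)  # give the pull time to complete
        dest_event = dest.org_admin_connector.get_event(event.uuid)
        # The pulled copy is expected to arrive with distribution 0.
        self.assertEqual(dest_event.distribution, 0)
    finally:
        source.org_admin_connector.delete_event(event)
        if dest_event is not None:
            dest.site_admin_connector.delete_event(dest_event)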
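def test_simple_sync(self):
    '''Test simple event, push to one server'''
    event = MISPEvent()
    event.info = 'Event created on first instance - test_simple_sync'
    event.distribution = Distribution.all_communities
    event.add_attribute('ip-src', '1.1.1.1')
    source = self.instances[0]
    dest = self.instances[1]
    # Bound up-front: if the push or get_event fails, ``finally`` previously
    # raised NameError on ``dest_event`` and hid the real failure.
    dest_event = None
    try:
        event = source.org_admin_connector.add_event(event)
        source.org_admin_connector.publish(event)
        source.site_admin_connector.server_push(source.sync_servers[0], event)
        time.sleep(10)  # give the push time to complete
        dest_event = dest.org_admin_connector.get_event(event.uuid)
        self.assertEqual(event.attributes[0].value, dest_event.attributes[0].value)
    finally:
        source.org_admin_connector.delete_event(event)
        if dest_event is not None:
            dest.site_admin_connector.delete_event(dest_event)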
def _create_new_event(self, org_uuid) -> MISPEvent:
    """Create and submit a new MISP event for the IntelMQ feed.

    Args:
        org_uuid: Organisation identifier handed to ``self.uuid_generator``
            to pick the event UUID.

    Returns:
        The event as returned by ``add_event(..., pythonify=True)``.
    """
    new_event = MISPEvent()
    # TODO turn on correct organization assignment
    # new_event.orgc = self.misp_inst.get_organisation(org_uuid, pythonify=True)
    new_event.analysis = 2  # completed
    new_event.threat_level_id = 3  # low
    # TODO use sharing group instead (distribution 4 with a sharing_group_id)
    new_event.distribution = 1
    # Event UUID is chosen by the project's generator for this organisation.
    new_event.uuid = self.uuid_generator.get_misp_event_uuid(org_uuid)
    for tag_name in ("rsit:test", "tlp:amber"):
        new_event.add_tag(tag_name)
    new_event.info = "CTI - IntelMQ feed"
    return self.misp_inst.add_event(new_event, pythonify=True)
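def inserta_misp(nombre_evento, full_tweet, fverbose):
    """Create a MISP event for a received tweet and push it via the module-level ``misp`` client.

    Args:
        nombre_evento: Event ``info`` text; changes for every tweet received.
        full_tweet: Full tweet text, stored as a ``text`` attribute and
            handed to ``add_tweet_atributes`` for further extraction.
        fverbose: Verbosity flag passed through to ``add_tweet_atributes``.

    Returns:
        The created event as returned by ``misp.add_event(..., pythonify=True)``
        (previously computed but discarded; callers ignoring it are unaffected).
    """
    event = MISPEvent()
    event.info = nombre_evento  # Required
    # Defaults
    event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
    event.threat_level_id = 2  # Optional, defaults to MISP.default_event_threat_level in MISP config
    event.analysis = 1  # Optional, defaults to 0 (initial analysis)
    # Store the complete tweet (an 'External analysis' attribute was used before)
    event.add_attribute('text', full_tweet)
    event.add_tag('tlp:white')
    add_tweet_atributes(event, full_tweet, fverbose)
    # Submit the event
    return misp.add_event(event, pythonify=True)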
def make_new_event(misp):
    """Create the dated fixed OSINT event.

    Args:
        misp: Connected PyMISP client.

    Returns:
        The created event, or ``False`` when ``add_event`` raised (the error
        is logged).
    """
    LOGGER.info('Creating new fixed event...')
    new_event = MISPEvent()
    today = datetime.now().strftime('%Y-%m-%d')
    new_event.info = '{0} {1}'.format(MISP_EVENT_TITLE, today)
    new_event.analysis = Analysis.completed
    new_event.distribution = Distribution.your_organisation_only
    new_event.threat_level_id = ThreatLevel.low
    for tag_name in ('type:OSINT', 'tlp:white'):
        new_event.add_tag(tag_name)
    LOGGER.info('Saving event...')
    time.sleep(1)
    try:
        return misp.add_event(new_event, pythonify=True)
    except Exception as ex:
        # Best-effort: report and signal failure to the caller.
        LOGGER.error('Failed to make MISP event: {0}'.format(str(ex)))
        return False
def createEvent(eventName):
    """Maltego transform: create a MISP event named *eventName* and emit a ``maltego.MISPEvent`` entity."""
    transform = MaltegoTransform()
    transform.addUIMessage("[Info] Creating event with the name %s" % eventName)

    new_event = MISPEvent()
    new_event.analysis = MISP_ANALYSIS
    new_event.date = datetime.now()
    new_event.distribution = MISP_DISTRIBUTION
    new_event.info = eventName
    new_event.threat_level_id = MISP_THREAT
    new_event.published = MISP_EVENT_PUBLISH

    # Non-pythonified response: a plain dict under the 'Event' key.
    created = misp.add_event(new_event)['Event']
    event_id = created['id']
    event_info = created['info']
    event_orgc = created['orgc_id']

    entity = MaltegoEntity('maltego.MISPEvent', event_id)
    entity.addAdditionalFields('EventLink', 'EventLink', False, BASE_URL + '/events/view/' + event_id)
    entity.addAdditionalFields('Org', 'Org', False, event_orgc)
    entity.addAdditionalFields('notes', 'notes', False, event_orgc + ": " + event_info)
    transform.addEntityToMessage(entity)
    returnSuccess("event", event_id, None, transform)
def create_full_event(
        self, info,
        distribution: MISPDistribution = MISPDistribution.ORGANIZATION,
        threat_level: MISPThreatLevel = MISPThreatLevel.MEDIUM,
        analysis: MISPAnalysis = MISPAnalysis.INITIAL,
        attributes: list = None, tags: list = None):
    """Create a MISP event from header fields and return the API response.

    NOTE(review): ``attributes`` and ``tags`` are not applied. When given,
    the event's ``Attribute`` / ``Tag`` lists are only reset to empty, so
    callers passing them get an event without those items. The item format
    is not visible here — confirm it before wiring them in.
    """
    new_event = MISPEvent()
    new_event.distribution = distribution.value
    new_event.threat_level_id = threat_level.value
    new_event.analysis = analysis.value
    new_event.info = info
    if attributes is not None:
        new_event.Attribute = []
    if tags is not None:
        new_event.Tag = []
    created = self.misp_api.add_event(new_event)
    # Result intentionally discarded (kept from the original).
    self.misp_api.get_all_tags()
    print(created.to_json())
    return created
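def run(self, results):
    """Run analysis.

    Pushes the task's IOCs to MISP as a side effect (reusing an event that
    already holds the sample's sha256, otherwise creating one).
    @return: None.
    """
    url = self.options.get("url", "")
    apikey = self.options.get("apikey", "")
    if not url or not apikey:
        log.error("MISP URL or API key not configured.")
        return

    # NOTE(review): the third positional argument disables TLS certificate
    # verification for the MISP connection. Kept as-is; consider making it
    # configurable with verification on by default.
    self.misp = PyMISP(url, apikey, False, "json")
    self.threads = self.options.get("threads", "")
    if not self.threads:
        self.threads = 5
    self.iocs = deque()
    self.misper = dict()

    try:
        if self.options.get("upload_iocs", False) and results.get("malscore", 0) >= self.options.get("min_malscore", 0):
            distribution = int(self.options.get("distribution", 0))
            threat_level_id = int(self.options.get("threat_level_id", 4))
            analysis = int(self.options.get("analysis", 0))
            tag = self.options.get("tag") or "CAPEv2"
            info = self.options.get("title", "")
            upload_sample = self.options.get("upload_sample")

            malfamily = ""
            if results.get("detections", ""):
                malfamily = results["detections"]

            # Reuse an existing event that already holds this sample's hash.
            response = self.misp.search("attributes", value=results["target"]["file"]["sha256"], return_format="json", pythonify=True)
            if response:
                event = self.misp.get_event(response[0].event_id, pythonify=True)
            else:
                event = MISPEvent()
                event.distribution = distribution
                event.threat_level_id = threat_level_id
                event.analysis = analysis
                event.info = "{} {} - {}".format(info, malfamily, results.get("info", {}).get("id"))
                event = self.misp.add_event(event, pythonify=True)

            # Add a specific tag to flag Cuckoo's event
            if tag:
                self.misp.tag(event, tag)

            # malpedia galaxy
            if malpedia_json:
                self.malpedia(results, event, malfamily)

            # ToDo?
            self.signature(results, event)
            self.sample_hashes(results, event)
            self.all_network(results, event)
            self.dropped_files(results, event)

            if upload_sample:
                target = results.get("target", {})
                sample = target.get("file", {})
                if target.get("category") == "file" and sample:
                    # The open file used to be bound to the same name as the
                    # file dict (``f``), so ``f["path"]`` below raised
                    # TypeError and the whole upload failed in the handler.
                    with open(sample["path"], "rb") as fh:
                        event.add_attribute(
                            "malware-sample",
                            value=os.path.basename(sample["path"]),
                            data=BytesIO(fh.read()),
                            expand="binary",
                            comment="Sample run",
                        )

            if results.get("target", {}).get("url", "") and results["target"]["url"] not in whitelist:
                event.add_attribute("url", results["target"]["url"])

            # ToDo migth be outdated!
            # if self.options.get("ids_files", False) and "suricata" in results.keys():
            #     for surifile in results["suricata"]["files"]:
            #         if "file_info" in surifile.keys():
            #             self.misper["iocs"].append({"md5": surifile["file_info"]["md5"]})
            #             self.misper["iocs"].append({"sha1": surifile["file_info"]["sha1"]})
            #             self.misper["iocs"].append({"sha256": surifile["file_info"]["sha256"]})

            if self.options.get("mutexes", False) and "behavior" in results and "summary" in results["behavior"]:
                for mutex in results["behavior"]["summary"].get("mutexes", []):
                    if mutex not in whitelist:
                        event.add_attribute("mutex", mutex)

            if self.options.get("registry", False) and "behavior" in results and "summary" in results["behavior"]:
                for regkey in results["behavior"]["summary"].get("read_keys", []):
                    event.add_attribute("regkey", regkey)

            event.run_expansions()
            self.misp.update_event(event)

            # Make event public
            if self.options.get("published", True):
                self.misp.publish(event)
    except Exception as e:
        log.error("Failed to generate JSON report: %s" % e, exc_info=True)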
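def save(self):
    """Create or update the MISP event for the twisted domain behind an alert.

    Resolves the alert's ``DnsTwisted`` record, obtains the domain's IOCs via
    an existing ``Site`` (or a temporary one initialised and deleted here),
    checks that the MISP instance is reachable, then either updates the
    existing event's attributes or creates a new event and stores its id on
    the ``DnsTwisted`` (and, when monitored, the ``Site``) rows.

    Raises:
        AuthenticationFailed: TLS error while contacting ``settings.MISP_URL``.
        NotFound: any other request error (including a timeout).
    """
    alert_id = self.validated_data['id']
    alert = Alert.objects.get(pk=alert_id)
    dns_twisted = DnsTwisted.objects.get(pk=alert.dns_twisted.pk)

    # Getting IOCs related to the new twisted domain
    if Site.objects.filter(domain_name=dns_twisted.domain_name):
        already_in_monitoring = True
        site = Site.objects.get(domain_name=dns_twisted.domain_name)
        # Store Event Id in database
        DnsTwisted.objects.filter(pk=dns_twisted.pk).update(misp_event_id=site.misp_event_id)
    else:
        already_in_monitoring = False
        # Temporary Site used only to collect IOCs; rtir is a placeholder.
        site = Site.objects.create(domain_name=dns_twisted.domain_name, rtir=-999999999)
        monitoring_init(site)
        site = Site.objects.get(pk=site.pk)

    # We now have the IOCs related to the domain, so the temporary Site can go.
    if not already_in_monitoring:
        Site.objects.filter(pk=site.pk).delete()
    if site.misp_event_id is None:
        site.misp_event_id = dns_twisted.misp_event_id

    # Test MISP instance connection. The timeout (constructed default, tune to
    # the deployment) stops an unresponsive MISP from blocking this request
    # handler indefinitely; a timeout is a RequestException -> NotFound.
    try:
        requests.get(settings.MISP_URL, verify=settings.MISP_VERIFY_SSL, timeout=10)
    except requests.exceptions.SSLError as e:
        print(str(timezone.now()) + " - ", e)
        raise AuthenticationFailed("SSL Error: " + settings.MISP_URL) from e
    except requests.exceptions.RequestException as e:
        print(str(timezone.now()) + " - ", e)
        raise NotFound("Not Found: " + settings.MISP_URL) from e

    misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY, settings.MISP_VERIFY_SSL)
    if site.misp_event_id is not None:
        # The event already exists: only update its IOCs.
        update_attributes(misp_api, site)
        return

    # No event yet: build and create it.
    event = MISPEvent()
    event.distribution = 0
    event.threat_level_id = 2
    event.analysis = 0
    event.info = "Suspicious domain name " + site.domain_name
    event.tags = create_misp_tags(misp_api)
    print(str(timezone.now()) + " - " + 'Create MISP Event')
    print('-----------------------------')
    event = misp_api.add_event(event, pythonify=True)

    # Store the new event id in the database.
    DnsTwisted.objects.filter(pk=dns_twisted.pk).update(misp_event_id=event.id)
    if Site.objects.filter(domain_name=dns_twisted.domain_name):
        Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)
    create_attributes(misp_api, event.id, site)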
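def misp_add_event(self, query):
    """Build (but do not submit) a MISP event from an ATD sandbox report.

    Args:
        query: Parsed ATD report. ``query['Summary']`` supplies the subject
            file, verdict, ATD/destination IPs, task id and the optional
            Processes / Files / Urls / Ips / Stats / Behavior sections.

    Returns:
        The populated ``MISPEvent``; submission is left to the caller.
    """
    summary = query['Summary']
    mainfile = summary['Subject']['Name']
    # Distribution comes from the bot parameters (e.g. Organization Only).
    distribution = self.parameters.misp_distribution
    # Threat level is the ATD severity mapped onto MISP's scale.
    threat_level_id = summary['Verdict']['Severity']
    analysis_status = 2  # completed

    misp_event = MISPEvent()
    misp_event.info = "McAfee ATD Sandbox Analysis Report - " + mainfile
    misp_event.distribution = distribution
    misp_event.threat_level_id = atd_to_misp_confidence(threat_level_id)
    misp_event.analysis = analysis_status

    def add_if_present(attr_type, value, prefix=""):
        # Empty/None values are skipped; the prefix is only joined when present.
        if value:
            self.misp_add_attribute(misp_event, attr_type, prefix + value)

    # Main information
    add_if_present("comment", summary['ATD IP'], "ATD IP ")
    add_if_present("ip-dst", summary['Dst IP'])
    add_if_present("comment", summary['TaskId'], "ATD TaskID: ")
    add_if_present("comment", summary['Subject']['size'], "File size is ")
    add_if_present("comment", summary['Verdict']['Description'])

    # File object for the analysed sample
    self.misp_add_fileObject(misp_event, mainfile,
                             summary['Subject']['md5'],
                             summary['Subject']['sha-1'],
                             summary['Subject']['sha-256'])

    # The sections below are optional in ATD output. Each is best-effort: a
    # missing key or unexpected shape skips the rest of that section only.
    # (Bare ``except:`` narrowed to Exception so KeyboardInterrupt/SystemExit
    # are no longer swallowed.)
    try:
        for process in summary['Processes']:
            name = process['Name']
            md5 = process['Md5']
            sha1 = process['Sha1']
            sha256 = process['Sha256']
            add_if_present("filename", name)
            add_if_present("md5", md5)
            add_if_present("sha1", sha1)
            add_if_present("sha256", sha256)
    except Exception:
        pass

    try:
        for entry in summary['Files']:
            name = entry['Name']
            md5 = entry['Md5']
            sha1 = entry['Sha1']
            sha256 = entry['Sha256']
            self.misp_add_fileObject(misp_event, name, md5, sha1, sha256)
    except Exception:
        pass

    try:
        for url_entry in summary['Urls']:
            add_if_present("url", url_entry['Url'])
    except Exception:
        pass

    try:
        for ip_entry in summary['Ips']:
            ipv4 = ip_entry['Ipv4']
            port = ip_entry['Port']
            add_if_present("ip-dst", ipv4)
            if port:
                self.misp_add_attribute(misp_event, "url", ipv4 + ":" + port)
    except Exception:
        pass

    try:
        for stat in summary['Stats']:
            add_if_present("comment", stat['Category'])
    except Exception:
        pass

    try:
        for behaviour in summary['Behavior']:
            analysis_text = behaviour['Analysis']
            # Was ``if not category`` (copied from the Stats loop), which tested
            # the wrong variable and raised NameError when Stats was empty.
            add_if_present("comment", analysis_text)
    except Exception:
        pass

    # Confidence level from ATD, TLP and origin tags
    self.misp_add_tag(misp_event, str(atd_to_veris_confidence(threat_level_id)))
    self.misp_add_tag(misp_event, "tlp:amber")
    self.misp_add_tag(misp_event, "McAfee ATD Analysis")
    self.misp_add_tag(misp_event, "cssa:origin=\"sandbox\"")
    self.misp_add_tag(misp_event, "cssa:sharing-class=\"unvetted\"")

    # Submission is done by the calling routine:
    # misp_event = self.misp.add_event(misp_event)
    return misp_event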
"The distribution setting used for the attributes and for the newly created event, if relevant. [0-3]." ) parser.add_argument( "-i", "--info", help="Used to populate the event info field if no event ID supplied.") parser.add_argument( "-a", "--analysis", type=int, help= "The analysis level of the newly created event, if applicable. [0-2]") parser.add_argument( "-t", "--threat", type=int, help= "The threat level ID of the newly created event, if applicable. [1-4]") args = parser.parse_args() misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) event = MISPEvent() event.distribution = args.distrib event.threat_level_id = args.threat event.analysis = args.analysis event.info = args.info event = misp.add_event(event, pythonify=True) print(event)
headers = {'Authorization': "Basic " + proofpoint_key} responseVap = requests.request("GET", urlVap, headers=headers) jsonDataVap = json.loads(responseVap.text) for alert in jsonDataVap["users"]: orgc = MISPOrganisation() orgc.name = 'Proofpoint' orgc.id = '#{ORGC.ID}' # organisation id orgc.uuid = '#{ORGC.UUID}' # organisation uuid # initialize and set MISPEvent() event = MISPEvent() event.Orgc = orgc event.info = 'Very Attacked Person ' + jsonDataVap["interval"] event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config event.threat_level_id = 2 # setting this to 0 breaks the integration event.analysis = 0 # Optional, defaults to 0 (initial analysis) totalVapUsers = event.add_attribute('counter', jsonDataVap["totalVapUsers"], comment="Total VAP Users") averageAttackIndex = event.add_attribute('counter', jsonDataVap["averageAttackIndex"], comment="Average Attack Count") vapAttackIndexThreshold = event.add_attribute( 'counter', jsonDataVap["vapAttackIndexThreshold"], comment="Attack Threshold")
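def create_misp_event(misp_instance, isight_report_instance, event_tags):
    """Create a new MISP event for an iSight report that has no MISP event yet.

    Args:
        misp_instance: PyMISP client; ``add_event``, ``tag`` and ``add_attribute``
            are called on it.
        isight_report_instance: iSight report object; ``publishDate``, ``riskRating``,
            ``title``, ``reportId``, ``webLink`` and ``ThreatScape`` are read from it.
        event_tags: iterable of tag names applied to the new event; may be empty or None.

    Returns:
        None. The id of the created event is appended to the module-level
        ``new_events`` list and ``update_misp_event`` is called to add the
        report's own attributes.
    """
    global new_events

    # Event date: publishDate is an epoch timestamp. Interpret it in UTC so it agrees
    # with the UTC fallback below (a naive local-time conversion next to an aware UTC
    # "now" could shift the event date by a day around midnight).
    if isight_report_instance.publishDate:
        date = datetime.datetime.fromtimestamp(
            isight_report_instance.publishDate, datetime.timezone.utc)
    else:
        # If iSight doesn't provide a date, use today's date.
        date = datetime.datetime.now(datetime.timezone.utc)

    # iSight risk rating -> MISP threat_level_id (1 = High, 2 = Medium, 3 = Low, 4 = Unknown).
    # CRITICAL and HIGH both map to High. The lookup is case-insensitive, and a missing
    # or unrecognised rating falls through to Unknown.
    risk_rating = str(isight_report_instance.riskRating or '').upper()
    threat_level = {'CRITICAL': 1, 'HIGH': 1, 'MEDIUM': 2, 'LOW': 3}.get(risk_rating, 4)

    # Create a MISP event from the FireEye iSight report with the following parameters.
    event = MISPEvent()
    event.distribution = 1  # This community only
    event.threat_level_id = threat_level
    event.analysis = 2  # Completed
    event.info = "iSIGHT: " + isight_report_instance.title
    event.date = date

    # Push the event to the MISP server.
    my_event = misp_instance.add_event(event, pythonify=True)
    PySight_settings.logger.debug('Created MISP event %s for iSight report %s',
                                  event, isight_report_instance.reportId)

    # Add the event ID to the global list of newly created events.
    new_events.append(my_event['id'])

    # Add default tags to the event.
    for event_tag in event_tags or ():
        misp_instance.tag(my_event, event_tag)

    # Use some iSight ThreatScapes for event tagging. Reports can have multiple
    # ThreatScapes, so every matching keyword is tagged. VERIS distinguishes between
    # external, internal or partner actors; that difference is not yet implemented in
    # MISP, so the espionage motive is tagged without an actor qualifier (external
    # would be the most likely).
    threatscape = isight_report_instance.ThreatScape or ''
    threatscape_tags = (
        ('Cyber Espionage', 'veris:actor:motive="Espionage"'),
        ('Hacktivism', 'veris:actor:external:variety="Activist"'),
        ('Critical Infrastructure', 'basf:technology="OT"'),
        ('Cyber Physical', 'basf:technology="OT"'),
        ('Cyber Crime', 'veris:actor:external:variety="Organized crime"'),
    )
    for keyword, tag in threatscape_tags:
        if keyword in threatscape:
            misp_instance.tag(my_event, tag)

    # Add the iSight report ID and web link as attributes. These are reference data,
    # not indicators, so they are never flagged for IDS export (to_ids False).
    if isight_report_instance.reportId:
        misp_instance.add_attribute(my_event, {
            'category': 'External analysis',
            'type': 'text',
            'to_ids': False,
            'value': isight_report_instance.reportId
        }, pythonify=True)
    if isight_report_instance.webLink:
        misp_instance.add_attribute(my_event, {
            'category': 'External analysis',
            'type': 'link',
            'to_ids': False,
            'value': isight_report_instance.webLink
        }, pythonify=True)

    # Put the ThreatScape into an Attribution attribute, but disable correlation:
    # the same ThreatScape text appears on many reports and would correlate everything.
    if isight_report_instance.ThreatScape:
        misp_instance.add_attribute(my_event, {
            'category': 'Attribution',
            'type': 'text',
            'to_ids': False,
            'value': isight_report_instance.ThreatScape,
            'disable_correlation': True
        }, pythonify=True)

    # Add specific attributes from this iSight report.
    update_misp_event(misp_instance, my_event, isight_report_instance)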
#!/usr/bin/env python3 # -*- coding: utf-8 -*- from pymisp import ExpandedPyMISP, MISPEvent from pymisp import MISPObject from keys import misp_url, misp_key, misp_verifycert from datetime import date misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) event = MISPEvent() event.info = 'IoT malware' # Event Title event.distribution = 1 # 0 = Your Organisation Only, 1 = Community event.threat_level_id = 2 # 1 = High, 2 = Medium, 3 = Low event.analysis = 2 # 0 (initial analysis), 1 (On-Going), 2 (Complete) event.add_tag('malware_classification:malware-category="Botnet"') event.add_tag('tlp:amber') d = date.today() event.set_date(d) attribute_second = event.add_attribute('url', 'http://1.2.3.4/example', disable_correlation=False, comment="Botnet example text", to_ids=False) event = misp.add_event(event, pythonify=True) # Publish event
def create_event(misp):
    """Return a new, unsaved MISPEvent with fixed defaults.

    Args:
        misp: PyMISP client; accepted for the caller's convenience but not used here
            (the event is not pushed to the server).

    Returns:
        A MISPEvent with distribution 0 (own organisation only), threat level 1 (High)
        and analysis 0 (initial).
    """
    defaults = {"distribution": 0, "threat_level_id": 1, "analysis": 0}
    draft = MISPEvent()
    for field, value in defaults.items():
        setattr(draft, field, value)
    return draft
def misp_send(self, strMISPEventID, strInput: str, strInfo, strUsername):
    """Turn a free-text indicator block into MISP objects and submit them as a new event.

    Args:
        strMISPEventID: not used by this method.
        strInput: raw text with one ``key: value`` indicator per line (domain, ip/ip-dst/
            ip-src, url, md5, sha1, sha256, hash|filename, from/source-email, subject);
            ``get_comm_and_tags`` derives a comment and a tag list from it.
        strInfo: becomes the new event's info (title).
        strUsername: only used in the error log when no accepted tags are present.

    Returns:
        None when no tags were found; otherwise a human-readable string: "Created ID: ..."
        (optionally with related event ids), "Submission error: ...", or an error text that
        embeds the formatted traceback.
    """
    try:
        objects = []
        # get comments and tags from string input
        str_comment, tags = self.get_comm_and_tags(strInput)
        print(tags)  # debug output left in
        # NOTE(review): identity comparison (`is None`) is the idiomatic form here.
        if tags == None:
            self.misp_logger.info('Irate not in Tags: %s equals None' % tags)
            response = None
            return response
        # setup misp objects: one shared email and one shared file object, plus per-line
        # url / hash|filename objects collected in dicts keyed by a running counter.
        mispobj_email = MISPObject(name="email")
        mispobj_file = MISPObject(name="file")
        mispobj_files = {}
        mispobj_domainip = MISPObject(name="domain-ip")
        url_no = 0
        file_no = 0
        mispobj_urls = {}
        # process input: the first ':' separates the key from the value on every line
        for line in strInput.splitlines():
            if ("domain:" in line.lower()):  # Catch domain and add to domain/IP object
                mispobj_domainip = MISPObject(name="domain-ip")
                vals = line.split(":", 1)
                mispobj_domainip.add_attribute("domain", value=vals[1].strip(), comment=str_comment)
                objects.append(mispobj_domainip)
            elif ("ip:" in line.lower()) or ("ip-dst:" in line.lower()) or ("ip-src:" in line.lower()):  # Catch IP and add to domain/IP object
                # NOTE(review): this tests whether some whole line equals "domain:", not whether
                # any line contains it, so in practice IPs fall through to the network-connection
                # branch below; a substring search over the lines is presumably what was meant.
                if "domain:" in strInput.splitlines():
                    mispobj_domainip = MISPObject(name="domain-ip")
                    vals = line.split(":", 1)
                    mispobj_domainip.add_attribute("ip", value=vals[1].strip(), comment=str_comment)
                    objects.append(mispobj_domainip)
                else:
                    mispobj_network_connection = MISPObject(name="network-connection")
                    vals = line.split(":", 1)
                    # "ip:" is treated as a destination address
                    if ("ip:" in line.lower()) or ("ip-dst:" in line.lower()):
                        mispobj_network_connection.add_attribute("ip-dst", type="ip-dst", value=vals[1].strip(), comment=str_comment)
                    else:
                        mispobj_network_connection.add_attribute("ip-src", type="ip-src", value=vals[1].strip(), comment=str_comment)
                    objects.append(mispobj_network_connection)
            elif ("source-email:" in line.lower()) or ("email-source" in line.lower()) or ("from:" in line.lower()):  # Catch email and add to email object
                vals = line.split(":", 1)
                mispobj_email.add_attribute("from", value=vals[1].strip(), comment=str_comment)
            elif ("url:" in line.lower()) or (('kit:' in line.lower() or ('creds:' in line.lower())) and (('hxxp' in line.lower()) or ('http' in line.lower()))):  # Catch URL and add to URL object
                vals = line.split(":", 1)
                url = vals[1].strip()
                # defanged input (hxxp, [.] ...) is restored before parsing
                url = refang(url)
                parsed = urlparse(url)
                mispobj_url = MISPObject(name="url")
                mispobj_url.add_attribute("url", value=parsed.geturl(), category="Payload delivery", comment=str_comment)
                if parsed.hostname:
                    mispobj_url.add_attribute("host", value=parsed.hostname, comment=str_comment)
                if parsed.scheme:
                    mispobj_url.add_attribute("scheme", value=parsed.scheme, comment=str_comment)
                if parsed.port:
                    mispobj_url.add_attribute("port", value=parsed.port, comment=str_comment)
                mispobj_urls[url_no] = mispobj_url
                url_no += 1
            # Catch different hashes and add to file object (the upper-case checks are
            # redundant with the lower() test that precedes them)
            elif ("sha1:" in line.lower()) or ("SHA1:" in line):
                vals = line.split(":", 1)
                mispobj_file.add_attribute("sha1", value=vals[1].strip(), comment=str_comment)
            elif ("sha256:" in line.lower()) or ("SHA256:" in line):
                vals = line.split(":", 1)
                mispobj_file.add_attribute("sha256", value=vals[1].strip(), comment=str_comment)
            elif ("md5:" in line.lower()) or ("MD5:" in line):
                vals = line.split(":", 1)
                mispobj_file.add_attribute("md5", value=vals[1].strip(), comment=str_comment)
            elif ("subject:" in line.lower()):  # Catch subject and add to email object
                self.misp_logger.info('adding subject')
                vals = line.split(":", 1)
                mispobj_email.add_attribute("subject", value=vals[1].strip(), comment=str_comment)
            elif ("hash|filename:" in line.lower()):  # catch hash|filename pair and add to file object
                vals = line.split(":", 1)
                # a line without '|' raises IndexError here and ends up in the except below
                val = vals[1].split("|")
                l_hash = val[0]
                l_filename = val[1]
                l_mispobj_file = MISPObject(name="file")
                # Hash type is inferred from its length. NOTE(review): the sha1 pattern only
                # accepts lower-case hex while md5/sha256 accept both cases, so an upper-case
                # SHA1 is silently dropped (file_no still advances).
                if len(re.findall(r"\b[a-fA-F\d]{32}\b", l_hash)) > 0:
                    l_mispobj_file.add_attribute("md5", value=l_hash.strip(), comment=str_comment)
                    l_mispobj_file.add_attribute("filename", value=l_filename.strip(), comment=str_comment)
                    mispobj_files[file_no] = l_mispobj_file
                elif len(re.findall(r'\b[0-9a-f]{40}\b', l_hash)) > 0:
                    l_mispobj_file.add_attribute("sha1", value=l_hash.strip(), comment=str_comment)
                    l_mispobj_file.add_attribute("filename", value=l_filename.strip(), comment=str_comment)
                    mispobj_files[file_no] = l_mispobj_file
                elif len(re.findall(r'\b[A-Fa-f0-9]{64}\b', l_hash)) > 0:
                    l_mispobj_file.add_attribute("sha256", value=l_hash.strip(), comment=str_comment)
                    l_mispobj_file.add_attribute("filename", value=l_filename.strip(), comment=str_comment)
                    mispobj_files[file_no] = l_mispobj_file
                file_no += 1
        # add all misp objects to List to be processed and submitted to MISP server as one.
        # Empty shared objects are skipped so the event only carries populated objects.
        if len(mispobj_file.attributes) > 0:
            objects.append(mispobj_file)
        if len(mispobj_email.attributes) > 0:
            objects.append(mispobj_email)
        for u_key, u_value in mispobj_urls.items():
            if len(u_value.attributes) > 0:
                objects.append(u_value)
        for f_key, f_value in mispobj_files.items():
            if len(f_value.attributes) > 0:
                objects.append(f_value)
    except Exception as e:
        # NOTE(review): the full traceback is returned to the requesting user as well as
        # logged; a generic message to the caller with the detail kept in the log would
        # avoid exposing internals. `e` itself is unused.
        error = traceback.format_exc()
        response = "Error occured when converting string to misp objects:\n %s" % error
        self.misp_logger.error(response)
        return response
    # Reject the submission if the objects do not pass the project's tag/length check.
    if self.check_object_length(objects) != True:
        self.misp_logger.error('Input from %s did not contain accepted tags.\n Input: \n%s' % (strUsername, strInput))
        return "Error in the tags you entered. Please see the guide for accepted tags."
    try:
        # New event, own organisation only (distribution 0), analysis complete, threat level Low.
        misp_event = MISPEvent()
        misp_event.info = strInfo
        misp_event.distribution = 0
        misp_event.analysis = 2
        misp_event.threat_level_id = 3
        add = self.misp.add_event(misp_event)
        self.misp_logger.info("Added event %s" % add)
        # submit_to_misp is expected to return a 2-tuple; both parts are ignored here
        a, b = self.submit_to_misp(self.misp, misp_event, objects)
        for tag in tags:
            self.misp.tag(misp_event.uuid, tag)
        # The event is published immediately after creation, without triggering alert e-mails.
        ccc = self.misp.publish(misp_event, alert=False)
        self.misp_logger.info(ccc)
        # Re-fetch without pythonify, so `response` is the raw dict ({'Event': {...}} or {'errors': ...}).
        misp_event = self.misp.get_event(misp_event)
        response = misp_event
        if ('errors' in response and response['errors'] != None):
            return ("Submission error: " + repr(response['errors']))
        else:
            if response['Event']['RelatedEvent']:
                e_related = ""
                for each in response['Event']['RelatedEvent']:
                    e_related = e_related + each['Event']['id'] + ", "
                return "Created ID: " + str(response['Event']['id']) + "\nRelated Events: " + ''.join(e_related)
            else:
                return "Created ID: " + str(response['Event']['id'])
    except Exception as e:
        # Same pattern as above: the traceback text is both logged and returned.
        error = traceback.format_exc()
        response = "Error occured when submitting to misp:\n %s" % error
        self.misp_logger.error(response)
        return response