def do_transform(self, request, response, config):
response += check_update(config)
maltego_object = request.entity
conn = MISPConnection(config, request.parameters)
event_json = conn.misp.get_event(maltego_object.event_id)
for o in event_json['Event']['Object']:
if o['uuid'] == maltego_object.uuid:
for entity in conn.object_to_relations(o, event_json):
if entity:
response += entity
return response
def do_transform(self, request, response, config):
self.request = request
self.response = response
self.config = config
self.response += check_update(config)
maltego_misp_event = request.entity
self.conn = MISPConnection(config, request.parameters)
event_id = maltego_misp_event.id
search_result = self.conn.misp.search(controller='events', eventid=event_id, with_attachments=False)
if search_result:
self.event_json = search_result.pop()
else:
return False
self.response += event_to_entity(self.event_json)
return True
def do_transform(self, request, response, config):
response += check_update(config)
link_label = 'Search result'
if 'properties.mispevent' in request.entity.fields:
conn = MISPConnection(config, request.parameters)
# if event_id
try:
if request.entity.value == '0':
return response
eventid = int(request.entity.value)
events_json = conn.misp.search(controller='events',
eventid=eventid,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e,
link_label=link_label,
link_direction=LinkDirection.OutputToInput)
return response
except ValueError:
pass
# if event_info string as value
events_json = conn.misp.search(controller='events',
eventinfo=request.entity.value,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e,
link_label=link_label,
link_direction=LinkDirection.OutputToInput)
return response
# From galaxy or Hashtag
if 'properties.mispgalaxy' in request.entity.fields or 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
if request.entity.value == '-':
return response
# First search in galaxies
keyword = get_entity_property(request.entity, 'Temp')
if not keyword:
keyword = request.entity.value
# assume the user is searching for a cluster based on a substring.
# Search in the list for those that match and return galaxy entities'
potential_clusters = search_galaxy_cluster(keyword)
# LATER check if duplicates are possible
if potential_clusters:
for potential_cluster in potential_clusters:
new_entity = galaxycluster_to_entity(potential_cluster,
link_label=link_label)
# LATER support the type_filter - unfortunately this is not possible, we need Canari to tell us the original entity type
if isinstance(new_entity, MISPGalaxy):
response += new_entity
# from Hashtag search also in tags
if 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
keyword = get_entity_property(request.entity, 'Temp')
if not keyword:
keyword = request.entity.value
conn = MISPConnection(config, request.parameters)
result = conn.misp.direct_call('tags/search',
{'name': keyword})
for t in result:
# skip misp-galaxies as we have processed them earlier on
if t['Tag']['name'].startswith('misp-galaxy'):
continue
# In this case we do not filter away those we add as notes, as people might want to pivot on it explicitly.
response += Hashtag(t['Tag']['name'],
link_label=link_label,
bookmark=Bookmark.Green)
return response
# for all other normal entities
conn = MISPConnection(config, request.parameters)
events_json = conn.misp.search(controller='events',
value=request.entity.value,
with_attachments=False)
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
for e in events_json:
# find the value as attribute
attr = get_attribute_in_event(e,
request.entity.value,
substring=True)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
# find the value as object, and return the object
if 'Object' in e['Event']:
for o in e['Event']['Object']:
if get_attribute_in_object(
o,
attribute_value=request.entity.value,
substring=True).get('value'):
response += conn.object_to_entity(
o, link_label=link_label)
return response
def do_transform(self, request, response, config):
response += check_update(config)
# skip some Entities
skip = ['properties.mispevent']
for i in skip:
if i in request.entity.fields:
return response
if 'ipv4-range' in request.entity.fields:
# placeholder for https://github.com/MISP/MISP-maltego/issues/11
pass
conn = MISPConnection(config, request.parameters)
# from Galaxy
if 'properties.mispgalaxy' in request.entity.fields:
tag_name = get_entity_property(request.entity, 'tag_name')
if not tag_name:
tag_name = request.entity.value
events_json = conn.misp.search(controller='events',
tags=tag_name,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e, link_direction=LinkDirection.OutputToInput)
return response
# from Object
elif 'properties.mispobject' in request.entity.fields:
if request.entity.fields.get('event_id'):
events_json = conn.misp.search(
controller='events',
eventid=request.entity.fields.get('event_id').value,
with_attachments=False)
for e in events_json:
response += event_to_entity(
e, link_direction=LinkDirection.OutputToInput)
return response
else:
return response
# from Hashtag
elif 'properties.temp' in request.entity.fields or 'twitter.hashtag' in request.entity.fields:
tag_name = get_entity_property(request.entity, 'Temp')
if not tag_name:
tag_name = request.entity.value
events_json = conn.misp.search_index(tags=tag_name)
for e in events_json:
response += event_to_entity(
{'Event': e}, link_direction=LinkDirection.OutputToInput)
return response
# standard Entities (normal attributes)
else:
events_json = conn.misp.search(controller='events',
value=request.entity.value,
with_attachments=False)
# return the MISPEvent or MISPObject of the attribute
for e in events_json:
# find the value as attribute
attr = get_attribute_in_event(e, request.entity.value)
if attr:
response += event_to_entity(
e, link_direction=LinkDirection.OutputToInput)
# find the value as object
if 'Object' in e['Event']:
for o in e['Event']['Object']:
if get_attribute_in_object(
o,
attribute_value=request.entity.value).get('value'):
response += conn.object_to_entity(
o, link_direction=LinkDirection.OutputToInput)
return response
class EventToTransform(Transform):
input_type = None
"""Generic EventTo class containing multiple reusable functions for the subclasses."""
def __init__(self):
self.request = None
self.response = None
self.config = None
self.conn = None
self.event_json = None
self.event_tags = None
def do_transform(self, request, response, config):
self.request = request
self.response = response
self.config = config
self.response += check_update(config)
maltego_misp_event = request.entity
self.conn = MISPConnection(config, request.parameters)
event_id = maltego_misp_event.id
search_result = self.conn.misp.search(controller='events', eventid=event_id, with_attachments=False)
if search_result:
self.event_json = search_result.pop()
else:
return False
self.response += event_to_entity(self.event_json)
return True
def gen_response_tags(self, gen_response=True):
self.event_tags = []
if 'Tag' in self.event_json['Event']:
for t in self.event_json['Event']['Tag']:
self.event_tags.append(t['name'])
# ignore all misp-galaxies
if t['name'].startswith('misp-galaxy'):
continue
# ignore all those we add as notes
if tag_matches_note_prefix(t['name']):
continue
if gen_response:
self.response += Hashtag(t['name'])
def gen_response_galaxies(self):
for g in self.event_json['Event']['Galaxy']:
for c in g['GalaxyCluster']:
self.response += galaxycluster_to_entity(c)
def gen_response_attributes(self):
if not self.event_tags:
self.gen_response_tags(gen_response=False)
for a in self.event_json['Event']["Attribute"]:
for entity in attribute_to_entity(a, event_tags=self.event_tags):
if entity:
self.response += entity
def gen_response_objects(self):
for o in self.event_json['Event']['Object']:
self.response += self.conn.object_to_entity(o)
def gen_response_relations(self):
for e in self.event_json['Event']['RelatedEvent']:
self.response += event_to_entity(e, link_style=LinkStyle.DashDot)