def _misp_sighting_list_function(self, event, *args, **kwargs): """Function: Return a list of sightings associated with a given event""" try: API_KEY, URL, VERIFY_CERT = common.validate(self.options) # Get the function parameters: event_id = int(kwargs.get("misp_event_id")) # text log = logging.getLogger(__name__) log.info("event_id: %s", event_id) yield StatusMessage("Setting up connection to MISP") proxies = common.get_proxies(self.opts, self.options) misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies) yield StatusMessage("Getting sighted list") sighting_list_result = misp_helper.get_misp_sighting_list( misp_client, event_id) yield StatusMessage("Finished getting sighting list") results = {"success": True, "content": sighting_list_result} # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()
def _misp_create_tag_function(self, event, *args, **kwargs): """Function: Creates a Tag""" try: # Get the function parameters: misp_tag_type = self.get_select_param(kwargs.get( "misp_tag_type")) # select, values: "Event", "Attribute" misp_tag_name = kwargs.get("misp_tag_name") # text misp_attribute_value = kwargs.get("misp_attribute_value") # text misp_event_id = kwargs.get("misp_event_id") # number # ensure misp_event_id is an integer so we can get an event by it's index if not isinstance(misp_event_id, int): raise IntegrationError( u"Unexpected input type for MISP Event ID. Expected and integer, received {}" .format(type(misp_event_id))) API_KEY, URL, VERIFY_CERT = common.validate(self.options) log = logging.getLogger(__name__) log.info("misp_tag_type: %s", misp_tag_type) log.info("misp_tag_name: %s", misp_tag_name) log.info("misp_attribute_value: %s", misp_attribute_value) log.info("misp_event_id: %s", misp_event_id) if sys.version_info.major < 3: raise FunctionError( "Tagging is only supported when using Python 3") yield StatusMessage("Setting up connection to MISP") proxies = common.get_proxies(self.opts, self.options) misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies) yield StatusMessage(u"Tagging {} with {}".format( misp_tag_type, misp_tag_name)) tag_result = misp_helper.create_tag(misp_client, misp_attribute_value, misp_tag_type, misp_tag_name, misp_event_id) if 'errors' in tag_result: raise IntegrationError(u"Unable to save the tag. {}".format( tag_result['errors'][1]['errors'])) log.debug(tag_result) yield StatusMessage("Tag has been created") response_results = {"success": True} # Produce a FunctionResult with the results yield FunctionResult(response_results) except Exception: yield FunctionError()
def _misp_search_attribute_function(self, event, *args, **kwargs): """Function: Search to see if an attribute exists for a given artifact value""" try: API_KEY, URL, VERIFY_CERT = common.validate(self.options) # Get the function parameters: search_attribute = kwargs.get("misp_attribute_value") # text log = logging.getLogger(__name__) log.info("search_attribute: %s", search_attribute) yield StatusMessage("Setting up connection to MISP") proxies = common.get_proxies(self.opts, self.options) misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies) yield StatusMessage( u"Searching for attribute - {}".format(search_attribute)) results = {} search_results = misp_helper.search_misp_attribute( misp_client, search_attribute) log.debug(search_results) if search_results['search_status']: results['success'] = True results['content'] = search_results['search_results'] misp_tags = misp_helper.get_misp_attribute_tags( misp_client, search_results['search_results']) results['tags'] = misp_tags else: results['success'] = False yield StatusMessage("Attribute search complete.") # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()
def _misp_create_attribute_function(self, event, *args, **kwargs): """Function: """ try: API_KEY, URL, VERIFY_CERT = common.validate(self.options) # Get the function parameters: misp_event_id = kwargs.get("misp_event_id") # number misp_attribute_value = kwargs.get("misp_attribute_value") # text misp_attribute_type = kwargs.get("misp_attribute_type") # text # ensure misp_event_id is an integer so we can get an event by it's index if not isinstance(misp_event_id, int): raise IntegrationError(u"Unexpected input type for MISP Event ID. Expected and integer, received {}".format(type(misp_event_id))) log = logging.getLogger(__name__) log.info("misp_event_id: %s", misp_event_id) log.info("misp_attribute_value: %s", misp_attribute_value) log.info("misp_attribute_type: %s", misp_attribute_type) yield StatusMessage("Setting up connection to MISP") proxies = common.get_proxies(self.opts, self.options) misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies) yield StatusMessage(u"Creating new misp attribute {} {}".format(misp_attribute_type, misp_attribute_value)) attribute = misp_helper.create_misp_attribute(misp_client, misp_event_id, misp_attribute_type, misp_attribute_value) log.debug(attribute) yield StatusMessage("Attribute has been created") results = { "success": True, "content": attribute } # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()
def _misp_create_event_function(self, event, *args, **kwargs): """Function: create a MISP event from an incident """ try: API_KEY, URL, VERIFY_CERT = common.validate(self.options) # Get the function parameters: misp_event_name = kwargs.get("misp_event_name") # text misp_distribution = kwargs.get("misp_distribution") # number misp_analysis_level = kwargs.get("misp_analysis_level") # number misp_threat_level = kwargs.get("misp_threat_level") # number log = logging.getLogger(__name__) log.info("misp_event_name: %s", misp_event_name) log.info("misp_distribution: %s", misp_distribution) log.info("misp_analysis_level: %s", misp_analysis_level) log.info("misp_threat_level: %s", misp_threat_level) yield StatusMessage("Setting up connection to MISP") proxies = common.get_proxies(self.opts, self.options) misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies) yield StatusMessage(u"Creating event {}".format(misp_event_name)) event = misp_helper.create_misp_event(misp_client, misp_distribution, misp_threat_level, misp_analysis_level, misp_event_name) log.debug(event) yield StatusMessage("Event has been created") results = { "success": True, "content": event } # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()
def _misp_create_sighting_function(self, event, *args, **kwargs): """Function: """ try: API_KEY, URL, VERIFY_CERT = common.validate(self.options) # Get the function parameters: misp_sighting = kwargs.get("misp_sighting") # text log = logging.getLogger(__name__) log.info("misp_sighting: %s", misp_sighting) yield StatusMessage("Setting up connection to MISP") proxies = common.get_proxies(self.opts, self.options) misp_client = misp_helper.get_misp_client(URL, API_KEY, VERIFY_CERT, proxies=proxies) yield StatusMessage(u"Marking {} as sighted".format(misp_sighting)) sighting = misp_helper.create_misp_sighting( misp_client, misp_sighting) log.debug(sighting) yield StatusMessage("Sighting has been created") results = {"success": True, "content": sighting} # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()