from canari . maltego . transform import Transform
# from canari.framework import EnableDebugWindow
from MISP_maltego . transforms . common . entities import MISPEvent , MISPGalaxy , ThreatActor , Software , AttackTechnique
from MISP_maltego . transforms . common . util import check_update , get_misp_connection , galaxycluster_to_entity , get_galaxy_cluster , get_galaxies_relating , search_galaxy_cluster , mapping_galaxy_icon
from canari . maltego . message import UIMessageType , UIMessage , LinkDirection
# Module metadata for the galaxy transforms of the MISP_maltego project.
__author__ = 'Christophe Vandeplas'
__copyright__ = 'Copyright 2018, MISP_maltego Project'
__credits__ = []
__license__ = 'AGPLv3'
__version__ = '0.1'
__maintainer__ = 'Christophe Vandeplas'
__email__ = 'christophe@vandeplas.com'
__status__ = 'Development'
# @EnableDebugWindow
class GalaxyToEvents(Transform):
    """Expand a Galaxy entity to the MISP Events that carry its tag."""

    # Maltego entity type accepted as input.
    input_type = MISPGalaxy
    # Canari flag marking the transform as usable from a remote transform
    # server as well as locally (semantics defined by canari, not here).
    remote = True

    def do_transform(self, request, response, config):
        """Search MISP for events tagged with the galaxy and emit one MISPEvent each.

        Args:
            request: Maltego request; ``request.entity`` is the input MISPGalaxy
                and ``request.parameters`` are forwarded to the MISP connection.
            response: Maltego response message the new entities are appended to.
            config: transform configuration (MISP URL/key are read from it by
                the shared helpers).

        Returns:
            The response, extended with a MISPEvent per matching event. Links
            point from the event back to the input galaxy
            (LinkDirection.OutputToInput).
        """
        response += check_update(config)
        galaxy = request.entity
        misp = get_misp_connection(config, request.parameters)

        # Prefer the explicit tag name; fall back to the raw entity value.
        search_tag = galaxy.tag_name or galaxy.value

        # with_attachments=False: attachment payloads are not requested, so
        # only event metadata travels back into the Maltego graph.
        hits = misp.search(controller='events', tags=search_tag, with_attachments=False)
        for hit in hits:
            event = hit['Event']
            response += MISPEvent(
                event['id'],
                uuid=event['uuid'],
                info=event['info'],
                link_direction=LinkDirection.OutputToInput,
            )
        return response
# @EnableDebugWindow
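class GalaxyToTransform(Transform):
    """Shared implementation behind the Galaxy* relation transforms.

    Resolves the input MISPGalaxy entity to a galaxy cluster from the local
    cache, refreshes the input entity with that cluster's details, and emits
    the clusters related to it (in both directions) as new entities.
    ``type_filter`` restricts which entity classes are emitted, which lets the
    subclasses narrow the expansion to Software, ThreatActor or
    AttackTechnique entities.

    ``input_type`` is None: this base class is not exposed as a transform by
    itself, only through its subclasses.
    """

    input_type = None

    @staticmethod
    def _lookup_cluster(galaxy):
        """Return the cached cluster for the entity, trying uuid, tag_name, then name.

        Only the first identifier that is set is used; returns None when the
        lookup with that identifier yields nothing.
        """
        if galaxy.uuid:
            return get_galaxy_cluster(uuid=galaxy.uuid)
        if galaxy.tag_name:
            return get_galaxy_cluster(tag=galaxy.tag_name)
        if galaxy.name:
            return get_galaxy_cluster(tag=galaxy.name)
        return None

    @staticmethod
    def _add_if_matches(response, entity, type_filter):
        """Append ``entity`` to ``response`` only if it is an instance of ``type_filter``.

        Returns the (possibly rebound) response so callers can reassign it.
        """
        if isinstance(entity, type_filter):
            response += entity
        return response

    @staticmethod
    def _refresh_entity(entity, c):
        """Overwrite the input entity's fields with the details of cluster ``c``.

        Mutates ``entity`` in place; the caller does not re-emit it.
        """
        galaxy_cluster = get_galaxy_cluster(c['uuid'])
        # Map the cluster's 'icon' name to the icon filename of the
        # intelligence-icons repository. An icon that is not in the mapping
        # keeps the default Galaxy icon (icon_url stays None).
        icon_url = None
        if galaxy_cluster and 'icon' in galaxy_cluster:
            try:
                icon_url = mapping_galaxy_icon[galaxy_cluster['icon']]
            except (KeyError, TypeError):
                # Unknown or unhashable icon name: fall back to the default icon.
                pass
        # 'meta' and 'synonyms' are optional in cluster definitions.
        meta = c.get('meta') or {}
        synonyms = ', '.join(meta.get('synonyms') or [])

        entity.name = '{}\n{}'.format(c['type'], c['value'])
        entity.uuid = c['uuid']
        entity.description = c.get('description')
        entity.cluster_type = c.get('type')
        entity.cluster_value = c.get('value')
        entity.synonyms = synonyms
        entity.tag_name = c['tag_name']
        entity.icon_url = icon_url

    def do_transform(self, request, response, config, type_filter=MISPGalaxy):
        """Expand the input galaxy to its related clusters.

        Args:
            request: Maltego request; ``request.entity`` is the input MISPGalaxy
                and is updated in place with the resolved cluster's details.
            response: Maltego response message entities and messages are
                appended to.
            config: transform configuration, passed to ``check_update``.
            type_filter: entity class (or tuple of classes); only entities that
                are instances of it are emitted. Defaults to MISPGalaxy.

        Returns:
            The response. When the entity does not resolve to a cluster, a
            substring search on the name is attempted and its hits are returned
            with the link label 'Search result'; if that also finds nothing, an
            informational UIMessage is returned instead of entities.
        """
        response += check_update(config)
        galaxy = request.entity

        current_cluster = self._lookup_cluster(galaxy)

        if not current_cluster and galaxy.name != '-':
            # Maybe the user is searching for a cluster based on a substring.
            # Search the local list for matches and return them as galaxy entities.
            potential_clusters = search_galaxy_cluster(galaxy.name)
            # TODO check if duplicates are possible
            if potential_clusters:
                for candidate in potential_clusters:
                    new_entity = galaxycluster_to_entity(candidate, link_label='Search result')
                    response = self._add_if_matches(response, new_entity, type_filter)
                return response

        if not current_cluster:
            response += UIMessage(
                "Galaxy Cluster UUID not in local mapping. Please update local cache; non-public UUID are not supported yet.",
                type=UIMessageType.Inform,
            )
            return response

        c = current_cluster

        # Update the existing input entity with the cluster details.
        self._refresh_entity(request.entity, c)

        # Outgoing relations: clusters this one points to.
        for related in c.get('related') or []:
            related_cluster = get_galaxy_cluster(related['dest-uuid'])
            if related_cluster:
                new_entity = galaxycluster_to_entity(related_cluster, link_label=related['type'])
                response = self._add_if_matches(response, new_entity, type_filter)

        # Incoming relations: clusters that point to this one. The link is
        # labelled with the relation type that targets this cluster, if any.
        for related in get_galaxies_relating(c['uuid']):
            related_link_label = next(
                (rel['type'] for rel in related.get('related') or [] if rel['dest-uuid'] == c['uuid']),
                '',
            )
            new_entity = galaxycluster_to_entity(
                related,
                link_label=related_link_label,
                link_direction=LinkDirection.OutputToInput,
            )
            response = self._add_if_matches(response, new_entity, type_filter)
        return response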
class GalaxyToRelations(GalaxyToTransform):
    """Expand a Galaxy to all related Galaxies and Clusters, without narrowing by type."""

    input_type = MISPGalaxy
    remote = True

    def do_transform(self, request, response, config, type_filter=MISPGalaxy):
        """Delegate to GalaxyToTransform; ``type_filter`` defaults to MISPGalaxy."""
        return GalaxyToTransform.do_transform(self, request, response, config, type_filter=type_filter)
class GalaxyToSoftware(GalaxyToTransform):
    """Expand a Galaxy to the related Software/Tool Galaxies only."""

    input_type = MISPGalaxy
    remote = True

    def do_transform(self, request, response, config, type_filter=Software):
        """Delegate to GalaxyToTransform; ``type_filter`` defaults to Software."""
        return GalaxyToTransform.do_transform(self, request, response, config, type_filter=type_filter)
class GalaxyToThreatActor(GalaxyToTransform):
    """Expand a Galaxy to the related ThreatActor Galaxies only."""

    input_type = MISPGalaxy
    remote = True

    def do_transform(self, request, response, config, type_filter=ThreatActor):
        """Delegate to GalaxyToTransform; ``type_filter`` defaults to ThreatActor."""
        return GalaxyToTransform.do_transform(self, request, response, config, type_filter=type_filter)
class GalaxyToAttackTechnique(GalaxyToTransform):
    """Expand a Galaxy to the related Attack Technique Galaxies only."""

    input_type = MISPGalaxy
    remote = True

    def do_transform(self, request, response, config, type_filter=AttackTechnique):
        """Delegate to GalaxyToTransform; ``type_filter`` defaults to AttackTechnique."""
        return GalaxyToTransform.do_transform(self, request, response, config, type_filter=type_filter)