from canari . maltego . transform import Transform
from MISP_maltego . transforms . common . entities import MISPEvent , MISPGalaxy , ThreatActor , Software , AttackTechnique
from MISP_maltego . transforms . common . util import check_update , MISPConnection , galaxycluster_to_entity , get_galaxy_cluster , get_galaxies_relating , search_galaxy_cluster , mapping_galaxy_icon
from canari . maltego . message import UIMessageType , UIMessage , LinkDirection
# Module metadata; author and maintainer are the same person.
__author__ = __maintainer__ = 'Christophe Vandeplas'
__copyright__ = 'Copyright 2018, MISP_maltego Project'
__credits__ = []
__license__ = 'AGPLv3'
__version__ = '0.1'
__email__ = 'christophe@vandeplas.com'
__status__ = 'Development'
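class GalaxyToTransform(Transform):
    """Base class for the "galaxy -> related galaxy clusters" transforms.

    ``do_transform`` resolves the input MISPGalaxy entity to a cluster of the
    local galaxy mapping, refreshes the entity's fields from that cluster and
    emits the clusters it points to ('related' entries) as well as the clusters
    that point to it (``get_galaxies_relating``).  Subclasses only set
    ``input_type``/``display_name``/``remote`` and the default ``type_filter``,
    so that a single kind of entity (Software, ThreatActor, ...) is returned.
    """
    input_type = None

    def do_transform(self, request, response, config, type_filter=MISPGalaxy):
        """Expand ``request.entity`` into the galaxy clusters related to it.

        Args:
            request: canari transform request; ``request.entity`` is the input
                MISPGalaxy entity.  The subclasses are ``remote`` transforms,
                so its fields arrive from the Maltego client and are untrusted.
            response: canari transform response; entities and UI messages are
                appended to it and it is returned.
            config: canari config, forwarded to ``check_update``.
            type_filter: class (or tuple of classes) an emitted entity must be
                an instance of; entities of other classes are dropped.

        Returns:
            ``response``, extended with the update message (if any), the
            matching entities, or an Inform message when nothing resolves.
        """
        response += check_update(config)

        current_cluster = get_galaxy_cluster(request_entity=request.entity)

        # legacy - replaced by Search in MISP
        if not current_cluster and request.entity.name != '-':
            # maybe the user is searching for a cluster based on a substring.
            # Search in the list for those that match and return galaxy entities.
            # The name is client-supplied on remote transforms; here it is only
            # the needle for search_galaxy_cluster() over the local cluster list
            # (NOTE(review): confirm that helper does not interpolate it into a query).
            potential_clusters = search_galaxy_cluster(request.entity.name)
            if potential_clusters:
                for potential_cluster in potential_clusters:
                    entity = galaxycluster_to_entity(potential_cluster, link_label='Search result')
                    response = self._emit(response, entity, type_filter)
                return response
            # no match: fall through to the "not in local mapping" message
        # end of legacy

        if not current_cluster:
            response += UIMessage("Galaxy Cluster UUID not in local mapping. Please update local cache; non-public UUID are not supported yet.", type=UIMessageType.Inform)
            return response

        # update the existing (input) entity in place; it is not re-added to
        # the response, only the related clusters are.
        self._refresh_entity(request.entity, current_cluster)

        response = self._add_related(response, current_cluster, type_filter)
        response = self._add_relating(response, current_cluster, type_filter)
        return response

    @staticmethod
    def _emit(response, entity, type_filter):
        """Append ``entity`` to ``response`` if it is an instance of ``type_filter``.

        The response is returned and re-bound by the caller, so this works
        whether the response object implements ``__iadd__`` or only ``__add__``.
        """
        if isinstance(entity, type_filter):
            response += entity
        return response

    @staticmethod
    def _refresh_entity(entity, cluster):
        """Overwrite the input entity's fields with the local cluster data.

        ``cluster`` is the dict returned by ``get_galaxy_cluster``; 'uuid',
        'type', 'value' and 'tag_name' are required, all other keys optional.
        """
        # NOTE(review): the cluster was already resolved from the entity; the
        # by-uuid re-fetch is kept from the original code -- confirm whether the
        # by-uuid record carries anything (e.g. 'icon') the first one lacks.
        full_cluster = get_galaxy_cluster(uuid=cluster['uuid']) or {}

        # map the 'icon' name from the cluster to the icon filename of the
        # intelligence-icons repository; an unknown (or unhashable) name keeps
        # the default Galaxy icon (icon_url None) instead of being swallowed
        # by a blanket except.
        icon_url = None
        icon_name = full_cluster.get('icon')
        if icon_name is not None:
            try:
                icon_url = mapping_galaxy_icon[icon_name]
            except (KeyError, TypeError):
                icon_url = None

        # 'meta' and 'meta.synonyms' may be absent; join yields '' for no synonyms
        meta = cluster.get('meta') or {}
        synonyms = ', '.join(meta.get('synonyms') or [])

        entity.name = '{}\n{}'.format(cluster['type'], cluster['value'])
        entity.uuid = cluster['uuid']
        entity.description = cluster.get('description')
        entity.cluster_type = cluster.get('type')
        entity.cluster_value = cluster.get('value')
        entity.synonyms = synonyms
        entity.tag_name = cluster['tag_name']
        entity.icon_url = icon_url

    def _add_related(self, response, cluster, type_filter):
        """Emit the clusters this cluster points to (its 'related' entries).

        Entries whose 'dest-uuid' is not in the local mapping are skipped; the
        link is labelled with the relation 'type'.
        """
        for related in cluster.get('related') or []:
            related_cluster = get_galaxy_cluster(uuid=related['dest-uuid'])
            if not related_cluster:
                continue
            entity = galaxycluster_to_entity(related_cluster, link_label=related['type'])
            response = self._emit(response, entity, type_filter)
        return response

    def _add_relating(self, response, cluster, type_filter):
        """Emit the clusters that point to this cluster, linked output -> input.

        The link label is the relation 'type' the other cluster declares
        towards this cluster's uuid, or '' when no such entry is found.
        """
        cluster_uuid = cluster['uuid']
        for relating in get_galaxies_relating(cluster_uuid):
            link_label = next(
                (rel['type'] for rel in relating['related'] if rel['dest-uuid'] == cluster_uuid),
                '',
            )
            entity = galaxycluster_to_entity(relating, link_label=link_label, link_direction=LinkDirection.OutputToInput)
            response = self._emit(response, entity, type_filter)
        return response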
class GalaxyToRelations(GalaxyToTransform):
    """Maltego transform: MISPGalaxy -> all galaxy clusters related to it.

    The filter is MISPGalaxy itself, i.e. the widest one (presumably every
    cluster entity class derives from it -- check the entities module).
    """
    input_type = MISPGalaxy
    display_name = 'To Related Galaxies'
    # canari's flag for a transform served from a transform server rather than
    # run locally; request data then comes from the Maltego client -- verify
    # against the canari docs.
    remote = True

    def do_transform(self, request, response, config, type_filter=MISPGalaxy):
        """Delegate to GalaxyToTransform.do_transform with a MISPGalaxy default filter."""
        return super().do_transform(request, response, config, type_filter=type_filter)
class GalaxyToSoftware(GalaxyToTransform):
    """Maltego transform: MISPGalaxy -> related clusters that map to Software entities."""
    input_type = MISPGalaxy
    display_name = 'To Malware/Software/Tools'
    # canari's flag for a transform served from a transform server rather than
    # run locally; request data then comes from the Maltego client -- verify
    # against the canari docs.
    remote = True

    def do_transform(self, request, response, config, type_filter=Software):
        """Delegate to GalaxyToTransform.do_transform, keeping only Software entities by default."""
        return super().do_transform(request, response, config, type_filter=type_filter)
class GalaxyToThreatActor(GalaxyToTransform):
    """Maltego transform: MISPGalaxy -> related clusters that map to ThreatActor entities."""
    input_type = MISPGalaxy
    display_name = 'To Threat Actors'
    # canari's flag for a transform served from a transform server rather than
    # run locally; request data then comes from the Maltego client -- verify
    # against the canari docs.
    remote = True

    def do_transform(self, request, response, config, type_filter=ThreatActor):
        """Delegate to GalaxyToTransform.do_transform, keeping only ThreatActor entities by default."""
        return super().do_transform(request, response, config, type_filter=type_filter)
class GalaxyToAttackTechnique(GalaxyToTransform):
    """Maltego transform: MISPGalaxy -> related clusters that map to AttackTechnique entities."""
    input_type = MISPGalaxy
    display_name = 'To Attack Techniques'
    # canari's flag for a transform served from a transform server rather than
    # run locally; request data then comes from the Maltego client -- verify
    # against the canari docs.
    remote = True

    def do_transform(self, request, response, config, type_filter=AttackTechnique):
        """Delegate to GalaxyToTransform.do_transform, keeping only AttackTechnique entities by default."""
        return super().do_transform(request, response, config, type_filter=type_filter)