new: [transform] new object to relations transform + reverse relations

2019-05-24 17:06:07 +03:00 · 2019-05-24 17:06:07 +03:00 · 108cae1051
parent 98531ba854
commit 108cae1051
5 changed files with 53 additions and 19 deletions
--- a/publish_to_pip.sh
+++ b/publish_to_pip.sh
@ -1,3 +1,4 @@
 #!/bin/bash
 python3 setup.py sdist bdist_wheel
 twine upload dist/*
+rm -Rf build
--- a/setup.py
+++ b/setup.py
@ -5,7 +5,7 @@ from setuptools import setup, find_packages
 setup(
    name='MISP_maltego',
    author='Christophe Vandeplas',
-    version='1.3',
+    version='1.3.2',
    author_email='christophe@vandeplas.com',
    maintainer='Christophe Vandeplas',
    url='https://github.com/MISP/MISP-maltego',
--- a/src/MISP_maltego/transforms/attributetoevent.py
+++ b/src/MISP_maltego/transforms/attributetoevent.py
@ -91,7 +91,7 @@ class AttributeToEvent(Transform):
            if not tag_name:
                tag_name = request.entity.value
            events_json = misp.search(controller='events', tags=tag_name, withAttachments=False)
-        # FIXME make it work with object to event
+
        # standard Entities
        else:
            events_json = misp.search(controller='events', values=request.entity.value, withAttachments=False)
--- a/src/MISP_maltego/transforms/common/util.py
+++ b/src/MISP_maltego/transforms/common/util.py
@ -229,7 +229,7 @@ def attribute_to_entity(a, link_label=None, event_tags=[], only_self=False):
    # LATER : relationships from attributes - not yet supported by MISP yet, but there are references in the datamodel


-def object_to_entity(o, link_label=None):
+def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOutput):
    # Generate a human readable display-name:
    # - find the first RequiredOneOf that exists
    # - if none, use the first RequiredField
@ -277,6 +277,7 @@ def object_to_entity(o, link_label=None):
        description=o.get('description'),
        comment=o.get('comment'),
        link_label=link_label,
+        link_direction=link_direction,
        bookmark=Bookmark.Green
    )

@ -293,9 +294,15 @@ def object_to_attributes(o, e):
        for item in attribute_to_entity(a):
            yield item

-    # process relationships between objects and attributes
-    if 'ObjectReference' in o:
-        for ref in o['ObjectReference']:
+
+def object_to_relations(o, e):
+    # process forward and reverse references, so just loop over all the objects of the event
+    if 'Object' in e['Event']:
+        for eo in e['Event']['Object']:
+            if 'ObjectReference' in eo:
+                for ref in eo['ObjectReference']:
+                    # we have found original object. Expand to the related object and attributes
+                    if eo['uuid'] == o['uuid']:
                        # the reference is an Object
                        if ref.get('Object'):
                            # get the full object in the event, as our objectReference included does not contain everything we need
@ -307,6 +314,10 @@ def object_to_attributes(o, e):
                            for item in attribute_to_entity(ref['Attribute'], link_label=ref['relationship_type']):
                                yield item

+                    # reverse-lookup - this is another objects relating the original object
+                    if ref['referenced_uuid'] == o['uuid']:
+                        yield object_to_entity(eo, link_label=ref['relationship_type'], link_direction=LinkDirection.OutputToInput)
+

 def get_object_in_event(uuid, e):
    for o in e['Event']['Object']:
--- a/src/MISP_maltego/transforms/eventtoattributes.py
+++ b/src/MISP_maltego/transforms/eventtoattributes.py
@ -2,7 +2,7 @@ from canari.maltego.entities import Hashtag
 from canari.maltego.transform import Transform
 # from canari.framework import EnableDebugWindow
 from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject
-from MISP_maltego.transforms.common.util import get_misp_connection, attribute_to_entity, event_to_entity, galaxycluster_to_entity, object_to_entity, object_to_attributes, tag_matches_note_prefix
+from MISP_maltego.transforms.common.util import get_misp_connection, attribute_to_entity, event_to_entity, galaxycluster_to_entity, object_to_entity, object_to_attributes, object_to_relations, tag_matches_note_prefix
 from canari.maltego.message import LinkStyle


@ -158,7 +158,7 @@ class EventToRelations(EventToTransform):
 class ObjectToAttributes(Transform):
    """"Expands an object to its attributes"""
    input_type = MISPObject
-    description = 'Expands an Obect to Attributes'
+    description = 'Expands an Object to Attributes'

    def do_transform(self, request, response, config):
        maltego_object = request.entity
@ -169,5 +169,27 @@ class ObjectToAttributes(Transform):
                for entity in object_to_attributes(o, event_json):
                    if entity:
                        response += entity
+                for entity in object_to_relations(o, event_json):
+                    if entity:
+                        response += entity
+
+        return response
+
+
+# @EnableDebugWindow
+class ObjectToRelations(Transform):
+    """Expands an object to the relations of the object"""
+    input_type = MISPObject
+    description = 'Expands an Object to Relations'
+
+    def do_transform(self, request, response, config):
+        maltego_object = request.entity
+        misp = get_misp_connection(config)
+        event_json = misp.get_event(maltego_object.event_id)
+        for o in event_json['Event']['Object']:
+            if o['uuid'] == maltego_object.uuid:
+                for entity in object_to_relations(o, event_json):
+                    if entity:
+                        response += entity

        return response