From 7b6796cda2aa64ca6a54a25bf7f4770831cdbcb0 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Fri, 8 Feb 2019 22:41:33 +0100
Subject: [PATCH] chg: in MISP? as transform to all Entities this replaces the machine and gazillion of transforms
---
 .../resources/maltego/misp_inMISP.machine | 24 ---
 .../transforms/attributetoevent.py | 169 +++---------------
 .../transforms/common/entities.py | 8 +-
 src/MISP_maltego/transforms/common/util.py | 25 ++-
 4 files changed, 45 insertions(+), 181 deletions(-)
 delete mode 100644 src/MISP_maltego/resources/maltego/misp_inMISP.machine
diff --git a/src/MISP_maltego/resources/maltego/misp_inMISP.machine b/src/MISP_maltego/resources/maltego/misp_inMISP.machine
deleted file mode 100644
index cdf2790..0000000
--- a/src/MISP_maltego/resources/maltego/misp_inMISP.machine
+++ /dev/null
@@ -1,24 +0,0 @@
-machine("misp.inMISP",
- displayName:"in MISP?",
- author:"Christophe Vandeplas",
- description: "Bookmarks in GREEN data that is in MISP") {
- start {
- paths {
- run("MISP_maltego.AliasInMISP")
- run("MISP_maltego.ASInMISP")
- run("MISP_maltego.CompanyInMISP")
- run("MISP_maltego.DNSNameInMISP")
- run("MISP_maltego.DomainInMISP")
- run("MISP_maltego.EmailAddressInMISP")
- run("MISP_maltego.FileInMISP")
- run("MISP_maltego.HashInMISP")
- run("MISP_maltego.HashtagInMISP")
- run("MISP_maltego.IPv4AddressInMISP")
- run("MISP_maltego.NSRecordInMISP")
- run("MISP_maltego.PhoneNumberInMISP")
- run("MISP_maltego.TwitterInMISP")
- run("MISP_maltego.URLInMISP")
- run("MISP_maltego.WebsiteInMISP")
- }
- }
-}
diff --git a/src/MISP_maltego/transforms/attributetoevent.py b/src/MISP_maltego/transforms/attributetoevent.py
index beda4a4..86422ff 100644
--- a/src/MISP_maltego/transforms/attributetoevent.py
+++ b/src/MISP_maltego/transforms/attributetoevent.py
@@ -2,7 +2,8 @@ from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, from canari.maltego.transform import Transform from canari.maltego.message import Bookmark # from canari.framework import EnableDebugWindow -from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity +from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity, get_attribute_in_event, attribute_to_entity +from MISP_maltego.transforms.common.entities import Unknown __author__ = 'Christophe Vandeplas' __copyright__ = 'Copyright 2018, MISP_maltego Project' @@ -17,9 +18,9 @@ __status__ = 'Development' # @EnableDebugWindow class AttributeInMISP(Transform): - """This method puts a green bookmark on each of the Entities that are present in the MISP database""" + """Green bookmark if known in MISP""" display_name = 'in MISP?' - input_type = None + input_type = Unknown def do_transform(self, request, response, config): maltego_misp_attribute = request.entity @@ -29,16 +30,21 @@ class AttributeInMISP(Transform): for e in events_json['response']: in_misp = True break + # find the object again, and bookmark it green + # we need to do really rebuild the Entity from scratch as request.entity is of type Unknown if in_misp: - request.entity.bookmark = Bookmark.Green - response += request.entity + for e in events_json['response']: + attr = get_attribute_in_event(e, maltego_misp_attribute.value) + if attr: + for item in attribute_to_entity(attr, only_self=True): + response += item return response # @EnableDebugWindow class AttributeToEvent(Transform): - # The transform input entity type. - input_type = None + display_name = 'to MISP Event' + input_type = Unknown def do_transform(self, request, response, config): maltego_misp_attribute = request.entity 
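Review bot: The `from canari.maltego.entities import Hash, Domain, IPv4Address, …` line visible in this hunk's context appears to lose all of its users once the per-type subclasses are deleted in the -48 hunk, and `Bookmark` loses its only two uses in the -29 and -48 hunks. Unless either name is referenced in a part of attributetoevent.py outside these hunks, the first import should be trimmed to what is still used and the second dropped. Leaving them behind makes it look as if the per-type entity classes are still needed somewhere in this file.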
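Review bot: The rebuilt entity is appended once per matching event because the new loop under `if in_misp:` never stops after the first hit, so a value present in several events is emitted several times although the aim is only to bookmark the input; a `break` after the inner `for item in attribute_to_entity(attr, only_self=True):` loop fixes it, and the same applies to the -48 hunk of AttributeToEvent. With that loop in place the `in_misp` flag and the loop that sets it are redundant here, since iterating an empty `events_json['response']` already emits nothing. Note also that the util.py hunk at @@ -128 removes `bookmark=Bookmark.Green` from entity_obj_to_entity, so unless the tail of attribute_to_entity (outside the visible hunks) sets a bookmark, the comment `# find the object again, and bookmark it green` promises something the code no longer does. do_transform starts before this hunk.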
@@ -48,152 +54,17 @@ class AttributeToEvent(Transform): for e in events_json['response']: in_misp = True response += event_to_entity(e) + # find the object again, and bookmark it green + # we need to do really rebuild the Entity from scratch as request.entity is of type Unknown if in_misp: - request.entity.bookmark = Bookmark.Green - response += request.entity + for e in events_json['response']: + attr = get_attribute_in_event(e, maltego_misp_attribute.value) + if attr: + for item in attribute_to_entity(attr, only_self=True): + response += item return response def on_terminate(self): """This method gets called when transform execution is prematurely terminated. It is only applicable for local transforms. It can be excluded if you don't need it.""" pass - - -class HashToEvent(AttributeToEvent): - input_type = Hash - - -class DomainToEvent(AttributeToEvent): - input_type = Domain - - -class IPv4AddressToEvent(AttributeToEvent): - display_name = 'IPv4Address To Event' - input_type = IPv4Address - - -class URLToEvent(AttributeToEvent): - display_name = 'URL To Event' - input_type = URL - - -class DNSNameToEvent(AttributeToEvent): - display_name = 'DNSName To Event' - input_type = DNSName - - -class ASToEvent(AttributeToEvent): - display_name = 'AS To Event' - input_type = AS - - -class WebsiteToEvent(AttributeToEvent): - input_type = Website - - -class NSRecordToEvent(AttributeToEvent): - display_name = 'NSRecord To Event' - input_type = NSRecord - - -class PhoneNumberToEvent(AttributeToEvent): - input_type = PhoneNumber - - -class EmailAddressToEvent(AttributeToEvent): - input_type = EmailAddress - - -class FileToEvent(AttributeToEvent): - input_type = File - - -class HashtagToEvent(AttributeToEvent): - input_type = Hashtag - - -class AliasToEvent(AttributeToEvent): - input_type = Alias - - -class TwitterToEvent(AttributeToEvent): - input_type = Twitter - - -class CompanyToEvent(AttributeToEvent): - input_type = Company - - -class HashInMISP(AttributeInMISP): - 
display_name = 'Hash in MISP?' - input_type = Hash - - -class DomainInMISP(AttributeInMISP): - display_name = 'Domain in MISP?' - input_type = Domain - - -class IPv4AddressInMISP(AttributeInMISP): - display_name = 'IPv4Address in MISP?' - input_type = IPv4Address - - -class URLInMISP(AttributeInMISP): - display_name = 'URL in MISP?' - input_type = URL - - -class DNSNameInMISP(AttributeInMISP): - display_name = 'DNSName in MISP?' - input_type = DNSName - - -class ASInMISP(AttributeInMISP): - display_name = 'AS in MISP?' - input_type = AS - - -class WebsiteInMISP(AttributeInMISP): - display_name = 'Website in MISP?' - input_type = Website - - -class NSRecordInMISP(AttributeInMISP): - display_name = 'NSRecord in MISP?' - input_type = NSRecord - - -class PhoneNumberInMISP(AttributeInMISP): - display_name = 'PhoneNumber in MISP?' - input_type = PhoneNumber - - -class EmailAddressInMISP(AttributeInMISP): - display_name = 'EmailAddress in MISP?' - input_type = EmailAddress - - -class FileInMISP(AttributeInMISP): - display_name = 'File in MISP?' - input_type = File - - -class HashtagInMISP(AttributeInMISP): - display_name = 'Hashtag in MISP?' - input_type = Hashtag - - -class AliasInMISP(AttributeInMISP): - display_name = 'Alias in MISP?' - input_type = Alias - - -class TwitterInMISP(AttributeInMISP): - display_name = 'Twitter in MISP?' - input_type = Twitter - - -class CompanyInMISP(AttributeInMISP): - display_name = 'Company in MISP?' - input_type = Company diff --git a/src/MISP_maltego/transforms/common/entities.py b/src/MISP_maltego/transforms/common/entities.py index 3f75fb5..c32f89d 100644 --- a/src/MISP_maltego/transforms/common/entities.py +++ b/src/MISP_maltego/transforms/common/entities.py @@ -13,10 +13,16 @@ __status__ = 'Development' __all__ = [ 'MISPEvent', 'MISPObject', - 'MISPGalaxy' + 'MISPGalaxy', + 'Unknown' ] +class Unknown(Entity): + _category_ = 'Unknown' + _namespace_ = 'maltego' + + class MISPEvent(Entity): _category_ = 'MISP' _namespace_ = 'misp' 
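Review bot: The six lines added under `if in_misp:` are a verbatim copy of the block added in the -29 hunk of AttributeInMISP, down to the two explanatory comments, so the two do_transform bodies will drift apart at the next fix; pulling them into a module-level helper that both transforms call keeps one copy. The helper below also stops after the first event that contains the value, since re-adding the same rebuilt entity for every matching event only duplicates output. do_transform of AttributeToEvent starts before this hunk, and the remainder of the hunk is the deletion of the per-type subclasses.
```python
def _add_attribute_entity(response, events_json, value):
    """Re-emit the searched value as a concrete entity (request.entity is Unknown)."""
    for e in events_json['response']:
        attr = get_attribute_in_event(e, value)
        if attr:
            for item in attribute_to_entity(attr, only_self=True):
                response += item
            break
    return response

# … unchanged: class bodies …
        # in both do_transform bodies, replacing the added block:
        if in_misp:
            response = _add_attribute_entity(response, events_json, maltego_misp_attribute.value)
```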
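Review bot: The new Unknown class has no docstring or comment saying why a project-local `maltego.Unknown` entity is declared instead of the `canari.maltego.entities.Unknown` that the util.py hunk stops importing, so the next reader will assume the two are interchangeable. A one-line docstring such as `"""Catch-all input type (maltego.Unknown) so a single transform applies to every Maltego entity."""`, plus a note on whatever differs from the canari class if anything does, would settle it. Ordering-wise, `'Unknown'` is appended last in `__all__` while the class is defined first in the module; keeping both in the same order is a small readability win.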
diff --git a/src/MISP_maltego/transforms/common/util.py b/src/MISP_maltego/transforms/common/util.py index e63dcc7..703af50 100644 --- a/src/MISP_maltego/transforms/common/util.py +++ b/src/MISP_maltego/transforms/common/util.py @@ -1,5 +1,5 @@ -from canari.maltego.entities import Unknown, Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter -from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy +from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter +from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, Unknown from canari.maltego.message import UIMessageType, UIMessage, Label, LinkStyle, MaltegoException, Bookmark from pymisp import PyMISP import json @@ -128,12 +128,12 @@ def get_misp_connection(config=None): def entity_obj_to_entity(entity_obj, v, t, **kwargs): if entity_obj == Hash: - return entity_obj(v, _type=t, bookmark=Bookmark.Green, **kwargs) # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py + return entity_obj(v, _type=t, **kwargs) # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py - return entity_obj(v, bookmark=Bookmark.Green, **kwargs) + return entity_obj(v, **kwargs) -def attribute_to_entity(a, link_label=None, event_tags=None): +def attribute_to_entity(a, link_label=None, event_tags=None, only_self=False): # prepare some attributes to a better form a['data'] = None # empty the file content as we really don't need this here if a['type'] == 'malware-sample': 
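Review bot: `only_self` is a boolean switch on a generator that has no docstring, so a caller cannot tell what it suppresses without reading the -142 hunk; if no caller passes it positionally, declare it keyword-only, `def attribute_to_entity(a, link_label=None, event_tags=None, *, only_self=False):`, and add a docstring along the lines of `"""Yield the entity for attribute a; with only_self=True, skip the galaxy-cluster and tag side entities."""`. Removing `bookmark=Bookmark.Green` from both returns of entity_obj_to_entity changes every transform that builds entities through it, not just the 'in MISP?' path, which is worth confirming as intended. If `Bookmark` has no other use left in util.py, its import in the -1 hunk becomes dead as well. attribute_to_entity continues past the end of this hunk.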
@@ -142,13 +142,13 @@ def attribute_to_entity(a, link_label=None, event_tags=None): a['type'] = 'regkey' combined_tags = event_tags - if 'Galaxy' in a: + if 'Galaxy' in a and not only_self: for g in a['Galaxy']: for c in g['GalaxyCluster']: yield galaxycluster_to_entity(c) # TODO today the tag is attached to the event, not the attribute, this is something we want to fix soon. - if 'Tag' in a: + if 'Tag' in a and not only_self: for t in a['Tag']: combined_tags.append(t['name']) # ignore all misp-galaxies @@ -302,6 +302,17 @@ def get_attribute_in_object(o, attribute_type, drop=False): return found_attribute +def get_attribute_in_event(e, attribute_value): + for a in e['Event']["Attribute"]: + if a['value'] == attribute_value: + return a + for o in e['Event']['Object']: + for a in o['Attribute']: + if a['value'] == attribute_value: + return a + return None + + def convert_tags_to_note(tags): if not tags: return None
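Review bot: get_attribute_in_event indexes `e['Event']["Attribute"]` and `e['Event']['Object']` directly, so should the server omit one of those keys for an event with no attributes or no objects (this depends on the MISP version), the lookup raises KeyError and aborts the whole transform; `e['Event'].get('Attribute', [])`, `e['Event'].get('Object', [])` and `o.get('Attribute', [])` make it tolerant. The match is exact equality on `value`, while the search that produced `events_json` (outside this hunk) may match more loosely, in which case a returned event yields no attribute and the caller silently emits nothing; a docstring such as `"""Return the first attribute (top-level or inside an object) whose value equals attribute_value, or None."""` makes that contract explicit. The mixed quoting `["Attribute"]` versus `['Object']` should be unified to the single quotes used in the rest of the file.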