new: [objects] custom icons for objects

src/MISP_maltego/transforms/common/mappings.py

@@ -0,0 +1,766 @@
+from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Location, Company, Alias, Port, Twitter
+from MISP_maltego.transforms.common.entities import ThreatActor, Software, AttackTechnique
+
+mapping_misp_to_maltego = {
+    'AS': [AS],
+    'domain': [Domain, NSRecord, Website, DNSName],
+    'email-dst': [EmailAddress],
+    'email-src': [EmailAddress],
+    'filename': [File],
+    'hostname': [Website, NSRecord, Domain, DNSName],
+    'ip': [IPv4Address],
+    'ip-dst': [IPv4Address],
+    'ip-src': [IPv4Address],
+    'md5': [Hash],
+    'phone-number': [PhoneNumber],
+    'sha1': [Hash],
+    'sha224': [Hash],
+    'sha256': [Hash],
+    'sha384': [Hash],
+    'sha512': [Hash],
+    'sha512/224': [Hash],
+    'sha512/256': [Hash],
+    'ssdeep': [Hash],
+    'impfuzzy': [Hash],
+    'uri': [URL],
+    'url': [URL],
+
+    'whois-registrant-email': [EmailAddress],
+    'country-of-residence': [Location],
+    'github-organisation': [Company],
+    'github-username': [Alias],
+    'imphash': [Hash],
+    'jabber-id': [Alias],
+    'passport-country': [Location],
+    'place-of-birth': [Location],
+    'port': [Port],
+    'target-email': [EmailAddress],
+    'target-location': [Location],
+    'target-org': [Company],
+    'target-user': [Alias],
+    'twitter-id': [Twitter],
+    # object mappings
+    'nameserver': [NSRecord],
+    # TODO add more object mappings
+    # custom types created internally for technical reasons
+    # 'rekey_value': [Unknown]
+}
+
+mapping_galaxy_icon = {
+    # "android": "malware",  # "android",
+    "btc": "ransomware",
+    "bug": "vulnerability",
+    # "cart-arrow-down": "malware",  #"tds",
+    "chain": "course_of_action",
+    "door-open": "backdoor",
+    "eye": "malware",
+    "gavel": "tool",
+    # "globe": "cert-eu-govsector",
+    # "industry": "sector",
+    # "internet-explorer": "exploit-kit",
+    "key": "stealer",
+    "map": "attack_pattern",
+    "optin-monster": "malware",
+    # "shield": "malpedia",
+    # "shield": "preventive-measure",
+    "sitemap": "botnet",
+    "usd": "malware",  # "banker",
+    # "user-secret": "mitre-intrusion-set",
+    "user-secret": "threat_actor",
+}
+
+mapping_galaxy_type = {
+    # 'amitt-misinformation-pattern': '',
+    'android': Software,
+    'backdoor': Software,
+    'banker': Software,
+    'botnet': Software,
+    # 'branded-vulnerability': '',
+    # 'cert-eu-govsector': '',
+    'cloud-security': AttackTechnique,
+    'exploit-kit': Software,
+    'financial-fraud': AttackTechnique,
+    'guidelines': AttackTechnique,
+    'malpedia': Software,
+    'microsoft-activity-group': ThreatActor,
+    'mitre-attack-pattern': AttackTechnique,
+    # 'mitre-course-of-action': '',
+    'mitre-intrusion-set': ThreatActor,
+    'mitre-malware': Software,
+    'mitre-tool': Software,
+    # 'preventive-measure': '',
+    'ransomware': Software,
+    'rat': Software,
+    # 'region': '',
+    # 'sector': '',
+    'social-dark-patterns': AttackTechnique,
+    'stealer': Software,
+    'surveillance-vendor': ThreatActor,
+    # 'target-information': '',
+    'tds': Software,
+    'threat-actor': ThreatActor,
+    'tool': Software
+}
+
+mapping_object_icon = {
+    'ail-leak': '',
+    'ais-info': '',
+    'android-permission': '',
+    'annotation': '',
+    'anonymisation': '',
+    'asn': '',
+    'attack-pattern': '',
+    'authenticode-signerinfo': '',
+    'av-signature': '',
+    'bank-account': '',
+    'bgp-hijack': '',
+    'blog': '',
+    'btc-transaction': '',
+    'btc-wallet': '',
+    'cap-alert': '',
+    'cap-info': '',
+    'cap-resource': '',
+    'coin-address': '',
+    'command': '',
+    'command-line': '',
+    'cookie': '',
+    'cortex': '',
+    'cortex-taxonomy': '',
+    'course-of-action': '',
+    'covid19-csse-daily-report': '',
+    'covid19-dxy-live-city': '',
+    'covid19-dxy-live-province': '',
+    'cowrie': '',
+    'credential': '',
+    'credit-card': '',
+    'crypto-material': '',
+    'cytomic_orion': '',
+    'cytomic_orion_machine': '',
+    'dark-pattern': '',
+    'ddos': '',
+    'device': '',
+    'diameter-attack': '',
+    'dns-record': 'ServerDNS',
+    'domain-crawled': '',
+    'domain-ip': 'NetworkGlobal',
+    'elf': '',
+    'elf-section': '',
+    'email': 'Email',
+    'employee': 'Person',
+    'exploit-poc': 'Person',
+    'facial-composite': '',
+    'fail2ban': '',
+    'file': 'File',
+    'forensic-case': '',
+    'forensic-evidence': '',
+    'forged-document': '',
+    'geolocation': '',
+    'gtp-attack': '',
+    'http-request': 'URL',
+    'ilr-impact': '',
+    'ilr-notification-incident': '',
+    'impersonation': '',
+    'imsi-catcher': '',
+    'instant-message': '',
+    'instant-message-group': '',
+    'intelmq_event': '',
+    'intelmq_report': '',
+    'internal-reference': '',
+    'interpol-notice': '',
+    'iot-device': '',
+    'iot-firmware': '',
+    'ip-api-address': '',
+    'ip-port': 'NetworkCard',
+    'irc': '',
+    'ja3': '',
+    'leaked-document': 'InternetDocument',
+    'legal-entity': '',
+    'lnk': 'File',
+    'macho': '',
+    'macho-section': '',
+    'mactime-timeline-analysis': '',
+    'malware-config': '',
+    'meme-image': '',
+    'microblog': '',
+    'mutex': '',
+    'netflow': '',
+    'network-connection': '',
+    'network-socket': '',
+    'news-agency': '',
+    'news-media': '',
+    'organization': '',
+    'original-imported-file': '',
+    'passive-dns': 'ServerDNS',
+    'paste': '',
+    'pcap-metadata': '',
+    'pe': '',
+    'person': 'Person',
+    'pe-section': '',
+    'pgp-meta': '',
+    'phishing': '',
+    'phishing-kit': '',
+    'phone': '',
+    'process': '',
+    'python-etvx-event-log': '',
+    'r2graphity': '',
+    'regexp': '',
+    'registry-key': '',
+    'regripper-NTUser': '',
+    'regripper-sam-hive-single-user': '',
+    'regripper-sam-hive-user-group': '',
+    'regripper-software-hive-appInit-DLLS': '',
+    'regripper-software-hive-application-paths': '',
+    'regripper-software-hive-applications-installed': '',
+    'regripper-software-hive-BHO': '',
+    'regripper-software-hive-command-shell': '',
+    'regripper-software-hive-general-windows-info': '',
+    'regripper-software-hive-software-run': '',
+    'regripper-software-hive-userprofile-winlogon': '',
+    'regripper-system-hive-firewall-configuration': '',
+    'regripper-system-hive-general-configuration': '',
+    'regripper-system-hive-network-information': '',
+    'regripper-system-hive-service-drivers': '',
+    'report': '',
+    'research-scanner': '',
+    'rogue-dns': '',
+    'rtir': '',
+    'sandbox-report': '',
+    'sb-signature': '',
+    'scrippsco2-c13-daily': '',
+    'scrippsco2-c13-monthly': '',
+    'scrippsco2-co2-daily': '',
+    'scrippsco2-co2-monthly': '',
+    'scrippsco2-o18-daily': '',
+    'scrippsco2-o18-monthly': '',
+    'script': '',
+    'shell-commands': '',
+    'shodan-report': '',
+    'shortened-link': '',
+    'short-message-service': '',
+    'splunk': '',
+    'ss7-attack': '',
+    'ssh-authorized-keys': '',
+    'stix2-pattern': '',
+    'suricata': '',
+    'target-system': '',   # TODO intel icons
+    'threatgrid-report': '',
+    'timecode': '',
+    'timesketch_message': '',
+    'timesketch-timeline': '',
+    'timestamp': '',
+    'tor-hiddenservice': '',
+    'tor-node': '',
+    'tracking-id': '',
+    'transaction': '',
+    'translation': '',
+    'trustar_report': '',
+    'TSK-Chats': '',
+    'TSK-Web-Bookmark': '',
+    'TSK-Web-Cookie': '',
+    'TSK-Web-Downloads': '',
+    'TSK-Web-History': '',
+    'TSK-Web-Search-Query': '',
+    'url': 'URL',
+    'user-account': '',
+    'vehicle': '',
+    'victim': '',
+    'virustotal-graph': '',
+    'virustotal-report': '',
+    'vulnerability': '',    # TODO intel icons
+    'weakness': '',         # TODO intel icons
+    'whois': 'UserID',
+    'x509': '',
+    'yabin': '',
+    'yara': '',
+}
+
+# All possible default icons shipped with Maltego - useful for auto_completion
+# AccessCard
+# AccessPoint
+# Accident
+# Accountant
+# Add
+# Admin
+# AdultFemale
+# AdultMale
+# AffiliationAndroid
+# AffiliationAnonymous
+# AffiliationApple
+# AffiliationBebo
+# AffiliationBlogger
+# AffiliationBuiltWith
+# AffiliationCloud
+# AffiliationColdfusion
+# AffiliationDigg
+# AffiliationDropbox
+# AffiliationEbay
+# AffiliationFacebook
+# AffiliationFlickr
+# AffiliationGoogleDrive
+# AffiliationGooglePlus
+# AffiliationInstagram
+# AffiliationKik
+# AffiliationLinkedIn
+# AffiliationLinux
+# AffiliationMeetup
+# AffiliationMyspace
+# AffiliationNewsvine
+# AffiliationOrkut
+# AffiliationPayPal
+# AffiliationPicasa
+# AffiliationPinterest
+# Affiliation
+# AffiliationReddit
+# AffiliationRSS
+# AffiliationSkype
+# AffiliationSnapchat
+# AffiliationSpock
+# AffiliationTinder
+# AffiliationTwitter
+# AffiliationWechat
+# AffiliationWhatsapp
+# AffiliationWiki
+# AffiliationWindows
+# AffiliationWWF
+# AffiliationYammer
+# AffiliationYelp
+# AffiliationYouTube
+# AffiliationZoomInfo
+# AircraftBomber
+# AircraftCarrier
+# AirCrash
+# Airport
+# Alarm
+# Alias
+# Alliance
+# Ammunition
+# Anarchy
+# Antenna
+# Apartments
+# Army
+# Artist
+# Assemble
+# Asteroid
+# Atom
+# Author
+# Baby
+# Backbone
+# Ballerina
+# BandAid
+# BankAccount
+# BankCard
+# Banner
+# Bear
+# Bee
+# Binary
+# BioAgent
+# Bit
+# BlueAura
+# Bomb
+# BookPDF
+# Book
+# BorderCheckpoint
+# Businessman
+# BusinessPhoneSystem
+# Bus
+# CableUSB
+# Camera
+# Captive
+# Cargo
+# Car
+# CashInTransit
+# Cash
+# CellNetwork
+# Cemetery
+# CEO
+# Certificate
+# Certification
+# Champion
+# CheckBox
+# Checkpoint
+# ChemicalAnalysis
+# Child
+# Church
+# CircularArea
+# City
+# Clock
+# ClusterOrange
+# Cluster
+# CoffeeShop
+# ColoredBall
+# Community
+# Company
+# ConferenceAudio
+# Connect
+# Contract
+# ControlTower
+# Cookies
+# CrimeScene
+# Criminal
+# CV
+# Dam
+# DatabaseConnect
+# DatabaseErase
+# Database
+# DateField
+# Deceased
+# Degree
+# Delete
+# Desert
+# Desktop
+# Destroy
+# Diamond
+# Diary
+# Dictator
+# Directions
+# Disabled
+# Disconnect
+# DNACode
+# Donation
+# Donkey
+# Drone
+# DrugDealer
+# Earthquake
+# Elderly
+# Elephant
+# Email
+# Encrypt
+# Environment
+# Erase
+# Event
+# Explosion
+# Factory
+# Farm
+# FastFood
+# Fax
+# FieldDelete
+# Field
+# File
+# FileSharing
+# Files
+# Filter
+# FingerPrint
+# FireForest
+# Firewall
+# Fix
+# FlightNumber
+# FlightPath
+# Flood
+# FloppyDisk
+# Form
+# GamingConsole
+# GangBoss
+# GangMember
+# Gang
+# GasStation
+# Gateway
+# Genealogy
+# Genetic
+# Geography
+# GhostSighting
+# GlobalWarming
+# Gorilla
+# GovermentOfficial
+# Government
+# GPS
+# Green2Grey
+# Green2Orange2Turquoise
+# Green2Red2Blue
+# Group
+# Guard
+# Gun
+# Hacker
+# Harbour
+# HardDisk
+# Harvest
+# Hashtag
+# Headphones
+# Helicopter
+# Home
+# HospitalLocation
+# Hostage
+# Hotel
+# Hurricane
+# HydroPower
+# IconManager
+# ID
+# IED
+# ImageField
+# Image
+# Influencer
+# InfoMessage
+# InternetDocument
+# InternetFastSpeed
+# InternetIP
+# InternetISP
+# InternetMIMEDocs
+# InternetMIMEFolder
+# InternetMIME
+# Internet
+# InternetUser
+# Invasion
+# ISBN
+# Island
+# Judge
+# KeyPrimary
+# Keys
+# KillerWhale
+# Knife
+# Last
+# LawEnforcementOfficer
+# Lawyer
+# Leader
+# License
+# LinkBroke
+# Link
+# List
+# Lobby
+# Location
+# Log
+# MacAddress
+# MaltegoGraph
+# ManyIn
+# Marijuana
+# MedicalRecord
+# Medicine
+# MeetingBusiness
+# MeetingSocial
+# Memorial
+# MergeCells
+# Messenger
+# MilitaryOfficer
+# Mine
+# MissileRPG
+# MissingPerson
+# MobileComputer
+# MobileNet
+# MobilePhone
+# MobileUser
+# Modem
+# Monitoring
+# Moon
+# Mosque
+# Motorbike
+# Movie
+# Murder
+# MusicAlbum
+# MusicSinger
+# MusicSongwriter
+# MXRecord
+# MySQL
+# Neighborhood
+# NetAdmin
+# NetworkAdmin
+# NetworkAsymetric
+# NetworkCardBlue
+# NetworkCard
+# NetworkConnector
+# NetworkDistribution
+# NetworkGlobal
+# NetworkHub
+# NetworkID
+# NetworkIntranet
+# NetworkISDN
+# NetworkMonitor
+# NetworkSoftware
+# NetworkSymmetric
+# News
+# Node
+# NSRecord
+# NuclearPlant
+# Nurse
+# Objects
+# OilField
+# OilSpill
+# OilWell
+# OnlineGroup
+# Orange2Green
+# Orange2Purple
+# Organization
+# OSIModel
+# Passport
+# PasswordPHP
+# Password
+# Patient
+# Person
+# PetrolBomb
+# PhoneConversation
+# PhoneLandlineOffice
+# PhoneLandlineResidential
+# PhoneNumber
+# Phrase
+# Pilot
+# Piracy
+# Pirate
+# Plane
+# Planet
+# Play
+# Poison
+# PoliticalParty
+# Port
+# PowerPlant
+# Prescription
+# PrisonCamp
+# Prisoner
+# Prison
+# Privilege
+# ProgressBar
+# Protester
+# Protest
+# Protocol
+# Purple2Turquoise
+# PurplePink2Green
+# PurplePink2Yellow2Blue
+# QRCode
+# Quarantine
+# QuestionDialog
+# Radar
+# Radio
+# Rain
+# Red2Blue
+# Red2Green
+# Red2Yellow
+# RefugeeCamp
+# RegistrationPlate
+# RegistryErase
+# RelationshipModel
+# Relationship
+# RemoteControl
+# Repeater
+# Reporter
+# Restaurant
+# Resume
+# Rhino
+# Rocket
+# Role
+# Route
+# Router
+# Royalty
+# RunningWater
+# Satellite
+# Savings
+# School
+# Science
+# Scientist
+# Script
+# SecurityCameraMonitoring
+# SecurityCheckpoints
+# Security
+# Seed
+# Sentiment
+# ServerBackup
+# ServerChat
+# ServerDNS
+# ServerFTP
+# ServerMicrosoftSQL
+# Server
+# ServerProxy
+# Service
+# SexOffender
+# Sharing
+# SharkAttack
+# ShipContainer
+# ShipCruise
+# ShipPirate
+# Ship
+# ShipSpeed
+# ShipTanker
+# ShipTrawler
+# ShipYacht
+# Shop
+# SIMCard
+# SiteFTP
+# SizeAllLinks
+# SizeInLinks
+# SizeOutLinks
+# SmileConfused
+# SmileMad
+# Smile
+# SmileSad
+# SMS
+# Sniffer
+# Snow
+# Socket
+# SoftwareBlocking
+# SoftwareCollaborative
+# SoftwareFTP
+# SoftwareManager
+# SoftwareMeeting
+# Software
+# Soldier
+# Solidarity
+# Space
+# SpaceStation
+# Spider
+# SplitCells
+# Spy
+# Spyware
+# SQLQuery
+# SSLCertificate
+# SSL
+# SSN
+# Star
+# Stop
+# SuicideBomber
+# SUNET
+# Suspect
+# SuspiciousPerson
+# Switch
+# Sybase
+# SynagogueTemple
+# Syndicate
+# Table
+# TabletTouch
+# Tag
+# Tank
+# TargetPerson
+# Target
+# Taxi
+# Technician
+# Temple
+# Terminal
+# TerroristLeader
+# TerroristMember
+# TerroristThug
+# Terror
+# TextField
+# Theatre
+# Ticket
+# TradeUnion
+# Train
+# TrainStation
+# Transform
+# Trojan
+# Truck
+# TsetseFly
+# Tsunami
+# Turquoise2Orange2Red
+# Turquoise2Yellow
+# TV
+# UFOAbduction
+# Underground
+# Universe
+# UnknownBody
+# Unknown
+# UPS
+# Urgent
+# URL
+# USB
+# UserID
+# User
+# Victim
+# VideoCamera
+# Videoconference
+# VINNumber
+# Virus
+# Voice
+# VOIP
+# VolcanoEruption
+# VPN
+# WAN
+# WebDir
+# Website
+# WiFi
+# WindFarm
+# WirelessRouter
+# 

src/MISP_maltego/transforms/common/util.py

@@ -1,8 +1,9 @@
-from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
+from canari.maltego.entities import Hash, URL, File, Person, Hashtag
 from canari.maltego.message import Label, LinkStyle, MaltegoException, Bookmark, LinkDirection, UIMessage, UIMessageType
 from canari.mode import is_local_exec_mode, is_remote_exec_mode
 from distutils.version import StrictVersion
-from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, ThreatActor, Software, AttackTechnique
+from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy
+from MISP_maltego.transforms.common.mappings import mapping_object_icon, mapping_misp_to_maltego, mapping_galaxy_icon, mapping_galaxy_type
 from pymisp import ExpandedPyMISP as PyMISP
 import json
 import os
@@ -15,108 +16,6 @@ import time
 
 __version__ = '1.4.3'  # also update version in setup.py
 
-mapping_misp_to_maltego = {
-    'AS': [AS],
-    'domain': [Domain, NSRecord, Website, DNSName],
-    'email-dst': [EmailAddress],
-    'email-src': [EmailAddress],
-    'filename': [File],
-    'hostname': [Website, NSRecord, Domain, DNSName],
-    'ip': [IPv4Address],
-    'ip-dst': [IPv4Address],
-    'ip-src': [IPv4Address],
-    'md5': [Hash],
-    'phone-number': [PhoneNumber],
-    'sha1': [Hash],
-    'sha224': [Hash],
-    'sha256': [Hash],
-    'sha384': [Hash],
-    'sha512': [Hash],
-    'sha512/224': [Hash],
-    'sha512/256': [Hash],
-    'ssdeep': [Hash],
-    'impfuzzy': [Hash],
-    'uri': [URL],
-    'url': [URL],
-
-    'whois-registrant-email': [EmailAddress],
-    'country-of-residence': [Location],
-    'github-organisation': [Company],
-    'github-username': [Alias],
-    'imphash': [Hash],
-    'jabber-id': [Alias],
-    'passport-country': [Location],
-    'place-of-birth': [Location],
-    'port': [Port],
-    'target-email': [EmailAddress],
-    'target-location': [Location],
-    'target-org': [Company],
-    'target-user': [Alias],
-    'twitter-id': [Twitter],
-    # object mappings
-    'nameserver': [NSRecord],
-    # TODO add more object mappings
-    # custom types created internally for technical reasons
-    # 'rekey_value': [Unknown]
-}
-
-mapping_galaxy_icon = {
-    # "android": "malware",  # "android",
-    "btc": "ransomware",
-    "bug": "vulnerability",
-    # "cart-arrow-down": "malware",  #"tds",
-    "chain": "course_of_action",
-    "door-open": "backdoor",
-    "eye": "malware",
-    "gavel": "tool",
-    # "globe": "cert-eu-govsector",
-    # "industry": "sector",
-    # "internet-explorer": "exploit-kit",
-    "key": "stealer",
-    "map": "attack_pattern",
-    "optin-monster": "malware",
-    # "shield": "malpedia",
-    # "shield": "preventive-measure",
-    "sitemap": "botnet",
-    "usd": "malware",  # "banker",
-    # "user-secret": "mitre-intrusion-set",
-    "user-secret": "threat_actor",
-}
-
-mapping_galaxy_type = {
-    # 'amitt-misinformation-pattern': '',
-    'android': Software,
-    'backdoor': Software,
-    'banker': Software,
-    'botnet': Software,
-    # 'branded-vulnerability': '',
-    # 'cert-eu-govsector': '',
-    'cloud-security': AttackTechnique,
-    'exploit-kit': Software,
-    'financial-fraud': AttackTechnique,
-    'guidelines': AttackTechnique,
-    'malpedia': Software,
-    'microsoft-activity-group': ThreatActor,
-    'mitre-attack-pattern': AttackTechnique,
-    # 'mitre-course-of-action': '',
-    'mitre-intrusion-set': ThreatActor,
-    'mitre-malware': Software,
-    'mitre-tool': Software,
-    # 'preventive-measure': '',
-    'ransomware': Software,
-    'rat': Software,
-    # 'region': '',
-    # 'sector': '',
-    'social-dark-patterns': AttackTechnique,
-    'stealer': Software,
-    'surveillance-vendor': ThreatActor,
-    # 'target-information': '',
-    'tds': Software,
-    'threat-actor': ThreatActor,
-    'tool': Software
-}
-
-
 tag_note_prefixes = ['tlp:', 'PAP:', 'de-vs:', 'euci:', 'fr-classif:', 'nato:']
 
 misp_connection = None
@@ -278,11 +177,17 @@ def attribute_to_entity(a, link_label=None, event_tags=[], only_self=False):
 
 
 def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOutput):
+    misp = get_misp_connection()
+    # find a nice icon for it
+    try:
+        icon_url = mapping_object_icon[o['name']]
+    except KeyError:
+        # it's not in our mapping, just ignore and leave the default icon
+        icon_url = None
     # Generate a human readable display-name:
     # - find the first RequiredOneOf that exists
     # - if none, use the first RequiredField
     # LATER further finetune the human readable version of this object
-    misp = get_misp_connection()
     o_template = misp.get_object_template(o['template_uuid'])
     human_readable = None
     try:
@@ -295,7 +200,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
                     break
             for a in o['Attribute']:
                 if a['type'] == required_a_type:
-                    human_readable = '{}: {}'.format(o['name'], a['value'])
+                    human_readable = '{}:\n{}'.format(o['name'], a['value'])
                     found = True
                     break
     except Exception:
@@ -313,10 +218,9 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
                     if a['type'] == required_a_type:
                         parts.append(a['value'])
                         break
-            human_readable = '{}: {}'.format(o['name'], '|'.join(parts))
+            human_readable = '{}:\n{}'.format(o['name'], '|'.join(parts))
         except Exception:
             human_readable = o['name']
-            pass
     return MISPObject(
         human_readable,
         uuid=o['uuid'],
@@ -324,6 +228,7 @@ def object_to_entity(o, link_label=None, link_direction=LinkDirection.InputToOut
         meta_category=o.get('meta_category'),
         description=o.get('description'),
         comment=o.get('comment'),
+        icon_url=icon_url,
         link_label=link_label,
         link_direction=link_direction,
         bookmark=Bookmark.Green
@@ -454,9 +359,8 @@ def galaxycluster_to_entity(c, link_label=None, link_direction=LinkDirection.Inp
     try:
         icon_url = mapping_galaxy_icon[galaxy_cluster['icon']]
     except KeyError:
+        # it's not in our mapping, just ignore and leave the default icon
         icon_url = None
-        # it's not in our mapping, just ignore and leave the default Galaxy icon
-        pass
 
     # create the right sub-galaxy: ThreatActor, Software, AttackTechnique, ... or MISPGalaxy
     try: