diff --git a/src/MISP_maltego/resources/maltego/misp_inMISP.machine b/src/MISP_maltego/resources/maltego/misp_inMISP.machine
new file mode 100644
index 0000000..cdf2790
--- /dev/null
+++ b/src/MISP_maltego/resources/maltego/misp_inMISP.machine
@@ -0,0 +1,24 @@
+machine("misp.inMISP",
+ displayName:"in MISP?",
+ author:"Christophe Vandeplas",
+ description: "Bookmarks in GREEN data that is in MISP") {
+ start {
+ paths {
+ run("MISP_maltego.AliasInMISP")
+ run("MISP_maltego.ASInMISP")
+ run("MISP_maltego.CompanyInMISP")
+ run("MISP_maltego.DNSNameInMISP")
+ run("MISP_maltego.DomainInMISP")
+ run("MISP_maltego.EmailAddressInMISP")
+ run("MISP_maltego.FileInMISP")
+ run("MISP_maltego.HashInMISP")
+ run("MISP_maltego.HashtagInMISP")
+ run("MISP_maltego.IPv4AddressInMISP")
+ run("MISP_maltego.NSRecordInMISP")
+ run("MISP_maltego.PhoneNumberInMISP")
+ run("MISP_maltego.TwitterInMISP")
+ run("MISP_maltego.URLInMISP")
+ run("MISP_maltego.WebsiteInMISP")
+ }
+ }
+}
diff --git a/src/MISP_maltego/transforms/attributetoevent.py b/src/MISP_maltego/transforms/attributetoevent.py
index 436870f..beda4a4 100644
--- a/src/MISP_maltego/transforms/attributetoevent.py
+++ b/src/MISP_maltego/transforms/attributetoevent.py
@@ -15,6 +15,26 @@ __email__ = 'christophe@vandeplas.com'
 __status__ = 'Development'
+# @EnableDebugWindow
+class AttributeInMISP(Transform):
+ """This method puts a green bookmark on each of the Entities that are present in the MISP database"""
+ display_name = 'in MISP?'
+ input_type = None
+
+ def do_transform(self, request, response, config):
+ maltego_misp_attribute = request.entity
+ misp = get_misp_connection(config)
+ events_json = misp.search(controller='events', values=maltego_misp_attribute.value, withAttachments=False)
+ in_misp = False
+ for e in events_json['response']:
+ in_misp = True
+ break
+ if in_misp:
+ request.entity.bookmark = Bookmark.Green
+ response += request.entity
+ return response
+
+
 # @EnableDebugWindow
 class AttributeToEvent(Transform):
 # The transform input entity type.
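Review bot: `AttributeInMISP.do_transform` indexes `events_json['response']` unconditionally, so when the MISP server answers with an error document instead of a result set (authentication or validation failures come back as an `errors` body, and the older PyMISP `search` call used here appears to pass that dict straight through) the transform dies in Maltego with an opaque KeyError rather than a readable failure. The four-line `for e in ...: in_misp = True; break` loop only tests whether the list is non-empty and leaves `e` unused. Both points collapse into one line, `in_misp = bool(events_json.get('response'))`, ideally preceded by an explicit check for an `errors` key that reports the server's message instead of falling through to "not in MISP". The class docstring also says "This method" for what is a transform class; `"""Transform that puts a green bookmark on each input Entity whose value is present in MISP."""` reads better.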
@@ -102,3 +122,78 @@ class TwitterToEvent(AttributeToEvent):
 class CompanyToEvent(AttributeToEvent):
 input_type = Company
+
+
+class HashInMISP(AttributeInMISP):
+ display_name = 'Hash in MISP?'
+ input_type = Hash
+
+
+class DomainInMISP(AttributeInMISP):
+ display_name = 'Domain in MISP?'
+ input_type = Domain
+
+
+class IPv4AddressInMISP(AttributeInMISP):
+ display_name = 'IPv4Address in MISP?'
+ input_type = IPv4Address
+
+
+class URLInMISP(AttributeInMISP):
+ display_name = 'URL in MISP?'
+ input_type = URL
+
+
+class DNSNameInMISP(AttributeInMISP):
+ display_name = 'DNSName in MISP?'
+ input_type = DNSName
+
+
+class ASInMISP(AttributeInMISP):
+ display_name = 'AS in MISP?'
+ input_type = AS
+
+
+class WebsiteInMISP(AttributeInMISP):
+ display_name = 'Website in MISP?'
+ input_type = Website
+
+
+class NSRecordInMISP(AttributeInMISP):
+ display_name = 'NSRecord in MISP?'
+ input_type = NSRecord
+
+
+class PhoneNumberInMISP(AttributeInMISP):
+ display_name = 'PhoneNumber in MISP?'
+ input_type = PhoneNumber
+
+
+class EmailAddressInMISP(AttributeInMISP):
+ display_name = 'EmailAddress in MISP?'
+ input_type = EmailAddress
+
+
+class FileInMISP(AttributeInMISP):
+ display_name = 'File in MISP?'
+ input_type = File
+
+
+class HashtagInMISP(AttributeInMISP):
+ display_name = 'Hashtag in MISP?'
+ input_type = Hashtag
+
+
+class AliasInMISP(AttributeInMISP):
+ display_name = 'Alias in MISP?'
+ input_type = Alias
+
+
+class TwitterInMISP(AttributeInMISP):
+ display_name = 'Twitter in MISP?'
+ input_type = Twitter
+
+
+class CompanyInMISP(AttributeInMISP):
+ display_name = 'Company in MISP?'
+ input_type = Company
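Review bot: The fifteen `*InMISP` subclasses starting at `HashInMISP` carry no comment saying why each Maltego input entity type needs its own class, nor that the new `misp_inMISP.machine` file enumerates exactly these fifteen names with `run("MISP_maltego.<Name>InMISP")`, so the two lists will drift silently when one is edited without the other. Suggest a short comment above `HashInMISP`: `# One AttributeInMISP subclass per Maltego input entity type; misp_inMISP.machine runs each of these by class name, so add or remove entries in both places.` Each `display_name` also re-types the entity name by hand (e.g. `'IPv4Address in MISP?'`), which is easy to get wrong in a copy-pasted block; if canari allows it, deriving the label from `input_type` in the base class would remove that duplication, but I am not certain the framework reads `display_name` late enough for that.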