new: green bookmark #8

README.md

@@ -9,10 +9,6 @@ Alternatively initiate a transform on an existing Maltego entity.
 The currently supported entities are: `AS`, `DNSName`, `Domain`, `EmailAddress`, `File`, `Hash`, `IPv4Address`, `NSRecord`, `Person`, `PhoneNumber`, `URL`, `Website`
 
 
-Dependencies:
-* [PyMISP](https://github.com/MISP/PyMISP)
-* [Canari3](https://github.com/redcanari/canari3)
-
 ## Installation and User Guide:
 Installation is fairly easy, just read the steps in the [documentation](https://github.com/MISP/MISP-maltego/blob/master/doc/README.md).
 

doc/README.md

@@ -36,7 +36,7 @@ In this use case we will be using already existing entities and will initiate a
 Example:
 * create an entity `domain` with the value `1dnscontrol.com`.
 * right click and choose *Local Transforms*  > *MISP_maltego* > *Domain To Event*  
-![animated screenshot](https://github.com/MISP/MISP-maltego/blob/master/doc/img/usecase1-transform.gif)
+![animated screenshot](https://raw.githubusercontent.com/MISP/MISP-maltego/master/doc/img/usecase1-transform.gif)
 * continue loading transforms on the *MISP Event*
 
 ## Transform from MISP Event ID
@@ -45,14 +45,20 @@ While MISP already has a graphing capability we would like to use the power of M
 * One **manual** way is to right click and choose *Local Transforms* > *MISP_maltego* > *Event To Attributes* 
   * Notice the event is transformed to *Attributes*, *Objects*, *Tags*, *Galaxies* and related *MISP Events*
   * You can now further transform on an *Object* > *Object To Attributes* and see the content of the object
-![machine transforms](https://github.com/MISP/MISP-maltego/blob/master/doc/img/usecase2-manual.gif)
+![machine transforms](https://raw.githubusercontent.com/MISP/MISP-maltego/master/doc/img/usecase2-manual.gif)
 * Alternatively you can also use the **Maltego Machine** to speed up things. 
    * Click on the *MISP Event* and in the left menu choose *Event to All* in the *Machines* section. 
-![machine transforms](https://github.com/MISP/MISP-maltego/blob/master/doc/img/usecase2-machine-menu.png)
+![machine transforms](https://raw.githubusercontent.com/MISP/MISP-maltego/master/doc/img/usecase2-machine-menu.png)
    * Notice that the whole event, objects and such will get expanded with data from your MISP instance.
-![animated screenshot](https://github.com/MISP/MISP-maltego/blob/master/doc/img/usecase2-machine.gif)
+![animated screenshot](https://raw.githubusercontent.com/MISP/MISP-maltego/master/doc/img/usecase2-machine.gif)
 * You can now further transform on any data.
-  
+
+## Which data is already in MISP?
+If you use MISP as central database it can be quite convenient to know which data is present in MISP, and which data is not; especially after using a number of other transforms.
+To permit this MISP-Maltego will always add a green bookmark to all the data that is present in MISP.
+![green bookmark](https://raw.githubusercontent.com/MISP/MISP-maltego/master/doc/img/usecase3-bookmark.png)
+
+
 ## Transform from Galaxy
 TODO
 ## Visualise MITRE ATT&CK

src/MISP_maltego/transforms/attributetoevent.py

@@ -1,7 +1,7 @@
 from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Hashtag, Company, Alias, Twitter
 from canari.maltego.transform import Transform
+from canari.maltego.message import Bookmark
 # from canari.framework import EnableDebugWindow
-from MISP_maltego.transforms.common.entities import MISPEvent
 from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity
 
 __author__ = 'Christophe Vandeplas'
@@ -23,10 +23,14 @@ class AttributeToEvent(Transform):
     def do_transform(self, request, response, config):
         maltego_misp_attribute = request.entity
         misp = get_misp_connection(config)
-        # misp.
         events_json = misp.search(controller='events', values=maltego_misp_attribute.value, withAttachments=False)
+        in_misp = False
         for e in events_json['response']:
+            in_misp = True
             response += event_to_entity(e)
+        if in_misp:
+            request.entity.bookmark = Bookmark.Green
+            response += request.entity
         return response
 
     def on_terminate(self):
@@ -44,22 +48,22 @@ class DomainToEvent(AttributeToEvent):
 
 
 class IPv4AddressToEvent(AttributeToEvent):
-    display_name = 'IPv4AddressToEvent'
+    display_name = 'IPv4Address To Event'
     input_type = IPv4Address
 
 
 class URLToEvent(AttributeToEvent):
-    display_name = 'URLToEvent'
+    display_name = 'URL To Event'
     input_type = URL
 
 
 class DNSNameToEvent(AttributeToEvent):
-    display_name = 'DNSNameToEvent'
+    display_name = 'DNSName To Event'
     input_type = DNSName
 
 
 class ASToEvent(AttributeToEvent):
-    display_name = 'ASToEvent'
+    display_name = 'AS To Event'
     input_type = AS
 
 
@@ -68,7 +72,7 @@ class WebsiteToEvent(AttributeToEvent):
 
 
 class NSRecordToEvent(AttributeToEvent):
-    display_name = 'NSRecordToEvent'
+    display_name = 'NSRecord To Event'
     input_type = NSRecord
 
 

src/MISP_maltego/transforms/common/util.py

@@ -1,6 +1,6 @@
 from canari.maltego.entities import Unknown, Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
 from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy
-from canari.maltego.message import UIMessageType, UIMessage, Label, LinkStyle, MaltegoException
+from canari.maltego.message import UIMessageType, UIMessage, Label, LinkStyle, MaltegoException, Bookmark
 from pymisp import PyMISP
 import json
 import os
@@ -128,9 +128,9 @@ def get_misp_connection(config=None):
 
 def entity_obj_to_entity(entity_obj, v, t, **kwargs):
     if entity_obj == Hash:
-        return entity_obj(v, _type=t, **kwargs)  # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py
+        return entity_obj(v, _type=t, bookmark=Bookmark.Green, **kwargs)  # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py
 
-    return entity_obj(v, **kwargs)
+    return entity_obj(v, bookmark=Bookmark.Green, **kwargs)
 
 
 def attribute_to_entity(a, link_label=None, event_tags=None):
@@ -157,19 +157,19 @@ def attribute_to_entity(a, link_label=None, event_tags=None):
                 # ignore all those we add as notes
                 if tag_matches_note_prefix(t['name']):
                     continue
-                yield Hashtag(t['name'])
+                yield Hashtag(t['name'], bookmark=Bookmark.Green)
 
     notes = convert_tags_to_note(combined_tags)
 
     # special cases
     if a['type'] in ('url', 'uri'):
-        yield(URL(url=a['value'], link_label=link_label, notes=notes))
+        yield(URL(url=a['value'], link_label=link_label, notes=notes, bookmark=Bookmark.Green))
         return
 
     # attribute is from an object, and a relation gives better understanding of the type of attribute
     if a.get('object_relation') and mapping_misp_to_maltego.get(a['object_relation']):
         entity_obj = mapping_misp_to_maltego[a['object_relation']][0]
-        yield entity_obj(a['value'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes)
+        yield entity_obj(a['value'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes, bookmark=Bookmark.Green)
 
     # combined attributes
     elif '|' in a['type']:
@@ -180,7 +180,7 @@ def attribute_to_entity(a, link_label=None, event_tags=None):
             labels = [Label('comment', a.get('comment'))]
             if entity_obj == File:
                 labels.append(Label('hash', v_2))
-            yield entity_obj_to_entity(entity_obj, v_1, t_1, labels=labels, link_label=link_label, notes=notes)  # LATER change the comment to include the second part of the regkey
+            yield entity_obj_to_entity(entity_obj, v_1, t_1, labels=labels, link_label=link_label, notes=notes, bookmark=Bookmark.Green)  # LATER change the comment to include the second part of the regkey
         else:
             yield UIMessage("Type {} of combined type {} not supported for attribute: {}".format(t_1, a['type'], a), type=UIMessageType.Inform)
         if t_2 in mapping_misp_to_maltego:
@@ -188,18 +188,18 @@ def attribute_to_entity(a, link_label=None, event_tags=None):
             labels = [Label('comment', a.get('comment'))]
             if entity_obj == Hash:
                 labels.append(Label('filename', v_1))
-            yield entity_obj_to_entity(entity_obj, v_2, t_2, labels=labels, link_label=link_label, notes=notes)  # LATER change the comment to include the first part of the regkey
+            yield entity_obj_to_entity(entity_obj, v_2, t_2, labels=labels, link_label=link_label, notes=notes, bookmark=Bookmark.Green)  # LATER change the comment to include the first part of the regkey
         else:
             yield UIMessage("Type {} of combined type {} not supported for attribute: {}".format(t_2, a['type'], a), type=UIMessageType.Inform)
 
     # normal attributes
     elif a['type'] in mapping_misp_to_maltego:
         entity_obj = mapping_misp_to_maltego[a['type']][0]
-        yield entity_obj_to_entity(entity_obj, a['value'], a['type'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes)
+        yield entity_obj_to_entity(entity_obj, a['value'], a['type'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes, bookmark=Bookmark.Green)
 
     # not supported in our maltego mapping
     else:
-        yield Unknown(a['value'], type=a['type'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes)
+        yield Unknown(a['value'], type=a['type'], labels=[Label('comment', a.get('comment'))], link_label=link_label, notes=notes, bookmark=Bookmark.Green)
         yield UIMessage("Type {} not fully supported for attribute: {}".format(a['type'], a), type=UIMessageType.Inform)
 
     # LATER : relationships from attributes - not yet supported by MISP yet, but there are references in the datamodel
@@ -252,7 +252,8 @@ def object_to_entity(o, link_label=None):
         meta_category=o.get('meta_category'),
         description=o.get('description'),
         comment=o.get('comment'),
-        link_label=link_label
+        link_label=link_label,
+        bookmark=Bookmark.Green
     )
 
 
@@ -261,7 +262,7 @@ def object_to_attributes(o, e):
     if o['name'] == 'person':
         first_name = get_attribute_in_object(o, 'first-name', drop=True).get('value')
         last_name = get_attribute_in_object(o, 'last-name', drop=True).get('value')
-        yield entity_obj_to_entity(Person, ' '.join([first_name, last_name]).strip(), 'person', lastname=last_name, firstnames=first_name)
+        yield entity_obj_to_entity(Person, ' '.join([first_name, last_name]).strip(), 'person', lastname=last_name, firstnames=first_name, bookmark=Bookmark.Green)
 
     # process normal attributes
     for a in o['Attribute']:
@@ -325,7 +326,7 @@ def event_to_entity(e, link_style=LinkStyle.Normal):
         for t in e['Event']['Tag']:
             tags.append(t['name'])
     notes = convert_tags_to_note(tags)
-    return MISPEvent(e['Event']['id'], uuid=e['Event']['uuid'], info=e['Event']['info'], link_style=link_style, notes=notes)
+    return MISPEvent(e['Event']['id'], uuid=e['Event']['uuid'], info=e['Event']['info'], link_style=link_style, notes=notes, bookmark=Bookmark.Green)
 
 
 def galaxycluster_to_entity(c, link_label=None):
@@ -348,7 +349,8 @@ def galaxycluster_to_entity(c, link_label=None):
         synonyms=synonyms,
         tag_name=c['tag_name'],
         link_label=link_label,
-        icon_url=icon_url
+        icon_url=icon_url,
+        bookmark=Bookmark.Green
     )