fix: [transform] fixes to Event

object to Event is not yet working
pull/15/head
Christophe Vandeplas 2019-04-30 22:48:29 +02:00
parent 3e6eb7e3de
commit d9da38e24f
2 changed files with 33 additions and 20 deletions


@ -1,7 +1,7 @@
from canari.maltego.entities import Unknown from canari.maltego.entities import Unknown
from canari.maltego.transform import Transform from canari.maltego.transform import Transform
# from canari.framework import EnableDebugWindow # from canari.framework import EnableDebugWindow
from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity, get_attribute_in_event, attribute_to_entity, get_entity_property from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity, object_to_entity, get_attribute_in_event, get_attribute_in_object, attribute_to_entity, get_entity_property
__author__ = 'Christophe Vandeplas' __author__ = 'Christophe Vandeplas'
__copyright__ = 'Copyright 2018, MISP_maltego Project' __copyright__ = 'Copyright 2018, MISP_maltego Project'
@ -85,25 +85,28 @@ class AttributeToEvent(Transform):
pass pass
misp = get_misp_connection(config) misp = get_misp_connection(config)
# special Entities
if 'properties.mispgalaxy' in request.entity.fields: if 'properties.mispgalaxy' in request.entity.fields:
tag_name = get_entity_property(request.entity, 'tag_name') tag_name = get_entity_property(request.entity, 'tag_name')
if not tag_name: if not tag_name:
tag_name = request.entity.value tag_name = request.entity.value
events_json = misp.search(controller='events', tags=tag_name, withAttachments=False) events_json = misp.search(controller='events', tags=tag_name, withAttachments=False)
# FIXME make it work with object to event
# standard Entities
else: else:
events_json = misp.search(controller='events', values=request.entity.value, withAttachments=False) events_json = misp.search(controller='events', values=request.entity.value, withAttachments=False)
in_misp = False
# return the MISPEvent or MISPObject of the attribute
for e in events_json['response']: for e in events_json['response']:
in_misp = True # find the value as attribute
response += event_to_entity(e) attr = get_attribute_in_event(e, request.entity.value)
# find the object again, and bookmark it green if attr:
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown response += event_to_entity(e)
if in_misp: # find the value as object
for e in events_json['response']: if 'Object' in e['Event']:
attr = get_attribute_in_event(e, request.entity.value) for o in e['Event']['Object']:
if attr: if get_attribute_in_object(o, attribute_value=request.entity.value).get('value'):
for item in attribute_to_entity(attr, only_self=True): response += object_to_entity(o)
response += item
return response return response
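Review bot: The galaxy branch of this transform appears to return nothing now: the loop at the end of the hunk adds an event only when `get_attribute_in_event(e, request.entity.value)` finds the entity's value among the event's attributes, but for a `properties.mispgalaxy` entity the events come from the tag search and `request.entity.value` is the galaxy/tag name, which would not normally appear as an attribute value (the removed code added every returned event unconditionally via `in_misp`). Keeping the old behaviour for tag searches is a three-line guard at the top of the loop body: `if 'properties.mispgalaxy' in request.entity.fields:` / `response += event_to_entity(e)` / `continue`. The object pass also runs for events that already matched as an attribute, so one event can yield both an event entity and an object entity; if that is intended, the `# return the MISPEvent or MISPObject of the attribute` comment should say "and/or". The enclosing method, `request` and `response` are defined before the hunk.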


@ -290,8 +290,8 @@ def object_to_entity(o, link_label=None):
def object_to_attributes(o, e): def object_to_attributes(o, e):
# first process attributes from an object that belong together (eg: first-name + last-name), and remove them from the list # first process attributes from an object that belong together (eg: first-name + last-name), and remove them from the list
if o['name'] == 'person': if o['name'] == 'person':
first_name = get_attribute_in_object(o, 'first-name', drop=True).get('value') first_name = get_attribute_in_object(o, attribute_type='first-name', drop=True).get('value')
last_name = get_attribute_in_object(o, 'last-name', drop=True).get('value') last_name = get_attribute_in_object(o, attribute_type='last-name', drop=True).get('value')
yield entity_obj_to_entity(Person, ' '.join([first_name, last_name]).strip(), 'person', lastname=last_name, firstnames=first_name, bookmark=Bookmark.Green) yield entity_obj_to_entity(Person, ' '.join([first_name, last_name]).strip(), 'person', lastname=last_name, firstnames=first_name, bookmark=Bookmark.Green)
# process normal attributes # process normal attributes
@ -320,7 +320,7 @@ def get_object_in_event(uuid, e):
return o return o
def get_attribute_in_object(o, attribute_type, drop=False): def get_attribute_in_object(o, attribute_type=False, attribute_value=False, drop=False):
'''Gets the first attribute of a specific type within an object''' '''Gets the first attribute of a specific type within an object'''
found_attribute = {'value': ''} found_attribute = {'value': ''}
for i, a in enumerate(o['Attribute']): for i, a in enumerate(o['Attribute']):
@ -329,6 +329,16 @@ def get_attribute_in_object(o, attribute_type, drop=False):
if drop: # drop the attribute from the object if drop: # drop the attribute from the object
o['Attribute'].pop(i) o['Attribute'].pop(i)
break break
if a['value'] == attribute_value:
found_attribute = a.copy()
if drop: # drop the attribute from the object
o['Attribute'].pop(i)
if '|' in a['type'] or a['type'] == 'malware-sample':
if attribute_value in a['value'].split('|'):
found_attribute = a.copy()
if drop: # drop the attribute from the object
o['Attribute'].pop(i)
return found_attribute return found_attribute
@ -336,10 +346,10 @@ def get_attribute_in_event(e, attribute_value):
for a in e['Event']["Attribute"]: for a in e['Event']["Attribute"]:
if a['value'] == attribute_value: if a['value'] == attribute_value:
return a return a
for o in e['Event']['Object']: if '|' in a['type'] or a['type'] == 'malware-sample':
for a in o['Attribute']: if attribute_value in a['value'].split('|'):
if a['value'] == attribute_value:
return a return a
return None return None
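Review bot: In the `get_attribute_in_object` hunk (`@ -329,6 +329,16 @@`) the two new `attribute_value` branches have no `break`, unlike the `attribute_type` branch just above them, so with `drop=True` the `o['Attribute'].pop(i)` happens inside a still-running `enumerate` over the same list, which skips the element that moves into slot `i`, and a later match overwrites `found_attribute`, so the function returns the last match rather than the first its docstring promises. An attribute whose value equals `attribute_value` and whose type contains `|` also satisfies both branches and pops twice, removing an unrelated attribute. Folding the two value checks into one condition with a `break` fixes all three; the docstring on the `def` line (in the preceding hunk) should also mention the new `attribute_value` parameter, e.g. "Gets the first attribute matching attribute_type or attribute_value within an object". The function header is outside this hunk.
```python
        # … unchanged: attribute_type match, drop and break …
        if attribute_value and (
            a['value'] == attribute_value
            or (('|' in a['type'] or a['type'] == 'malware-sample')
                and attribute_value in a['value'].split('|'))
        ):
            found_attribute = a.copy()
            if drop:  # drop the attribute from the object
                o['Attribute'].pop(i)
            break
```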