############################################# # MISP API Domain to Event # # Author: Emmanuel Bouillon # Email: emmanuel.bouillon.sec@gmail.com # Date: 24/11/2015 ############################################# import sys from misp_util import * from pymisp import PyMISP import json type2attribute = {'domain':('domain','hostname'), 'hostname':('hostname'), 'hash':('md5','sha1','sha256') , 'ip':('ip-src','ip-dst'), 'email':('email-src','email-dst'), 'email-subject': ('email-subject')} argType2enType = {'domain':'maltego.Domain', 'hostname':'maltego.Domain', 'hash':'maltego.Hash', 'ip':'maltego.IPv4Address', 'email':'maltego.EmailAddress', 'email-subject': 'maltego.Phrase'} filename_pipe_hash_type = ('filename|md5', 'filename|sha1', 'filename|sha256', 'malware-sample') if __name__ == '__main__': event_id = sys.argv[1] argType = sys.argv[0].split('.')[0].split('2')[1] # misp_event2argType.py misp = init() try: event = misp.get_event(event_id) event_json = event.json() mt = MaltegoTransform() for attribute in event_json['Event']["Attribute"]: value = attribute["value"] aType = attribute["type"] if aType in type2attribute[argType]: if aType in filename_pipe_hash_type: h = value.split('|')[1].strip() me = MaltegoEntity(argType2enType[argType], h) mt.addEntityToMessage(me); else: me = MaltegoEntity(argType2enType[argType], value) mt.addEntityToMessage(me); except Exception as e: mt.addUIMessage("[ERROR] " + str(e)) mt.returnOutput()