From 2b1cc6e616e688481d2ebb030f3a841c013cc6d3 Mon Sep 17 00:00:00 2001
From: th3jiv3r
Date: Wed, 15 Jan 2020 13:17:57 -0600
Subject: [PATCH 1/2] configuration for trustar integration
---
 examples/trustar.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 examples/trustar.conf
diff --git a/examples/trustar.conf b/examples/trustar.conf
new file mode 100644
index 0000000..77cb4c4
--- /dev/null
+++ b/examples/trustar.conf
@@ -0,0 +1,14 @@
+[trustar]
+
+# endpoint that provides oauth token
+auth_endpoint = https://api.trustar.co/oauth/token
+
+# base API URL access endpoint
+api_endpoint = https://api.trustar.co/api/1.3
+
+# Generate and copy your API key and secret on user API settings page on Station: https://station.trustar.co/settings/api
+user_api_key = '#{API_KEY}'
+user_api_secret = '#{API_SECRET}'
+
+# OPTIONAL: enter one or more comma-separate enclave IDs to submit to - get these from API settings page on Station
+# enclave_ids = abcdef,1234f
From ded30d42e02197c93bf372a2b22fde402aab0f3e Mon Sep 17 00:00:00 2001
From: th3jiv3r
Date: Wed, 15 Jan 2020 13:19:43 -0600
Subject: [PATCH 2/2] scrape trustar intel platform reports and create misp events
---
 examples/trustar_misp.py | 66 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 examples/trustar_misp.py
diff --git a/examples/trustar_misp.py b/examples/trustar_misp.py
new file mode 100644
index 0000000..32503f6
--- /dev/null
+++ b/examples/trustar_misp.py
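Review bot: The quoted placeholders `user_api_key = '#{API_KEY}'` and `user_api_secret = '#{API_SECRET}'` keep their surrounding quotes if the SDK reads this file with configparser, which does not strip quotes, so a user who pastes a real key between the quotes would send a credential wrapped in `'` to the token endpoint. Writing the values bare, `user_api_key = #{API_KEY}`, avoids that; I have not checked how TruStar() parses the file, so confirm against the SDK before changing the example. Once filled in, this file holds live API credentials, so the example should say it must stay out of version control. The comment on the last line should also read `comma-separated` rather than `comma-separate`.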
@@ -0,0 +1,66 @@
+from trustar import TruStar, datetime_to_millis
+from datetime import datetime, timedelta
+from keys import misp_url, misp_key, misp_verifycert
+from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
+
+
+tru = TruStar()
+
+misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+
+now = datetime.now()
+
+# date range for pulling reports is last 4 hours when script is run
+to_time = datetime.now()
+from_time = to_time - timedelta(hours=4)
+
+# convert to millis since epoch
+to_time = datetime_to_millis(to_time)
+from_time = datetime_to_millis(from_time)
+
+rhisac = "7a33144f-aef3-442b-87d4-dbf70d8afdb0"
+reports = tru.get_reports(from_time=from_time,
+ to_time=to_time,
+ is_enclave=True,
+ enclave_ids=rhisac)
+
+# loop through each trustar report and create MISP events for each
+for report in reports:
+ # initialize and set MISPOrganisation()
+ orgc = MISPOrganisation()
+ orgc.name = 'RH-ISAC'
+ orgc.id = '#{ORGC.ID}' # organisation id
+ orgc.uuid = '#{ORGC.UUID}' # organisation uuid
+ # initialize and set MISPEvent()
+ event = MISPEvent()
+ event.Orgc = orgc
+ event.info = report.title
+ event.distribution = 0 # Optional, defaults to MISP.default_event_distribution in MISP config
+ event.threat_level_id = 2 # Optional, defaults to MISP.default_event_threat_level in MISP config
+ event.analysis = 0 # Optional, defaults to 0 (initial analysis)
+
+ # get tags for report
+ for tag in tru.get_enclave_tags(report.id):
+ event.add_tag(tag.name)
+
+ # get indicators for report
+ for indicator in tru.get_indicators_for_report(report.id):
+
+ # map trustar indicator type to MISP format
+ indicator_type = {
+ "MD5": "md5",
+ "SHA1": "sha1",
+ "SHA256": "sha256",
+ "SOFTWARE": "filename",
+ "URL": "link",
+ "EMAIL_ADDRESS": "email-src",
+ "IP": "ip-dst",
+ "MALWARE": "malware-type",
+ "CIDR_BLOCK": "ip-src",
+ "CVE": "vulnerability",
+ "THREAT_ACTOR": "threat-actor"
+ }
+ event.add_attribute(indicator_type.get(indicator.type), indicator.value)
+
+
# post each event to MISP via API
+ misp.add_event(event.to_json())
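Review bot: `event.add_attribute(indicator_type.get(indicator.type), indicator.value)` passes `None` as the attribute type for any TruSTAR indicator type missing from the map, which is likely to be rejected by MISP or to create a typeless attribute for the whole event; look the type up first and skip what is not mapped: `misp_type = indicator_type.get(indicator.type)`, `if misp_type is None: continue`, `event.add_attribute(misp_type, indicator.value)`. The map itself is rebuilt for every indicator and belongs at module level above the loop. Two mapping choices look like guesses rather than the source's semantics: `IP` becomes `ip-dst` while `CIDR_BLOCK` becomes `ip-src`, although TruSTAR indicators carry no direction, and `URL` becomes `link`, which MISP uses for external references rather than an observed URL. The enclave ID `7a33144f-aef3-442b-87d4-dbf70d8afdb0` and the `orgc.id`/`orgc.uuid` placeholders are hard-coded although the companion trustar.conf already defines `enclave_ids`; reading them from configuration keeps the script usable outside the RH-ISAC enclave and keeps template markers out of the event payload. `now = datetime.now()` is assigned and never used, and the four-hour window built from naive `datetime.now()` depends on the host timezone unless `datetime_to_millis` converts it — confirm against the SDK.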