From 2eef5968f9423881d6e395bf20128fc0c7c97c6d Mon Sep 17 00:00:00 2001
From: Julien Mongenet
Date: Mon, 10 Oct 2022 22:32:24 +0200
Subject: [PATCH] Creation fo "add_attributes_from_csv.py" The file aims to ingest a formated CSV file containing attributes for MISP ingestion.
---
examples/add_attributes_from_csv.py | 74 +++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 examples/add_attributes_from_csv.py
diff --git a/examples/add_attributes_from_csv.py b/examples/add_attributes_from_csv.py
new file mode 100644
index 0000000..e05bb1b
--- /dev/null
+++ b/examples/add_attributes_from_csv.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import csv
+from pymisp import PyMISP
+from pymisp import ExpandedPyMISP, MISPAttribute
+from keys import misp_url, misp_key, misp_verifycert
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import argparse
+import urllib3
+import requests
+requests.packages.urllib3.disable_warnings()
+
+
+"""
+
+Sample usage:
+
+python3 add_filetype_object_from_csv.py -e -f .csv
+
+
+Attribute CSV file (aach line is an entry):
+
+value;category;type;comment;to_ids;first_seen;last_seen;tag1;tag2
+test.pdf;Payload delivery;filename;Email attachment;0;1970-01-01;1970-01-01;tlp:green;ransomware
+127.0.0.1;Network activity;ip-dst;C2 server;1;;;tlp:white;
+
+value = IOC's value
+category = its MISP category (https://www.circl.lu/doc/misp/categories-and-types/)
+type = its MISP type (https://www.circl.lu/doc/misp/categories-and-types/)
+comment = IOC's description
+to_ids = Boolean expected (0 = IDS flag not checked // 1 = IDS flag checked)
+first_seen = First seen date, if any (left empty if not)
+last_seen = Last seen date, if any (left empty if not)
+tag = IOC tag, if any
+
+"""
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Add attributes to a MISP event from a semi-colon formated csv file')
+ parser.add_argument("-e", "--event_uuid", required=True, help="Event UUID to update")
+ parser.add_argument("-f", "--attr_file", required=True, help="Attribute CSV file path")
+ args = parser.parse_args()
+
+ pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+
+ f = open(args.attr_file, newline='')
+ csv_reader = csv.reader(f, delimiter=";")
+
+ for line in csv_reader:
+ value = line[0]
+ category = line[1]
+ type = line[2]
+ comment = line[3]
+ ids = line[4]
+ fseen = line[5]
+ lseen = line[6]
+ tags = line[7:]
+
+ misp_attribute = MISPAttribute()
+ misp_attribute.value = str(value)
+ misp_attribute.category = str(category)
+ misp_attribute.type = str(type)
+ misp_attribute.comment = str(comment)
+ misp_attribute.to_ids = str(ids)
+ if fseen != '':
+ misp_attribute.first_seen = str(fseen)
+ if lseen != '':
+ misp_attribute.last_seen = str(lseen)
+ for x in tags:
+ misp_attribute.add_tag(x)
+ r = pymisp.add_attribute(args.event_uuid, misp_attribute)
+ print(line)
+ print("\nAttributes successfully saved :)")
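Review bot: The result `r` of `pymisp.add_attribute(args.event_uuid, misp_attribute)` is never inspected, so "Attributes successfully saved :)" is printed even when MISP rejected rows, and an analyst may assume indicators are in the event that never were. As far as I know, PyMISP reports most client-side rejections as a dict carrying an `errors` key instead of raising, so I would check it per row, e.g. `if isinstance(r, dict) and r.get('errors'): failed.append((line, r['errors']))`, and print the success message only when `failed` is empty. Separately, the unconditional `requests.packages.urllib3.disable_warnings()` at import time hides the InsecureRequestWarning that would otherwise flag `misp_verifycert = False` while the API key is being sent; drop it, or call it only when verification is deliberately disabled. The handle from `open(args.attr_file, newline='')` is also never closed (a `with` block fixes that), and a row with fewer than seven fields will raise IndexError at `line[6]` partway through the import. Indentation is lost in this rendering, so the loop placement of these lines is inferred.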