MISP
/
PyMISP
mirror of https://github.com/MISP/PyMISP
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: Update asciidoctor generator

pull/141/head
Raphaël Vinot 2017-10-28 16:58:50 -04:00
parent 30da658292
commit ea327ceffb
4 changed files with 115 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
examples/asciidoc_generator.py
View File

@ -1,55 +1,21 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
import argparse
from datetime import date
import importlib
from pymisp import MISPEvent from pymisp import MISPEvent
from defang import defang from defang import defang
import argparse
from pytaxonomies import Taxonomies from pytaxonomies import Taxonomies
from datetime import date
headers = """
:toc: right
:toclevels: 1
:toc-title: Daily Report
:icons: font
:sectanchors:
:sectlinks:
= Daily report by {org_name}
{date}
:icons: font
"""
event_level_tags = """
IMPORTANT: This event is classified TLP:{value}.
{expanded}
"""
attributes = """
=== Indicator(s) of compromise
{list_attributes}
"""
title = """
== ({internal_id}) {title}
{summary}
"""
types_to_attach = ['ip-dst', 'url', 'domain']
objects_to_attach = ['domain-ip']
class ReportGenerator(): class ReportGenerator():
def __init__(self, profile="daily_report"):
def __init__(self):
self.taxonomies = Taxonomies() self.taxonomies = Taxonomies()
self.report = '' self.report = ''
profile_name = "profiles.{}".format(profile)
self.template = importlib.import_module(name=profile_name)
def from_remote(self, event_id): def from_remote(self, event_id):
from pymisp import PyMISP from pymisp import PyMISP
@ -66,15 +32,16 @@ class ReportGenerator():
def attributes(self): def attributes(self):
if not self.misp_event.attributes: if not self.misp_event.attributes:
return '' return ''
list_attributes = '' list_attributes = []
for attribute in self.misp_event.attributes: for attribute in self.misp_event.attributes:
if attribute.type in types_to_attach: if attribute.type in self.template.types_to_attach:
list_attributes += "\n* {}\n".format(defang(attribute.value)) list_attributes.append("* {}".format(defang(attribute.value)))
for obj in self.misp_event.Object: for obj in self.misp_event.Object:
if obj.name in self.template.objects_to_attach:
for attribute in obj.Attribute: for attribute in obj.Attribute:
if attribute.type in types_to_attach: if attribute.type in self.template.types_to_attach:
list_attributes += "\n* {}\n".format(defang(attribute.value)) list_attributes.append("* {}".format(defang(attribute.value)))
return attributes.format(list_attributes=list_attributes) return self.template.attributes.format(list_attributes="\n".join(list_attributes))
def _get_tag_info(self, machinetag): def _get_tag_info(self, machinetag):
return self.taxonomies.revert_machinetag(machinetag) return self.taxonomies.revert_machinetag(machinetag)
@ -82,7 +49,7 @@ class ReportGenerator():
def report_headers(self): def report_headers(self):
content = {'org_name': 'name', content = {'org_name': 'name',
'date': date.today().isoformat()} 'date': date.today().isoformat()}
self.report += headers.format(**content) self.report += self.template.headers.format(**content)
def event_level_tags(self): def event_level_tags(self):
if not self.misp_event.Tag: if not self.misp_event.Tag:
@ -91,7 +58,7 @@ class ReportGenerator():
# Only look for TLP for now # Only look for TLP for now
if tag['name'].startswith('tlp'): if tag['name'].startswith('tlp'):
tax, predicate = self._get_tag_info(tag['name']) tax, predicate = self._get_tag_info(tag['name'])
return event_level_tags.format(value=predicate.predicate.upper(), expanded=predicate.expanded) return self.template.event_level_tags.format(value=predicate.predicate.upper(), expanded=predicate.expanded)
def title(self): def title(self):
internal_id = '' internal_id = ''
@ -106,25 +73,27 @@ class ReportGenerator():
if a.object_relation == 'summary': if a.object_relation == 'summary':
summary = a.value summary = a.value
return title.format(internal_id=internal_id, title=self.misp_event.info, return self.template.title.format(internal_id=internal_id, title=self.misp_event.info,
summary=summary) summary=summary)
def asciidoc(self, lang='en'): def asciidoc(self, lang='en'):
self.report += self.title() self.report += self.title()
self.report += self.event_level_tags() self.report += self.event_level_tags()
self.report += self.attributes() self.report += self.attributes()
if __name__ == '__main__':
if __name__ == '__main__':
try:
parser = argparse.ArgumentParser(description='Create a human-readable report out of a MISP event') parser = argparse.ArgumentParser(description='Create a human-readable report out of a MISP event')
parser.add_argument("--profile", default="daily_report", help="Profile template to use")
parser.add_argument("-o", "--output", help="Output file to write to (generally ends in .adoc)")
group = parser.add_mutually_exclusive_group(required=True) group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-e", "--event", default=[], nargs='+', help="Event ID to get.") group.add_argument("-e", "--event", default=[], nargs='+', help="Event ID to get.")
group.add_argument("-p", "--path", default=[], nargs='+', help="Path to the JSON dump.") group.add_argument("-p", "--path", default=[], nargs='+', help="Path to the JSON dump.")
args = parser.parse_args() args = parser.parse_args()
report = ReportGenerator() report = ReportGenerator(args.profile)
report.report_headers() report.report_headers()
if args.event: if args.event:
@ -136,4 +105,10 @@ if __name__ == '__main__':
report.from_file(f) report.from_file(f)
report.asciidoc() report.asciidoc()
if args.output:
with open(args.output, "w") as ofile:
ofile.write(report.report)
else:
print(report.report) print(report.report)
except ModuleNotFoundError as err:
print(err)

0
examples/profiles/__init__.py Normal file
View File

37
examples/profiles/daily_report.py Normal file
View File

@ -0,0 +1,37 @@
types_to_attach = ['ip-dst', 'url', 'domain']
objects_to_attach = ['domain-ip']
headers = """
:toc: right
:toclevels: 1
:toc-title: Daily Report
:icons: font
:sectanchors:
:sectlinks:
= Daily report by {org_name}
{date}
:icons: font
"""
event_level_tags = """
IMPORTANT: This event is classified TLP:{value}.
{expanded}
"""
attributes = """
=== Indicator(s) of compromise
{list_attributes}
"""
title = """
== ({internal_id}) {title}
{summary}
"""

33
examples/profiles/weekly_report.py Normal file
View File

@ -0,0 +1,33 @@
types_to_attach = ['ip-dst', 'url', 'domain', 'md5']
objects_to_attach = ['domain-ip', 'file']
headers = """
:toc: right
:toclevels: 1
:toc-title: Weekly Report
:icons: font
:sectanchors:
:sectlinks:
= Weekly report by {org_name}
{date}
:icons: font
"""
event_level_tags = """
"""
attributes = """
=== Indicator(s) of compromise
{list_attributes}
"""
title = """
== ({internal_id}) {title}
{summary}
"""