misp-modules/misp_modules/modules/export_mod/vt_graph.py

'''Export MISP event to VirusTotal Graph.'''


import base64
import json
from vt_graph_parser.importers.pymisp_response import from_pymisp_response


misperrors = {
    'error': 'Error'
}
moduleinfo = {
    'version': '0.1',
    'author': 'VirusTotal',
    'description': 'This module is used to create a VirusTotal Graph from a MISP event.',
    'module-type': ['export'],
    'name': 'VirusTotal Graph Export',
    'logo': 'virustotal.png',
    'requirements': ['vt_graph_api, the python library to query the VirusTotal graph API'],
    'features': 'The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.\n\nOnce the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.',
    'references': ['https://www.virustotal.com/gui/graph-overview'],
    'input': 'A MISP event.',
    'output': 'Link of the VirusTotal Graph created for the event.',
}
mispattributes = {
    'input': [
        'hostname',
        'domain',
        'ip-src',
        'ip-dst',
        'md5',
        'sha1',
        'sha256',
        'url',
        'filename|md5',
        'filename'
    ]
}
moduleconfig = [
    'vt_api_key',
    'fetch_information',
    'private',
    'fetch_vt_enterprise',
    'expand_one_level',
    'user_editors',
    'user_viewers',
    'group_editors',
    'group_viewers'
]


def handler(q=False):
    """Expansion handler.

    Args:
      q (bool, optional): module data. Defaults to False.

    Returns:
      [str]: VirusTotal graph links
    """
    if not q:
        return False
    request = json.loads(q)

    if not request.get('config') or not request['config'].get('vt_api_key'):
        misperrors['error'] = 'A VirusTotal api key is required for this module.'
        return misperrors

    config = request['config']

    api_key = config.get('vt_api_key')
    fetch_information = config.get('fetch_information') or False
    private = config.get('private') or False
    fetch_vt_enterprise = config.get('fetch_vt_enterprise') or False
    expand_one_level = config.get('expand_one_level') or False

    user_editors = config.get('user_editors')
    if user_editors:
        user_editors = user_editors.split(',')
    user_viewers = config.get('user_viewers')
    if user_viewers:
        user_viewers = user_viewers.split(',')
    group_editors = config.get('group_editors')
    if group_editors:
        group_editors = group_editors.split(',')
    group_viewers = config.get('group_viewers')
    if group_viewers:
        group_viewers = group_viewers.split(',')

    graphs = from_pymisp_response(
        request, api_key, fetch_information=fetch_information,
        private=private, fetch_vt_enterprise=fetch_vt_enterprise,
        user_editors=user_editors, user_viewers=user_viewers,
        group_editors=group_editors, group_viewers=group_viewers,
        expand_node_one_level=expand_one_level)
    links = []

    for graph in graphs:
        graph.save_graph()
        links.append(graph.get_ui_link())

    # This file will contains one VirusTotal graph link for each exported event
    file_data = str(base64.b64encode(
        bytes('\n'.join(links), 'utf-8')), 'utf-8')
    return {'response': [], 'data': file_data}


def introspection():
    modulesetup = {
        'responseType': 'application/txt',
        'outputFileExtension': 'txt',
        'userConfig': {},
        'inputSource': []
    }
    return modulesetup


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
add vt_graph export module 2020-01-09 10:57:46 +01:00			`'''Export MISP event to VirusTotal Graph.'''`


			`import base64`
			`import json`
fix: Fixed vt_graph imports 2020-01-10 10:31:52 +01:00			`from vt_graph_parser.importers.pymisp_response import from_pymisp_response`
add vt_graph export module 2020-01-09 10:57:46 +01:00

			`misperrors = {`
			`'error': 'Error'`
			`}`
			`moduleinfo = {`
			`'version': '0.1',`
			`'author': 'VirusTotal',`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`'description': 'This module is used to create a VirusTotal Graph from a MISP event.',`
			`'module-type': ['export'],`
			`'name': 'VirusTotal Graph Export',`
			`'logo': 'virustotal.png',`
			`'requirements': ['vt_graph_api, the python library to query the VirusTotal graph API'],`
			`'features': 'The module takes the MISP event as input and queries the VirusTotal Graph API to create a new graph out of the event.\n\nOnce the graph is ready, we get the url of it, which is returned so we can view it on VirusTotal.',`
			`'references': ['https://www.virustotal.com/gui/graph-overview'],`
			`'input': 'A MISP event.',`
			`'output': 'Link of the VirusTotal Graph created for the event.',`
add vt_graph export module 2020-01-09 10:57:46 +01:00			`}`
			`mispattributes = {`
			`'input': [`
			`'hostname',`
			`'domain',`
			`'ip-src',`
			`'ip-dst',`
			`'md5',`
			`'sha1',`
			`'sha256',`
			`'url',`
			`'filename\|md5',`
			`'filename'`
			`]`
			`}`
			`moduleconfig = [`
			`'vt_api_key',`
			`'fetch_information',`
			`'private',`
			`'fetch_vt_enterprise',`
			`'expand_one_level',`
			`'user_editors',`
			`'user_viewers',`
			`'group_editors',`
			`'group_viewers'`
			`]`


			`def handler(q=False):`
fix: Fixed pep8 in the new module and related libraries 2020-01-09 16:01:18 +01:00			`"""Expansion handler.`

			`Args:`
			`q (bool, optional): module data. Defaults to False.`

			`Returns:`
			`[str]: VirusTotal graph links`
			`"""`
			`if not q:`
			`return False`
			`request = json.loads(q)`

			`if not request.get('config') or not request['config'].get('vt_api_key'):`
			`misperrors['error'] = 'A VirusTotal api key is required for this module.'`
			`return misperrors`

			`config = request['config']`

			`api_key = config.get('vt_api_key')`
			`fetch_information = config.get('fetch_information') or False`
			`private = config.get('private') or False`
			`fetch_vt_enterprise = config.get('fetch_vt_enterprise') or False`
			`expand_one_level = config.get('expand_one_level') or False`

			`user_editors = config.get('user_editors')`
			`if user_editors:`
			`user_editors = user_editors.split(',')`
			`user_viewers = config.get('user_viewers')`
			`if user_viewers:`
			`user_viewers = user_viewers.split(',')`
			`group_editors = config.get('group_editors')`
			`if group_editors:`
			`group_editors = group_editors.split(',')`
			`group_viewers = config.get('group_viewers')`
			`if group_viewers:`
			`group_viewers = group_viewers.split(',')`

			`graphs = from_pymisp_response(`
			`request, api_key, fetch_information=fetch_information,`
			`private=private, fetch_vt_enterprise=fetch_vt_enterprise,`
			`user_editors=user_editors, user_viewers=user_viewers,`
			`group_editors=group_editors, group_viewers=group_viewers,`
			`expand_node_one_level=expand_one_level)`
			`links = []`

			`for graph in graphs:`
			`graph.save_graph()`
			`links.append(graph.get_ui_link())`

			`# This file will contains one VirusTotal graph link for each exported event`
			`file_data = str(base64.b64encode(`
			`bytes('\n'.join(links), 'utf-8')), 'utf-8')`
			`return {'response': [], 'data': file_data}`
add vt_graph export module 2020-01-09 10:57:46 +01:00

			`def introspection():`
fix: Fixed pep8 in the new module and related libraries 2020-01-09 16:01:18 +01:00			`modulesetup = {`
			`'responseType': 'application/txt',`
			`'outputFileExtension': 'txt',`
			`'userConfig': {},`
			`'inputSource': []`
			`}`
			`return modulesetup`
add vt_graph export module 2020-01-09 10:57:46 +01:00

			`def version():`
fix: Fixed pep8 in the new module and related libraries 2020-01-09 16:01:18 +01:00			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`