misp-modules/index.html

733 lines
37 KiB
HTML
Raw Normal View History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="MISP Modules Project">
<meta name="author" content="MISP Project">
<link rel="canonical" href="https://www.misp-project.org/">
<link rel="icon" href="img/favicon.ico">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-7.3.4">
<title>MISP Modules Documentation</title>
<link rel="stylesheet" href="assets/stylesheets/main.db9e7362.min.css">
<link rel="stylesheet" href="assets/stylesheets/palette.3f5d1f46.min.css">
<meta name="theme-color" content="#ffffff">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="white" data-md-color-accent="blue">
<script>function __prefix(e){return new URL(".",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#home" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="." title="MISP Modules Documentation" class="md-header__button md-logo" aria-label="MISP Modules Documentation" data-md-component="logo">
<img src="img/misp.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
MISP Modules Documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Home
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/MISP/misp-modules/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
MISP/misp-modules
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="." title="MISP Modules Documentation" class="md-nav__button md-logo" aria-label="MISP Modules Documentation" data-md-component="logo">
<img src="img/misp.png" alt="logo">
</a>
MISP Modules Documentation
</label>
<div class="md-nav__source">
<a href="https://github.com/MISP/misp-modules/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
MISP/misp-modules
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Home
<span class="md-nav__icon md-icon"></span>
</label>
<a href="." class="md-nav__link md-nav__link--active">
Home
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#existing-misp-modules" class="md-nav__link">
Existing MISP modules
</a>
<nav class="md-nav" aria-label="Existing MISP modules">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#expansion-modules" class="md-nav__link">
Expansion modules
</a>
</li>
<li class="md-nav__item">
<a href="#export-modules" class="md-nav__link">
Export modules
</a>
</li>
<li class="md-nav__item">
<a href="#import-modules" class="md-nav__link">
Import modules
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#how-to-contribute-your-own-module" class="md-nav__link">
How to contribute your own module?
</a>
</li>
<li class="md-nav__item">
<a href="#licenses" class="md-nav__link">
Licenses
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Modules
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Modules" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Modules
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="expansion/" class="md-nav__link">
Expansion Modules
</a>
</li>
<li class="md-nav__item">
<a href="export_mod/" class="md-nav__link">
Export Modules
</a>
</li>
<li class="md-nav__item">
<a href="import_mod/" class="md-nav__link">
Import Modules
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="install/" class="md-nav__link">
Install Guides
</a>
</li>
<li class="md-nav__item">
<a href="contribute/" class="md-nav__link">
Contribute
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5">
About
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="About" data-md-level="1">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
About
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="license/" class="md-nav__link">
License
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#existing-misp-modules" class="md-nav__link">
Existing MISP modules
</a>
<nav class="md-nav" aria-label="Existing MISP modules">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#expansion-modules" class="md-nav__link">
Expansion modules
</a>
</li>
<li class="md-nav__item">
<a href="#export-modules" class="md-nav__link">
Export modules
</a>
</li>
<li class="md-nav__item">
<a href="#import-modules" class="md-nav__link">
Import modules
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#how-to-contribute-your-own-module" class="md-nav__link">
How to contribute your own module?
</a>
</li>
<li class="md-nav__item">
<a href="#licenses" class="md-nav__link">
Licenses
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="home">Home<a class="headerlink" href="#home" title="Permanent link">&para;</a></h1>
<p><a href="https://travis-ci.org/MISP/misp-modules"><img alt="Build Status" src="https://travis-ci.org/MISP/misp-modules.svg?branch=master" /></a>
<a href="https://coveralls.io/github/MISP/misp-modules?branch=master"><img alt="Coverage Status" src="https://coveralls.io/repos/github/MISP/misp-modules/badge.svg?branch=master" /></a>
<a href="https://codecov.io/gh/MISP/misp-modules"><img alt="codecov" src="https://codecov.io/gh/MISP/misp-modules/branch/master/graph/badge.svg" /></a>
<a href="https://app.fossa.io/projects/git%2Bgithub.com%2FMISP%2Fmisp-modules?ref=badge_shield"><img alt="FOSSA Status" src="https://app.fossa.io/api/projects/git%2Bgithub.com%MISP%2Fmisp-modules.svg?type=shield" /></a></p>
<p>MISP modules are autonomous modules that can be used for expansion and other services in <a href="https://github.com/MISP/MISP">MISP</a>.</p>
<p>The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.</p>
<p>MISP modules support is included in MISP starting from version <code>2.4.28</code>.</p>
<p>For more information: <a href="https://www.circl.lu/assets/files/misp-training/switch2016/2-misp-modules.pdf">Extending MISP with Python modules</a> slides from MISP training.</p>
<h2 id="existing-misp-modules">Existing MISP modules<a class="headerlink" href="#existing-misp-modules" title="Permanent link">&para;</a></h2>
<h3 id="expansion-modules">Expansion modules<a class="headerlink" href="#expansion-modules" title="Permanent link">&para;</a></h3>
<ul>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/backscatter_io.py">Backscatter.io</a> - a hover and expansion module to expand an IP address with mass-scanning observations.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/bgpranking.py">BGP Ranking</a> - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_scam_check.py">BTC scam check</a> - An expansion hover module to instantly check if a BTC address has been abused.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_steroids.py">BTC transactions</a> - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivedns.py">CIRCL Passive DNS</a> - a hover and expansion module to expand hostname and IP addresses with passive DNS information.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivessl.py">CIRCL Passive SSL</a> - a hover and expansion module to expand IP addresses with the X.509 certificate seen.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/countrycode.py">countrycode</a> - a hover module to tell you what country a URL belongs to.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/crowdstrike_falcon.py">CrowdStrike Falcon</a> - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve.py">CVE</a> - a hover module to give more information about a vulnerability (CVE).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve_advanced.py">CVE advanced</a> - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cuckoo_submit.py">Cuckoo submit</a> - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dbl_spamhaus.py">DBL Spamhaus</a> - a hover module to check Spamhaus DBL for a domain name.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dns.py">DNS</a> - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py">docx-enrich</a> - an enrichment module to get text out of Word document into MISP (using free-text parser).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/domaintools.py">DomainTools</a> - a hover and expansion module to get information from <a href="http://www.domaintools.com/">DomainTools</a> whois.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eupi.py">EUPI</a> - a hover and expansion module to get information about an URL from the <a href="https://phishing-initiative.eu/?lang=en">Phishing Initiative project</a>.</li>
<li><a href="misp_modules/modules/expansion/eql.py">EQL</a> - an expansion module to generate event query language (EQL) from an attribute. <a href="https://eql.readthedocs.io/en/latest/">Event Query Language</a></li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/farsight_passivedns.py">Farsight DNSDB Passive DNS</a> - a hover and expansion module to expand hostname and IP addresses with passive DNS information.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py">GeoIP</a> - a hover and expansion module to get GeoIP information from geolite/maxmind.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py">Greynoise</a> - a hover to get information from greynoise.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hashdd.py">hashdd</a> - a hover module to check file hashes against <a href="http://www.hashdd.com">hashdd.com</a> including NSLR dataset.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hibp.py">hibp</a> - a hover module to lookup against Have I Been Pwned?</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/intel471.py">intel471</a> - an expansion module to get info from <a href="https://intel471.com">Intel471</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ipasn.py">IPASN</a> - a hover and expansion to get the BGP ASN of an IP address.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/iprep.py">iprep</a> - an expansion module to get IP reputation from packetmail.net.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_submit.py">Joe Sandbox submit</a> - Submit files and URLs to Joe Sandbox.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py">Joe Sandbox query</a> - Query Joe Sandbox with the link of an analysis and get the parsed data.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macaddress_io.py">macaddress.io</a> - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from <a href="https://macaddress.io">MAC address Vendor Lookup</a>. See <a href="https://macaddress.io/integrations/MISP-module">integration tutorial here</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macvendors.py">macvendors</a> - a hover module to retrieve mac vendor information.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py">ocr-enrich</a> - an enrichment module to get OCRized data from images into MISP.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ods-enrich.py">ods-enrich</a> - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/odt-enrich.py">odt-enrich</a> - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe.py">onyphe</a> - a modules to process queries on Onyphe.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe_full.py">onyphe_full</a> - a modules to process full queries on Onyphe.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/otx.py">OTX</a> - an expansion module for <a href="https://otx.alienvault.com/">OTX</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/passivetotal.py">passivetotal</a> - a <a href="https://www.passivetotal.org/">passivetotal</a> module that queries a number of different PassiveTotal datasets.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pdf-enrich.py">pdf-enrich</a> - an enrichment module to extract text from PDF into MISP (using free-text parser).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pptx-enrich.py">pptx-enrich</a> - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/qrcode.py">qrcode</a> - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/rbl.py">rbl</a> - a module to get RBL (Real-Time Blackhost List) values from an attribute.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/reversedns.py">reversedns</a> - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/securitytrails.py">securitytrails</a> - an expansion module for <a href="https://securitytrails.com/">securitytrails</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/shodan.py">shodan</a> - a minimal <a href="https://www.shodan.io/">shodan</a> expansion module.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_queries.py">Sigma queries</a> - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_syntax_validator.py">Sigma syntax validator</a> - Sigma syntax validator.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sourcecache.py">sourcecache</a> - a module to cache a specific link from a MISP instance.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py">STIX2 pattern syntax validator</a> - a module to check a STIX2 pattern syntax.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatcrowd.py">ThreatCrowd</a> - an expansion module for <a href="https://www.threatcrowd.org/">ThreatCrowd</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatminer.py">threatminer</a> - an expansion module to expand from <a href="https://www.threatminer.org/">ThreatMiner</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py">urlhaus</a> - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlscan.py">urlscan</a> - an expansion module to query <a href="https://urlscan.io">urlscan.io</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal.py">virustotal</a> - an expansion module to query the <a href="https://www.virustotal.com/gui/home">VirusTotal</a> API with a high request rate limit required. (More details about the API: <a href="https://developers.virustotal.com/reference">here</a>)</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal_public.py">virustotal_public</a> - an expansion module to query the <a href="https://www.virustotal.com/gui/home">VirusTotal</a> API with a public key and a low request rate limit. (More details about the API: <a href="https://developers.virustotal.com/reference">here</a>)</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vmray_submit.py">VMray</a> - a module to submit a sample to VMray.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulndb.py">VulnDB</a> - a module to query <a href="https://www.riskbasedsecurity.com/">VulnDB</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulners.py">Vulners</a> - an expansion module to expand information about CVEs using Vulners API.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/whois.py">whois</a> - a module to query a local instance of <a href="https://github.com/rafiot/uwhoisd">uwhois</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/wiki.py">wikidata</a> - a <a href="https://www.wikidata.org">wikidata</a> expansion module.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xforceexchange.py">xforce</a> - an IBM X-Force Exchange expansion module.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xlsx-enrich.py">xlsx-enrich</a> - an enrichment module to get text out of an Excel document into MISP (using free-text parser).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_query.py">YARA query</a> - a module to create YARA rules from single hash attributes.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_syntax_validator.py">YARA syntax validator</a> - YARA syntax validator.</li>
</ul>
<h3 id="export-modules">Export modules<a class="headerlink" href="#export-modules" title="Permanent link">&para;</a></h3>
<ul>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cef_export.py">CEF</a> module to export Common Event Format (CEF).</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py">Cisco FireSight Manager ACL rule</a> module to export as rule for the Cisco FireSight manager ACL.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/goamlexport.py">GoAML export</a> module to export in <a href="http://goaml.unodc.org/goaml/en/index.html">GoAML format</a>.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/liteexport.py">Lite Export</a> module to export a lite event.</li>
<li><a href="misp_modules/modules/export_mod/mass_eql_export.py">Mass EQL Export</a> module to export applicable attributes from an event to a mass EQL query.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py">PDF export</a> module to export an event in PDF.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/nexthinkexport.py">Nexthink query format</a> module to export in Nexthink query format.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py">osquery</a> module to export in <a href="https://osquery.io/">osquery</a> query format.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threat_connect_export.py">ThreatConnect</a> module to export in ThreatConnect CSV format.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threatStream_misp_export.py">ThreatStream</a> module to export in ThreatStream format.</li>
</ul>
<h3 id="import-modules">Import modules<a class="headerlink" href="#import-modules" title="Permanent link">&para;</a></h3>
<ul>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/csvimport.py">CSV import</a> Customizable CSV import module.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/cuckooimport.py">Cuckoo JSON</a> Cuckoo JSON import.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/email_import.py">Email Import</a> Email import module for MISP to import basic metadata.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/goamlimport.py">GoAML import</a> Module to import <a href="http://goaml.unodc.org/goaml/en/index.html">GoAML</a> XML format.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py">Joe Sandbox import</a> Parse data from a Joe Sandbox json report.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/ocr.py">OCR</a> Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/openiocimport.py">OpenIOC</a> OpenIOC import based on PyMISP library.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/threatanalyzer_import.py">ThreatAnalyzer</a> - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.</li>
<li><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/vmray_import.py">VMRay</a> - An import module to process VMRay export.</li>
</ul>
<h2 id="how-to-contribute-your-own-module">How to contribute your own module?<a class="headerlink" href="#how-to-contribute-your-own-module" title="Permanent link">&para;</a></h2>
<p>Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.
For further information please see <a href="contribute/">Contribute</a>.</p>
<h2 id="licenses">Licenses<a class="headerlink" href="#licenses" title="Permanent link">&para;</a></h2>
<p><a href="https://app.fossa.io/projects/git%2Bgithub.com%2FMISP%2Fmisp-modules?ref=badge_large"><img alt="FOSSA Status" src="https://app.fossa.io/api/projects/git%2Bgithub.com%MISP%2Fmisp-modules.svg?type=large" /></a></p>
<p>For further Information see also the <a href="license/">license file</a>.</p>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="expansion/" class="md-footer__link md-footer__link--next" aria-label="Next: Expansion Modules" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Expansion Modules
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-footer-copyright">
<div class="md-footer-copyright__highlight">
Copyright &copy; 2019-2021 MISP Project
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-footer-social">
<a href="https://github.com/MISP" target="_blank" rel="noopener" title="github.com" class="md-footer-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 480 512"><path d="M186.1 328.7c0 20.9-10.9 55.1-36.7 55.1s-36.7-34.2-36.7-55.1 10.9-55.1 36.7-55.1 36.7 34.2 36.7 55.1zM480 278.2c0 31.9-3.2 65.7-17.5 95-37.9 76.6-142.1 74.8-216.7 74.8-75.8 0-186.2 2.7-225.6-74.8-14.6-29-20.2-63.1-20.2-95 0-41.9 13.9-81.5 41.5-113.6-5.2-15.8-7.7-32.4-7.7-48.8 0-21.5 4.9-32.3 14.6-51.8 45.3 0 74.3 9 108.8 36 29-6.9 58.8-10 88.7-10 27 0 54.2 2.9 80.4 9.2 34-26.7 63-35.2 107.8-35.2 9.8 19.5 14.6 30.3 14.6 51.8 0 16.4-2.6 32.7-7.7 48.2 27.5 32.4 39 72.3 39 114.2zm-64.3 50.5c0-43.9-26.7-82.6-73.5-82.6-18.9 0-37 3.4-56 6-14.9 2.3-29.8 3.2-45.1 3.2-15.2 0-30.1-.9-45.1-3.2-18.7-2.6-37-6-56-6-46.8 0-73.5 38.7-73.5 82.6 0 87.8 80.4 101.3 150.4 101.3h48.2c70.3 0 150.6-13.4 150.6-101.3zm-82.6-55.1c-25.8 0-36.7 34.2-36.7 55.1s10.9 55.1 36.7 55.1 36.7-34.2 36.7-55.1-10.9-55.1-36.7-55.1z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": ".", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "assets/javascripts/workers/search.8397ff9e.min.js", "version": null}</script>
<script src="assets/javascripts/bundle.1e84347e.min.js"></script>
</body>
</html>