Merge branch 'robertnixon2003-master' + a small fix

misp_modules/modules/export_mod/__init__.py

@@ -1 +1 @@
-__all__ = ['testexport','cef_export','liteexport','threat_connect_export', 'pdfexport']
+__all__ = ['testexport','cef_export','liteexport','threat_connect_export','pdfexport','threatStream_misp_export']

misp_modules/modules/export_mod/threatStream_misp_export.py

@@ -0,0 +1,109 @@
+"""
+Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
+Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
+"""
+
+import base64
+import csv
+import io
+import json
+import logging
+
+
+misperrors = {"error": "Error"}
+
+moduleinfo = {
+    "version": "1.0",
+    "author": "Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT",
+    "description": "Export a structured CSV file for uploading to ThreatStream",
+    "module-type": ["export"]
+}
+
+
+moduleconfig = []
+
+
+# Map of MISP fields => ThreatStream itypes, you can modify this to your liking
+fieldmap = {
+    "domain": "mal_domain",
+    "hostname": "mal_domain",
+    "ip-src": "mal_ip",
+    "ip-dst": "mal_ip",
+    "email-src": "phish_email",
+    "url": "mal_url",
+    "md5": "mal_md5",
+}
+
+# combine all the MISP fields from fieldmap into one big list
+mispattributes = {
+    "input": list(fieldmap.keys())
+}
+
+
+def handler(q=False):
+    """
+    Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
+    Input
+        q: Query dictionary
+    """
+    if q is False or not q:
+        return False
+
+    
+    request = json.loads(q)
+  
+
+    response = io.StringIO()
+    writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
+    writer.writeheader()
+
+    # start parsing MISP data
+    for event in request["data"]:
+        for attribute in event["Attribute"]:
+            if attribute["type"] in mispattributes["input"]:
+                logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
+                if "|" in attribute["type"]:
+                    # if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
+                    indicators = tuple(attribute["value"].split("|"))
+                    ts_types = tuple(fieldmap[attribute["type"]].split("|"))
+                    for i, indicator in enumerate(indicators):
+                        writer.writerow({
+                            "value": indicator,
+                            "itype": ts_types[i],
+                            "tags": attribute["comment"]
+                        })
+                else:
+                    writer.writerow({
+                        "itype": fieldmap[attribute["type"]],
+                        "value": attribute["value"],
+                        "tags": attribute["comment"]
+                    })
+
+    return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}
+
+
+def introspection():
+    """
+    Relay the supported attributes to MISP.
+    No Input
+    Output
+        Dictionary of supported MISP attributes
+    """
+    modulesetup = {
+        "responseType": "application/txt",
+        "outputFileExtension": "csv",
+        "userConfig": {},
+        "inputSource": []
+    }
+    return modulesetup
+
+
+def version():
+    """
+    Relay module version and associated metadata to MISP.
+    No Input
+    Output
+        moduleinfo: metadata output containing all potential configuration values
+    """
+    moduleinfo["config"] = moduleconfig
+    return moduleinfo