From 49d5520fa3c246e0e1e66bdc057493586289c855 Mon Sep 17 00:00:00 2001
From: Robert Nixon
Date: Mon, 8 Jan 2018 11:01:16 -0500
Subject: [PATCH 1/4] Added threatStream_misp_export.py
---
 .../export_mod/threatStream_misp_export.py | 110 ++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 misp_modules/modules/export_mod/threatStream_misp_export.py
diff --git a/misp_modules/modules/export_mod/threatStream_misp_export.py b/misp_modules/modules/export_mod/threatStream_misp_export.py
new file mode 100644
index 0000000..2729de1
--- /dev/null
+++ b/misp_modules/modules/export_mod/threatStream_misp_export.py
@@ -0,0 +1,110 @@
+"""
+Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
+Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
+"""
+
+import base64
+import csv
+import io
+import json
+import logging
+
+
+misperrors = {"error": "Error"}
+
+moduleinfo = {
+ "version": "1.0",
+ "author": "Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT",
+ "description": "Export a structured CSV file for uploading to ThreatStream",
+ "module-type": ["export"]
+}
+
+
+moduleconfig = ["Default_Source"]
+
+
+# Map of MISP fields => ThreatStream itypes
+fieldmap = {
+ "domain": "mal_domain",
+ "hostname": "mal_domain",
+ "ip-src": "mal_ip",
+ "ip-dst": "mal_ip",
+ "email-src": "phish_email",
+ "url": "mal_url",
+ "md5": "mal_md5",
+}
+
+# combine all the MISP fields from fieldmap into one big list
+mispattributes = {
+ "input": list(fieldmap.keys())
+}
+
+
+def handler(q=False):
+ """
+ Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
+ Input
+ q: Query dictionary
+ """
+ if q is False or not q:
+ return False
+
+ # Check if we were given a configuration
+ request = json.loads(q)
+ config = request.get("config", {"Default_Source": ""})
+ logging.info("Setting config to: %s", config)
+
+ response = io.StringIO()
+ writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
+ writer.writeheader()
+
+ # start parsing MISP data
+ for event in request["data"]:
+ for attribute in event["Attribute"]:
+ if attribute["type"] in mispattributes["input"]:
+ logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
+ if "|" in attribute["type"]:
+ # if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
+ indicators = tuple(attribute["value"].split("|"))
+ ts_types = tuple(fieldmap[attribute["type"]].split("|"))
+ for i, indicator in enumerate(indicators):
+ writer.writerow({
+ "value": indicator,
+ "itype": ts_types[i],
+ "tags": attribute["comment"]
+ })
+ else:
+ writer.writerow({
+ "itype": fieldmap[attribute["type"]],
+ "value": attribute["value"],
+ "tags": attribute["comment"]
+ })
+
+ return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}
+
+
+def introspection():
+ """
+ Relay the supported attributes to MISP.
+ No Input
+ Output
+ Dictionary of supported MISP attributes
+ """
+ modulesetup = {
+ "responseType": "application/txt",
+ "outputFileExtension": "csv",
+ "userConfig": {},
+ "inputSource": []
+ }
+ return modulesetup
+
+
+def version():
+ """
+ Relay module version and associated metadata to MISP.
+ No Input
+ Output
+ moduleinfo: metadata output containing all potential configuration values
+ """
+ moduleinfo["config"] = moduleconfig
+ return moduleinfo
From 1d2f3d9c3c746b9af22959762ed09b981f7963e8 Mon Sep 17 00:00:00 2001
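Review bot: The composite-type branch in handler pairs `indicators` with `ts_types` by position, so an attribute value holding more `|`-separated parts than its fieldmap entry raises IndexError on `ts_types[i]` and aborts the whole export; iterating `for indicator, ts_type in zip(indicators, ts_types):` and writing `"itype": ts_type` bounds the loop to the mapped itypes. As committed no fieldmap entry contains `|`, so that branch is unreachable until someone extends the map, which the comment added later in this series invites. Both writerow calls also read `attribute["comment"]` directly; if attributes without that key should still be exported, `"tags": attribute.get("comment", "")` avoids failing on the first one. Because values and comments are copied verbatim from shared event data with only csv quoting, the module docstring could also note that a consumer opening the file in a spreadsheet rather than ThreatStream may interpret cells starting with `=`, `+`, `-` or `@` as formulas.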
From: Robert Nixon
Date: Mon, 8 Jan 2018 11:03:42 -0500
Subject: [PATCH 2/4] Updated __init__.py Added reference to new ThreatStream export module
---
 misp_modules/modules/export_mod/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/export_mod/__init__.py b/misp_modules/modules/export_mod/__init__.py
index 1932b6f..3d5b5c2 100644
--- a/misp_modules/modules/export_mod/__init__.py
+++ b/misp_modules/modules/export_mod/__init__.py
@@ -1 +1 @@
-__all__ = ['testexport','cef_export','liteexport','threat_connect_export', 'pdfexport']
+__all__ = ['testexport','cef_export','liteexport','threat_connect_export','pdfexport','threatStream_misp_export.py']
From 85f1a9bd9157c527e23585b34a463e6cc2aa44a6 Mon Sep 17 00:00:00 2001
From: Robert Nixon
Date: Mon, 8 Jan 2018 12:09:23 -0500
Subject: [PATCH 3/4] Update threatStream_misp_export.py
---
 .../modules/export_mod/threatStream_misp_export.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/misp_modules/modules/export_mod/threatStream_misp_export.py b/misp_modules/modules/export_mod/threatStream_misp_export.py
index 2729de1..3fd88c8 100644
--- a/misp_modules/modules/export_mod/threatStream_misp_export.py
+++ b/misp_modules/modules/export_mod/threatStream_misp_export.py
@@ -20,10 +20,10 @@ moduleinfo = {
 }
-moduleconfig = ["Default_Source"]
+moduleconfig = []
-# Map of MISP fields => ThreatStream itypes
+# Map of MISP fields => ThreatStream itypes, you can modify this to your liking
 fieldmap = {
 "domain": "mal_domain",
 "hostname": "mal_domain",
@@ -49,10 +49,9 @@ def handler(q=False):
 if q is False or not q:
 return False
- # Check if we were given a configuration
+
 request = json.loads(q)
- config = request.get("config", {"Default_Source": ""})
- logging.info("Setting config to: %s", config)
+
 response = io.StringIO()
 writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
From 5c4df3075e559d5357fd4613621b319d9525fc7a Mon Sep 17 00:00:00 2001
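Review bot: The reworded comment on `fieldmap` in the first hunk of PATCH 3 invites edits but does not say what shape an entry must take; handler splits both the attribute value and the mapped itype on `|`, so a composite MISP type only works when its entry is a `|`-separated list of itypes in the same order and count. Suggest extending it to `# Map of MISP fields => ThreatStream itypes; a composite MISP type (name containing "|") must map to the same number of "|"-separated itypes, in order`. In the second hunk the two added blank lines sit next to blank lines that already exist, leaving double blank lines inside handler's body; dropping the removed lines without adding replacements keeps a single blank line there. handler continues outside that hunk.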
From: Alexandre Dulaunoy
Date: Mon, 8 Jan 2018 20:31:26 +0100
Subject: [PATCH 4/4] Fix the __init__ import
---
 misp_modules/modules/export_mod/__init__.py | 2 +-
 misp_modules/modules/export_mod/threatStream_misp_export.py | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 misp_modules/modules/export_mod/threatStream_misp_export.py
diff --git a/misp_modules/modules/export_mod/__init__.py b/misp_modules/modules/export_mod/__init__.py
index 3d5b5c2..fff02d7 100644
--- a/misp_modules/modules/export_mod/__init__.py
+++ b/misp_modules/modules/export_mod/__init__.py
@@ -1 +1 @@
-__all__ = ['testexport','cef_export','liteexport','threat_connect_export','pdfexport','threatStream_misp_export.py']
+__all__ = ['testexport','cef_export','liteexport','threat_connect_export','pdfexport','threatStream_misp_export']
diff --git a/misp_modules/modules/export_mod/threatStream_misp_export.py b/misp_modules/modules/export_mod/threatStream_misp_export.py
old mode 100644
new mode 100755
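Review bot: The mode change to 100755 on threatStream_misp_export.py is unrelated to the `__init__` fix named in the subject and makes an imported module executable although its first line is a docstring, not a `#!` line; keeping the file at 100644, or putting the mode change in its own commit with a reason, avoids a stray executable bit in the package. The `__all__` correction itself looks right.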