mirror of https://github.com/MISP/misp-modules
Added threatStream_misp_export.py
parent
d35a2ee4ae
commit
49d5520fa3
|
@ -0,0 +1,110 @@
|
|||
"""
|
||||
Export module for coverting MISP events into ThreatStream Structured Import files. Based of work by the CenturyLink CIRT.
|
||||
Source: https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/export_mod/threat_connect_export.py
|
||||
"""
|
||||
|
||||
import base64
|
||||
import csv
|
||||
import io
|
||||
import json
|
||||
import logging
|
||||
|
||||
|
||||
misperrors = {"error": "Error"}
|
||||
|
||||
moduleinfo = {
|
||||
"version": "1.0",
|
||||
"author": "Robert Nixon, based off of the ThreatConnect MISP Module written by the CenturyLink CIRT",
|
||||
"description": "Export a structured CSV file for uploading to ThreatStream",
|
||||
"module-type": ["export"]
|
||||
}
|
||||
|
||||
|
||||
moduleconfig = ["Default_Source"]
|
||||
|
||||
|
||||
# Map of MISP fields => ThreatStream itypes
|
||||
fieldmap = {
|
||||
"domain": "mal_domain",
|
||||
"hostname": "mal_domain",
|
||||
"ip-src": "mal_ip",
|
||||
"ip-dst": "mal_ip",
|
||||
"email-src": "phish_email",
|
||||
"url": "mal_url",
|
||||
"md5": "mal_md5",
|
||||
}
|
||||
|
||||
# combine all the MISP fields from fieldmap into one big list
|
||||
mispattributes = {
|
||||
"input": list(fieldmap.keys())
|
||||
}
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
"""
|
||||
Convert a MISP query into a CSV file matching the ThreatStream Structured Import file format.
|
||||
Input
|
||||
q: Query dictionary
|
||||
"""
|
||||
if q is False or not q:
|
||||
return False
|
||||
|
||||
# Check if we were given a configuration
|
||||
request = json.loads(q)
|
||||
config = request.get("config", {"Default_Source": ""})
|
||||
logging.info("Setting config to: %s", config)
|
||||
|
||||
response = io.StringIO()
|
||||
writer = csv.DictWriter(response, fieldnames=["value", "itype", "tags"])
|
||||
writer.writeheader()
|
||||
|
||||
# start parsing MISP data
|
||||
for event in request["data"]:
|
||||
for attribute in event["Attribute"]:
|
||||
if attribute["type"] in mispattributes["input"]:
|
||||
logging.debug("Adding %s to structured CSV export of ThreatStream Export", attribute["value"])
|
||||
if "|" in attribute["type"]:
|
||||
# if the attribute type has multiple values, line it up with the corresponding ThreatStream values in fieldmap
|
||||
indicators = tuple(attribute["value"].split("|"))
|
||||
ts_types = tuple(fieldmap[attribute["type"]].split("|"))
|
||||
for i, indicator in enumerate(indicators):
|
||||
writer.writerow({
|
||||
"value": indicator,
|
||||
"itype": ts_types[i],
|
||||
"tags": attribute["comment"]
|
||||
})
|
||||
else:
|
||||
writer.writerow({
|
||||
"itype": fieldmap[attribute["type"]],
|
||||
"value": attribute["value"],
|
||||
"tags": attribute["comment"]
|
||||
})
|
||||
|
||||
return {"response": [], "data": str(base64.b64encode(bytes(response.getvalue(), 'utf-8')), 'utf-8')}
|
||||
|
||||
|
||||
def introspection():
|
||||
"""
|
||||
Relay the supported attributes to MISP.
|
||||
No Input
|
||||
Output
|
||||
Dictionary of supported MISP attributes
|
||||
"""
|
||||
modulesetup = {
|
||||
"responseType": "application/txt",
|
||||
"outputFileExtension": "csv",
|
||||
"userConfig": {},
|
||||
"inputSource": []
|
||||
}
|
||||
return modulesetup
|
||||
|
||||
|
||||
def version():
|
||||
"""
|
||||
Relay module version and associated metadata to MISP.
|
||||
No Input
|
||||
Output
|
||||
moduleinfo: metadata output containing all potential configuration values
|
||||
"""
|
||||
moduleinfo["config"] = moduleconfig
|
||||
return moduleinfo
|
Loading…
Reference in New Issue