Merge branch 'trustar-feat/EN-4664/trustar-misp'

pull/415/head
chrisr3d 2020-06-30 18:07:38 +02:00
commit 50f31cd63a
7 changed files with 175 additions and 1 deletions

View File

@ -95,6 +95,7 @@ sparqlwrapper==1.8.5
stix2-patterns==1.3.0 stix2-patterns==1.3.0
tabulate==0.8.7 tabulate==0.8.7
tornado==6.0.4 tornado==6.0.4
trustar==0.3.28
url-normalize==1.4.1 url-normalize==1.4.1
urlarchiver==0.2 urlarchiver==0.2
urllib3==1.25.8 urllib3==1.25.8

View File

@ -1184,6 +1184,35 @@ Module to get information from ThreatMiner.
----- -----
#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/trustar_enrich.py)
<img src=logos/trustar.png height=60>
Module to get enrich indicators with TruSTAR.
- **features**:
>This module enriches MISP attributes with scoring and metadata from TruSTAR.
>
>The TruSTAR indicator summary is appended to the attributes along with links to any associated reports.
- **input**:
>Any of the following MISP attributes:
>- btc
>- domain
>- email-src
>- filename
>- hostname
>- ip-src
>- ip-dst
>- md5
>- sha1
>- sha256
>- url
- **output**:
>MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.
- **references**:
>https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html
-----
#### [urlhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py) #### [urlhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py)
<img src=logos/urlhaus.png height=60> <img src=logos/urlhaus.png height=60>

View File

@ -0,0 +1,8 @@
{
"description": "Module to get enrich indicators with TruSTAR.",
"logo": "logos/trustar.png",
"input": "Any of the following MISP attributes:\n- btc\n- domain\n- email-src\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- url",
"output": "MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.",
"references": ["https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html"],
"features": "This module enriches MISP attributes with scoring and metadata from TruSTAR.\n\nThe TruSTAR indicator summary is appended to the attributes along with links to any associated reports."
}

BIN
doc/logos/trustar.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 37 KiB

View File

@ -1,6 +1,7 @@
from . import _vmray # noqa from . import _vmray # noqa
import os import os
import sys import sys
sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3]))) sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
__all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl', __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
@ -16,4 +17,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus', 'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid', 'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar', 'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich'] 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
'trustar_enrich']

View File

@ -0,0 +1,133 @@
import json
import pymisp
from pymisp import MISPAttribute, MISPEvent, MISPObject
from trustar import TruStar
misperrors = {'error': "Error"}
mispattributes = {
'input': ["btc", "domain", "email-src", "filename", "hostname", "ip-src", "ip-dst", "malware-type", "md5", "sha1",
"sha256", "url"], 'format': 'misp_standard'}
moduleinfo = {'version': "0.1", 'author': "Jesse Hedden",
'description': "Enrich data with TruSTAR",
'module-type': ["hover", "expansion"]}
moduleconfig = ["user_api_key", "user_api_secret", "enclave_ids"]
MAX_PAGE_SIZE = 100 # Max allowable page size returned from /1.3/indicators/summaries endpoint
class TruSTARParser:
ENTITY_TYPE_MAPPINGS = {
'BITCOIN_ADDRESS': "btc",
'CIDR_BLOCK': "ip-src",
'CVE': "vulnerability",
'URL': "url",
'EMAIL_ADDRESS': "email-src",
'SOFTWARE': "filename",
'IP': "ip-src",
'MALWARE': "malware-type",
'MD5': "md5",
'REGISTRY_KEY': "regkey",
'SHA1': "sha1",
'SHA256': "sha256"
}
REPORT_BASE_URL = "https://station.trustar.co/constellation/reports/{}"
CLIENT_METATAG = "MISP-{}".format(pymisp.__version__)
def __init__(self, attribute, config):
config['enclave_ids'] = config.get('enclave_ids', "").strip().split(',')
config['client_metatag'] = self.CLIENT_METATAG
self.ts_client = TruStar(config=config)
self.misp_event = MISPEvent()
self.misp_attribute = MISPAttribute()
self.misp_attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.misp_attribute)
def get_results(self):
"""
Returns the MISP Event enriched with TruSTAR indicator summary data.
"""
event = json.loads(self.misp_event.to_json())
results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
return {'results': results}
def generate_trustar_links(self, entity_value):
"""
Generates links to TruSTAR reports if they exist.
:param entity_value: <str> Value of entity.
"""
report_links = list()
trustar_reports = self.ts_client.search_reports(entity_value)
for report in trustar_reports:
report_links.append(self.REPORT_BASE_URL.format(report.id))
return report_links
def parse_indicator_summary(self, summaries):
"""
Converts a response from the TruSTAR /1.3/indicators/summaries endpoint
a MISP trustar_report object and adds the summary data and links as attributes.
:param summaries: <generator> A TruSTAR Python SDK Page.generator object for generating
indicator summaries pages.
"""
for summary in summaries:
trustar_obj = MISPObject('trustar_report')
indicator_type = summary.indicator_type
indicator_value = summary.value
if indicator_type in self.ENTITY_TYPE_MAPPINGS:
trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type],
value=indicator_value)
trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text",
value=json.dumps(summary.to_dict(), sort_keys=True, indent=4))
report_links = self.generate_trustar_links(indicator_value)
for link in report_links:
trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=link)
self.misp_event.add_object(**trustar_obj)
def handler(q=False):
"""
MISP handler function. A user's API key and secret will be retrieved from the MISP
request and used to create a TruSTAR API client. If enclave IDs are provided, only
those enclaves will be queried for data. Otherwise, all of the enclaves a user has
access to will be queried.
"""
if q is False:
return False
request = json.loads(q)
config = request.get('config', {})
if not config.get('user_api_key') or not config.get('user_api_secret'):
misperrors['error'] = "Your TruSTAR API key and secret are required for indicator enrichment."
return misperrors
attribute = request['attribute']
trustar_parser = TruSTARParser(attribute, config)
try:
summaries = list(
trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE))
except Exception as e:
misperrors['error'] = "Unable to retrieve TruSTAR summary data: {}".format(e)
return misperrors
trustar_parser.parse_indicator_summary(summaries)
return trustar_parser.get_results()
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo

View File

@ -15,4 +15,5 @@ __all__ = [
'threatanalyzer_import', 'threatanalyzer_import',
'csvimport', 'csvimport',
'joe_import', 'joe_import',
'trustar_import',
] ]