Merge pull request #377 from 0xbennyv/master

Added SophosLabs Intelix as expansion module
2020-03-05 14:10:05 +01:00 · 2020-03-05 14:10:05 +01:00 · 55664dadb9
parent cda5004a0d 6c00f02e42
commit 55664dadb9
3 changed files with 126 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -71,6 +71,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [shodan](misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module.
 * [Sigma queries](misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
 * [Sigma syntax validator](misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator.
+* [SophosLabs Intelix](misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier availible). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS)
 * [sourcecache](misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
 * [STIX2 pattern syntax validator](misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax.
 * [ThreatCrowd](misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/).
--- a/misp_modules/modules/expansion/init.py
+++ b/misp_modules/modules/expansion/init.py
@ -16,4 +16,4 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
           'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
           'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
-           'lastline_query', 'lastline_submit']
+           'lastline_query', 'lastline_submit', 'sophoslabs_intelix']
--- a/misp_modules/modules/expansion/sophoslabs_intelix.py
+++ b/misp_modules/modules/expansion/sophoslabs_intelix.py
@ -0,0 +1,124 @@
+from pymisp import MISPEvent, MISPObject
+import json
+import requests
+import base64
+from urllib.parse import quote
+
+moduleinfo = {'version': '1.0',
+              'author': 'Ben Verschaeren',
+              'description': 'SOPHOSLabs Intelix Integration',
+              'module-type': ['expansion']}
+
+moduleconfig = ['client_id', 'client_secret']
+
+misperrors = {'error': 'Error'}
+
+misp_types_in = ['sha256', 'ip', 'ip-src', 'ip-dst', 'uri', 'url', 'domain', 'hostname']
+
+mispattributes = {'input': misp_types_in,
+                  'format': 'misp_standard'}
+
+class SophosLabsApi():
+    def __init__(self, client_id, client_secret):
+        self.misp_event = MISPEvent()
+        self.client_id = client_id
+        self.client_secret= client_secret
+        self.authToken = f"{self.client_id}:{self.client_secret}"
+        self.baseurl = 'de.api.labs.sophos.com'
+        d = {'grant_type': 'client_credentials'}
+        h = {'Authorization': f"Basic {base64.b64encode(self.authToken.encode('UTF-8')).decode('ascii')}",\
+                        'Content-Type': 'application/x-www-form-urlencoded'}
+        r = requests.post('https://api.labs.sophos.com/oauth2/token', headers=h, data=d)
+        if r.status_code == 200:
+            j = json.loads(r.text)
+            self.accessToken = j['access_token']
+
+    def get_result(self):
+        event = json.loads(self.misp_event.to_json())
+        results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
+        return {'results': results}
+
+    def hash_lookup(self, filehash):
+        sophos_object = MISPObject('SOPHOSLabs Intelix SHA256 Report')
+        h = {"Authorization": f"{self.accessToken}"}
+        r = requests.get(f"https://{self.baseurl}/lookup/files/v1/{filehash}", headers=h)
+        if r.status_code == 200:
+            j = json.loads(r.text)
+            if 'reputationScore' in j:
+                sophos_object.add_attribute('Reputation Score', type='text', value=j['reputationScore'])
+                if 0 <= j['reputationScore'] <= 19:
+                    sophos_object.add_attribute('Decision', type='text', value='This file is malicious')
+                if 20 <= j['reputationScore'] <= 29:
+                    sophos_object.add_attribute('Decision', type='text', value='This file is potentially unwanted')
+                if 30 <= j['reputationScore'] <= 69:
+                    sophos_object.add_attribute('Decision', type='text', value='This file is unknown and suspicious')
+                if 70 <= j['reputationScore'] <= 100:
+                    sophos_object.add_attribute('Decision', type='text', value='This file is known good')
+            if 'detectionName' in j:
+                sophos_object.add_attribute('Detection Name', type='text', value=j['detectionName'])
+            else:
+                sophos_object.add_attribute('Detection Name', type='text', value='No name associated with this IoC')
+        self.misp_event.add_object(**sophos_object)
+
+    def ip_lookup(self, ip):
+        sophos_object = MISPObject('SOPHOSLabs Intelix IP Category Lookup')
+        h = {"Authorization": f"{self.accessToken}"}
+        r = requests.get(f"https://{self.baseurl}/lookup/ips/v1/{ip}", headers=h)
+        if r.status_code == 200:
+            j = json.loads(r.text)
+            if 'category' in j:
+                for c in j['category']:
+                    sophos_object.add_attribute('IP Address Categorisation', type='text', value=c)
+            else:
+                sophos_object.add_attribute('IP Address Categorisation', type='text', value='No category assocaited with IoC')
+        self.misp_event.add_object(**sophos_object)
+
+    def url_lookup(self, url):
+        sophos_object = MISPObject('SOPHOSLabs Intelix URL Lookup')
+        h = {"Authorization": f"{self.accessToken}"}
+        r = requests.get(f"https://{self.baseurl}/lookup/urls/v1/{quote(url, safe='')}", headers=h)
+        if r.status_code == 200:
+            j = json.loads(r.text)
+            if 'productivityCategory' in j:
+                sophos_object.add_attribute('URL Categorisation', type='text', value=j['productivityCategory'])
+            else:
+                sophos_object.add_attribute('URL Categorisation', type='text', value='No category assocaited with IoC')
+            
+            if 'riskLevel' in j:
+                sophos_object.add_attribute('URL Risk Level', type='text', value=j['riskLevel'])
+            else:
+                sophos_object.add_attribute('URL Risk Level', type='text', value='No risk level associated with IoC')
+                        
+            if 'securityCategory' in j:
+                sophos_object.add_attribute('URL Security Category', type='text', value=j['securityCategory'])
+            else:
+                sophos_object.add_attribute('URL Security Category', type='text', value='No Security Category associated with IoC')
+        self.misp_event.add_object(**sophos_object)
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    j = json.loads(q)
+    if not j.get('config') or not j['config'].get('client_id') or not j['config'].get('client_secret'):
+        misperrors['error'] = "Missing client_id or client_secret value for SOPHOSLabs Intelix. \
+            It's free to sign up here https://aws.amazon.com/marketplace/pp/B07SLZPMCS."
+        return misperrors
+    client = SophosLabsApi(j['config']['client_id'], j['config']['client_secret'])
+    if j['attribute']['type'] == "sha256":
+        client.hash_lookup(j['attribute']['value1'])
+    if j['attribute']['type'] in ['ip-dst', 'ip-src', 'ip']:
+        client.ip_lookup(j["attribute"]["value1"])
+    if j['attribute']['type'] in ['uri', 'url', 'domain', 'hostname']:
+        client.url_lookup(j["attribute"]["value1"])
+    return client.get_result()
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo
+