Add more attributes to the GTI enrichment

2024-08-07 11:16:57 +02:00 · 2024-08-07 11:16:57 +02:00 · 798f05a117
parent f2b11c89a4
commit 798f05a117
1 changed files with 23 additions and 5 deletions
--- a/misp_modules/modules/expansion/google_threat_intelligence.py
+++ b/misp_modules/modules/expansion/google_threat_intelligence.py
@ -72,6 +72,17 @@ class GoogleThreatIntelligenceParser:
        }
        self.proxies = None

+    @staticmethod
+    def get_total_analysis(analysis: dict,
+                           known_distributors: dict = None) -> int:
+        """Get total """
+        if not analysis:
+            return 0
+        count = sum([analysis['undetected'],
+                     analysis['suspicious'],
+                     analysis['harmless']])
+        return count if known_distributors else count + analysis['malicious']
+
    def query_api(self, attribute: dict) -> None:
        """Get data from the API and parse it."""
        self.attribute.from_dict(**attribute)
@ -91,19 +102,19 @@ class GoogleThreatIntelligenceParser:
        report = report.to_dict()
        permalink = ('https://www.virustotal.com/gui/'
                     f"{report['type']}/{report['id']}")
-        report_object = pymisp.MISPObject('Google-Threat-Intel-report')
+        report_object = pymisp.MISPObject('google-threat-intelligence-report')
        report_object.add_attribute('permalink', type='link', value=permalink)
        report_object.add_attribute(
-            'Threat Score', type='text',
+            'threat-score', type='text',
            value=get_key(
                report, 'attributes.gti_assessment.threat_score.value'))
        report_object.add_attribute(
-            'Verdict', type='text',
+            'verdict', type='text',
            value=get_key(
                report, 'attributes.gti_assessment.verdict.value').replace(
                    'VERDICT_', ''))
        report_object.add_attribute(
-            'Severity', type='text',
+            'severity', type='text',
            value=get_key(
                report, 'attributes.gti_assessment.severity.value').replace(
                    'SEVERITY_', ''))
@ -112,6 +123,13 @@ class GoogleThreatIntelligenceParser:
            value=get_key(
                report, ('attributes.popular_threat_classification'
                         '.suggested_threat_label')))
+        analysis = report.get('last_analysis_stats')
+        total = self.get_total_analysis(analysis,
+                                        report.get('known_distributors'))
+        detection_ratio = f"{analysis['malicious']}/{total}" if analysis else '-/-'
+        report_object.add_attribute(
+            'detection-ratio', type='text',
+            value=detection_ratio, disable_correlation=True)
        self.misp_event.add_object(**report_object)
        return report_object.uuid

@ -162,7 +180,7 @@ class GoogleThreatIntelligenceParser:
        url_report = self.client.get_object(f'/urls/{url_id}')

        url_object = pymisp.MISPObject('url')
-        url_object.add_attribute('url', type='url', value=url_report.url)
+        url_object.add_attribute('url', type='url', value=url_report.id)

        report_uuid = self.create_gti_report_object(url_report)
        url_object.add_reference(report_uuid, 'analyzed-with')